
Tactical Perimeter Defense

Warren Peterson
Warren Peterson is the President of Security Certified Program, LLC and the founder of the Security Certified Program. Mr. Peterson regularly delivers standing-room only security presentations for government and corporate clients on subjects ranging from general security to the threats of Cyber terrorism. Mr. Peterson is an accomplished and experienced teacher who holds many industry certifications. His training methods have earned him the utmost respect and recognition from both his students and his peers. Even many years after courses have ended, many of Mr. Peterson's students from around the world stay in touch with him. Mr. Peterson has developed instructional curriculum for customized courses, such as courses for Microsoft, Cisco, CompTIA, and various security programs. In addition to writing for magazines, such as Certification Magazine, he is the lead author for the Security Certified Program courses, including: Network Security Fundamentals, Hardening the Infrastructure, Network Defense and Countermeasures, Tactical Perimeter Defense, Strategic Infrastructure Security, Advanced Security Implementation, and Enterprise Security Solutions.

Mr. Peterson includes the following personal thanks: Thank you to my wife, Carin, you and our girls give me constant support, and I thank you for your devotion. You remind me daily why teaching is so important. I love you deeply, and look forward to seeing you again now that this writing phase is over! Thank you to Waleed, you have been the foundation behind more positive change than I can describe, knowing you and working with you has been a true pleasure. Thanks to Gene, for your trusted advice and mentoring; to Mark, for your passion and enthusiasm (go have another coffee!); to Tracy, for your loyalty and friendship, which are unmatched; to Joe, for your professionalism, and desire for the best; to Dave, for always being there, even early in the morning. And, thanks to Charles, Shrinath, and Robert, time has moved us apart, but you have each made an impression on me, and I thank you for that.

TACTICAL PERIMETER DEFENSE


Course Number: SCPTPD20 Course Edition: 2.0 For software version: N/A

ACKNOWLEDGEMENTS

Project Team
Curriculum and Technical Writers: Warren Peterson and Clay Scott
Copy Editor: Carin Peterson
Reviewing Editor: Sandy Castle-Rhoads
Technical Editor: Tracy Richter
Quality Assurance Analyst: David Young
Graphic Designer: Mark Patrick

Project Support
Development Assistance: Ben Tchoubineh

NOTICES

DISCLAIMER: While Security Certified Program LLC takes care to ensure the accuracy and quality of these materials, we cannot guarantee their accuracy, and all materials are provided without any warranty whatsoever, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Any name used in the data files for this course is that of a fictitious company. Any resemblance to current or future companies is purely coincidental. We do not believe we have used anyone's name in creating this course, but if we have, please notify us and we will change the name in the next revision of the course. Security Certified Program LLC is an independent developer of courseware and certification programs for individuals, businesses, educational institutions, and government agencies. Use of screenshots, photographs of another entity's products, or another entity's product name or service in this book is for editorial purposes only. No such use should be construed to imply sponsorship or endorsement of the book by, nor any affiliation of such entity with Security Certified Program LLC. This courseware may contain links to sites on the Internet that are owned and operated by third parties (the "External Sites"). Security Certified Program LLC is not responsible for the availability of, or the content located on or through, any External Site. Please contact Security Certified Program LLC if you have any concerns regarding such links or External Sites.

TRADEMARK NOTICES: The Security Certified Program, SCP, SCNS, SCNP, and SCNA are trademarks of The Security Certified Program, LLC in the U.S. and other countries; The Security Certified Program, SCP, SCNS, SCNP, products and services discussed or described may be trademarks of The Security Certified Program, LLC. All other product names and services used throughout this book may be common law or registered trademarks of their respective proprietors.

Copyright 2007 Security Certified Program, LLC. All rights reserved. Screenshots used for illustrative purposes are the property of the software proprietor. This publication or any part thereof, may not be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, storage in an information retrieval system, or otherwise, without express written permission of Security Certified Program LLC, 825 West State Street, Suite 204, Geneva, Illinois 60134, USA. (630) 208-5030. Security Certified Program LLC's World Wide Web site is located at: www.SecurityCertified.Net. This book conveys no rights in the software or other products about which it was written; all use or licensing of such software or other products is the responsibility of the user according to terms and conditions of the owner. Do not make illegal copies of books or software. If you believe that this book, related materials, or any other Security Certified Program LLC materials are being reproduced or transmitted without permission, please call 1-630-208-5030.




CONTENT OVERVIEW

About This Course . . . xvii
Lesson 1: Network Defense Fundamentals . . . 1
Lesson 2: Advanced TCP/IP . . . 31
Lesson 3: Routers and Access Control Lists . . . 95
Lesson 4: Designing Firewalls . . . 155
Lesson 5: Configuring Firewalls . . . 189
Lesson 6: Implementing IPSec and VPNs . . . 299
Lesson 7: Designing an Intrusion Detection System . . . 369
Lesson 8: Configuring an IDS . . . 403
Lesson 9: Securing Wireless Networks . . . 447
Glossary . . . 537
Index . . . 543

CONTENTS

About This Course . . . xvii
Course Setup Information . . . xxii
How To Use This Book . . . xl

LESSON 1: NETWORK DEFENSE FUNDAMENTALS


Topic 1A
Network Defense . . . 2
  Five Key Issues of Network Security . . . 3
  The Threats to Security . . . 5
  Defensive Strategies . . . 6
  Defensive Strategy Requirements . . . 8
  Task 1A-1 Identifying Non-repudiation Issues . . . 10

Topic 1B
Defensive Technologies . . . 10
  The Castle Analogy . . . 10
  Attacking the Castle . . . 11
  The Castle's Firewall . . . 11
  The Castle's Intrusion Detection . . . 12
  The Castle's Back Doors . . . 12
  The Defense Technologies . . . 13
  Task 1B-1 Describing the Layers of a Defended Network . . . 14

Topic 1C
Objectives of Access Control . . . 15
  Access Control . . . 15
  Authentication . . . 16
  Authentication Tokens . . . 16
  Task 1C-1 Describing the Challenge Response Token Process . . . 20

Topic 1D
The Impact of Defense . . . 21
  Firewalls . . . 21
  Encryption . . . 21
  Passwords . . . 22
  Intrusion Detection Systems . . . 22
  Auditing . . . 22
  Task 1D-1 Describing the Problems of Additional Layers of Security . . . 23

Topic 1E
Network Auditing Concepts . . . 23
  Security Auditing Basics . . . 23
  Security Audits . . . 24
  Audit Trails . . . 25
  Handling and Preserving Audit Data . . . 25
  Legal Considerations . . . 25
  Task 1E-1 Describing Network Auditing . . . 26
Lesson Review 1 . . . 27


LESSON 2: ADVANCED TCP/IP


Topic 2A
TCP/IP Concepts . . . 33
  RFCs . . . 36
  The Function of IP . . . 36
  The Subnet Mask . . . 40
  Task 2A-1 Layering and Address Conversions . . . 42
  Routing . . . 42
  VLSM and CIDR . . . 43
  X-casting . . . 44
  Task 2A-2 Routers and Subnetting . . . 44

Topic 2B
Analyzing the Three-way Handshake . . . 46
  Connections . . . 48
  Ports . . . 50
  Network Monitor . . . 52
  Task 2B-1 Using Network Monitor . . . 57
  Wireshark . . . 58
  Task 2B-2 Installing and Starting Wireshark . . . 58
  Wireshark Overview . . . 59
  Task 2B-3 Using Wireshark . . . 62
  TCP Connections . . . 63
  Task 2B-4 Analyzing the Three-way Handshake . . . 63
  The Session Teardown Process . . . 64
  Task 2B-5 Analyzing the Session Teardown Process . . . 65

Topic 2C
Capturing and Identifying IP Datagrams . . . 65
  Task 2C-1 Capturing and Identifying IP Datagrams . . . 67

Topic 2D
Capturing and Identifying ICMP Messages . . . 68
  Task 2D-1 Capturing and Identifying ICMP Messages . . . 69

Topic 2E
Capturing and Identifying TCP Headers . . . 70
  Task 2E-1 Capturing and Identifying TCP Headers . . . 72

Topic 2F
Capturing and Identifying UDP Headers . . . 73
  Task 2F-1 Working with UDP Headers . . . 73

Topic 2G
Analyzing Packet Fragmentation . . . 74
  Task 2G-1 Analyzing Fragmentation . . . 75

Topic 2H
Analyzing an Entire Session . . . 76
  Task 2H-1 Performing a Complete ICMP Session Analysis . . . 76
  Continuing the Complete Session Analysis . . . 79
  Task 2H-2 Performing a Complete FTP Session Analysis . . . 80
Lesson Review 2 . . . 92

LESSON 3: ROUTERS AND ACCESS CONTROL LISTS


Topic 3A
Fundamental Cisco Security . . . 96
  Authentication and Authorization . . . 98
  Configuring Access Passwords . . . 99
  Task 3A-1 Configuring Passwords . . . 100
  Creating User Accounts . . . 100
  Implementing Banners . . . 101
  Implementing Cisco Banners . . . 101
  Task 3A-2 Configuring Login Banners . . . 103
  SSH Overview . . . 103
  Router Configuration to use SSH . . . 103
  Task 3A-3 Configuring SSH on a Router . . . 105
  Task 3A-4 Configuring the SSH Client . . . 107

Topic 3B
Routing Principles . . . 108
  The ARP Process . . . 108
  LAN-to-LAN Routing Process . . . 110
  LAN-to-WAN Routing Process . . . 112
  Task 3B-1 Performing IP and MAC Analysis . . . 113
  The Routing Process . . . 114
  Static and Dynamic Routing . . . 116
  Comparing Routed Protocols and Routing Protocols . . . 119
  The Routing Protocols . . . 120
  RIP . . . 124
  Task 3B-2 Viewing a RIP Capture . . . 125
  RIPv2 . . . 125
  Task 3B-3 Viewing a RIPv2 Capture . . . 127

Topic 3C
Removing Protocols and Services . . . 128
  CDP . . . 128
  Task 3C-1 Turning Off CDP . . . 129
  ICMP . . . 129
  Task 3C-2 Hardening ICMP . . . 130
  Source Routing . . . 130
  Small Services . . . 131
  Finger . . . 131
  Remaining Services . . . 132
  Task 3C-3 Removing Unneeded Services . . . 133
  AutoSecure . . . 133

Topic 3D
Creating Access Control Lists . . . 134
  Access Control List Operation . . . 135
  The Access List Process . . . 135
  The Wildcard Mask . . . 136
  Task 3D-1 Creating Wildcard Masks . . . 138

Topic 3E
Implementing Access Control Lists . . . 138
  Defending Against Attacks with ACLs . . . 142
  Task 3E-1 Creating Access Control Lists . . . 144
  Context-based Access Control . . . 144

Topic 3F
Logging Concepts . . . 145
  Configuring Logging . . . 147
  Task 3F-1 Configuring Buffered Logging . . . 149
  ACL Logging . . . 149
  Task 3F-2 Configuring Anti-spoofing Logging . . . 151
Lesson Review 3 . . . 152

LESSON 4: DESIGNING FIREWALLS


Topic 4A
Firewall Components . . . 156
  Firewall Methodologies . . . 157
  What a Firewall Cannot Do . . . 158
  Implementation Options for Firewalls . . . 158
  Task 4A-1 Firewall Planning . . . 162

Topic 4B
Create a Firewall Policy . . . 163
  Task 4B-1 Creating a Simple Firewall Policy . . . 167

Topic 4C
Rule Sets and Packet Filters . . . 168
  Stateless and Stateful Packet Inspection . . . 172
  How Attackers Get Around Packet Filters . . . 175
  Task 4C-1 Firewall Rule Creation . . . 175

Topic 4D
Proxy Server . . . 176
  Proxy Process . . . 177
  Proxy Benefits . . . 178
  Proxy Problems . . . 178
  Task 4D-1 Diagram the Proxy Process . . . 179

Topic 4E
The Bastion Host . . . 180
  An Attack on the Bastion Host . . . 181
  Task 4E-1 Describing a Bastion Host . . . 182

Topic 4F
The Honeypot . . . 182
  What is a Honeypot? . . . 182
  Goals of the Honeypot . . . 183
  Legal Issues . . . 184
  Task 4F-1 Honeypot Configuration . . . 184
Lesson Review 4 . . . 185

LESSON 5: CONFIGURING FIREWALLS


Topic 5A
Understanding Firewalls . . . 190
  Address, Port, Protocol, and Services: The Building Blocks of Firewall Rules . . . 193
  Examining the Common Types of Firewalls . . . 196
  Building Firewall Rules to Control Network Communications . . . 201
  Common Firewall Topologies . . . 203
  Why Would I Want a Firewall on My Network? . . . 205
  What Can a Firewall Not Protect You From? . . . 206
  Things to Consider About Firewall Implementation . . . 207

Topic 5B
Configuring Microsoft ISA Server 2006 . . . 210
  Introduction to ISA Server 2006 . . . 210
  Task 5B-1 Preparing for the ISA Server 2006 . . . 212
  ISA Server Installation Requirements . . . 214
  Task 5B-2 Install Microsoft ISA Server 2006 . . . 215
  Configuring ISA Server 2006 . . . 217
  Task 5B-3 Exploring the Microsoft ISA Server 2006 Interface . . . 218
  Exporting/Importing ISA Server 2006 Configurations as XML Files . . . 223
  Task 5B-4 Exporting the Default Configuration . . . 223
  ISA Server 2006 Firewall Policies . . . 224
  Task 5B-5 Creating a Basic Access Rule . . . 226
  ISA Server 2006 Access Rule Elements . . . 230
  Task 5B-6 Creating a Protocol Rule Element . . . 231
  Task 5B-7 Creating a User Rule Element . . . 233
  Content Types . . . 234
  Task 5B-8 Creating a Content Group Rule Element . . . 234
  ISA Server 2006 Scheduling . . . 236
  Task 5B-9 Creating and Modifying Schedule Rule Elements . . . 236
  Using Content Types and Schedules in Rules . . . 237
  Task 5B-10 Using Content Types and Schedules in Rules . . . 237
  ISA Server 2006 Network Rule Elements . . . 239
  Task 5B-11 Creating a Network Rule Element . . . 240
  ISA Server Publishing Rules . . . 242
  Task 5B-12 Configuring a Web Publishing Rule . . . 242
  ISA Server 2006 Caching . . . 245
  Task 5B-13 Enabling and Configuring Caching . . . 245
  Configuring ISA Server 2006 Network Templates . . . 249
  Task 5B-14 Install Second Microsoft Loop Back Adapter and Assign an IP Address . . . 249
  Task 5B-15 Configure ISA Server 2006 in a Three-legged DMZ . . . 251
  Configuring ISA Server Monitoring . . . 253
  Task 5B-16 Working with Alerts . . . 254
  Task 5B-17 Working with Reports . . . 257
  ISA Server 2006 Logging . . . 260
  Task 5B-18 Configuring Logging Options . . . 262
  Additional Configuration Options for ISA Server 2006 . . . 265
  Task 5B-19 Securing ISA Server 2006 with the Security Configuration Wizard . . . 266
  Packet Prioritization . . . 268
  Task 5B-20 Configuring Packet Prioritization . . . 268
  Uninstalling ISA Server 2006 . . . 269
  Task 5B-21 Uninstalling ISA Server 2006 . . . 270

Topic 5C
IPTables Concepts . . . 271
  Firewalling in Linux . . . 271
  The Flow of the Chains . . . 275
  Configuration Options . . . 277
  The iptables Command . . . 277
  Chain Management . . . 278
  Rule Management . . . 279
  Rule Creation . . . 279
  Other Options . . . 280
  Rule Examples . . . 281
  Creating a Chain . . . 282
  Deleting a Chain . . . 282
  Flushing a Chain . . . 282
  Checking for Connections . . . 282
  Negating Values . . . 283
  Defining a Target . . . 284
  Complex Rules . . . 284
  Configuring Masquerading . . . 284
  Case Study . . . 285
  Task 5C-1 Working with Chain Management . . . 288

Topic 5D
Implementing Firewall Technologies . . . 290
Lesson Review 5 . . . 296

LESSON 6: IMPLEMENTING IPSEC AND VPNS


Topic 6A
Internet Protocol Security . . . 301
  Modes . . . 302
  IPSec Implementation . . . 303
  Task 6A-1 Describing the Need for IPSec . . . 304

Topic 6B
IPSec Policy Management . . . 304
  The MMC . . . 304
  Task 6B-1 Examining the MMC . . . 305
  IPSec Policies . . . 306
  Task 6B-2 Identifying Default IPSec Security Policies . . . 306
  Saving the Customized MMC Configuration . . . 307
  Task 6B-3 Saving a Customized MMC . . . 307
  The Secure Server (Require Security) Policy . . . 307
  Task 6B-4 Examining Security Methods . . . 308
  The Rules Tab for the Secure Server (Require Security) Policy . . . 309
  Task 6B-5 Examining Policy Rules . . . 311

Topic 6C
IPSec AH Implementation . . . 312
  Creating Custom IPSec Policies . . . 312
  Task 6C-1 Creating the 1_REQUEST_AH(md5)_only Policy . . . 315
  Editing Authentication Method Policies . . . 317
  Task 6C-2 Editing the 1_REQUEST_AH(md5)_only Policy . . . 318
  Setting Up the Computer's Response . . . 318
  Task 6C-3 Configuring the Policy Response . . . 320
  Configuring AH in Both Directions . . . 321
  Task 6C-4 Configuring the Second Computer . . . 321
  Configuring FTP . . . 322
  Task 6C-5 Setting Up the FTP Process . . . 322
  Implementing the IPSec Policy . . . 323
  Task 6C-6 Implementing the 1_REQUEST_AH(md5)_only Policy . . . 324
  Request-only Session Analysis . . . 324
  Task 6C-7 Analyzing the Request-only Session . . . 325
  Implementing a Request-and-Respond Policy . . . 325
  Task 6C-8 Configuring a Request-and-Respond IPSec Session . . . 325
  Request-and-Respond Session Analysis . . . 326
  Task 6C-9 Analyzing the Request-and-Respond Session . . . 326

Topic 6D
Combining AH and ESP in IPSec . . . 327
  Task 6D-1 Creating the 5_REQUEST_AH(md5)+ESP(des) IPSec Policy and the Response Policy . . . 327
  Configuring the IPSec Response . . . 329
  Task 6D-2 Creating the 5_RESPOND_AH(md5)+ESP(des) IPSec Policy . . . 330
  AH and ESP IPSec Session Analysis . . . 331
  Task 6D-3 Configuring and Analyzing an IPSec Session Using AH and ESP . . . 331
  Configuring All the Options . . . 333
  Task 6D-4 Implementing the 7_REQUIRE_AH(sha)+ESP(sha+3des) Policy . . . 333
  Configuring the AH-and-ESP IPSec Response Policy . . . 335
  Task 6D-5 Implementing the 7_RESPOND_AH(sha)+ESP(sha+3des) Policy . . . 335
  Implementing the Full IPSec Session . . . 336
  Task 6D-6 Implementing and Analyzing an AH(sha) and ESP(sha+3des) IPSec Session . . . 336

Topic 6E
VPN Fundamentals . . . 337
  VPN Business Drivers . . . 338
  VPN Types . . . 339
  VPN Elements . . . 340
  Tunneling and Security Protocols . . . 341
  Task 6E-1 Defining Tunneling Protocols . . . 341

Topic 6F
Tunneling Protocols . . . 341
  Point-to-Point Tunneling Protocol (PPTP) . . . 342
  Layer 2 Tunneling Protocol (L2TP) . . . 343
  IPSec . . . 344
  IPSec Tunnel and Transport Modes . . . 346
  IPSec and Network Address Translation (NAT) . . . 346
  Task 6F-1 Assigning Tunneling Protocols . . . 347

Topic 6G
VPN Design and Architecture . . . 348
  VPN Implementation Challenges . . . 348
  Task 6G-1 Examining VPN-related RFCs . . . 349

Topic 6H
VPN Security . . . 350
  VPNs and Firewalls . . . 351
  VPN Authentication . . . 352
  Task 6H-1 Viewing Firewall-related RFCs . . . 353

Topic 6G Topic 6H

Topic 6I

Configuring a VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .354 Task 6I-1 Configuring the VPN Server . . . . . . . . . . . . . . . . . . . . . . . . 354 VPN Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359 Task 6I-2 Configuring VPN Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . 359 Establishing the VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361 Task 6I-3 Establish the VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362 Returning the Classroom Setup to its Original State . . . . . . . . . . . . . . 364 Task 6I-4 Restoring the Classroom Setup . . . . . . . . . . . . . . . . . . . . . . 364 Lesson Review 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

LESSON 7: DESIGNING AN INTRUSION DETECTION SYSTEM


Topic 7A: The Goals of an Intrusion Detection System . . . 371
  What is Intrusion Detection? . . . 371
  Some Intrusion Detection Definitions . . . 373
  The IDS Matrix . . . 373
  IDS Components . . . 375
  Realistic Goals of IDS . . . 376
  Task 7A-1 Describing Alarms . . . 377

Topic 7B: Technologies and Techniques of Intrusion Detection . . . 377
  The Intrusion Detection Process . . . 378
  Behavioral Use . . . 379
  Information Collection and Analysis . . . 382
  Task 7B-1 Discussing IDS Concepts . . . 383

Topic 7C: Host-based Intrusion Detection . . . 384
  Host-based IDS Design . . . 384
  Centralized Host-based IDS Design . . . 384
  Distributed Host-based IDS Design . . . 386
  Task 7C-1 Describing Centralized Host-based Intrusion Detection . . . 387

Topic 7D: Network-based Intrusion Detection . . . 387
  Network-based IDS Design . . . 388
  Traditional Network-based IDS Design . . . 388
  Distributed Network-based IDS Design . . . 389
  Task 7D-1 Discussing Sensor Placement . . . 390

Topic 7E: The Analysis . . . 391
  When to Analyze . . . 391
  Interval Analysis . . . 391
  Real-time Analysis . . . 391
  How to Analyze . . . 392
  Signature Analysis . . . 392
  An Example Signature . . . 392
  Statistical Analysis . . . 393
  Task 7E-1 Discussing Data Analysis . . . 394

Topic 7F: How to Use an IDS . . . 394
  Detection of Outside Threats . . . 394
  Detection of Inside Threats . . . 396
  Anticipation of Attack Monitoring . . . 397
  Surveillance Monitoring . . . 397
  Task 7F-1 Discussing Intrusion Detection Uses . . . 397

Topic 7G: What an IDS Cannot Do . . . 398
  Provide the Magic Solution . . . 398
  Manage Hardware Failures . . . 398
  Investigate an Attack . . . 398
  100 Percent Analysis . . . 399
  Task 7G-1 Discussing Incident Investigation . . . 399
  Lesson Review 7 . . . 399

LESSON 8: CONFIGURING AN IDS


Topic 8A: Snort Foundations . . . 404
  Snort Deployment . . . 404
  How Snort Works . . . 404
  Snort Fundamentals . . . 405

Topic 8B: Snort Installation . . . 406
  Task 8B-1 Installing Snort . . . 407
  Common Snort Commands . . . 408
  Task 8B-2 Initial Snort Configuration . . . 408
  Using Snort as a Packet Sniffer . . . 410
  Task 8B-3 Capturing Packets with Snort . . . 411
  Task 8B-4 Capturing Packet Data with Snort . . . 413
  Task 8B-5 Logging with Snort . . . 414

Topic 8C: Snort as an IDS . . . 415
  It's All in the Rules . . . 416
  Snort Rule IDs . . . 420
  Task 8C-1 Creating a Simple Ruleset . . . 421
  Task 8C-2 Testing the Ruleset . . . 421
  More Rule Options . . . 422
  Pre-configured Rules . . . 425
  Task 8C-3 Examining Pre-configured Rules . . . 426
  Examine Denial of Service Rules . . . 426
  Task 8C-4 Examining DDoS Rules . . . 427
  Examine Backdoor Rules . . . 427
  Task 8C-5 Examining Backdoor Rules . . . 427
  Examine Web Attack Rules . . . 428
  Task 8C-6 Examining Web Attack Rules . . . 428
  Examine Web IIS Rules . . . 429
  Task 8C-7 Examining IIS Rules . . . 429

Topic 8D: Configuring Snort to Use a Database . . . 430
  Snort Output Plug-ins . . . 430
  Configure Snort to Use a Database . . . 430
  Task 8D-1 Editing Snort.Conf . . . 431
  Installing MySQL for Snort . . . 431
  Task 8D-2 Installing MySQL . . . 431
  Task 8D-3 Creating the Snort Database . . . 432
  MySQL User Accounts . . . 433
  Task 8D-4 Creating MySQL User Accounts . . . 433
  Snort to Database Connectivity . . . 433
  Task 8D-5 Testing the New Configuration . . . 434
  Snort as a Service . . . 434
  Task 8D-6 Configuring Snort as a Service . . . 434

Topic 8E: Running an IDS on Linux . . . 435
  LAMP On SuSe . . . 435
  Task 8E-1 Installing LAMP Components . . . 436
  Apache and PHP . . . 436
  Task 8E-2 Apache and PHP Test . . . 437
  Enable Snort on Linux . . . 438
  Task 8E-3 Configure Snort on Linux . . . 438
  Configuring MySQL on Linux . . . 438
  Task 8E-4 Configuring MySQL for Snort . . . 439
  Connecting Snort to a Database . . . 439
  Task 8E-5 Testing Snort Connectivity to the Database . . . 440
  Installing ADOdb and BASE . . . 440
  Task 8E-6 Downloading ADOdb and BASE . . . 441
  Task 8E-7 Installing ADOdb and BASE . . . 441
  Configuring BASE . . . 442
  Task 8E-8 Configuring BASE . . . 442
  Task 8E-9 Configuring the Firewall to Allow HTTP . . . 443
  Generating Snort Events . . . 443
  Task 8E-10 Generating Portscan Snort Events . . . 443
  Task 8E-11 Generating Web Snort Events . . . 444
  Lesson Review 8 . . . 446

LESSON 9: SECURING WIRELESS NETWORKS


Topic 9A: Wireless Networking Fundamentals . . . 448
  Wireless Equipment . . . 448
  Wireless Media . . . 451
  Task 9A-1 Examining Satellite Orbits . . . 456
  Radio Wireless Media . . . 457
  Bluetooth . . . 459
  Short Message Service . . . 459
  IEEE 802.11 . . . 460
  Wireless Application Protocol . . . 462
  Task 9A-2 Choosing a Wireless Media . . . 464

Topic 9B: Wireless LAN (WLAN) Fundamentals . . . 465
  Association . . . 466
  Authentication . . . 466
  WLAN Topologies . . . 466
  Lesson Configuration . . . 468
  Prepare for the Ad-hoc Network . . . 468
  Task 9B-1 Installing the Linksys WPC54G WNIC . . . 469
  Configure the Second WNIC . . . 471
  Task 9B-2 Installing the Netgear WPN511 . . . 471
  Enable the Ad-Hoc Network . . . 474
  Task 9B-3 Enabling the Ad-Hoc Network . . . 474
  802.11 Framing . . . 476
  Access Point Configuration . . . 482
  Task 9B-4 Installing the Linksys WAP54G Access Point . . . 482
  Configure the Infrastructure Clients . . . 485
  Task 9B-5 Configuring the Linksys Client . . . 485
  Adding Infrastructure Network Clients . . . 487
  Task 9B-6 Configuring the Netgear Client . . . 487
  WLAN Threats . . . 488

Topic 9C: Wireless Security Solutions . . . 490
  Wireless Transport Layer Security (WTLS) . . . 491
  Fundamental Access Point Security . . . 493
  Wired Equivalent Privacy (WEP) . . . 494
  Configure WEP . . . 501
  Task 9C-1 Installing the Netgear WPN824 Access Point . . . 502
  Establishing the WEP Network . . . 504
  Task 9C-2 Configuring WEP on the Network Client . . . 505
  Temporal Key Integrity Protocol (TKIP) . . . 506
  Extensible Authentication Protocol (EAP) . . . 506
  Wi-Fi Protected Access (WPA) . . . 507
  Configure WPA2 . . . 509
  Task 9C-3 Configure WPA2 on the Access Point . . . 509
  Supplicants . . . 509
  Task 9C-4 Configuring WPA2 on the Network Client . . . 510
  802.1x . . . 512

Topic 9D: Wireless Auditing . . . 512
  Wireshark . . . 513
  NetStumbler . . . 513
  Task 9D-1 Installing NetStumbler . . . 514
  Identify Wireless Networks . . . 514
  Task 9D-2 Identifying Wireless Networks . . . 515
  OmniPeek Personal . . . 515
  Task 9D-3 Installing OmniPeek Personal . . . 516
  WildPackets Drivers . . . 517
  OmniPeek Personal Captures . . . 517
  Task 9D-4 Viewing OmniPeek Personal Captures . . . 517
  Live Captures . . . 521
  Task 9D-5 Viewing Live OmniPeek Personal Captures . . . 521
  Non-802.11 Packets . . . 522
  Task 9D-6 Analyze Upper Layer Traffic . . . 522
  Decode WEP . . . 523
  Task 9D-7 Decrypting WEP . . . 523
  Aircrack . . . 526
  WEPCrack . . . 527
  AirSnort . . . 527
  Ekahau . . . 527
  Kismet . . . 527

Topic 9E: Wireless Trusted Networks . . . 528
  802.1x and EAP . . . 528
  EAP Types . . . 529
  Lightweight EAP (LEAP) . . . 529
  EAP with Transport Layer Security (EAP-TLS) . . . 530
  EAP with Tunneled Transport Layer Security (EAP-TTLS) . . . 531
  Protected EAP (PEAP) . . . 531
  EAP Type Comparison . . . 532
  Wireless Trusted Network Summary . . . 533
  Task 9E-1 Choosing a Wireless Trusted Network . . . 533
  Lesson Review 9 . . . 534

Glossary . . . 537
Index . . . 543

ABOUT THIS COURSE


This course is the official courseware for the Security Certified Program SC0-451 certification exam. The Tactical Perimeter Defense course is designed to provide network administrators and certification candidates with hands-on tasks on the most fundamental perimeter security technologies. The network perimeter is often the first line of defense in an organization's network, and this course covers the issues every administrator must be familiar with.

What is the Security Certified Program (SCP)?

Security Certified Program is both our company name and our program name. Security Certified Program, LLC, a Chicago-based security training organization, has created the Security Certified Program (SCP) to help develop and validate your skills as a computer and network security professional. The SCP courses and certifications are designed not just around knowledge-based theory, like so many others, but rather around the actual technical skills required by practitioners. The SCP structure is unique in that it measures competence in core security skills as well as skills needed for specific security technologies, such as Packet Structure, Signature Analysis, Operating System Hardening, Router Security, Firewalls, Virtual Private Networks (VPNs), Intrusion Detection, Risk Analysis, Wireless Security, Digital Signatures and Certificates, Cryptography, Biometrics, and Network Forensics. The SCP certifications include three vendor-neutral security certifications. The first certification is the Security Certified Network Specialist (SCNS), the next certification is Security Certified Network Professional (SCNP), and the third is Security Certified Network Architect (SCNA).

The Security Certified Program Certification Path

What is SCNS?

The SCNS (Security Certified Network Specialist) is the SCP's core certification. The primary focus is on the defense of the perimeter. This certification covers the core security technologies used in defending today's business environments, including the following: Network Defense Fundamentals, Advanced TCP/IP, Router Security and Access Control Lists, Designing & Configuring Firewalls, Configuring Virtual Private Networks, Designing & Configuring Intrusion Detection Systems, and Securing Wireless Networks.

What kind of experience do I need before I go for my SCNS?

Before you begin the SCNS certification track, it is recommended that, at a minimum, you attain CompTIA's Security+ certification or have equivalent training with hands-on experience. The SCNS training and certification build on concepts and skills covered in the Security+ certification.

How do I become SCNS certified?

The SCNS certification is comprised of one exam, titled Tactical Perimeter Defense (TPD). To become SCNS certified, candidates must complete this exam with a passing score. The TPD exam uses exam number SC0-451. It is strongly recommended that candidates study this official courseware extensively, and implement the hands-on tasks repeatedly, before taking the exam.

What are the exams like?

The exams are multiple-answer, often scenario-based tests. The TPD exam has 60 questions, and the candidate has 90 minutes to complete the exam. At the time of this publication, the exam breakdown was as follows:

Examination Domain                                             Percentage
1.0 Network Defense Fundamentals                               5%
2.0 Hardening Routers and Access Control Lists                 10%
3.0 Implementing IPSec and Virtual Private Networks            10%
4.0 Advanced TCP/IP                                            15%
5.0 Securing Wireless Networks                                 15%
6.0 Designing and Configuring Intrusion Detection Systems      20%
7.0 Designing and Configuring Firewall Systems                 25%

Note that SCP exams are updated regularly to reflect changes in the network security industry. It is strongly recommended that potential candidates review the exam objectives at www.securitycertified.net/certifications.htm.

How do I take the exams?

The SCP exams are available at any Prometric or VUE testing center, in over 7,400 locations around the world. There are several ways to register for SCP exams. To register for SCP exams over the Internet, visit Prometric at www.prometric.com/SCP or VUE at www.vue.com/scp/ and create an account with the vendor of your choice (if you don't already have one). For international exam registration, please check with your preferred vendor's Web site for more information.

During the exam:
- Read questions carefully. Don't jump to any conclusions!
- Skip questions that you are unsure of, and come back to them at the end. If you have time remaining, you will be given the opportunity to review your answers. Be sure to do so, and make sure you didn't make any obvious mistakes.
- If you come back to a question and are not sure about an answer, remember that your first hunch is more often correct than your second-choice answer (after overanalyzing the question)!
- Be sure to answer all questions; unanswered questions count against your score, so if you don't have an answer, try to eliminate any options that you know are wrong and make a best guess from whatever remains.

About This Course

xix

On your exam day, try to arrive 15 minutes early so you do not feel rushed or stressed by being late. This will also give you a few minutes to review any notes before beginning your exam. However, as the SCP exams are closed-book, notes or calculators may not be brought into the testing station and will have to be left with the facility's faculty.

Will my certificate expire?

Yes. As technologies in the security field are constantly changing, your SCNS certificate will be valid for two years starting on the date you pass the Tactical Perimeter Defense exam. Candidates who have received their SCNS credential will need to retake the TPD exam before their SCNS certification expires. Candidates who are recertifying will be able to do so at a discounted exam rate. For more information on the current SCNS re-certification exam rate, please email Exams@SecurityCertified.Net.

What if I want to go further?

After you have become SCNS-certified, you will have the option of furthering your skills by moving on to the next level of SCP certification, the Security Certified Network Professional (SCNP) certificate. The Security Certified Network Professional (SCNP) certification is focused on infrastructure technologies. SCNP builds upon the security concepts and technologies covered in Tactical Perimeter Defense (TPD). The SCNP course, Strategic Infrastructure Security (SIS), covers several critical areas: Cryptography, Operating System Security (Windows 2003 and SuSe Linux), Attack Techniques, Internet and WWW Security, Risk Analysis, Security Policy Creation, and Analysis of Intrusion Signatures. To become a Security Certified Network Professional (SCNP), candidates must successfully pass one exam and hold a current Security Certified Network Specialist (SCNS) certification.

Security Certified Program's third certification is Security Certified Network Architect (SCNA). SCNA deals with more advanced security skills and concepts. Many enterprises are trying to integrate Digital Signatures, Digital Certificates, and Biometric and Smart Card Authentication systems into their infrastructures. These technologies are vital for businesses as they look to integrate their partners and suppliers into their business structures and provide real-time information and services to their customers. SCNA is about the fundamentals of building a trusted network, strong authentication techniques, encryption, biometrics, smart cards, and network forensics. SCNA includes two courses, Advanced Security Implementation (ASI) and Enterprise Security Solutions (ESS). Each course is a 40-hour program, and the content and hands-on labs are structured to develop the skills required by today's top security experts. To become a Security Certified Network Architect (SCNA), candidates must pass two exams. The first is Enterprise Security Implementation (ESI), which covers the concepts and lab work covered in both the ASI and ESS courses, and the second is The Solutions Exam (TSE), which covers all facets of the technologies covered in all of the SCP courses.

How do I prepare for the exam?

The TPD exam will require that you be familiar with many technologies and utilities that are covered in this book. Further, the test was authored with the intention that people who have not become familiar with the technologies and utilities covered will not find it as easy to pass the exam as those who have used the programs and technologies in question. What does all this mean? It means that you really should use the utilities and programs that are covered here, rather than just read about them. You should become very familiar with all of the tasks in this book. If possible, create a home lab with at least two machines, and practice, repeatedly, the hands-on tasks in this book. Even using what you learned to help secure your own home network from hosts on the Internet will help you prepare for the exam.

Studying for the exam:

1. Read the book from start to finish, completing all the tasks, even if you are familiar with the technology in question. You never know when some new facet of a technology or program may be brought up; many of the lessons build upon the previous ones, and it is easy to miss something if you skip around.
2. Be sure to complete all hands-on tasks. Again, the SCP exams are based on knowledge and hands-on experience! Once you have completed a task, do it again until you are very comfortable with that task.
3. Be sure to answer the Topic Review questions within each lesson. Make note of the questions you answered incorrectly and study the appropriate sections again.
4. Before taking the SCP exams, it is recommended that you take the practice exams available through MeasureUp. More information on officially recommended practice exams is available at www.securitycertified.net/practice_tests.htm.

But perhaps the best way to make sure that you reach your goal is to register for the exam and stick to the date you set. Nothing keeps you on your toes and working toward a goal like a deadline! Honestly measure your skills, make your study schedule, set the date that you will be ready to take the exam, and register for it.

Practice exams

The only provider of practice exams authorized and recommended by the creators of the SCP is MeasureUp. For more information, visit www.securitycertified.net/practice_tests.htm.

Contact Information

The Security Certified Program
US: 800-869-0025
International: 630-208-5030
Email: Info@SecurityCertified.Net
Website: www.SecurityCertified.Net

Course Prerequisites
To ensure your success, we recommend that you have CompTIA's Security+ certification, or have equivalent experience. This course assumes that the reader has fundamental working knowledge of networking concepts, and foundational security knowledge.

About This Course

xxi

Course Objectives
When you're done working your way through this course, you'll be able to:

Describe the core issues of building a perimeter network defense system.
Investigate the advanced concepts of the TCP/IP protocol suite.
Secure routers through hardening techniques and configure Access Control Lists.
Design and configure multiple firewall technologies.
Examine and implement IPSec and Virtual Private Networks.
Design and configure an Intrusion Detection System.
Secure wireless networks through the use of encryption systems.

COURSE SETUP INFORMATION


Hardware and Software Requirements
To run this course, you will need:

Student machines, one per student, recommended minimum specifications:
Pentium 4, 2.0 GHz processor.
512 MB of RAM.
50 GB hard drive.
DVD-ROM drive.
NIC, capable of promiscuous mode support.
Integrated video card, capable of 32-bit video.

During the lesson on VPN, machines that are designated as VPN servers will require two network cards. Integrated and/or non-integrated network cards will work.

Instructor machine, same configuration as student machines.
Three Cisco routers, 2500 Series preferred (used from a reseller is fine), running IOS 12.2 or greater, with IPSec/SSH support.
One Cisco console cable.
Two serial cables, DCE to DTE, for connecting routers.
Three switches/hubs, 10/100 Mbps.
The firewall lesson will require Microsoft ISA Server 2006. This must be downloaded as a 180-day trial from Microsoft, or full ISA Server software must be provided for students.
During the VPN lesson, machines designated as VPN servers will require two NICs. The NICs can be either integrated or non-integrated.
During the VPN lesson, the instructor machine will need to be running the FTP Service. You may enable the service during your initial setup, or during the VPN lesson, as you prefer.

For class preparation, you will need the following tools. Note, where the tools are available as per open source licensing, they have been included on the course CD-ROM; all other tools should be downloaded and put in the correct folder. All these tools should be copied to the C:\Tools or /Tools directories on your Windows and Linux systems accordingly. The tools are used in Lessons 2, 3, 5, 6, 8 and 9.

| Tool | Download Source |
| --- | --- |
| WinPcap_4_0.exe | SCNS Book CD |
| wireshark-setup-0.99.5.exe | SCNS Book CD |
| tftp.cap | SCNS Book CD |
| fragment.cap | SCNS Book CD |
| ping.text | SCNS Book CD |
| ping.cap | SCNS Book CD |
| ftp.txt | SCNS Book CD |
| ftp.cap | SCNS Book CD |
| puTTY.exe | SCNS Book CD |
| ping_arp.mac.cap | SCNS Book CD |
| rip.update.cap | SCNS Book CD |
| ripv2withAuthentication.cap | SCNS Book CD |
| ISA Server 2006 | www.microsoft.com/isaserver/prodinfo/default.mspx |
| ISAScwHlpPack.exe | SCNS Book CD |
| rfc-index.wri | SCNS Book CD |
| rfc2547.txt | SCNS Book CD |
| rfc2979.txt | SCNS Book CD |
| Snort_2_6_1_2_Installer | SCNS Book CD |
| Snort Rules | SCNS Book CD |
| mysql-essential-5.0.27-win32 | SCNS Book CD |
| adodb493a.tgz | SCNS Book CD |
| base-1.2.7.tar.gz | SCNS Book CD |
| WildPackets_OmniPeek_Personal41 | www.omnipeek.com/downloads.php |
| dotnetfx.exe | SCNS Book CD |
| NetStumbler | SCNS Book CD |
In this course, there are several wireless components utilized. Each training location can decide if they wish to acquire this equipment or use the content as the learning source. The equipment used in this lesson is:

Two laptops running Windows XP.
One Linksys WPC54G NIC and associated set-up CD-ROM.
One Netgear WPN511 NIC and associated set-up CD-ROM.
One Linksys WAP54G access point and associated set-up CD-ROM.
One Netgear WPN824 access point and associated set-up CD-ROM.

Class Requirements
In order for the class to run properly, perform the procedures described below. Before you begin actually setting up the class, here are some recommendations for the classroom configuration and hardware preparation.


Recommendations for hardware preparation:


The hardware requirements are listed earlier in this course. It is not advisable to use systems that do not meet these requirements.
It is recommended that all the computers be of the same or similar hardware configuration.
Configure the BIOS so that the boot order is 1: DVD-ROM, 2: floppy drive (if present), and 3: hard drive.
Protect the student machines with a BIOS password.

Classroom Configuration
The following graphic shows the recommended classroom configuration. Use this figure in conjunction with the IP addressing and naming schemes described in the following section.

Figure 0-1: Recommended classroom setup.

IP Addressing and Computer Naming Scheme


Refer to the classroom configuration for the recommended IP addressing and computer naming schemes for this course. Use this pattern to develop the names and addresses for all machines, as required. The routers divide the classroom into two halves, LEFT and RIGHT, with the CENTER router controlled by the instructor. The LEFT side is configured for subnet 172.16.0.0/16, the CENTER is configured for subnet 172.17.0.0/16, and the RIGHT side is configured for subnet 172.18.0.0/16. Students should have the passwords for the LEFT and RIGHT routers, as per their location in the classroom, but do not need the password for the CENTER router. This course uses two base operating systems, Windows Server 2003 and SuSe Linux Enterprise Server 10. Each machine will dual-boot to these two systems, using the name and IP addresses as per the following table.


| Part of Classroom | Windows Name | Linux Name | IP Address | Default Gateway |
| --- | --- | --- | --- | --- |
| LEFT | WIN-L01 | LIN-L01 | 172.16.10.1 | 172.16.0.1 |
| LEFT | WIN-L02 | LIN-L02 | 172.16.10.2 | 172.16.0.1 |
| LEFT | WIN-L03 | LIN-L03 | 172.16.10.3 | 172.16.0.1 |
| RIGHT | WIN-R01 | LIN-R01 | 172.18.10.1 | 172.18.0.1 |
| RIGHT | WIN-R02 | LIN-R02 | 172.18.10.2 | 172.18.0.1 |
| RIGHT | WIN-R03 | LIN-R03 | 172.18.10.3 | 172.18.0.1 |
| CENTER | WIN-C01 | LIN-C01 | 172.17.10.1 | 172.17.0.1 |

Installing Windows 2003 R2


1. Turn on the computer and insert the Windows Server 2003 R2 disc 1 into the CD-ROM drive.
2. When the screen prompts to BOOT FROM CD, press any key to continue booting. (Note, your system might boot automatically.)
3. At the Windows 2003 Setup screen, certain files will begin to load independently.
4. At the Windows 2003 Standard Edition Setup screen, press Enter to set up Windows Server 2003.
5. Read the Licensing Agreement, and then press F8 to accept the agreement.
6. The Windows 2003 Standard Edition Setup screen will reappear; press C to create a partition.
7. In the Create Partition Of Size (In MB) text box, type 25000 and press Enter.
8. To set up Windows on the newly-created partition, select the new partition, and press Enter.
9. Select Format The Partition Using The NTFS File System (default) and press Enter. After the partition has been formatted and files copied, the computer will reboot.
10. Windows Server 2003 will continue installation independently. You will be able to see the approximate time it will take to complete installation on the left side of your screen.
11. Windows Server 2003 will install devices independently. The screen may flash, or flicker, for several seconds during this process.
12. For Regional And Language Options, select your settings, and then click Next.
13. In the Personalize Your Settings screen, in the Name text box, type TEST; in the Organization text box, type SCP, and click Next.
14. When prompted, enter the product key and click Next.
15. In the Licensing Modes screen, select the Per Device Or Per User radio button, and then click Next.
16. In the Computer Name dialog box, type WIN-XXX (replace XXX with your seat number, or as your instructor defines). The Administrator Password should be left blank; then click Next.
17. If the password is left blank, a screen will appear to confirm that you wish to leave the password blank; click Yes. (Note, the password is left blank for running the class; you would always have a password in a production environment.)
18. In the Date And Time Settings screen, select your time zone, set the date and time, and click Next.
19. Windows 2003 will begin installing network configurations.
20. In the Windows Server 2003 Setup Network Settings screen, select Typical Settings. Click Next.
21. In the Windows Server 2003 Setup Workgroup or Computer Domain screen, select Workgroup and then click Next.
22. Windows Server 2003 will finalize installation and reboot the computer independently.
23. After the system reboots, press Ctrl+Alt+Delete.
24. In the Log On To Windows screen, type Administrator and leave the password blank. Click OK.
25. The Personalized Setting will finalize independently.
26. When prompted, insert the Windows Server 2003 disc 2 into the CD-ROM drive and click OK.
27. In the Windows Server 2003 R2 Setup Wizard screen, click Next when prompted. (Note, do not check the box to create a desktop shortcut.)
28. In the Setup Summary screen, click Next to copy the files.
29. Windows Server 2003 will update your system independently.
30. In the Completing Windows Server 2003 R2 Setup screen, click Finish.
31. In the Windows Server Post-Setup Security Updates screen, click Finish.
32. When the Windows Server 2003 Post-Setup Security Updates screen appears, click Yes to close this dialog box.
33. Ensure that the Don't Display This Page At Logon check box is not checked.
34. Close the Manage Your Server window.
35. Choose Start→Control Panel→Network Connections→Local Area Connection.
36. Select TCP/IP and click Properties.
37. Select the Use The Following IP Address radio button.
38. In the IP Address text box, type 172.X.X.X (your instructor will inform you what to enter in the last three octets based on your seat number). On the left side, your IP will be 172.16.x.x and on the right side, your IP will be 172.18.x.x.
39. In the Subnet Mask text box, type 255.255.0.0
40. In the Default Gateway text box, type 172.16.0.1 if you are on the left side and type 172.18.0.1 if you are on the right side (if you are unsure, ask your instructor which side you are on).
41. In the Preferred DNS Server text box, type 127.0.0.1 and click OK twice.
42. If you receive the Pop-Up Warning, click Yes.
43. Close the Local Area Connection Properties screen.

Installing Network Monitor


1. Choose Start→Control Panel→Add Or Remove Programs.
2. Click the Add/Remove Windows Components button.
3. In the Windows Components Wizard window, scroll down the list and highlight the Management And Monitoring Tools option.
4. Click the Details button.
5. Check the Network Monitor Tools check box and click OK.
6. In the Windows Components Wizard window, click Next.
7. If prompted to insert the CD, do so now and click OK. If you are not prompted for the CD, move on to the next step.
8. Click Finish once the install has completed.
9. Close the Add Or Remove Programs window.
10. Remove the Windows 2003 Server disc from your CD-ROM drive.

Installing Additional Tools for Windows 2003 Server


1. Insert the SCP Tools & Resources disc that was provided with your book into your CD-ROM drive.
2. Open the CD to show its contents.
3. Create a folder on the Windows partition C:\Tools.
4. Copy the files on the CD to C:\Tools.


Installing SUSE Linux Enterprise Server 10


1. The installation of SUSE LINUX ENTERPRISE 10 must be done after the installation of Windows Server 2003.
2. Insert the SUSE Linux Enterprise Server (SLES) 10 disc into the DVD-ROM drive.
3. Restart the computer with the SLES disc in the drive. This will begin the installation.
4. At the initial SLES install screen, select the Installation option, and press Enter. This step may take a few minutes while files are copied.
5. Select your language option and click Next. These steps are based on English (US).
6. Read the License Agreement, select the Yes, I Agree To The License Agreement radio button, and click Next.
7. Leave the radio button selected for New Installation and click Next.
8. Select your Region and Time Zone, and click Next.
9. Accept the default installation settings, and click Accept.
10. Read the prompt about formatting your partitions, then click Install.
11. While the files are loading, you can watch the progress bar on the right side of the screen. This will note the approximate time remaining to finish the installation. (Note: Based on your system, this may take many minutes.)
12. When the files have finished loading, your system may reboot. Remove the disc from the DVD-ROM drive. If you do not remove the disc, the system will re-enter install mode.
13. At the boot loader, select the SUSE Linux Enterprise Server 10 line, and press Enter. The install process will continue.
14. Enter LIN-XXX as your Hostname. Replace XXX with your seat number in the class. For example, LIN-L01 or LIN-R03.
15. Enter SCPXXX as your Domain Name. Replace XXX to match your seat number in the class as in the previous step. For example, SCPL01 or SCPR03.
16. Once the Hostname and Domain name are entered, click Next.
17. Enter QWERTY1 as the password, and confirm the password in the second text box. Click Next.
18. The Network Configuration screen will take a moment as Linux determines your system configuration. Once complete, click Network Interfaces to edit the settings on your NIC.
19. To manually configure your NIC, click the Edit button.
20. With the Address tab active, select the Static Address Setup radio button.
21. In the IP Address text box, type 172.x.x.x (your instructor will inform you what to enter in the last three octets; it is based on your seat in the classroom. If you are on the left side, this will be 172.16.x.x, and if you are on the right side, this will be 172.18.x.x.)
22. Change the subnet mask to 255.255.0.0, and then click the Routing button.
23. In the Default Gateway text box, type 172.16.0.1 if you are on the left side of the network, and type 172.18.0.1 if you are on the right side of the network. If you are unsure, please ask your instructor prior to entering any DG addresses.
24. Once the Default Gateway address is entered, click OK, and then click Next.
25. At the Network Card Configuration Overview, verify your IP Address and Subnet Mask, and then click Next.
26. At the Network Configuration screen, click Next. Networking services will now be installed and configured.
27. Select the No, Skip This Test radio button, and click Next.
28. Accept the default CA Management Installation Settings, and click Next.
29. Accept the default Authentication Method Of Local (/etc/passwd), and click Next.
30. In the New Local User screen, enter the following information:
   User's Full Name: SCP Test User
   Username: test1
   Password: 1test
   Confirm Password: 1test
   Click Next.
31. The system will now perform clean up of the installation. Read through the Release Notes, and then click Next.
32. Accept the default Hardware Configuration as it is detected, and click Next. If your system does not properly detect your hardware, you will need to locate the correct Linux drivers for your hardware. This setup guide does not include non-detected hardware environments.
33. The final setup files will be configured. Once done, you will see the Installation Completed screen. Click Finish to exit the Setup and log in to Linux.
34. After the files load, you will be at the login prompt. Enter root as the Username, and press Enter.
35. Enter QWERTY1 as the password, and press Enter. The default files will load, and you will now be logged into SUSE Linux Enterprise 10.

Installing Additional Tools for SUSE Linux Enterprise Server 10


1. Insert the SCP Tools & Resources disc that was provided with your book into your CD-ROM drive.
2. Open the CD to show its contents.
3. Use the Nautilus File Manager and navigate to the / directory.
4. Create a folder labeled Tools.
5. Copy the files from the CD to the /Tools folder.

Configuring Cisco Routers


Three Cisco routers are used in the classroom. The course is written based on the Cisco 2500 series, specifically the 2501, running IOS version 12.2 (with IPSec and SSH support). These routers can be easily found by many authorized resellers, and while they are not the most current Cisco routers, they work very well for the purposes of this class. There is no need to purchase or use newer routers for the classroom, but you are welcome to do so, if you so desire.

During the configuration of the CENTER router, you must enter the IP address of the gateway for the classroom. This is to allow Internet access for the classroom, and you must configure the CENTER router as per your environment, if Internet access is to be granted. Extensive routing configurations beyond what is listed here are not required for the class.

The LEFT router is for one half of the class to connect through. It should have the following configuration:

Hostname and Routername: LEFT
Access List Configuration:
Access-list 123 deny tcp any any eq 25
Access-list 123 permit ip any any
INT S0: ip access-group 123 in

The CENTER router is for the Instructor to connect to the class. It should have the following configuration:

Hostname and Routername: CENTER
Access List Configuration:
Access-list 155 deny tcp any any eq 20
Access-list 155 deny tcp any any eq 21
Access-list 155 permit ip any any
INT S0: ip access-group 155 in
INT S1: ip access-group 155 in

The RIGHT router is for the other half of the class to connect through. It should have the following configuration:

Hostname and Routername: RIGHT
Access List Configuration:
Access-list 145 deny tcp any any eq 25
Access-list 145 permit ip any any
INT S1: ip access-group 145 in

The detailed configuration procedures are listed here in three main categories:

Physical configuration
Router setup
Access list configuration

Physical Router Configuration


The LEFT router is to be connected to the CENTER router via a Cisco serial cable. The RIGHT router is also to be connected to the CENTER router via a Cisco serial cable. All Ethernet connections are to be made through standard 10/100 BaseT cables.

1. Study the class setup diagram provided in Classroom Configuration.
2. Physically connect the three routers to each other, using serial crossover cables, so that the router designated as CENTER controls the clock rate. To do this, connect the DCE end of the serial cable to the serial interfaces on the CENTER router and the DTE ends to the LEFT's and RIGHT's appropriate serial interfaces.
3. Connect the Ethernet interface on the CENTER router to the instructor machine via a crossover Ethernet cable.
4. Connect the Ethernet interfaces on the LEFT and RIGHT routers to their respective hubs serving their side of the classroom.

Before You Start the Router Setup


All routers should be cleared of any configs before setting up the class. If you have a configured router but you don't know the password, perform the following steps:

1. Console into the router.
2. Enter the sh ver command, and record the configuration register setting (usually 0x2102).
3. Power down the router, and then power it back up.
4. After the amount of main memory is displayed, press the Break key (or Ctrl+Break). You should see the > prompt with no router name.
5. Enter o/r 0x42 to boot from flash or o/r 0x41 to boot from the CD-ROM. Typically, you would boot from flash if it were intact.
6. Enter i to force the router to reboot and ignore its saved config.
7. Answer no to all setup questions.
8. When the Router> prompt is displayed, enter enable to switch to enable mode. The Router# prompt should now be displayed.
9. Once you are in enable mode, you can view and change the password, and you can erase the config. To view the password, enter show config at the Router# prompt.
10. To change the password, from the Router# prompt:
   a. Enter config mem to copy NVRAM to mem.
   b. Enter wr term
   c. Enter config term to enter config mode. The Router(config)# prompt is now displayed.
   d. If an enable secret password is set, enter enable secret newpassword, or if there is no enable secret password, enter enable password newpassword, where newpassword is the new password you want to use.
   e. To exit config mode, press Ctrl+Z. The Router# prompt is now displayed.
   f. Enter write mem to commit the changes to mem. You should now be able to console in and configure the router.
11. To erase the config, from the Router# prompt:
   a. Enter write erase
   b. Enter config term to enter config mode. The Router(config)# prompt is now displayed.
   c. Enter config-register 0x2102 or whatever the configuration register setting was when you began.
   d. To exit config mode, press Ctrl+Z. The Router# prompt is now displayed.
   e. Enter reload
   f. When you are prompted to save the modified system configuration, enter y
   g. When you are prompted to proceed with the reload, enter y

Setup for CENTER Router


The CENTER router is used by the instructor to connect to the rest of the class. To set up the CENTER router:

1. Boot up the router and console into it. You should be prompted to enter the initial configuration dialog. (If you are not, follow the procedures listed previously in the Before You Start the Router Setup section.)
2. When you are prompted:
   a. To enter the initial configuration dialog, enter y
   b. To enter basic management setup, enter n
   c. As to whether you want to see the current interface summary, press Enter.
   d. To enter the host name for [Router], enter CENTER
   e. To enter the enable secret password, enter instructor
   f. To enter the enable password, enter cisco1
   g. To enter the virtual terminal password, enter 2501
   h. To configure SNMP network management, enter n
   i. To configure LAT, enter n
   j. To configure bridging, press Enter to accept the default of No.
   k. To configure AppleTalk, press Enter to accept the default of No.
   l. To configure DECnet, press Enter to accept the default of No.
   m. To configure IP, press Enter to accept the default of Yes.
   n. To configure IGRP routing, enter n
   o. To configure RIP routing, enter y
   p. To configure CLNS, press Enter to accept the default of No.
   q. To configure IPX, press Enter to accept the default of No.
   r. To configure Vines, press Enter to accept the default of No.
   s. To configure XNS, press Enter to accept the default of No.
   t. To configure Apollo, press Enter to accept the default of No.
   u. If you are prompted to configure BRI, select switch type 0.
   v. To configure the Ethernet0 interface, press Enter to accept the default of Yes.
   w. To configure IP on this interface, press Enter to accept the default of Yes.
   x. For the IP address for this interface, enter 172.17.0.1
   y. For the subnet mask for this interface, press Enter to accept the default of 255.255.0.0.
   z. To configure the Serial0 interface, press Enter to accept the default of Yes.
   aa. To configure IP on this interface, press Enter to accept the default of Yes.
   ab. To configure IP unnumbered on this interface, press Enter to accept the default of No.
   ac. For the IP address for this interface, enter 192.168.20.2
   ad. For the subnet mask for this interface, press Enter to accept the default of 255.255.255.0.
   ae. To configure the Serial1 interface, press Enter to accept the default of Yes.
   af. To configure IP on this interface, press Enter to accept the default of Yes.
   ag. To configure IP unnumbered on this interface, press Enter to accept the default of No.
   ah. For the IP address for this interface, enter 192.168.10.2
   ai. For the subnet mask for this interface, press Enter to accept the default of 255.255.255.0.
   aj. If you are prompted to configure any other serial interfaces, enter n until a configuration command script is generated, and you are prompted to make a selection regarding the next action.
   ak. To enter your selection, press Enter to accept the default of 2. You should see a message indicating that the router is building the configuration. When the configuration build is complete, an OK message is displayed.
   al. To press RETURN to get started, press Enter. The CENTER> prompt should now be displayed.
3. At the CENTER> prompt, enter en to activate enable mode.
4. When you are prompted for the password, enter instructor and the CENTER# prompt should now be displayed.
5. At the CENTER# prompt, enter conf t to enter config mode. The CENTER(config)# prompt should now be displayed.
6. At the CENTER(config)# prompt:
   a. Enter no ip domain lookup
   b. Enter int s0 and the CENTER(config-if)# prompt should now be displayed.
7. At the CENTER(config-if)# prompt:
   a. Enter no shut
   b. Enter clo ra 4000000
   c. Enter ban 10000000
   d. Enter int s1
   e. Enter no shut
   f. Enter clo ra 4000000
   g. Enter ban 10000000
   h. Enter exit and the CENTER(config)# prompt is now displayed.
8. At the CENTER(config)# prompt:
   a. Enter ip route 0.0.0.0 0.0.0.0 a.b.c.d (note you must replace a.b.c.d with the gateway to get out of the network to the Internet).
   b. Enter exit and the CENTER# prompt is now displayed.
9. At the CENTER# prompt:
   a. Enter sh run and you should see a message indicating that the router is building the configuration.
   b. Enter copy ru st
10. When you are prompted for a destination filename, press Enter to accept the default of startup-config. You should again see a message indicating that the router is building the configuration.


Setup for LEFT Router


The LEFT router is used by half of the students to connect to the rest of the class. To set up the LEFT router:

1. Boot up the router and console into it. You should be prompted to enter the initial configuration dialog. (If you are not, follow the procedures listed previously in the Before You Start the Router Setup section.)
2. When you are prompted:
   a. To enter the initial configuration dialog, enter y
   b. To enter basic management setup, enter n
   c. As to whether you want to see the current interface summary, press Enter.
   d. To enter the host name for [Router], enter LEFT
   e. To enter the enable secret password, enter cisco
   f. To enter the enable password, enter cisco1
   g. To enter the virtual terminal password, enter 2501
   h. To configure SNMP network management, enter n
   i. To configure LAT, enter n
   j. To configure bridging, press Enter to accept the default of No.
   k. To configure AppleTalk, press Enter to accept the default of No.
   l. To configure DECnet, press Enter to accept the default of No.
   m. To configure IP, press Enter to accept the default of Yes.
   n. To configure IGRP routing, enter n
   o. To configure RIP routing, enter y
   p. To configure CLNS, press Enter to accept the default of No.
   q. To configure IPX, press Enter to accept the default of No.
   r. To configure Vines, press Enter to accept the default of No.
   s. To configure XNS, press Enter to accept the default of No.
   t. To configure Apollo, press Enter to accept the default of No.
   u. If you are prompted to configure BRI, select switch type 0.
   v. To configure the Ethernet0 interface, press Enter to accept the default of Yes.
   w. To configure IP on this interface, press Enter to accept the default of Yes.
   x. For the IP address for this interface, enter 172.16.0.1
   y. For the subnet mask for this interface, press Enter to accept the default of 255.255.0.0.
   z. To configure the Serial0 interface, press Enter to accept the default of Yes.
   aa. To configure IP on this interface, press Enter to accept the default of Yes.
   ab. To configure IP unnumbered on this interface, press Enter to accept the default of No.
   ac. For the IP address for this interface, enter 192.168.10.1
   ad. For the subnet mask for this interface, press Enter to accept the default of 255.255.255.0.
   ae. To configure the Serial1 interface, enter n
   af. If you are prompted to configure any other serial interfaces, enter n until a configuration command script is generated, and you are prompted to make a selection regarding the next action.
   ag. To enter your selection, press Enter to accept the default of 2. You should see a message indicating that the router is building the configuration. When the configuration build is complete, an OK message is displayed.
   ah. To press RETURN to get started, press Enter. The LEFT> prompt should now be displayed.
3. At the LEFT> prompt, enter en to activate enable mode.
4. When you are prompted for the password, enter cisco and the LEFT# prompt should now be displayed.
5. At the LEFT# prompt, enter conf t to enter config mode. The LEFT(config)# prompt should now be displayed.
6. At the LEFT(config)# prompt:
   a. Enter no ip domain lookup
   b. Enter int s0 and the LEFT(config-if)# prompt should now be displayed.
7. At the LEFT(config-if)# prompt:
   a. Enter no shut
   b. Enter ban 10000000
   c. Enter exit and the LEFT(config)# prompt is now displayed.
8. At the LEFT(config)# prompt:
   a. Enter ip route 0.0.0.0 0.0.0.0 192.168.10.2
   b. Enter exit and the LEFT# prompt is now displayed.
9. At the LEFT# prompt:
   a. Enter sh run and you should see a message indicating that the router is building the configuration.
   b. Enter copy ru st
10. When you are prompted for a destination filename, press Enter to accept the default of startup-config. You should again see a message indicating that the router is building the configuration.

Setup for RIGHT Router


The RIGHT router is used by half of the students to connect to the rest of the class. To set up the RIGHT router:

1. Boot up the router and console into it. You should be prompted to enter the initial configuration dialog. (If you are not, follow the procedures listed previously in the Before You Start the Router Setup section.)
2. When you are prompted:
   a. To enter the initial configuration dialog, enter y
   b. To enter basic management setup, enter n
   c. As to whether you want to see the current interface summary, press Enter.
   d. To enter the host name for [Router], enter RIGHT
   e. To enter the enable secret password, enter cisco
   f. To enter the enable password, enter cisco1
   g. To enter the virtual terminal password, enter 2501
   h. To configure SNMP network management, enter n
   i. To configure LAT, enter n
   j. To configure bridging, press Enter to accept the default of No.
   k. To configure AppleTalk, press Enter to accept the default of No.
   l. To configure DECnet, press Enter to accept the default of No.
   m. To configure IP, press Enter to accept the default of Yes.
   n. To configure IGRP routing, enter n
   o. To configure RIP routing, enter y
   p. To configure CLNS, press Enter to accept the default of No.
   q. To configure IPX, press Enter to accept the default of No.
   r. To configure Vines, press Enter to accept the default of No.
   s. To configure XNS, press Enter to accept the default of No.
   t. To configure Apollo, press Enter to accept the default of No.
   u. If you are prompted to configure BRI, select switch type 0.
   v. To configure the Ethernet0 interface, press Enter to accept the default of Yes.
   w. To configure IP on this interface, press Enter to accept the default of Yes.
   x. For the IP address for this interface, enter 172.18.0.1
   y. For the subnet mask for this interface, press Enter to accept the default of 255.255.0.0.
   z. To configure the Serial0 interface, enter n
   aa. To configure the Serial1 interface, press Enter to accept the default of Yes.
   ab. To configure IP on this interface, press Enter to accept the default of Yes.
   ac. To configure IP unnumbered on this interface, press Enter to accept the default of No.
   ad. For the IP address for this interface, enter 192.168.20.1
   ae. For the subnet mask for this interface, press Enter to accept the default of 255.255.255.0.
   af. If you are prompted to configure any other serial interfaces, enter n until a configuration command script is generated, and you are prompted to make a selection regarding the next action.
   ag. To enter your selection, press Enter to accept the default of 2. You should see a message indicating that the router is building the configuration. When the configuration build is complete, an OK message is displayed.
   ah. To press RETURN to get started, press Enter. The RIGHT> prompt should now be displayed.
3. At the RIGHT> prompt, enter en to activate enable mode.
4. When you are prompted for the password, enter cisco and the RIGHT# prompt should now be displayed.
5. At the RIGHT# prompt, enter conf t to enter config mode. The RIGHT(config)# prompt should now be displayed.
6. At the RIGHT(config)# prompt:
   a. Enter no ip domain lookup
   b. Enter int s1 and the RIGHT(config-if)# prompt should now be displayed.
7. At the RIGHT(config-if)# prompt:
   a. Enter no shut
   b. Enter ban 10000000
   c. Enter exit and the RIGHT(config)# prompt is now displayed.
8. At the RIGHT(config)# prompt:
   a. Enter ip route 0.0.0.0 0.0.0.0 192.168.20.2
   b. Enter exit and the RIGHT# prompt is now displayed.
9. At the RIGHT# prompt:
   a. Enter sh run and you should see a message indicating that the router is building the configuration.
   b. Enter copy ru st
10. When you are prompted for a destination filename, press Enter to accept the default of startup-config. You should again see a message indicating that the router is building the configuration.

Configuring the Access Lists


After the initial router setup and the basic configuration have been completed on all three routers, you need to enter the access lists for each of the routers. To do so:

1. To complete the LEFT Router Access Lists:
   a. At the LEFT# prompt, enter conf t to switch to config mode. The LEFT(config)# prompt is now displayed.
   b. At the LEFT(config)# prompt, enter access-list 123 deny tcp any any eq 25
   c. At the LEFT(config)# prompt, enter access-list 123 permit ip any any
   d. At the LEFT(config)# prompt, enter int S0 to configure the interface. The LEFT(config-if)# prompt is now displayed.
   e. At the LEFT(config-if)# prompt, enter ip access-group 123 in
   f. At the LEFT(config-if)# prompt, press Ctrl+Z to leave config mode. The LEFT# prompt is now displayed.
   g. At the LEFT# prompt, enter copy ru st and save the configuration changes to startup-config.

2. To complete the RIGHT Router Access Lists:
   a. At the RIGHT# prompt, enter conf t to switch to config mode. The RIGHT(config)# prompt is now displayed.
   b. At the RIGHT(config)# prompt, enter access-list 145 deny tcp any any eq 25
   c. At the RIGHT(config)# prompt, enter access-list 145 permit ip any any
   d. At the RIGHT(config)# prompt, enter int S1 to configure the interface. The RIGHT(config-if)# prompt is now displayed.
   e. At the RIGHT(config-if)# prompt, enter ip access-group 145 in
   f. At the RIGHT(config-if)# prompt, press Ctrl+Z to leave config mode. The RIGHT# prompt is now displayed.
   g. At the RIGHT# prompt, enter copy ru st and save the configuration changes to startup-config.

3. To complete the CENTER Router Access Lists:
   a. At the CENTER# prompt, enter conf t to switch to config mode. The CENTER(config)# prompt is now displayed.
   b. At the CENTER(config)# prompt, enter access-list 155 deny tcp any any eq 20
   c. At the CENTER(config)# prompt, enter access-list 155 deny tcp any any eq 21
   d. At the CENTER(config)# prompt, enter access-list 155 permit ip any any
   e. At the CENTER(config)# prompt, enter int S1 to configure the S1 interface. The CENTER(config-if)# prompt is now displayed.
   f. At the CENTER(config-if)# prompt, enter ip access-group 155 in
   g. At the CENTER(config-if)# prompt, enter int S0 to configure the S0 interface.
   h. At the CENTER(config-if)# prompt, enter ip access-group 155 in
   i. At the CENTER(config-if)# prompt, press Ctrl+Z to leave config mode. The CENTER# prompt is now displayed.
   j. At the CENTER# prompt, enter copy ru st and save the configuration changes to startup-config.

4. Test the classroom setup, and troubleshoot as necessary. Once physical connectivity issues have been sorted out, you should be able to ping from one side of the classroom to the other. Specifically, the instructor machine should be able to ping every student machine and vice versa. Student machines from the left side of the classroom should be able to ping student machines on the right side of the classroom and vice versa.
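As an added worked example (it is not part of the course materials), the following Python script evaluates the three access lists entered above with IOS first-match semantics against constructed packets, so you can predict what the ping test in step 4 should show before running it. The ACL lines are copied from the lab steps; the packet addresses, the left-side subnet 172.16.0.0/16, and the order in which a left-to-right packet crosses the inbound interfaces (CENTER S0, then RIGHT S1) are assumptions, since the lab only gives RIGHT's addressing.

```python
"""Added example, not part of the course's lab materials: a first-match
evaluator for the numbered extended access lists entered in the steps above,
run against constructed packets to predict what each classroom router will
pass and drop before the ping test. The ACL lines are the lab's; every packet,
address and the hop order below is constructed for the example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None   # destination port; None for icmp


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol, otherwise tcp/udp/icmp
    dport: Optional[int] = None   # the "eq N" clause; None means any destination port


def parse_acl(lines: List[str]) -> Tuple[int, List[Rule]]:
    """Parse lines of the form the lab uses:
    access-list N {permit|deny} PROTO any any [eq PORT]
    Only the 'any any' source/destination form is handled, since that is all the lab uses."""
    number, rules = None, []
    for line in lines:
        p = line.split()
        if p[0] != "access-list" or p[4:6] != ["any", "any"]:
            raise ValueError(f"unsupported ACL line: {line}")
        number = int(p[1])
        port = int(p[7]) if len(p) > 7 and p[6] == "eq" else None
        rules.append(Rule(p[2], p[3], port))
    return number, rules


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """IOS semantics: rules are tested top to bottom, the first match wins,
    and a packet that matches nothing hits the implicit 'deny any any'."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return "deny"


# The lab's access lists, keyed by the interface each is applied to inbound.
LAB_ACLS = {
    "LEFT S0 in": parse_acl(["access-list 123 deny tcp any any eq 25",
                             "access-list 123 permit ip any any"])[1],
    "CENTER S0 in": parse_acl(["access-list 155 deny tcp any any eq 20",
                               "access-list 155 deny tcp any any eq 21",
                               "access-list 155 permit ip any any"])[1],
    "RIGHT S1 in": parse_acl(["access-list 145 deny tcp any any eq 25",
                              "access-list 145 permit ip any any"])[1],
}
LAB_ACLS["CENTER S1 in"] = LAB_ACLS["CENTER S0 in"]   # same list bound to both serial interfaces


def first_drop(path: List[str], pkt: Packet) -> Optional[str]:
    """Walk the inbound interfaces a packet crosses, in order, and return the
    first one whose ACL denies it, or None if every hop permits it."""
    for hop in path:
        if evaluate(LAB_ACLS[hop], pkt) == "deny":
            return hop
    return None


# Constructed traffic from a left-side student PC to a right-side PC. The left
# subnet and the hop order are assumed; only RIGHT's 172.18.0.0/16 is in the lab.
LEFT_TO_RIGHT = ["CENTER S0 in", "RIGHT S1 in"]
ping = Packet("icmp", "172.16.0.10", "172.18.0.10")
ftp = Packet("tcp", "172.16.0.10", "172.18.0.10", 21)
smtp = Packet("tcp", "172.16.0.10", "172.18.0.10", 25)
http = Packet("tcp", "172.16.0.10", "172.18.0.10", 80)

if __name__ == "__main__":
    for name, pkt in [("ping", ping), ("ftp", ftp), ("smtp", smtp), ("http", http)]:
        print(f"{name:5s} -> dropped at {first_drop(LEFT_TO_RIGHT, pkt)}")
    # The mistake the ping test in step 4 is meant to catch: leave out the final
    # 'permit ip any any' and the implicit deny blocks everything, pings included.
    _, deny_only = parse_acl(["access-list 123 deny tcp any any eq 25"])
    print("ping with the permit line forgotten:", evaluate(deny_only, ping))
```

Two things the script makes visible: each list only inspects traffic arriving inbound on the serial interface it is bound to, so the ping test exercises the lists only for traffic that crosses the WAN links; and a list with no permit line ends at the implicit deny, so skipping the permit ip any any step blocks everything, including the pings you are told to expect.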

List of Additional Files


Printed with each lesson is a list of files students open to complete the tasks in that lesson. Many tasks also require additional files that students do not open, but that are needed to support the file(s) students are working with. These supporting files are included with the student data files on the course CD-ROM or data disk. Do not delete these files.

HOW TO USE THIS BOOK


You can use this book as a learning guide, a review tool, and a reference.

As a Learning Guide
Each lesson covers one broad topic or set of related topics. Lessons are arranged in order of increasing proficiency with Tactical Perimeter Defense; skills you acquire in one lesson are used and developed in subsequent lessons. For this reason, you should work through the lessons in sequence. We organized each lesson into explanatory topics and step-by-step activities. Topics provide the theory you need to master Tactical Perimeter Defense; activities allow you to apply this theory to practical hands-on examples. You get to try out each new skill on a specially prepared sample file. This saves you typing time and allows you to concentrate on the technique at hand. Through the use of sample files, hands-on activities, illustrations that give you feedback at crucial steps, and supporting background information, this book provides you with the foundation and structure to learn about Tactical Perimeter Defense quickly and easily.

As a Review Tool
Any method of instruction is only as effective as the time and effort you are willing to invest in it. For this reason, we encourage you to spend some time reviewing the book's more challenging topics and activities.

As a Reference
You can use the Concepts sections in this book as a first source for definitions of terms, background information on given topics, and summaries of procedures.


LESSON 1
Network Defense Fundamentals

Data Files: none
Lesson Time: 2 hours

Overview
In this lesson, you will be introduced to the core concepts of network security. You will examine the technologies of defending a network, and how those technologies may be used to create a layered defense of the network. You will also identify the foundations of network auditing.

Objectives
To define the concepts of defending a modern complex network, you will:

1A Describe the five keys of network security. Given a network scenario, you will describe how the five keys of network security are integrated in a modern operational network.

1B Describe the concepts of defensive technologies in creating a layered defense. Given a network analogy of a fortified castle, you will identify the function of defensive technologies in creating a secure layered defense.

1C Describe the objectives of access control methods. Given a network scenario, you will describe the available access control methods and how they are implemented in the defense of the network.

1D Identify the impact of a layered defense on the performance of the network. Given a network where a layered defensive system has been implemented, you will identify the performance impact of each layer on accessing resources in the network.

1E Define concepts of auditing in a network. Given a network scenario, you will examine the concepts of network auditing, including handling of data and types of audits.


Topic 1A
Network Defense
In today's world, it is getting easier for attackers to infiltrate private networks. They have access to more tools and more powerful computers, and there are more networks to target. Sadly, many organizations simply do not take this threat seriously. They do not see the driving force to create a secure network. They do not see the need to spend money on a defense for their electronic assets. But the need is very real. Every year, the Computer Security Institute (CSI) and the Federal Bureau of Investigation (FBI) perform a survey of businesses, looking into the financial losses from theft of proprietary information and other causes. Although only a handful of the companies who participate in this survey have estimated their losses, the total has been in the tens to hundreds of millions of dollars. What makes these numbers even more serious is the fact that these are voluntary reports, and only a small number of businesses are involved. Many organizations are not eager, even in an anonymous setting, to disclose any losses due to computer crime. Even so, there is an obvious pattern here. The attacks against networks are getting more serious, with a greater loss to the business world than ever before. Even as organizations start to become more security conscious, the number of attackers grows. Clearly, defense is needed, and it is needed now.

Network systems allow authorized users to access the enterprise's information technology assets quickly, through seemingly secure methods. But as remote sites are interconnected to enterprise networks through the Internet over non-dedicated lines, many unauthorized users get connected and have access as well. Users may be naive at times about network security, because the assumption is often made that systems are needed, and are operational, to do their jobs. If they are on, some assume, they are secure. But administrators know that security is a real issue to address, and no assumptions are going to make network security magically happen.

They know that carefully planned steps must be taken to build a secure network system environment, where business transactions and support functions can occur within a system built on trust. They should have complete confidence in its security. Network security must become a strategic initiative within the enterprise. It must begin as an integral part of the strategic planning process that leads to strategic action plans, resulting in budgeted tactical projects to initiate and implement network security. The defense of the network starts with the basic security issues all networks must address. These key issues are detailed in the upcoming sections.
network: Two or more machines interconnected for communications.

threat: The means through which the ability or intent of a threat agent to adversely affect an automated system, facility, or operation can be manifest. A potential violation of security.

security: A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.

network security: Protection of networks and their services from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side effects. Network security includes providing for data integrity.


Five Key Issues of Network Security


The five key issues of network security are:

Authorization and availability
Authentication
Confidentiality
Integrity
Non-repudiation

Authorization and Availability


First and foremost, network security systems must be operationally available in order to control who has access to what information technology (IT) assets, resources, files, directories, and processes within the network. The security must limit user privileges to minimize the risk of unauthorized access to sensitive information and areas of the network that only authorized users should be allowed to access. Additionally, it must make network systems available through the diligent exercise of security, but never hinder the performance of the network system in serving the authorized user. Authorization and availability also create system assurance, which ensures that:

Systems are available, with required functionality present and correctly configured, on an ongoing basis.

There are adequate controls to protect against unauthorized user access and unintentional errors by users or software.

There are security measures in place to deter or stop intentional exploits by attackers.

availability: Assuring information and communications services will be ready for use when expected.

Assurance is absolutely necessary because without it, the other objectives of security will be difficult to meet. However, assurance cannot be a one-time promise but must be an ongoing effort to be most effective.

Authentication
After controlling who has access, even authorized users must be authenticated to verify and prove their identity. Authentication verifies that users are who they say they are. In data communications, authenticating the sender is necessary to verify that the data came from the right source. The receiver is authenticated as well, to verify that the data is going to the right destination. Public Key Infrastructure (PKI) is one of the best ways to ensure authentication, through digital certificates and digital signatures. The number of factors used to show the identity of the user through authentication, or to prove the identity of the user through strong authentication, determines how effective authentication can be. The three factors are:

One-factor authentication provides what you know, such as a password or PIN. It is strictly based on recalling a piece of information from one's own memory or from writing it down (but that would defeat the purpose of providing only authorized access to networks based on using a password).

Two-factor authentication provides what you have in addition to what you know. Examples are a proximity card for door entry or an ATM card with a PIN. An RSA SecurID token used in conjunction with a pass code, or a smart card that carries all your security credentials in a secure way with a PIN used to access the credentials, are second factors.

The third factor that provides strong authentication is proving the user's identity, or who you are, by using biometrics. Biometrics uses a physiological characteristic to identify you, such as a fingerprint, retina scan, hand geometry, voice recognition, or iris scan, or a behavioral characteristic, such as keystroke recognition or signature recognition. It results in strong authentication, because users not only verify their digital identity through what they know and what they have, but they also prove their physical identity by verifying their biometric characteristics.

authentication: To positively verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.
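The two-factor case described above, as an added example that is not part of the course: a login check that requires both "what you know" (a password, verified against a salted PBKDF2 hash rather than stored in the clear) and "what you have" (a six-digit time-based one-time code, RFC 6238 TOTP, standing in for the hardware token the text names). The user record, its salt and token seed, and the clock values are constructed for the example; the seed is the RFC 4226 test secret, so the expected codes are the published test vectors.

```python
"""Added example, not from the course: a two-factor login check combining
'what you know' (a password verified against a salted PBKDF2 hash) with
'what you have' (an RFC 6238 time-based one-time code standing in for a
hardware token). The user record, salt, token seed and clock values are
constructed for the example."""
import hashlib
import hmac
import struct
from typing import Dict

PBKDF2_ITERATIONS = 200_000
TOTP_STEP = 30   # seconds each code is valid for


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; store only the salt and this hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time."""
    return hotp(secret, now // TOTP_STEP, digits)


def verify_login(record: Dict, password: str, code: str, now: int, skew_steps: int = 1) -> bool:
    """Accept only if both factors pass. Both factors are always evaluated (no
    short-circuit) and compared in constant time, so a failure does not reveal
    which one was wrong. The code is accepted for the current time step and
    `skew_steps` steps either side, to tolerate clock drift on the token."""
    knows = hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"])
    counter = now // TOTP_STEP
    has = False
    for c in range(counter - skew_steps, counter + skew_steps + 1):
        # '|=' rather than 'or' so every candidate is computed regardless of outcome
        has |= hmac.compare_digest(hotp(record["totp_secret"], c), code)
    return knows and has


# Constructed user record: a fixed salt, and the RFC 4226 test secret as the token seed.
SALT = bytes.fromhex("5f1c9a2b6e8d4c3a1f0e7b6a5d4c3b2a")
TOTP_SECRET = b"12345678901234567890"
USER = {
    "salt": SALT,
    "pw_hash": hash_password("correct horse battery", SALT),
    "totp_secret": TOTP_SECRET,
}

if __name__ == "__main__":
    t = 59   # RFC 6238 test time: falls in counter 1, whose code is 287082
    print("code now:", totp(TOTP_SECRET, t))
    print("good password + good code:", verify_login(USER, "correct horse battery", "287082", t))
    print("good password + bad code :", verify_login(USER, "correct horse battery", "000000", t))
    print("bad password  + good code:", verify_login(USER, "wrong", "287082", t))
```

The skew window is the usual trade-off with a time-based second factor: widening it tolerates a token whose clock has drifted, but every extra step is another valid code an attacker can guess, so keep it small and rate-limit attempts.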

Confidentiality
Data communications, as well as email, need to be protected for privacy and confidentiality. Network security must provide a secure channel for the transmission of data and email that does not allow eavesdropping by unauthorized users. Data confidentiality ensures the privacy of data on the network system. PKI can provide what is required to ensure the confidentiality and privacy of communications and data transmissions across networks. The following are the four basic types of information or data that require confidentiality:

Information that reveals technical data or source information. For example, the model number and software version of your firewall should be kept confidential, because divulging them may give a potential attacker or hacker an advantage in exploiting your system.

Information that is time dependent. It may be confidential only for a given amount of time, and may have no significance as private information after that, but until then it must be kept confidential.

Information that reveals organizational or system relationships, which through divulgence may give unauthorized users a channel for social engineering exploits or other opportunities.

Information that is private and confidential in its own right: information that may be crucial to the operations of the enterprise, and whose divulgence would surely give an attacker an easy exploitation opportunity.

confidentiality: Assuring information will be kept secret, with access limited to appropriate persons.

firewall: A system or combination of systems that enforces a boundary between two or more networks. Gateway that limits access between networks in accordance with local security policy. The typical firewall is an inexpensive micro-based Unix box kept clean of critical data, with many modems and public network ports on it, but just one carefully watched connection back to the rest of the cluster.

hacker: A person who enjoys exploring the details of computers and how to stretch their capabilities. A malicious or inquisitive meddler who tries to discover information by poking around. A person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users who prefer to learn the necessary minimum.


Integrity
Integrity is a security principle that ensures the continuous accuracy of data and information stored within network systems. Continuity of data integrity is paramount. Data must be kept from unauthorized modification, forgery, or any other form of corruption, whether from malicious threats or from accidental corruption. Upon receiving an email or data communication, integrity must be verified to ensure that the message has not been altered, modified, added to, or subtracted from by unauthorized users while in transit. Again, PKI will ensure the integrity of messages through digital certificates and digital signatures over message digests. Integrity has two main objectives:

Data integrity ensures that the data has not been altered in an unauthorized manner while in transit, during storage, or while being processed.

System integrity ensures that a system, while performing its intended processes and applications, provides support to authorized users free from unauthorized manipulation.

integrity: Assuring information will not be accidentally or maliciously altered or destroyed.

Non-repudiation
Security must be established to prevent parties in a data transaction from denying their participation after the business transaction has occurred. Through PKI, the sender as well as the receiver are authenticated with regard to their respective identities, and the transaction is time stamped in a tamperproof way, to ensure non-repudiation by both parties. This establishes accountability for the transaction itself for all parties involved. The three types of repudiation (or denial) to prevent are:

Repudiation of origin, by the message creator who denies ever creating or writing the message itself.

Repudiation of receipt, by the receiver who denies ever receiving the message even after receiving it.

Repudiation of submission, as to the time and date of the actual submission. The time stamp helps establish non-repudiation of submission.

non-repudiation: Method by which the sender of data is provided with proof of delivery and the recipient is assured of the senders identity, so that neither can later deny having processed the data.

The Threats to Security


Threats can come from myriad sources in our connected world. The Internet is not the only threat. An organization has to consider employees, contractors, and even the cleaning staff! Any of these people could potentially be a threat, and cause damage.


Malicious threats are intentional in nature and can come from either internal or external users. When unauthorized users attempt to find vulnerabilities in a network system, and find them, they present themselves as a malicious threat trying to get access by whatever means are available. A successful unauthorized access event is called an active threat. The malicious threat has now gained unauthorized access into your network and will exploit whatever assets can be accessed. Once access is gained, the exploit can manifest itself as a passive or an active threat. As a passive threat, the accessed data is viewed or intercepted but not modified. It does not change the operation or the state of the system.
passive threat: The threat of unauthorized disclosure of information without changing the state of the system. A type of threat that involves the interception, not the alteration, of information.

If the data is intercepted and modied by an unauthorized user, it is said to be an active threat. It may also change the operation of or state of the system itself.

breach: The successful defeat of security controls which could result in a penetration of the system. A violation of controls of a particular information system such that information assets or system components are unduly exposed.

Whether accidental or malicious, the threat can come from either internal or external users, and from authorized or unauthorized users. Surveys have consistently shown that of all respondents who reported a security breach within the past year, close to 60 percent of these breaches were caused by inside users accessing unauthorized resources, and over 40 percent blamed accounts left open after an employee had left the company. Of all respondents, 20 percent reported that their companies were victims of an attempted or successful break-in by an angry former employee. Also, during most economic slowdowns, companies lay off employees in increasing numbers each week. Such breaches will only get worse during these periods. Network security administrators must:

Realize how to minimize, or mitigate, the effects of current and future threats upon their network.

Realize what defensive strategies and techniques must be implemented to keep networks secure.

This should be done to ensure the privacy, confidentiality, and protection of sensitive data and information technology assets.

Defensive Strategies
If all threats to a network system were known, as well as all the vulnerabilities of the system itself, then a specific defensive posture could be deployed to guard and secure the system. It could even be a static defensive posture with definitive controls in place, because the exact threat would be known. Perimeter security using a firewall is a good example of a static defensive posture. The threat is assumed to be known, and rules are generated to allow the firewall to work. Unfortunately, if the threat is not known, any such assumption can be fatal to the network. Administrators must take into consideration the following points when addressing and creating a defensive posture for the enterprise network.

Defense-in-Depth
Defense-in-Depth states that all information technology assets within a protected network need to have the necessary amount of security protection to guard against direct attacks, at whatever level the asset resides within the network. The assumption cannot be made that a firewall or some sort of all-encompassing perimeter security is enough to protect all information technology assets within the network.


Active Defense-in-Depth
An Active Defense-in-Depth is necessary as a defensive posture to think creatively and counter any and every threat, whether known or unknown. It is an active defense that changes its defensive posture based on the threat. Its defensive assets are able to flex in any direction, based on the disposition of the threat. The basis for Active Defense-in-Depth is the concept of Defense-in-Depth. The requirement for securing network systems and their information technology assets against all current and future threats compels us to use multiple layers of security techniques that provide overlapping protection against attackers, hackers, and any other malicious threat that may attempt an exploit. This is a core requirement for any network taking active measures to protect its assets.

This strategy not only recognizes the value of Defense-in-Depth, which states that every information technology asset within the network must have its own necessary and adequate protection, but it is also an active defense that takes whatever actions are necessary to stop the threat through multiple layers of security, including firewalls, intrusion detection, monitoring devices, and other network security techniques. It recognizes that, due to the highly interactive nature of the various systems and networks, no single system can be secured adequately unless all interconnecting systems are also secured adequately. It must take into consideration the context of a shared-risk environment that dictates protection of IT systems at all levels, because of the interactive and interconnected nature of today's systems and networks. The strategy calls for the use of multiple, overlapping protection approaches to ensure that the failure or bypass of any individual protection approach will not leave the system unprotected.

Through user training and awareness, well thought-out and planned policies, procedures, and processes, as well as redundancy of protection mechanisms, the Active Defense-in-Depth strategy ensures the effective protection of information technology assets so that the objective and purpose of the mission can be accomplished. An Active Defense-in-Depth addresses the largest vulnerability or the most dangerous threat first. The additional layers of security can take care of the remainder of the threats. Anything else is less of a threat, and many times the perimeter defense with firewalls can take care of the everyday types of threats. There is a general flow to the Active Defense-in-Depth strategy. The first area is to advance the users' security knowledge via training. Users must realize that the upcoming changes in the network are there to protect them, and if they are required to act differently while online, then they must follow the security policy and do so.

intrusion detection: Pertaining to techniques that attempt to detect intrusion into a computer or network by observation of actions, security logs, or audit data. Detection of break-ins or attempts either manually or via software expert systems that operate on logs or other information available.

vulnerability: Hardware, firmware, or software flaw that leaves an AIS open for potential exploitation. A weakness in automated system security procedures, administrative controls, physical layout, internal controls, and so forth, that could be exploited by a threat to gain unauthorized access to an AIS.


attack: An attempt to bypass security controls on a computer. The attack may alter, release, or deny data. Whether an attack will succeed depends on the vulnerability of the computer system and the effectiveness of existing countermeasures.

Security must then be established with a strong perimeter system. Inside the network, the Intrusion Detection System works to identify unauthorized attempts to use resources. The stated strategy will respond to an attack, again as per the defined security policy. Finally, further controls and systems will be in place to minimize the likelihood of further intrusions and create a more trusted environment. After each part of the defense strategy, the lessons that have been learned are used to strengthen the overall security of the network. Figure 1-1 illustrates this concept.

intrusion: Any set of actions that attempts to compromise the integrity, condentiality, or availability of a resource.

Figure 1-1: The Active Defense-in-Depth model.

Defensive Strategy Requirements


Any network that is going to deploy a defense system to protect their network must fulll some common requirements if the defense is going to be successful. Although these are not written as hard and fast rules, they should be followed in nearly all organizations.


Training and Awareness


Training and awareness is the foundation for the Active Defense-in-Depth defensive posture, because through training and awareness, cultural change within the enterprise occurs. A cultural change is required for all users to exercise security in their day-to-day operations and functions. Military units that have a high rate of operational readiness for combat use a maxim that states, "Train like you fight, because you will fight like you train." There is a lot to be learned from such a maxim. It means that training must be realistic and replicate battle conditions. Training must replicate the same scenarios that may expose vulnerabilities for attack by the threat. The same battle scenarios are presented in training to make attack response second nature to the user, as well as to the security professional overseeing the protection of the network.

Perimeter Security
Perimeter security is the first line of defense for the network and usually is provided by a packet filtering or rules-based firewall. In order to be most effective, ensure that the firewall has the following properties and rules:

Base your packet filtering and traffic management rules on an organizational security policy.

The firewall defines all network connections. All traffic from inside out and outside in must pass through the firewall.

packet: A block of data sent over the network transmitting the identities of the sending and receiving stations, errorcontrol information, and message.

Intrusion Detection Systems (IDS)


Intrusion Detection Systems (IDS) are a combination of hardware and software systems that monitor and collect network system information and analyze it to detect attacks or intrusions. Some IDSs can automatically respond to an intrusion or attack based on a collected library of attack signatures. IDSs are commonly deployed alongside software-based scanners, such as an Internet scanner, which may be the primary tool for network vulnerability analysis; scanning is a separate function from detection, in that it looks for weaknesses before an attack rather than for the attack itself. This type of scanner performs both scheduled and deliberate probes of the network infrastructure for flaws and vulnerabilities in operating systems, routers, applications, and communication devices.

packet filtering: A feature incorporated into routers and bridges to limit the flow of information based on pre-determined communications such as source, destination, or type of service being provided by the network. Packet filters let the administrator limit protocol-specific traffic to one network segment, isolate email domains, and perform many other functions.

router: An interconnection device that is similar to a bridge, but serves packets or frames containing certain protocols. Routers link LANs at the network layer.

vulnerability analysis: Systematic examination of an AIS or product to determine the adequacy of security measures, identify security deciencies, provide data from which to predict the effectiveness of proposed security measures, and conrm the adequacy of such measures after implementation.
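As an added example that is not from the course or any IDS product, the following Python script runs two of the detection methods described above over constructed connection records: matching payloads against a small library of attack signatures, and a threshold rule that flags a source probing many distinct ports on one host within a short window. The log format, the signature library, the sample records and the thresholds are all constructed for the example.

```python
"""Added example, not from the course: a minimal intrusion detection pass over
constructed connection records, using signature matching on payloads and a
port-scan threshold. The log format, signatures, records and thresholds are
constructed for the example and are not drawn from any real product."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed signature library: a name and a pattern applied to the payload bytes.
SIGNATURES = [
    ("smtp-vrfy-probe", re.compile(rb"^VRFY\s", re.I)),
    ("ftp-site-exec", re.compile(rb"SITE\s+EXEC", re.I)),
    ("http-dir-traversal", re.compile(rb"\.\./\.\./")),
]

Alert = Tuple[int, str, str]   # (timestamp, source address, detection name)


@dataclass(frozen=True)
class Conn:
    ts: int        # seconds
    src: str
    dst: str
    dport: int
    payload: bytes


def parse_log(text: str) -> List[Conn]:
    """Constructed log format, one record per line: '<epoch> <src> <dst> <dport> <payload or ->'."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, payload = line.split(maxsplit=4)
        conns.append(Conn(int(ts), src, dst, int(dport), b"" if payload == "-" else payload.encode()))
    return conns


def signature_alerts(conns: Iterable[Conn]) -> List[Alert]:
    """Signature detection: every connection whose payload matches a library entry.
    This finds only what the library already describes."""
    return [(c.ts, c.src, name) for c in conns for name, pat in SIGNATURES if pat.search(c.payload)]


def portscan_alerts(conns: Iterable[Conn], min_ports: int = 5, window: int = 10) -> List[Alert]:
    """Threshold detection: a source touching at least min_ports distinct ports on
    one destination within `window` seconds is reported once, at the time the
    threshold was first crossed. Too low a threshold turns busy clients into
    false positives; too high a one lets a slow scan through."""
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c.src, c.dst)].append(c)
    alerts = []
    for (src, _dst), cs in by_pair.items():
        cs.sort(key=lambda c: c.ts)
        for i, start in enumerate(cs):
            ports = {c.dport for c in cs[i:] if c.ts - start.ts <= window}
            if len(ports) >= min_ports:
                alerts.append((start.ts, src, "port-scan"))
                break
    return alerts


def run_ids(text: str) -> List[Alert]:
    """Both detectors over one log, merged in time order."""
    conns = parse_log(text)
    return sorted(signature_alerts(conns) + portscan_alerts(conns))


# Constructed sample traffic against a server at 172.18.0.20.
SAMPLE_LOG = """\
1000 10.0.0.3 172.18.0.20 80 GET /index.html HTTP/1.0
1001 10.0.0.5 172.18.0.20 25 HELO mail.example.test
1002 10.0.0.5 172.18.0.20 25 VRFY root
1003 10.0.0.9 172.18.0.20 21 USER anonymous
1004 10.0.0.9 172.18.0.20 21 SITE EXEC /bin/sh
1010 10.0.0.7 172.18.0.20 21 -
1011 10.0.0.7 172.18.0.20 22 -
1012 10.0.0.7 172.18.0.20 23 -
1013 10.0.0.7 172.18.0.20 25 -
1014 10.0.0.7 172.18.0.20 80 -
1015 10.0.0.7 172.18.0.20 110 -
1040 10.0.0.3 172.18.0.20 80 GET /images/logo.gif HTTP/1.0
"""

if __name__ == "__main__":
    for ts, src, name in run_ids(SAMPLE_LOG):
        print(f"{ts} {src:10s} {name}")
```

The two detectors fail in opposite directions, which is why real deployments combine them: the signature list can only name attacks it already knows, and the threshold rule will flag legitimate hosts as soon as it is tuned tightly enough to catch a patient scanner, which is the false positive problem discussed under attack response.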


Attack Response
Attack response consists of many practices in response to attacks or incidents, whether real, false, or simulated for training. All attacks are handled the same way until it is verified by the administrator that an event is in fact a false positive or a simulated attack for training. In any case, the response itself needs to be kept secret from anyone outside the security function, so as not to give any potential attackers an advantage or a possible vulnerability to exploit. A ready response team should be designated and alerted in a timely fashion once any attack has been detected. This team must have senior management backing and technical training, including security policy creation, maintenance, enforcement, and escalation during a response in case the team cannot handle the particular attack.

false positive: Occurs when the system classifies an action as anomalous (a possible intrusion) when it is a legitimate action.

TASK 1A-1
Identifying Non-repudiation Issues
1. What are the three potential problems a network could face if there is no assurance of non-repudiation, and what is the potential excuse for each problem?

The following examples of excuses that people are known to routinely give each other are indicative of the potential problems in a network if non-repudiation is not implemented:

Repudiation of origin: "I never sent it."
Repudiation of receipt: "I never received it."
Repudiation of submission: "I sent it out a while back" versus "You say you sent it out when? I only received it yesterday."

Topic 1B
Defensive Technologies
To have a network that can be considered well-secured requires a layered defense. The concepts of a layered defense are old and simple: The more layers an attacker will have to go through, the more difficult it is for the attack to be successful.

The Castle Analogy


This concept can be traced back very far; for this discussion, we will go back to the days of castles and fortresses. These buildings often housed hundreds of people and their rulers. In some cases, the castle was the entire town, with small huts outside the castle boundaries. Needless to say, they required very good and reliable security.


A castle's defense system is the classic layered concept. The castle itself is built out of strong and very thick stone. The walls of the castle are very high. The towers of the castle are even higher and allow the guards to see intruders at a greater distance. Other guards are positioned inside to watch for imposters and other internal disruptions. Closer to the castle is the moat, a body of water surrounding the castle. The only entrance is the drawbridge, which can be raised so no one can enter or leave without permission. There is a massive door protecting the entrance past the drawbridge. Small arrow holes are hidden along the walls and in the towers for archers to use; these make it easy for arrows to get out of the castle but difficult to shoot an arrow into one of those holes. As you can see, each additional layer of defense created a more secure overall castle. The analogy is directly transferable to networking. No single technology can create a secure network, just as a moat alone cannot create a secure castle.

Attacking the Castle


If the castles were so well defended, then how and why did they eventually fall? With layers upon layers of defense, the castles seemed as if they could not fall into their enemy's hands. History tells us otherwise. There were three basic approaches to bringing about the downfall of a castle. One was a massive attack, where hundreds or thousands of soldiers would storm the castle in a constant assault until the massive door finally was penetrated. This method generally cost many lives, but often was successful. The second approach was a variation of the first. Instead of actually storming the castle, a large army would simply lay siege to the castle for months until finally the defenders gave up. The third method was to find the secret entrance(s). Often the castle needed secret alternate ways in and out for emergencies. Once the enemy found this second entrance, they could send a small force in to open the castle from inside. This proved to be a more effective method, since the cost in lives to the attacker was far less.

Now, looking at this analogy, what are the defensive technologies employed in today's network security terms? There are many similarities, as you may have noticed.

The Castle's Firewall


In the castle analogy, there is a definite firewall in place. The two parts would be the moat and the high stone walls. This is how the firewall should operate in a network: in multiple parts. For example, you may have a firewall blocking ports, and another part of the firewall that is running Network Address Translation (NAT) to hide your internal IP addresses. These pieces are the classic perimeter security system, and all networks that are serious about security must have them.


protocol: Agreed-upon methods of communications used by computers. A specication that describes the rules and procedures that products should follow to perform activities on a network, such as transmitting data. If they use the same protocols, products from different vendors should be able to communicate on the same network.

Further analogies to the firewall are the arrow holes and the front door itself. These arrow holes are roughly equivalent to protocol port numbers, in that they are small and can be set up to be only one-way. Arrows go out, but they do not come back in. The front door can be opened to allow full two-way movement or communication.

The Castle's Intrusion Detection


The guards on the inside watching for an imposter or other internal problem are the intrusion detection. The guards high up in the watchtower are also part of the Intrusion Detection System, looking for attackers from the outside.

The Castle's Back Doors


One of the most serious problems with the security of a network is a back door. If a user installs a modem and makes an independent, direct connection to the Internet, all an attacker needs to do is find that back door. Once the back door is found, the attacker can come in and open up the entire network from the inside. This analogy is used to illustrate the need for a solid, well-planned, layered defense strategy for the network. Since any single point is subject to attack and potential failure, there must be other systems in place that work as defense for the network. Figure 1-2 is a graphical representation of the layered concept.

back door: A hole in the security of a computer system deliberately left in place by designers or maintainers. Synonymous with trap door; a hidden software or hardware mechanism used to circumvent security controls.

Figure 1-2: The layered defense concept.


The Defense Technologies


So, what exactly are the defensive technologies that can be deployed in a network? There are many, and some are not purely defensive, but they are used in the defense of the network.

Figure 1-3: The layers of defense in reaching a file.

The best way of looking at the defense of the network is to start on the outside, at the perimeter, and work your way in to the target. The target may be a number of different things, but we will focus in this discussion on an application residing on a host computer.

1. The first aspect in the defense of the network does not even use electricity. It is the security policy. Many people consider the firewall the first line of defense, but this could be argued as incorrect. Without a policy, the firewall cannot be configured! So, the first item is the policy. There must be a clear understanding of the purpose of the security in the network. The policy must cover who can do what, when, and how. The policy also must state the clear objectives of each piece of equipment used in the defense of the network. As with many things in life, proper planning is required for successful implementation.

2. After the security policy has been created and agreed to, the implementation of the defense systems can begin. On the very edge of the network are the routers. These routers may be configured, via access control lists, to perform part of the firewall system, and provide some level of packet filtering. The firewall may provide NAT and proxy services. NAT will ensure that the internal private addresses stay hidden, and the proxy services will make requests for resources on behalf of the internal clients.

3. Moving through the layers, beyond the firewall, the next piece is the IDS. The IDS is in place to notify the security professionals when an intrusion has happened, and can perform this function both on the inside of the network, and also detect attempts on the outside of the network.

4. Still deeper into the defense of the network is authentication. The host computer will require a form of authentication to gain access to the resources. Making it to the host is one thing; authenticating with the host and getting access is another.

5. After authentication with the host is the file system security. Each file, or each resource, should be designed with its own security. This security dictates who has access to this file, and what kind of access each person has. The file security may even specify the times during the day that users have access to the file.

proxy: A firewall mechanism that replaces the IP address of a host on the internal (protected) network with its own IP address for all traffic passing through it. A software agent that acts on behalf of a user. Typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps do additional authentication, and then complete a connection on behalf of the user to a remote destination.

host: A single computer or workstation; it can be connected to a network.

NAT and proxy services are covered in greater detail in upcoming lessons.

physical security: The measures used to provide physical protection of resources against deliberate and accidental threats.

The physical security of the network, although not a specic technology, is worth mentioning. Physical security of the computers, routers, switches, and employees is critical to maintaining a well-defended network. There is no point in implementing all the above technologies, if anyone can walk into an office and browse a computer. Physical access must be part of the defense, and should be outlined in the security policy.

TASK 1B-1
Describing the Layers of a Defended Network
1. Describe how an organization benefits from implementing each layer of a layered defense to protect their network.
Benefits to implementing a layered defense include:
Security Policy: Organized defense.
Perimeter Defense: Rule sets define what kind of traffic is allowed in or out.
IDS: Monitoring of network or hosts to detect unusual behavior or attacks so that responses can be calculated, rather than remain arbitrary.
Authentication: Depending upon the level of authentication used (one-, two-, or three-factor), it can be very difficult for one user to impersonate another.
File System Security: Users with verified credentials are granted or denied access to certain resources.
Physical Security: Prevents access to machines by users with malicious intent.


Topic 1C
Objectives of Access Control
Every network, no matter how well it is defended, will require verification of the network users' credentials. This is the process of access control. All networks need a system in place to be sure only authorized users have access to the network and its resources.

Access Control
On the network, one of the critical areas of security is determining who has access to what. It is the security professional's job to ensure that the policy guidelines are met and no unauthorized access of resources takes place. Or, as the definition of access control states, it is the prevention of unauthorized use by controlling the access to any protected system or resource. Access control systems are what help the security professional satisfy that requirement. There are two types of access control that may be implemented: Mandatory Access Control (MAC) and Discretionary Access Control (DAC). The policy in place determines which of these controls will be used.

Mandatory Access Control


MAC is an access control policy that supports a system which generally handles highly sensitive or secret information. Government agencies typically use MAC. Also, the security classification of both the user, called a subject, and the data or resource being accessed, called an object, must be labeled as Top Secret, Secret, or Classified for security. These labels are security classifications for objects and security clearances for subjects. If only one level of security is maintained in a system, it is called a System High Policy, which requires all system users to have the appropriate clearance for the highest level of sensitive information that may be accessed. If Secret information is on this system, then all authorized users must have at least a Secret clearance level. If multiple levels of classified information are on a single system and require users with different security clearances to access it, then a Multi-level Security Policy is enforced. To make this effective, the system typically has screened subnets, by use of firewalls, to allow access only to users with the appropriate clearance level.

Discretionary Access Control


DAC is an access control policy that uses the identity of the user, or of the group to which they belong, to allow authorized access. It is discretionary in that the administrator is able to control who has access, to what, and what type of access they will have, such as create or write, read, update, or delete. This is known as CRUD, which stands for Create, Read, Update, and Delete.
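The two policies just described make different decisions from different inputs: MAC compares labels fixed by policy, and DAC consults a per-resource list the administrator maintains. The following Python is an added example written for this topic, not code from the course or from any operating system; the label names are the ones the text uses, and the class and function names (Level, Acl, mac_can_read, system_high_ok) are this example's own.

```python
"""MAC and DAC decisions side by side.

Added example for this topic, not part of the course material. The label
names are the ones the text uses (Top Secret, Secret, Classified); the
helper names are this example's own.
"""
from enum import IntEnum


class Level(IntEnum):
    """Security labels, ordered so that a higher value is more sensitive."""
    CLASSIFIED = 1
    SECRET = 2
    TOP_SECRET = 3


# ---- Mandatory Access Control -------------------------------------------
# Under MAC the labels are fixed by policy; neither the subject nor the
# object's owner can change them. A subject may read an object only when
# its clearance is at least the object's classification ("no read up").
def mac_can_read(clearance: Level, classification: Level) -> bool:
    return clearance >= classification


def system_high_ok(clearances: dict, objects: dict) -> bool:
    """System High policy check: every user of the system must be cleared
    for the highest classification stored on it."""
    highest = max(objects.values())
    return all(c >= highest for c in clearances.values())


# ---- Discretionary Access Control ---------------------------------------
CRUD = frozenset({"create", "read", "update", "delete"})


class Acl:
    """Per-resource DAC list: the administrator grants CRUD operations to
    users or groups, and a request is allowed if any grant covers it."""

    def __init__(self) -> None:
        self._users: dict = {}
        self._groups: dict = {}

    def grant(self, principal: str, ops, group: bool = False) -> None:
        bad = set(ops) - CRUD
        if bad:
            raise ValueError(f"unknown operations: {sorted(bad)}")
        table = self._groups if group else self._users
        table.setdefault(principal, set()).update(ops)

    def allowed(self, user: str, groups, op: str) -> bool:
        if op not in CRUD:
            raise ValueError(f"unknown operation: {op}")
        if op in self._users.get(user, set()):
            return True
        return any(op in self._groups.get(g, set()) for g in groups)


def demo() -> dict:
    """Constructed scenario: a Secret plan, and a report with a DAC list."""
    clearances = {"alice": Level.SECRET, "bob": Level.CLASSIFIED}
    objects = {"plan.doc": Level.SECRET, "memo.txt": Level.CLASSIFIED}
    report = Acl()
    report.grant("alice", ["read", "update"])
    report.grant("analysts", ["read"], group=True)
    return {
        "alice_reads_plan": mac_can_read(clearances["alice"], objects["plan.doc"]),
        "bob_reads_plan": mac_can_read(clearances["bob"], objects["plan.doc"]),
        "system_high": system_high_ok(clearances, objects),
        "bob_reads_report": report.allowed("bob", ["analysts"], "read"),
        "bob_deletes_report": report.allowed("bob", ["analysts"], "delete"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In the constructed scenario, bob is cleared only to Classified, so under System High the system holding a Secret document fails the check until every user is cleared to Secret; under DAC he reads the report because his group was granted "read", but no grant covers "delete".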


Authentication
Once the policies of access control are in place, there needs to be a mechanism that can verify the user who is requesting access. Having either DAC or MAC in the organization's network is useless if the network cannot identify the users of the network. This is where authentication comes in. Although each operating system has its own methods of authentication, here we will discuss the concepts and methods of authentication. How is authentication defined? The basic definition is the process of determining the identity of a user that is attempting to access a system. (The word system in this case could be a router, server, workstation, and so on.)
server: A system that provides network service such as disk storage and le transfer, or a program that provides such a service. A kind of daemon that performs a service for the requester, which often runs on a computer other than the client machine.

Authentication occurs when a user provides the requested information to an authentication verification authority. The requested information can take many forms, as you will see. The verification authority can also take different forms, but is generally a server on the network. The traditional method of authentication is to provide a password. This password is a value that the user creates individually, or is generated for them. In any case, it is a value the user remembers and enters when requested. Systems can be as simple as having a single password to log in and use every resource available, or as complex as requiring one password to log in and different passwords to access specific resources. To increase the level of reliability and ease of use to users, biometric authentication can be introduced. When this type of system is added to the authentication scheme, it is considered to be strong authentication. The designation of strong is given since the user is not only identified digitally, but by their physical person via a physiological characteristic, such as a fingerprint scan, iris scan, or hand geometry.

Authentication Tokens
For some organizations, the traditional methods of using passwords are not enough, and the implementation of a biometric solution, such as fingerprint scanning, does not meet their policy requirements. These organizations may then look to tokens. Tokens come in different sizes and implementations. An authentication token is a portable device used for authenticating a user, thereby allowing authorized access into a network system. The tokens are literal physical devices and they operate by using systems such as challenge and response or time-based code sequences. One of the most well-known is the RSA SecurID token.

Challenge Response Token


The challenge response token is an authentication technique using a calculator type of token that contains the same security keys or algorithms as a Network Access Server (NAS). An unpredictable challenge is sent to the user, who computes a response using their authentication response token. This is shown in Figure 1-4.


Figure 1-4: An example of a challenge response card from Cryptocard.

The Challenge Response Process


Each challenge response token is pre-loaded with a Data Encryption Standard (DES) encryption key and a default user PIN unique to that token in association with a User Name. Neither of these items can be extracted from the token. Upon receiving a new token, the user must take the following steps to access a secured network using challenge/response technology:

1. Activate the token by changing the PIN to one known only by the user. The user enters the chosen PIN on the token.
2. The user begins the logon sequence.
3. The user types in the User ID from the requesting PC.
4. The NAS passes the PIN and User ID to the authentication server as part of the logon request.
5. The authentication server generates a random challenge and sends it back to the user via the connection through the NAS.
6. It is then sent to the user where it appears on the requesting PC screen.
7. The user types the challenge into the token, which then encrypts it using its internal DES key.
8. The token displays the encrypted response.
9. The user types the encrypted response into the requesting PC keyboard.
10. The authentication server receives the response, and using the same DES key that the token used, processes it and verifies the user and the token.
11. The authentication server sends a message to the NAS to allow the user access.

key: A symbol or sequence of symbols (or electrical or mechanical correlates of symbols) applied to text in order to encrypt or decrypt.

DES: (Data Encryption Standard) Definition 1: An unclassified crypto algorithm adopted by the National Bureau of Standards for public use. Definition 2: A cryptographic algorithm for the protection of unclassified data, published in Federal Information Processing Standard (FIPS) 46. The DES, which was approved by the National Institute of Standards and Technology (NIST), is intended for public and government use.
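The eleven steps above are easier to follow when both sides are written out as code. The simulation below is an added example for this lesson, not the course's code and not any vendor's implementation. It keeps the elements the text describes, a per-token secret shared with the authentication server, a PIN, a random challenge, and a response computed on the token, but it uses an HMAC-SHA256 over the challenge in place of DES encryption, because the Python standard library has no DES; the class and function names (AuthServer, token_response, nas_logon) and the enrollment data are this example's own constructions.

```python
"""Simulation of the challenge/response token logon described above.

Added example, not the course's or any vendor's code. The token and the
authentication server share a per-token secret, as in the text. The text
describes DES; Python's standard library has no DES, so this simulation
uses an HMAC-SHA256 over the challenge for the token's "encrypt the
challenge" step. The message flow, not the cipher, is the point.
"""
import hashlib
import hmac
import secrets


def token_response(token_key: bytes, challenge: str) -> str:
    """Steps 7-8: the token transforms the challenge with its internal key
    and displays a short response the user can type back."""
    mac = hmac.new(token_key, challenge.encode(), hashlib.sha256).hexdigest()
    return mac[:8].upper()


class AuthServer:
    """Holds each user's PIN and a copy of that user's token key."""

    def __init__(self) -> None:
        self._users = {}     # user_id -> (pin, token_key)
        self._pending = {}   # user_id -> outstanding single-use challenge

    def enroll(self, user_id: str, pin: str, token_key: bytes) -> None:
        self._users[user_id] = (pin, token_key)

    def begin_logon(self, user_id: str, pin: str):
        """Steps 4-5: the NAS forwards user ID and PIN; the server checks
        the PIN and returns a random challenge, or None to refuse."""
        rec = self._users.get(user_id)
        if rec is None or not hmac.compare_digest(rec[0], pin):
            return None
        challenge = secrets.token_hex(4).upper()   # 8 hex digits on the PC screen
        self._pending[user_id] = challenge
        return challenge

    def finish_logon(self, user_id: str, response: str) -> bool:
        """Step 10: recompute the expected response with the same key and
        compare. The challenge is consumed whether or not the attempt
        succeeds, so a captured response cannot be replayed."""
        challenge = self._pending.pop(user_id, None)
        if challenge is None:
            return False
        expected = token_response(self._users[user_id][1], challenge)
        return hmac.compare_digest(expected, response)


def nas_logon(server: AuthServer, user_id: str, pin: str, token_key: bytes) -> bool:
    """Drive the sequence as the NAS and requesting PC would see it.
    token_key here plays the role of the physical token in the user's hand."""
    challenge = server.begin_logon(user_id, pin)            # steps 2-6
    if challenge is None:
        return False
    response = token_response(token_key, challenge)         # user types challenge in
    return server.finish_logon(user_id, response)           # steps 9-11


# Constructed enrollment data for the demo; a real token's key is never exposed.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_SERVER = AuthServer()
DEMO_SERVER.enroll("alice", "2468", DEMO_KEY)

if __name__ == "__main__":
    print("correct PIN and token:", nas_logon(DEMO_SERVER, "alice", "2468", DEMO_KEY))
    print("wrong PIN:", nas_logon(DEMO_SERVER, "alice", "0000", DEMO_KEY))
    print("other token:", nas_logon(DEMO_SERVER, "alice", "2468", b"\x00" * 16))
```

Two design points are worth noting against the text: the server refuses at step 4 without issuing a challenge when the PIN is wrong, and a challenge is discarded after one use, so an observer who copies a response off the wire gains nothing the next time.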


Figure 1-5: An example of the challenge response token authentication system.

Time-based Tokens
The challenge response token system is widely used on many networks today. There is a different type of token that is also currently used: the time-based token. Where the challenge response token requires the user to enter data into the token and read data back out of it, with the time-based token the user only reads data.

Figure 1-6: An example of the time-based token authentication system.

The time-based token utilizes an authentication technique where the security token and the security server use an identical algorithm. To gain access, the user takes the code generated by the token and adds their user name and PIN to create a passcode. The passcode is combined with a seed value and the current time, which is then encrypted with an algorithm and sent to the server. The server authenticates the user by generating its own version of the valid code by accessing the pre-registered PIN and using the same seed value and algorithm to validate the user and their token.
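Because the token and the server run the same algorithm over the same seed and clock, neither side has to send the secret. The following Python is an added example for this topic, not the course's code and not RSA's: the SecurID algorithm itself is proprietary, so the example uses the open TOTP construction (HMAC-SHA1 over a 30-second time counter, as in RFC 6238) as the "identical algorithm" both sides share, and follows the text in having the user submit PIN plus displayed code as the passcode. The names TimeTokenServer, totp_code and token_display, and the demo seed and PIN, are this example's own.

```python
"""Time-based token simulation: token and server run the same algorithm
over a shared seed and the current time.

Added example, not the course's or RSA's code. The SecurID algorithm is
proprietary, so this uses the open TOTP construction (HMAC-SHA1 over a
30-second counter, RFC 6238) as the "identical algorithm" both sides share.
Following the text, the user submits PIN + displayed code as the passcode.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30


def totp_code(seed: bytes, counter: int, digits: int = 6) -> str:
    """One code for one time step (HOTP dynamic truncation)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def token_display(seed: bytes, now: float) -> str:
    """What the token shows at wall-clock time `now` (seconds since epoch)."""
    return totp_code(seed, int(now // STEP_SECONDS))


class TimeTokenServer:
    """Verifies passcodes using the pre-registered PIN and seed."""

    def __init__(self, window: int = 1) -> None:
        self._users = {}          # user -> (pin, seed)
        self._last_counter = {}   # user -> last counter accepted
        self._window = window     # tolerated clock drift, in steps each way

    def enroll(self, user: str, pin: str, seed: bytes) -> None:
        self._users[user] = (pin, seed)

    def verify(self, user: str, passcode: str, now: float) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        pin, seed = rec
        if not hmac.compare_digest(passcode[:len(pin)], pin):
            return False
        code = passcode[len(pin):]
        counter = int(now // STEP_SECONDS)
        for c in range(counter - self._window, counter + self._window + 1):
            if c <= self._last_counter.get(user, -1):
                continue  # each code is accepted once, so replays fail
            if hmac.compare_digest(totp_code(seed, c), code):
                self._last_counter[user] = c
                return True
        return False


# Constructed demo data; the seed is the RFC 6238 test secret.
DEMO_SEED = b"12345678901234567890"
DEMO_SERVER = TimeTokenServer()
DEMO_SERVER.enroll("alice", "1234", DEMO_SEED)

if __name__ == "__main__":
    now = 59
    passcode = "1234" + token_display(DEMO_SEED, now)
    print("first use:", DEMO_SERVER.verify("alice", passcode, now))
    print("replayed:", DEMO_SERVER.verify("alice", passcode, now))
```

The server accepts a code from one step before or after its own clock to absorb drift between the token and the server, but records the last counter it accepted so the same code cannot be presented twice within that window.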

Figure 1-7: An example of the RSA SecurID token.



Time-based and challenge response tokens are both good examples of two-factor authentication. The server validates what the user knows (the user name and PIN) and what the user has (the authentication token).

Software Tokens
If an organization does not wish to purchase hardware tokens such as those described, they may opt for a software solution instead. A software token is an authentication technique using a portable device such as a Palm Pilot, Palm PC, or Wireless Telephone to carry the embedded software. When attempting to access the secured network, the user is prompted to provide their PIN (pre-registered with the server in association with the user name) and authentication code, which is generated by the software token. This information is routed to an access server such as an RSA ACE/Server for verification. If the PIN and authentication code are valid, the user is granted access. If not, the user is denied access to the network.

Figure 1-8: An example of a Palm Pilot running RSA security software.


TASK 1C-1
Describing the Challenge Response Token Process
1. Describe the Challenge Response token process between the user, client, and server.
Each challenge/response token is pre-loaded with a DES (Data Encryption Standard) encryption key and a default user PIN unique to that token in association with a user name. Neither of these items can be extracted from the token. Upon receiving a new token, the user must follow several steps to access a secured network by using challenge/response technology.
2. Place the following steps in the proper order. (The correct position of each step is shown before it.)
7 The user types the challenge into the token, which then encrypts it using its internal DES key.
3 The user types in the User ID from the requesting PC.
10 The authentication server receives the response and, using the same DES key that the token used, processes it and verifies the user and the token.
4 The NAS passes the PIN and User ID to the authentication server as part of the logon request.
8 The token displays the encrypted response.
11 The authentication server sends a message to the NAS to allow the user access.
1 The token is activated by changing the PIN to one known only to the user. The user enters the chosen PIN on the token.
6 The challenge is sent to the user where it appears on the requesting PC screen.
2 The user begins the logon sequence.
9 The user types the encrypted response into the requesting PC keyboard.
5 The authentication server generates a random challenge and sends it back to the user via the connection through the NAS.


Topic 1D
The Impact of Defense
Network security protects all the information technology assets within the enterprise, including computers, servers, databases, applications, peripherals, and perhaps most importantly, data or information. Network security allows authorized users to access IT assets quickly, whenever it is needed, all the while improving communications with internal and external customers within a totally secure environment. Implementation of security controls, whether in a layered defense or any other mode, should not, in any way, hinder the functionality of the network. Networks must be secure, but the implementation of security cannot hinder the objective and purpose of the network itself. Of the different technologies discussed in this lesson, how many could have a negative impact on the performance of the network? If you answered all of them, you are correct. However, they do not have to have a negative impact on the network. Proper implementation of security controls will reduce the impact on the network. How exactly do these technologies impact the network in the first place? Let's examine some of the technologies discussed previously.

Firewalls
The firewall is the first line of defense for the network. All packets that enter the network should come through this point in a properly designed network. A modern firewall is generally a system of applications and hardware working together. The jobs a firewall can be asked to perform are packet filtering, network address translation, and proxy services. A firewall can have a negative impact on the network by blocking access to resources that should be accessible. It is possible that, because of improper configuration of a firewall, entire portions of a network become unavailable, in which case the performance hit is significant. Additionally, if an ordinary PC has been configured to be the firewall (a multihomed computer), it may not have the internal speed to perform all the functions of the firewall fast enough, resulting in latency.

Encryption
The encryption process as a whole involves taking data that is readable in plain text and, using a mathematical calculation, making the text unreadable. The receiver then needs to perform a similar calculation to decrypt the message and read it in its plain text format. The performance hit is much more obvious with encryption. If the data packets are encrypted, the information that must be transmitted is larger, and more bandwidth will be consumed. Additionally, the devices that perform the encryption and decryption have more work to do in running the algorithms that perform the task. Networks that have systems at minimum levels will be affected the most by the addition of encryption.

Computers and routers that are asked to perform encryption must be able to handle the extra workload. It is not always the network that has a performance drop; it is often the computers themselves, as they struggle to keep up with all the extra processing required to encrypt and decrypt data. File system encryption can be as much of a performance hit as encrypted network traffic.

Passwords
Forcing hard-to-remember passwords on users results in either the passwords being written down or frequent calls to the help desk to come and unlock their computers. This results in a performance hit on the overall functionality of the entire network. The password issue is a difficult one, as networks require strong passwords, but users have a hard time creating them. The network administration staff should take the time to educate users on creating strong passwords. One of the better methods of making strong passwords that users can remember is to use phrases instead of words (which should never be used). The phrase method requires the user to think of a phrase they will remember. This way it can be related to a user's birthday and not be a security risk. For example, "I was Born on June 27!" could then become the password "IwBoJ27!" This illustrates how easy it can be to generate secure passwords that can be remembered.

Intrusion Detection Systems


Although some think that an IDS could not have an impact on a network, in reality, it can. It is true that the IDS does not have that much of an impact on the actual packets as they move about the network; however, this is not the only type of impact the network must manage. If an IDS is improperly configured, so that it is identifying traffic not indicative of an intrusion, and the security professionals spend their time investigating attacks that never happened, then the IDS has created a significant problem rather than solved one. An IDS that is constantly giving off false alarms is a bad thing for the network, as eventually the security team will stop responding, or respond slowly.

Auditing
If a commonly used server has had every single auditing option turned on, the computer is going to suffer a performance hit in logging all that information. If it also happens to be a file server, chances are good that available disk space will be taken up by the log files, again resulting in calls to the help desk. This can also be a method of hiding an attacker's tracks. If an attacker gains access to a server and enables every single auditing option, it will be much more work for the administrator to search the log files for the real evidence of the security breach.


TASK 1D-1
Describing the Problems of Additional Layers of Security
1. How could adding additional layers of defense cause problems for the users of a network?
Answers may vary, but may include: Improper configuration of a firewall, NAT, or proxy can result in authorized users not being able to access resources they need to access, or vice versa; users may not fully understand the modern key management process used in encryption systems, therefore, unless encryption is an integrated feature of the operating system, IP stack, or application, users may be inconvenienced; the user logon and verification process can also inconvenience users if it is too complicated.
2. How could adding additional layers of defense cause problems for the packet flow on the network?
Answers may vary, but could include: Strong encryption can increase the actual network traffic; more CPU cycles are required to generate encrypted traffic and decipher it upon receipt; IDS systems running in a very paranoid mode may create excessive auditing and alerts, sometimes resulting in false alerts.

Topic 1E
Network Auditing Concepts
Auditing entails the recording, maintenance, and protection from unauthorized access, modification, or deletion of detailed access event logs of information technology assets and network systems to ensure compliance with an established security policy. Auditing within a network systems environment involves much more than the typical recording of system activity.

Security Auditing Basics


It would be useless to put a lock on a door if it was never checked to see if it was still locked or if it was unlocked, when it was unlocked, and by whom. In checking the security of a network, answers to the following questions need to be recorded and logged for use later in case of system compromise:
What was checked?
Who did the checking?
When was it checked?
How was it checked?
Were there any findings?

compromise: An intrusion into a computer system where unauthorized disclosure, modification, or destruction of sensitive information may have occurred.


security violation: An instance in which a user or other person circumvents or defeats the controls of a system to obtain unauthorized access to information contained therein or to the system itself.

Besides the usual recording of logins, logouts, accessing files, directories and resources, and security violations, additional network security events must be audited on both sides of the network connection. Both sides means any establishing or dropping of network connections with other networks must be logged, as well as any failed network components and any misrouted or lost data while in transit.

Auditing should capture the information of the following events:
All access events with use of identification and authentication mechanisms.
Any deletion of files, data, or information.
Modification of directories.
Movement of large data assets into users' address space.
Any security actions or other security-related events.

Each event should contain the following entries in the audit log:
Date and time of the event.
Name of user creating the event, as well as event origin.
Event description and type.
Name of asset in case of deletion.
Event success or failure.

audit: The independent examination of records and activities to ensure compliance with established controls, policy, and operational procedures, and to recommend any indicated changes in controls, policy, or procedures.

Security Audits
Logged records of monitored events are kept on hand for auditing purposes. Although they can be conducted by either internal or external resources, the two typical types of security audits are operational and independent.

security audit: A search through a computer system for security problems and vulnerabilities.

Operational Audit
This type of audit is usually done by internal resources to examine the operational and ongoing activities within a network system for compliance with an established security policy.

Independent Audit
An independent audit is usually conducted by external or outside resources and may be a review or audit of detailed audit logs to:
Examine system activities and access logs.
Assess the adequacy of security methods and controls.
Assess compliance with established enterprise network system policies and procedures.
Assess effectiveness of support, enabling, and core processes.
Recommend improvements in security processes, methods, and controls.


Whether an audit is done as an operational or independent audit, a thorough search through the system should be conducted to detect any flaws, vulnerabilities, or problems. An IDS can point to network system vulnerabilities, but a security audit should be conducted to find problems within the file systems on the network. Out of this audit should come detailed reports that may give you some clues as to possible existing or future problems. These may include:
Accounts with no name, or expired names of people that have left the company or group.
New accounts needing validation for authorized users.
Group accounts needing access control specifics to pinpoint who had access at what time, and not just a group name logon.
Recent changes to file protection or changes in rights to large files.
Accounts with easily guessed passwords.
Accounts with expired or no passwords.
Any other suspicious user activity.

Audit Trails
Network auditing still needs to log the audit trail, or history, of any network transaction. The requirement for any audit trail is that documentation be kept to record the historical use of the network system. But the primary purpose of a recorded audit trail is to be able to examine the detailed historical record of system use in order to replicate specific event scenarios after a compromise or exploit has occurred. An audit trail is the only way to examine the sequence of events that led up to the system's compromise or exploitation. Without an audit trail, there would be no way to find out how a compromise or exploit of the system occurred, or when it actually happened.

Handling and Preserving Audit Data


Audit data should be some of the most carefully secured data at the site and in the backups. If an intruder were to gain access to audit logs, the systems themselves would be at risk, in addition to the data. Audit data may also become key to the investigation, apprehension, and prosecution of the perpetrator of an incident. For this reason, it is advisable to seek the advice of legal counsel when deciding how audit data should be handled. This should happen before an incident occurs. If a data-handling plan is not adequately defined prior to an incident, it could mean that there is no recourse in the aftermath of an event, and it may create liability resulting from improper treatment of the data.

audit trail: In computer security systems, a chronological record of system resource usage. This includes user login, file access, other various activities, and whether any actual or attempted security violations occurred.

perpetrator: The entity from the external environment that is taken to be the cause of a risk. An entity in the external environment that performs an attack, i.e., a hacker.

Legal Considerations
Due to the content of audit data, there are a number of legal questions that arise which might need to be addressed by your legal counsel. If you collect and save audit data, you need to be prepared for consequences resulting both from its content as well as its existence.

Lesson 1: Network Defense Fundamentals

25

One area concerns the privacy of individuals. In certain instances, audit data may contain personal information. Searching through the data, even for a routine check of the system's security, could represent an invasion of privacy. A second area of concern involves knowledge of intrusive behavior originating from your site. If an organization keeps audit data, is it responsible for examining it to search for incidents? If a host in one organization is used as a launching point for an attack against another organization, can the second organization use the audit data of the first organization to prove negligence on the part of that organization? These examples are not meant to be comprehensive, but should motivate your organization to consider the legal issues involved with audit data.

TASK 1E-1
Describing Network Auditing
1. What are the benefits of auditing network traffic?
Logs of audited network traffic can be used to examine a detailed historical record of network and system use in order to reconstruct specific event scenarios after a compromise or exploit has occurred.
2. What is a possible drawback to network auditing?
If an intruder were to gain access to audit logs, the systems themselves would be at risk, in addition to the data.
3. Why is the handling and storage of audit data so critical?
Audit data may contain personal information. Searching through the data, even for a routine check of the system's security, could represent an invasion of privacy. Apart from that, the very knowledge of intrusive behavior originating from your site raises the question of responsibility with regard to reporting the incident to a third party or maybe even an authority such as the FBI.

Summary
In this lesson, you walked through the process of creating a layered defense. You are able to identify why the layered defense is important and the technologies used to create one. You also examined the concepts of network auditing, including handling of data and types of audits. You have defined the five keys of network defense, described the objectives of access control methods, and identified the impact of defense on the network.


Lesson Review
1A What do authentication and availability create in the network?
Authentication and availability in a network create system assurance.
Describe the differences between one-, two-, and three-factor authentication.
One-factor authentication provides what you know, such as a password or PIN. Two-factor authentication is providing what you have, like a smart card or a token, in addition to what you know. The third factor, which provides strong authentication, is proving a user's identity, or who you are, by using biometrics. Biometrics uses a physiological characteristic to identify you, such as a fingerprint, retina scan, hand geometry, voice recognition, or iris scan, or behavioral characteristics such as keystroke recognition or signature recognition.
Is it possible to have data confidentiality without having data integrity?
No; however, it is possible to have data integrity without data confidentiality.
What is the difference between a passive threat and an active threat?
Simply put, in a passive threat, data is viewed, but in an active threat, data is modified.

1B What are the primary technologies used to create a layered defense?
- A security policy implemented at various layers of the network.
- Perimeter defenses, such as routers, firewalls, NAT, and proxies.
- Intrusion Detection Systems (IDS), which can be put in place to monitor network traffic or hosts.
- Authentication, which has to be regularized using one-, two-, or three-factor authentication methods depending upon the requirement (machine-specific authentication may be required in some cases).
- File System Security, which should be in place once a user is logged in, to allow or deny access to resources.
- Physical access/security to the network or individual machines.
What could be the result of skipping a layer of defense?
- Security policy: Unstructured defense.
- Perimeter defense: Intruders will come in.
- IDS: You won't know that intruders have come in.
- Authentication: Anyone can log in to your network.
- File System Security: Anyone who has access to a machine can access everything on that machine.
- Physical security: Anyone can access any machine.


1C Name and describe the two methods of Access Control.
Mandatory Access Control, where subjects and objects are Classified, Secret, or Top Secret. Discretionary Access Control, where a user's identity is used first in determining certain user rights into the system, and then at each resource to see if the user has Create, Read, Update, or Delete (CRUD) privileges.
Describe the process of authentication.
Authentication is the process of determining the identity of a user who is attempting to access a system. A user provides the requested information to an authentication verification authority. The authentication verification authority uses this information, or a derivative of it, against a pre-configured database. If the values match, the user is issued appropriate credentials to access the system. The user then presents these credentials to access resources.
What are software tokens, and how can an organization benefit by using them?
A software token is an authentication technique using a portable device, such as a Palm Pilot or Palm PC. Since the token is generated via software, an organization does not have to be tied down to a particular hardware token generator. When circumstances change and they have to upgrade the strength of the token, for example, they just need to upgrade the software in the portable device rather than recall and reissue hardware devices.

1D How could a firewall have a negative impact on network performance?
A firewall can have a negative impact on the network by blocking access to resources that should be accessible. It is possible that, because of improper configuration of a firewall, entire portions of a network become unavailable. Additionally, if an ordinary PC has been configured to be the firewall (a multihomed computer), it may not have the internal speed to perform all the functions of a firewall fast enough, resulting in latency.
How can encryption affect network performance?
If the data packets are encrypted, the information that must be transmitted is larger, and therefore more bandwidth will be consumed.
How can encryption affect individual hosts?
The devices that perform encryption and decryption have more work to do in running the algorithms that perform the task.

1E What are two of the events that can be captured with auditing?
Answers may include the following: all access events with use of identification and authentication mechanisms; any deletion of files, data, or information; modification of directories; movement of large data assets into users' address space; any security actions or other security-related events.


What are two of the entries that should be captured in an event?
Answers may include the following: date and time of the event; name of the user creating the event as well as event origin; event description and type; name of asset in case of deletion; whether the event succeeded or failed.
What are the two typical types of security audits?
Operational and independent.


Lesson 2: Advanced TCP/IP

Overview
There is one primary set of protocols that runs networks and the Internet today. In this lesson, you will work with those protocols: the Transmission Control Protocol (TCP) and the Internet Protocol (IP). In order to manage the security of a network, you must become familiar with the details of how TCP/IP functions, including core concepts, such as addressing and subnetting, and advanced concepts, such as session establishment and packet analysis.

Data Files
tftp.cap
fragment.cap
ping.txt
ping.cap
ftp.txt
ftp.cap
WinPcap
Wireshark

Lesson Time
6 hours

Objectives
To better understand advanced TCP/IP concepts, you will:
2A Define the core concepts of TCP/IP. Given a machine running TCP/IP, you will define the core concepts of TCP/IP, including the layering models, RFCs, addressing and subnetting, VLSM and CIDR, and the TCP/IP suite.
2B Analyze sessions of TCP. Given a Windows Server 2003 computer, you will examine control flags, sequence numbers, and acknowledgement numbers, and you will use Network Monitor to view and analyze all of the fields of the three-way handshake and session teardowns.
2C Analyze IP. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of IP.
2D Analyze ICMP. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of ICMP.
2E Analyze TCP. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of TCP.
2F Analyze UDP. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of UDP.
2G Analyze fragmentation. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze network traffic fragmentation.
2H Complete a full session analysis. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze a complete FTP session, frame by frame.

32

Tactical Perimeter Defense

Topic 2A
TCP/IP Concepts
In order for two hosts to communicate, there must first be an agreed-upon method of communication for both hosts to use. The protocol that the Internet was built on, and the protocol that all hosts on the Internet use, is TCP/IP, or Transmission Control Protocol/Internet Protocol. Because the two hosts agree on the protocol they will use, we can go right into the details of the protocol itself.
Many of the concepts in this topic were covered in the prerequisite courses, but are provided here for review.

The TCP/IP Model


In order for data to move from one host to another, it must be transmitted and received. In theory, there are several ways this could happen:
- The data file could be sent as a whole file, intact, from one host to another.
- The data file could be split in half and sent, sending and receiving two equal-sized pieces.
- The data file could be split into many smaller pieces, all sent and received in a specific sequence.

host: A single computer or workstation; it can be connected to a network.

It is this last method that is actually used. For example, if a user is at a host and wants to view a web page on a different host, the request and subsequent response will take many small steps to complete. In Figure 2-1, you can see the four layers of the TCP/IP Model, along with the browser's request for a web page going to the web server.

server: A system that provides a network service such as disk storage and file transfer, or a program that provides such a service. A kind of daemon that performs a service for the requester, which often runs on a computer other than the client machine.

Figure 2-1: A web request moving along the TCP/IP Model.
The four layers of the TCP/IP Model are:
- The Application Layer
- The Transport Layer
- The Internet Layer (also called the Network Layer)
- The Network Access Layer (also called the Link Layer)

Lesson 2: Advanced TCP/IP

33

The reason that there are alternate names for these layers is that the industry has never agreed on a single standard for the names. Each of these layers is detailed as follows:
- The Application Layer is the highest layer in the model, and communicates with the software that requires the network. In our example, the software is the web page request from a browser.
network: Two or more machines interconnected for communications.

- The Transport Layer is where the reliability of the communication is dealt with. There are two protocols that work at this layer, TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). An immediate difference between the two is that TCP does provide for reliable delivery of data, whereas UDP provides no such guarantee.
- The Internet Layer (or Network Layer) provides the mechanism required to address and move the data from one host to the other. The primary protocol you will examine at this layer is IP (Internet Protocol).
- The Network Access Layer (or Link Layer) is where the data communication interacts with the physical medium of the network. This is the layer that does the actual sending and receiving of the data.

As you saw in Figure 2-1, as the web page request was initiated on the host, it moved down the layers, was transmitted across the network, and moved up the layers on the web server. These are the layers on which all network communication using TCP/IP is based. There is a different set of layers, however, called the OSI Model.

The OSI Model


The TCP/IP Model works well for TCP/IP communications, but there are many protocols and methods of communication other than TCP/IP. A standard was needed to encompass all of the communication protocols. The standard developed by the International Organization for Standardization (ISO) is called the OSI Model. The Open Systems Interconnection (OSI) Model has seven layers, compared to the four layers of the TCP/IP Model. The seven layers of the OSI Model are:
- The Application Layer
- The Presentation Layer
- The Session Layer
- The Transport Layer
- The Network Layer
- The Data Link Layer
- The Physical Layer

OSI: (Open Systems Interconnection) A set of internationally accepted and openly developed standards that meet the needs of network resource administration and integrated network components.


The names of these layers are fixed, as this is an agreed-upon standard. The details of each layer are as follows:
- The Application Layer is the highest layer of the OSI Model, and deals with interaction between the software and the network.
- The Presentation Layer is responsible for data services such as data compression and data encryption/decryption.
- The Session Layer is responsible for establishing, managing (such as packet size), and ending a session between two hosts.
- The Transport Layer is responsible for error control and data recovery between two hosts. Both TCP and UDP work at this layer.
- The Network Layer is responsible for logical addressing, routing, and forwarding of datagrams. IP works at this layer.
- The Data Link Layer is responsible for packaging data frames for transmission on the physical medium. Error control is added at this layer, often in the form of a Cyclic Redundancy Check (CRC). This layer is subdivided into the LLC (Logical Link Control) and MAC (Media Access Control) sublayers. The MAC sublayer is associated with the physical address of the network device, and the LLC sublayer makes the association between this physical address (such as the 48-bit MAC address if using Ethernet) and the logical address (such as the 32-bit IP address if using IP) at the Network Layer.
- The Physical Layer is responsible for the actual transmission and receipt of the data bit stream on the physical medium.
packet: A block of data sent over the network transmitting the identities of the sending and receiving stations, error-control information, and the message.

The OSI Model and the TCP/IP Model do fit together. In Figure 2-2, you can see that the two primary layers of concern in the TCP/IP Model (the Transport and Internet Layers) match directly with the Transport and Network Layers of the OSI Model, while the other two TCP/IP Model layers each encompass two or more layers of the OSI Model.

Figure 2-2: A comparison of the OSI and TCP/IP Models.
As the data from one host flows down the layers of the model, each layer attaches a small piece of information relevant to that layer. This attachment is called the header. For example, the Network Layer header will identify the logical addresses (such as IP addresses) used for this transmission. This process of adding a header at each layer is called encapsulating. Figure 2-3 shows a visual representation of the header and the encapsulation process.

Figure 2-3: Headers and the encapsulation process as data moves down the stack. When the second host receives the data, and as the data moves up the layers, each header will let the host know how to handle this piece of data. After all the headers have been removed, the receiving host is left with the data as it was sent.

RFCs
With all the standards defined in the previous section, you may be asking where to go to find the standards. The answer is the RFCs. A Request For Comments (RFC) is the industry location for standards relating to TCP/IP and the Internet. RFCs are freely available documents to read and study, and if you ever want to go directly to the source, be sure to use the RFC. Although you will find RFCs listed all over the Internet, to view them all online go to: www.rfc-editor.org. This is the website with a searchable index of all RFCs. There are several RFCs you should be familiar with, and that you should know by number to look up. This way you will not have to search hundreds of responses to find what you need. The RFCs you should know are:
- The Internet Protocol (IP): RFC 791.
- The Internet Control Messaging Protocol (ICMP): RFC 792.
- The Transmission Control Protocol (TCP): RFC 793.
- The User Datagram Protocol (UDP): RFC 768.

The Function of IP
The Internet Protocol (which works at the Network layer of both the OSI and the TCP/IP models) has, by definition, a simple function. IP identifies the current host via an address and, using addressing, moves a packet of information from one host to another. Each host on the network has a unique IP address, and each packet the host sends will contain its own IP address and the IP address to which the packet is destined. The packets are then directed, or routed, across the network, using the destination address, until they reach their final destination. The receiving host can read the IP address of the sender and send a response, if required.


Although it sounds straightforward, and does work, there are drawbacks. For instance, when packets are sent from one host to another, they may be received out of order. IP has no mechanism for dealing with that problem. Also, packets can get lost or corrupted during transmission, again a problem IP does not manage. These problems are left to an upper protocol to manage. Often that protocol will be TCP, as you will see in the following topic.

Binary, Decimal, and Hexadecimal Conversions


Even though you may be familiar with the concept of binary math, you may wish to review this section briefly. In binary, each bit can be either a 1 or a 0. In computers, these bits are stored in groups of 8. Since each bit can be either a 1 or a 0, each location is designated a power of 2. A byte, therefore, has binary place values from 2^0 through 2^7. In Figure 2-4, you can see the value of each of the 8 bits in a byte. When the bits are presented as a byte, the values of the locations that hold a 1 are added to give you the decimal equivalent. For example, if all 8 bits were 1s, such as 11111111, then the decimal value would be 255, or 128+64+32+16+8+4+2+1. Here are a few other quick binary to decimal conversions:
- Binary 11000000 is decimal 192, or 128+64+0+0+0+0+0+0
- Binary 10000000 is decimal 128, or 128+0+0+0+0+0+0+0
- Binary 10000010 is decimal 130, or 128+0+0+0+0+0+2+0
- Binary 01011010 is decimal 90, or 0+64+0+16+8+0+2+0

The IP addresses that are either manually or dynamically assigned to a host are 32-bit fields, often shown as four decimal values for ease of reading. For example, a common address would be 192.168.10.1. Each number is an 8-bit binary value, or an octet. In this example, the first octet is 192, the second 168, the third 10, and the fourth 1. Even though the fourth octet is given a decimal value of 1, it is still given an 8-bit value in IP addressing. Each bit of the 32-bit address must be represented, so the computer sees a decimal 1 in an IP address as 00000001. Keeping this in mind, the full decimal IP address 192.168.10.1 is seen by the computer as the binary IP address:
11000000.10101000.00001010.00000001

In tools that are designed to capture and analyze network traffic, the IP address is often represented in its hexadecimal (Hex) format. The ability to view and recognize addressing in Hex format is a useful skill to have when you are working with TCP/IP. In hexadecimal format, the IP address 192.168.10.1 is C0-A8-0A-01. The following is a quick summary of Hex conversions.


To convert the decimal address 192.168.10.1 to hexadecimal, convert each of its octets, then combine the results, as follows:
1. Divide 192 by 16. The result is 12, with a remainder of 0. Because decimal 12 is the same as Hex C and decimal 0 is the same as Hex 0, decimal 192 is equal to Hex C0.
2. Divide 168 by 16. The result is 10, with a remainder of 8. Because decimal 10 is the same as Hex A and decimal 8 is the same as Hex 8, decimal 168 is equal to Hex A8.
3. Decimal 10 is the same as Hex A.
4. Decimal 1 is the same as Hex 1.
5. Combining the results of each conversion shows that decimal 192.168.10.1 is equal to Hex C0A80A01.

Another way to derive this result is to first convert from decimal to binary, then convert binary to hexadecimal four bits at a time, and finally, combine the results, as shown here:
1. Decimal 192 is the same as binary 11000000.
2. Decimal 168 is the same as binary 10101000.
3. Decimal 10 is the same as binary 00001010.
4. Decimal 1 is the same as binary 00000001.
5. Binary 1100 (the first four bits of the first octet) is the same as Hex C.
6. Binary 0000 is the same as Hex 0.
7. Binary 1010 is the same as Hex A.
8. Binary 1000 is the same as Hex 8.
9. Binary 0000 is the same as Hex 0.
10. Binary 1010 is the same as Hex A.
11. Binary 0000 is the same as Hex 0.
12. Binary 0001 is the same as Hex 1.
13. Combining the Hex equivalents shows that decimal 192.168.10.1 is equal to Hex C0A80A01.
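The conversions walked through above, as an added Python example that is not part of the course text: both the divide-by-16 method and the four-bits-at-a-time method are implemented, so the two can be checked against each other on 192.168.10.1 or any other address.

```python
# Added example (not from the course): decimal / binary / hex conversions
# of IPv4 octets, implemented both ways the text describes.

HEX_DIGITS = "0123456789ABCDEF"


def octet_to_binary(value: int) -> str:
    """Return the 8-bit binary string for a decimal octet (0-255)."""
    if not 0 <= value <= 255:
        raise ValueError(f"octet out of range: {value}")
    bits = []
    for power in range(7, -1, -1):        # place values 2^7 down to 2^0, left to right
        weight = 1 << power
        if value >= weight:
            bits.append("1")
            value -= weight
        else:
            bits.append("0")
    return "".join(bits)


def binary_to_decimal(bits: str) -> int:
    """Add the place values of the 1 bits, e.g. 11000000 -> 128 + 64 = 192."""
    total = 0
    for i, bit in enumerate(reversed(bits)):
        if bit == "1":
            total += 1 << i
        elif bit != "0":
            raise ValueError(f"not a binary digit: {bit!r}")
    return total


def octet_to_hex_by_division(value: int) -> str:
    """Method 1: divide by 16; the quotient and remainder are the two hex digits."""
    quotient, remainder = divmod(value, 16)   # 192 -> (12, 0) -> "C" and "0"
    return HEX_DIGITS[quotient] + HEX_DIGITS[remainder]


def binary_to_hex_by_nibbles(bits: str) -> str:
    """Method 2: convert each group of four bits (a nibble) to one hex digit."""
    if len(bits) % 4:
        raise ValueError("binary string length must be a multiple of 4")
    return "".join(HEX_DIGITS[binary_to_decimal(bits[i:i + 4])]
                   for i in range(0, len(bits), 4))


def dotted_to_binary(address: str) -> str:
    """192.168.10.1 -> 11000000.10101000.00001010.00000001"""
    return ".".join(octet_to_binary(int(octet)) for octet in address.split("."))


def dotted_to_hex(address: str, sep: str = "-") -> str:
    """192.168.10.1 -> C0-A8-0A-01 (the style shown by capture tools); sep="" gives C0A80A01."""
    return sep.join(octet_to_hex_by_division(int(octet)) for octet in address.split("."))


def hex_to_dotted(hex_address: str) -> str:
    """C0-A8-0A-01 or C0A80A01 -> 192.168.10.1 (the reverse direction)."""
    digits = hex_address.replace("-", "").replace(":", "").upper()
    if len(digits) != 8 or any(d not in HEX_DIGITS for d in digits):
        raise ValueError("expected 8 hex digits")
    octets = []
    for i in range(0, 8, 2):
        high, low = HEX_DIGITS.index(digits[i]), HEX_DIGITS.index(digits[i + 1])
        octets.append(str(high * 16 + low))   # undo the divide-by-16 step
    return ".".join(octets)


if __name__ == "__main__":
    addr = "192.168.10.1"
    binary = dotted_to_binary(addr)
    print(addr, "->", binary)
    print(addr, "->", dotted_to_hex(addr))
    # The two methods must agree on the same address.
    print("nibble method:", binary_to_hex_by_nibbles(binary.replace(".", "")))
    print("C0-A8-0A-01 ->", hex_to_dotted("C0-A8-0A-01"))
```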

IP Address Classes
There are five defined classes of IP addresses: Class A, Class B, Class C, Class D, and Class E. The details of each class are as follows:
- Class A IP addresses use the first 8 bits of an IP address to define the network, and the remaining 24 bits to define the host. This means there can be more than 16 million hosts in each Class A network (2^24 - 2, because all 1s and all 0s cannot be used as host addresses). All Class A IP addresses will have a first octet of 0xxxxxxx in binary format. 10.10.10.10 is an example of a Class A IP address.
- Class B IP addresses use the first 16 bits to define the network, and the remaining 16 bits to define the host. This means there can be more than 65,000 hosts in each Class B network (2^16 - 2). All Class B IP addresses will have a first octet of 10xxxxxx in binary format. 172.16.31.200 is an example of a Class B IP address.
- Class C IP addresses use the first 24 bits to define the network, and the remaining 8 bits to define the host. This means there can be only 254 hosts in each Class C network (2^8 - 2). All Class C IP addresses will have a first octet of 110xxxxx in binary format. 192.168.10.1 is an example of a Class C IP address.
- Class D IP addressing is not used for hosts, but is often used for multicasting (which will be discussed later), where there is more than one recipient. The first-octet binary value of a Class D IP address is 1110xxxx. 224.0.0.9 is an example of a Class D IP address.
- Class E IP addressing is used for experimental functions and for future use. It does have a defined first-octet binary value as well. All Class E IP addresses have a first-octet binary value of 11110xxx. 241.1.2.3 is an example of a Class E IP address.

Figure 2-4: IP address classes and their first-octet values.

Private IP Addresses and Special-function IP Addresses


There are several ranges of IP addresses that are not used on the Internet. These addresses are known as private, or reserved, IP addresses. Defined in RFC 1918, any host on any network can use these addresses, but these addresses are not meant to be used on the Internet, and most routers will not forward them. By using these reserved IP addresses, organizations do not have to be as concerned with address conflicts. The defined private addresses for the three main address classes (A, B, and C) are:
- Class A: 10.0.0.0 to 10.255.255.255
- Class B: 172.16.0.0 to 172.31.255.255
- Class C: 192.168.0.0 to 192.168.255.255

In addition to the private address ranges listed, there are a few other address ranges that have other functions. The first is the range 127.0.0.0 to 127.255.255.255. This address range is used for diagnostic purposes, with the common address 127.0.0.1 used to identify IP on the host itself. The second range is 169.254.0.0 to 169.254.255.255. This address range is used by Microsoft to allocate addresses to hosts for Automatic Private IP Addressing (APIPA).


The Subnet Mask


Along with an IP address, each host that uses TCP/IP has a subnet mask. The subnet mask is used during a process called ANDing to determine the network to which the host belongs. The way the mask identifies the network is by the number of bits allocated, or masked, for the network. A bit that is masked is identified with a binary value of 1. By default, a Class A IP address has 8 bits masked to identify the network, a Class B IP address has 16 bits masked to identify the network, and a Class C IP address has 24 bits masked to identify the network. These default subnet masks use contiguous bits to create the full mask. The following table shows the default subnet masks for the three classes, first in binary, then in the more traditional dotted decimal format.

Default Subnet Masks

Class  Binary Format                        Dotted Decimal Format
A      11111111.00000000.00000000.00000000  255.0.0.0
B      11111111.11111111.00000000.00000000  255.255.0.0
C      11111111.11111111.11111111.00000000  255.255.255.0

The subnet mask can be represented in different formats. For example, one common format is to list the IP address followed by the full subnet mask, such as this: 192.168.10.1 255.255.255.0. Another option, and one that is easier to write, is to count and record the number of bits that are used as 1s in the subnet mask. For example, in the default subnet mask for Class C, there are 24 bits designated as 1. So, to use the second format, list the IP address followed by a slash and the number of bits masked, such as this: 192.168.10.1/24.

Subnetting Example
In the event that you need to split a network into more than one range, such as for different buildings or floors, you will need to subdivide the network. The following example will step you through the process of splitting a network and creating the subnet mask necessary to support the resulting subnetworks. Let's say you have been assigned the 10.0.0.0 network with the 255.0.0.0 subnet mask, and need to break this up into 12 network ranges to support, for example, the 12 major departments in your corporate building. Here's what you should do:
1. Determine how many bits, in binary, it takes to make up the number of subnetworks you need to create. In binary, 12 is 1100, so you will need 4 bits.
2. Take 4 bits from the host side of the subnet mask and add them to the network side, effectively changing your subnet mask from 255.0.0.0 to 255.240.0.0. As you know, the subnet mask tells you where the dividing line between network and host bits resides. You started with a network ID of 10.0.0.0 and a subnet mask of 255.0.0.0, which in binary looks like this:
00001010.00000000.00000000.00000000 (IP address for network)
11111111.00000000.00000000.00000000 (subnet mask)
Your dividing line is at the end of the first octet (eight bits starting from the left). You have one big network with a network ID of 10.0.0.0, a range of usable addresses from 10.0.0.1 to 10.255.255.254, and a broadcast address of 10.255.255.255. The new, divided network looks like this:
00001010.0000 0000.00000000.00000000 (IP address for network)
11111111.1111 0000.00000000.00000000 (subnet mask)
Notice that the network/host dividing line is now in the middle of the second octet. All of your networks will have binary addresses that look like this: 00001010.xxxx yyyy.yyyyyyyy.yyyyyyyy, where x represents one of the variable bits used to create your subnetworks and y represents a bit on the host side of the address.

3. Determine the subnetwork addresses by changing the value of the x bits. The first possible permutation is the 00001010.0000 network; the second is the 00001010.0001 network, and so forth. The following table lists all of the possible subnetwork addresses (notice the pattern?).

Subnetwork   Binary Address                        Decimal Address
First        00001010.0000 0000.00000000.00000000  10.0.0.0
Second       00001010.0001 0000.00000000.00000000  10.16.0.0
Third        00001010.0010 0000.00000000.00000000  10.32.0.0
Fourth       00001010.0011 0000.00000000.00000000  10.48.0.0
Fifth        00001010.0100 0000.00000000.00000000  10.64.0.0
Sixth        00001010.0101 0000.00000000.00000000  10.80.0.0
Seventh      00001010.0110 0000.00000000.00000000  10.96.0.0
Eighth       00001010.0111 0000.00000000.00000000  10.112.0.0
Ninth        00001010.1000 0000.00000000.00000000  10.128.0.0
Tenth        00001010.1001 0000.00000000.00000000  10.144.0.0
Eleventh     00001010.1010 0000.00000000.00000000  10.160.0.0
Twelfth      00001010.1011 0000.00000000.00000000  10.176.0.0
Thirteenth   00001010.1100 0000.00000000.00000000  10.192.0.0
Fourteenth   00001010.1101 0000.00000000.00000000  10.208.0.0
Fifteenth    00001010.1110 0000.00000000.00000000  10.224.0.0
Sixteenth    00001010.1111 0000.00000000.00000000  10.240.0.0

For the first network, the network ID is 10.0.0.0 with a subnet mask of 255.240.0.0. The first usable address is 10.0.0.1, and the last usable address is 10.15.255.254. The broadcast address is 10.15.255.255 (the next possible IP address would be 10.16.0.0, which is the network ID of the second network). The second network has an ID of 10.16.0.0, a usable range of 10.16.0.1 to 10.16.255.254, and a broadcast address of 10.16.255.255. Notice that you needed only 12 networks, but you have 16. That can happen, depending on the number of networks needed. For example, if you had needed 20 networks, you would have needed to move the network/host dividing line over 5 bits to the right (20 in binary is 10100, so 5 bits must be used). In that case, you would have had a subnet mask of 255.248.0.0 (instead of the 255.240.0.0 that you used for the first example), which would have given you 32 subnetworks, even though you needed only 20. Consider it room for corporate growth!

Lesson 2: Advanced TCP/IP

41

Note that any combination of addressing can be represented in different notations. For example, you may come across a resource that defines the IP address in decimal and the subnet mask in hexadecimal. You must be able to quickly recognize the addressing as defined. Use the following task to test your ability to quickly perform these conversions.

TASK 2A-1
Layering and Address Conversions
1. Describe how layering is beneficial to the function of networking.
   By using a layered model, network communications can be broken into smaller chunks. These smaller chunks can each have a specific purpose, or function, and in the event an error happens in one chunk, it is possible that only that error be addressed, instead of starting over from scratch.
2. If you have an IP address of 192.168.10.1 and a subnet mask of FF-FF-00-00, to which IP network does your computer belong? Provide both decimal and Hex notations.
   In decimal, the network address is 192.168.0.0; in Hex, the network address is C0-A8-00-00.
3. If you have an IP address of C0-A8-0A-01 and a subnet mask of /16, to which IP network does your computer belong? Provide both decimal and Hex notations.
   In decimal, the network address is 192.168.0.0; in Hex, the network address is C0-A8-00-00.

Routing
You will get into routing in more detail later, but at this stage, you will address the basics. Being familiar with a network and how one host will communicate with another host within the same network, what do you think will happen if a host needs to send information to a host that is not in its network? This is exactly the situation where routing is needed. You need to route that information from your network to the receiving host's network. Of course, the device that makes this possible is the router. The first router you will encounter on your way out of your network is the default gateway. This is the device that your computer will send all traffic to, once it determines (by applying its own subnet mask to the destination address) that the destination host is not local (on the same network as itself). After the default gateway gets a packet of information destined for host User1 on network X, it looks at its routing table (think of this as a sort of directory, telling the router that traffic destined for networks C, G, F, and X should go out interface 1, traffic destined for networks E, A, B, and R should go out interface 2, and so forth), then the router forwards the packet out through interface 1. The destination network may or may not be attached to interface 1; the router doesn't really care at this point, it just forwards the packet on according to the information in its routing table. When more than one entry matches, the most specific (longest) prefix wins, and a default route (0.0.0.0/0) catches whatever matches nothing else. This process repeats from one router to the next until the packet finally reaches the router that is attached to the same network as the destination host. When the packet reaches this router, which is usually also the destination host's default gateway, it is sent out on the network as a unicast directed to the destination host User1.

router: An interconnection device that is similar to a bridge but forwards packets or frames containing certain protocols. Routers link LANs at the Network Layer.

VLSM and CIDR


The standard methods of subnet masking discussed earlier are effective; however, there are instances where further subdividing is required, or more control of the addressing of the network is desired. In these cases, you can use either of the following two options: Variable Length Subnet Masking (VLSM) or Classless Interdomain Routing (CIDR). Strictly speaking, VLSM is the use of masks of different lengths within one address block, and CIDR is the classless, prefix-length view of addressing (the origin of the slash notation used below) together with the route aggregation it permits; both rest on the same arithmetic. Think back to the previous example of subnet masking. In particular, let's take a closer look at the fourth network. It was intended to be used by the IT staff; however, they want to break the rather large network block given to them into smaller, more manageable blocks. Specifically, they need five smaller subnetworks to be created from their network block of 10.48.0.0 with a subnet mask of 255.240.0.0. This time, let's represent the IP addresses and subnet masks using the slash method: 10.48.0.0/12. Notice the IP address stays the same, but we replace the subnet mask with /12 to tell others that the subnet mask has 12 1s in it (which, of course, corresponds to 255.240.0.0). Now, back to the IT staff's networking issue. You have an already subnetted network (10.48.0.0/12) that you would like to split into five smaller networks. To begin, you need to ask the same starting question: How many bits does it take to make 5? In binary, 5 is 101, so you will need three bits. Then, add three bits to the present subnet mask (don't worry that it has already been subnetted before; that doesn't matter). So, now you have 10.48.0.0/15 as your first network address and new subnet mask (255.254.0.0 in dotted decimal). The new variable range is 00001010.0011xxx y.yyyyyyyy.yyyyyyyy, where the binary numbers will not change, x represents the variable bits that will make up the networks, y designates the host bits, and the space marks the new network/host boundary. So, what are the new network addresses?

Subnetwork    Binary Address                          Decimal Address
First         00001010.0011000 0.00000000.00000000    10.48.0.0
Second        00001010.0011001 0.00000000.00000000    10.50.0.0
Third         00001010.0011010 0.00000000.00000000    10.52.0.0
Fourth        00001010.0011011 0.00000000.00000000    10.54.0.0
Fifth         00001010.0011100 0.00000000.00000000    10.56.0.0
Sixth         00001010.0011101 0.00000000.00000000    10.58.0.0
Seventh       00001010.0011110 0.00000000.00000000    10.60.0.0
Eighth        00001010.0011111 0.00000000.00000000    10.62.0.0


For the first network, the network ID is 10.48.0.0, the usable addresses are 10.48.0.1 to 10.49.255.254, and the broadcast address is 10.49.255.255; for the second, the network ID is 10.50.0.0, the usable addresses are 10.50.0.1 to 10.51.255.254, and the bro adcast address is 10.51.255.255, and so forth. Did you notice that you have eight possible networks when you needed only five? Again, you can consider it just having more room for expansion.
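The two subnetting exercises above (10.0.0.0/8 split for twelve networks, then 10.48.0.0/12 split for five) and the notation conversions of Task 2A-1, worked in code. This is an added example, not code from the book: it uses only the Python standard library, and the function names (plan_subnets, bits_needed, network_of) are this example's own. It prints the same binary/decimal tables as the text, and the same call performs the VLSM step because the arithmetic does not care whether a block was subnetted before.

```python
"""Subnet planner and address-notation helpers for the book's 10.0.0.0/8 examples.
Added example, not from the book. Standard library only."""
import ipaddress


def bits_needed(count):
    """Smallest n with 2**n >= count: the number of bits to borrow.

    This is the exact form of the book's "how many binary digits does the
    count have" rule; the two agree except when count is a power of two,
    where counting digits over-allocates by one bit (16 -> 10000, but four
    bits already give sixteen subnets).
    """
    if count < 1:
        raise ValueError("need at least one subnet")
    return (count - 1).bit_length()


def binary_dotted(addr, boundary):
    """Dotted binary with a space at bit `boundary`, as in the book's tables."""
    octets = [f"{octet:08b}" for octet in addr.packed]
    i, j = divmod(boundary, 8)
    if j:  # the boundary falls inside octet i: split that octet with a space
        octets[i] = octets[i][:j] + " " + octets[i][j:]
    return ".".join(octets)


def plan_subnets(block, needed):
    """Split `block` (e.g. '10.0.0.0/8') into at least `needed` equal subnets.

    Returns (new prefix length, dotted mask, list of per-subnet dicts).
    """
    net = ipaddress.ip_network(block)  # strict: raises if host bits are set
    new_prefix = net.prefixlen + bits_needed(needed)
    if new_prefix > 30:
        raise ValueError(f"{block} cannot be split {needed} ways and keep usable hosts")
    mask = str(ipaddress.IPv4Network((0, new_prefix)).netmask)
    rows = []
    for sub in net.subnets(new_prefix=new_prefix):
        rows.append({
            "network": str(sub.network_address),
            "binary": binary_dotted(sub.network_address, new_prefix),
            "first_usable": str(sub.network_address + 1),
            "last_usable": str(sub.broadcast_address - 1),
            "broadcast": str(sub.broadcast_address),
            "hosts": sub.num_addresses - 2,
        })
    return new_prefix, mask, rows


def from_hex(text):
    """'C0-A8-0A-01' -> '192.168.10.1' (the hex notation used in Task 2A-1)."""
    return ".".join(str(int(part, 16)) for part in text.split("-"))


def to_hex(addr):
    return "-".join(f"{octet:02X}" for octet in addr.packed)


def prefix_length(mask):
    """Accept '/16', '255.255.0.0' or 'FF-FF-00-00'; non-contiguous masks raise."""
    if mask.startswith("/"):
        return int(mask[1:])
    if "-" in mask:
        mask = from_hex(mask)
    return ipaddress.IPv4Network((0, mask)).prefixlen


def network_of(host, mask):
    """Network a host belongs to, returned in decimal and hex, for either notation."""
    if "-" in host:
        host = from_hex(host)
    net = ipaddress.ip_interface(f"{host}/{prefix_length(mask)}").network
    return str(net.network_address), to_hex(net.network_address)


if __name__ == "__main__":
    for block, needed in (("10.0.0.0/8", 12), ("10.48.0.0/12", 5)):
        prefix, mask, rows = plan_subnets(block, needed)
        print(f"{block} -> {len(rows)} x /{prefix} ({mask}) for {needed} needed")
        for r in rows:
            print(f"  {r['binary']}  {r['network']:<12} {r['first_usable']} - "
                  f"{r['last_usable']}  broadcast {r['broadcast']}")
    print(network_of("192.168.10.1", "FF-FF-00-00"), network_of("C0-A8-0A-01", "/16"))
```

Running it reproduces both tables and shows the corrected range for the second /12 network (10.16.0.1 through 10.31.255.254).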

X-casting
When a packet is sent from one host to another, the process of routing functions and the packet is sent as defined. However, the process is different if one host is trying to reach more than one destination, or if one message is to be received by every other host in the network. These types of communication are referred to as broadcasting, multicasting, and unicasting. Unicast is a term that was created after multicasting and broadcasting were already defined. A unicast is a directed communication between a single transmitter and a single receiver. This is how most communication between two hosts happens, with Host A specifically communicating with Host B. A broadcast is a communication that is sent out from a single transmitting host and is destined for all possible receivers on a segment (generally, everyone in the network, since the routers that direct traffic from one network to another are generally used to stop broadcasts, thereby creating broadcast domain boundaries). Broadcasting can be done for many reasons, such as locating another host. For a MAC broadcast, the broadcast address used is FF:FF:FF:FF:FF:FF. For an IP broadcast, the address used is based on the network settings. For example, if you are on network 192.168.10.0/24, the broadcast address is 192.168.10.255 (the directed broadcast for that network); the all-ones address 255.255.255.255 is the limited broadcast, which never crosses a router. A multicast is a communication that is sent out to a group of receivers on the network. Multicasting is often implemented as a means for directing traffic from the presenter of a video conference to the audience. In comparison to the broadcast, which all receivers on the segment will receive, those who wish to receive a multicast must join a group to do so. Group membership is often very dynamic and controlled by a user or an application. Currently, Class D addresses are used for multicasting purposes. Remember, Class D has IP addresses in the range of 224.0.0.0 to 239.255.255.255.

TASK 2A-2
Routers and Subnetting
1. You are using a host that has an IP address of 192.168.10.23 and a subnet mask of 255.255.255.0. You are trying to reach a host with the IP address 192.168.11.23. Will you need to go through a router? Explain your response.
   Yes, you will need to go through a router. Your subnet mask defines you as belonging to network 192.168.10.0, and the remote host you are trying to reach does not belong to your network.
2. Boot your computer to Windows Server 2003, and log on as Administrator, with a blank (null) password.
3. Choose Start > Settings > Network Connections. Right-click the network interface and choose Properties.
4. Select Internet Protocol (TCP/IP) and click Properties.
5. Click the Advanced button, and verify that the IP Settings tab is displayed. Under Default Gateways, record the IP address here: ____________
   For the LEFT side of the classroom, the Default Gateway is 172.16.0.1. For the RIGHT side, it is 172.18.0.1.
   Instructor note: Be prepared to diagram or otherwise explain the classroom setup.
6. Select the Default Gateway IP address you just recorded, and click Remove. Click OK twice and click Close twice.
7. Open a command prompt and ping an address that is not on your local network. For instance, if you are on the LEFT side of the classroom, you could ping an address in the 172.18.10.0 network, and if you are on the RIGHT side of the classroom, you could ping an address in the 172.16.10.0 network.
   Instructor note: The recommended classroom layout is shown in the figure in the setup.
8. Observe the message you receive.
   The text "Destination host unreachable" is displayed. Your computer knows that the ping packet is supposed to go to a computer that is outside your local network, but it does not know how to get it there.
9. Switch to the Network Connections Control Panel and display the properties of the network interface.
10. Select Internet Protocol (TCP/IP), click Properties, and then click Advanced. On the IP Settings tab, click the Add button found in the Default Gateway area.
11. In the TCP/IP Gateway Address box, enter the IP address you recorded earlier in the task and click Add. Click OK twice and click Close twice.
12. Switch back to the command prompt and try to ping the remote address again.
13. Observe the message you receive.
   This time, as long as the other computer's default gateway is correctly configured, you should be successful in pinging the remote computer. This is because your computer now knows to send traffic to the router if that traffic is destined for another network. (How the routers know where to send the traffic is covered later in the course.) Contact your instructor if your ping attempt is not successful.
14. Close all open windows.

Instructor note: Students must be able to ping all computers within the classroom for the remaining tasks to work properly. If any students are not successful in the second ping attempt, help them troubleshoot the issue.
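The forwarding decisions described in the Routing section and exercised in Task 2A-2, as an added Python example (not code from the book): a host decides between local delivery, its default gateway, and "unreachable" when no gateway is configured, and a router picks the longest matching prefix from its table. The routing table, interface names, next-hop addresses and the 10.x entries are constructed for illustration; only the 172.16.0.0/16 and 172.18.0.0/16 networks echo the classroom layout.

```python
"""Host forwarding decision and router longest-prefix lookup.
Added example, not from the book; the table below is constructed."""
import ipaddress


def host_decision(host_ip, mask, default_gateway, dest_ip):
    """What the sending host does with a packet for `dest_ip`.

    ('local', dest)      destination is on the host's own network (it ARPs directly)
    ('gateway', gw)      destination is off-net; hand the packet to the default gateway
    ('unreachable', None) off-net but no gateway configured: the state Task 2A-2
                          creates by removing the gateway ("Destination host unreachable")
    """
    iface = ipaddress.ip_interface(f"{host_ip}/{mask}")
    dest = ipaddress.ip_address(dest_ip)
    if dest in iface.network:
        return "local", dest_ip
    if default_gateway is None:
        return "unreachable", None
    return "gateway", default_gateway


# (prefix, outgoing interface, next hop or None when directly connected); constructed
ROUTING_TABLE = [
    ("172.16.0.0/16", "eth0", None),
    ("172.18.0.0/16", "eth1", None),
    ("10.48.0.0/12", "eth2", "10.1.0.2"),
    ("10.50.0.0/15", "eth3", "10.1.0.3"),    # more specific than the /12 above it
    ("0.0.0.0/0", "eth4", "203.0.113.1"),    # default route: matches everything
]


def route_lookup(table, dest_ip):
    """Longest-prefix match: the most specific matching entry wins.

    Returns (interface, next_hop), or None when nothing matches; a table
    holding a default route never returns None.
    """
    dest = ipaddress.ip_address(dest_ip)
    best = None
    for prefix, interface, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, interface, next_hop)
    return None if best is None else (best[1], best[2])


def trace(table, host_ip, mask, default_gateway, dest_ip):
    """The host's decision followed by the first router's, as readable hops.

    The book's router-to-router repetition would continue with the next
    router's own table; this example stops after the default gateway.
    """
    hops = []
    action, target = host_decision(host_ip, mask, default_gateway, dest_ip)
    hops.append(f"host: {action} {target or ''}".strip())
    if action != "gateway":
        return hops
    match = route_lookup(table, dest_ip)
    if match is None:
        hops.append(f"router {target}: no route")
        return hops
    interface, next_hop = match
    hops.append(f"router {target}: out {interface} via {next_hop or 'directly connected'}")
    return hops


if __name__ == "__main__":
    for gw in ("172.16.0.1", None):
        print(trace(ROUTING_TABLE, "172.16.10.5", "255.255.0.0", gw, "172.18.10.2"))
    print(route_lookup(ROUTING_TABLE, "10.50.5.5"), route_lookup(ROUTING_TABLE, "10.49.1.1"))
```

The two lookups in the last line show why prefix length matters: 10.50.5.5 falls inside both 10.48.0.0/12 and 10.50.0.0/15 and takes the /15, while 10.49.1.1 matches only the /12.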


Topic 2B
Analyzing the Three-way Handshake
Although a great deal of emphasis is given to IP due to the addressing and masking issues, TCP deserves equal attention from the security professional. In addition to TCP, the other protocol that functions as a transport protocol is UDP. This topic will concentrate on TCP; however, a brief discussion on UDP is warranted. The following table provides a brief comparison of the two protocols.

Comparing TCP and UDP

TCP                      UDP
Connection-oriented      Connectionless
Slower communications    Faster communications
Considered reliable      Considered unreliable
Transport Layer          Transport Layer

security: A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.

TCP provides a connection-oriented means of communication, whereas UDP provides connectionless communication. The connection-oriented function of TCP means it can ensure reliable transmission, and can recover if transmission errors occur. The connectionless function of UDP means that packets are sent in the expectation that they will make it to the other host, with no means within UDP of ensuring the reliability of the transmission (an application that needs reliability over UDP has to build it itself). UDP is considered faster because less work is done between the two hosts that are communicating. Host 1 simply sends a packet to the address of host 2. There is nothing built into UDP to provide for host 1 checking to see if host 2 received the packet, or for host 2 sending a message back to host 1, acknowledging receipt. TCP provides the functions of connection-oriented communication by using features such as the three-way handshake, acknowledgements, and sequence numbers. In addition to these features, a significant part of TCP is the use of control flags. The original TCP specification (RFC 793) defines six control flags in the TCP header, each with a specific meaning; later standards added two more for explicit congestion notification (CWR and ECE), which are not covered here.


TCP Flags
The TCP flags are: SYN, ACK, FIN, RESET, PUSH, and URGENT. These flags may also be identified as S, ack, F, R, P, and urg (the abbreviations that tools such as tcpdump print). Each of these flags occupies the space of one bit in the header, and if they are assigned a value of 1, they are considered on. The function of each flag is identified as follows:
- The SYN, or S, flag represents the first part of establishing a connection. The synchronizing of communication will generally be in the first packet of communication.
- The ACK, or ack, flag indicates that the acknowledgement number field is valid, acknowledging receipt of data from the sending host. It is first sent during the second part of establishing a connection, in response to the sending host's SYN request, and is set on nearly every segment after that.
- The FIN, or F, flag represents the sender's intention of terminating the communication in what is known as a graceful manner.
- The RESET, or R, flag represents the sender's intention to reset (abort) the communication.
- The PUSH, or P, flag is used when the sending host requires data to be pushed directly to the receiving application, rather than waiting to fill a buffer.
- The URGENT, or urg, flag indicates that the urgent pointer field is valid and that the data it points to should take precedence over other data in the stream.

Sequence and Acknowledgement Numbers


In addition to the TCP flags, another critical issue of TCP is that of numbers: sequence and acknowledgement numbers, to be specific. Because TCP has been defined as a reliable protocol that has the ability to provide for connection-oriented communication, there must be a mechanism to provide these features. Sequence and acknowledgement numbers are what provide this.

Sequence Numbers
The sequence number is found in the TCP header of each TCP packet and is a 32-bit value. These numbers give the two hosts a common ground for communication and allow the hosts to identify what has been sent and received. Strictly, sequence numbers count bytes of the data stream rather than packets: the sequence number of a segment is the number of its first data byte, and the SYN and FIN flags each consume one number as well. If a large web page requires several TCP packets for transmission, sequence numbers are used by the receiving host to reassemble the packets in the proper order and provide the full web page for viewing. When a host sends the request to initiate a new connection, an Initial Sequence Number (ISN) must be chosen. There are different algorithms by different vendors for choosing an ISN; RFC 793 describes a generator driven by a 32-bit clock whose low-order bit is incremented roughly every 4 microseconds. A predictable ISN is a security problem in its own right: an attacker who can guess it can complete a handshake, or inject data into an existing session, without ever seeing the victim's replies, which is why modern stacks choose ISNs unpredictably per connection (RFC 6528).

Acknowledgement Numbers
The acknowledgement number is also found in the TCP header of each TCP packet, and is also a 32-bit value. It gives the sending host a receipt for delivered data: the acknowledgement number names the next sequence number the receiver expects, which is one more than the last byte (or SYN or FIN) received in order. An acknowledgement number in a packet header is therefore the response to the sequence number in the packet it acknowledges. In the event that the sending host does not receive an acknowledgement for a transmitted packet in the defined timeframe, the sender will retransmit the packet. This is how TCP provides reliable delivery. If a packet seems to have been lost, the sender will retransmit it.


Connections
All communication in TCP is done with connections between two hosts (UDP, by contrast, has no connections). Each connection is opened (or established), data is sent, and the connection is closed (or torn down). These connections have very specific rules they must follow. There are two different states of the open portion of this process: Passive Open and Active Open. Passive Open is when a running application tells TCP that it is ready to receive inbound requests via TCP. The application is assuming inbound requests are coming, and is prepared to serve those requests. This is also known as the listening state, as the application is listening for requests to communicate. Active Open is when a running application tells TCP to start a communication session with a remote host (which is in Passive Open state). It is possible for two hosts in Active Open to begin communication (a simultaneous open). It is not a requirement that the remote host be in Passive Open, but that is the most common scenario.

Connection Establishment
In order for the sequence and acknowledgement numbers to have any function, a session between the two hosts must be established. This connection establishment is called the three-way handshake. The three-way handshake involves three distinct steps, which are detailed as follows (please refer to Figure 2-5 when reading this section):

1. Host A sends a segment to Host C with the following:
   SYN = 1 (The session is being synchronized.)
   ACK = 0 (There is no value in the ACK field, so this flag is a 0.)
   Sequence Number = x, where x is a variable. (x is Host A's ISN.)
   Acknowledgement Number = 0
2. Host C receives Host A's segment and responds to Host A with the following:
   SYN = 1 (The session is still being synchronized.)
   ACK = 1 (The acknowledgement flag is now set, as there is an ack value in this segment.)
   Sequence Number = y, where y is a variable. (y is Host C's ISN.)
   Acknowledgement Number = x + 1 (The sequence number from Host A, plus 1: the SYN itself occupies one sequence number.)
3. Host A receives Host C's segment and responds to Host C with the following:
   SYN = 0 (Session is synchronized with this segment; further requests are not needed.)
   ACK = 1 (The ack flag is set in response to the SYN from the previous segment.)
   Sequence Number = x + 1 (This is the next sequence number in series.)
   Acknowledgement Number = y + 1 (The sequence number from Host C, plus 1.)

At this point, the hosts are synchronized and the session is established in both directions, with data transfer to follow. Two security consequences follow directly from these steps. A connection left half-open (step 2 sent, step 3 never received) ties up state on Host C until it times out, which is what a SYN flood exploits. And because step 3 must carry y + 1, an attacker who cannot see Host C's reply must guess y to forge the connection, which is why the ISN has to be unpredictable.

Figure 2-5: The three-way handshake.

Connection Termination
In addition to specific steps that are involved in the establishment of a session between two hosts, there are equally specific steps in the termination of the session. There are two methods of ending a session using TCP. One is considered graceful, and the other is non-graceful. A graceful shutdown happens when one host sends a message (using the FIN flag) to the other, stating it is time to end the session; the other acknowledges; and they both end the session. A non-graceful shutdown happens when one host simply sends a message (using the RESET flag) to the other, indicating the communication has stopped, with no acknowledgements and no further messages sent. In this section, we will investigate the details of the standard graceful termination. As you saw earlier, it requires three segments to establish a TCP session between two hosts. The other side of the session, the graceful termination, requires four segments. Four segments are required because TCP is a full-duplex communication protocol (meaning data can be flowing in both directions independently), so each direction is closed separately. (In practice the passive-closing host often combines its acknowledgement with its own FIN in a single segment, so a capture may show three segments instead of four.) As per the specifications of TCP, either end of a communication can end the session by sending a FIN, which has a sequence number just as a SYN has a sequence number. Similar to the Active and Passive Opens mentioned earlier, there are also Active and Passive Closes. The host that begins the termination sequence, by sending the first FIN, is the host performing the Active Close. The host that receives the first FIN is the host that is performing the Passive Close. The graceful teardown of a session is detailed as follows (please refer to Figure 2-6 when reading this section):

1. Host A initiates the session termination to Host C with the following:
   FIN = 1 (The session is being terminated.)
   ACK = 1 (There is an ack number, based on current communication.)
   Sequence Number (FIN number) = s (s is a variable based on the current communication.)
   Acknowledgement Number = p (p is a variable based on the current communication.)
2. Host C receives Host A's segment and replies with the following:
   FIN = 0 (This segment is not requesting closure of the session.)
   ACK = 1 (This segment does contain an ack number.)
   Sequence Number = p (Every TCP segment carries a sequence number; an acknowledgement-only segment consumes none, so Host C's next value is unchanged.)
   Acknowledgement Number = s + 1 (This is the response to Host A's FIN, which occupied one sequence number.)
3. Host C initiates the session termination in the opposite direction with the following:
   FIN = 1 (The session is being terminated.)
   ACK = 1 (There is an ack number.)
   Sequence Number = p (p is a variable based on the current communication.)
   Acknowledgement Number = s + 1 (This is the same as in the previous segment.)
4. Host A receives the segments from Host C and replies with the following:
   FIN = 0 (This segment does not request a termination; there is no FIN.)
   ACK = 1 (This segment does contain an ack number.)
   Sequence Number = s + 1 (Again, an acknowledgement-only segment consumes no sequence space.)
   Acknowledgement Number = p + 1 (This is Host C's sequence number, plus 1.)

At this point the session has been terminated. Communication in both directions has had a FIN requested and an acknowledgement to the FIN, closing the session. The host that performed the Active Close (Host A) keeps the connection in the TIME_WAIT state for a while before discarding it, so that a delayed duplicate of the final segments cannot be mistaken for part of a new connection.

Figure 2-6: Connection termination.
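The handshake and graceful teardown described above, driven end to end between Host A and Host C, as an added Python example (not code from the book). Each endpoint keeps only the bookkeeping the text discusses: its state, SND.NXT (the next sequence number it will send) and RCV.NXT (the next one it expects, which is what it acknowledges). The ISNs 1000 and 5000 are fixed so that the output is reproducible; a real stack picks them unpredictably. The model carries no application data, so s = x + 1 and p = y + 1 in the book's notation, and the reset and the "bad acknowledgement" check show why forged segments need the right numbers.

```python
"""TCP handshake, graceful teardown and reset as endpoint state machines.
Added example, not from the book; ISNs and host names are constructed."""
from collections import namedtuple

Segment = namedtuple("Segment", "src dst flags seq ack")
FLAG_ORDER = ["SYN", "FIN", "RST", "ACK"]


class Endpoint:
    """One side of a connection: state, SND.NXT and RCV.NXT, nothing else."""

    # (state, kind of segment received) -> (new state, reply flags, sequence space reply occupies)
    TRANSITIONS = {
        ("LISTEN", "SYN"): ("SYN_RECEIVED", {"SYN", "ACK"}, 1),  # handshake step 2
        ("SYN_SENT", "SYN"): ("ESTABLISHED", {"ACK"}, 0),        # handshake step 3
        ("SYN_RECEIVED", "ACK"): ("ESTABLISHED", None, 0),
        ("ESTABLISHED", "FIN"): ("CLOSE_WAIT", {"ACK"}, 0),      # teardown step 2
        ("FIN_WAIT_1", "ACK"): ("FIN_WAIT_2", None, 0),
        ("FIN_WAIT_2", "FIN"): ("TIME_WAIT", {"ACK"}, 0),        # teardown step 4
        ("LAST_ACK", "ACK"): ("CLOSED", None, 0),
    }

    def __init__(self, name, isn):
        self.name, self.snd_nxt, self.rcv_nxt, self.state = name, isn, None, "CLOSED"

    def _send(self, peer, flags, occupies):
        # SYN and FIN each occupy one sequence number; a pure ACK occupies none,
        # which is why acknowledgement-only segments leave SND.NXT unchanged.
        ack = self.rcv_nxt if "ACK" in flags else 0
        seg = Segment(self.name, peer.name, frozenset(flags), self.snd_nxt, ack)
        self.snd_nxt += occupies
        return seg

    def passive_open(self):
        self.state = "LISTEN"

    def active_open(self, peer):              # handshake step 1
        self.state = "SYN_SENT"
        return self._send(peer, {"SYN"}, 1)

    def active_close(self, peer):             # teardown step 1 (step 3 when already in CLOSE_WAIT)
        self.state = "LAST_ACK" if self.state == "CLOSE_WAIT" else "FIN_WAIT_1"
        return self._send(peer, {"FIN", "ACK"}, 1)

    def abort(self, peer):                    # non-graceful close: RST, nothing acknowledged
        self.state = "CLOSED"
        return self._send(peer, {"RST"}, 0)

    def receive(self, seg, peer):
        """Validate one inbound segment, move state, and return the reply or None."""
        flags = seg.flags
        if "RST" in flags:
            self.state = "CLOSED"
            return None
        if "ACK" in flags and seg.ack != self.snd_nxt:
            raise ValueError(f"{self.name}: ack {seg.ack} but SND.NXT is {self.snd_nxt}")
        if "SYN" in flags:
            self.rcv_nxt = seg.seq + 1        # the SYN consumed one sequence number
        elif seg.seq != self.rcv_nxt:
            raise ValueError(f"{self.name}: seq {seg.seq} but RCV.NXT is {self.rcv_nxt}")
        elif "FIN" in flags:
            self.rcv_nxt += 1                 # and so does a FIN
        kind = "SYN" if "SYN" in flags else "FIN" if "FIN" in flags else "ACK"
        self.state, reply, occupies = self.TRANSITIONS[(self.state, kind)]
        return self._send(peer, reply, occupies) if reply else None


def describe(seg):
    flags = ",".join(sorted(seg.flags, key=FLAG_ORDER.index))
    return f"{seg.src} -> {seg.dst} [{flags}] seq={seg.seq} ack={seg.ack}"


def run_session(isn_a=1000, isn_c=5000):
    """Host A opens and closes actively against Host C; returns the seven
    segments exchanged and both hosts' final states."""
    a, c = Endpoint("A", isn_a), Endpoint("C", isn_c)
    c.passive_open()
    trace = []

    def deliver(seg):
        while seg is not None:                # follow the reply chain until nobody replies
            trace.append(seg)
            receiver, sender = (c, a) if seg.dst == "C" else (a, c)
            seg = receiver.receive(seg, sender)

    deliver(a.active_open(c))                 # SYN, SYN+ACK, ACK
    deliver(a.active_close(c))                # FIN+ACK from A, ACK from C
    deliver(c.active_close(a))                # FIN+ACK from C, ACK from A
    return trace, a.state, c.state


if __name__ == "__main__":
    segments, state_a, state_c = run_session()
    for s in segments:
        print(describe(s))
    print("A:", state_a, " C:", state_c)
```

Note that the state table has no entry for a FIN arriving in FIN_WAIT_1 (a simultaneous close) or for data segments; those are outside what the text covers and the model raises a KeyError rather than guessing.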

Ports
You have been introduced to the fact that IP deals with addressing and the sending/receiving of data between two hosts, and you have been introduced to the fact that TCP can be selected to provide reliable delivery of data. However, if a client sends a request to a server that is running many services, such as WWW, NNTP, SMTP, and FTP, how does the server know which application is supposed to receive the request? The answer is by specifying ports.

Port numbers are located in the TCP or UDP header, and they are 16-bit values, ranging from 0 to 65535. Port numbers can be assigned to specific functions or applications. Ports can also be left open for dynamic use by two hosts during communication. There are ranges of ports for each function. There are three main categories of ports: well-known, registered, and dynamic. The well-known ports (also called reserved ports by some) are those in the range of 0 to 1023. These port numbers are assigned to specific applications and need to remain constant for the primary services of the Internet to continue to provide the flexibility and usefulness they do today. For example, the WWW service is port 80, the Telnet service is port 23, the SMTP service is port 25, and so on. The well-known port list is maintained by the Internet Assigned Numbers Authority (IANA), and can be found here: www.iana.org/assignments/port-numbers. Registered ports are those in the range of 1024 to 49151. IANA records registrations in this range as well, but a registration is a listing rather than an enforced reservation, so multiple applications can end up using the same port, and on most operating systems any program can bind a registered port. Dynamic ports (also called private ports) are those from 49152 to 65535. IANA never assigns these; any application can use them. Keep in mind that a port number identifies a service only by convention: a server can listen on any port, and a backdoor frequently hides on a port associated with a legitimate service.

When a client connects to a server and requests a resource, that client also requires a port. The client ports (also called ephemeral ports by some) are used by a client during one specific connection; each subsequent connection will use a different port number. These ports are not assigned to any default service, and are usually a number greater than 1023. There is no defined range for client ports; they can cover the numbers of both the registered and dynamic port ranges. When a client begins a session by requesting a service from a server, such as the WWW service on port 80, the client uses an ephemeral port on the client side. This enables the server to respond to the client. Data is then exchanged between the two hosts using the port numbers established for that session: 80 on the server side, and a dynamic number greater than 1023 on the client side. The combination of the IP address and port is often referred to as a socket, and the two hosts together are using a socket pair to communicate for this session; together with the transport protocol, the socket pair (source address and port, destination address and port) uniquely identifies the connection. The following table lists some of the well-known ports and their associated services.

Some Well-known Ports and their Services

Port         Service
23           Telnet
80           HTTP (standard web pages)
443          HTTPS (HTTP over TLS/SSL; secure web pages)
20 and 21    FTP (data and control)
53           DNS
25           SMTP
119          NNTP


In addition to known valid services, such as those listed previously, there are many Trojan Horse programs that use specific ports by default (although the port can usually be changed, so a listener on one of these ports is a reason to investigate rather than proof of compromise).
Trojan Horse: An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.

Ports Associated with Trojan Horses

Port Number    Name of Trojan Horse
12345          NetBus
1243           Sub Seven
27374          Sub Seven 2.1
31337          Back Orifice
54320 (TCP)    Back Orifice 2000 (BO2K)
54321 (UDP)    Back Orifice 2000 (BO2K)
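The port categories, socket pairs and Trojan-port table above, applied to the kind of output netstat -an produces on a Windows host, as an added Python example (not code from the book). The sample lines are constructed, the Trojan list is the book's table, and the verdicts are leads rather than proof: a backdoor can be moved to any port and a legitimate program can land on one of these by chance.

```python
"""Port-range classification and socket-pair review over netstat-style output.
Added example, not from the book; SAMPLE is constructed to resemble 'netstat -an'."""
import re
from collections import namedtuple

WELL_KNOWN, REGISTERED, DYNAMIC = range(0, 1024), range(1024, 49152), range(49152, 65536)

SERVICES = {20: "FTP-data", 21: "FTP", 23: "Telnet", 25: "SMTP", 53: "DNS",
            80: "HTTP", 119: "NNTP", 443: "HTTPS"}

# port -> (name, protocol the book's table specifies, or None for either)
TROJAN_PORTS = {12345: ("NetBus", None), 1243: ("Sub Seven", None),
                27374: ("Sub Seven 2.1", None), 31337: ("Back Orifice", None),
                54320: ("Back Orifice 2000", "tcp"), 54321: ("Back Orifice 2000", "udp")}

Socket = namedtuple("Socket", "proto ip port")       # one (address, port) pair
Row = namedtuple("Row", "proto local remote state")  # one netstat line: a socket pair

NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\*|\d+)\s*(\S+)?\s*$")


def port_category(port):
    """IANA range names: well-known 0-1023, registered 1024-49151, dynamic 49152-65535."""
    for name, rng in (("well-known", WELL_KNOWN), ("registered", REGISTERED), ("dynamic", DYNAMIC)):
        if port in rng:
            return name
    raise ValueError(f"port {port} is outside the 16-bit range")


def parse_netstat(text):
    """Turn 'netstat -an' lines into Row records, skipping headers and blank lines."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        proto = proto.lower()
        local = Socket(proto, lip, int(lport))
        remote = Socket(proto, rip, None if rport == "*" else int(rport))
        rows.append(Row(proto, local, remote, state or ""))  # UDP rows carry no state
    return rows


def describe_pair(row):
    """Name the server end (the well-known port) and the client end (the ephemeral
    port). Both ends above 1023 cannot be told apart from the line alone."""
    l, r = row.local, row.remote
    if l.port in WELL_KNOWN and r.port not in WELL_KNOWN:
        return f"inbound {SERVICES.get(l.port, l.port)}: client {r.ip}:{r.port} -> server {l.ip}:{l.port}"
    if r.port in WELL_KNOWN and l.port not in WELL_KNOWN:
        return f"outbound {SERVICES.get(r.port, r.port)}: client {l.ip}:{l.port} -> server {r.ip}:{r.port}"
    return f"ambiguous pair {l.ip}:{l.port} <-> {r.ip}:{r.port}"


def review(rows):
    """Findings worth a second look: listeners on Trojan-associated ports (matching
    the protocol when the table specifies one) and the socket pairs of live sessions."""
    findings = []
    for row in rows:
        name, proto = TROJAN_PORTS.get(row.local.port, (None, None))
        listening = row.state == "LISTENING" or (row.proto == "udp" and row.remote.port is None)
        if name and listening and proto in (None, row.proto):
            findings.append(f"{row.proto.upper()} {row.local.ip}:{row.local.port} "
                            f"({port_category(row.local.port)} range) is listening on the "
                            f"port associated with {name}")
        if row.state == "ESTABLISHED":
            findings.append(describe_pair(row))
    return findings


SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    172.16.10.5:80         172.16.10.9:49211      ESTABLISHED
  TCP    172.16.10.5:51433      172.18.10.2:23         ESTABLISHED
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:54320          *:*
"""

if __name__ == "__main__":
    for finding in review(parse_netstat(SAMPLE)):
        print(finding)
```

The UDP listener on 54320 is deliberately not reported: the table ties that number to BO2K over TCP only, and matching on the number alone would add noise.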

Network Monitor
There is a very valuable tool available with Windows called Network Monitor. This tool allows for full packet capture and lets the analyst (you) peer into the packets' contents, examining both the payload, or data, and the headers, in detail. You can see which flags are set, the sequence and acknowledgement numbers, the packet size, and more. The following is a discussion on the use of Network Monitor, provided as background for you to be able to perform the tasks in this lesson. Some of the things you can do with Network Monitor are:
- Monitor real-time network traffic.
- Analyze network traffic.
- Filter specific protocols to capture.

In this lesson, you will be focusing on the capture and analysis of IP packets, and on the details of the protocol suite.


Figure 2-7: The default view of Network Monitor, showing the various panes.

In Figure 2-7, you can see the default view of Network Monitor. In this view, the screen is split into several sections. The top bar is the standard menu bar found in Microsoft programs. The basic functions on the toolbar that you will use in this lesson are contained in the File and Capture menus. The File menu contains three commands: Open, Save As, and Exit. Choose Open to open a previously saved Network Monitor capture. Choose Save As to save a Network Monitor capture. Choose Exit to exit.

The Capture menu has more commands: Start, Stop, Stop And View, Pause, and Continue. The Start, Pause, and Continue commands are self-explanatory. The difference between Stop and Stop And View is that the Stop command only ends the capture, whereas the Stop And View command ends the capture and switches Network Monitor to its next mode, Display View.

The other sections of the Capture View are panes (windows in a window) called Graph, Session Stats, Station Stats, and Total Stats. The Graph pane provides five bars that track pre-defined metrics:
- The first graph indicates the percentage (%) of network utilization, meaning how much the network is being used.
- The second graph indicates the number of frames per second transmitted over the network.
- The third graph indicates the number of bytes per second transmitted over the network.
- The fourth graph indicates the number of broadcasts per second transmitted over the network.
- The fifth graph indicates the number of multicasts per second transmitted over the network.
While a capture is running, these graphs work in real time, providing current data.

The next pane is the Session Stats pane. In this pane, you can see the sessions that are taking place during the capture. Following the Session Stats is the Station Stats pane. In this pane, you can see statistics per interface on the host, per broadcast, per multicast, and more. The nal pane in this view is the Total Stats pane. The Total Stats pane is subdivided into sections: Network Statistics, Captured Statistics, Per Second Statistics, Network Card (MAC) Statistics, and Network Card (MAC) Error Statistics. From this pane, you can identify frames, broadcasts, multicasts, network utilization, errors, and more, all in real time during the capture.

Displaying Captures
After you have captured network traffic, you can begin your analysis, which requires a different view of Network Monitor. You will need to use the Display View. You can switch to the Display View either by using the Capture > Stop And View command or by using the Display Captured Data command after a capture session has been stopped.

Figure 2-8: The Summary View of Network Monitor.

When you first open the Summary View, as shown in Figure 2-8, you will see a timeline of packets captured. By double-clicking any packet that was captured, you can look into its details and bring up the next view of Network Monitor. Once you have selected a packet, Network Monitor displays three panes for presenting information to you.

Figure 2-9: The details of a packet in Network Monitor.

The top pane shown in Figure 2-9 is the Summary pane. This pane provides the basic details of a packet, such as:
- Frame number
- Time the packet was captured
- Destination and source MAC addresses
- Protocol used
- Destination and source IP addresses

The middle pane shown in Figure 2-9 is the Detail pane. This pane provides the actual details of the protocol for the selected packet. Any line that has a plus sign next to it can be expanded for further detail. The bottom pane in Figure 2-9 is the Hex pane. This pane provides the actual Hex value for the raw data that each frame is comprised of. When you select something in the Detail pane, it is highlighted in the Hex pane for comparison. Also, in this pane, the ASCII characters are visible. In the event that cleartext is captured, this is where it will be readable.

Network Monitor Filters


Because Network Monitor has the ability to capture all network traffic, it would be very easy to capture too much information and have difficulty in finding what you were looking for. This is where filtering comes into play. There are two types of filters available in Network Monitor: capture filters and display filters. For example, if you wanted to capture only TCP messages, you could create a capture filter so that only TCP messages are captured. If you wanted to view only ICMP messages, you could create a display filter so that all you see are ICMP messages. Figure 2-10 and Figure 2-11 show the dialog boxes used for each filter type.


To create or use filters, choose Capture > Filter. Using filters not only makes it easier for you, as an analyst, to find what you are looking for, but also keeps the buffer that stores the capture from filling with useless information. Be aware of the difference in cost: a capture filter discards frames before they are stored, so anything it excludes is gone for good, whereas a display filter only hides frames and can be changed or removed later without losing data. When you are not yet sure what you are looking for, capture broadly and filter on display.

Figure 2-10: Network Monitor's Capture Filter dialog box.

Figure 2-11 shows the Display Filter dialog box.

Figure 2-11: Network Monitor's Display Filter dialog box.


When using filtering, you will likely use either protocol or address filtering. With protocol filtering, you identify a specific protocol to work with. With address filtering, you define the specific address to filter on. Filters can be implemented in different directions: traffic into this host, outbound from this host, or in both directions. These options are implemented by selecting the appropriate arrow (one of --->, <---, or <-->) for the function you want to perform.

TASK 2B-1
Using Network Monitor
1. Open a command prompt, and enter ipcong /all If you are on the LEFT side of the classroom, your IP addresses will be 172. 16.10.x. If you are on the RIGHT side of the classroom, your IP addresses will be 172.18.10.x. 2. Record the MAC and IP address for the network card in your computer.
MAC address IP address Each card will have a unique MAC address. Each card will have a unique IP address.

3. Close the Command Prompt window.
4. Open Network Monitor. (From the Start menu, choose All Programs→Administrative Tools→Network Monitor.) If you see the Microsoft Network Monitor message box, click OK to display the Select A Network dialog box.
5. Expand the + sign next to Local Computer, select the interface with the MAC address you recorded in Step 2, and click OK.
6. From the Capture menu, choose Start, or press F10 to start a capture.
7. If you are on the LEFT side of the classroom, ping the IP address 172.16.0.1. If you are on the RIGHT side of the classroom, ping the IP address 172.18.0.1. This will create network traffic for you to capture.
8. Wait for 20 to 30 seconds. As you wait, watch the real-time statistics change in the Network Monitor Capture window.
9. Choose Capture→Stop And View. You should now see the Display View, including the timeline of the packets captured.

10. Double-click any packet to change to the Detail View.
11. Observe the structure of the three panes in this view, and expand any + signs displayed in the middle pane.
12. From the Display menu, choose Filter.
13. Highlight Protocol==Any, and click the Edit Expression button.
Lesson 2: Advanced TCP/IP 57

14. With the Protocol tab selected, click the Disable All button.
15. Scroll down to ICMP, select ICMP, and click the Enable button. The Expression field at the top of the dialog box should now display Protocol == ICMP. Click OK.
16. Click OK to implement this filter on your capture.
17. Observe that only ICMP frames are visible in your window now.
18. From the File menu, choose Save As, and save the capture as First_Capture.cap in the default location.
19. Close Network Monitor.

Wireshark
Another product you can use to capture data is Wireshark. (Wireshark was formerly known as Ethereal; the name changed in 2006.) With Wireshark, data can be captured off the wire or read from a saved capture file, and captures can be saved in a file format that Microsoft Network Monitor can read. Wireshark supports analysis of over 750 Data Link, Network, Transport, and Application layer protocols. Wireshark can be downloaded from www.wireshark.org. To perform promiscuous mode captures on a Windows machine, you must first download and install the latest stable version of WinPcap; do not install any alpha or beta versions. WinPcap is the Windows equivalent of libpcap (LIBrary for Packet CAPture), the capture library used on Linux and other Unix-like systems. It can be obtained from www.winpcap.org. You will use WinPcap again later in the course, along with other tools such as windump, tcpdump, nmap, and snort.

promiscuous mode: Normally an Ethernet interface accepts only frames addressed to its own MAC address (plus broadcasts and the multicast groups it has joined) and discards the rest. When the interface is in promiscuous mode, it passes every frame it sees up to the capturing software (the sniffer), regardless of the frame's destination address.

TASK 2B-2
Installing and Starting Wireshark
1. Choose Start→My Computer.
2. Open C:\Tools\Lesson2. Note: If you do not have a C:\Tools folder, please review the tools section of the Setup Guide.
3. Double-click the WinPcap_4_0.exe file.
4. In the WinPcap_4_0.exe Installer Welcome screen, click Next.
5. In the WinPcap 4.0 Setup Wizard screen, click Next.
6. Read the License Agreement, and click I Agree.
7. To close the WinPcap install wizard, click Finish.
8. Double-click the Wireshark_setup-0.99.5.exe file.
9. In the Wireshark Setup Wizard Welcome screen, click Next.


10. Read the License Agreement, and click I Agree.
11. Accept the Default Components (do not make any changes), and click Next.
12. Accept the Default Additional Tasks (do not make any changes), and click Next.
13. Accept the Default Destination Folder, and click Next.
14. You have already installed WinPcap, so do not check any boxes on the WinPcap screen; click Install.
15. In the Installation Complete screen, click Next.
16. In the Completing The Wireshark 0.99.5 Setup Wizard screen, check the Run Wireshark 0.99.5 check box and click Finish.
17. Leave Wireshark open for the following tasks.

Wireshark Overview
When you first start Wireshark (formerly called Ethereal), you will see a GUI with three panes. The top pane lists the captured frames in sequence. When you highlight a frame, the middle pane shows the protocol layers of that frame, field by field, and the bottom pane shows the raw bytes of the frame in both hex and ASCII.

Figure 2-12: The Ethereal (Wireshark) GUI.



At the top of the GUI there is a menu bar with File, Edit, View, Go, Capture, Analyze, Statistics, and Help menus. Just above the top pane are a Filter button, a drop-down menu, an Expression button, a Clear button, and an Apply button. These controls let you filter the captured data, which, as you will see, is a very important feature.

When you wish to start a capture in Wireshark, you have several options. You can open the Capture menu and choose Start, or you can click the third icon from the right in the toolbar just below the menu bar. However, as this is the first time you are running Wireshark, you must define some options first. A quick way to reach the options screen is to press Ctrl+K. The window that appears offers many options, including the following:

- The interface to capture packets from.
- The limit on the number of packets to capture (if any).
- Whether to capture packets in promiscuous mode.
- Any capture filters you wish to use.
- The file name for the capture file.
- Whether to view the packets on screen in real time.
- Parameters that define when the capture should stop.
- Whether to enable or disable name resolution at the Data Link, Network, and Transport layers.


Figure 2-13: Ethereal's (Wireshark's) Capture Options dialog box.

Figure 2-14: Ethereal (Wireshark) pop-up displaying capture information.


Once you have selected your options and clicked OK, the capture will start on the selected network interface, and you will see a pop-up window informing you of the capture in progress. Wireshark will continue with the capture until you press the Stop button or until an option you configured tells the capture to stop.

Figure 2-15: The many Save As options in Ethereal (Wireshark).

After you stop a capture, you can view and analyze the data immediately. When you are done and wish to save the file for future analysis, you have many options. Notice how many choices you have for saving a capture; you can save to Network Monitor's format if you want. (Conversely, Wireshark will read a capture saved by any of the protocol analyzers in the list.) When you are done with capture and analysis and want to close the program, choose File→Quit or press Ctrl+Q.

TASK 2B-3
Using Wireshark
Setup: Wireshark has been successfully installed and is running on your computer.
1. From the menu options, choose Capture→Options.
2. In the Interface drop-down list, select your local area network adapter.
3. Notice that when you select your adapter, directly below the word Interface, the program lists your LAN address.


4. Make sure that the Capture Packets In Promiscuous Mode check box is checked.
5. Under Display Options, check the Update List Of Packets In Real Time check box.
6. Click the Start button and open a command prompt.
7. Ping your Default Gateway IP Address.
8. When the ping has completed, close the command prompt, return to Wireshark, and choose Capture→Stop.
9. Double-click any frame where your computer is the Source and the Destination is the Default Gateway IP Address you just pinged. The protocol will be listed as ICMP.

10. Expand and view the frame details.
11. Note that you can analyze data in a similar fashion as in Network Monitor.
12. Once you are done with this initial look at Wireshark, close the application.
13. Click the Continue Without Saving button.

TCP Connections
Earlier, you were introduced to the function and the process of the control flags, the three-way handshake, and the session teardown. In this section, you are going to use Network Monitor to view the three-way handshake, packet by packet, and then the teardown, packet by packet. Remember, the three-way handshake is used by two hosts when they are creating a session. The first host begins by sending a packet with the SYN flag set and no other flags. The second packet is the response, with both the SYN and ACK flags set. The third packet, which completes the session establishment, has only the ACK flag set.

TASK 2B-4
Analyzing the Three-way Handshake
1. Choose Start→Administrative Tools→Services.
2. Right-click Telnet and choose Properties.
3. In the Startup type drop-down menu, select Manual.
4. Click Apply.
5. Click the Start button.
6. Click OK.


7. Close the Services window.
8. Open Network Monitor, and start a capture.
9. At a command prompt: If you are on the LEFT side of the classroom, enter telnet 172.16.0.1. If you are on the RIGHT side of the classroom, enter telnet 172.18.0.1. Enter y; at the Login prompt, type anonymous and press Enter; and at the Password prompt, press Enter.

10. Press Enter repeatedly, or enter a bad password, until your connection to the host is lost. Your screen may resemble the following graphic.

Minimize the command prompt window.
11. Switch back to Network Monitor, and choose Capture→Stop And View.
12. In the Summary pane, identify the frames that are involved in the three-way handshake.
13. Once you have identified the frames that are part of the three-way handshake, based on the discussion, look for the following:
   a. In the first frame, what are the SEQ number, ACK number, and flags?
   b. In the second frame, what are the SEQ number, ACK number, and flags?
   c. In the third frame, what are the SEQ number, ACK number, and flags?

14. Expand each of the three frames in the handshake, and examine them in greater detail in the Detail pane.
15. Using the Hex pane, identify the value of the flags byte for each frame of the three-way handshake.
16. Leave Network Monitor open, along with this capture, for the next task.

The Session Teardown Process


Previously, you examined the session teardown process. Here, you will examine the details of the session teardown in a capture. Remember, a normal teardown has four parts: each side sends a segment with the FIN flag set, and each FIN is acknowledged by the other side.

TASK 2B-5
Analyzing the Session Teardown Process
Setup: Network Monitor is running, and the last capture you performed is displayed.
1. In the Summary pane, identify the frames that are involved in the session teardown.
2. Once you have identified the frames, examine them in greater detail in the Detail pane.
3. In each frame, identify at least the following:
   a. Flags that are set.
   b. Sequence number.
   c. Acknowledgement number.
4. Save the capture as TCP_Connections.cap and close the capture.
5. Minimize Network Monitor.

Topic 2C
Capturing and Identifying IP Datagrams
Along with TCP, the protocol you will spend the most time analyzing will be IP. It is the protocol that does the most work in the entire TCP/IP suite: every TCP segment, UDP datagram, and ICMP message is carried inside an IP datagram. In Figure 2-16, you can see the actual format of the IP datagram. There are seven rows of information in the figure, with the critical rows being the first five. When a computer receives an IP datagram, it begins reading on Row One, on the left side, bit by bit. Once it reads through Row One, it reads Row Two, and so on.
To work with IP further, refer to RFC 791.


Figure 2-16: An IP datagram with all fields shown.

Using Figure 2-16, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze the IP header.

Starting on Row One, on the left side is a field called Version. This is a 4-bit field that defines the version of IP in use. Right now, this will almost always be 4, as IPv4 (IP version 4) is the current industry standard. Some networks are using IP version 6, or IPv6, which you will examine later in the course. To the right of Version is the Header Length (IHL) field. This is a 4-bit field that gives the length of the header itself, including options, in 32-bit words. In most captures, this value will be 5 (a 20-byte header with no options), which is the normal value. Continuing to the right of Header Length is the Type Of Service field. This is an 8-bit field that requests a quality of service for this packet. Different applications have different needs for delay, throughput, and reliability, and Type Of Service is one way of expressing those needs. The last field on Row One is Total Length. This is a 16-bit field that gives the length of the entire IP datagram, header and data, in bytes.

Starting on Row Two, on the left side is the Identification field. This is a 16-bit value that identifies each datagram sent by the host, so that the fragments of one datagram can be told apart from those of another. Most implementations simply increment this value by one for every datagram sent. Following the Identification field is the Flags field. Not to be confused with the flags of TCP, which you have seen, this is a 3-bit field that is used in conjunction with fragmentation. The first of the three bits is reserved and is always 0. The next bit is the DF bit, or Don't Fragment. The third bit is the MF bit, or More Fragments. The last field on Row Two is Fragment Offset. This is a 13-bit field that defines where in the original datagram this fragment belongs, measured in 8-byte units. (If there is fragmentation, the first fragment will have an offset of 0.)

Starting on Row Three, on the left side, is the Time To Live field. This is an 8-bit field that defines the maximum time this datagram may exist in the network. The TTL is set by the sender and is decremented by 1 by every router the datagram crosses. If the TTL reaches 0, the packet is discarded. Moving to the right is the Protocol field. This is an 8-bit field that identifies the upper-layer protocol carried in this datagram. There are many protocol numbers; if you wish to study all of them, please refer to RFC 790 or the current IANA protocol numbers registry. The following are the ones you will see most often:

- Protocol ID Number 1: ICMP
- Protocol ID Number 6: TCP
- Protocol ID Number 17: UDP

The final field on Row Three is the Header Checksum. This is a 16-bit field that provides a check on the IP header only; it is not a checksum for any data following the header. This checksum provides integrity for the header itself, and because the TTL changes at every hop, each router must recompute it. The Fourth Row is a single field, the Source IP Address. This field is a 32-bit value that identifies the IP address of the host that sent this packet. The Fifth Row is also a single field, the Destination IP Address. This field is a 32-bit value that identifies the IP address of the host this packet is addressed to. The Sixth Row contains any options that may be present. This is a variable-length field with no fixed size. Some of the options that may appear here are related to routing (such as source routing and record route) or to timekeeping (the timestamp option). If options are used, padding is added so that the header ends on a 32-bit boundary, which keeps the IHL value accurate. The Seventh and final Row represents the data. By this point, the header is complete, and the data the user wishes to send or receive follows it in the packet.

integrity: Assuring information will not be accidentally or maliciously altered or destroyed.

TASK 2C-1
Capturing and Identifying IP Datagrams
Setup: You are logged on to Windows Server 2003 as Administrator. A command prompt and Network Monitor are running.
1. In Network Monitor, start a new capture, and leave the capture running.
2. Open a command prompt and enter ftp ip_address, where ip_address is the address of a neighbor computer.


3. At this time, the connection will not be successful. Type bye and close the command prompt.
4. Return to Network Monitor and choose Capture→Stop And View.
5. Observe the Protocol column. Apply a filter to show only TCP. For the specific steps, see Task 2B-1, step 12 through step 16.
6. Click any of the frames and observe the TCP control bits; these frames belong to the FTP attempt.
7. Examine the IP header, and compare it to the discussion. Look for the following:
   a. Version Number.
   b. Time To Live.
   c. Protocol ID.
   d. Source Address.
   e. Destination Address.
8. Once you are done examining the IP header, save the capture as IP_Header.cap and close the capture file.

Topic 2D
Capturing and Identifying ICMP Messages
When you are analyzing protocols, it should become immediately apparent that there are differences between ICMP and the other protocols discussed in this lesson. ICMP carries control and error messages rather than user data, and it has no port numbers. The similarity is that the ICMP message is encapsulated in an IP datagram, just as TCP segments and UDP datagrams are. In Figure 2-17, you can see the actual format of the ICMP message. There are only two rows of information shown in the figure.
To work with ICMP further, refer to RFC 792.

Figure 2-17: An ICMP message with all elds shown.


Using Figure 2-17, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze an ICMP message. Starting on Row One, on the left side, the first field is Type. This is an 8-bit value that identifies the kind of ICMP message; for example, Type 8 is an echo request (what ping sends), Type 0 is an echo reply, and Type 3 is a Destination Unreachable message. Following Type on Row One is the Code field. This is an 8-bit value that works in conjunction with Type to define the specific details of the ICMP message. For example, with Type 3, a Code of 1 means destination host unreachable. The final field on Row One is the Checksum. This is a 16-bit value that checks the integrity of the entire ICMP message, header and data, unlike the IP header checksum, which covers only the IP header. The Second Row has no fixed fields. Depending on the Type and Code of the ICMP message, it may contain many things: for an echo request or reply, an identifier, a sequence number, and the ping payload; for an error message such as Destination Unreachable, the IP header and first 8 bytes of the datagram that caused the error; for a Timestamp message, the time stamps themselves.
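The following is an added example for Topics 2C and 2D, written for this page and not taken from the course. It builds an IPv4 datagram carrying an ICMP message in Python, then decodes every header field discussed above and verifies both checksums. The addresses (a classroom host 172.16.10.5, the unused address 172.16.10.201 from Task 2D-1, and a router at 172.16.10.1), the Identification values, and the echo identifier are assumptions; the 32-byte alphabet payload is the one Windows ping sends. Note the two different checksum scopes: the IP header checksum covers only the header, whereas the ICMP checksum covers the entire message.

```python
"""Build an IPv4 datagram carrying an ICMP message, then decode it field by field.

Added example for Topics 2C and 2D; this is not code from the course. The two
datagrams at the bottom are constructed in this file, not taken from a capture.
Field layout follows RFC 791 (IP header) and RFC 792 (ICMP message).
"""
import struct

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 8: "Echo Request"}
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable"}
IP_FMT = "!BBHHHBBH4s4s"   # 20-byte header: Rows One to Five of Figure 2-16


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_icmp(icmp_type: int, code: int, rest: bytes) -> bytes:
    """Row One (Type, Code, Checksum) plus Row Two; the checksum covers the whole message."""
    csum = internet_checksum(struct.pack("!BBH", icmp_type, code, 0) + rest)
    return struct.pack("!BBH", icmp_type, code, csum) + rest


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ident: int, ttl: int = 128) -> bytes:
    """Version 4, IHL 5 (no options), DF set, offset 0; checksum over the header only."""
    fields = [(4 << 4) | 5, 0, 20 + len(payload), ident, 0x4000, ttl, proto, 0,
              ip_to_bytes(src), ip_to_bytes(dst)]
    fields[7] = internet_checksum(struct.pack(IP_FMT, *fields))
    return struct.pack(IP_FMT, *fields) + payload


def parse_ipv4(datagram: bytes) -> dict:
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack(IP_FMT, datagram[:20])
    header_len = (ver_ihl & 0x0F) * 4            # IHL counts 32-bit words
    return {
        "version": ver_ihl >> 4, "ihl": ver_ihl & 0x0F, "tos": tos,
        "total_length": total_len, "identification": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "fragment_offset": flags_frag & 0x1FFF,   # in 8-byte units
        "ttl": ttl, "protocol": proto, "protocol_name": PROTOCOL_NAMES.get(proto, str(proto)),
        "src": bytes_to_ip(src), "dst": bytes_to_ip(dst),
        # A header with a valid checksum sums (checksum word included) to 0xFFFF,
        # so recomputing the checksum over it yields 0.
        "header_checksum_ok": internet_checksum(datagram[:header_len]) == 0,
        "payload": datagram[header_len:total_len],
    }


def parse_icmp(message: bytes) -> dict:
    icmp_type, code, _csum = struct.unpack("!BBH", message[:4])
    info = {"type": icmp_type, "type_name": ICMP_TYPES.get(icmp_type, "other"), "code": code,
            "checksum_ok": internet_checksum(message) == 0}   # whole message, unlike IP
    if icmp_type in (0, 8):                        # echo: identifier, sequence, payload
        info["identifier"], info["sequence"] = struct.unpack("!HH", message[4:8])
        info["payload"] = message[8:]
    elif icmp_type == 3:                           # unreachable: 4 unused bytes, then the
        info["code_name"] = UNREACHABLE_CODES.get(code, "other")   # offending IP header + 8 bytes
        info["original_datagram"] = parse_ipv4(message[8:])
    return info


# Constructed samples: an echo request like the one Windows ping sends (32-byte alphabet
# payload), and the host-unreachable message a router would return for it.
ECHO_REQUEST = build_ipv4("172.16.10.5", "172.16.10.201", 1,
                          build_icmp(8, 0, struct.pack("!HH", 0x0200, 1) + b"abcdefghijklmnopqrstuvwabcdefghi"),
                          ident=0x1234)
HOST_UNREACHABLE = build_ipv4("172.16.10.1", "172.16.10.5", 1,
                              build_icmp(3, 1, b"\x00" * 4 + ECHO_REQUEST[:28]), ident=0x5678, ttl=64)

if __name__ == "__main__":
    for name, datagram in (("echo request", ECHO_REQUEST), ("host unreachable", HOST_UNREACHABLE)):
        ip = parse_ipv4(datagram)
        icmp = parse_icmp(ip["payload"])
        print(f"{name}: {ip['src']} -> {ip['dst']} {ip['protocol_name']} ttl={ip['ttl']} "
              f"len={ip['total_length']} hdr_ok={ip['header_checksum_ok']} | "
              f"ICMP type={icmp['type']} code={icmp['code']} ok={icmp['checksum_ok']}")
```

Run it directly to see both datagrams decoded. Corrupting a single payload byte of the echo request makes parse_icmp report checksum_ok as False while the IP header checksum stays valid, which is exactly the header-only scope described above; the host-unreachable message, in turn, carries the first 28 bytes of the echo request, so the decoder can tell you which datagram failed.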

TASK 2D-1
Capturing and Identifying ICMP Messages
Setup: You are logged on to Windows Server 2003 as Administrator. A command prompt and Network Monitor are running.
1. Begin a new capture.
2. Switch to the command prompt, and ping a valid IP address of another host in your subnet.
3. Wait for the ping to finish, and then minimize the command prompt.
4. In Network Monitor, stop and view the capture.
5. Scroll down the packets captured to identify ICMP messages, or create an ICMP filter.
6. Analyze the captured frames to identify the ping process between your computer and the host you pinged. Compare the messages to the discussion, looking for the following:
   a. Source IP Address.
   b. Destination IP Address.
   c. Type.
   d. Code.
   e. Payload for ping.
7. Save this capture as Valid_Ping.cap and close it.
8. You are going to run another capture. Begin a new capture.


9. Switch to the command prompt, ping a known invalid IP address for your network, wait for the ping to finish, and minimize the command prompt. For instance, if you were to ping the address 208.18.24.2, you should receive a message indicating that the request timed out. Or, if you are on the 172.16.10.0 network, you might try to ping the address 172.16.10.201, as that address is unlikely to be in use on your network.

10. In Network Monitor, stop and view the capture.
11. Scroll down the packets captured to identify ICMP messages.
Based on your network environment, you may not receive these ICMP messages.

12. Analyze the captured frames, and compare them to the discussion, looking for the following:
   a. Source IP Address.
   b. Destination IP Address.
   c. Type.
   d. Code.

13. Save this capture as icmpheader.cap and close.

Topic 2E
Capturing and Identifying TCP Headers
When investigating TCP/IP, you will find that the TCP segment is encapsulated in the IP datagram. Since you have already looked into the IP datagram itself, at this stage you will examine TCP further. In Figure 2-18, you can see the actual format of the TCP header. There are seven rows of information in the figure, with the critical ones for this discussion being the first five. Just as with IP, when a computer receives the TCP header, it begins reading on Row One, on the left side, bit by bit. Once it reads through Row One, it reads Row Two, and so on.
To work with TCP further, refer to RFC 793.

Figure 2-18: A TCP header with all elds shown.


Using Figure 2-18, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze the TCP header.

Starting on Row One, on the left side is the Source Port Number field. This is a 16-bit number that identifies the upper-layer application that is using TCP on the source host. The second field on Row One is the Destination Port Number. This is a 16-bit field that identifies the upper-layer application that is using TCP on the destination host. The combination of an IP address and a port number is often called a socket. A socket pair identifies both ends of a communication completely, using the source IP address and port and the destination IP address and port.

Row Two is a single field called Sequence Number. This is a 32-bit value that gives the sequence number of the first data byte in this segment (or, when the SYN flag is set, the initial sequence number). Sequence numbers let the receiver reorder segments and detect loss, and they are part of the reason TCP is considered a connection-oriented protocol. Row Three is also a single field, the Acknowledgement Number. This is a 32-bit value that responds to the other side's sequence numbers: it is the sequence number of the next byte the sender of this segment expects to receive. During the handshake, where the SYN itself consumes one sequence number, this is the peer's sequence number plus 1. The field is meaningful only if the ACK flag is set (the flags are in the next row).

Continuing to Row Four, on the left side is the Offset field (sometimes also called Data Offset or Header Length). This is a 4-bit value that gives the size of the TCP header in 32-bit words. Because it is a 4-bit value, the header can be at most 60 bytes long. If there are no options, the header is 20 bytes. Moving to the right is the Reserved field. This is a 6-bit value that is always 0 for hosts following RFC 793; it is not used for any normal network traffic.

After the Reserved field are the six Control Flags. Each flag is a single bit, either on or off. The six control flags, in the left-to-right order they occupy in the TCP header, are:

- URG: If this is a 1, the Urgent flag is set.
- ACK: If this is a 1, the Acknowledgement flag is set.
- PSH: If this is a 1, the Push flag is set.
- RST: If this is a 1, the Reset flag is set.
- SYN: If this is a 1, the Synchronize flag is set.
- FIN: If this is a 1, the Finish flag is set.

For a detailed discussion of the flags and their functions, please review that section earlier in this lesson. Following the Control Flags on Row Four is the Window Size field. This is a 16-bit value that gives the number of bytes, starting with the one named in the Acknowledgement Number field, that the sender of this segment is willing to accept.

Moving on to Row Five, on the left side is the TCP Checksum field. This is a 16-bit value that provides an integrity check of the TCP header and the TCP data (together with a pseudo-header built from the IP addresses, the protocol number, and the TCP length). The value is calculated by the sender and stored, and the receiver recomputes and compares it upon receipt. Following the TCP Checksum on Row Five is the Urgent Pointer. This is a 16-bit value that is used if the sender must send urgent information. It is an offset from the sequence number that points to the end of the urgent data, and it is meaningful only if the URG flag is set.

The Sixth Row holds the Options. This is a variable-length field, padded to a multiple of 32 bits, that is most often used to carry a Maximum Segment Size (MSS) option in the SYN and SYN/ACK segments. With MSS, each side tells the other the largest segment it is prepared to receive. If the options present do not fill the last 32-bit word, padding is added to complete it. The Seventh and final Row represents the data. By this point, the header is complete, and the data the user wants to send or receive follows it in the segment.
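As an added example for the TCP Connections topic and Topic 2E (not code from the course), the Python below decodes TCP headers, including the Options row, and then finds the three-way handshake and the four-part teardown in a list of segments by checking the SEQ and ACK arithmetic rather than just the flags. The segments in FLOW are constructed: a Telnet connection from client port 1055 to server port 23 with initial sequence numbers 1000 and 5000, chosen so the ACK = SEQ + 1 relationship is visible at a glance. The checksum is left at zero because computing it requires the IP pseudo-header.

```python
"""Decode TCP headers and locate the three-way handshake and four-part teardown.

Added example for the TCP Connections topic and Topic 2E; not code from the course.
FLOW is constructed here (a Telnet connection from client port 1055 to server port 23)
with small initial sequence numbers so the SEQ/ACK arithmetic is easy to follow. RFC 793 layout.
"""
import struct

TCP_FMT = "!HHIIBBHHH"   # 20-byte fixed header: Rows One to Five of Figure 2-18
# Control flags in left-to-right header order, with the bit each sets in the flags byte.
FLAG_BITS = (("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08), ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))


def build_tcp(sport, dport, seq, ack, flags, payload=b"", mss=None, window=65535):
    """Fixed header, optional MSS option padded to 32 bits, then data. Checksum is left 0:
    computing it needs the IP pseudo-header, which is outside this example."""
    options = struct.pack("!BBH", 2, 4, mss) if mss is not None else b""   # kind 2, length 4
    options += b"\x00" * (-len(options) % 4)
    data_offset = 5 + len(options) // 4                       # header length in 32-bit words
    flag_byte = sum(bit for name, bit in FLAG_BITS if name in flags)
    return struct.pack(TCP_FMT, sport, dport, seq, ack, data_offset << 4, flag_byte, window, 0, 0) + options + payload


def parse_tcp(segment):
    """Decode Rows One to Five, walk the Options row (MSS only), and split off the data."""
    sport, dport, seq, ack, offset_res, flag_byte, window, _csum, urg = struct.unpack(TCP_FMT, segment[:20])
    header_len = (offset_res >> 4) * 4                        # 4-bit Offset, so at most 60 bytes
    options, i = {}, 20
    while i < header_len:
        kind = segment[i]
        if kind == 0:                                         # End of Option List
            break
        if kind == 1:                                         # No-Operation: one byte, no length
            i += 1
            continue
        length = segment[i + 1]
        if kind == 2:
            options["MSS"] = struct.unpack("!H", segment[i + 2:i + 4])[0]
        i += length
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "header_len": header_len,
            "flag_byte": flag_byte, "flags": {name for name, bit in FLAG_BITS if flag_byte & bit},
            "window": window, "urgent_pointer": urg, "options": options, "payload": segment[header_len:]}


def _advance(seq, count):
    return (seq + count) & 0xFFFFFFFF                         # sequence numbers are 32-bit and wrap


def find_handshake(segments):
    """Indexes of SYN, SYN/ACK, ACK when each acknowledges the previous SEQ + 1, else None."""
    p = [parse_tcp(s) for s in segments]
    for i, syn in enumerate(p):
        if syn["flags"] != {"SYN"}:
            continue
        for j in range(i + 1, len(p)):
            sa = p[j]
            if sa["flags"] == {"SYN", "ACK"} and sa["sport"] == syn["dport"] and sa["ack"] == _advance(syn["seq"], 1):
                for k in range(j + 1, len(p)):
                    a = p[k]
                    if (a["flags"] == {"ACK"} and a["sport"] == syn["sport"]
                            and a["seq"] == sa["ack"] and a["ack"] == _advance(sa["seq"], 1)):
                        return i, j, k
    return None


def find_teardown(segments):
    """Indexes of the four teardown segments: first FIN, its ACK, the other side's FIN, its ACK."""
    p = [parse_tcp(s) for s in segments]
    for i, fin1 in enumerate(p):
        if "FIN" not in fin1["flags"]:
            continue
        later = range(i + 1, len(p))
        expect1 = _advance(fin1["seq"], len(fin1["payload"]) + 1)   # a FIN consumes one sequence number
        ack1 = next((j for j in later if p[j]["sport"] == fin1["dport"]
                     and "FIN" not in p[j]["flags"] and p[j]["ack"] == expect1), None)
        fin2 = next((j for j in later if p[j]["sport"] == fin1["dport"] and "FIN" in p[j]["flags"]), None)
        if ack1 is None or fin2 is None:
            continue
        expect2 = _advance(p[fin2]["seq"], len(p[fin2]["payload"]) + 1)
        ack2 = next((k for k in range(fin2 + 1, len(p))
                     if p[k]["sport"] == fin1["sport"] and p[k]["ack"] == expect2), None)
        if ack2 is not None:
            return i, ack1, fin2, ack2
    return None


C, S = 1055, 23   # constructed: client ephemeral port, server Telnet port
FLOW = [
    build_tcp(C, S, 1000, 0, {"SYN"}, mss=1460),                    # handshake 1: SYN, ISN 1000
    build_tcp(S, C, 5000, 1001, {"SYN", "ACK"}, mss=1460),          # handshake 2: ACK = 1000 + 1
    build_tcp(C, S, 1001, 5001, {"ACK"}),                           # handshake 3: ACK = 5000 + 1
    build_tcp(C, S, 1001, 5001, {"PSH", "ACK"}, payload=b"hello"),  # 5 data bytes
    build_tcp(S, C, 5001, 1006, {"ACK"}),                           # ACK = 1001 + 5
    build_tcp(C, S, 1006, 5001, {"FIN", "ACK"}),                    # teardown 1: client FIN
    build_tcp(S, C, 5001, 1007, {"ACK"}),                           # teardown 2: ACK = 1006 + 1
    build_tcp(S, C, 5001, 1007, {"FIN", "ACK"}),                    # teardown 3: server FIN
    build_tcp(C, S, 1007, 5002, {"ACK"}),                           # teardown 4: ACK = 5001 + 1
]

if __name__ == "__main__":
    for n, t in enumerate(map(parse_tcp, FLOW), 1):
        print(f"{n}: {t['sport']}->{t['dport']} seq={t['seq']} ack={t['ack']} flags=0x{t['flag_byte']:02x} "
              f"{sorted(t['flags'])} opts={t['options']} data={t['payload']!r}")
    print("handshake frames:", find_handshake(FLOW), "teardown frames:", find_teardown(FLOW))
```

The flag byte values it reports (0x02 for SYN, 0x12 for SYN/ACK, 0x10 for ACK, 0x11 for FIN/ACK) are the same values you read out of the Hex pane in Task 2B-4. Matching on the acknowledgement arithmetic matters in practice: a SYN/ACK that does not acknowledge the SYN's sequence number plus one does not belong to that connection, however the flags look.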

TASK 2E-1
Capturing and Identifying TCP Headers
Setup: You are logged on to Windows Server 2003 as Administrator. A command prompt and Network Monitor are running.
1. Begin a new capture.
2. Switch to the command prompt and initiate a Telnet session to a neighboring host.
3. To begin the Telnet session, type y, and press Enter.
4. At the login prompt, type Administrator, leave the password blank, and press Enter.
5. If the Telnet session starts, exit the Telnet session; otherwise, close the command prompt.
6. Stop and view the capture.
7. Add a filter so that all you see are TCP frames. For the specific steps to add filters, see Task 2B-1, step 12 through step 16.
8. Analyze the TCP headers in the frames.
9. When analyzing the headers, look for the following:
   a. Sequence Numbers.
   b. Acknowledgement Numbers.
   c. Source Port Numbers.
   d. Destination Port Numbers.

10. Once you have analyzed the header, save the capture as Telnet_Attempt.cap and close the capture le.


Topic 2F
Capturing and Identifying UDP Headers
Compared to TCP, UDP is a very simple transport protocol. The UDP header and data are completely encapsulated in the IP datagram, just as with TCP. In Figure 2-19, you can see the actual format of the UDP header. There are three rows of information in the figure. Just as with TCP, when a computer receives the UDP header, it begins reading on Row One, on the left side, bit by bit. Once it reads through Row One, it reads Row Two, and so on.
To work with UDP further, refer to RFC 768.

Figure 2-19: A UDP header with all fields shown.

Using Figure 2-19, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze the UDP header. Starting on Row One, on the left side is the Source Port Number field. This is a 16-bit value that identifies the upper-layer application that is using UDP on the source host. The second field on Row One is the Destination Port Number. This is a 16-bit value that identifies the upper-layer application that is using UDP on the destination host. On the Second Row, the field on the left is UDP Length. This is a 16-bit value that gives the combined length of the UDP header and the UDP data, in bytes, so its minimum value is 8. The second field on Row Two is the UDP Checksum. This is a 16-bit value that provides an integrity check of the UDP header and the UDP data (plus the same kind of pseudo-header TCP uses); in IPv4 it is optional, and a sender that does not compute it sets the field to 0. The value is calculated by the sender and stored, and the receiver recomputes and compares it upon receipt. Row Three is where the actual user data is stored. It is possible for a host to send a UDP datagram with zero bytes of data.

TASK 2F-1
Working with UDP Headers
Setup: You are logged on to Windows Server 2003 as Administrator, and Network Monitor is running.
1. Browse to C:\Tools\Lesson2. In that folder is a file called tftp.cap. Open tftp.cap in Network Monitor.


2. Expand the details of any UDP frame, and compare it to the discussion. Look for the following:
   a. Source Port.
   b. Destination Port.
   c. What the actual UDP data is.
3. As you are analyzing this traffic, verify that no session was established, as UDP is connectionless.
4. Close the capture.

Topic 2G
Analyzing Packet Fragmentation
Packet-switched networks will all, at one time or another, experience fragmentation. This is because any complex network is made up of various physical media and configurations. A packet of a certain size might fit fine on one segment, but may be larger than the next segment can carry in a single frame. The largest packet a given link can carry varies from network to network and is referred to as the Maximum Transmission Unit (MTU). When a datagram is fragmented, it is not reassembled until it reaches its final destination. Each fragment becomes its own IP packet, transmitted and received independently, and all fragments of one datagram share the same Identification value. TCP segments are sent in IP datagrams, and TCP expects a one-to-one ratio of segments to datagrams. Therefore, IP on the receiving end must completely reassemble the datagram before handing the segment to TCP. The relationship between TCP and IP defines the following rules that affect fragmentation:

- The TCP Maximum Segment Size (MSS) is the IP Maximum Datagram Size minus 40 octets (a 20-byte IP header plus a 20-byte TCP header).
- The default IP Maximum Datagram Size is 576 octets.
- The default TCP Maximum Segment Size is therefore 536 octets.

Fragmentation will rarely happen at the source of a datagram, but it is possible. For example, a receiving host may advertise an MSS many times larger than the sender's own link can carry. Another example is a host on a small-packet network, such as a PPP link configured with a small MTU, running an application that sends fixed-size messages. The common location for fragmentation is therefore a gateway, where the odds of different MTUs on different interfaces are very high. The following list shows typical MTUs for various media:

- PPP (low-delay configuration): 296 bytes
- Ethernet: 1500 bytes
- FDDI: 4352 bytes
- Token Ring (4 Mb/s): 4464 bytes
- Token Ring (16 Mb/s): 17914 bytes

The official minimum MTU that every IP module must be able to forward is 68 bytes, and the maximum IP datagram size is 65535 bytes.
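To make the fragmentation rules concrete, here is an added Python example (not from the course) that fragments a datagram's payload for a smaller MTU and reassembles it from fragments arriving out of order. It uses MTU values from the table above and a constructed 1480-byte payload; the Identification value 0x1234 is arbitrary. It also shows the MSS rule and the exact 16-bit Row Two value (flags plus offset) that Network Monitor decodes for you in Task 2G-1.

```python
"""Fragment an IP payload for a smaller MTU, then reassemble from out-of-order fragments.

Added example for Topic 2G; not code from the course. The payload is constructed, and the
MTU values are the ones listed above. Per RFC 791 the Fragment Offset is counted in 8-byte
units, so every fragment except the last must carry a multiple of 8 data bytes.
"""
IP_HEADER_LEN = 20      # header without options
TCP_HEADER_LEN = 20


def tcp_mss_for(mtu):
    """TCP Maximum Segment Size = IP maximum datagram size minus 40 octets (576 -> 536, 1500 -> 1460)."""
    return mtu - IP_HEADER_LEN - TCP_HEADER_LEN


def flags_fragment_field(df, mf, offset_units):
    """The 16-bit Row Two value: reserved bit, DF, MF, then the 13-bit offset in 8-byte units."""
    if offset_units >> 13:
        raise ValueError("offset does not fit in 13 bits")
    return (0x4000 if df else 0) | (0x2000 if mf else 0) | offset_units


def fragment(payload, mtu, ident, dont_fragment=False):
    """Split payload into (ident, mf, offset_units, data) pieces whose IP datagrams fit the MTU.
    Every fragment repeats the same Identification so the receiver can group them."""
    room = mtu - IP_HEADER_LEN                  # data bytes that fit behind a 20-byte header
    if len(payload) <= room:
        return [(ident, False, 0, payload)]     # no fragmentation needed
    if dont_fragment:
        # A router in this position drops the datagram and returns ICMP Type 3 Code 4.
        raise ValueError("DF set: datagram needs fragmentation but may not be fragmented")
    chunk = room - room % 8                     # largest multiple of 8 that fits
    pieces = []
    for start in range(0, len(payload), chunk):
        data = payload[start:start + chunk]
        more = start + len(data) < len(payload)
        pieces.append((ident, more, start // 8, data))
    return pieces


def reassemble(fragments):
    """Group fragments by Identification and rebuild each payload once its pieces are
    contiguous and the MF=0 piece has arrived. Returns {ident: payload}; datagrams with a gap,
    an overlap, or no final fragment are left out."""
    by_id = {}
    for ident, mf, offset_units, data in fragments:
        by_id.setdefault(ident, []).append((offset_units * 8, mf, data))
    done = {}
    for ident, pieces in by_id.items():
        pieces.sort(key=lambda p: p[0])
        expected, buf, complete = 0, bytearray(), False
        for offset, mf, data in pieces:
            if offset != expected:              # gap or overlapping fragment
                break
            buf += data
            expected += len(data)
            complete = not mf                   # the last fragment has MF cleared
        else:
            if complete:
                done[ident] = bytes(buf)
    return done


# Constructed input: the data of a full Ethernet-sized datagram (1500 - 20 = 1480 bytes)
# that must cross a 296-byte PPP link.
PAYLOAD = bytes(range(256)) * 5 + bytes(200)          # 1480 bytes
FRAGMENTS = fragment(PAYLOAD, mtu=296, ident=0x1234)

if __name__ == "__main__":
    for ident, mf, offset_units, data in FRAGMENTS:
        print(f"id=0x{ident:04x} MF={int(mf)} offset={offset_units} ({offset_units * 8} bytes) "
              f"len={len(data)} row-two=0x{flags_fragment_field(False, mf, offset_units):04x}")
    print("reassembled ok:", reassemble(reversed(FRAGMENTS)) == {0x1234: PAYLOAD})
```

Fragmenting a full Ethernet datagram for a 296-byte PPP link yields six fragments with offsets 0, 34, 68, 102, 136 and 170 (in 8-byte units), all sharing one IP ID, with only the last having More Fragments cleared. The reassembler refuses datagrams with a gap, an overlap, or no final fragment, which is also why an intermediate router never reassembles: it cannot know that every fragment will pass through it.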


Figure 2-20: How fragmentation works.

TASK 2G-1
Analyzing Fragmentation
Setup: You are logged on to Windows Server 2003 as Administrator, and Network Monitor is running.
1. Navigate to C:\Tools\Lesson2 and open fragment.cap in Network Monitor.
2. Expand the details of frame 1, looking for the Fragment flags.
3. Observe that, in frame 1, the Fragment Offset is 0, as this is the first fragment.
4. Select several consecutive frames. Observe that each successive frame has a higher Fragment Offset as it gets farther from the beginning of the original datagram.
5. Observe that the IP ID stays constant for each fragment.
6. Expand the details of frame 16.
7. Observe that the Fragment flags are now both 0; the More Fragments bit being clear indicates this is the last of the fragments.
8. Close the capture.


Topic 2H
Analyzing an Entire Session
Now that you have analyzed IP, TCP, UDP, ICMP, fragmentation, handshakes, and teardowns, it is time to put them together. In this topic, you will follow along using two sample captures that were made specifically for this purpose. One capture is a ping capture, and the other is an FTP capture. By analyzing them, you will see how TCP/IP functions from start to finish.

About the Tasks


In the following tasks, Windows Server 2003 Network Monitor was used to capture a ping between two hosts and an FTP session between two hosts. The ping and ftp commands were run from the command prompt, and the output saved to the text files ping.txt and ftp.txt, respectively. The Network Monitor captures were saved to the files ping.cap and ftp.cap, respectively. You can open the TXT files with Notepad to see the commands and responses. You can open the CAP files with Network Monitor and see the frames captured as a result. Let's take a look.

TASK 2H-1
Performing a Complete ICMP Session Analysis
Objective: To use the supplied capture and text files to examine the TCP/IP headers, in order to understand how a session is set up, used, and torn down.
Setup: You are logged on to Windows Server 2003 as Administrator, and Network Monitor is running.
1. Start Notepad and open the file ping.txt. This file is in C:\Tools\Lesson2. You should see the output shown in the following graphic.
2. Keep this file open.
3. Switch to Network Monitor, and open the file ping.cap. It's also located in C:\Tools\Lesson2.


4. Observe that frame 1 is an ARP request, sent as an Ethernet broadcast, trying to resolve the target IP address to its MAC address.
5. Observe that frame 2 is the ARP reply from the target machine with the appropriate resolution. From now on, the two hosts can communicate.
6. Observe the next two frames. They are ICMP echo messages going back and forth between the two hosts, corresponding to the output in the text file. Examine the ICMP messages, and see the details in frames 3 and 4 as shown in the following graphics.
7. Observe that, for the ping command, no session was set up or torn down: just a simple ICMP echo request, followed by an ICMP echo reply.
8. Close ping.cap and ping.txt.


Continuing the Complete Session Analysis


In the last task, one host successfully pinged another, in preparation for establishing an FTP transaction. We'll look at the FTP portion of the session, but before we do, a quick differentiation between active and passive FTP is in order.

FTP Communication
Up to this point you have been examining ICMP communication. Now you will examine an active FTP session. There are two different types of FTP, something that many administrators are unfamiliar with. The two FTP types are simply called passive and active. The mode most people think of with FTP is active FTP. In active FTP, a client makes a connection to the FTP server. The client uses a port higher than 1024 (we'll call it X) to connect to the server, which then uses port 21, and the FTP command and control session is established. The server responds with the data transfer, sent from port 20. The client will receive the data transfer on a port one higher than the client used for command transfer, or X+1.

In passive mode FTP, the client initiates both connections between the client and the server. When the FTP client begins an FTP session, the client opens two ports (again one higher than 1024, and the next port higher, or X and X+1). The first connection and port is the session to the server for command and control on server port 21. The server then opens a random port (again higher than 1024, referred to as Y in this section), and sends this port information back to the client. The client then requests the data transfer from client port X+1 to server port Y.

When active FTP is used, there can be a situation that firewalls dislike. The first part of the FTP session, from client to server, is not a problem. However, when the server responds to the client, it can seem to the firewall to be a new session started from an untrusted network, trying to gain access to the private network. Passive FTP solves this problem on the firewall, as both parts of the FTP session originate from the FTP client, and no session starts from an untrusted network.

There is a different problem with passive FTP. This problem is not on the firewall, but on the server configuration itself. Because the FTP client starts both sessions, the FTP server must be able to listen on any high port, meaning all high ports must be open and available. To deal with this situation, many FTP applications now include features that limit the port range that the server can use.
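The port arithmetic above is easy to get wrong when writing firewall rules, so here is an added Python example (not from the course or its capture files) that models both FTP modes: it parses the server's 227 reply to a PASV command to recover port Y (the reply format, with the port encoded as p1*256 + p2, is the standard one from RFC 959), builds the data connection for active and passive mode from the client's command port X, and applies the policy of a firewall that only accepts new sessions from the inside network. The addresses, the 227 reply text and the port range 1024-1100 are constructed for the example.

```python
import ipaddress
import re

# Constructed sample server reply to the PASV command; the six numbers are the
# server's IP address and its chosen data port Y encoded as p1*256 + p2.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,4,1)"

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(line):
    """Return (server_ip, port_Y) announced by a 227 reply, or None if the line is not one."""
    if not line.startswith("227"):
        return None
    m = PASV_RE.search(line)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_connection(mode, client_ip, server_ip, client_cmd_port, server_data_port=None):
    """Describe the FTP data connection as
    (initiator_ip, initiator_port, responder_ip, responder_port).

    client_cmd_port is X, the client port used for the command channel to server port 21.
    active:  the server opens the data connection from port 20 to client port X+1.
    passive: the client opens it from X+1 to the server port Y taken from the 227 reply.
    """
    if mode == "active":
        return (server_ip, 20, client_ip, client_cmd_port + 1)
    if mode == "passive":
        if server_data_port is None:
            raise ValueError("passive mode needs the port announced in the 227 reply")
        return (client_ip, client_cmd_port + 1, server_ip, server_data_port)
    raise ValueError(f"unknown FTP mode: {mode}")


def firewall_verdict(conn, trusted_net):
    """Policy of a perimeter firewall that only allows new sessions originating
    from the trusted (inside) network: an active-mode data connection opened by
    an outside server is seen as an inbound new session and is dropped."""
    initiator = ipaddress.ip_address(conn[0])
    if initiator in ipaddress.ip_network(trusted_net):
        return "allow"
    return "deny: new session from untrusted network"


def passive_port_ok(port, low, high):
    """Check the announced port against the range the server was configured to use,
    which is how the 'all high ports must be open' problem is kept manageable."""
    return low <= port <= high


if __name__ == "__main__":
    client, server, x = "10.1.1.5", "203.0.113.10", 2025   # constructed addresses
    active = data_connection("active", client, server, x)
    print("active data connection:", active, "->", firewall_verdict(active, "10.0.0.0/8"))
    _, y = parse_pasv_reply(SAMPLE_PASV_REPLY)
    passive = data_connection("passive", client, server, x, y)
    print("passive data connection:", passive, "->", firewall_verdict(passive, "10.0.0.0/8"))
    print("Y within configured range 1024-1100:", passive_port_ok(y, 1024, 1100))
```

Run with the capture's own values (client port 2025) and `data_connection("active", ...)` returns server port 20 talking to client port 2026, which is the socket pair the Lesson Review asks about for the directory listing.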


TASK 2H-2
Performing a Complete FTP Session Analysis
Objective: To use the supplied capture and text files to examine the TCP/IP headers, in order to understand how a session is set up, used, and torn down.
Setup: You are logged on to Windows Server 2003 as Administrator. Notepad and Network Monitor are running.

1. Switch to Notepad and open ftp.txt. This file is located in C:\Tools\Lesson2. You should see the results shown in the following graphic.

2. Observe that, in this session, when the ftp server asks for a password, the user enters it but it is not recorded on screen.


3. Switch to Network Monitor, and open ftp.cap in C:\Tools\Lesson2. You should see results similar to those shown in the following graphics. (Depending on the version of Network Monitor you are using, MAC and IP addresses might be displayed in Hex, and the time might be in a different format.)

If you would like to change the format of the addresses from Hex to more readable names, choose Display→Addresses, and click Add. In the box that is displayed, enter FTPSITE for the Name, add 002B32CFC72 for the Address, verify that the Type is Ethernet, and click OK. Click Add again, then enter LOCAL for the Name, add 0002B32C5B13 for the Address, verify that the Type is Ethernet, and click OK twice.

There are 51 frames involved in this capture.

4. If you would like to change the color of the FTP packets for easier viewing, choose Display→Colors. Scroll down and select FTP; then, from the Background drop-down list, select a mild color such as gray or teal, and click OK. If you select a darker color, it might make it more difficult to read the text.

5. Observe that frames 3, 4, and 5 represent the TCP handshake involved in establishing the session. Frames shaded gray (6, 8-9, 11-12, 14, 16-19, 23, 29, 31-34, 38, 44, and 46-47) are all directly involved with the ftp application: authentication, ftp requests for directory information, an actual file transfer, followed by a quit, and bye response.

6. Observe that in frame 8, you can see the user name being supplied.

7. Observe that in frame 9, you can see the request for a password.

8. Observe that in frame 11, you can see the password being supplied. Isn't this a good enough reason to employ some secure authentication such as encryption? Let's view the three-way handshake frames in a bit more detail.

9. Frame 3 starts the three-way handshake (the Active Open) by setting the SYN bit to 1, offering source port number 2025 (07E9 in Hex), while at the same time directing the request to port number 21 (15 in Hex) on the server. A sequence number 2052360112 (7A5487B0 in Hex) is associated with this frame to uniquely identify it, even in the event of multiple sessions between the same two hosts.


10. Let's look at the reply. The reply from the ftp server in frame 4 includes an ACK, while simultaneously including a SYN. This is the Passive Open.

11. Observe that frame 5 includes an ACK from the client.

Once the session is established, FTP can continue on with its setup. This includes a login and a password (to be supplied if anonymous access is not supported), followed by file requests.


12. Observe that frame 6 shows the ftp server asking for user identication. Frame 8 shows the ftp client supplying the user name of test user.

13. Observe that this is met by the ftp server asking for the password in frame 9.


14. Observe that in frame 11, you can see the password being offered. Because no secure methods for authentication were set up, you can see the actual password (the word plaintext).

15. Observe that once the user has been authenticated, the ftp session is allowed to continue. The ftp server puts out the welcome message shown in frame 12.


16. Observe that the rest of the frames dealing with FTP (frames 14, 16-19, 23, 29, 31-34, 38, and 44) have to do with directory listings and file transfers.


17. Observe that in frame 38, you can see the actual contents of the file as it is being transferred. In this case, because it is just a text file, you can read the contents.

18. Observe that in frame 46, you can see the client attempt to close the connection with the Quit command.


19. Observe that in frame 47, you can see the server communicate with the client with the message See ya later.


20. Observe that these messages are followed by TCP terminating the session from both ends in frames 48 and 49, and 50 and 51, respectively, where the FIN bits are set to 1 and the corresponding frame contains the ACK bit set to 1.


21. Close Network Monitor. If you are prompted to save addresses, click No.

22. Close Notepad.
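As an added example (not part of the course materials or its capture files), the following Python decodes raw TCP headers the way steps 9 through 20 read them in Network Monitor, then walks a constructed FTP control session: it labels the SYN, SYN-ACK and ACK of the three-way handshake, checks that the SYN-ACK acknowledges the client's initial sequence number plus one, flags a cleartext PASS command in the payload (the point made at step 14), and tracks the two FIN/ACK pairs of the teardown from step 20. The client port, server port and client sequence number are the ones quoted above; the server sequence number, the payload text and the "c2s"/"s2c" direction labels are assumptions made for this example.

```python
import struct

# TCP control bits in the 16-bit data-offset/flags word (RFC 793)
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def build_tcp_segment(sport, dport, seq, ack, flags, payload=b""):
    """Pack a 20-byte TCP header (data offset 5, no options) followed by payload.
    Checksum stays zero: these are constructed sample frames, not captured traffic."""
    bits = 0
    for name in flags:
        bits |= TCP_FLAGS[name]
    off_flags = (5 << 12) | bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 8192, 0, 0) + payload


def parse_tcp_segment(data):
    """Decode the fields Network Monitor shows in the Detail pane."""
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    hdr_len = (off_flags >> 12) * 4
    flags = {name for name, bit in TCP_FLAGS.items() if off_flags & bit}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "payload": data[hdr_len:]}


def analyze_session(frames):
    """frames: list of (direction, raw_segment) with direction 'c2s' or 's2c'.
    Returns (frame_number, event) tuples for the three-way handshake, any
    cleartext FTP password, and the four-step FIN/ACK teardown."""
    events, state, client_isn = [], "closed", None
    fin_seq, fin_acked = {}, set()   # per direction: seq of its FIN / FIN acknowledged
    for n, (direction, raw) in enumerate(frames, 1):
        seg = parse_tcp_segment(raw)
        f = seg["flags"]
        peer = "s2c" if direction == "c2s" else "c2s"
        if state == "closed" and f == {"SYN"} and direction == "c2s":
            state, client_isn = "syn_sent", seg["seq"]
            events.append((n, f"active open: SYN from client port {seg['sport']} to {seg['dport']}"))
        elif state == "syn_sent" and f == {"SYN", "ACK"} and direction == "s2c":
            if seg["ack"] != (client_isn + 1) & 0xFFFFFFFF:
                events.append((n, "SYN-ACK does not acknowledge client ISN+1"))
                continue
            state = "syn_received"
            events.append((n, "passive open: SYN-ACK from server"))
        elif state == "syn_received" and "ACK" in f and direction == "c2s":
            state = "established"
            events.append((n, "handshake complete: ACK from client"))
        elif state == "established":
            if seg["payload"].upper().startswith(b"PASS "):
                events.append((n, "cleartext FTP password in payload"))
            # an ACK covering the peer's FIN sequence number closes that direction
            if "ACK" in f and peer in fin_seq and peer not in fin_acked \
                    and seg["ack"] == (fin_seq[peer] + 1) & 0xFFFFFFFF:
                fin_acked.add(peer)
                events.append((n, f"ACK of FIN from {peer}"))
            if "FIN" in f and direction not in fin_seq:
                fin_seq[direction] = seg["seq"]
                events.append((n, f"FIN from {direction}"))
            if fin_acked == {"c2s", "s2c"}:
                state = "closed"
                events.append((n, "session closed from both ends"))
    return events


def build_sample_session():
    """Constructed FTP control session. Ports and the client ISN are the ones quoted
    in the task text (2025 -> 21, 0x7A5487B0); the server ISN and all payloads are
    made up for this example."""
    seq = {"c2s": 0x7A5487B0, "s2c": 0x10000000}
    ports = {"c2s": (2025, 21), "s2c": (21, 2025)}
    frames = []

    def send(direction, flags, payload=b""):
        peer = "s2c" if direction == "c2s" else "c2s"
        ack = seq[peer] if "ACK" in flags else 0
        sp, dp = ports[direction]
        frames.append((direction, build_tcp_segment(sp, dp, seq[direction], ack, flags, payload)))
        # SYN and FIN each consume one sequence number, data consumes its length
        seq[direction] += len(payload) + ("SYN" in flags) + ("FIN" in flags)

    send("c2s", {"SYN"})
    send("s2c", {"SYN", "ACK"})
    send("c2s", {"ACK"})
    send("s2c", {"PSH", "ACK"}, b"220 FTP server ready\r\n")
    send("c2s", {"PSH", "ACK"}, b"USER testuser\r\n")
    send("s2c", {"PSH", "ACK"}, b"331 Password required\r\n")
    send("c2s", {"PSH", "ACK"}, b"PASS plaintext\r\n")
    send("s2c", {"PSH", "ACK"}, b"230 User logged in\r\n")
    send("c2s", {"PSH", "ACK"}, b"QUIT\r\n")
    send("s2c", {"PSH", "ACK"}, b"221 See ya later\r\n")
    send("c2s", {"FIN", "ACK"})   # client closes its side
    send("s2c", {"ACK"})          # server acknowledges the FIN
    send("s2c", {"FIN", "ACK"})   # server closes its side
    send("c2s", {"ACK"})          # client acknowledges; both ends are closed
    return frames


if __name__ == "__main__":
    for frame_no, event in analyze_session(build_sample_session()):
        print(f"frame {frame_no:2d}: {event}")
```

The same `analyze_session` logic, fed the TCP bytes of each frame from a real capture in order, is the basis of a detection rule for cleartext FTP logins: the PASS command is visible to anything on the wire, which is the reason step 14 gives for moving to encrypted authentication.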


Summary
In this lesson, you looked deep into the structure of the TCP/IP protocol. You reviewed the RFCs associated with IP, ICMP, TCP, and UDP. You then used Network Monitor and Wireshark to capture and analyze IP packets. You examined captures associated with network traffic. You learned to read the actual data being transmitted between two or more hosts. Finally, you analyzed a complete session, frame-by-frame.

Lesson Review
2A How many layers are in the OSI Model?
Seven.
How many layers are in the TCP/IP Model?
Four.
What are the assignable classes of IP addresses?
A, B, and C.
What are the three private ranges of IP addresses, as defined in the RFCs?
a. 10.0.0.0 to 10.255.255.255
b. 172.16.0.0 to 172.131.255.255
c. 192.168.0.0 to 192.168.255.255

2B How many control flags are in a TCP header?
Six.
What is the function of an acknowledgement number?
To provide an acknowledgement for a received packet. The value is usually tied into the SYN number on the received packet.
How many steps are required to establish a TCP connection?
Three.
How many steps are required to tear down a TCP connection?
Four.
What are the two main views of Network Monitor?
Display View and Capture View.

2C What is the first field that is read by the computer in the IP header?
Version.


What is the Protocol ID of ICMP in the IP header?
1.
What is the Protocol ID of TCP in the IP header?
6.
What is the Protocol ID of UDP in the IP header?
17.

2D What is the first field that is read by the computer in the ICMP message?
Type.
How many bits make up the Type field?
Eight.
How many bits make up the Code field?
Eight.

2E What is the first field that is read by the computer in the TCP header?
Source Port Number.
How many control bits are in the TCP header?
Six.
How many bits is the Sequence Number?
32.
How many bits is the Acknowledgement Number?
32.

2F What is the first field that is read by the computer in the UDP header?
Source Port Number.
What is the UDP header and data encapsulated in?
An IP datagram.
How many bits are both the source and destination port numbers?
16.
What is in the payload of the tftp.cap file that you analyzed?
Cisco Router Configuration and Access Lists.

2G In the fragment.cap file that you analyzed, how do you suppose this fragmentation happened?
By a user sending a large ping. (See the file fragment.txt, in the same folder as fragment.cap, to understand how this was initiated.)


Why is there no upper-layer protocol list in the Detail pane for frames 2 through 13?
These are the subsequent fragments whose upper-layer protocol is referred to in the first fragment; therefore, they do not have any header information other than IP.
What was the upper-layer protocol that caused the fragmentation?
ICMP.

2H In the FTP capture file that you analyzed in this topic, what pair of sockets are involved in the initial three-way handshake?
On the client: IP address 172.16.30.2, port 2025. On the FTP Server: IP address 172.16.30.1, port 21.
In the FTP capture file that you analyzed in this topic, what pair of sockets are involved in the exchange of FTP data in response to the request for directory listing?
On the FTP Server: IP address 172.16.30.1, port 20. On the client: IP address 172.16.30.2, port 2026.
In the FTP capture file that you analyzed in this topic, what frames indicate that a three-way handshake is taking place between the FTP server and the client in preparation for the sending of FTP data in response to the request for the file textfile.txt?
Frames 35, 36, and 37.


LESSON 3
Routers and Access Control Lists

Data Files: ping-arp-mac.cap, rip update.cap, ripv2withAuthentication.cap, PuTTy.exe
Lesson Time: 6 hours

Overview
In this lesson, you will be introduced to the functioning of routers and routing protocols. The examples in this lesson are shown on Cisco Routers, specifically the 2500 series. You will examine the issues of securing routers and routing protocols. You will remove unneeded services and create access control lists to manage and secure the network. The lesson ends with the creation of logging options on the Cisco router.

Objectives
To understand the functions of routers and routing protocols, you will:

3A Configure fundamental router security. You will create the required configurations to secure connections, create banners, and implement SSH.

3B Examine principles of routing. You will capture routing protocols and analyze the IP and MAC relationship in a routed environment.

3C Configure the removal of services and protocols. You will create the required configurations to harden the core services and protocols on a Cisco router.

3D Examine the function of Access Control Lists on a Cisco router. You will create wildcard masks to be used in conjunction with the implementation of Access Control Lists.

3E Implement Cisco Access Control Lists. You will create the required configurations to implement Access Control Lists to defend against network attacks on a Cisco router.

3F Configure logging on a Cisco router. You will create the required configurations to enable logging on a Cisco router.

Lesson 3: Routers and Access Control Lists


Topic 3A
Fundamental Cisco Security
Although this lesson is not designed to make you a Cisco or a routing expert, you will become familiar with the core functions of routers and how to best harden this critical component of the infrastructure.

Cisco Router Language


A Cisco router has one or more connections to networks. Each of these connections is referred to as an interface. To further define this interface concept, Cisco uses the type of interface as part of the name as well. Therefore:
- An interface that is connected to an Ethernet segment of the network always starts with an E.
- A Fast Ethernet interface always starts with an F.
- An interface that is connected to a serial connection always starts with an S.
- An interface that is connected to a Token Ring segment always starts with To.

Along with the interface type, Cisco router interfaces are numbered. The interface numbering begins with a zero. In other words:
- The first Ethernet interface on the router is known as E0.
- Likewise, the first serial interface on the router is S0.
- Finally, the first Token Ring interface on the router is To0.

Cisco Operating System


The Cisco routers have their own operating system, which is known as the IOS (Internetworking Operating System). The IOS is found on all Cisco routers and can be uploaded to or downloaded from a tftp site. It is common to copy the IOS image to the tftp location as a quick backup in the event that the running IOS gets corrupted. Most of the current routers in production are running versions 11.x or 12.x of the Cisco IOS. When Cisco makes a major release of the IOS, it is assigned a number, such as 11 or 12. Minor numbers can also be added to the major release, such as 11.2 or 12.2. You might also see an IOS listed as version 12.0(3). The 3 in parentheses is the third maintenance revision of the major release. Maintenance revisions are released every eight weeks and contain bug fixes and/or updates, as Cisco dictates.

bug: An unwanted and unintended property of a program or piece of hardware, especially one that causes it to malfunction.

Accessing the Router


Cisco provides a wide variety of access points for their routers. Each method of access can provide the ability to view the router differently. Some methods require the network to be functioning and active, while others do not require any network connectivity at all. The methods of access include the console port, the auxiliary port, or network access. Network access can, in turn, include VTY (terminal access), HTTP, TFTP, and SNMP. Each of these methods is detailed here:
- The console port is the main point of access on a Cisco router. This is a direct physical connection, requiring the router to be in the presence of the person using the port. This is the connection method used to create the initial configuration and in the event of an emergency, such as password recovery. Because it has direct physical access, the console port should not be the primary method of accessing the router.
- The auxiliary port can be used to connect to the router via a modem. This can be a functional method of accessing the router if the primary network is down and you are not able to gain physical access to the router.
- The VTY sessions provide for terminal access to the router. These connections require the network to be functioning to provide access. The most common method of accessing a VTY session is telnet, although, for security purposes, SSH is supported, and is recommended. There are five VTY ports on the router by default, and they are numbered 0 through 4. In this course, access will be provided by using VTY sessions.
- Other network access points like HTTP, TFTP, and SNMP are also supported on newer versions of the IOS. HTTP can be used if the router runs as a web server, authenticating users for access. TFTP is used for loading IOS and configuration files, and SNMP can be used in full network management configurations.

SNMP: (Simple Network Management Protocol) Software used to control network communications devices using TCP/IP.

Modes of Operation
In the router, there are several different modes an administrator can use. These range from simple, informational modes, to the complex modes of router configuration. Several examples of the different modes are listed below:
- User Mode: In this mode, users can see the configuration of the router, but will not be able to make any significant changes to the router. The prompt for User Mode looks like this: Router>.
- Enable Mode: In this mode, users can make more significant changes to the router, including some of the router configuration options. The prompt for Enable Mode looks like this: Router#.
- Global Configuration Mode (also known as Configure Terminal Mode): In this mode, users can make configuration changes that will affect the entire router. The prompt for Global Mode looks like this: Router(config)#.

Generally, once you connect to the router, you will move to Enable Mode right away, since that is where much of the router management happens. As a side note, Enable Mode is often called Privileged Mode in text. So, you can consider Enable Mode and Privileged Mode to mean the same thing: the next level of router access beyond User Mode.

Configuration Fragments
In this lesson, you will see many examples of configurations of the router. It is not practical to list every step and every line entered for every option. Therefore, what you will see are called configuration fragments. For example, to navigate to an Interface Mode of a router, the following commands are required:
1. Connect to the router via an access method, such as telnet: Telnet 10.10.10.10.
2. Enter the password for VTY access: L3tm3!n.
3. Enter the password for Enable Mode: P0w3r.
4. Enter the command for Configure Terminal Mode: Configure Terminal.
5. Enter the command for Interface Mode: Interface Ethernet 0.

In this course, the command sequence listed previously will not be described line-by-line but with a configuration fragment. So, the steps to access Interface Mode will look like this:
1. Router#Config Terminal
2. Router(Config)#Interface Ethernet0

This configuration fragment goes right to the concept, or function, of the discussion. In this example, you cannot be in Enable Mode (identified by the Router# prompt) without first accessing the router (probably by using Telnet) and entering the required credentials.

Navigating in the Router


The Cisco router interface is a command-line interface, with a format that is similar to UNIX. For those of you getting started with the router, if you get lost in the command structure, here are some of the more common commands to learn and use. First is the question mark (?). This simple single-character command will list for you all the available options at a given point in the router. For example, if you enter the question mark at the User Mode prompt, like so: Router>?, you will be given an alphabetical list of the commands that are options at this point. This command will yield a different set of commands than using the same question mark at the Enable Mode prompt (Router#?). If you recall the first letter of a command, but not the entire string, again the question mark can come in handy. For example, if you are trying to enter Enable Mode, but forgot how to spell enable, you can use the following command: Router>E? This command lists all the commands starting with the letter E with brief descriptions of their functions.

Other shortcuts to use are the Up Arrow and Down Arrow keys. Using these will scroll you through commands you have entered into the router for quick access. Finally, using key combinations can be helpful as well. Two examples of key combinations are Ctrl+A and Ctrl+E. Using the Ctrl+A key combination moves the cursor to the beginning of a command line. Using the Ctrl+E key combination moves the cursor to the end of a command line.

As an FYI, if the Up Arrow and Down Arrow keys do not function on your system, you can use the key combination Ctrl+P in place of the Up Arrow key, and Ctrl+N in place of the Down Arrow key.

Authentication and Authorization


In order for someone to have access to control a router, there must be both authentication and authorization. It is important to not get these two confused, as they are so similar. Authentication is the process of identifying a user, generally granting or denying access. Authorization is the process of dening what a user can do or is authorized to do. So, a user gains access to the router via authentication and gains control of the router via authorization.

In Cisco routers, there are two main categories of authentication. They are the AAA method and the non-AAA method (called traditional by some). AAA stands for Authentication, Authorization, and Accounting. Earlier, you were introduced to the methods of access, such as console, auxiliary, and VTY sessions. These are considered non-AAA access methods. Another non-AAA access method is called Terminal Access Controller Access Control System, or TACACS for short. They use a local username and password for authentication. AAA methods include RADIUS and Kerberos. These methods provide for the full level of Authentication, Authorization, and Accounting that are required for AAA access methods.

Configuring Access Passwords


Because there are several different methods of accessing the router, in order to provide security, you must be able to lock down these access points. The first line of defense is to provide a password for these forms of access.

Setting the Console Password


Because the console-port connection is used for direct access, it must have a strong password. This can be, and usually is, created during the initial setup of the router. In order to set the Console password, you will need to enter Configure Terminal Mode, and then enter the command line console 0. This is what gets you into the mode where the password can be created. The login command tells the router that a password is required, and the password command is used to enter the actual password. The configuration fragment looks like this:
Router#config terminal
Router(config)#line console 0
Router(config-line)#login
Router(config-line)#password l3tm3!n
Router(config-line)#^Z
Router#

Setting the Enable Passwords


The process for setting the Enable password is similar to the process for setting the Console password. And, you will notice that the processes in the following sections are all similar; only the object (such as the console or vty) is different. As to the password itself, there are two different Enable passwords. The first is the standard Enable password; the second is the Enable Secret password. The standard Enable password is used only for backwards compatibility. If the Enable Secret password has been configured, it will take precedence. The reason that the Enable Secret password is used over the standard Enable password is that the Enable Secret password is stored encrypted and cannot be read in plaintext in the router configuration. The configuration fragment for setting the Enable Secret password looks like this:
Router#config terminal
Router(config)#enable secret p@55w0rd
Router(config)#^Z
Router#


Setting the VTY Password


Configuration of the password for the VTY sessions is similar to creating the Console password. Remember that there are five VTY sessions, numbered 0 through 4. When you are setting the VTY password, you can create a password for one or for all of these sessions. In this first configuration fragment, the password is set for just the first VTY session:
Router#config terminal
Router(config)#line vty 0
Router(config-line)#login
Router(config-line)#password l3tm3!n
Router(config-line)#^Z
Router#

In the following configuration fragment, the password is set for all VTY sessions, 0 through 4. Note that the process is nearly identical.
Router#config terminal
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password l3tm3!n
Router(config-line)#^Z
Router#

TASK 3A-1
Configuring Passwords
1. Create the configuration fragment that you would use to set the Console password of ACC3$$, and to set all VTY sessions to use the password of +3ln3+.
Router#configure terminal
Router(config)#line console 0
Router(config-line)#login
Router(config-line)#password ACC3$$
Router(config-line)#^Z
Router#
Router#configure terminal
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password +3ln3+
Router(config-line)#^Z
Router#

Creating User Accounts


Although individual user accounts are not required for regular operation of the router, adding them allows for another level of control over the router and over router access. To create local user accounts, the command syntax is only one line. In organizations where there are multiple people managing the router, this is a solid practice. The following configuration fragment shows the creation of several user accounts:


Router#configure terminal
Router(config)#username Auser password u$3r1
Router(config)#username Buser password u$3r2
Router(config)#username Cuser password u$3r3
Router(config)#username Duser password u$3r4
Router(config)#^Z
Router#

Implementing Banners
In addition to having proper passwords on the router, it is important to have adequate warning banners. It is highly recommended that you view these banners as warning banners and not as welcome banners, as they used to be called. A warning banner is not designed to be the end-all of security; most people know a banner will not stop a determined attacker. However, a banner can provide some legal backing for you and your organization. There are four general functions that warning banners should provide. Although you should look to legal counsel for the exact wording, your banner should address each of these. The banner should:
- Not provide useful technical or non-technical information that an attacker can use.
- Inform users of the system(s) that their actions are subject to recording, and may be used in a court of law.
- Define who is and who is not an authorized user of the system(s).
- Provide adequate legal standing to both prosecute offenders and protect the administrators of the equipment.

The following is an example of what a banner could look like for an organization:
Warning!!! This system is designed solely for the authorized users of Company X on official business. Users of this system understand that there is no expectation of privacy, and that use of the system may be monitored and recorded. Use of this system is consent to said monitoring and recording. Users of this system acknowledge that if monitoring finds evidence of misuse, abuse, and/or criminal activity, that system operators may provide monitoring and recording data to law enforcement officials.

Implementing Cisco Banners


On the Cisco router, there are several types of banners available:
- MOTD banner: The MOTD banner is for setting Messages Of The Day. The MOTD banner is shown to all terminal users who are connected to the router, before they are asked to input username and password. This may not be an efficient location for your warning banner, if your company literally uses this banner to list day-to-day information. You do not want to be setting the warning banner each and every day, and worrying about missing a day. This banner is used for sending notices to users, such as if there is an upcoming system shutdown for upgrading the IOS.
- Login banner: The login banner is where the warning banner should be located. This banner will be shown to each user every time a login attempt happens. The banner is set in Configure Terminal Mode, and uses a beginning and ending delimiter character. The delimiter can cause confusion, but is quite simple. Any character can be used as a delimiter; you just must make sure to use the same character at the beginning and the end. In the following configuration fragment, the letter C is used as the delimiter character:
Router#configure terminal
Router(config)#banner login C
Warning!!! This system is designed solely for the authorized users of Company X on official business. Users of this system understand that there is no expectation of privacy, and that use of the system may be monitored and recorded. Use of this system is consent to said monitoring and recording. Users of this system acknowledge that if monitoring finds evidence of misuse, abuse, and/or criminal activity, that system operators may provide monitoring and recording data to law enforcement officials.
C
Router(config)#^Z
Router#

- EXEC banner: The EXEC banner is used for setting a message for users who enter EXEC, or Privileged, Mode. You can create a new banner, use the same warning banner, or whatever else you wish. The process for setting a new banner is nearly identical to the process for the login banner. The difference is in the command. Instead of the command banner login, you use the command banner exec. In the following configuration fragment, you can see the exec banner created, with a delimiter of the pound sign (#):
Router#configure terminal
Router(config)#banner exec #
Reminder!!! When you logged into this system, you acknowledged that you are an authorized user of Company X systems. You also acknowledged that your use of this system may be monitored and recorded. Finally, you agreed that if misuse, abuse, and/or criminal activity are found while monitoring, that law enforcement officials may be contacted.
#
Router(config)#^Z
Router#


TASK 3A-2
Configuring Login Banners
1. Create the configuration fragment that you would use to create a login warning banner. You can include whatever text you like for the banner, but use the letter B as your delimiter. A possible response is:
Router#configure terminal
Router(config)#banner login B
Warning!!! This is the login banner for the SCNS TPD class. If you are not a member of this class, you may not access this system. Users of this system are advised that nearly everyone is running packet-capturing utilities and everyone is watching you!
B
Router(config)#^Z
Router#

SSH Overview
Although Telnet is used in this course, and is often the method of choice for many administrators, from a security perspective it is not a solid option. This is due to the fact that there is no encryption on the session; all commands and responses are cleartext and can be viewed by any packet-capture utility. SSH, or Secure Shell, provides for a higher level of security on remote connections to the router. Using RSA public key cryptography, SSH establishes a secure channel of communication between client and server. Cisco IOS support for SSH is not present in older versions of the IOS, such as 11.2 and 11.3. From version 12.0(5) with IPSec onward, support for SSH was included. And, only IOS versions that have IPSec will have SSH support. In order for SSH sessions to be established, there is some preparation that must take place on the router. The router must have usernames defined, must have a hostname defined, and must have a domain name set.
Not all versions of the IOS support SSH. Versions that support IPSec also support SSH.

Router Configuration to use SSH


In implementing SSH, you should use Access Control Lists, controlling VTY access. A later section fully details an Access Control List (ACL). However, in brief, the ACL is used to regulate access (denial or permission) to an object on the router. In this configuration fragment, ACL 23 is used to define the host that is allowed to access the router for administration. The host name of the router is simply Router and the domain will be scp.mil. The username is SSHUser and the password for this user is No+3ln3+.

Lesson 3: Routers and Access Control Lists

103

Router#configure terminal
Router(config)#ip domain-name scp.mil
Router(config)#access-list 23 permit 192.168.51.45
Router(config)#line vty 0 4
Router(config-line)#access-class 23 in
Router(config-line)#exit
Router(config)#username SSHUser password No+3ln3+
Router(config)#line vty 0 4
Router(config-line)#login local
Router(config-line)#exit
Router(config)#

The router configuration is close to being finished, but there is still some work to be done. RSA must be enabled so that the key pair can be generated and used. When creating a new key pair, be aware that it may take some time for the pair to complete. In this fragment, all you will see is the command that creates the key pair, crypto key generate rsa, the use of 1024 as the number of bits (the Cisco recommended minimum), and the OK when the calculation is done.
Router#configure terminal
Router(config)#crypto key generate rsa
The name for the keys will be: Router.scp.mil
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
Generating RSA keys ...
[OK]
Router(config)#

You have now enabled SSH to run on your router. There are some commands that you can use to fine-tune the SSH function, and you will need to configure your client to use SSH. The following configuration fragment is used to define the time-out, in seconds, that the server will wait for the client to provide a password. The default is 120 seconds, and the Cisco recommended time is 90 seconds. In this fragment, the time has been changed to 45 seconds.
Router#configure terminal
Router(config)#ip ssh time-out 45
Router(config)#^Z
Router#

The next fragment is used to define the number of retries that will be allowed before the router drops the connection. The default for this setting is 3, and the maximum is 5. This is a setting that you may rarely change, but in the fragment, the retries are set to 2, so after the second bad try, the connection is dropped:
Router#configure terminal
Router(config)#ip ssh authentication-retries 2
Router(config)#^Z
Router#

Finally, here is the configuration that lets the VTY sessions on the router accept both SSH and Telnet as valid connection types. If you want to have only SSH used, which is the point here, you would not add the word telnet to the command.

104

Tactical Perimeter Defense

Router#configure terminal
Router(config)#line vty 0 4
Router(config-line)#transport input ssh telnet
Router(config-line)#^Z
Router#
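The fragments above add up to a small checklist for the VTY lines (SSH prerequisites present, an inbound access-class, login local, and a transport input that names only ssh). The following script, an added example that is not part of the course text, audits a saved IOS-style configuration against that checklist; the sample configuration it contains is constructed for the example and the password value is a placeholder.

```python
"""Audit the VTY hardening described in this topic in an IOS-style config.

Added example, not from the course text. The parser understands only the
commands used in this topic (hostname, ip domain-name, username, line vty,
access-class, login local, transport input). SAMPLE_CONFIG is constructed
for the example and deliberately leaves Telnet enabled on the VTY lines.
"""
import re

# Constructed sample: mirrors the fragments in the text, with Telnet left on.
SAMPLE_CONFIG = """\
hostname Router
ip domain-name scp.mil
username SSHUser password PLACEHOLDER
access-list 23 permit 192.168.51.45
ip ssh time-out 45
ip ssh authentication-retries 2
line con 0
 login
line vty 0 4
 access-class 23 in
 login local
 transport input ssh telnet
"""


def parse_config(text):
    """Split an IOS config into global commands and per-'line' sections.

    Returns (global_cmds, sections); sections maps a 'line ...' header to the
    indented commands beneath it.
    """
    global_cmds, sections = [], {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            # Indented command: belongs to the most recent 'line' section.
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = None
            if raw.startswith("line "):
                current = raw.strip()
                sections[current] = []
            else:
                global_cmds.append(raw.strip())
    return global_cmds, sections


def audit_vty(text):
    """Return a list of findings for the VTY lines; an empty list means clean."""
    global_cmds, sections = parse_config(text)
    findings = []
    # SSH prerequisites named in the text: hostname, domain name, usernames.
    for prereq in ("hostname ", "ip domain-name ", "username "):
        if not any(c.startswith(prereq) for c in global_cmds):
            findings.append(f"missing global '{prereq.strip()}' (needed for SSH)")
    for header, cmds in sections.items():
        if not header.startswith("line vty"):
            continue
        transport = [c for c in cmds if c.startswith("transport input")]
        if not transport:
            findings.append(f"{header}: no 'transport input' (Telnet may be accepted)")
        else:
            # The last transport input statement wins; it must name ssh only.
            protos = set(transport[-1].split()[2:])
            if protos != {"ssh"}:
                findings.append(f"{header}: transport input allows {sorted(protos)}, expected ssh only")
        if not any(re.match(r"access-class \S+ in", c) for c in cmds):
            findings.append(f"{header}: no inbound access-class restricting source hosts")
        if "login local" not in cmds:
            findings.append(f"{header}: 'login local' not set")
    return findings


if __name__ == "__main__":
    for finding in audit_vty(SAMPLE_CONFIG):
        print(finding)
```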

SSH Verification
On the router, you will want to run some diagnostic commands to find out who is connected and how. These commands will show you the state of your SSH connections. There are some differences based on the IOS version you are running, so note that in the following. If you are running IOS version 12.1, and you want to see the state of SSH connections, including who is connected, use the command show ip ssh. The following fragment lists what this command will reveal.
Router#show ip ssh
Connection   Version   Encryption   State   Username
0            1.5       3DES         4       SSHUser
Router#

If you are running IOS version 12.2, there are two commands for viewing SSH information. First is the show ip ssh command, only here it lists the details, such as time-out and version. The second command is show ssh, and this shows the user connected. The following fragment shows both commands used, one after the other, and their result onscreen.
Router#show ip ssh
SSH Enabled - version 1.5
Authentication timeout: 45 secs; Authentication retries: 2
Router#show ssh
Connection   Version   Encryption   State             Username
0            1.5       3DES         Session Started   SSHUser
Router#

INSTRUCTOR TASK 3A-3


Configuring SSH on a Router
Setup: Observe as your instructor performs the SSH configuration on the LEFT and RIGHT routers.
1. Console in to the LEFT router, and switch to EXEC mode.
2. At the LEFT# prompt, enter conf t to switch to config mode. The LEFT(config)# prompt should be displayed.
3. Enter ip domain-name left.com to provide a domain name.
4. Enter crypto key generate rsa to create key pairs. When you are prompted for the number of bits in the modulus, press Enter to accept the default of 512.
5. Enter ip ssh time-out 120 to set the time-out value to 2 minutes.
6. Enter ip ssh authentication-retries 3 to limit the number of unsuccessful attempts.
7. Enter line vty 0 4 to begin the line configuration. The LEFT(config-line)# prompt is displayed.
8. Enter transport input ssh to limit the VTY sessions to accept only SSH connections.
9. Enter login local to provide for local login.
10. Enter exit to return to the LEFT(config)# prompt.
11. Enter username sshl01 privilege 15 password sshpass to assign a user name and password for student station L01. Repeat this command to assign user names and passwords for all other student stations on the left side of the classroom.
12. Enter exit to return to the LEFT# prompt.
13. Enter copy ru st to save the configuration changes. Press Enter to accept the default file name.
14. Enter exit to return to the LEFT> prompt.
15. Disconnect from the LEFT router, and console in to the RIGHT router.
16. Use the steps listed previously as a guide to set up SSH on the RIGHT router. Use the domain name right.com, and create user names such as sshr01, sshr02, and so forth.
17. Disconnect from the RIGHT router, and close the console.
18. Try to Telnet to either of the ssh-enabled routers, and ask students to do the same. None of the attempts should be successful, as you have blocked Telnet connections on both routers.

Client Configuration to use SSH


Just as there was some configuration required on the server, some configuration is needed on the client side to run SSH. However, the configuration on the client is not nearly as complex. In general, a client SSH application must be installed, and the client must be configured to use the application in communication with the router. There are several SSH client programs available; in this example, the PuTTY program is used. Figure 3-1 shows an example of the settings for this application.


Figure 3-1: The client configuration for an SSH session.
During the configuration, you will be asked to provide input on the cryptography used, and you will select RSA. Additionally, you will be required to present proper credentials when connecting, meaning the local username on the router and the password. Once you enter the proper credentials, you will have secure access, and operation will be no different than using Telnet.

TASK 3A-4
Configuring the SSH Client
Setup: You are logged on to Windows Server 2003 as the renamed Administrator account. The routers have a limited number of simultaneous logins, so you might need to take turns accessing the routers if your class has many students in it.
Provide students with the IP addresses for the LEFT and RIGHT routers. Provide students with the location of the PuTTY installation program.
1. Navigate to the putty.exe file located in C:\Tools\Lesson3.
2. Double-click putty.exe.
3. For Host Name, enter the IP address for your router. Your instructor will provide the router IP addresses. The router you use is named LEFT or RIGHT, based on your location in the classroom.
4. Click SSH (Port 22).
5. Click Open to initiate the connection.
6. When you are prompted, click Yes to accept the key, and click Yes to continue the connection.
7. Press Enter to display the login prompt.
8. Enter your ssh user name, such as sshl01. You should be prompted for a password. Enter sshpass to complete the login sequence.
9. After authentication has taken place, log out and close PuTTY.

Topic 3B
Routing Principles
To be able to secure your routers and routed networks, you need to understand some basic principles related to routing in general. Let's begin by looking at how routers and routing fit into the OSI Model.

The ARP Process


Most people are aware that routers function at the Network layer, but that statement must be understood as "routers route at the Network layer." Routers are affected by and operate at other layers as well, including the Data Link layer. The OSI model is the foundation of all network communication. Routers fit into the OSI model just as other devices do, with their primary functionality being at the Network layer. In this lesson, the vast majority of the content will focus on the Network layer; however, there are important areas of the Data Link layer that must be investigated as well. MAC addresses are split into two parts, each containing six hexadecimal digits. The first six digits represent the vendor code (manufacturer indicator) or OUI (Organizationally Unique Identifier), and the second six are left for definition by the vendor and are often used as a serial number. These 48-bit numbers are designed to be globally unique, meaning that there is only one NIC with a given MAC address on the entire planet. ARP (RFC 826) is used to make the connection between the Layer Two and Layer Three addresses. ARP is used in the following examples of data moving from one host to another.

The IEEE (Institute of Electrical and Electronic Engineers) issues MAC addresses to network hardware vendors to ensure that MAC addresses remain unique.

Layer Two addresses are used to get data packets from one local node to another local node, while Layer Three addresses are used to get data packets from one network to another network.


The first example shows data moving from Node 1 to Node 2 on a local network segment. In order for the data to arrive properly, the following steps must occur:
1. Node 1 (knowing the Network layer address of Node 2) sends a local broadcast on the LAN indicating that Node 1 wishes to learn the Data Link address for Node 2.
2. Since Node 1 sent a broadcast, all nodes on the local segment receive and process the request, discarding it when they identify that the broadcast was not intended for them.
3. Node 2 identifies the message requesting its MAC address and responds by sending its Data Link address. Node 2 also stores the MAC address of Node 1 for future use.
4. Node 1 sends the packet directly to the Data Link address of Node 2.

Figure 3-2 shows this process between Node 1 and Node 2 on the same segment.

Figure 3-2: This example shows the process of a local ARP broadcast between two nodes.
To take this concept a bit further, let's look at the process of MAC address resolution if Node 2 is not on the local segment (see Figure 3-3). In order for communication to take place between Nodes 1 and 2, the following steps must occur:
1. Node 1 determines that it needs to communicate with Node 2. As with all TCP/IP communication, Node 1 ANDs its IP address with its subnet mask, then it ANDs Node 2's IP address with the Node 1 subnet mask.
2. Node 1 compares the results of the two AND processes to determine if they are the same (meaning that the nodes are on the same network) or different (meaning that the nodes are on different networks). In this example, the results are different, so Node 1 can conclude that Node 2 is situated on a different network than Node 1.
3. If Node 1's TCP/IP stack is configured with a Default Gateway, Node 1 will use ARP resolution for the Default Gateway address, as explained in the previous example (because Node 1's Default Gateway will most likely be on the same network as Node 1), and store the Default Gateway address as the address to use for reaching Node 2.

Note: If a Default Gateway is not configured for Node 1, then Node 1 will not be able to communicate with Node 2. In fact, if a Default Gateway is not configured and Node 1 attempts to ping Node 2, it should receive a message stating that the destination host is unreachable. For a ping to be successful across a routed network such as the one in this example, Node 2 should also have an appropriate Default Gateway in its IP configuration. If Node 2 exists but is not configured with a Default Gateway, and if Node 1 attempts to ping Node 2, Node 1 should receive a message stating that the request timed out.
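The AND-and-compare decision in steps 1 to 3, together with the "no Default Gateway" case from the note, as an added example that is not part of the course text. Node addresses 10.0.10.115 and 20.0.20.207 are taken from Figure 3-4; the mask 255.255.255.0 and the gateway address 10.0.10.1 are constructed for the example.

```python
"""The same-network test from steps 1 and 2, with the Default Gateway cases
from step 3 and the Note.

Added example, not from the course text. Node addresses come from Figure 3-4;
the subnet mask and the gateway 10.0.10.1 are constructed assumptions.
"""


def ip_to_int(dotted):
    """Convert a dotted-quad IPv4 string to a 32-bit integer (validated)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value):
    """Inverse of ip_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def network_address(ip, mask):
    """Step 1: AND an address with a subnet mask to get its network address."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


def same_network(own_ip, own_mask, dest_ip):
    """Step 2: both addresses are ANDed with the sender's own mask and compared."""
    return network_address(own_ip, own_mask) == network_address(dest_ip, own_mask)


def arp_target(own_ip, own_mask, dest_ip, default_gateway=None):
    """Return the address whose MAC the sender must resolve to reach dest_ip.

    ("local", dest_ip)        destination is on the same network: ARP for it.
    ("gateway", gw)           destination is remote: ARP for the Default Gateway.
    ("unreachable", None)     remote destination but no gateway configured,
                              the 'destination host unreachable' case above.
    """
    if same_network(own_ip, own_mask, dest_ip):
        return ("local", dest_ip)
    if default_gateway is None:
        return ("unreachable", None)
    if not same_network(own_ip, own_mask, default_gateway):
        # A gateway that is not on the local segment cannot be ARPed for.
        raise ValueError(f"default gateway {default_gateway} is not on the local network")
    return ("gateway", default_gateway)


if __name__ == "__main__":
    print(arp_target("10.0.10.115", "255.255.255.0", "20.0.20.207", "10.0.10.1"))
```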

Figure 3-3: This example shows the process of a router returning the ARP request of a remote node. These examples are geared towards TCP/IP as a protocol, and we will use TCP/IP throughout this lesson. IP addressing is the primary example of Network layer addressing used today.

LAN-to-LAN Routing Process


The process of moving data from one host to another and from LAN to LAN is not complex. In the example shown in Figure 3-4, there is one router connecting two networks. There are two hosts defined, one on either network, using TCP/IP.


Figure 3-4: Two networks connected by a single router.
From this diagram, you can see the networks are connected via a single router. Both interfaces are Ethernet interfaces, and the IP addresses are given. In this example, Node 7 is trying to get a packet to Node 10. Since the nodes are in different networks, the packet will need to be routed to reach its goal. An Ethernet packet will be generated at Node 7 with the IP source address 10.0.10.115 and the source MAC address of Node 7. The destination IP address will be 20.0.20.207, with the destination MAC address still unknown. When the router hears the request for the MAC address of host 20.0.20.207, it replies to Node 7 with its own MAC address. Node 7 then sends the packet to the router with a destination IP address of 20.0.20.207 and the MAC address of the E0 interface of the router. Once the router receives the packet, it in turn sends a broadcast for the MAC address of 20.0.20.207. Node 10 responds to this request, and the router receives the response. A new packet is then generated by the router, addressed to IP address 20.0.20.207 from IP address 10.0.10.115, with the source MAC address of the router and the destination MAC address of Node 10. Node 10 receives the packet and responds, following the same steps.


LAN-to-WAN Routing Process


The LAN-to-WAN routing process is not much different from the previous example; there are simply more steps involved, and the packet may change encapsulations along the way, from Ethernet to something else and back to Ethernet. In the example shown in Figure 3-5, there is a routed network with two LANs connected via multiple routers in a WAN configuration.

Figure 3-5: Two end nodes connected over multiple routers in a WAN configuration.


For a packet to get from Node 7 to Node 10 in this configuration, there are several steps that must happen:
1. Node 7 creates a request for the MAC address of node 50.0.50.150.
2. The router connected to network 10.0.10.0 sees this request, and realizes it is the path to the destination network. It replies to Node 7 with its MAC address.
3. Node 7 creates a packet with the source IP address of 10.0.10.115 and the destination IP address of 50.0.50.150, a source MAC of Node 7, and the destination MAC of the network 10.0.10.0 router.
4. As the local router receives the packet, the IP source and destination addresses do not change. The encapsulation may change to fit the wire, PPP or Frame Relay for example.
5. The packet is sent from one router to another; at each hop, the IP addresses do not change.
6. Once the packet reaches the router for segment 50.0.50.0, the WAN encapsulation is removed, and you are left with an Ethernet packet with source IP address 10.0.10.115 and destination IP address 50.0.50.150, the source MAC of the local E0 interface of the local router, and the destination MAC address of Node 10.

TASK 3B-1
Performing IP and MAC Analysis
Setup: You are logged on to Windows Server 2003 as the renamed Administrator account.
1. Navigate to C:\Tools\Lesson3 and open ping-arp-mac.cap. The file should open in Network Monitor.
2. Quickly scroll through the main capture, noting the frames and their functions. You will see it is a capture of an initial ARP process, then two consecutive pings (Echo and Echo:Reply packets).
3. Expand Frame Four.
4. Record the source and destination IP addresses and the source and destination MAC addresses here:
   Source IP address: 172.16.10.1
   Destination IP address: 172.17.10.1
   Source MAC address: 00 D0 09 7F 0D 73
   Destination MAC address: 00 00 0C 8D B8 54
   If you need to, expand IP and Ethernet so that you can see the addresses.
5. Expand Frame Five, and record those IP and MAC addresses as well.
   Source IP address: 172.17.10.1
   Destination IP address: 172.16.10.1
   Source MAC address: 00 00 0C 8D B8 54
   Destination MAC address: 00 D0 09 7F 0D 73
6. Observe that, when pinging 172.17.10.1 from 172.16.10.1, the destination MAC address is 00000C8DB854.
7. Examine the exchanges in frames 6 and 7, 8 and 9, and 10 and 11 to see the ping process complete.
8. Expand Frame Twelve, and record those IP and MAC addresses as well.
   Source IP address: 172.16.10.1
   Destination IP address: 172.18.10.1
   Source MAC address: 00 D0 09 7F 0D 73
   Destination MAC address: 00 00 0C 8D B8 54
9. Expand Frame Thirteen, and record those IP and MAC addresses as well.
   Source IP address: 172.18.10.1
   Destination IP address: 172.16.10.1
   Source MAC address: 00 00 0C 8D B8 54
   Destination MAC address: 00 D0 09 7F 0D 73
10. Observe that when pinging 172.18.10.1 from 172.16.10.1, the destination MAC address is again 00000C8DB854.
11. Examine the exchanges in frames 14 and 15, 16 and 17, and 18 and 19 to see the ping process complete.
12. Close the capture file, and leave Network Monitor open.

The Routing Process


Figure 3-6 shows a complex network, with many possible paths for the data to take across the network. The routers will have to communicate with each other in order to determine the path for the given situation.


Figure 3-6: Potential paths that data can take to get from one node to another.
In order for the routers to exchange their data, they must have mutual paths of communication. These paths are the actual connections between the routers. By using logical addressing, the routers have defined networks to transmit data on. The logical addressing minimizes the use of broadcasting, with the end result being more bandwidth for data transmission. In Figure 3-7, each segment with a letter is a unique Layer Three network segment.


Figure 3-7: Logical network addressing used in an internetwork.
The routers will use the information about the paths to which they are connected, including the type of connection and available bandwidth, to determine the routes for data to take. For example, the routers might decide that for a packet to get from network A to network N, the packet should take network A to network B to network D to network H to network J to network K to network M to network N. There are many times when the fastest route is not a straight path!

Static and Dynamic Routing


In order for the router to be able to make decisions on where data should go, it needs to consult its routing table. The routing table is the list of available networks and the paths to reach those networks. (Routing tables will be discussed in detail in the next topic.) Every time a packet reaches a router, the router needs to review the routing table to determine the appropriate path for the packet. The router must be aware of the other potential networks and the way to reach these networks.

Static Routes
The creation of these paths can happen either dynamically (automatically) or statically (manually). The first of these two concepts, static routing, is defined here.


A static route is a route that has been manually entered into the router to define the path to the remote network. Although its use is not desirable for every situation, static routing has many advantages, such as:
- Precise control over the routes data will take across the network.
- Easy to configure in small networks.
- Reduced bandwidth use, due to no excessive router-to-router traffic.
- Reduced load on the routers, due to no need to make complex routing calculations.

Figure 3-8 shows a simple network configuration with two routers and their defined networks.

Figure 3-8: Two routers, Finance and Marketing, and the networks they connect.
The configuration fragments for the static routes of the above routers look like the following:
MarketingRouter#config terminal
MarketingRouter(config)#ip route 10.0.10.0 255.255.255.0 20.0.20.1
MarketingRouter(config)#^Z
MarketingRouter#

FinanceRouter#config terminal
FinanceRouter(config)#ip route 30.0.30.0 255.255.255.0 20.0.20.2
FinanceRouter(config)#^Z
FinanceRouter#

Dynamic Routes
From the previous example, you can see that the command syntax and time to enter the static routes is not complex and will not take a lot of time. However, the previous example is a very small simple network, and it is because of its simplicity that static routes will work. When the networks become more complex, static routing is not always a reasonable option. If there were a dozen routers, for example, each connected to several networks, static routing would become much more complex.


This is where dynamic routing enters the equation. Dynamic routing protocols can change the configuration of the network when a link goes down. Dynamic routing protocols can converge to be sure that all routers have a consistent view of the network. And, dynamic routing protocols have the means to calculate the best path through an internetwork. Dynamic routing protocols use mathematical algorithms to determine routes and communicate with one another. The routers exchange their information at defined intervals, and these updates are used to make decisions on routes to take and on reconfiguration, when required. Because the routers are exchanging this data frequently, they are able to change paths and update as needed. This flexibility is what makes dynamic routing protocols so desirable. If a router goes down somewhere in the network, the remaining routers will reconfigure and find a way for the data to reach the other side of the network. An example of this is shown in Figure 3-9.

Figure 3-9: There are several routers and multiple paths data can take across this internetwork.
In the event that Finance Router 2 goes offline, and these routers are using dynamic routing, the other routers will reconfigure themselves to use only the other Finance Router. When the offline router comes back online, the other routers in the network will reconfigure themselves accordingly.


Comparing Routed Protocols and Routing Protocols


One area where people tend to have confusion when dealing with routers is the difference between routed protocols and routing protocols. They are distinctly different. In this section, you will learn to differentiate between the two and draw the boundaries clearly around them so that you can easily and quickly identify one or the other.

What are Routed Protocols?


For a protocol to be considered a routed protocol, it must have the following characteristics:
- It must contain Network-layer addressing information.
- It must have a method of locating a single host on a given network.

Routed protocols are those that carry enough information that user data has an addressing method to use in the transportation of data between and across networks. The routed protocols have enough internal information to define the structure and function of the various fields inside a given packet. The most common routed protocol of today (and of the last decade) is the Internet Protocol, or IP. Other routed protocols are Novell's IPX/SPX (Microsoft's version of IPX/SPX is NWLink) and AppleTalk. TCP/IP, IPX/SPX, and AppleTalk all allow for addressing at the Network layer of the OSI model.

What are Routing Protocols?


While a routed protocol is used to carry data from one host to another, a routing protocol is used to carry data from one network to another, across multiple routers. The routing protocol is also the method of transmitting the routing updates and messages between routers. Routers will use their assigned routing protocols to create, maintain, and exchange routing data. The routers can use the same routing protocols to actually forward the data packets from one network to another, including the decisions on which path is the best path to take for the data. These routing protocols can also be used by routers to learn the status and configurations of networks they are not directly connected to. In addition to learning about other remote networks, the routers will use their routing protocols to tell remote routers about networks that the remote router is not directly connected to. Regardless of the routing protocol chosen, the routers must have consistent and open communication between each other in order to maintain a reliable picture, or map, of the network. It is this map of the network that all the routers will use to assist in forwarding data packets from network to network. Some examples of routing protocols are RIP (Routing Information Protocol), IGRP (Interior Gateway Routing Protocol), and OSPF (Open Shortest Path First). Whether the protocol used is RIP, IGRP, or OSPF, it is important to consider that there is no actual end-user data carried by the routing protocol messages. The user data is carried by the routed protocol.


The Routing Protocols


The last area to cover in this topic is the actual protocols themselves. Here, we will discuss the common types of protocols, and look at some examples of the protocols in action. The two common types of protocols are Distance Vector and Link-State. Regardless of whether the protocol is Distance Vector or Link-State, for dynamic routing to function, two critical router functions must exist:
- An updated and consistent routing table.
- Scheduled updates between routers.

For the routing protocols to perform these two critical processes, they must conform to a given set of rules. These rules are part of the operation of the routing protocol. Examples of what these rules can define include:
- The frequency of updates between routers.
- The amount of data contained in the updates.
- The process of finding the proper recipients of the router data.

Calculation of the different data paths, and ultimately choosing the most efficient one based on the given protocol, requires a defined formula. The formula in the case of routers is known as a routing algorithm. The routing algorithm is responsible for the actual calculation that determines the path the data will take as it moves throughout the network. To make this calculation, the algorithm must use certain variables to create what is known as a metric. The metric is then what is used in path determination. Some of the variables that are used to create the overall metric of a given path are:
- Hop Count: This is the number of routers that a data packet must go through to reach its destination. The rule is that the fewer the hops, the shorter the distance the data has to travel, and therefore the better the path.
- Cost: The cost of a link can be defined by the administrator or calculated by the router. Generally, the lower the cost, the faster the route.
- Bandwidth: This variable is defined by the overall bandwidth that the link provides.
- MTU (Maximum Transmission Unit): The MTU is the largest message size (in octets) that a link will route.
- Load: This variable is based on the amount of work the CPU has to perform, and the number of packets the CPU must analyze and make calculations on.

metric: A random variable x representing a quantitative measure accumulated over a period.

Regardless of the routing protocol chosen, there is no single rule for selecting the best protocol based on its algorithm. The routing protocol must change to adapt to the network in the event there are network changes, and both Distance Vector and Link-State have this ability. When the routers change their tables based on this update information from the routing protocol, this is called convergence. When all routers have the same view of the network, the network is converged. It is the goal of all routing protocols to have fast convergence, so that the routers maintain a consistent view of the routes available to network segments, and do not use incorrect data to make routing decisions.


Distance Vector Routing


Distance Vector routing calculates the distance to a given network segment and the direction (or vector) required to reach the segment. The Distance Vector algorithm (Bellman-Ford) is designed to pass the routing table from neighbor to neighbor. The passing of the routing table is called the update between routers. In the event of a topology change, such as a router going offline, an update will be sent immediately from one router to another.

topology: The map or plan of the network. The physical topology describes how the wires or cables are laid out, and the logical or electrical topology describes how the information ows.

Figure 3-10: Routers passing the routing table.
In Distance Vector routing, the routing table is passed between routers along the shared segments. In Figure 3-10, Router A and Router B will share their routing tables over the segment between them, out Interface E2 of Router A and out Interface E0 of Router B. When the routers receive an update, they add any new information on how to get to new routes, or better paths (lower hop counts) to known routes. The algorithm adds one hop to the hop count for every hop that must be crossed to reach the destination. Figure 3-11 shows a basic routing table with hop count included.

Figure 3-11: A routing table with interfaces defined and hop counts.
In this example, the routing table has been created, and convergence has been achieved. Both routers have a consistent view of the network, and the routing tables define the path to the networks and the interface to forward packets out of to reach the required destinations.
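The update-and-merge rule just described (accept a neighbor's entry at hop count + 1 when the network is new or the path is shorter, repeat until nothing changes) as an added example that is not part of the course text. The topology is constructed: it follows the Router A / Router B layout of Figure 3-10 (A's E2 and B's E0 on a shared segment) and adds a third router, C, so that a two-hop route appears.

```python
"""Distance Vector (Bellman-Ford) updates between neighbors, as in Figure 3-10.

Added example, not from the course text. Each router keeps a table of
network -> (hop_count, next_hop_router, out_interface). When a neighbor's
table arrives on an interface, each entry is accepted at hop_count + 1 if the
network is new or the advertised path is shorter. Topology (constructed):
A: 10.0.10.0 on E0, 20.0.20.0 on E2    B: 20.0.20.0 on E0, 30.0.30.0 on E1
C: 30.0.30.0 on E0, 40.0.40.0 on E1
"""


class Router:
    def __init__(self, name, connected):
        """connected maps each directly attached network to its local interface."""
        self.name = name
        # Directly connected networks cost 0 hops and have no next-hop router.
        self.table = {net: (0, None, iface) for net, iface in connected.items()}

    def advertisement(self):
        """The table as sent to a neighbor: network -> hop count."""
        return {net: hops for net, (hops, _, _) in self.table.items()}

    def receive_update(self, neighbor_name, via_iface, adv):
        """Merge a neighbor's advertised table; return True if anything changed."""
        changed = False
        for net, hops in adv.items():
            candidate = hops + 1          # one more hop to reach the neighbor
            current = self.table.get(net)
            if current is None or candidate < current[0]:
                self.table[net] = (candidate, neighbor_name, via_iface)
                changed = True
        return changed


def converge(links):
    """Exchange tables over every shared segment until no table changes.

    links: list of (router_x, iface_x, router_y, iface_y) shared segments.
    Returns the number of update rounds in which something changed.
    """
    rounds = 0
    while True:
        changed = False
        for rx, ix, ry, iy in links:
            adv_x, adv_y = rx.advertisement(), ry.advertisement()
            changed |= ry.receive_update(rx.name, iy, adv_x)
            changed |= rx.receive_update(ry.name, ix, adv_y)
        if not changed:
            return rounds
        rounds += 1


def build_example():
    """Three routers in a chain; returns (A, B, C, rounds_to_converge)."""
    a = Router("A", {"10.0.10.0": "E0", "20.0.20.0": "E2"})
    b = Router("B", {"20.0.20.0": "E0", "30.0.30.0": "E1"})
    c = Router("C", {"30.0.30.0": "E0", "40.0.40.0": "E1"})
    rounds = converge([(a, "E2", b, "E0"), (b, "E1", c, "E0")])
    return a, b, c, rounds


if __name__ == "__main__":
    for router in build_example()[:3]:
        print(router.name, router.table)
```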


Link-State Routing
Where Distance Vector routing uses hop counts to make the decisions in the routing table on path determination, Link-State routing uses a more complex metric system. In Link-State routing, all routers maintain a consistent view of the network, as they do in Distance Vector routing, but they also are all aware of the complete network topology. The Link-State routers know each network segment, and the different options for reaching each segment. Convergence is just as critical in Link-State routing, and in order to have a converged network, there are steps that must be followed. Figure 3-12 shows a complex network, and after the diagram, the steps for convergence will be outlined.

Figure 3-12: In this complex network, 7 routers and 14 network segments are defined.
The steps for network convergence are as follows:
1. The routers identify the routers that are their direct neighbors. For example, Router 3 will identify Router 6 and Router 4 as neighbors.
2. The routers send LSPs (Link State Packets) to the network. The LSPs contain data on which networks the router can reach. For example, Router 7 would send LSPs indicating that Router 7 is connected to segments 10.0.0.0, 11.0.0.0, 12.0.0.0, and 14.0.0.0.
3. The routers in the network accept all the LSPs and build a topology database of the network. The LSPs from all routers are used to build this consistent view.
4. The SPF (Shortest Path First) algorithm is used to determine the accessibility of each network and the shortest path between networks. The SPF algorithm is executed on all routers, so that they all end up with the same topology view of the network. Each router knows the best path to every segment.
5. The router uses the SPF calculations to determine the best (shortest) path for reaching each destination network on the internetwork.
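The five convergence steps carried through in code, as an added example that is not part of the course text: neighbor discovery from shared segments, LSPs merged into a topology database, an SPF (Dijkstra) run, and the resulting per-router table. The four-router topology and its link costs are constructed for the example and do not reproduce Figure 3-12; it is built so that the cheapest path to segment 14.0.0.0 from R1 is not the straight one over the slow 12.0.0.0 link.

```python
"""Link-State convergence: LSPs, topology database and the SPF run.

Added example, not from the course text. LSPS is a constructed set of
Link State Packets: router -> {segment: link cost}. Two routers attached to
the same segment are neighbors (step 1). The database (step 3) is a graph
whose nodes are routers and segments; SPF (step 4) is Dijkstra's algorithm,
and the routing table (step 5) lists the cost and first-hop segment for
every other segment.
"""
import heapq

# Constructed LSPs. The 12.0.0.0 link between R1 and R3 is a slow one (cost 10).
LSPS = {
    "R1": {"10.0.0.0": 1, "11.0.0.0": 1, "12.0.0.0": 10},
    "R2": {"11.0.0.0": 1, "13.0.0.0": 1},
    "R3": {"12.0.0.0": 10, "14.0.0.0": 1},
    "R4": {"13.0.0.0": 1, "14.0.0.0": 1},
}


def neighbors(lsps, router):
    """Step 1: routers that share at least one segment with `router`."""
    mine = set(lsps[router])
    return {other for other, links in lsps.items()
            if other != router and mine & set(links)}


def build_topology(lsps):
    """Step 3: the topology database as an undirected graph.

    Router -> segment edges carry the link cost; segment -> router edges cost
    0, so crossing a segment is paid once, on the way onto it.
    """
    graph = {}
    for router, links in lsps.items():
        graph.setdefault(router, {})
        for segment, cost in links.items():
            graph.setdefault(segment, {})
            graph[router][segment] = cost
            graph[segment][router] = 0
    return graph


def spf(graph, source):
    """Step 4: Dijkstra's shortest path first from `source`.

    Returns {node: (total_cost, previous_node)} for every reachable node.
    """
    dist = {source: (0, None)}
    heap = [(0, source)]
    done = set()
    while heap:
        cost, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nxt, link_cost in graph[node].items():
            new_cost = cost + link_cost
            if nxt not in dist or new_cost < dist[nxt][0]:
                dist[nxt] = (new_cost, node)
                heapq.heappush(heap, (new_cost, nxt))
    return dist


def routing_table(lsps, router):
    """Step 5: segment -> (best cost, first-hop segment) for `router`.

    Every router runs this over the same LSPs, so all tables agree.
    """
    tree = spf(build_topology(lsps), router)
    table = {}
    for node, (cost, _) in tree.items():
        if node == router or node in lsps:
            continue                      # only segments are destinations
        hop = node                        # walk back to the first segment on the path
        while tree[hop][1] != router:
            hop = tree[hop][1]
        table[node] = (cost, hop)
    return table


if __name__ == "__main__":
    print(neighbors(LSPS, "R1"))
    print(routing_table(LSPS, "R1"))
```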

Common Protocols
Here is a quick list of common routing protocols used on Cisco routers:
RIP (Routing Information Protocol) is a Distance Vector protocol that uses hop count as its metric.
IGRP (Interior Gateway Routing Protocol) is a routing protocol that uses a combined metric for routing decisions.
EIGRP (Enhanced Interior Gateway Routing Protocol) is an enhanced version of IGRP that combines properties of Link-State and Distance Vector protocols.
OSPF (Open Shortest Path First) is a Link-State protocol that commonly replaces RIP in growing internetworks.
BGP (Border Gateway Protocol) is an interdomain routing protocol often used by Internet Service Providers.
RTMP (Routing Table Maintenance Protocol) is Apple's routing protocol. RTMP routers dynamically update topology changes in the network.

Administrative Distances
As the router has the ability to use static routes, dynamic routes, and multiple protocols, the ability to see the current routing table becomes even more critical as the network's complexity increases. There is a function in the router called administrative distance. The administrative distance function has one obvious use, and that is managing when two or more methods in the router are aware of a path to a destination. For example, if you entered a static route on how to get to a location, then RIP identified a route to that location, which route should the router use? This is where the administrative distance comes into play. The lower a value, the higher the level of trust the router places in that route. Some default administrative distances are listed in the following table.

Route Type                     Distance
Directly connected interface   0
Static route                   1
IGRP route                     100
OSPF route                     110
RIP route                      120

Therefore, if you had a static route and a RIP route, the static route would be the preferred route that the router uses. When viewing the routing table, not only will you be shown the current routes to destination networks, but you will also see the method used. The following configuration fragments show a portion of the routing tables for three routers in a network:


LEFT#show ip route
R 192.168.10.0/24 [120/1] via 192.168.20.2, 00:00:13, Serial1
C 192.168.20.0/24 is directly connected, Serial1
C 172.16.0.0/16 is directly connected, Ethernet0
R 172.17.0.0/16 [120/1] via 192.168.20.2, 00:00:13, Serial1
R 172.18.0.0/16 [120/2] via 192.168.20.2, 00:00:13, Serial1
CENTER#show ip route
C 192.168.10.0/24 is directly connected, Serial1
C 192.168.20.0/24 is directly connected, Serial0
R 172.16.0.0/16 [120/1] via 192.168.20.1, 00:00:13, Serial0
C 172.17.0.0/16 is directly connected, Ethernet0
R 172.18.0.0/16 [120/1] via 192.168.10.1, 00:00:18, Serial1
RIGHT#show ip route
C 192.168.10.0/24 is directly connected, Serial0
R 192.168.20.0/24 [120/1] via 192.168.10.2, 00:00:20, Serial0
R 172.16.0.0/16 [120/2] via 192.168.10.2, 00:00:20, Serial0
R 172.17.0.0/16 [120/1] via 192.168.10.2, 00:00:20, Serial0
C 172.18.0.0/16 is directly connected, Ethernet0

In these fragments, you can identify the routes on each router. You can also identify the routes that are directly connected and the routes that are using RIP. The way that you identify this is by the letter in front of each route. For example, in these examples, all routes with a letter C are connected interfaces. Routes with an R are using RIP. If a route had been input statically, it would have an S in front of it. For the RIP routes shown, note that the number 120 is displayed in brackets after the route. The 120 is an indicator of the administrative distance of this route. (The number following the slash is the hop count.)
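As an added illustration (not part of the course text), the following Python script parses route lines in the format shown above and applies the administrative distance rule to choose the installed route. It uses the LEFT router's output plus one constructed static route for 172.18.0.0/16, so that a static route and a RIP route to the same prefix compete.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Default administrative distances from the table in this topic.
ADMIN_DISTANCE = {"C": 0, "S": 1, "I": 100, "O": 110, "R": 120}

# Output of "show ip route" on the LEFT router as printed above, plus one
# constructed static route (the "S" line) for 172.18.0.0/16 so that the
# tie between a RIP route and a static route to the same prefix can be shown.
SHOW_IP_ROUTE = """\
R 192.168.10.0/24 [120/1] via 192.168.20.2, 00:00:13, Serial1
C 192.168.20.0/24 is directly connected, Serial1
C 172.16.0.0/16 is directly connected, Ethernet0
R 172.17.0.0/16 [120/1] via 192.168.20.2, 00:00:13, Serial1
R 172.18.0.0/16 [120/2] via 192.168.20.2, 00:00:13, Serial1
S 172.18.0.0/16 [1/0] via 192.168.20.2
"""

@dataclass
class Route:
    source: str               # one-letter code: C, S, R, O, I
    prefix: str               # e.g. 172.16.0.0/16
    ad: int                   # administrative distance (first bracketed number)
    metric: int               # second bracketed number; hop count for RIP
    via: Optional[str]        # next hop, None for connected routes
    interface: Optional[str]  # outgoing interface when shown

CONNECTED = re.compile(
    r"^(?P<code>[A-Z]) (?P<prefix>\S+) is directly connected, (?P<intf>\S+)$")
LEARNED = re.compile(
    r"^(?P<code>[A-Z]) (?P<prefix>\S+) \[(?P<ad>\d+)/(?P<metric>\d+)\] "
    r"via (?P<via>[\d.]+)(?P<rest>.*)$")

def parse_show_ip_route(text: str) -> List[Route]:
    """Parse the route lines of 'show ip route' output into Route records."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        m = CONNECTED.match(line)
        if m:
            routes.append(Route(m["code"], m["prefix"], 0, 0, None, m["intf"]))
            continue
        m = LEARNED.match(line)
        if m:
            # The trailing fields are ", <age>, <interface>"; the static
            # route carries neither, so the interface may be absent.
            rest = [p.strip() for p in m["rest"].split(",") if p.strip()]
            intf = rest[-1] if rest else None
            routes.append(Route(m["code"], m["prefix"], int(m["ad"]),
                                int(m["metric"]), m["via"], intf))
    return routes

def best_route(routes: List[Route], prefix: str) -> Optional[Route]:
    """Select the route the router installs for a prefix: the lowest
    administrative distance wins; among equal distances the lowest metric
    (fewest hops for RIP) wins. Returns None when no route exists."""
    candidates = [r for r in routes if r.prefix == prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (r.ad, r.metric))

def unexpected_distances(routes: List[Route]) -> List[Route]:
    """Routes whose bracketed distance differs from the default for their
    code, which points at an operator having overridden the distance."""
    return [r for r in routes
            if r.source in ADMIN_DISTANCE and r.ad != ADMIN_DISTANCE[r.source]]

if __name__ == "__main__":
    table = parse_show_ip_route(SHOW_IP_ROUTE)
    for prefix in sorted({r.prefix for r in table}):
        best = best_route(table, prefix)
        print(f"{prefix:18} -> {best.source} (AD {best.ad}, metric {best.metric})")
```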

RIP
RIP, or the Routing Information Protocol, is one of the most straightforward routing protocols that can be implemented. It also has no significant security, is broadcast-based, and is noisy. RIP functions by informing neighboring routers of the routers that the current router can reach. The current routes are created during the simple configuration process of setting up RIP in the router. The following configuration fragments show the configuration of RIP on three routers, LEFT, RIGHT, and CENTER:

LEFT#configure terminal
LEFT(config)#router rip
LEFT(config-router)#network 172.16.0.0
LEFT(config-router)#network 192.168.10.0
LEFT(config-router)#^Z
LEFT#
RIGHT#configure terminal
RIGHT(config)#router rip
RIGHT(config-router)#network 172.18.0.0
RIGHT(config-router)#network 192.168.20.0
RIGHT(config-router)#^Z
RIGHT#
CENTER#configure terminal
CENTER(config)#router rip
CENTER(config-router)#network 172.17.0.0
CENTER(config-router)#network 192.168.10.0
CENTER(config-router)#network 192.168.20.0
CENTER(config-router)#^Z
CENTER#

In these fragments, RIP routing has been configured with the networks that each router can reach. For example, the LEFT router will announce that if there is a packet destined for network 172.16.0.0, then the other routers should send it to the LEFT router. Because RIP is broadcast-based, any host on a segment where RIP broadcasts are sent can receive the update. Only the router has a legitimate routing function, but an attacker can learn valuable information, such as the configuration and addressing of a network.

TASK 3B-2
Viewing a RIP Capture
Setup: You are logged on to Windows Server 2003 as the renamed Administrator account, and Network Monitor is running.
1. Open rip update.cap located in C:\Tools\Lesson3.
2. Expand Frame One, and observe the contents of the packet.
3. Look for the destination address of the packet. Find the IP and MAC destination addresses.
4. Observe the source address. You can conclude that this is likely the source address of a router in the network.
5. Expand the RIP portion of the frame capture.
6. Examine the network details sent in the packet. Even though you are a random user on the network, you have captured the packet and are able to learn quite a few things about the network in a very short amount of time.
7. Close the capture file, and leave Network Monitor open.

RIPv2
In order to address some of the issues associated with RIP, RIPv2 was introduced as a routing protocol. A security advantage was the ability to require and use authentication for RIP updates. From a networking perspective, the configuration is very similar to RIPv1, as shown previously. The following configuration fragment shows the same three routers configured to use RIPv2 instead of RIPv1:

LEFT#configure terminal
LEFT(config)#router rip
LEFT(config-router)#version 2
LEFT(config-router)#network 172.16.0.0
LEFT(config-router)#network 192.168.10.0
LEFT(config-router)#^Z
LEFT#
RIGHT#configure terminal
RIGHT(config)#router rip
RIGHT(config-router)#version 2
RIGHT(config-router)#network 172.18.0.0
RIGHT(config-router)#network 192.168.20.0
RIGHT(config-router)#^Z
RIGHT#
CENTER#configure terminal
CENTER(config)#router rip
CENTER(config-router)#version 2
CENTER(config-router)#network 172.17.0.0
CENTER(config-router)#network 192.168.10.0
CENTER(config-router)#network 192.168.20.0
CENTER(config-router)#^Z
CENTER#

The authentication used is a key and MD5. The following configuration fragment shows the setup of RIPv2 authentication. In this fragment, first the router is told that RIP authentication is required, then the key (the word strongpassword) is created.

Router#configure terminal
Router(config)#interface ethernet0
Router(config-if)#ip rip authentication key-chain 3
Router(config-if)#ip rip authentication mode md5
Router(config-if)#exit
Router(config)#interface serial0
Router(config-if)#ip rip authentication key-chain 3
Router(config-if)#ip rip authentication mode md5
Router(config-if)#exit
Router(config)#interface serial1
Router(config-if)#ip rip authentication key-chain 3
Router(config-if)#ip rip authentication mode md5
Router(config-if)#^Z
Router#configure terminal
Router(config)#key chain 3
Router(config-keychain)#key 1
Router(config-keychain-key)#key-string strongpassword
Router(config-keychain-key)#^Z
Router#

All routers that will exchange routing updates on the same network must use the same configuration, so the authentication will match. Once the router is configured, if you were to enter the show running-config command, you would get the following new pieces in the output:

enable secret 5 $1$v13S$Nk8zY5NcYor5VvAfcfZCn0
enable password 2501
!
!
key chain 3
 key 1
  key-string strongpassword
!
interface Ethernet0
 ip address 172.16.0.1 255.255.0.0
 ip rip authentication mode md5
 ip rip authentication key-chain 3
 no mop enabled
interface Serial0
 no ip address
 shutdown

TASK 3B-3
Viewing a RIPv2 Capture
Setup: You are logged on to Windows Server 2003 as the renamed Administrator account, and Network Monitor is running.
1. Open ripv2withAuthentication.cap, located in C:\Tools\Lesson3.
2. Expand Frame One (the only frame) and observe the contents of the packet.
3. Look for the destination address of the packet. Find the IP and MAC destination addresses.
4. Observe the source address. You can conclude that this is likely the source address of a router in the network.
5. Expand the RIP portion of the frame capture.
6. Examine the network details sent in the packet.
7. Observe the addition of the Authentication portion of the capture and the additional fields not present in the RIPv1 packet. Second, observe that the Routing Data is still visible.
8. Close Network Monitor.
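The following Python parser is an added example, not part of the course or its capture files: it decodes RIPv1 and RIPv2 packets built inline from the RFC 1058/2453 entry layout and the RFC 2082 keyed-MD5 authentication entries, to show what the two tasks observe, namely that authentication adds entries to the update while the routing data remains readable. The addresses are taken from the three-router example above; the MD5 digest bytes are a placeholder, since no key is used here.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

RIP_HEADER = struct.Struct("!BBH")   # command, version, must-be-zero
ENTRY_LEN = 20                       # every RIP entry is 20 bytes
AFI_INET = 2
AFI_AUTH = 0xFFFF                    # RIPv2 authentication entry
AUTH_TRAILER = 1                     # keyed-MD5 digest trailer (RFC 2082)
AUTH_SIMPLE = 2                      # clear-text password
AUTH_KEYED_MD5 = 3
COMMANDS = {1: "request", 2: "response"}

@dataclass
class RipRoute:
    address: str
    mask: str         # "n/a" for RIPv1, which carries no subnet mask
    next_hop: str
    metric: int

@dataclass
class RipPacket:
    command: str
    version: int
    auth_type: Optional[int]
    routes: List[RipRoute] = field(default_factory=list)

def _dotted(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def _packed(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))

def parse_rip(data: bytes) -> RipPacket:
    """Decode a RIPv1 or RIPv2 packet. Authentication entries are noted but
    the route entries are decoded regardless: authentication proves who sent
    the update, it does not hide its contents."""
    if len(data) < RIP_HEADER.size or (len(data) - RIP_HEADER.size) % ENTRY_LEN:
        raise ValueError("RIP packet is not a header plus whole 20-byte entries")
    command, version, _ = RIP_HEADER.unpack_from(data, 0)
    pkt = RipPacket(COMMANDS.get(command, f"command {command}"), version, None)
    for off in range(RIP_HEADER.size, len(data), ENTRY_LEN):
        entry = data[off:off + ENTRY_LEN]
        afi, tag_or_type = struct.unpack("!HH", entry[:4])
        if afi == AFI_AUTH:
            if tag_or_type in (AUTH_SIMPLE, AUTH_KEYED_MD5):
                pkt.auth_type = tag_or_type   # leading authentication entry
            continue                          # type 1 is the digest trailer
        if afi != AFI_INET:
            continue
        metric = struct.unpack("!I", entry[16:20])[0]
        if version == 1:
            pkt.routes.append(RipRoute(_dotted(entry[4:8]), "n/a", "0.0.0.0", metric))
        else:
            pkt.routes.append(RipRoute(_dotted(entry[4:8]), _dotted(entry[8:12]),
                                       _dotted(entry[12:16]), metric))
    return pkt

# --- constructed sample packets (not taken from the course's .cap files) ---

def ripv1_route(addr: str, metric: int) -> bytes:
    return struct.pack("!HH", AFI_INET, 0) + _packed(addr) + bytes(8) + struct.pack("!I", metric)

def ripv2_route(addr: str, mask: str, metric: int, next_hop: str = "0.0.0.0") -> bytes:
    return (struct.pack("!HH", AFI_INET, 0) + _packed(addr) + _packed(mask)
            + _packed(next_hop) + struct.pack("!I", metric))

def md5_auth_header(packet_len: int, key_id: int = 1, seq: int = 1) -> bytes:
    # RFC 2082 layout: AFI 0xFFFF, type 3, packet length (up to the trailer),
    # key ID, authentication data length (16), sequence number, 8 reserved bytes.
    return struct.pack("!HHHBBI", AFI_AUTH, AUTH_KEYED_MD5, packet_len, key_id, 16, seq) + bytes(8)

# RIPv1 response such as LEFT would send for its 172.16.0.0 network.
SAMPLE_RIPV1 = RIP_HEADER.pack(2, 1, 0) + ripv1_route("172.16.0.0", 1)

# RIPv2 response with keyed-MD5 authentication, as CENTER would send for
# 172.17.0.0/16 and 192.168.20.0/24. The 16 digest bytes are a placeholder;
# no key is used here, so no real MD5 is computed.
SAMPLE_RIPV2 = (RIP_HEADER.pack(2, 2, 0)
                + md5_auth_header(RIP_HEADER.size + 3 * ENTRY_LEN)
                + ripv2_route("172.17.0.0", "255.255.0.0", 1)
                + ripv2_route("192.168.20.0", "255.255.255.0", 1)
                + struct.pack("!HH", AFI_AUTH, AUTH_TRAILER) + bytes(16))

if __name__ == "__main__":
    for pkt in (parse_rip(SAMPLE_RIPV1), parse_rip(SAMPLE_RIPV2)):
        print(f"RIPv{pkt.version} {pkt.command}, auth type {pkt.auth_type}:")
        for r in pkt.routes:
            print(f"  {r.address} mask {r.mask} via {r.next_hop} metric {r.metric}")
```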


Topic 3C
Removing Protocols and Services
The fundamental concept of hardening the router is no different than hardening Linux or Windows. You must remove all of the protocols and services that are unused. You must configure the required protocols and services so that they are secured for access. In this topic, you will look at removing many of the protocols and services that are often not used on a router and continue to harden the device.

CDP
The Cisco Discovery Protocol (CDP) is a protocol used by Cisco routers to exchange information, such as platform information and status, with each other. In general, CDP can be a useful thing to use when troubleshooting in a simple environment. Unfortunately, like most things that can make our lives as administrators a little easier, CDP can make an attacker's job a little easier because it gives out important information such as the IOS version that the router is running. And, of course, knowing what IOS version is running makes an attacker's job much easier since he or she will have a much better idea of what exploits will work against such a target. In the following configuration fragment, you can see that turning off CDP for the entire router is not a complex set of commands; only two commands are required:

Router#config terminal
Router(config)#no cdp run
Router(config)#^Z
Router#

However, it may be desirable to stop CDP only on those interfaces that are not connected directly to another router. Perhaps there is only a direct link between two serial interfaces, and you want to allow CDP to run there, but not on the internal Ethernet network. In the following configuration fragment, CDP is disabled just for the Ethernet interface. Note that the only addition is the defining of the interface, and the command is no cdp enable, instead of no cdp run:

Router#config terminal
Router(config)#interface Ethernet 0
Router(config-if)#no cdp enable
Router(config-if)#^Z
Router#


TASK 3C-1
Turning Off CDP
1. Create the configuration fragment that you would use for turning off CDP on Ethernet 0, Ethernet 1, and Serial 1.

Router#config terminal
Router(config)#interface Ethernet 0
Router(config-if)#no cdp enable
Router(config-if)#interface Ethernet 1
Router(config-if)#no cdp enable
Router(config-if)#interface Serial 1
Router(config-if)#no cdp enable
Router(config-if)#^Z
Router#

ICMP
ICMP provides, among other functions, the ability to use the often-required ping and traceroute commands. However, ICMP has become one of the most misused of all protocols. DoS and DDoS attacks use ICMP, and more and more attacks take advantage of this function of the network. In this section, only a few examples of hardening ICMP are discussed.

ICMP Directed Broadcast


Smurf is an attack that takes advantage of ICMP. Specifically, what Smurf does is to get many machines to flood a single host with ICMP packets, effectively shutting down that host. The way this attack works is to ping an entire network, using a spoofed IP address. When every host of the network responds to the IP address, that machine has been attacked. This can easily lead to hundreds of machines responding to a host simultaneously. The following configuration fragment shows the disabling of ICMP directed broadcasts on the Serial 1, Serial 0, and Ethernet 0 interfaces. To protect fully against this attack, you should turn off broadcasts like this on all interfaces.

Router#config terminal
Router(config)#interface Ethernet 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#interface Serial 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#interface Serial 1
Router(config-if)#no ip directed-broadcast
Router(config-if)#^Z
Router#

traceroute: An operation of sending trace packets for determining information; traces the route of UDP packets from the local host to a remote host. Normally traceroute displays the time and location of the route taken to reach its destination.

ICMP Unreachable
Another very common attack is for a potential intruder to scan your system(s) looking for services that are open and that can be exploited. It is common to use ICMP to perform these scans of systems. If you remove the ICMP Unreachable message, be aware that your system will no longer send the unreachable messages that are legitimately needed, for example by your internal users during time-outs. The following configuration fragment shows the disabling of ICMP Unreachable messages on the Serial 0 interface. To remove ICMP Unreachable messages on the entire router, this command needs to be entered for each interface.

Router#config terminal
Router(config)#interface Serial 0
Router(config-if)#no ip unreachables
Router(config-if)#^Z
Router#

TASK 3C-2
Hardening ICMP
1. Create the configuration fragment that you would use to disable ICMP Directed Broadcasts and ICMP Unreachable messages on the entire router, which has the Ethernet 0, Serial 0, and Serial 1 interfaces.

Router#config terminal
Router(config)#interface Ethernet 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#no ip unreachables
Router(config-if)#interface Serial 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#no ip unreachables
Router(config-if)#interface Serial 1
Router(config-if)#no ip directed-broadcast
Router(config-if)#no ip unreachables
Router(config-if)#^Z
Router#

Source Routing
A feature that was added to routers to increase the control administrators had over the network was source routing. This feature has become a vulnerability that attackers now use. Source routing is used to allow a packet to dictate the path it should take through a routed network. This packet does not follow the routing tables as designated by the routing protocols. Doing so may allow an attacker to bypass critical systems, such as a firewall or an IDS. In most situations, there is no need for source routing to be allowed on any router. The configuration fragment that follows shows the disabling of the source routing service:

Router#config terminal
Router(config)#no ip source-route
Router(config)#^Z
Router#


Small Services
TCP and UDP small services are enabled on some routers by default (generally IOS 11.3 and previous versions). Small services are not often used anymore and include echo, discard, daytime, and chargen. On most routers, be sure to disable these services. The configuration fragment that follows shows the disabling of small services for both TCP and UDP:

Router#config terminal
Router(config)#no service tcp-small-servers
Router(config)#no service udp-small-servers
Router(config)#^Z
Router#

Small services are also known as small servers.

Finger
Finger is another older service that is rarely used in modern networks. The Finger service is used to find information about users who are logged into a router. On older versions of the IOS (11.2 and older), Finger is disabled by using the no service finger command. On newer versions of the IOS (11.3 and newer), Finger is disabled by using the no ip finger command. In the following code, the first configuration fragment shows the removal of the Finger service from an older router, and the second fragment shows the removal of the Finger service from a newer router:

Router#config terminal
Router(config)#no service finger
Router(config)#^Z
Router#

Router#config terminal
Router(config)#no ip finger
Router(config)#^Z
Router#


Remaining Services
As a security professional, you know that hardening a piece of equipment means disabling or removing all of the services and protocols that you are not using. In this section, you will see several other services that you should consider disabling for your router. In consideration of space, every service and protocol cannot be listed in this section; only several of the significant services can be highlighted.

The BootP service is used to remotely boot computers via the network. This service can be disabled by using the no ip bootp server command.

The DNS function is enabled on Cisco routers, but there is no defined name server. The net result is broadcasting for all DNS requests. To disable this function, use the no ip name-server command.

The Network Time Protocol (NTP) is used for time synchronization on the network. This service can be disabled by using no ntp server. If you want to disable this protocol for only a single interface, use ntp disable when you are in Interface Mode.

The Simple Network Management Protocol (SNMP) is used to communicate between network devices. SNMP left as-is on routers can provide information about the router to attackers. Disable SNMP by using no snmp-server.

HTTP is used on some routers to allow for remote access and management. Unless specifically required in your organization, this should be disabled. To disable HTTP, use no ip http server.

When NTP is used in conjunction with syslog services, thereby keeping accurate timestamps on log entries, it can be useful for forensic purposes.

The configuration fragment that will disable all of the above services will look like this:

Router#config terminal
Router(config)#no ip bootp server
Router(config)#no ip name-server
Router(config)#no ntp server
Router(config)#no snmp-server
Router(config)#no ip http server
Router(config)#^Z
Router#


TASK 3C-3
Removing Unneeded Services
1. Create the configuration fragment that you would use to remove the following services from the whole IOS v12.x router: CDP, ICMP Directed Broadcasts, Small Servers, Source Routing, and Finger. For this exercise, you can assume that the interfaces are named E0, S0, and S1.

Router#config terminal
Router(config)#no cdp run
Router(config)#interface Ethernet 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#interface Serial 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#interface Serial 1
Router(config-if)#no ip directed-broadcast
Router(config-if)#^Z
Router#
Router#config terminal
Router(config)#no service tcp-small-servers
Router(config)#no service udp-small-servers
Router(config)#no ip source-route
Router(config)#no ip finger
Router(config)#^Z
Router#
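As an added example (not one of the course's configuration fragments), this Python script checks a configuration fragment for the global and per-interface hardening commands this topic prescribes and reports what is missing. Because show running-config omits settings that are at their default, run it against the fragment you intend to enter rather than treating an absent line in displayed output as a gap; the sample configuration below is constructed.

```python
import re
from typing import Dict, List, Tuple

# Global commands this topic tells you to enter on an IOS 12.x router.
# 'no ntp server' and 'no ip name-server' are left out: whether NTP and DNS
# stay enabled depends on whether the router uses them (NTP with syslog is
# useful for forensics, as noted above).
REQUIRED_GLOBAL = [
    "no cdp run",
    "no ip source-route",
    "no service tcp-small-servers",
    "no service udp-small-servers",
    "no ip finger",
    "no ip http server",
    "no ip bootp server",
]

# Per-interface commands from the ICMP section.
REQUIRED_PER_INTERFACE = [
    "no ip directed-broadcast",
    "no ip unreachables",
]

# Constructed configuration fragment (not one of the course's fragments):
# Ethernet0 is fully hardened, Serial0 lacks 'no ip unreachables', Serial1
# has nothing, and the global section lacks finger and bootp.
SAMPLE_CONFIG = """\
!
no service tcp-small-servers
no service udp-small-servers
no ip source-route
no ip http server
no cdp run
!
interface Ethernet0
 ip address 172.16.0.1 255.255.0.0
 no ip directed-broadcast
 no ip unreachables
!
interface Serial0
 ip address 192.168.20.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial1
 no ip address
 shutdown
!
"""

def split_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Separate global commands from per-interface blocks. In IOS output the
    sub-commands of an interface are indented by one space, and a '!' line
    or an unindented line ends the block."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            interfaces[current].append(line)
            continue
        m = re.match(r"^interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            interfaces.setdefault(current, [])
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces

def audit(text: str) -> Dict[str, List[str]]:
    """Report required hardening lines that are absent, keyed by 'global' or
    by interface name. A shut-down interface is still reported: the commands
    are harmless there and the interface may be brought up later."""
    global_lines, interfaces = split_config(text)
    missing: Dict[str, List[str]] = {}
    gaps = [c for c in REQUIRED_GLOBAL if c not in global_lines]
    if gaps:
        missing["global"] = gaps
    for name, lines in interfaces.items():
        gaps = [c for c in REQUIRED_PER_INTERFACE if c not in lines]
        if gaps:
            missing[name] = gaps
    return missing

if __name__ == "__main__":
    for scope, gaps in audit(SAMPLE_CONFIG).items():
        print(f"{scope}: missing {', '.join(gaps)}")
```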

AutoSecure
A newer security feature, built into the IOS starting with version 12.3(1), is called AutoSecure. AutoSecure is essentially a script designed to help you secure the router by following a set of questions versus coding line-by-line the services and interfaces you want to secure. AutoSecure can also address your passwords, ensuring that no simple words are used, prompt for the configuration of SSH, and can enable console logging, among other security issues. AutoSecure has its security features divided into two core groups (Cisco calls these groups Planes). These two groups are called the Management Plane and the Forwarding Plane.

The Management Plane


The Management Plane of the AutoSecure feature is where the majority of your services are addressed. Both the global services and the services that are unique to each interface are dealt with in this Plane. The following list details the services that are specific to each interface that can be disabled with AutoSecure:
ICMP (including redirects, unreachables, and mask replies)
Directed broadcasts
Maintenance Operations Protocol (MOP) services
Proxy-Arp


You know by now that there are many more security issues other than the ones addressed in the previous list. The following list details the services that are global to the whole router and can be disabled with AutoSecure:
BootP
CDP
Finger
HTTP Server
IdentD protocol
Network Time Protocol (NTP)
Packet Assembler and Disassembler (PAD)
Source Routing
Small Servers (both TCP and UDP)

The Forwarding Plane


In the context of this course, the only feature of the Forwarding Plane that will be discussed is Context-based Access Control (CBAC). If you are using this feature, AutoSecure will prompt you through the configurations. CBAC will be addressed later in this lesson.

Topic 3D
Creating Access Control Lists
Access Control Lists (ACLs) enable network administrators not only to control access from a security standpoint, but also to restrict bandwidth use on critical links. In this and the following topic, the discussion will be on IP access lists, but be aware that access lists can exist for other routed protocols, such as AppleTalk and IPX/SPX. An ACL is a packet filter that compares a packet with a given set of criteria. The ACL checks the packet and acts upon the packet as defined by the list.

Access Control Lists are divided into several main categories, and for this course, you will focus on three categories: Standard ACLs, Extended ACLs, and Context-based ACLs.

Standard ACLs are designed to look at the source address of a packet that has been received by the router. The result of the list is to either permit or deny the packet based on the subnet, host, or network address. A standard access list takes effect for the full IP protocol stack.

Extended ACLs are designed to look at both the source and destination packet addresses. Not limited to the source IP address, extended lists allow for checking of protocol, port number, and destination address. This additional flexibility is the reason that many administrators implement extended lists on their networks.

Context-based ACLs are designed to look at information from layer 3 all the way through layer 7. This becomes the Cisco IOS stateful firewall function inside the Cisco Router.

packet filter: Inspects each packet for user-defined content, such as an IP address, but does not track the state of sessions. This is one of the least secure types of firewall.


Access Control List Operation


The function of an access list is the same internally in the router, regardless of the type of list (standard, extended, and so on). An ACL can be designed to function for both inbound and outbound packets. When an ACL is checking inbound packets, the list is checked to see if the packet is allowed prior to the router checking to see if the packet has a destination in the routing table. When an ACL is checking outbound packets, the packet will first run through the router's table, looking for a match. If there is a route for the packet, then the ACL is applied to the outbound packet.

Figure 3-13: The Access Control List process. Figure 3-13 illustrates this outbound process. A packet is taken in via Interface E0. In this example, the packet is incoming on Interface Ethernet 0 and destined to be outgoing on Interface Ethernet 1. Because the list is used to determine whether or not the packet is to exit on interface Ethernet 1, this list can be determined to be an outgoing list.

The Access List Process


A critical point about access lists is that they operate in sequence, from the top down. In other words, the first statement of an access list is checked. If the packet does not match the rules of that statement, then the packet is sent to the next statement, and on and on, until there is a match. Once there is a match, the packet will follow that rule. In the event that there are two rules that can apply to the same packet, whichever rule the packet hits first is the one that it will follow. There will always be a match, since the end of every access list is an implicit deny, meaning that every list must have at least one permit statement or all packets will be denied! Figure 3-14 shows a graphical example of an access list statement process.


Figure 3-14: The list process of an ACL.

The Wildcard Mask


IP access lists use a value known as the wildcard mask to determine whether or not a packet matches a given statement in the list. The wildcard mask uses 1s and 0s to identify the defined IP address(es) for permission or denial. Wildcard masks are 32-bit values that look like traditional subnet masks, but they do not function in the same manner. A wildcard mask uses the 1s and 0s to match defined bits of an IP address. The rules of the bits of a wildcard mask are as follows:
If the wildcard mask bit is a 1, then do not check the corresponding bit of the IP address for a match.
If the wildcard mask bit is a 0, then do check the corresponding bit of the IP address for a match.

The chart in Figure 3-15 shows several examples of the wildcard mask checking options. Where there is a 0, the values are checked for a match, and where there is a 1, the value is not checked.


Figure 3-15: Examples of wildcard masks. As you can see from this chart, if there were a mask of 11111111, then none of the eight bits of the corresponding IP address would be checked. Likewise, if there were a wildcard mask of 00000000, then all eight bits of the corresponding IP address would be checked.

Wildcard Mask Examples


If an administrator wanted to have an access list statement match a single host in a network, the following wildcard mask could be used.

Item            Value
IP Address      10.15.10.187
Subnet Mask     255.255.255.0
Wildcard Mask   0.0.0.0

This tells the router to check every bit of the IP address, and if those bits are 10.15.10.187, then this access list statement applies to this host. If the goal is to have an access list statement match an entire network, the following wildcard mask could be used.

Item            Value
IP Network      10.15.10.0
Subnet Mask     255.255.255.0
Wildcard Mask   0.0.0.255

This tells the router to check only the first 24 bits of the IP address, and if the decimal value of those bits is 10.15.10, then this access list statement applies to any host on this network. If the goal is to block a specified subnet, the mask requires a bit more calculation, but still functions the same way. In the event that the administrator wants to have subnet 10.15.10.32 match an access list statement, the mask would be as follows.

Item                Value
IP Subnet Address   10.15.10.32
Subnet Mask         255.255.255.224
Wildcard Mask       0.0.0.31

This tells the router to check all but the last five bits of the fourth octet. If the checked bits equal 10.15.10.32, then the access list statement applies to any host on this subnet.

TASK 3D-1
Creating Wildcard Masks
1. If your goal is to block out a single host, such as 192.168.27.93, that uses 255.255.255.0 as the subnet mask, what wildcard mask would you use?
0.0.0.255
2. If your goal is to block out a subnet of 10.12.24.0 that uses 255.255.248.0 as the subnet mask, what wildcard mask would you use?
0.0.7.255
3. If your goal is to block out network 172.168.32.0 that uses 255.255.255.0 as the subnet mask, what wildcard mask would you use?
0.0.0.255
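The wildcard-mask arithmetic from this section and the task above, as an added Python example that is not part of the course: it derives the wildcard for a subnet mask, applies the bit-check rule to the three tables shown, and also exposes the common mistake of typing the subnet mask where the wildcard belongs.

```python
import ipaddress

def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))

def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """Wildcard mask that matches a whole subnet: the bitwise inverse of the
    subnet mask, so 0 bits are checked and 1 bits are ignored."""
    return to_dotted(~to_int(subnet_mask) & 0xFFFFFFFF)

def wildcard_matches(address: str, statement_addr: str, wildcard: str) -> bool:
    """The rule from the text: wherever the wildcard bit is 0, the packet bit
    must equal the statement bit; wherever it is 1, the bit is not checked."""
    checked = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) & checked) == (to_int(statement_addr) & checked)

def checked_bit_count(wildcard: str) -> int:
    """Number of the 32 address bits a statement with this wildcard compares."""
    return 32 - bin(to_int(wildcard)).count("1")

def bit_view(dotted: str) -> str:
    """Dotted value shown as four 8-bit groups, as in the Figure 3-15 chart."""
    return ".".join(f"{int(o):08b}" for o in dotted.split("."))

if __name__ == "__main__":
    # The three tables above: a host, a /24 network and the 10.15.10.32/27 subnet.
    for label, stmt, wild in (("host", "10.15.10.187", "0.0.0.0"),
                              ("network", "10.15.10.0", "0.0.0.255"),
                              ("subnet", "10.15.10.32", "0.0.0.31")):
        print(f"{label:8} {stmt:13} wildcard {wild:10} {bit_view(wild)} "
              f"checks {checked_bit_count(wild)} bits")
    # The answers from Task 3D-1 follow from inverting the subnet masks.
    for mask in ("255.255.255.0", "255.255.248.0"):
        print(f"subnet mask {mask} -> wildcard {wildcard_from_subnet_mask(mask)}")
    # Common mistake: typing the subnet mask where the wildcard belongs checks
    # only the last octet, so an unrelated address matches the statement.
    print(wildcard_matches("10.99.99.187", "10.15.10.187", "255.255.255.0"))  # True
```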

Topic 3E
Implementing Access Control Lists
In this topic, we will detail the implementation of and rule-creation for access lists. There will be examples of access lists and their syntax on a Cisco router. Examples will include both standard and extended IP access lists, the most common lists for networks connected to the Internet today.
Although you have the option of using standard or extended access lists, the extended lists are preferred because they provide more granularity when you are permitting and denying traffic.

Access Control Lists are implemented in two stages on Cisco routers. The first stage is to create the list, including all of its statements. The second stage is the implementation of the list on an interface of a router, defining whether the list is to filter packets as an inbound or outgoing list.

Standard Access Control List Command Syntax


To create a standard ACL, the following line shows the proper syntax. Items in italics are variables to be filled in.

Router(config)#access-list access-list-number {permit|deny} source [source-mask]


Where:
access-list is the actual command to create a list.
access-list-number is a value between 1 and 99 that is selected to create a standard ACL.
permit|deny is the value that defines whether the list will grant or block access.
source is the value that is the actual source address to match.
source-mask is the value that specifies the wildcard mask for the defined host.

Once the list has been created, the second stage is to apply the list to an interface. Before you do this, however, make sure that you have specified the interface that you want to be affected by the list. The syntax for list application is shown here. Again, items in italics are variables to be filled in.

Router(config-if)#ip access-group access-list-number {in|out}

Where:
ip access-group is the command to link (implement) a list to an interface.
access-list-number is the value assigned to the actual list to be implemented on this interface.
in|out is the value that defines whether the list will filter inbound or outbound packets.

Extended Access Control List Syntax


To create an extended ACL, the following line shows the proper syntax. Remember, items in italics are variables to be filled in.

Router(config)#access-list access-list-number {permit|deny} protocol source source-mask destination destination-mask [operator|operand]

Where:
access-list is the actual command to create a list.
access-list-number is a value between 100 and 199 that is selected to create an extended ACL.
permit|deny is the value that defines whether the list will grant or block access.
protocol is the value that defines what protocol to filter.
source is the value that defines the source IP address.
source-mask is the value that defines the wildcard mask for the source.
destination is the value that defines the destination IP address.
destination-mask is the value that defines the wildcard mask for the destination.
operator|operand is the value that defines the options for the list. Options include:
GT: Greater than
LT: Less than
EQ: Equal to
NEQ: Not Equal to

Once the list has been created, the second stage is to apply the list to an interface. The syntax for list application is shown. As before, items in italics are variables to be filled in.

Router(config-if)#ip access-group access-list-number {in|out}

Where:
ip access-group is the command to link (implement) a list to an interface.
access-list-number is the value assigned to the actual list to be implemented on this interface.
in|out is the value that defines whether the list will filter inbound or outbound packets.

Figure 3-16: A sample network for ACL implementation. Use Figure 3-16 with the network and host IP addresses defined to look at several examples of access lists. The same figure will be used for all examples, only with different lists, different goals, and different implementations. These examples will be using both standard and extended IP access lists.

Denial of a Specific Host


Our first example is the simple denial of a single host's traffic as it enters the router on Ethernet 0. This can be accomplished with a standard ACL, because the decision depends only on the source address.

140

Tactical Perimeter Defense

The configuration fragment for this example is:

Router#configure terminal
Router(config)#access-list 23 deny 192.168.10.7 0.0.0.0
Router(config)#access-list 23 permit 0.0.0.0 255.255.255.255
Router(config)#interface Ethernet 0
Router(config-if)#ip access-group 23 in
Router(config-if)#^Z
Router#

The third line permits all traffic not denied by the second line; without it, the implicit deny at the end of every ACL would block everything arriving on Ethernet 0. The keyword any can be used in place of 0.0.0.0 255.255.255.255, and host 192.168.10.7 in place of 192.168.10.7 0.0.0.0 (in a standard ACL, omitting the wildcard altogether also implies 0.0.0.0).

Denial of a Subnet
Our second example denies one host and one entire network access out to the Internet. This can also be accomplished with a standard ACL, since only the source address is examined. The configuration fragment for this example is:

Router#configure terminal
Router(config)#access-list 45 deny 192.168.10.7 0.0.0.0
Router(config)#access-list 45 deny 192.168.20.0 0.0.0.255
Router(config)#access-list 45 permit 0.0.0.0 255.255.255.255
Router(config)#interface Serial 0
Router(config-if)#ip access-group 45 out
Router(config-if)#^Z
Router#

The fourth line permits all traffic not denied by the second and third lines. Because the list is applied outbound on Serial 0, the Internet-facing interface, traffic between the two internal subnets is not affected.

Denial of a Network
Our third example denies an entire network from reaching another network. This can be accomplished with a standard ACL, but note how: a standard ACL matches on the source address only, so the "to which network" part of the rule comes entirely from where the list is applied. The configuration fragment for this example is:

Router#configure terminal
Router(config)#access-list 57 deny 192.168.20.0 0.0.0.255
Router(config)#access-list 57 deny 192.168.10.0 0.0.0.255
Router(config)#access-list 57 permit 0.0.0.0 255.255.255.255
Router(config)#interface Ethernet 0
Router(config-if)#ip access-group 57 out
Router(config-if)#interface Ethernet 1
Router(config-if)#ip access-group 57 out
Router(config-if)#^Z
Router#

Applied outbound on both Ethernet interfaces, list 57 stops traffic sourced from either internal subnet from being delivered onto the other, while traffic returning from the Internet (which carries external source addresses) still passes. The same list number can be applied to more than one interface.

Granting Telnet from One Specific Host


Our fourth example limits Telnet to the Internet to two specific hosts and denies it to the rest of the 192.168.0.0/16 address space, while leaving all other traffic alone. This requires an extended ACL, because the decision depends on the destination port. The configuration fragment for this example is:

Router#configure terminal
Router(config)#access-list 123 permit tcp 192.168.20.16 0.0.0.0 0.0.0.0 255.255.255.255 eq 23
Router(config)#access-list 123 permit tcp 192.168.10.7 0.0.0.0 0.0.0.0 255.255.255.255 eq 23
Router(config)#access-list 123 deny tcp 192.168.0.0 0.0.255.255 0.0.0.0 255.255.255.255 eq 23
Router(config)#access-list 123 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Router(config)#interface Serial 0
Router(config-if)#ip access-group 123 out
Router(config-if)#^Z
Router#

For the fifth line, permit ip any any could be used to shorten the syntax, and host 192.168.20.16 could replace 192.168.20.16 0.0.0.0 in the second. Order matters: the two permit entries must come before the deny, because the first matching entry decides the fate of the packet.


Granting FTP to a Subnet


Our fifth example grants one subnet the ability to FTP to the Internet while denying the other subnet. Again, an extended ACL is needed to test port numbers. The configuration fragment for this example is:

Router#configure terminal
Router(config)#access-list 145 permit tcp 192.168.20.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 20
Router(config)#access-list 145 permit tcp 192.168.20.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 21
Router(config)#access-list 145 deny tcp 192.168.10.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 20
Router(config)#access-list 145 deny tcp 192.168.10.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 21
Router(config)#access-list 145 permit ip any any
Router(config)#interface Serial 0
Router(config-if)#ip access-group 145 out
Router(config-if)#^Z
Router#

One caveat that a stateless filter like this cannot hide: only the control connection (TCP port 21) is initiated by the client to a fixed port. In active-mode FTP the server opens the data connection from its port 20 back to the client, and in passive mode the client connects to a server-chosen high port, so the entries for destination port 20 do not actually govern the data transfers. Stateful inspection (such as CBAC, discussed later in this lesson) is required to handle the FTP data channel properly.

Defending Against Attacks with ACLs


ACLs can be used for much more than simply granting or denying access to a service. They can also guard against known attacks, such as SYN floods and the denial-of-service tools described below, because many tools use fixed, identifiable protocols and port numbers. Keep in mind that an ACL only sees packet headers: it can block a known pattern, but an attacker who changes the ports defeats it.

Anti-DoS ACLs
These ACLs work by recognizing the protocol and port selection of the DoS tool. It is possible that legitimate applications have chosen the same high port values, so check for this before blocking them. In order to prevent hosts inside the network from participating in a DoS on an Internet host, you should consider placing these entries on all interfaces, in both directions. At a minimum, place them inbound on the interfaces connected to the Internet. In the configuration fragment that follows, the first section (ports 27665, 31335, 27444) blocks the default control ports of the TRINOO DDoS tool, and the second section (ports 6776, 6669, 2222, 7000) blocks the default ports of the SubSeven backdoor.

Router(config)#access-list 160 deny tcp any any eq 27665
Router(config)#access-list 160 deny udp any any eq 31335
Router(config)#access-list 160 deny udp any any eq 27444
Router(config)#access-list 160 deny tcp any any eq 6776
Router(config)#access-list 160 deny tcp any any eq 6669
Router(config)#access-list 160 deny tcp any any eq 2222
Router(config)#access-list 160 deny tcp any any eq 7000

As shown, list 160 consists only of deny entries. Remember the implicit deny at the end of every ACL: before this list is applied to an interface it needs a final permit (for example, access-list 160 permit ip any any), or it will block all traffic.

Anti-SYN ACLs
In a TCP SYN flood, the attacker sends the target a stream of connection requests (SYN segments), often from spoofed addresses, so that the target's connection table fills and legitimate connections to it cannot be made. To block this with an ACL, the list must allow TCP connections created by hosts inside the network to return, while disallowing connections initiated from outside (for example, from the Internet).

In this first configuration fragment, return traffic for sessions established internally is allowed in, and incoming connection attempts cannot create new sessions.

Router#configure terminal
Router(config)#access-list 170 permit tcp any 192.168.20.0 0.0.0.255 established
Router(config)#access-list 170 deny ip any any
Router(config)#interface Serial 0
Router(config-if)#ip access-group 170 in
Router(config-if)#^Z
Router#

The established keyword matches TCP segments with the ACK or RST bit set, so an initial SYN (which carries neither) fails the first entry and is dropped by the second. Two caveats apply. The test is stateless, so a packet with the ACK bit set passes whether or not a session exists. And deny ip any any also drops all inbound UDP and ICMP, including DNS replies, so permits for those are needed in practice. This approach is only workable when no internal host must accept connections from outside; where servers must be reachable, the IOS TCP Intercept feature (ip tcp intercept) is designed to defend them against SYN floods.

Anti-Land ACLs
Another type of attack that has been around for some time is the Land attack. It is simple in design, but it can cause serious trouble for unprotected systems. The attack sends a packet whose source IP address and port are identical to its destination IP address and port. So, a packet would be sent from 10.10.10.10:5700 to 10.10.10.10:5700, causing a significant slowdown or DoS of the target. The following configuration fragment shows the defense against a Land attack on host 10.20.30.50, which is the IP address of an external interface on the router:

Router#configure terminal
Router(config)#interface Serial 0
Router(config-if)#ip address 10.20.30.50 255.255.255.0
Router(config-if)#exit
Router(config)#access-list 110 deny ip host 10.20.30.50 host 10.20.30.50 log
Router(config)#access-list 110 permit ip any any
Router(config)#interface Serial 0
Router(config-if)#ip access-group 110 in
Router(config-if)#^Z
Router#

The log keyword records matches so that attempts are visible in the router's log. Note that an anti-spoofing list which denies packets arriving from outside with internal or router-owned source addresses also covers this case.

Anti-spoofing ACLs
Spoofing of packets has become more commonplace because of the number of tools that provide this function. You can use your router to combat this by not allowing packets to enter the network from outside if they claim to come from an internal IP address. When you create these lists, you want them to be complete. In other words, do not forget to block the broadcast addresses (to prevent attacks like the Smurf attack), the network addresses themselves, and private or reserved addresses. In the following configuration fragment, the internal network is 152.148.10.0/24, and you will see that quite a few lines are necessary to provide full spoof protection:

Router#configure terminal
Router(config)#access-list 130 deny ip 152.148.10.0 0.0.0.255 any
Router(config)#access-list 130 deny ip 127.0.0.0 0.255.255.255 any
Router(config)#access-list 130 deny ip 0.0.0.0 0.255.255.255 any
Router(config)#access-list 130 deny ip 10.0.0.0 0.255.255.255 any
Router(config)#access-list 130 deny ip 172.16.0.0 0.15.255.255 any
Router(config)#access-list 130 deny ip 192.168.0.0 0.0.255.255 any
Router(config)#access-list 130 deny ip host 255.255.255.255 any
Router(config)#access-list 130 permit ip any 152.148.10.0 0.0.0.255
Router(config)#interface Serial 0
Router(config-if)#ip access-group 130 in
Router(config-if)#^Z
Router#

Check the wildcard masks carefully: 0.15.255.255 is the wildcard for the whole 172.16.0.0/12 private block, and the 0.0.0.0 network must be written with wildcard 0.255.255.255, because 0.0.0.0 255.255.255.255 means any and would deny all inbound traffic. Because the final entry only permits traffic destined for 152.148.10.0/24, anything else arriving on Serial 0 falls to the implicit deny. Link-local (169.254.0.0/16) and multicast (224.0.0.0/4) source addresses are further candidates for the deny list. On routers that support it, unicast reverse-path forwarding (ip verify unicast reverse-path on the external interface) can provide the same kind of source-address check without a hand-maintained list.
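The following Python script is an added illustration, not part of this book or of Cisco IOS. It models Cisco wildcard matching, first-match evaluation and the implicit deny, parses extended access-list statements written exactly as in the fragments above, and runs constructed packets through copies of the anti-spoofing list (130) and the anti-SYN list (170). Use it to check a list before it touches a router: for instance, it shows that a source written as 0.0.0.0 255.255.255.255 matches every address (so an entry meant to catch source 0.0.0.0 needs wildcard 0.255.255.255), that 0.15.255.255 is the wildcard for the whole 172.16.0.0/12 block, and that a packet with the ACK bit set satisfies established whether or not a session exists. Only the subset of ACL syntax used in this lesson is implemented, and all addresses and packets are constructed for the example.

```python
"""Added example (not from the book): evaluate Cisco extended ACLs offline.
Models wildcard masking, first-match evaluation and the implicit deny for the
syntax used in this lesson: any/host/wildcard, 'eq <port>', 'established'."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a, p, w = (int(IPv4Address(x)) for x in (addr, pattern, wildcard))
    return (a & ~w) == (p & ~w)

@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every IP protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None   # from "eq <port>" after the destination
    established: bool = False        # tcp only: ACK or RST bit set

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None
    ack: bool = False
    rst: bool = False

def _addr_spec(tokens: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume 'any', 'host A' or 'A WILDCARD' at tokens[i]; return ((addr, wc), next_i)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_ace(line: str) -> Ace:
    """Parse one extended 'access-list N ...' statement exactly as typed into IOS."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]                                # drop 'access-list <number>'
    action, proto = t[0], t[1]
    (src, src_wc), i = _addr_spec(t, 2)
    (dst, dst_wc), i = _addr_spec(t, i)
    port, established = None, False
    while i < len(t):
        if t[i] == "eq":
            port, i = int(t[i + 1]), i + 2
        elif t[i] == "established":
            established, i = True, i + 1
        else:
            i += 1                               # log / log-input do not affect matching
    return Ace(action, proto, src, src_wc, dst, dst_wc, port, established)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and wildcard_match(pkt.src, ace.src, ace.src_wc)
            and wildcard_match(pkt.dst, ace.dst, ace.dst_wc)
            and (ace.dst_port is None or pkt.dst_port == ace.dst_port)
            and (not ace.established or pkt.ack or pkt.rst))

def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, int]:
    """First matching entry wins: return (action, 1-based entry number), or
    ('deny', 0) for the implicit deny that ends every Cisco ACL."""
    for n, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return ace.action, n
    return "deny", 0

def build_acl(text: str) -> List[Ace]:
    return [parse_ace(line) for line in text.strip().splitlines()]

# Constructed copies of the lesson's anti-spoofing list 130 and anti-SYN list 170.
SPOOF_ACL = build_acl("""
access-list 130 deny ip 152.148.10.0 0.0.0.255 any
access-list 130 deny ip 127.0.0.0 0.255.255.255 any
access-list 130 deny ip 0.0.0.0 0.255.255.255 any
access-list 130 deny ip 10.0.0.0 0.255.255.255 any
access-list 130 deny ip 172.16.0.0 0.15.255.255 any
access-list 130 deny ip 192.168.0.0 0.0.255.255 any
access-list 130 deny ip host 255.255.255.255 any
access-list 130 permit ip any 152.148.10.0 0.0.0.255
""")
SYN_ACL = build_acl("""
access-list 170 permit tcp any 192.168.20.0 0.0.0.255 established
access-list 170 deny ip any any
""")

if __name__ == "__main__":
    print(evaluate(SPOOF_ACL, Packet("tcp", "152.148.10.5", "198.51.100.7", 80)))  # ('deny', 1): spoofed internal source
    print(evaluate(SYN_ACL, Packet("tcp", "198.51.100.7", "192.168.20.9", 1025)))  # ('deny', 2): inbound SYN lacks ACK/RST
```

The entry number returned by evaluate is the number you would see in show access-lists, which makes it easy to confirm that a packet is being caught by the entry you intended rather than by a broader one earlier in the list.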

TASK 3E-1
Creating Access Control Lists
Setup: Use the network as diagrammed in Figure 3-16 for this task.

1. Create the configuration fragment that you would use to create an Access Control List to prevent a SYN attack coming from the Internet into the private networks.

Router#configure terminal
Router(config)#access-list 135 permit tcp any 192.168.20.0 0.0.0.255 established
Router(config)#access-list 135 permit tcp any 192.168.10.0 0.0.0.255 established
Router(config)#access-list 135 deny ip any any
Router(config)#interface Serial 0
Router(config-if)#ip access-group 135 in
Router(config-if)#^Z
Router#

Context-based Access Control


Although a detailed discussion of Cisco's Context-based Access Control is out of the scope of this book, this feature is quite valuable and worth some investigation. CBAC is part of the Cisco IOS Firewall Feature Set, and it provides powerful options if your router is going to play a significant part in your firewall system.


Cisco Context-based Access Control (CBAC) works by inspecting TCP, UDP and, in more recent revisions, ICMP traffic. CBAC looks inside the packet at the application-layer protocol it carries, and it keeps track of the state of your network traffic, creating dynamic (temporary) access list entries for the return traffic of permitted sessions. For example, assume you had an access control list that said no Telnet connections are to be accepted inbound from the Internet. With CBAC, you can allow an inbound Telnet segment if the router recognizes it as the return traffic of a session that was started by an authorized internal user. When packets enter the router, they are first processed by the access control lists on that interface. If a packet is denied, it does not move on to CBAC inspection; if it is allowed by the ACLs, it is then inspected by CBAC.

Since UDP communications do not establish a session, CBAC approximates one using an idle timeout (defined by the administrator), after which the temporary opening is closed.

Topic 3F
Logging Concepts
Although it does not get the credit or generate a high level of interest, logging on the router is a critical aspect of router hardening. Logs enable you to investigate attacks, find problems in the network, and analyze the network. When you configure the logging options on a router, just as with logging elsewhere in the network, you must walk a fine line between gathering too much and too little information. Log too much, and you will have a difficult time finding the single piece of critical information you need to make a decision or take an action. Log too little, and you do not have enough information to make an informed decision or take proper action. There are many logging applications and software products that can collect and record logs from all over the network and then page or text an administrator when significant events happen. In this section, you will look at just the options that the router itself can manage, without any major third-party applications.

Cisco Logging Options


On a Cisco router, the device can log information using several different methods:
Console Logging: Log messages are sent directly to the console port.
Terminal Logging: Log messages are sent to the VTY sessions.
Buffered Logging: Log messages are kept in RAM on the router. Once the buffer fills, the oldest messages are overwritten by newer messages.
Syslog Logging: Log messages are sent to an external syslog server, which stores and sorts them.
SNMP Logging: Log messages are sent, as SNMP traps, to an SNMP management station on the network.


Log Priority
The router has a built-in priority scheme for log messages. The levels range from 0 to 7; the lower the number, the more critical the message, so level 1 is more critical than level 6. When you select a level, that level and all levels with a lower number are delivered. For example, if you select level 3, you will be presented with messages from levels 3 down to 0; if you select level 7, you will be presented with everything. The following table lists the levels, along with their titles and descriptions.

Level  Title          Description
0      Emergencies    System is (or is becoming) unusable.
1      Alerts         Immediate action is needed.
2      Critical       A critical condition has occurred.
3      Errors         An error condition has occurred.
4      Warnings       A warning condition has occurred.
5      Notifications  Normal, but noteworthy event.
6      Informational  Informative message.
7      Debugging      Debugging message.

The following table lists an example event for each level of severity.

Level  Example
0      The IOS was unable to initialize.
1      The core router temperature is too high.
2      A problem in assigning memory occurred.
3      The memory size allocated is invalid.
4      A cryptography operation is unable to complete.
5      An interface changed state to up or down. (This is a very common event.)
6      A packet has been denied by an Access Control List.
7      No event triggers this level; debug messages appear only when a debug command is active.

An example of a log line as it appears on the router is:

%SYS-5-CONFIG_I: Configured from console by vty1 (172.16.10.1)

In this line, SYS is the facility that produced the message, 5 is the severity level (Notifications), and CONFIG_I is the mnemonic that identifies the message type. Following the colon is the message text itself. In this case, the router's configuration was changed via a VTY session from IP address 172.16.10.1.


Configuring Logging
In the following examples, you will see how to configure different forms of logging. Some will use the buffer, others the console. Viewing the configuration fragments through this section will enable you to determine which type of logging you will use in given situations. On a Cisco router, logging is enabled in Global Configuration Mode with the logging on command (it is on by default in most IOS releases, but stating it explicitly does no harm).

Timestamping
In order to analyze logs properly, you need to know what happened when, not just that something happened. The router can stamp each log message with the time the event occurred. The Cisco command to configure this is service timestamps log datetime (note the plural timestamps). Three options can be added to it. The msec option includes milliseconds in the log entry; this may or may not be required, based on your goals, and without it the event is recorded to the nearest second. The localtime option stamps the logs in the router's configured local time zone rather than UTC, so that they are easier for people to read and analyze; when forwarding to a syslog server that collects from many time zones, this option is often left off. The show-timezone option adds the time zone to the log message, which is useful when correlating log files from many locations and regions. Timestamps are only as good as the router's clock, so synchronize it with NTP (ntp server address) and set clock timezone as appropriate.

When you are configuring logging levels in IOS 11.3 and earlier versions, the command must include the name of the level, such as alerts. In IOS 12.0 and newer versions, you can use either the name of the level or the number of the level.

Console Logging
Console logging is perhaps the most straightforward of all the logging options on a Cisco router. The following configuration fragment sets console logging to level 5.

Router#configure terminal
Router(config)#logging on
Router(config)#logging console notifications
Router(config)#^Z
Router#

In this example, level 5 logging has been configured. This means that ACL log entries (level 6) will not be shown, nor will any debug messages. Had the goal been to see only those messages that are level 2 or more critical, the proper command would have been logging console critical. On a busy router, console logging can consume significant CPU, because each message is written synchronously to the console port; many production configurations use no logging console and rely on buffered or syslog logging instead.

Buffered Logging
Buffered logging requires you to define the memory size that will be used for the log. The general rule many follow is that if the router has less than 16 MB of RAM, the log buffer can be 16 kilobytes; if the router has more than 16 MB of RAM, the buffer can go as high as 32 or even 64 KB. On all logs, adding the time and date to the messages is recommended. With buffered logging it becomes required, because the router discards old messages and replaces them with new ones when the buffer fills, so the time of each entry is critical to making sense of what remains. The following configuration fragment sets buffered logging to level 2 with full timestamping.

Router#configure terminal
Router(config)#logging on
Router(config)#logging buffered 16000 critical
Router(config)#service timestamps log datetime msec localtime show-timezone
Router(config)#^Z
Router#

In this example, 16 KB (16000 bytes) of memory has been allocated. Messages are recorded in the buffer if they are level 2 (Critical) or more severe. Finally, full timestamping is used, including the local time and time zone options. The buffer is viewed with show logging and cleared with clear logging; it does not survive a reload.

Terminal Logging
Normally, no messages are sent to terminal (VTY) sessions, for bandwidth reasons and, in some situations, security reasons. Two steps are needed to see logs on a VTY session: the router must be configured to send them, and the session must ask to receive them with the terminal monitor command. The following configuration fragment sets level 5 logging to the VTY sessions.

Router#configure terminal
Router(config)#logging on
Router(config)#logging monitor 5
Router(config)#^Z
Router#terminal monitor
Router#

In this example, the terminal session will receive all messages of level 5 or more critical. This is the first example that uses the numeric value of the level instead of the name, an indicator that the router must be running at least IOS version 12.0. The logging monitor command tells the router to log messages to VTY sessions, but each VTY session must still enable display with terminal monitor, an exec-mode command that applies only to the current session. When the messages become too numerous or are no longer needed, terminal no monitor stops them for that session.

Syslog Logging
Cisco routers can send their log messages to a host running a syslog server. This is the recommended method of logging in a production environment. The router generates messages just as it normally does, but instead of only showing them on the console or holding them in memory, it forwards them to a server that stores them on disk. This allows long-term storage and analysis and removes the router's memory constraints and the need for real-time viewing. Most UNIX and Linux servers include a syslog daemon, and many syslog applications are available for Windows systems. Keep in mind that classic syslog is sent over UDP port 514 without authentication or encryption, so the syslog server should be reachable only from trusted networks and hardened like any other logging host; an attacker who can reach it can flood or forge entries.


To configure syslog logging on a Cisco router, there are four components:
The destination host: any host that can be identified by host name, DNS name, or IP address.
The syslog facility: the name used to file the messages on the syslog server. Although there are many facility names, routers normally use local0 through local7.
The severity level: the same Cisco severity levels as for the other logging destinations, set with logging trap.
The source interface: the router interface whose address appears as the source of the messages sent to the syslog server.

The following configuration fragment shows the setup of a router to use a syslog server.

Router#configure terminal
Router(config)#logging on
Router(config)#logging trap 5
Router(config)#logging host 10.20.30.45
Router(config)#logging facility local5
Router(config)#logging origin-id hostname
Router(config)#logging source-interface Ethernet 0
Router(config)#^Z
Router#

In this example, logging has been enabled and messages of level 5 or more critical are sent to the syslog server at 10.20.30.45. (Additional servers can be added with further logging host commands, for redundancy.) The facility on the syslog server is local5, the origin-id prefixes each message with the router's hostname (Router in this example), and the messages are sourced from Ethernet 0 on the router. Fixing the source interface (a loopback is a common choice) matters because the syslog server usually files messages by their source address.

TASK 3F-1
Configuring Buffered Logging
1. Create the configuration fragment you would use for buffered logging, using 32 kilobytes of memory. Include all timestamping options and log level 4 events. Assume that the router is running IOS version 12.2.

Router#configure terminal
Router(config)#logging on
Router(config)#logging buffered 32000 4
Router(config)#service timestamps log datetime msec localtime show-timezone
Router(config)#^Z
Router#

ACL Logging
The previous section on logging focused on system events, errors, and messages. Another important area is logging in relation to your Access Control Lists. When enabled, ACL log messages are generated at level 6 (Informational), so the logging destination must be set to level 6 or 7 to receive them.

Implementing ACL logging is very simple: add the keyword log or log-input to the end of the ACL statements of interest. Do not add it to all your ACL statements, however, or you will flood your logs with so much information that you will be virtually unable to identify anything useful. The log keyword records the list number, the action, the protocol, and the addresses and ports of the matching packet, and is available for extended ACLs and, on IOS 12.0 and newer, for standard ACLs as well. The log-input keyword adds the receiving interface and the source MAC address, which is useful when the same ACL is applied to more than one interface. IOS logs the first matching packet immediately and then, by default, summarizes further matches in five-minute intervals, so the packet counts in the messages are cumulative.

Logging is one reason not to rely on the implicit deny all at the end of an ACL: a packet dropped by the implicit deny is not logged. If, however, you add the following line as your last statement in the ACL, dropped packets are logged: access-list 123 deny ip any any log.
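The following Python script is an added illustration, not part of this book or of Cisco IOS. It parses IOS log lines of the form %FACILITY-SEVERITY-MNEMONIC: text (the format of the %SYS-5-CONFIG_I example earlier in this topic), applies the delivery rule that a configured level such as logging trap 5 means "this level and all lower numbers", and totals the denials reported by %SEC-6-IPACCESSLOGP messages, which are the messages the log and log-input keywords produce for TCP and UDP. The log lines are constructed for the example; the interface and MAC fields appear only where log-input was used, and the packet counts reflect the IOS behaviour of logging the first match and then summarizing further matches. Running the summary at level 5 returns nothing, which is the practical consequence of ACL logging living at level 6.

```python
"""Added example (not from the book): parse Cisco IOS log lines, apply the
'logging <dest> <level>' delivery rule, and total the ACL denials reported by
%SEC-6-IPACCESSLOGP messages. All log lines below are constructed."""
import re
from typing import Dict, Optional, Tuple, Union

SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
LEVEL_BY_NAME = {name: level for level, name in SEVERITY_NAMES.items()}

MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")

# e.g. 'list 123 denied tcp 203.0.113.9(40512) (Serial0 0000.0c12.3456) -> 172.16.4.10(23), 1 packet'
# The '(interface mac)' group is present only when the ACL entry used log-input.
ACL_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<iface>[^ )]+) (?P<mac>[0-9a-fA-F.]+)\))?"
    r" -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<dport>\d+)\))?"
    r", (?P<count>\d+) packets?")

def parse_message(line: str) -> Optional[dict]:
    """Split out facility, numeric severity, mnemonic and text; None if not an IOS message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    msg = m.groupdict()
    msg["severity"] = int(msg["severity"])
    return msg

def passes_level(severity: int, configured: Union[int, str]) -> bool:
    """'logging trap 5' and 'logging trap notifications' mean the same thing on IOS 12.0+."""
    limit = configured if isinstance(configured, int) else LEVEL_BY_NAME[configured.lower()]
    return severity <= limit

def parse_acl_log(text: str) -> Optional[dict]:
    m = ACL_RE.search(text)
    if not m:
        return None
    hit = m.groupdict()
    hit["count"] = int(hit["count"])
    for key in ("sport", "dport"):
        hit[key] = int(hit[key]) if hit[key] is not None else None
    return hit

def summarize_denies(lines, configured_level) -> Dict[Tuple[str, str, str, Optional[int]], int]:
    """Total denied packets per (acl, source, destination, destination port), counting
    only messages that the configured logging level would actually have delivered."""
    totals: Dict[Tuple[str, str, str, Optional[int]], int] = {}
    for line in lines:
        msg = parse_message(line)
        if msg is None or not passes_level(msg["severity"], configured_level):
            continue
        if msg["mnemonic"] != "IPACCESSLOGP":
            continue
        hit = parse_acl_log(msg["text"])
        if hit is None or hit["action"] != "denied":
            continue
        key = (hit["acl"], hit["src"], hit["dst"], hit["dport"])
        totals[key] = totals.get(key, 0) + hit["count"]
    return totals

# Constructed sample log, timestamped as 'service timestamps log datetime msec show-timezone' would.
SAMPLE_LOG = [
    "*Mar  1 00:12:01.234 UTC: %SYS-5-CONFIG_I: Configured from console by vty1 (172.16.10.1)",
    "*Mar  1 00:12:05.001 UTC: %SEC-6-IPACCESSLOGP: list 123 denied tcp 203.0.113.9(40512) (Serial0 0000.0c12.3456) -> 172.16.4.10(23), 1 packet",
    "*Mar  1 00:12:11.000 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to down",
    "*Mar  1 00:17:05.001 UTC: %SEC-6-IPACCESSLOGP: list 123 denied tcp 203.0.113.9(40513) (Serial0 0000.0c12.3456) -> 172.16.4.10(23), 4 packets",
    "*Mar  1 00:17:09.550 UTC: %SEC-6-IPACCESSLOGP: list 160 denied udp 198.51.100.20(31335) -> 152.148.10.7(31335), 1 packet",
]

if __name__ == "__main__":
    for key, packets in summarize_denies(SAMPLE_LOG, "informational").items():
        print(key, packets)
```

Feeding the same lines through summarize_denies with a configured level of 5 gives an empty result: nothing is wrong with the ACL entries, the messages were simply never delivered. The same check is worth running against a real syslog archive when an ACL you expected to see hits from stays silent.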

Anti-spoofing Logging
Earlier, you looked at the creation of anti-spoofing ACLs. In this section, you will see these ACLs used with the logging function to gather information for analysis. In these examples, assume that the internal network is 172.16.0.0/16. First, the configuration fragment of the lists themselves:

Router#configure terminal
Router(config)#access-list 123 deny ip 172.16.0.0 0.0.255.255 any log-input
Router(config)#access-list 123 permit ip any any
Router(config)#access-list 145 permit ip 172.16.0.0 0.0.255.255 any log-input
Router(config)#access-list 145 deny ip any any log-input
Router(config)#^Z
Router#

List 123 is the ingress filter: packets arriving from outside with an internal source address are dropped and logged, with the receiving interface and source MAC address recorded. List 145 is the egress filter: only packets with a genuine internal source address may leave, and anything else (a spoofed source originating inside your network) is dropped and logged. Note that log-input on the permit entry of list 145 logs every legitimate outbound packet; in practice, reserve it for the deny entries.

For the next example, assume that the router has one internal Ethernet interface (where the trusted network is located) and two external serial interfaces. The following configuration fragment applies the ACLs, first list 123 and then list 145, to their proper interfaces:

Router#configure terminal
Router(config)#interface Serial 0
Router(config-if)#ip access-group 123 in
Router(config-if)#exit
Router(config)#interface Serial 1
Router(config-if)#ip access-group 123 in
Router(config-if)#exit
Router(config)#interface Serial 0
Router(config-if)#ip access-group 145 out
Router(config-if)#^Z
Router#

For complete egress filtering, list 145 should be applied outbound on Serial 1 as well.

VTY Logging
Earlier in this lesson, VTY sessions were identified as a primary method of gaining access to the router. In larger organizations these sessions may come under frequent attack, so you will want to know who is and who is not successful at gaining access via VTY sessions. Again, logging is the answer to that need.


In this example, again assume the internal network is 172.16.0.0/16 and that there is only one trusted host with authorized VTY access, 172.16.23.45. With those variables defined, the following configuration fragment creates the list that will log VTY access attempts:

Router#configure terminal
Router(config)#access-list 155 permit ip host 172.16.23.45 any log-input
Router(config)#access-list 155 deny ip any any log-input
Router(config)#^Z
Router#

Because list 155 is an extended ACL, each entry needs a protocol keyword (ip here). Once you have created the list, you need to apply it. Lists are applied to VTY lines with access-class rather than ip access-group, as shown in the following fragment, which applies the list to VTY sessions 0 through 4:

Router#configure terminal
Router(config)#line vty 0 4
Router(config-line)#access-class 155 in
Router(config-line)#^Z
Router#

TASK 3F-2
Configuring Anti-spoofing Logging
1. Create a logged ACL that is used for anti-spoofing, using the following information: The router has interfaces Ethernet0, Serial0, and Serial1. Ethernet0 is connected to the only trusted network, which has the IP address 192.168.45.0/24. For this exercise, and in the interest of time, only create anti-spoofing for the defined network. If you want to expand this to include all private and reserved networks, you can do so, but it is not required.

Router#configure terminal
Router(config)#access-list 160 deny ip 192.168.45.0 0.0.0.255 any log-input
Router(config)#access-list 160 permit ip any any
Router(config)#access-list 170 permit ip 192.168.45.0 0.0.0.255 any log-input
Router(config)#access-list 170 deny ip any any log-input
Router(config)#interface Serial 0
Router(config-if)#ip access-group 160 in
Router(config-if)#ip access-group 170 out
Router(config-if)#exit
Router(config)#interface Serial 1
Router(config-if)#ip access-group 160 in
Router(config-if)#ip access-group 170 out
Router(config-if)#^Z
Router#

Note the wildcard: a /24 network uses 0.0.0.255. The wildcard 0.255.255.255 would match the whole 192.0.0.0/8 block. List 160 is the ingress filter and list 170 the egress filter, and both external interfaces need both lists for the protection to be complete.


Summary
In this lesson, you examined the fundamentals of router security and the principles of routing. You created the configurations that are required to harden a Cisco router and configured the removal of services and protocols. You examined the wildcard mask and how it relates to the Cisco ACL. You created the configurations for ACLs to defend the network against attacks. Finally, you examined the process of logging on a Cisco router and configured buffered and anti-spoofing logging.

Lesson Review
3A What is authentication?
Authentication is the process of verifying the identity a user claims; on that basis access is generally granted or denied.

What is authorization?
Authorization is the process of defining what an authenticated user can do, or is authorized to do.

What is AAA?
Authentication, Authorization, and Accounting.

What are the methods of access to a Cisco router?
Console port
Auxiliary port
VTY sessions
HTTP
TFTP
SNMP

3B List some of the advantages of using static routing.
Responses might include:
Precise control over the routes that data will take across the network.
Easy to configure in small networks.
Reduced bandwidth use, because no routing-protocol traffic is exchanged.
Reduced load on the routers, because no complex routing calculations are needed.

What is a security advantage to using RIPv2 over RIPv1?
RIPv2 supports authentication of routing updates, enabling the routers to identify who is and who is not able to update routing information.


3C What is a security reason for disabling CDP?
CDP might be broadcasting information about the router that is not intended to be public knowledge.

What is an attack that you can defend against by disabling ICMP directed broadcasts?
Smurf.

3D What type of Access Control List allows for the checking of port numbers?
Extended ACLs allow for port checking.

When a packet enters the router, what is the first thing the router will check regarding that packet?
Is there a route for this packet? If yes, send it to the ACLs if there are any; if no, discard the packet (and respond to the sender if need be).

3E What is the syntax for a standard Access Control List?
Router(config)#access-list access-list-number {permit|deny} source [source-mask]

What is the syntax for an extended Access Control List?
Router(config)#access-list access-list-number {permit|deny} protocol source source-mask destination destination-mask [operator operand]

What is the syntax for implementation of a standard Access Control List?
Router(config-if)#ip access-group access-list-number {in|out}

3F When a configuration change is made to the router, such as an interface being brought down, what level of message will this generate?
Level 5.

What is the command for an access list to be implemented on the VTY sessions?
Router(config-line)#access-class access-list-number in


LESSON 4
Designing Firewalls

Overview
In this lesson, you will be introduced to the concepts and technologies used in designing firewall systems. You will identify the methods of implementing firewalls in different scenarios, using different technologies. The strategies and concepts in this lesson are important in understanding later lessons.

Data Files: none
Lesson Time: 2 hours

Objectives
To identify the design and implementation issues of firewall systems, you will:
4A Examine the principles of firewall design and implementation. Given a firewall system, you will identify and describe methodologies of firewall function and implementation.
4B Create a firewall policy based on provided statements. Given the answers to questions regarding the firewall, you will create a firewall policy statement.
4C Create a rule set to be used with a packet filter. Given a network scenario, you will create a rule set for a packet filtering firewall.
4D Describe the function of a proxy server. Given a network scenario, you will describe the process of internal clients using a proxy server to access Internet web pages.
4E Describe how a bastion host is included in the security of a network. Given a network scenario, you will describe how the creation of a bastion host functions in the security of the network.
4F Describe the function of a honeypot in a network environment. Given a network running Windows 2003, describe the function of an effective honeypot in the security of the network.


Topic 4A
Firewall Components
The concept of network security today is a varied and challenging topic to discuss. There are many different areas of the network architecture to be concerned with, ranging from messaging systems to databases, from file and print solutions to remote network access. In between these areas of our network, we find things such as access control solutions, user control policies (group policies in a Windows environment), and a host of settings, functionality and options that serve to confuse and confound the average user of a computer in a domain-based network today. It was not that long ago that security and the protection of network-based assets was clearly the domain of the network engineer, that person who was technically savvy, highly skilled, and often hard to talk to and understand if you were not also a network engineer. The challenges faced by these network engineers (access control, asset protection, and risk mitigation) have not changed at all, and yet the technology used to address these issues has undergone startling transformations in both complexity and capability. One need only look at the advances in the area of the firewall to see how this transformation has had a direct, undeniable, and profound impact both on network security and on users' perceptions of that security and of the people who provide it. The following image is an example of a simple firewall.

Figure 4-1: An example of a single firewall. The firewall itself is positioned logically between the internal network (the LAN) and the external network (the WAN). It sits there performing its job, denying and granting access based on rules that the network or security administrator has created and assigned to the device.


Tactical Perimeter Defense

Over the last few years, providing this option to simply grant or deny access has typically been enough to provide a basic level of security and protection to most, if not all, of our networks. The challenge that has been steadily rising is that the attackers and the enemies of the networks protected by firewalls have not been content to sit back and quit trying to figure out how to break the security the firewalls afford. As a result, the addition of new features and options for the firewall has become a very important part of the continuing evolution of network security overall, and of the ability to protect our networks from unauthorized and unwanted network access and traffic in particular. In addition to denying and granting access, a firewall may now offer one or more of the following services:

- Network Address Translation (NAT): NAT translates internal private IP addresses to external, publicly routable IP addresses, so internal hosts are not directly addressable from the Internet.
- Data caching: the device stores data that is accessed often by network clients, so that repeated requests can be served locally.
- Content restriction: available in many newer systems, this allows the administrator to control Internet access based on keyword or URL restrictions.

Firewall Methodologies
Firewalls have two general methods of implementing security within a network. Although there are variations of these two, most modifications still boil down to one or the other. They are:

- Packet filtering
- Proxy servers (application gateways)

Packet filtering was the first type of firewall used by many organizations to protect their networks. The general method of implementing a packet filter was to use a router. These routers had the ability to either permit or deny packets, based on simple rules the administrator would create. Even though these firewalls could perform this type of filtering, they were limited by the fact that they were designed to look at the header information of the packet only. An example of this drawback is that a filter could block FTP access entirely, but could not block only the PUT command within an FTP session, because the command lives in the application data, not in the headers.

The addition of proxy server (also known as application gateway) capabilities to firewalls created a much more solid security product than a pure packet filter could provide on its own. Proxy software can make decisions based on more than the header of a packet. Proxy servers intercept network traffic destined for a given application. The proxy recognizes the request and, on behalf of the client, makes the request to the server. The internal client never makes a direct connection to the external server. Instead, the proxy functions as a man-in-the-middle and speaks to both client and server, relaying their messages back and forth. The major advantage is that the proxy software can be instructed to permit or deny traffic based upon the actual data in the packet, not simply the header. In other words, the proxy understands the application protocol and responds accordingly, rather than just opening and closing a port in a given direction.

What a Firewall Cannot Do


So if a firewall can use packet filtering, proxy services, a combination of both, or custom filtering to create secure environments for our data, the logical question is: what can't a firewall do to protect the network? All too often a network/security administrator is told to go and buy a firewall to secure the network, and that is the extent of the conversation. No further discussion takes place that would allow the administrator to understand the reasons behind the need for a firewall, and what placing the firewall within the network topology is supposed to accomplish. Since the administrator is being asked to purchase a device that does a large number of things, some or all of which may not be relevant to the security issues in question, it helps to look briefly at what a firewall cannot do, so we can begin to understand what it can do. A few areas where a firewall will have difficulty securing the network are:

- Viruses: Some firewalls can detect virus traffic, but attackers can package a virus in so many forms, and firewalls are not designed as anti-virus systems, that this is not a primary function of a firewall. Your firewall may identify some virus traffic, but you should always run anti-virus software on the internal hosts as well.
- Employee misuse: A hard point, but a valid one. Employees often do things unknowingly. They may respond to forged email, or run programs that come from friends, assuming they are safe.
- Secondary connections: If employees have modems in their computers, or can use a wireless network connection, they may make their own connections to the Internet for personal reasons. Such connections bypass the firewall entirely for that client; if File and Print Sharing is turned on, the host is exposed over that connection even though the firewall itself is properly configured.
- Social engineering: If the network administrators gave out firewall information to someone claiming to call from your ISP, with no verification, there is a serious problem that no firewall configuration can fix.
- Poor architecture: Without a well thought out and vetted firewall design, it becomes very difficult, maybe even impossible, to configure the firewall properly so that the necessary security precautions are in place within the network at all times.

Implementation Options for Firewalls


There is no one correct standard for implementing a firewall within a network. The following concepts show several different possibilities for firewall implementations.



A Single Packet Filtering Device


As shown in the following figure, the network has been protected by a single device configured as a packet filter, permitting or denying access based on the contents of the packet headers.

Figure 4-2: An example of a single packet filtering device.

A Multi-homed Device
As shown in the following figure, the network is being protected by a device (most likely a computer) that has been configured with multiple network interfaces. Proxy software runs on the device and relays requests between the interfaces; packets are not routed directly from one interface to the other, so nothing crosses the device without passing through the proxy.

Figure 4-3: An example of a single multi-homed device as a proxy server.



A Screened Host
As shown in the following figure, the network is protected by combining the functions of a proxy server (the screened host) with packet filtering. The packet filter accepts outbound traffic from the proxy only, and inbound traffic addressed to the proxy only. If an internal client tries to communicate with the Internet directly through the packet filter, bypassing the proxy, the traffic is discarded.

Figure 4-4: An example of a screened host running behind a packet filtering device.

A Demilitarized Zone (DMZ)


In the following figure, the network has a special zone, or area, that has been created to allow for the placement of servers that need to be accessed by both Internet and intranet based clients. This special zone, the DMZ, requires two filtering devices (firewalls will traditionally be used for this) and can have multiple machines existing within its boundary.



Figure 4-5: An example of a Demilitarized Zone (DMZ).



TASK 4A-1
Firewall Planning
Objective: In order to implement firewall systems, you will need to be able to diagram the different methods used for implementation.

1. Diagram the method described in this topic for the firewall implementation that most accurately reflects your current network design.



2. If you had a blank check and could design a firewall implementation for your network, what would that design look like? If it differs from your current design, diagram the new solution that you would build.

Topic 4B
Create a Firewall Policy
Before you can identify configuration options or implementation techniques, you must have a firewall policy. In many instances, organizations rush into firewall selection and installation without enough thought about how this complex device is to be used. For a firewall to be designed and deployed correctly, there must be a firewall policy in place. While not as complete as an organizational security policy, the firewall policy has its place: its items are part of the overall security policy the organization uses. The firewall policy can take one of two stances: deny everything except what is explicitly allowed, or permit everything except what is explicitly denied. The general consensus is that the former, default deny, should be used.



It is a good starting point to assume that all traffic is to be denied, except that which the policy has explicitly identified as allowed. This also usually turns out to be less work for the network/security administrator. Imagine creating a list of all the ports Trojans use, and all the ports for applications your users are not authorized to use, and then creating rules to block each of them. Compare that to creating a list of what the users are allowed to use, and granting them access to those services and applications explicitly. There are different names for the items that can be included in the security policy, and the ones that follow are very common: the Acceptable Usage Statement, the Network Connection Statement, the Contracted Worker Statement, and the Firewall Administrator Statement. After building the overall security policy, if it becomes very large (some organizations have policies that are hundreds of pages long), you may want to pull out and copy the sections related to the firewall into a separate subdocument for the firewall alone. Subdocuments are not a requirement, but they make the policy much easier to read, index, reference and view. Many organizations now run an internal web server to house important documents, such as the policies, for employees. The subdocuments are easier to view when they are only a handful of pages, versus scrolling through 200 pages of content.

The Acceptable Use Statement


This portion of the policy can take the most time, energy, meetings and effort to create. Describing, in detail, the proper use of a computer within the network is a difficult task for some organizations. There is a necessary balance between maintaining tight security and giving employees the ability to do their jobs. Of all the devices in an organization, however, the computer is the most often misused, and it is this misuse that the policy attempts to control. Several points to consider when creating this portion of the policy are:

- Applications other than those supplied or approved by the company are not to be installed on any computer. This includes any program that can be downloaded from the Internet or brought in on CD-ROM, DVD-ROM, USB device or floppy disk.
- Applications provided for an individual computer in the organization may not, under any circumstances, be copied or installed onto any other computer, including the user's home computer, unless the organization has made it clear, through written policy and participation in an appropriate licensing program authorized by the vendor, that employees may exercise Home Use Rights for the particular software in question. If a backup copy is required for archive, the organization is responsible for creating and storing the archive copy.
- Computers may not be left unattended with a user account still logged on. If a user is temporarily away from the computer, it must be left in a locked state. Screensavers must use the password protection option.
- The computer and its installed applications are to be used for organization-related activity only.
- The computer and its installed applications may not be used in any way to threaten or harass another individual.
- The installed email application is the only authorized email service, and employees may not use it for personal purposes.

From this list you can see the types of things that the policy covers. Items that cannot be implemented on the firewall, even in part, may be best located in the overall security policy document for the organization. Several examples in the previous list fall into that category: screensavers, installing applications at home, or threatening individuals. These items clearly belong in the security policy, but they are not items that can be directly enforced on the firewall.

The Network Connection Statement


This portion of the policy involves the types of devices that are to be granted connections to the network. Here is where you can define the issues related to the network operating systems, the devices that use the network, and how those devices must be configured in order to use the network in a secure fashion.



This section may have the most functional use on the firewall, as it defines actual network traffic. Some of the items that may be included in this portion are:

- Network scanning is not permitted by any user of the network other than those in network administration roles.
- Users may access FTP sites to upload and download needed files, but internal user computers may not have FTP server software installed and running.
- Users may access the WWW on port 80 as required.
- Users may access email on port 25 as required.
- Users may not access NNTP on any port.
- Users in subnet 10.0.10.0 are allowed to use SSH for remote administration purposes.
- Users not in subnet 10.0.10.0 are not allowed to use SSH to connect to any location or device.
- Users may not run any form of chat software to the Internet, including, but not limited to, AOL Instant Messenger, Yahoo Chat, IRC, ICQ and MSN Chat.
- Users may not download files over 5 MB in size.
- Anti-virus software must be installed and running on all computers.
- Anti-virus updates are required weekly on user computers.
- Anti-virus updates are required daily on all servers.
- No new hardware (including network cards and modems) may be installed in any computer by any party other than the network administrators.
- No unauthorized links to the Internet from any computer are allowed under any circumstances.

As you can see, this list could go on and on. These are only examples to get you started. This section can get technical, as in deciding which ports to allow to and from subnets or computers in the network. This may be where you spend the most time developing the firewall policy, as it is the part most directly implemented on the firewall.

The Contracted Worker Statement


This portion of the policy is often overlooked. The policy must address the issue of contracted, or temporary, workers. These individuals may require only occasional access to resources on the network. The list of items for the contracted worker statement may overlap with other areas of the policy but this does not present a problem. Obviously, the feature or rule would only be implemented once, but it is better to list an item twice than to assume the item has been covered elsewhere.



Some examples of items in the contracted worker statement portion of the policy are:

- No contractor or temporary worker shall have access to unauthorized resources.
- No contractor or temporary worker shall be permitted to scan the network.
- No contractor or temporary worker shall copy data from a computer to any form of removable media, such as CD-ROM, DVD-ROM, USB device or floppy disk.
- No contractor or temporary worker may use FTP unless specifically granted permission in writing.
- No contractor or temporary worker will have access to Telnet or SSH unless specifically granted permission in writing.

From these examples, you can see that there are areas which overlap. As the saying goes, it is better to be safe than sorry.

The Firewall Administrator Statement


Some organizations may not have a separate statement for the administrator of the firewall itself. If yours is one that will require such a statement, here are some possible examples of the items that could appear in it:

- The firewall administrator must be certified by the vendor of the firewall.
- The firewall administrator must hold the SCNA certification.
- The firewall administrator must know all the applications authorized to be installed on computers in the network.
- The firewall administrator shall report directly to the Chief Security Officer.
- The firewall administrator must be reachable at all times, 24 hours a day, 7 days a week.

As you can see, this area can almost be considered the job description of the firewall administrator. Some organizations will have such a policy, others will not. It can be a benefit in a large organization to know these items and to have them written in the policy. From these examples, you can start to build the framework for the security policy and, in this case, the specific firewall portion of the policy. The firewall policy should be a working document that is modified on a regular basis. The security world is ever-changing, so be sure your policy changes with it!

TASK 4B-1
Creating a Simple Firewall Policy
1. Read through the following scenario of a corporate network. The network is a single office with 200 nodes. Currently it is connected to the Internet through a single 64K ISDN line, but 1.5M SDSL is being installed in a week, and they want to use a firewall on the new connection. The network is a single Windows NT 4.0 domain with an internal web server and an internal email server. The internal servers are accessed by employees and customers over the Internet.

The CEO has stated that email must not be used for personal use and that no one can download anything harmful to the network or organization. You are the firewall administrator and have given the CEO a more specific set of questions, which are answered here:

Your Question | The CEO's Answer
Can the users use newsgroups? | No.
Can the users run Telnet to the Internet? | No.
Can the users visit external websites? | Yes.
Are there any websites to be defined as off limits? | Anything pornographic.
Can users use Instant Messaging software? | Only internally.
Can users upload to FTP? | No.
Can users download from FTP? | Only if it is not a dangerous file.
Can users access external email servers? | Yes, if it is company-related.
Who is the firewall administrator? | You are.
Is 24x7 firewall support expected? | Yes.

Topic 4C
Rule Sets and Packet Filters
Having a solid policy is one important part of preparing to implement the firewall. Another is being aware of the different types of firewalls that exist. We briefly discussed firewall methodologies earlier, and now we will focus on packet filtering. Packet filters were the first type of firewall used to protect networks. Traditionally, packet filters were (and still are) implemented as access control lists on routers. This single border security device was all that was needed for quite some time. The router becomes the single access point to the network, and the place where the packet filtering functions. In the following figure, you can see examples of where the router may be located. The function of the packet filter will differ based on its location in the network.



Figure 4-6: An example of the location of packet filters. In the first example, there is only a single device running as the packet filter for the network. This device must be configured very carefully, as the security of the network rides on its rules. In the second example, the packet filter must be configured not to allow direct access from clients on the internal network to the Internet; likewise, it must be configured so that traffic from the Internet cannot directly reach the internal clients. In the third example, a DMZ has been created. This requires the two devices to be configured differently: the packet filter directly connected to the Internet must allow access to the hosts on the DMZ but not to the internal network, and the packet filter connected to the internal network must allow clients to reach the hosts on the DMZ but not the Internet directly.

The Packet Filter Rules


Regardless of the implementation of packet filter that is used, there must be a set of rules in place for the packet filter to use in making decisions. For creating the rules, you can consult your firewall policy, as discussed earlier. The general questions that should be answered are:

- Which services are to be allowed to access the Internet from the intranet?
- Which services are to be allowed to access the intranet from the Internet?
- Which hosts are allowed specific access that others do not have?



Although each product will have different methods of implementing these rules, there are some basic considerations that apply to nearly all packet filtering devices. They include:

- The interface to which the rule will apply. For example, is it the internal network interface, or the external Internet connection?
- The direction of the packet. Will this rule apply to packets entering on the defined interface, or to packets leaving on it?
- Addresses used to make the decision. Will the rule base its decision on the source IP address, the destination IP address, or both?
- Ports used to make the decision. Will the rule base its decision on the source port, the destination port, or both?
- Higher-level protocols. Is this rule to be based on the protocol carried over IP, such as UDP or TCP?

Ports and Sockets


Before we can get into the specifics of the rules, we need to review TCP/IP ports and sockets, shown in the following figure. The IP address identifies the host that is communicating, and the port identifies the actual end-point of the communication on that host. Ports allow multiple simultaneous connections between the same two hosts to be kept apart. A socket is an IP address combined with a port number. Ports 0 through 1023 are the well-known (privileged) ports on which servers listen; the client side of a connection uses an ephemeral port above 1023. In other words, when you request a web page from port 80 on a server, the reply is addressed to the port higher than 1023 that your client chose for the connection.

Figure 4-7: An example showing ports in the exchange of a web page. Keeping this in mind, let's look at some rules that can be created with the packet filter. Assume the goal is to allow internal users access only to web pages on the Internet and in the DMZ, to allow the Internet to access web pages on the web server, and to allow no other services access to the Internet. The following figure depicts rules for a firewall.



Figure 4-8: Building rules for the firewall. In this case, the first rule allows the Internet to access port 80 of the web server, and the second allows the web server to respond on any port higher than 1023. The third rule allows outbound requests to external web servers on port 80, and the fourth allows the responses to come back. The final rule disallows all other traffic. Is this a good set of rules? No! While it may initially look like it does the requested job, it has in fact left most of the network wide open. Rule 4 accepts connections from the whole world to any port higher than 1023 on any internal host, whether or not they are replies to web requests. This was not the intention. A Trojan horse listening on a high port inside the network would be reachable from the Internet as if there were no firewall in place. To tighten the rule set, another level is required: the rules must define the source port as well as the destination port. Rule 2 should add port information for both source and destination, so that it states: outbound traffic may go to ports higher than 1023 only if it originates from port 80. Likewise, rule 4 should state that inbound data to ports higher than 1023 is accepted only if it comes from port 80. The following figure shows rule 4 with this change.

Figure 4-9: Rule 4, with source and destination ports added. Requiring source port 80 is a substantial improvement over the rule in Figure 4-8, but note that this rule still leaves every high port open to any packet that simply claims source port 80, which is not considered good security. A rule this open should never be left as the final form of rule 4; the next addition closes it further.

The Ack Bits


Another option that can increase the security of the rule set involves the TCP ACK flag (the "ack bit"). This flag is clear on only one packet of a connection: the initial SYN that the client sends to open it. Every packet after that, in either direction, has ACK set, including the server's SYN/ACK reply. Your firewall can therefore require ACK on inbound packets to ensure that a packet is part of a conversation that already exists, rather than a new connection attempt from the outside. Adding the ACK check on top of the source and destination ports in the previous example increases security. An example of what this rule may now look like is shown in the following figure.



Figure 4-10: Rule 4, with the additional ACK bit. Looking at this same rule with the added source and destination ports and the ACK bit, the rule has become considerably tighter. For a packet to match it, it must have originated from port 80, have the ACK flag set, and be addressed to a destination port higher than 1023. One caveat remains: a stateless filter cannot tell whether the packet really belongs to a connection opened from inside, only that its header claims so. An attacker can craft a packet with source port 80 and ACK set, and this rule will pass it; that limitation is what the stateful filters discussed later in this topic address.
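The rule sets of Figures 4-8 to 4-10, as an added example written for this edition rather than taken from the course text: a small first-match rule evaluator in Python, with the naive rule set beside the tightened one. The address ranges (10.0.0.0/8 as the internal network, 10.0.20.5 as the web server) and the three sample packets are constructed for the example.

```python
"""Stateless packet-filter rule evaluation, modelled on Figures 4-8 to 4-10.

Added example, not code from the original text. A rule matches on direction,
protocol, addresses, ports and the TCP ACK flag; the first matching rule
decides and anything unmatched is denied. All addresses, ports and sample
packets below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

INTERNAL = "10.0.0.0/8"          # assumed internal address space
WEB_SERVER = "10.0.20.5"         # assumed web server reachable from the Internet
HIGH = (1024, 65535)             # the "ports higher than 1023" used for replies


@dataclass(frozen=True)
class Packet:
    direction: str               # "in" (from the Internet) or "out" (to the Internet)
    proto: str                   # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                              # "permit" or "deny"
    direction: Optional[str] = None          # None means "any" for every field below
    proto: Optional[str] = None
    src: Optional[str] = None                # host or CIDR
    dst: Optional[str] = None
    sport: Optional[Tuple[int, int]] = None  # inclusive port range
    dport: Optional[Tuple[int, int]] = None
    ack: Optional[bool] = None               # required state of the ACK flag

    def matches(self, p: Packet) -> bool:
        def addr_ok(spec, addr):
            return spec is None or ip_address(addr) in ip_network(spec)

        def port_ok(rng, port):
            return rng is None or rng[0] <= port <= rng[1]

        return ((self.direction in (None, p.direction))
                and (self.proto in (None, p.proto))
                and addr_ok(self.src, p.src) and addr_ok(self.dst, p.dst)
                and port_ok(self.sport, p.sport) and port_ok(self.dport, p.dport)
                and (self.ack is None or self.ack == p.ack))


def evaluate(rules, p: Packet) -> str:
    """First-match semantics with an implicit final deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Figure 4-8: rule 4 accepts anything inbound to a high port.
NAIVE = [
    Rule("permit", "in", "tcp", dst=WEB_SERVER, dport=(80, 80)),          # 1
    Rule("permit", "out", "tcp", src=WEB_SERVER, dport=HIGH),             # 2
    Rule("permit", "out", "tcp", src=INTERNAL, dport=(80, 80)),           # 3
    Rule("permit", "in", "tcp", dst=INTERNAL, dport=HIGH),                # 4
    Rule("deny"),                                                         # 5
]

# Figures 4-9 and 4-10: rules 2 and 4 also require source port 80 and the ACK flag.
TIGHT = [
    Rule("permit", "in", "tcp", dst=WEB_SERVER, dport=(80, 80)),
    Rule("permit", "out", "tcp", src=WEB_SERVER, sport=(80, 80), dport=HIGH, ack=True),
    Rule("permit", "out", "tcp", src=INTERNAL, dport=(80, 80)),
    Rule("permit", "in", "tcp", dst=INTERNAL, sport=(80, 80), dport=HIGH, ack=True),
    Rule("deny"),
]

# Constructed sample traffic.
REPLY = Packet("in", "tcp", "203.0.113.10", "10.0.1.7", 80, 40001, syn=True, ack=True)
TROJAN = Packet("in", "tcp", "203.0.113.66", "10.0.1.7", 31337, 12345, syn=True)
SPOOFED_ACK = Packet("in", "tcp", "203.0.113.66", "10.0.1.7", 80, 12345, ack=True)


def compare() -> dict:
    """How each rule set treats a legitimate reply, an unsolicited SYN to a
    high port, and a forged packet that claims source port 80 with ACK set."""
    samples = {"reply": REPLY, "trojan": TROJAN, "spoofed_ack": SPOOFED_ACK}
    return {name: {"naive": evaluate(NAIVE, p), "tight": evaluate(TIGHT, p)}
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:12s} naive={verdicts['naive']:6s} tight={verdicts['tight']}")
```

Running it shows the unsolicited SYN to a high port that the naive rule 4 lets in and the tightened rule 4 rejects. It also shows the remaining gap: a forged packet with source port 80 and ACK set passes the tightened rule too, because a stateless filter can only judge what the header claims.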

Stateless and Stateful Packet Inspection


Now that you have an idea of where and how packet filters can be placed in the defense of a network, we will discuss the types of packet filters. Packet filters fall into one of two major categories:

- Stateless packet filters, sometimes called standard packet filters.
- Stateful packet filters.

Stateless Packet Filters


As we have discussed, packet filters are generally implemented on border routers, using a given set of rules. In theory a packet filter may make a decision based on any portion of the protocol headers; in practice the vast majority of filters are based on the most significant fields in the header:

- IP address filtering.
- TCP or UDP port numbers.
- Protocol type.
- Fragmentation.

IP Address Filtering
IP address filtering is perhaps the oldest form of packet filtering. If you want to block access to a specific host, create a rule that says that IP address is off-limits. If you want to grant access to an entire subnet, create a rule that says that subnet has access. IP address filters permit or deny using only the IP address to make the decision. If the filter were to try to define all the hosts that are to be denied, the rule set would get very long, and a rule of that kind for individual hosts in a large organization is unreasonable. Since the rule set can get very long, the odds of making a mistake increase, and therefore it is not a good way to implement strong security in a large organization. Using the filter to specifically grant access by IP address, on the other hand, can be much more effective. The set of addresses that hosts are allowed to reach will be, by the very nature of security, smaller than the set they are not allowed to reach.



Using primarily permitted addresses rather than denied addresses makes the rules easier to implement, and it makes the attacker's task a bit harder: the attacker would have to learn the list of approved addresses to attempt an attack. Once the attacker does learn an approved address, however, he or she can spoof it as the source IP address and get a packet past the filter. For a denial of service (DoS) attack, this gets the attacker past the packet filter with no problems, because no reply is needed. Any attack in which the attacker does not need to receive the return packets (which would go to the spoofed address, not to the attacker) bypasses this type of filter easily.

TCP and/or UDP Port Numbers


When dealing with the Internet, using TCP and/or UDP port numbers in the packet filter will increase its effectiveness. Filtering at this level, in addition to the IP address, is commonly used in most networks today. If the host is running only the WWW service, there is no need to have any port open other than 80 (or 443, if SSL has been added). As with IP addresses, it is much easier to open the ports that are needed than to close the ports that are to be denied. With 65,536 ports per protocol to open or close, no doubt most people would agree.

Protocol Filtering
In the event that using UDP and TCP port numbers is still not enough, you can resort to protocol filtering. Packet filtering of this type inspects the protocol field of the IP header to determine the upper-layer protocol in use; if there is a match, the packet is accepted or discarded. The protocols you may choose to block or accept are few:

- TCP
- UDP
- ICMP
- IGMP

Although this type of filtering can be used, it is very limiting; use caution when employing this strategy. If you have a server running a service that uses UDP, and that is the only authorized service on the server, then allow only UDP. But be aware that such a move removes the option of troubleshooting utilities such as ping, since ICMP is blocked.

Fragmentation
When networks and routing were first developed, many of the links used had very small capacity, and every link type has a maximum transmission unit (MTU) that an IP datagram may not exceed. A datagram larger than the MTU of a link it must cross is broken into several smaller datagrams, each carrying a piece of the original payload. This is known as fragmentation. Only the first fragment (fragment 0, at offset zero) carries the TCP or UDP header, so when a packet filter inspects it, it sees the port numbers, protocol type, IP addresses, and an indicator that this is fragment 0. Herein lies the problem: fragments 1 through x carry the IP header but not the port numbers, so the packet filter has nothing beyond addresses to use in making a decision. Early packet filters would drop fragment 0 when it violated a rule and allow the remaining fragments through. The logic was that without fragment 0, the datagram could not be reassembled or used. This was not always the case.



Smart and very TCP/IP-savvy attackers would create entire attacks that began with fragment 1, that is, with no fragment at offset zero. The attackers were aware that many TCP/IP implementations would reassemble and process fragments even if fragment 0 was missing, or would accept a transport header carried in a non-initial fragment. These attacks passed through the packet filter as if it were not even there.

Stateful Packet Filters


It should be obvious by now that, despite their best efforts, stateless packet filters simply are not good enough for the security needs of today's networks. The logic a stateless packet filter employs is incomplete. Stateful packet filters still employ the same techniques as stateless filters, but they do not base their decisions on single packets alone. A decision cannot be made on a packet-by-packet basis alone if the network is expected to be safe, because a single packet does not describe the overall communication occurring between the two hosts. Stateful packet filters increase security by remembering the state of each connection at the network and transport layers (addresses, ports, and the stage of the TCP handshake) as packets pass through the filter. This connection information is stored in a state table and consulted for every packet moving through the filter. For example, if a client on the internal network initiates a connection to a host on the Internet, it sends a SYN carrying the IP address and port number of the destination host. As this packet passes through the filter, an entry is made in the state table recording the connection. When the filter receives the return packet, it looks at its table and checks that the addresses, port numbers and SYN/ACK flags match what is expected for that connection. If a packet arrives for which there is no entry in the table, the packet is dropped. The following figure shows the steps of stateful packet inspection.

Figure 4-11: The Stateful Packet Filter function.

The stateful packet filter will remove entries in the state table if there is no response, usually within a few minutes. This is to ensure there are no holes left open for an attacker to exploit. The rules are programmed into the stateful packet filter just as they are in a stateless packet filter, although they may be called policies instead of rules.

How Attackers Get Around Packet Filters


Although packet filters are solid security devices, they need to be supplemented with other services the firewall can perform, such as proxy and NAT. Still, you may be wondering how attackers get around packet filters. Some of the exploits are due to poor design by the firewall administrator, yet others are limitations imposed by packet filtering itself. Many packet filters will drop fragment 0 (called the 0th fragment), but allow the remaining fragments through. This can be a serious security hole, so be sure to check how your firewall handles fragmentation. The attacker can simply place a whole valid packet in one that has been marked as fragment 1, effectively bypassing the security of the packet filter completely. One of the most critical errors is not in the technology, but in the implementation of the filter. If you had only a web server and email server on your network, and you configured the packet filter to only allow ports 80, 443, and 25 in, all other inbound ports were closed, and all outbound ports open, you have a very insecure network. The outgoing ports are as critical to configure as the inbound ports. Make sure you do not fall into this trap of blocking only inbound ports. It may look secure, but it is not. These are two examples of how packet filtering can be bypassed, and examples of why additional security services are needed.
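The state-table behaviour from the previous section and the fragment handling described here, modelled together as an added example (Python written for this page, not code from the course or any firewall product). The policy, addresses and ports are constructed in the spirit of the TASK 4C-1 scenario; the `legacy_fragments` switch reproduces the old "let fragments 1 through x through" behaviour beside the hardened rule that passes a non-initial fragment only after its first fragment was accepted.

```python
"""Stateful packet filter model (added example; not code from the course).

Constructed policy in the spirit of TASK 4C-1: internal 10.0.0.0/24 clients may
open outbound HTTP, HTTPS, SMTP and FTP-control connections; the Internet may
reach the DMZ web server on 80/443 and the mail server on 25.  Anything else is
dropped, including replies with no state-table entry.  All values are made up.
"""
import ipaddress
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

INTERNAL = ipaddress.ip_network("10.0.0.0/24")
WEB_SERVER, MAIL_SERVER = "192.0.2.10", "192.0.2.20"
STATE_TIMEOUT = 120.0          # seconds an entry lives without further traffic
# Static rules: (direction, destination host or "any", protocol, destination port)
RULES = [
    ("out", "any", "tcp", 80), ("out", "any", "tcp", 443),
    ("out", "any", "tcp", 25), ("out", "any", "tcp", 21),
    ("in", WEB_SERVER, "tcp", 80), ("in", WEB_SERVER, "tcp", 443),
    ("in", MAIL_SERVER, "tcp", 25),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                              # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = frozenset()          # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}
    frag_id: Optional[int] = None           # IP identification field when fragmented
    frag_offset: int = 0                    # 0 = first fragment, which carries the headers


class StatefulFilter:
    def __init__(self, legacy_fragments: bool = False,
                 clock: Callable[[], float] = time.monotonic):
        self.legacy_fragments = legacy_fragments   # True = old "pass fragments 1..n" behaviour
        self.clock = clock
        self.state: Dict[Tuple, float] = {}         # 5-tuple -> expiry time
        self.accepted_frags: Set[Tuple] = set()     # (src, dst, frag_id) of accepted first fragments

    def _rule_allows(self, pkt: Packet) -> bool:
        direction = "out" if ipaddress.ip_address(pkt.src) in INTERNAL else "in"
        return any(d == direction and h in ("any", pkt.dst) and p == pkt.proto and port == pkt.dport
                   for d, h, p, port in RULES)

    def _expire(self) -> None:
        now = self.clock()
        for key in [k for k, exp in self.state.items() if exp <= now]:
            del self.state[key]                      # no traffic in time: close the hole

    def check(self, pkt: Packet) -> str:
        """Return 'allow' or 'drop' for one packet, updating the state table."""
        self._expire()
        if pkt.frag_offset > 0:                      # no port or flag headers to inspect
            if self.legacy_fragments:
                return "allow"
            return "allow" if (pkt.src, pkt.dst, pkt.frag_id) in self.accepted_frags else "drop"
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        opens = pkt.proto != "tcp" or pkt.flags == frozenset({"SYN"})
        if rev in self.state:                        # reply to a connection we saw opened
            self.state[rev] = self.clock() + STATE_TIMEOUT
        elif fwd in self.state:                      # continuation of an existing flow
            self.state[fwd] = self.clock() + STATE_TIMEOUT
        elif opens and self._rule_allows(pkt):       # new connection permitted by a rule
            self.state[fwd] = self.clock() + STATE_TIMEOUT
        else:
            return "drop"                            # no entry and no rule permits it
        if pkt.frag_id is not None:
            self.accepted_frags.add((pkt.src, pkt.dst, pkt.frag_id))
        return "allow"


def demo() -> Dict[str, str]:
    """Run constructed sample traffic through the filter; returns label -> verdict."""
    now = [0.0]
    fw = StatefulFilter(clock=lambda: now[0])
    client, web, outsider = "10.0.0.5", "198.51.100.7", "203.0.113.9"
    syn, synack = frozenset({"SYN"}), frozenset({"SYN", "ACK"})
    r = {}
    r["client SYN to web:443"] = fw.check(Packet(client, web, "tcp", 40001, 443, syn))
    r["web SYN/ACK back"] = fw.check(Packet(web, client, "tcp", 443, 40001, synack))
    r["unsolicited SYN/ACK"] = fw.check(Packet(web, client, "tcp", 443, 40002, synack))
    r["client SYN to web:6667"] = fw.check(Packet(client, web, "tcp", 40003, 6667, syn))
    r["Internet SYN to mail:25"] = fw.check(Packet(outsider, MAIL_SERVER, "tcp", 5555, 25, syn))
    r["Internet SYN to mail:23"] = fw.check(Packet(outsider, MAIL_SERVER, "tcp", 5556, 23, syn))
    frag = Packet(outsider, MAIL_SERVER, "tcp", 0, 0, frag_id=77, frag_offset=1)
    r["stray fragment, hardened"] = fw.check(frag)
    r["stray fragment, legacy"] = StatefulFilter(legacy_fragments=True).check(frag)
    fw.check(Packet(client, web, "tcp", 40004, 80, syn))
    now[0] = STATE_TIMEOUT + 1                       # reply arrives after the entry expired
    r["late SYN/ACK after timeout"] = fw.check(Packet(web, client, "tcp", 80, 40004, synack))
    return r


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:30} {verdict}")
```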

TASK 4C-1
Firewall Rule Creation
1. Read through the following scenario of a corporate network. Your network is a mixed environment of Windows NT, Windows 2000, UNIX, and Linux. Your users in the network need to access FTP sites for upload and download, websites, and email servers on the Internet. Your network provides a web server and email server that need to be accessible from the Internet.

2. Based on this scenario, create a sample rule set, or portion thereof, needed for this packet filter.

Topic 4D
Proxy Server
As you have seen, packet filters are a great start to securing the network with a firewall. But they also require help to create a more secure environment. One of the ways to increase security is to add the services of a proxy server. Proxy servers were initially used to cache commonly visited web pages, speeding up the network and Internet use. They have evolved to not only cache web pages, but have become part of the security system of a network. The packet filter, as discussed, works by inspecting the header information and basing the decision on defined rules or policies. The proxy works at the application layer, and is able to provide services to the network. The proxy acts as a sort of gateway (which is why it is also called an application gateway) for all packets to flow through. When a proxy is configured and running on the network, there is no direct communication between the client and the server. The packet filter allows for this direct communication, while the proxy prevents it. A significant distinction, then, between a packet filter and a proxy server is that the proxy understands the application or service that is used, and the packet filter does not. The proxy server can then permit or deny access based on what actual function the user is trying to perform.

Proxy Process
In this example, the client has requested a web page and identified the server that has the web page. The request for the web page is passed to the proxy server. At this point, the proxy server does not act as a router and forward the packet. What it does is consult its set of rules regarding this service (WWW in this case), and decide if the request is to be granted or not. Once the proxy has made the decision to allow the request, a new packet is created with a source IP address of the proxy server. This new packet is the request for the web page from the destination server. The web server receives the request, and returns the web page to the requesting host. Since the proxy is running, the requesting host is the proxy server. When the proxy receives the web page, it checks its rules to see if this page is to be allowed. Once the decision is made to proceed, the proxy makes a new packet with the web page as the payload, and sends this to the original client. The following figure is an illustration of the basic function that a proxy server plays in the network. Notice the client packet never directly reaches the server, and vice versa.

Figure 4-12: A WWW proxy running in a network.

This type of service can increase the security of the network considerably, as no packets can pass directly from the client to the server. The proxy service will need to be configured for each type of service that is allowed. For example, a separate proxy will be needed for SMTP, WWW, FTP, and Telnet, if all these services are to be used. The proxy server needs to be configured to work in both directions, just as a packet filter is. This is the only way to be sure that no packets get past the proxy server uninspected.

Proxy Benefits
There are several benefits to the network, from a security point of view, that a proxy can provide. The list of advantages can be large; the major benefits are:
Client invisibility.
Content filtering.
Single point of logging.

Client Invisibility
The basic proxy process highlights this feature. The ability to have the client's inside IP address never appear on the Internet is a great benefit. Attackers not knowing the internal structure of the network have a harder time gaining access and attacking internal clients.

Content Filtering
In the modern era, businesses have to be very sensitive to the needs of employees. This includes exposure to any offensive material, as much as can be prevented. Content filters can be programmed for many types of inspection. They may be programmed to look for certain keywords or phrases. Many employers use filtering to block the websites of major headhunters and resume posting sites. These filters can also be used to prevent ActiveX controls from being downloaded, Java applets from being run, or executables from being attached to email.

Single Point of Logging


One of the more significant benefits of proxy servers may be the ability to have a single point of reference for logging data. Since all traffic is flowing through a single point, it is relatively easy to re-create an entire session of web browsing for a user to identify problems.
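The proxy process, content filtering and single point of logging described above, as an added example (Python written for this page, not the course's code or any proxy product's): the rule check on a parsed HTTP request, the rewritten request that carries only the proxy's address, the content-type and active-content check on the reply, and the shared log. Hostnames, addresses and the blocked-keyword list are constructed.

```python
"""Application-gateway (proxy) decision model: an added example, not code from
the course or any proxy product.  Unlike a packet filter, the proxy parses the
HTTP request itself, so it can allow GET but deny POST, block a host by name,
rewrite the request so only the proxy's address reaches the server, inspect the
reply's content type, and log each session in one place.  Hostnames, addresses
and rule values below are constructed for the example.
"""
from typing import Dict, List, Optional, Tuple

PROXY_ADDR = "10.0.0.1"                          # the only source the web server sees
ALLOWED_METHODS = {"GET", "HEAD"}
BLOCKED_HOST_WORDS = ("jobboard", "resume-post")  # constructed content-filter keywords
BLOCKED_CONTENT_TYPES = {"application/x-msdownload",      # executables
                         "application/java-archive",      # Java applets
                         "application/x-oleobject"}       # ActiveX controls
BLOCKED_TAGS = (b"<object", b"<applet")           # active content embedded in HTML
LOG: List[str] = []                              # single point of logging


def parse_request(raw: bytes) -> Dict[str, object]:
    """Split an HTTP/1.x request into method, path, version, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def decide_request(client_ip: str, raw: bytes) -> Tuple[str, Optional[bytes]]:
    """Apply the WWW rules; return (verdict, request the proxy will send or None)."""
    req = parse_request(raw)
    headers = req["headers"]
    host = headers.get("host", "")
    if req["method"] not in ALLOWED_METHODS:
        verdict = "deny:method"
    elif not host or any(word in host.lower() for word in BLOCKED_HOST_WORDS):
        verdict = "deny:host"
    else:
        verdict = "allow"
    LOG.append(f"{client_ip} {req['method']} http://{host}{req['path']} {verdict}")
    if verdict != "allow":
        return verdict, None
    # Build a fresh request from the proxy; the client's address never appears.
    fwd = dict(headers)
    fwd.pop("proxy-connection", None)
    fwd["via"] = f"1.1 {PROXY_ADDR}"
    out = [f"{req['method']} {req['path']} {req['version']}"]
    out += [f"{k}: {v}" for k, v in fwd.items()]
    return verdict, ("\r\n".join(out) + "\r\n\r\n").encode("iso-8859-1") + req["body"]


def decide_response(headers: Dict[str, str], body: bytes) -> str:
    """Inspect the server's reply before it is repackaged for the client."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype in BLOCKED_CONTENT_TYPES:
        return "deny:content-type"
    if ctype == "text/html" and any(tag in body.lower() for tag in BLOCKED_TAGS):
        return "deny:active-content"
    return "allow"


def demo() -> Dict[str, str]:
    """Constructed client requests and server replies run through both checks."""
    LOG.clear()
    client = "10.0.0.5"
    get = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
           b"Proxy-Connection: keep-alive\r\n\r\n")
    post = b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 0\r\n\r\n"
    jobs = b"GET / HTTP/1.1\r\nHost: jobboard.example.net\r\n\r\n"
    verdict, sent = decide_request(client, get)
    return {
        "get": verdict,
        "client ip leaked": str(client.encode() in (sent or b"")),
        "via proxy": str(f"via: 1.1 {PROXY_ADDR}".encode() in (sent or b"")),
        "post": decide_request(client, post)[0],
        "jobs": decide_request(client, jobs)[0],
        "html": decide_response({"content-type": "text/html; charset=utf-8"}, b"<html><p>hi</p></html>"),
        "applet": decide_response({"content-type": "text/html"}, b"<html><APPLET code=x></APPLET></html>"),
        "exe": decide_response({"content-type": "application/x-msdownload"}, b"MZ..."),
        "log entries": str(len(LOG)),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:18} {value}")
```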

Proxy Problems
Even though it seems as if there are only benefits to adding proxies, and in most cases this may be true, you need to be aware of potential problems of using proxies. As with all technologies, there are possible issues that may arise, such as:
Single point of failure.
A proxy for each service.
Default configurations.

Single Point of Failure


Perhaps one of the most serious issues with a proxy server is the creation of a single point of failure. If the entire network is running through the same proxy, that machine becomes quite critical, and must be configured properly. A common mistake is to forget that the proxy itself is unprotected. Although it is protecting the internal network, if there is an interface directly connected to the Internet, it is wide open to attack, both to Denial of Service and intrusion attempts.

Be sure that the proxy is used in combination with other security mechanisms (such as a packet filter) that reduce the likelihood of a direct intrusion attack on the proxy. If the entire network is dependent on this machine, you need to take good care of it!

A Proxy for Each Service


More of a configuration issue, but still worth noting, is that the proxy must be configured for each service. If the network is allowing many different types of services in both directions, this can create considerable work. When services are added, it is important that the proxy server remain securely configured.

Default Configurations
The majority of proxy server software is designed for functionality over security. The applications are created to get users up and running quickly, and give them access to the resources they need. This is the opposite of security. Therefore, when implementing a proxy, it is recommended not to use the default configurations. Take the time to implement the rules and restrictions as they are needed.

TASK 4D-1
Diagram the Proxy Process
1. Diagram the process of an internal client in the network requesting an email message from the remote server running SMTP.

Topic 4E
The Bastion Host
In order to create a firewall or proxy, there must be a platform for the software to use. In some instances, there is a dedicated piece of hardware that will run the firewall software. In this topic, you will learn about the process of setting up a server to run the software. This server is called the bastion host. Bastion host is a term used for a computer that has been hardened far more thoroughly than any other computer in the network. This server uses every security option that comes with the operating system to the maximum extent possible. All auditing has been configured, all authentication has been configured, and encryption (where relevant) has been configured. Further configuration would be the removal of all services and applications not deemed absolutely necessary for the server to function. All user accounts are removed, except for those required for server management. Every service, application, and user account that is removed is one less target for a potential attacker. Once the computer has been configured, then the software may be installed and configured on top of the base operating system. This computer should not be considered the single line of defense, but rather one link in a chain. The security of the network cannot rely on a single component, so the bastion host is one of several in a well-designed network, as shown in the following figure. The first line of defense is the router connecting the network to the Internet, which should be configured with appropriate packet filtering. Following the packet filtering router is where the bastion host running proxy services is located. If the network is small, one bastion host running the proxy services for the entire network may be fine. In a large network, there are likely to be many bastion hosts, each running different proxy services.

Figure 4-13: The most likely location of a bastion host.

The basic steps that must be followed in setting up a host as a bastion are:
1. Remove unused applications.
2. Remove unused services.
3. Remove unused user accounts.
4. Enable auditing.

Other standard techniques for creating a bastion host to run as a firewall are:
Install the operating system from scratch, formatting the disk first.
Do not use a dual-boot computer.
Remove unused hardware, such as modems or sound cards.
Use very strong authentication methods, such as tokens or biometrics.
Implement a utility to check files for tampering, such as Tripwire.

An Attack on the Bastion Host


Since this computer is the machine that is providing many services to your network, it is likely to be the target for many different attacks. However, since you have set up the computer properly ahead of time, you have the ability to deal with these attacks. Since you have enabled logging and auditing, the intrusion should be detected quickly with a scan of the logs and generated reports. Inevitably, there may be an attack you do not catch right away. It is this part of security that drives administrators mad. Once you catch the intrusion, you must investigate further to determine the cause. This is where your file tampering software comes into play. You must identify whether a Trojan has been placed on the host, or whether any system files have been accessed. Once the bastion host has had an intrusion, it is critical that the remaining computers in the DMZ or network be examined quickly for possible intrusions. A compromised bastion host often leads to a compromised network. An important point that must be made is in relation to the knee-jerk reaction that many administrators have in these situations, which is to attempt the restoration of the system from backup once it has been compromised. Unless you can identify the date that the intrusion happened, how can you be sure your backup is not also infected? The best solution is to begin from scratch and re-create the bastion host, starting with formatting the disk. It will take time, but it is the best way to restore this host to the network.
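A Tripwire-style integrity check of the kind the bastion-host steps call for and the investigation above relies on, as an added example (Python written for this page, not Tripwire's code or the course's). The baseline is taken on the clean host and kept off the box; the demo builds a constructed directory tree in a temporary folder and simulates tampering, so it touches no real system files.

```python
"""Tripwire-style file integrity check: an added example, not Tripwire's code or
the course's.  A baseline of SHA-256 digests, sizes and permission bits is taken
on the freshly built bastion host and kept off the box; later runs compare the
live filesystem against it to show what a replaced binary, a loosened permission,
a new file or a deleted file look like.  The demo builds a constructed tree in a
temporary directory rather than touching real system files.
"""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Record = Tuple[str, int, int]           # (sha256 hex digest, size in bytes, mode bits)


def _record(path: str) -> Record:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return digest.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode)


def build_baseline(root: str) -> Dict[str, Record]:
    """Record every regular file under root, keyed by path relative to root."""
    baseline: Dict[str, Record] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = _record(full)
    return baseline


def serialize(baseline: Dict[str, Record]) -> str:
    """Text form of the baseline; store it off the host (read-only media, log server)."""
    return json.dumps(baseline, sort_keys=True)


def load(text: str) -> Dict[str, Record]:
    return {rel: tuple(rec) for rel, rec in json.loads(text).items()}


def compare(baseline: Dict[str, Record], current: Dict[str, Record]) -> Dict[str, List[str]]:
    """Classify every difference between the stored baseline and the live tree."""
    report: Dict[str, List[str]] = {"modified": [], "permission": [], "added": [], "removed": []}
    for rel, (digest, _size, mode) in sorted(baseline.items()):
        if rel not in current:
            report["removed"].append(rel)
        elif current[rel][0] != digest:
            report["modified"].append(rel)         # content changed: possible trojaned file
        elif current[rel][2] != mode:
            report["permission"].append(rel)       # same bytes, different permission bits
    report["added"] = sorted(set(current) - set(baseline))
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline, simulate tampering, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        originals = {"bin/login": b"original login binary", "bin/ls": b"original ls binary",
                     "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n"}
        for rel, data in originals.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
            os.chmod(os.path.join(root, rel), 0o644)
        stored = serialize(build_baseline(root))    # what would be kept off the host
        # Simulated intrusion: replace login, loosen passwd, drop a hidden file, delete ls.
        with open(os.path.join(root, "bin/login"), "wb") as fh:
            fh.write(b"replaced login binary")
        os.chmod(os.path.join(root, "etc/passwd"), 0o666)
        with open(os.path.join(root, "bin/.hidden"), "wb") as fh:
            fh.write(b"unexpected file")
        os.remove(os.path.join(root, "bin/ls"))
        return compare(load(stored), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10} {', '.join(paths) or '-'}")
```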

TASK 4E-1
Describing a Bastion Host
1. Describe the function of a bastion host in creating a secure network environment.
Bastion host is a term used for a computer that has one or more network interfaces exposed to the Internet. The OS (typically a server OS) on such a device is hardened in a much more secure manner than any other computers in the network. Further configuration would be the removal of all services and applications not deemed absolutely necessary for the server to function. Once the computer has been configured, then the software that dictates rule sets for internal or external traffic may be installed and configured on top of the hardened OS.

Topic 4F
The Honeypot
One area that is the subject of much discussion in security circles is the use and deployment of honeypots. For some security professionals, network security is not fully functional without one, while others feel it is an unneeded and potentially dangerous part of the network.

What is a Honeypot?
Just as honey attracts bears, a honeypot is a computer designed to attract attackers. If an attacker has managed to get past your packet filter into your DMZ and is scanning for options, the honeypot should be the one computer that sticks out. This is depicted in Figure 4-14.

Figure 4-14: Two examples of where the honeypot may be located.

Goals of the Honeypot


There are several goals for the honeypot. You would like the honeypot to provide enough of a lure that attackers stay away from your other equipment. You want the attacker to see a vulnerability that they know they can exploit and use to gain access to the computer. This vulnerability needs to be such that the attacker focuses their energy on exploiting this computer, as opposed to the email server (for example) sitting right next to it. In addition to trying to keep attackers away from your more secure systems, one of the goals of a honeypot is for logging. Knowing that this system is one that will be attacked, you can take extra measures in logging. These logs should be moved off the system frequently, perhaps hourly or daily if your network is a high-profile target. Another goal of the honeypot is to increase the ability to detect and respond to incidents. The theory is that if you are aware of what the attacker is doing to your honeypot, you can be better prepared to defend or, if possible, prevent that attack from being carried out successfully against your production systems. To take the concept of the honeypot further, there are instances of honeynets. A honeynet is an entire network designed to be an attractive alternative to the production network(s) it is deployed to screen from view. The premise is the same, only the scale is bigger.

Legal Issues
A discussion of honeypots would not be complete without a discussion of the legal issues surrounding this use of technology. Perhaps the single biggest issue involving a honeypot today is the issue of entrapment. Some people feel that the setup of a honeypot is entrapment, and therefore the same rules apply as in the real world. Up to this point, that is not yet the case, although it should be noted that defense attorneys have tried using entrapment as a defense. Another issue is that of privacy. If an attacker were to set up an IRC server on the honeypot, it is possible for the administrator to log all conversations on that server. For now, this issue is more of a moral and ethical dilemma than a legal one, since there is no defined law regarding this subject. However, it should be noted again that this could be a viable defense for an attorney to work with. The current standard for this issue is Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. This publication is by the Computer Crime and Intellectual Property Section (CCIPS), Criminal Division, United States Department of Justice. The entire document can be found at www.usdoj.gov/criminal/cybercrime/searching.html#searchmanual

TASK 4F-1
Honeypot Configuration
1. What are the services most likely to be enabled in creating a honeypot, and why?
Most likely services would include the normal WWW, FTP, SMTP, POP3, and Telnet. It is important to offer the normal services, since the honeypot must appear to be a productive, live computer in the network, and should be configured the same as a production WWW server, perhaps with looser permissions and solid logging.

Summary
In this lesson, you identified the major components used in building firewall systems; you learned to detail the methods used to create a firewall policy in a network scenario. You now know how packet filters are used in firewall systems. You can also describe the process of creating a bastion host, as well as how to use proxy servers in firewall systems. You are also aware of the process involved in creating a honeypot and can differentiate between a honeypot and a honeynet.

Lesson Review
4A Name two methodologies for firewalls.
Packet filtering and proxy servers (application gateway).

What are three services a firewall can provide?
Network Access Translation (NAT), data caching, and restricting access to content.

How can a second connection to a client computer make an impact on firewall security?
A second connection will render much of the firewall useless to this client, and maybe even the network.

Name four different methods of implementing a firewall.
A Single Packet Filtering Device. A Multi-homed Device. A Screened Host. A Demilitarized Zone.

4B What is the difference between a firewall policy and a security policy?
A firewall policy is generally a subset of the overall security policy.

List three items that should be in a security policy, but not part of a firewall policy.
Many portions of the following items may address issues broader than those addressed by the firewall policy: The Acceptable Use Statement. The Network Connection Statement. The Contracted Worker Statement.

List at least three items that would be specific to the firewall policy.
Answers may include: Users may access WWW on port 80 as required; users may not access NNTP on any port; users not in subnet 10.0.10.0 are not allowed to Telnet to any location; any policies dealing with firewall administration.

4C What is the primary difference between stateful and stateless packet filters?
Stateless packet filters make a decision about a packet based on any portion of the protocol header; however, the vast majority of filters are based on the most significant information in the header. Stateful packet filters encompass the techniques used by stateless packet filters; however, they do not base their decisions on individual packets. Stateful packet filters increase security by remembering the state of connections at the network and the session layers as they pass through the filter. This session information is stored and analyzed on all packets moving through the filter.
In addition to IP addresses, what else can a packet filter use to make a decision on a packet?
Fragmentation, IP Protocol ID, Protocol Type, and TCP or UDP Port Numbers.

How can an attacker use fragmentation to get through a packet filter?
By encapsulating the entire payload in one or more fragments following the first fragment.

4D What are the benefits of implementing a proxy server?
While packet filters allow for direct communication between a client and a server, proxy servers prevent it. The proxy works at the application layer (application gateway). Proxies can inspect packet content and make decisions based on this inspection.

Describe three potential problem issues for proxy servers.
Single point of failure: If the entire network is running through the same proxy, that machine becomes quite critical, and must be configured properly. The proxy itself is unprotected if there is an interface directly connected to the Internet. You have to add at least a packet filter in front of the proxy.
A proxy for each service: The proxy must be configured for each service. If the network allows many different types of services in both directions, this can create considerable work.
Default configuration: Using the default (out-of-the-box) configuration is generally not secure.

4E What are the steps that must be followed to create a bastion host?
1. Remove unused applications.
2. Remove unused services.
3. Remove unused user accounts.
4. Enable auditing.

What are some additional steps that are recommended in securing the bastion host?
Install the operating system from scratch, formatting the disk first. Do not use a dual-boot computer. Remove unused hardware, such as modems or sound cards. Use very strong authentication methods, such as tokens or biometrics. Implement a utility to check files for tampering, such as Tripwire.

How should a compromised bastion host be recovered?
A compromised bastion host often leads to a compromised network. Once the bastion host has had an intrusion, it is critical that the remaining computers in the DMZ or network be examined quickly for possible intrusions. Identify the date of the intrusion before you restore the bastion host from backup. The best solution is to begin from scratch and re-create the bastion host, starting with formatting the disk.

4F Where should a honeypot be located in the network?
In the screened subnet or DMZ.

What are two of the goals of a honeypot?
Answers may include: Lure the attacker; log visits; and respond to incidents.

What are some potential legal issues of honeypots?
Entrapment and privacy issues.

LESSON 5
Configuring Firewalls
Overview
In this lesson, you will first review firewalls from a conceptual viewpoint to learn about the types of firewalls, how each of these types works, and what protection they can provide for your network. After you have the foundational concepts under your belt, you will go through a series of exercises to actually implement two different firewall solutions: Microsoft's Internet Security and Acceleration Server, which runs on top of the Windows platform; and IPTables, which runs on top of the Linux platform. This will provide you with the practical working knowledge to implement a firewall in your network environment.

Data Files: ISAScwHlpPack.exe
Lesson Time: 5 hours

Objectives
To configure network firewalls in the defense of a network, you will:
5A Describe standard firewall functionality and common implementation practices. Firewalls come in a wide variety of flavors today. In addition to the many vendor offerings, there are also many versions of "build your own" firewalls. Regardless of the firewall implementation you are working with, there are commonalities between them, both functionally and in implementation methodologies. Exploring these commonalities will provide you with a solid foundation for developing mastery of firewall implementation.
5B Install, configure, and monitor Microsoft ISA Server 2006. In this topic, you will install Microsoft ISA Server 2006 and work with the built-in configuration tools. In addition, you will explore options for managing, monitoring, and auditing ISA Server 2006.
5C Examine the concepts of Linux IPTables. In this topic, you will examine how IPTables creates a chain of rules that can control the egress and ingress of specific network traffic. IPTables is a popular build-your-own type of firewall that you will find implemented in many networks.
5D Apply firewall concepts and knowledge to a scenario. In this topic, you will be given a specific network situation, and you will then design firewall topology and rule sets to create the required firewall security posture.

Lesson 5: Configuring Firewalls

Topic 5A
Understanding Firewalls
Technology-based firewalls first appeared on the networking scene in the early 1990s. As the Internet and networks in general have developed and progressed, so have the potential digital dangers. Firewalls have progressed right alongside, developing from simple gatekeepers to comprehensive security tools that can work in conjunction with intrusion detection systems and malware scanners. Security has become increasingly problematic for systems connected to the Internet. Network intrusions and attacks have now become so common that the risk is understood as an unavoidable part of conducting business in the digital age. In a modern network, firewall technology is a mainline component for any organization that has defined a network security architecture. Even home users connected to the Internet through commercial ISP connections regularly install software and hardware firewalls to provide a measure of protection for their personal systems. Fear not: in this module we are going to lift the veil of mystery and discover what a firewall does and how firewalls actually work. Firewalls generally comprise the first line of defense for a network and, therefore, a solid working understanding of firewalls is essential in today's networked world. You will also examine how to implement and configure two popular platform-specific firewalls: Microsoft Internet Security and Acceleration (ISA) Server 2006 and the built-in Linux firewall, IPTables. Let's examine some firewall basics now.

Firewall Basics
A basic understanding of what firewalls are and how they work will give us a common framework of reference. We can then build our practical skills on top of this framework when we investigate how to implement and configure our two firewalls. This will be most effective if we can derive the answers to the following questions:
What is a network firewall?
What are common firewall-related terms?
What are the basic functions of a firewall?
What do addresses, ports, protocols, and services have to do with a firewall?
What are the common types of firewalls?
How are firewall rules built?
What are the common firewall network topologies?
Why would I want a firewall?
What can a firewall not protect me from?

What is a Network Firewall?


A firewall can be described as a security mechanism that places limitation controls on all inbound and outbound network communications between individual systems or entire networks of systems by permitting, denying, or acting as a proxy for all data connections.

Figure 5-1: Firewalls control network communication.

A firewall generally consists of a software program (code) that works in conjunction with a hardware device that is responsible for physically transmitting network data. Firewalls can exist as a software program installed on top of an operating system or as a specialized hardware device running proprietary code. Depending on the size and complexity of the environment being protected, firewalls can be configured as a single system or have multiple systems working in concert. Many firewalls are capable of handling multiple types of transport protocols (TCP/IP, IPX/SPX, etc.). However, for the purposes of our discussion here, we will operate under the assumption that you are going to be using the current industry standard, TCP/IP, as your network transport protocol of choice.

Firewall Terms
We know that networks are made up of multiple connected systems, all with varying degrees or levels of trust between them. Your daily interactions with the network of humans around you are a good illustration of the principle of networked trust. For example, you might trust your best friend with the keys to your car, but certainly not the person you just met at the car wash. In a networked environment, these areas of interaction can be referred to as zones of trust. Some common examples of these zones would be the Internet, which is a zone with little or no trust, and your internal network, which would be a zone with a high level of trust.

Figure 5-2: Firewalls separate zones of trust.

The networking world has spawned a variety of terms such as Internet, extranet, intranet, and DMZ. We can use these terms to define the zones of trust that commonly occur in any given network environment.
Internet: This zone of trust corresponds to the worldwide public network of systems. Since this zone is accessible by anyone, it is our least trusted zone. In firewall terminology, this is often referred to as an unprotected or external network.
Intranet: An intranet is a private network that is used to securely share an organization's information or operations within the organization. In firewall terminology, this is often referred to as a protected or internal network.
Extranet: This zone of trust is a semi-private network that an organization creates to share parts of its private network with business partners such as customers, suppliers, or other collaborative partners. Basically, this is an extension of the private zone of trust to include specific types of access for approved outside entities.
DMZ: The Demilitarized Zone of trust is a network segment or segments located between protected and unprotected networks. DMZs are generally configured in one of two basic topologies: chained and three-legged. A chained DMZ is isolated in a linear fashion between the trusted and untrusted zones by a firewall on either side, whereas a three-legged DMZ is connected to a third interface of a single firewall that separates the trusted and untrusted zones, creating a third network spoke off the firewall.

Basic Functions of a Firewall


A firewall's primary function is to control the communications between systems and/or networks that exist in zones with differing trust levels. The firewall's control of network communication across zones of trust allows us to enforce our security policy. This enables us to create a network connectivity model based on the principle of least privilege and set up varying levels of access based on the source, destination, and type of network communication.

Figure 5-3: Firewalls enforce access rules between zones of trust.

Address, Port, Protocol, and Services: The Building Blocks of Firewall Rules
In order to really understand what a firewall does, it will be helpful to take a quick review of how network communications work, especially in respect to the Internet Protocol. All Internet Protocol communications have several properties in common. It is these common properties that allow a firewall to perform most of its functionality. There are five basic commonalities generally present in network communications over the Internet Protocol:
Source address: This is where the communication originated from.
Destination address: This is where the communication is going to.
Protocol used: This could be TCP, UDP, ICMP, IGMP, etc.
Target port: A port is an endpoint to a logical network connection. This port number is how a network request specifies a specific service from a remote resource on a network. (IANA RFC 1700 specifies well-known port numbers.)
Service: This is the application that is offering the data or functionality requested by the connection. Generally, services listen for requests on a specific port over a specific protocol.

We use similar mechanisms in our non-digital daily lives to move information from one place to another. A good example is returning a defective computer part to a manufacturer. We know that we are sending the part from ourselves (the source). Then we obtain the manufacturer's address (the destination). We decide on a shipper: FedEx, UPS, DHL, etc. (the protocol). We also add "Attention: RMA department" to the label (the port). Because of how we addressed, shipped, and labeled the package, when it arrives at the manufacturer it will be handed over to the warranty service department for repair or replacement (the service).

From this example, you can see that the concepts of source, destination, protocol, port, and service are commonly used in our daily lives. In relation to a firewall, these commonalities of network communication form the building blocks of the rule sets that firewalls use to control access to and from network entities.

Firewalls and the OSI Model


To simplify the complexities of networking heterogeneous systems, it is often useful to use the Open Systems Interconnection (OSI) model as a frame of reference. The OSI model is an abstraction of network communications between computer systems and network devices.

Lesson 5: Conguring Firewalls


Figure 5-4: The Open Systems Interconnection (OSI) model.

In a nutshell, the layers of the OSI model perform the following functions:

- Layer 7: Application - interface from the network to applications
- Layer 6: Presentation - data representation and encryption
- Layer 5: Session - manages connections between applications
- Layer 4: Transport - end-to-end connections and reliability
- Layer 3: Network - path determination and logical addressing (IP)
- Layer 2: Data Link - physical addressing (MAC and LLC)
- Layer 1: Physical - media, signal, and binary transmission

A full discussion of the OSI model is outside the scope of this module, but the layers relevant to the topic of firewalls will help us understand how they function. Current firewall technology operates on the OSI model layers shown in the following figure.

Figure 5-5: Firewalls operate at Layers 2, 3, 4, and 7 of the OSI model.


Firewalls generally operate at the levels corresponding to OSI Layers 2, 3, 4, and 7. The common properties of source and destination address, protocol, port, and service that we examined earlier live at these layers of the OSI model.

Layer 2 (Data Link) is the lowest layer that contains addressing that can uniquely identify a single specific source or destination. These addresses are MAC (Media Access Control) addresses and are assigned to physical network interfaces; the MAC address of a standard Ethernet card is an example of a Layer 2 address. A firewall can use this layer to discriminate source and destination addresses on the local segment, but note that MAC addresses are not carried end to end across routers and are trivial for an attacker on the same segment to change.

Layer 3 (Network) is the layer that handles logical addressing and the delivery of traffic between networks: IP addresses, routing and forwarding decisions, and fragmentation. Like Layer 2, Layer 3 can be used by a firewall to discriminate source and destination addresses for communications control, and it is the layer most firewall rules are written against.

Layer 4 (Transport) is the layer that identifies end-to-end communication sessions. This is where the transport protocol (TCP or UDP) and the source and destination ports are specified. (ICMP is carried directly inside IP and is usually treated as a Layer 3 protocol, but firewalls match on its type and code in much the same way they match on ports.) Firewalls examine the protocol and port information from Layer 4 and use these values to control network communication.

Layer 7 (Application) supports both application (service) and end-user processes. This layer is where communication partners, authentication, quality of service, and any data syntax constraints are identified. Everything at this layer is application specific: data is passed from the program in an application-specific format, then encapsulated and passed to the layers below.
Firewalls can use a host of information, such as service-specific information that occurs at the application layer, to inspect and control inbound and outbound data communication and enhance your security posture. The additional layer coverage enables the firewall to handle advanced applications and protocols. A good example of this is user authentication. A simple firewall that functions only on Layers 2 and 3 will not normally be able to distinguish individual users, whereas a firewall with awareness of the application layer (Layer 7) can enforce communications policies based on user authentication.

Classifying Firewalls
Firewalls have continued to evolve since their inception and are growing more sophisticated. As with any sophisticated system, a methodology for classification can facilitate understanding. The simplest way to classify firewalls is by how they handle the process of controlling network communications:

- Is the communication controlled between a single system and a network, or between two or more network segments? Firewalls that control communication with a single system are generally called Personal Firewalls. Firewalls that control communication between network segments are called Network Firewalls.
- Is the communication intercepted and inspected at the network layer or at the application layer? Network-layer firewalls are called Packet Filter Firewalls. Application-layer firewalls are called Application Gateways or Proxy Firewalls.
- Is the communication state being tracked and maintained by the firewall? If the firewall does not track the communication state, it is classified as a Stateless Firewall. If it tracks the state of connections, it is classified as a Stateful Firewall.

Examining the Common Types of Firewalls


For both Personal Firewalls and Network Firewalls, there are three common types of firewall in general use today: Simple Packet Filter Firewalls, Stateful Packet Filter Firewalls, and Application Level Firewalls. Let's examine the strengths and weaknesses of each.

Simple Packet Filtering Firewalls


Simple packet filters are the most fundamental type of firewall. They inspect individual inbound or outbound packets and compare them against a rule set to determine whether each packet should be permitted or denied. In their most basic form, packet filter firewalls operate at OSI Layers 2 (Data Link) and 3 (Network). They provide network access control by comparing the rule set to information contained in the packet, such as:

- The source address of the packet, which is the IP address of the system the packet originated from.
- The destination address of the packet, which is the IP address of the system the packet is being sent to.
- The network protocol being used to communicate between the source and destination addresses.

Some simple packet filters will also match on characteristics of Layer 4 communications such as the source and destination ports of the connection. If the firewall is multi-homed to three or more network segments (such as in a three-legged DMZ configuration), the firewall also knows which of its interfaces a packet arrived on and which interface it would leave by, and rules can match on those interfaces even though they are not part of the packet itself.


Figure 5-6: OSI Layers of inspection for a Simple Packet Filter Firewall.

Weaknesses of Simple Packet Filter Firewalls


If you are using a simple packet filter firewall, there are several inherent weaknesses in this type of firewall that you should be aware of and take special care to overcome where possible.

- Application-specific vulnerabilities: Packet filter firewalls do not inspect upper-layer data, and therefore cannot protect against intrusions that make use of application-specific vulnerabilities.
- Limited logging: Since so little information is gathered by the firewall, the simple packet filter has limited logging capabilities, which limits the data available for policy decisions and can hamper intrusion investigations.
- No authentication: Because they operate at OSI layers below where authentication happens, simple packet filter firewalls cannot generally make use of user authentication as part of their control mechanisms.
- Vulnerable to spoofing: There are several weaknesses in the TCP/IP specification and protocol stack that packet filters have a tough time overcoming. A good example is network-layer address spoofing: a simple packet filter has no way to tell whether the OSI Layer 3 source address in a packet is genuine. The one check it can and should make is interface-based anti-spoofing, discarding any packet that arrives on the external interface carrying an internal (or reserved) source address.
- Large attack surface: Another weakness of simple packet filter firewalls is due to the way TCP connections work. In general, a client requests a service on a well-known, low-numbered port (0 to 1023), and the server's replies go back to the client's randomly chosen ephemeral source port (above 1023). A simple packet filter has no memory of the outbound request, so to let those replies in you normally have to open all ports greater than 1023 inbound, or rely on the TCP ACK flag being set ("established" rules), which an attacker can set on crafted packets anyway. Either way, a very large attack surface is exposed to the outside network.
- Easy to misconfigure: Simple packet filter firewalls have very few variables to use for inspection and rule set creation. When attempting to create complex and comprehensive rule sets, it is easy to accidentally configure a rule that allows, or fails to deny, traffic that your network policy says should be denied. Conversely, it is also easy to block traffic that should be permitted.

Stateful Packet Filter Firewalls


We have already discovered that simple packet filter firewalls operate across Layers 2 and 3 of the OSI model. The stateful packet filter adds Layer 4 awareness in addition to Layers 2 and 3. Because they can keep track of logical virtual connection circuits, these firewalls are also sometimes (loosely) referred to as circuit-level firewalls.

Figure 5-7: OSI Layers of inspection for a Stateful Packet Filter Firewall.

Stateful packet filters control traffic in basically the same manner as a simple packet filter, using rule sets, but they have additional intelligence in their logic that enhances their performance and solves several of the challenges of simple packet filter firewalls. The stateful moniker comes from the fact that these firewalls keep track of the state of all accepted connections in a table that resides in memory. This enables the firewall to determine whether an incoming packet opens a new connection or is part of an existing, established one. Once the connection has ended or has timed out, its entry in the state table is discarded. Some applications send periodic keepalive packets to stop a firewall from dropping the connection during periods of low user activity.


Figure 5-8: Example of a connection state table.

This ability to discriminate between new connections and existing ones brings several advantages to this type of firewall over a simple packet filter.

- Lower attack footprint: Stateful firewalls can take additional actions based on data in the state table, such as dynamically opening the return port for each individual connection instead of leaving every port above 1023 open. This lowers your attack footprint, which increases your security posture.
- Less susceptible to spoofing: A stateful firewall holds in memory key attributes of individual connections. These include the IP addresses and ports for both ends of the connection and the TCP sequence numbers of the packets sent through it. A crafted packet has to get all of those right to be accepted as part of an existing connection, which makes the stateful firewall far less susceptible to spoofing.
- Easy black-hole configuration: Stateful firewalls can easily be configured to pass all outgoing packets, but to permit incoming packets only if they are part of an established connection listed in the state table. This prevents intruders from starting unsolicited connections to resources in the protected network. Coupled with a rule to silently discard unsolicited packets, this turns your network into a black hole on the Internet.
- Less resource intensive: Tracking the connection state makes packet inspection more efficient. Packets for existing connections through the firewall only have to be checked against the state table, which is cheaper than checking the packet against the full rule set.

Stateful inspection firewalls share some of the weaknesses of packet filter firewalls; however, the advantages created by the state table mean that stateful inspection firewalls are generally more secure than simple packet filter firewalls.
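To make the state table, and the "open everything above 1023" weakness of the simple packet filter that it cures, concrete, here is an added example in Python (not code from the book): a stateless inbound check placed beside a small stateful filter with a connection table, idle timeouts and keepalive refresh. The packets, the 10.0.0.0/24 internal network, the 60-second timeout and the addresses (RFC 5737 documentation ranges) are all assumed for illustration.

```python
"""Stateless vs. stateful handling of reply traffic (added example, not from the book).

Packets are constructed tuples, not captured traffic; the addresses come
from the RFC 5737 documentation ranges and the protected network is assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    ack: bool = False  # TCP ACK flag; set on everything after the initial SYN


INTERNAL = ip_network("10.0.0.0/24")  # assumed protected network


def stateless_inbound_allowed(p: Packet) -> bool:
    """Simple packet filter: it has no memory of outbound requests.

    To let replies reach clients' ephemeral ports it must admit every inbound
    packet to a port above 1023 that carries the ACK flag. An attacker can set
    ACK on a crafted packet, so this admits probes (ACK scans) as well.
    """
    return ip_address(p.dst) in INTERNAL and p.dport > 1023 and p.ack


class StatefulFilter:
    """Remembers accepted connections so only matching replies get in."""

    def __init__(self, timeout: float = 60.0):
        self.timeout = timeout
        # (src, sport, dst, dport, proto) of the outbound packet -> last seen time
        self.table = {}

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    @staticmethod
    def _reply_key(p: Packet) -> tuple:
        # An inbound reply is the outbound tuple with both ends swapped.
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def _expire(self, now: float) -> None:
        for k, seen in list(self.table.items()):
            if now - seen > self.timeout:
                del self.table[k]

    def outbound(self, p: Packet, now: float) -> bool:
        """Policy for this example: the protected side may open anything."""
        self._expire(now)
        if ip_address(p.src) not in INTERNAL:
            return False
        self.table[self._key(p)] = now
        return True

    def inbound(self, p: Packet, now: float) -> bool:
        """Accept only packets that belong to a connection in the table."""
        self._expire(now)
        k = self._reply_key(p)
        if k not in self.table:
            return False  # unsolicited: discard (black-hole behaviour)
        self.table[k] = now  # traffic, including keepalives, refreshes the entry
        return True

    def close(self, p: Packet) -> None:
        """Called when the connection ends (FIN/RST seen): forget its state."""
        self.table.pop(self._key(p), None)


# Constructed sample traffic.
OUTBOUND = Packet("10.0.0.5", 51234, "203.0.113.10", 443)
REPLY = Packet("203.0.113.10", 443, "10.0.0.5", 51234, ack=True)
PROBE = Packet("198.51.100.7", 40000, "10.0.0.5", 8080, ack=True)  # ACK scan
SPOOF = Packet("203.0.113.10", 443, "10.0.0.5", 51299, ack=True)  # right host, wrong port


def demo() -> dict:
    fw = StatefulFilter(timeout=60)
    fw.outbound(OUTBOUND, now=0)
    return {
        "stateless_reply": stateless_inbound_allowed(REPLY),
        "stateless_probe": stateless_inbound_allowed(PROBE),  # the weakness
        "stateful_reply": fw.inbound(REPLY, now=1),
        "stateful_probe": fw.inbound(PROBE, now=1),
        "stateful_spoof": fw.inbound(SPOOF, now=1),
        "stateful_after_timeout": fw.inbound(REPLY, now=200),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {'accept' if verdict else 'discard'}")
```

The stateless check admits the ACK-flagged probe to port 8080 just as readily as the genuine reply; the stateful filter admits only the packet whose reversed 5-tuple is in its table, rejects the same server talking to a port it never opened, and forgets the entry once it has been idle longer than the timeout, which is why long-lived applications send keepalives. A real implementation also tracks TCP sequence numbers per entry, which this model omits.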

Application Level Firewalls


Application level firewalls (also sometimes called Application-Proxy Gateways) are sophisticated firewalls that combine the lower-layer access controls with inspection at Layer 7 of the OSI model (the Application Layer). Application level firewalls control the forwarding of packets between the trusted and untrusted zones configured on the firewall based on which application or service is sending or receiving the data. All network traffic that passes through the firewall does so under the control of the application-proxy software.


Figure 5-9: OSI Layers of inspection for an Application Level Firewall.

Application level firewalls are capable of deep packet inspection, reading the actual data inside a packet in order to make accurate appraisals of which connections to allow and which to deny. This lets them detect bypass attempts such as masking non-permitted communications inside packets sent over permitted ports, for example hiding IRC traffic on port 80 to masquerade as HTTP. Traditional stateful firewalls cannot detect this, whereas an application level firewall can inspect the stream and deny it if the content is not actually HTTP. Application level firewalls also generally have the ability to require authentication of each user or system attempting to transmit data across the firewall. A wide variety of authentication forms are available, including:

- User ID and password authentication
- Hardware or software token authentication
- Source address authentication
- Biometric authentication

Application level firewalls have several advantages over both types of lower-level packet filter firewalls we previously examined.

- Extensive logging capabilities: Application level firewalls have extensive logging capabilities because the firewall is able to examine the entire packet contents instead of just the lower-level addresses and ports. Application level firewall logs often contain the application-specific commands issued over the connection. This can be very useful for both policy management and intrusion incident investigation.
- Enforcement of authentication: The authentication capabilities built into application level firewalls are vastly superior to those found in packet filter or stateful inspection firewalls. Application level firewalls allow you to set enforcement rules on the types of authentication that are most appropriate for your network environment, as opposed to relying only on source and destination addresses and ports.
- Less susceptible to TCP/IP vulnerabilities: Application level firewalls can inspect the entire contents of a packet to ensure that the contents are appropriate for the target destination. This greatly improves the firewall's ability to block spoofing attacks and other TCP/IP-level vulnerabilities.

The deep packet inspection of an application level firewall can be resource intensive. Therefore, most application level firewalls include stateful inspection to optimize resource utilization. One potential danger to application level firewalls is that savvy intruders may attempt to defeat the deep inspection by encrypting their packet contents, for example by tunneling inside SSL/TLS. This is why it is important to configure a rule that denies inbound encrypted communication by default: allow it only to explicitly published services (ideally with the proxy terminating TLS so that it can inspect the content), or where it belongs to a connection that originated inside the trusted zone and is listed in the state table.
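The IRC-over-port-80 bypass discussed above is the classic case. As an added example in Python (not code from the book), here is the kind of check an application proxy makes that a port-only filter cannot: it parses the start of a port-80 stream as an HTTP/1.x request line, requires the Host header that HTTP/1.1 demands, applies a method allow-list, and then contrasts the verdicts of a stateful (port-only) filter and a proxy. The payloads are constructed, and the permitted-method policy and the treatment of port 443 are assumptions for illustration.

```python
"""Application-layer check: is the traffic on port 80 really HTTP? (added example)

A stateful filter sees only "TCP to port 80" and lets IRC tunnelled over
port 80 through; a proxy that reads the payload does not. All payloads
below are constructed for the example, not captured traffic.
"""
import re

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.<minor> CRLF
REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT|PATCH) (\S+) HTTP/1\.([01])\r\n"
)
# Assumed policy: the published web server only needs these methods.
PERMITTED_METHODS = {b"GET", b"HEAD", b"POST"}


def classify_http(payload: bytes) -> str:
    """Return 'http' if the stream opens with a well-formed HTTP/1.x request
    whose method is permitted by policy; otherwise a short reason string."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return "not-http"  # e.g. an IRC "NICK ..." line on port 80
    method, minor = m.group(1), m.group(3)
    head, _, _ = payload.partition(b"\r\n\r\n")
    headers = head.split(b"\r\n")[1:]
    # RFC 7230 section 5.4: every HTTP/1.1 request must carry a Host header.
    if minor == b"1" and not any(h[:5].lower() == b"host:" for h in headers):
        return "http-missing-host"
    if method not in PERMITTED_METHODS:
        return "http-method-denied"
    return "http"


def decide(firewall: str, dport: int, payload: bytes) -> str:
    """Verdict for an inbound TCP segment addressed to the published web server.

    'stateful' matches on the destination port only; 'proxy' also reads the payload.
    """
    if dport not in (80, 443):
        return "discard"
    if firewall == "stateful":
        return "accept"
    if firewall == "proxy":
        if dport == 443:
            # Encrypted: cannot be inspected unless the proxy terminates TLS.
            return "accept-encrypted"
        return "accept" if classify_http(payload) == "http" else "deny"
    raise ValueError(f"unknown firewall type: {firewall}")


# Constructed payloads.
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
IRC_OVER_80 = b"NICK intruder\r\nUSER intruder 0 * :intruder\r\nJOIN #drop\r\n"
HTTP_NO_HOST = b"GET / HTTP/1.1\r\n\r\n"
HTTP_10 = b"GET / HTTP/1.0\r\n\r\n"
HTTP_TRACE = b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


if __name__ == "__main__":
    for name, data in [("HTTP_GET", HTTP_GET), ("IRC_OVER_80", IRC_OVER_80),
                       ("HTTP_NO_HOST", HTTP_NO_HOST), ("HTTP_TRACE", HTTP_TRACE)]:
        print(f"{name:13s} stateful={decide('stateful', 80, data):7s} "
              f"proxy={decide('proxy', 80, data)}  ({classify_http(data)})")
```

A production proxy goes much further (full header parsing, body length checks, response inspection), but the shape is the same: the port-only filter returns accept for every one of these payloads, while the proxy rejects the IRC login, the malformed HTTP/1.1 request, and a method the published site does not need. The port-443 branch is the encrypted-tunnel caveat from the text made explicit: without TLS termination the proxy is back to port-level decisions.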

Building Firewall Rules to Control Network Communications


We have discovered that modern firewalls can control network traffic based on a wide range of packet or application attributes contained in the layers discussed previously. When a packet is received by the firewall, it inspects the attributes that were added to the packet as it passed through the various networking layers. This information is then compared to the rules that have been configured on the firewall. Based on the outcome of the comparison, the packet can be handled in any of the following ways.

- Accept: The firewall passes the packet through to the destination requested by the packet.
- Deny: The firewall drops the packet without passing it through, and returns an error message to the source address (a TCP reset or an ICMP unreachable message, depending on the product and the protocol). Many products call this action reject.
- Discard: The firewall drops the packet but does not return an error message to the source address. This creates the appearance that the firewall is not even on the network; it is often referred to as a black hole because it does not reveal its presence through error messages. Many products call this action drop.


A partial list of attributes that can be examined by a firewall and used for rule set comparison would look like this:

- Source address
- Destination address
- Protocol
- Source port
- Destination port
- Source service
- Destination service
- TTL values
- Originator's netblock
- Destination netblock
- Domain name of the source
- Domain name of the destination
- Application source
- Application destination
- Authentication
- And many other attributes

Firewall rules are the heart of your firewall system. These rules build on one another and are generally parsed in sequence. The first rule the firewall finds that matches the attributes of the packet is the rule that is applied; later rules are never consulted for that packet. Most firewalls have a configuration option that allows you to manage how rules are parsed within a given rule set. Ordering your rule sets correctly is an important step in ensuring that the firewall behaves as expected. View the following figure and look at rule number seven (the default deny rule). This rule is the last rule in the set. If it were placed anywhere but last in the list, all rules below it would have no effect, because all traffic would already be denied by this rule. Without careful ordering of your rules, you will find your firewall producing unexpected results. One thing you can count on is that a firewall will do exactly what you tell it to do. It is a wise firewall administrator who plans his or her rules carefully and keeps them well documented!

Figure 5-10: Example firewall rule set.



Common Firewall Topologies


Firewalls can be configured in a variety of topologies to meet the needs of any size or style of network environment. There are three standard firewall topologies that are commonly used in modern networks, each applicable to a particular kind of network environment. Choosing the correct firewall topology for your network is the first step in successfully implementing a firewall. We have discovered that firewalls are used to enforce access controls between systems or network segments linked across zones with varying levels of trust. It should not be surprising, therefore, when we examine the common firewall topologies to find a firewall at each location where different trust zones connect.

Perimeter Firewall: The perimeter firewall topology (also referred to as an edge configuration, bastion host, or screened configuration) is the most common firewall topology. This topology places a single firewall directly between the trusted and untrusted systems or networks.

Figure 5-11: Example of a perimeter firewall topology.

Perimeter firewalls are the simplest configuration to use when no trusted resources need to be available to the untrusted network. One exception would be remote users; in this case, the firewall is often combined with VPN technology to allow external users to securely access the internal network. This is a good choice of topology when you want to allow access to the Internet from your trusted network but do not wish to make internal resources available to users on the Internet. You can configure a perimeter firewall to allow access to specific internal resources by creating firewall rules that allow outside access to only those resources, such as an SMTP server or web server. In fact, many people do exactly that. Be aware, however, that if the internal resource is compromised over the externally accessible port, the attacker is then standing on your internal network and the firewall offers no further obstacle. If you need to make resources available to users on untrusted networks, the better choice is one of the following DMZ configurations.

Three-Legged (DMZ) Firewall Topology: The three-legged DMZ topology is commonly used where you need to publish resources to an untrusted network such as the Internet. This topology uses a single firewall like the perimeter topology; however, in this configuration the firewall has an additional network interface that is connected to a network containing the externally available resources.


Figure 5-12: Example of a three-legged (DMZ) firewall topology.

The three-legged firewall topology allows you to publish resources while still blocking all inbound access to your internal network. In this topology, the firewall rules are configured differently for the internal and DMZ interfaces. The internal interface is configured to deny external access to the internal network, while the DMZ interface is configured to allow access to specific resources in the DMZ from the external network. This configuration increases the security posture of your internal network by removing the need to open any inbound ports to the internal network other than for client return connections. An additional security benefit of this topology is that if one of the publicly accessible resources is compromised, the attacker still faces the firewall's DMZ-to-internal rules rather than an open network; the internal network is only as protected as those rules, so keep them as tight as the external ones.

Chained (DMZ) Firewall Topology: Another DMZ topology commonly used where you need to publish resources to an untrusted network such as the Internet is the chained DMZ. This topology uses a pair of firewalls to create the DMZ; the two firewalls sandwich the DMZ between the internal and external networks. Since this configuration contains two firewalls and consequently two sets of firewall rules, it can be considerably more complex to set up. However, when correctly configured, it brings a high level of protection to your network.

Figure 5-13: Example of a chained (DMZ) firewall topology.


This topology is commonly used where both the external network and the internal network need access to resources in the DMZ, and those DMZ resources also require communication with other servers and services that reside inside the internal network. A good example would be a mail server that needs to authenticate internal users against a directory service on the internal network. The mail server in this scenario has two requirements: it must be able to exchange inbound and outbound SMTP traffic with the Internet, and it must be able to reach the directory service in the internal network. Another situation where this topology would be an appropriate choice is an e-commerce site that connects to a database containing sensitive customer information. In this scenario, you would place the front-end web server in the DMZ behind the front firewall, then place the database server on the segment behind the back firewall. The front firewall rules would be configured to allow only inbound TCP ports 80 and 443 to the web server, while the back firewall rules would allow only the web server to query the back-end database server on its database port, effectively isolating the database server from the Internet. When correctly configured, the chained DMZ firewall topology offers a high level of protection from external network access, while providing ample flexibility for communications between the DMZ and the internal network.
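The following added example in Python (not code from the book) ties together the five-tuple building blocks, the accept/deny/discard actions, first-match rule ordering and the two rule sets of the chained DMZ just described: a small first-match rule engine, the front and back firewall rule sets with explicit anti-spoof and default-deny rules, a walk of sample packets through the firewalls they would cross, and the effect of moving the default-deny rule to the top. The addresses (RFC 5737 ranges), the interface names, the PostgreSQL port 5432 for the database and the rule comments are all assumptions for illustration.

```python
"""First-match rule engine and chained-DMZ rule sets (added example, not from the book).

Addresses come from the RFC 5737 documentation ranges; the database port
5432 (PostgreSQL) and the interface names are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ACCEPT, DENY, DISCARD = "accept", "deny", "discard"
ANY = "0.0.0.0/0"
INTERNAL, DMZ_NET = "10.0.0.0/24", "192.0.2.0/24"
WEB, DB = "192.0.2.10/32", "10.0.0.20/32"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"
    dport: int  # 0 where the protocol has no ports
    iface: str  # interface the packet arrived on: "ext", "dmz" or "int"


@dataclass(frozen=True)
class Rule:
    iface: str            # "any" or an interface name
    src: str              # CIDR
    dst: str              # CIDR
    proto: str            # "any", "tcp", "udp" or "icmp"
    dport: Optional[int]  # None = any port
    action: str
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("any", p.iface)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet, default: str = DISCARD) -> Tuple[int, str]:
    """First matching rule wins. Returns (1-based rule number, action);
    rule number 0 means nothing matched and the implicit default applied."""
    for n, rule in enumerate(rules, start=1):
        if rule.matches(p):
            return n, rule.action
    return 0, default


def response(action: str) -> Optional[str]:
    """What the sender observes: deny answers with an error, discard stays silent."""
    return {ACCEPT: "forwarded", DENY: "icmp-unreachable", DISCARD: None}[action]


# Front (Internet-facing) firewall: interfaces "ext" and "dmz".
FRONT = [
    Rule("ext", DMZ_NET, ANY, "any", None, DISCARD, "anti-spoof: DMZ addresses never arrive from outside"),
    Rule("ext", INTERNAL, ANY, "any", None, DISCARD, "anti-spoof: internal addresses never arrive from outside"),
    Rule("ext", ANY, WEB, "tcp", 80, ACCEPT, "published web server, HTTP"),
    Rule("ext", ANY, WEB, "tcp", 443, ACCEPT, "published web server, HTTPS"),
    Rule("dmz", INTERNAL, ANY, "any", None, ACCEPT, "internal users outbound, already vetted by the back firewall"),
    Rule("any", ANY, ANY, "any", None, DISCARD, "default deny, must stay last"),
]

# Back (internal-facing) firewall: interfaces "dmz" and "int".
BACK = [
    Rule("dmz", INTERNAL, ANY, "any", None, DISCARD, "anti-spoof: internal addresses never arrive from the DMZ"),
    Rule("dmz", WEB, DB, "tcp", 5432, ACCEPT, "web tier may query the database and nothing else"),
    Rule("int", INTERNAL, ANY, "any", None, ACCEPT, "internal users outbound, replies handled by the state table"),
    Rule("any", ANY, ANY, "any", None, DENY, "default deny, answered with an error"),
]


def firewalls_crossed(p: Packet) -> List[Tuple[str, List[Rule]]]:
    """Which firewalls a packet meets, given where it arrives and where it is going."""
    dst_internal = ip_address(p.dst) in ip_network(INTERNAL)
    dst_dmz = ip_address(p.dst) in ip_network(DMZ_NET)
    if p.iface == "ext":
        return [("front", FRONT)] if dst_dmz else [("front", FRONT), ("back", BACK)]
    if p.iface == "int":
        return [("back", BACK)] if dst_dmz else [("back", BACK), ("front", FRONT)]
    return [("back", BACK)] if dst_internal else [("front", FRONT)]


def chained_dmz(p: Packet) -> List[Tuple[str, int, str]]:
    """Walk a packet through the chained DMZ, stopping at the first non-accept verdict."""
    verdicts = []
    for name, rules in firewalls_crossed(p):
        n, action = evaluate(rules, p)
        verdicts.append((name, n, action))
        if action != ACCEPT:
            break
        p = Packet(p.src, p.dst, p.proto, p.dport, "dmz")  # next firewall sees it arrive from the DMZ
    return verdicts


if __name__ == "__main__":
    samples = {
        "internet -> web:443": Packet("198.51.100.7", "192.0.2.10", "tcp", 443, "ext"),
        "internet -> web:22": Packet("198.51.100.7", "192.0.2.10", "tcp", 22, "ext"),
        "internet -> db:5432": Packet("198.51.100.7", "10.0.0.20", "tcp", 5432, "ext"),
        "web -> db:5432": Packet("192.0.2.10", "10.0.0.20", "tcp", 5432, "dmz"),
        "web -> fileserver:445": Packet("192.0.2.10", "10.0.0.30", "tcp", 445, "dmz"),
        "internal user -> internet:443": Packet("10.0.0.5", "198.51.100.7", "tcp", 443, "int"),
        "spoofed internal src via dmz": Packet("10.0.0.5", "10.0.0.20", "tcp", 5432, "dmz"),
    }
    for label, pkt in samples.items():
        print(f"{label:30s} {chained_dmz(pkt)}")
    misordered = [FRONT[-1]] + FRONT[:-1]  # default deny moved to the top
    print("misordered front, https:", evaluate(misordered, samples["internet -> web:443"]))
```

Two details are worth noting. The anti-spoof rules sit first on both firewalls because a rule is only as good as what precedes it: a packet arriving on the DMZ interface with an internal source address must be discarded before the "web tier may query the database" rule gets a chance to match it. And the back firewall's default rule uses deny (an error goes back) while the front firewall's uses discard (silence toward the Internet), which is the black-hole behaviour the text describes; `response()` shows the difference the sender sees. The last line reproduces the rule-ordering mistake from the text: with the default-deny rule moved to position one, even the published HTTPS service is unreachable.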

Why Would I Want a Firewall on My Network?


The Wild Frontier
The Internet is sometimes referred to as the new frontier. And like any frontier setting, it has its share of undesirable elements. Out on the frontier, the only safety you can count on is the safety you create for yourself. Placing a firewall on your network is like the old-time explorers building a fort for protection. It does not guarantee total immunity, but it provides much more safety than a canvas tent when danger approaches. Like the frontier, the Internet is filled with opportunity. This includes the opportunity to carry out business, to learn, grow, discover, and connect with new people. But close on the heels of frontier-style opportunity come the scavengers and villains. Almost any day, in almost any media you care to name, you will find a new report about some digital danger that has reared its ugly head on the Internet. The net is a representation of society in all its glory and disgrace. From nuisance hackers to serious criminals, the complete gamut of less than well-adjusted societal members can be found. In our normal lives, we install locks on our houses and employ police forces to deter would-be vandals and thieves from taking or damaging our property. Firewalls fulfill this role on our networks. If you don't protect it, you won't own it for long.


Regulatory Compliance
The prominence of Internet dangers has even prompted legislation in many countries that places responsibility for data protection on the organization that owns the information. This is especially true of government, banking, and the healthcare industry. Organizations now find themselves with compliance responsibilities for protecting sensitive data that sometimes carry stiff penalties for noncompliance. This has spawned a general move in most organizations towards a formal set of computing security policies. These policies dictate how an organization's resources must be protected and show that it is meeting regulatory compliance. A firewall is one of the key elements in enforcing the organization's written policy.

Public Image
A firewall can also serve to protect not only your organization's data, but also its public image. Almost every organization has a website today. If these publicly accessible resources are not protected and get hacked, whether through defacement or denial-of-service attacks, the organization's image will be tarnished in the eyes of the website's users. This impact can, and usually does, make itself felt on the organization's bottom line, either through customers going to the competition because they lost trust in your organization as the result of website defacement or data theft, or through lost sales as the result of a denial-of-service attack on your e-commerce site. Firewalls can't always prevent this, but they can mitigate the dangers down to an acceptable level of risk.

What Can a Firewall Not Protect You From?


A firewall is a powerful tool in your security tool box, but there are certain types of dangers that a firewall can do nothing about. Because the purpose of a firewall is to control and limit inbound and outbound network communications between networks or systems of differing trust levels, it stands to reason that it cannot protect against attacks that don't traverse your firewall. The following is a partial list of things that a firewall cannot protect you from.

Firewalls cannot protect against internal threats. This type of threat originates from the zone of trust where the attack is targeted, and includes such things as:

- Disgruntled or unscrupulous workers. This is actually one of the greatest dangers to any network and, not coincidentally, how a great many intrusions actually occur.
- Weak password policies or other poor system administration practices. Firewalls will not be very effective in securing something that has gaping security holes in it to start with. Make sure you follow industry-standard best practices throughout your network environment.

Firewalls cannot protect against attacks that don't traverse your firewall:

- Personal modem or wireless connections. This issue has evolved into a real danger in the era of mobile wireless Internet access. A mobile user who attaches his or her laptop to your trusted network and then connects to the Internet via a 3G, GSM, satellite, or other wireless connection has effectively punched a hole right through your carefully configured security measures.
- Social engineering. This is a proven methodology for breaking into networks that are otherwise secured. It is simply astounding what villainous social engineers can get a user (or even a sysadmin), who is otherwise an intelligent human being, to reveal about his or her computing environment. Your best line of defense against this type of attack is user education.

Firewalls cannot protect against attacks on services that are allowed through your firewall:

- Allowed inbound traffic. This includes attacks on web and email services to which external access has been permitted. If you allow access to your web server through the firewall, and the web server has an unpatched vulnerability that works over port 80 (HTTP), your firewall cannot protect the web server from that attack. Some modern application-layer firewalls capable of deep packet inspection also have varying levels of intrusion detection capability built in, and can potentially mitigate this type of risk. But better safe than sorry: patch, patch, patch!
- Malware and browser threats. Firewalls cannot protect your network against threats that users bring into the network themselves. This includes the many forms of malware such as email viruses, Trojans, browser-based attacks, spyware, and phishing sites. Some modern application-layer firewalls with deep packet inspection have malware detection built in and can potentially mitigate this risk, but again, better safe than sorry: always use anti-malware software and keep it up to date. Here we are back to defense in depth and user education as our best defense.

To have the best chance at defending your network, a well-configured firewall must be augmented by good configuration control, secure OS baselines, patch management, anti-malware programs, sound network administration basics, and a user education program. Defense in depth is the security-conscious administrator's motto.

Things to Consider About Firewall Implementation

Before we move on to the next topic, let's discuss a few simple concepts concerning the real-world implementation of a firewall in your network. If you keep these concepts in mind when you work with an organization's firewall, you will enjoy greater success in securing the network, while keeping management and your users content and supportive.

Firewalls are an Enforcement Tool for Security Policies

A firewall enforces your inter-network access security policy. If you didn't have an access security policy before you put the firewall in place, you do now. It may not be a written policy, but effectively it is still an access security policy. If you haven't made explicit decisions about what you want your inter-network access security policy to be, you will likely wind up with a less than optimal configuration on your firewall, and it will certainly be more difficult to maintain its effectiveness over time. In order to have an effective firewall, you really do need a good security policy, one that is well thought out, written down, and widely agreed to and supported within your organization. It is almost axiomatic in the security field that if you do not have published, formal, written security policies that have received full management approval and support, implementing a firewall will max out your job pain threshold. This is primarily because your users (and management) will not understand why the network doesn't work like it used to, and the ill will and blame will wind up on your doorstep. Before implementing the firewall, you should have created a written policy that explicitly outlines your overall security goals, policies, and procedures, including your firewall configuration and rule sets. Obtaining management support and backing for the policy is critical, as they are the ones with the final authority and responsibility for the organization's operations and information.

A Firewall by Itself is Not a Security Solution


Firewalls can only protect networks and information from certain types of digital dangers. They are designed to control and limit external access to resources. Firewalls can only protect you against threats they can detect, and unfortunately there are no magical all-seeing firewalls. Also, a firewall cannot protect against internal attacks against your network or data. To gain maximum effect, your firewall should be just one layer in a comprehensive defense-in-depth security program. Remember that an attacker doesn't often go through security but looks for ways to go around it! Make it difficult by having more than one layer of defense.

Use a Deny All, Permit by Exception Approach


This is a tried and true approach to configuring firewalls safely. If you deny everything and only allow what you know to be secure or mandatory, you will spend much less time reconfiguring the firewall or responding to intrusions. New vulnerabilities continually pop up in the digital world; the permit all, deny what is dangerous approach means you will have a constant battle to keep up. The permit all, deny dangerous methodology would only work if you knew every danger: past, present, and future. This is just not a realistic approach to security.

Enforce the Least Privilege Rule


This is a basic axiom of all forms of security, regardless of whether it is physical security; user accounts; file, share, and application permissions; or firewall traversal access. You should only grant users, systems, and applications the least amount of privileges or access that they require to carry out their functions. Be leery of anything that requires high levels of privilege or access to function. You can only empty the vault if you have access and the keys.

Be Gracious, but Not Compliant


Enforcing security and dealing with user requests is a delicate balancing act with a little public relations magic sprinkled in. This is especially true if you are trying to secure a network that has been insecure before. Some people will simply not care if what they do creates security risks, as long as it makes their life more convenient. If you open up the firewall a little more at every user's request, you will wind up with a wide open network in the end. At the same time, if you always deny requests, people will turn bitter. It is a simple fact of life that people who feel they can't work with you will find a way to work around you. Security is always a tradeoff against convenience. It is not convenient to have to reach into your pocket to get your house keys to unlock the house when your arms are full of grocery bags after you arrive home from the market. However, we tolerate this inconvenience because we value the items in our house. User education and gracious manners when you deal with users will go a long way to meeting both their needs and keeping the network risks at an acceptable level. Remember, the network is there to meet the business needs of the organization, not because the organization needs a secure data vault. You need to find ways to meet the users' needs while controlling the risks.

208

Tactical Perimeter Defense

Firewalls Are Not Just Perimeter Protection


Last, but certainly not least, expand your view of what firewalls can be used for. In general, we think of firewalls in the context of perimeter protection when connecting to external networks. However, this is a very limited view of a firewall's usefulness in a modern networked environment. It is becoming more and more common for organizations to employ additional firewalls within their internal networks (intranet) to control data flow and protect critical resources or information from unauthorized internal access. For example, an organization might employ an internal firewall to provide an additional layer of security for its financial or human resources information. Examine the following figure and notice the network segments the internal firewall is placed between.

Figure 5-14: Using an internal firewall to secure sensitive internal resources.

In this context, the firewalls are not only controlling access from the external network, the DMZ, and the partner networks, but also from within the organization's internal network itself. Employing firewalls in this manner can significantly increase the security of your sensitive data against internal attacks.


Topic 5B
Configuring Microsoft ISA Server 2006
Introduction to ISA Server 2006
Microsoft's Internet Security and Acceleration Server (ISA) 2006 is what Microsoft calls its integrated edge security gateway. Microsoft's security offerings in the firewall arena have come a long way since its release of Proxy Server 2.0, which had firewall style features. This continued development has resulted in ISA Server 2006 being a robust and mature multilayer firewall. It has a wide range of features and capabilities that will meet the needs of almost any network environment: from small businesses to global enterprises. ISA Server 2006 features the following functionalities:

- Internet Access Control (Proxy)
- Flexible Configuration Controls Including Easy-to-use Wizards
- Configuration Export/Import to XML
- Customizable Protocol Definitions
- Secure Application Publishing
- Server Publishing
- Web Publishing
- SharePoint Publishing
- SSL Bridging
- Application Layer Filtering (Deep Packet Inspection)
- Intrusion Detection Capabilities
- Flood Resiliency Configuration
- Forward and Reverse Web Caching
- Remote User or Branch Office VPN Capability

Common Deployment Scenarios for ISA Server 2006


Networking professionals around the world have had long-standing concerns about performance impact, operational costs, and manageability whenever they deploy a new technology on their networks. This is especially true when you need to deploy a firewall for security purposes. Microsoft spent considerable research effort to discover what the real pain points are when deploying a firewall solution. Fortunately, the ISA Server 2006 design team was the recipient of all this research. Their efforts at making ISA Server 2006 highly deployable in the most common scenarios are evident. They targeted their efforts to make ISA Server 2006 very straightforward to deploy in several common scenarios:

- Protecting your network against external and internal Internet-based threats.
- Publishing content to external consumers in a secure fashion.
- Securely connecting remote branch offices.
- Providing secure access to remote users of the internal network.

In each one of these scenarios, ISA Server 2006 provides a robust solution with streamlined deployment, conguration, management, and reporting.

Protecting Your Network Against External and Internal Internet-Based Threats


Organizations can use ISA Server 2006 to mitigate or eliminate damage to their network resources from the Internet, including unauthorized access and even malware attacks, by using the full-featured suite of tools in ISA Server 2006 to inspect for and block harmful network traffic and content. With its hybrid firewall-proxy architecture, application level deep content packet inspection, granular security policies, comprehensive monitoring, and alerting capabilities, ISA Server 2006 makes it easier to protect and manage your connected network resources. Some of the features that enable ISA Server 2006 to protect your network are:

- Simplified Management Tools: ISA Server 2006 has a suite of management tools that simplify configuration and ongoing administration. As firewall tools go, these tools are relatively intuitive and have a very low learning curve.
- Multilayer deep content inspection: ISA Server 2006 has a comprehensive set of customizable policies, customizable protocol filters, and network topology relationship models that allow you to thoroughly inspect and control the traffic that traverses the firewall.
- Flood resiliency: ISA Server 2006 now features enhanced flood resiliency for network event handling and monitoring. This feature provides a more robust firewall resistance to threats such as denial of service and/or distributed denial of service attacks.
- Unified management and monitoring with MOM: For those organizations that have deployed the Management Pack for Microsoft Operations Manager, ISA Server 2006 can be integrated into your enterprise- and array-level policies. This gives administrators the ability to easily control security and ISA access rules throughout the organization.
- Enhanced worm resiliency: ISA Server 2006 can help to mitigate the overall damage an infected computer will have on the network. This is accomplished through client IP alert pooling and connection quotas that monitor and block unusual connection patterns.
- Quicker attack response times: ISA Server 2006 has a comprehensive set of alert triggers with configurable responses. When configured, this can quickly notify you of network threats targeted against your network.
- Extensive software developers kit (SDK): The ISA Server 2006 SDK aids third parties in the development of ISA Server 2006 add-ons. These add-ons enrich the feature set of ISA Server 2006 by providing a wide range of additional protections such as anti-virus or custom web filtering controls.
- Improved resource management: ISA Server 2006 gives you extensive log throttling, memory consumption control, and pending DNS queries. This improved resource management contributes to ISA Server's greater overall performance levels.

Versions of ISA Server 2006


Before you deploy ISA Server 2006, you will need to decide which version to purchase. ISA Server 2006 is available in two versions: Standard and Enterprise. You should install the version that is appropriate for your network environment and security needs. A short comparison of the two versions follows:


Figure 5-15: ISA Server 2006 version comparison chart.


Several manufacturers such as HP, Avantis, Whale, Celestix, SecureGUARD, and OSST now offer ISA Server 2006 in a firewall appliance. This combines the power and configuration ease of ISA Server and the convenience of an appliance.

TASK 5B-1
Preparing for the ISA Server 2006
Setup: Lab Prerequisites

Task Note: Firewalls are primarily designed to control network traffic between network segments, so you will need to have more than one network adapter in your computer in order to configure ISA Server 2006 in the most common firewall topologies. Since the classroom computers have only one physical network card, we will install and configure the Microsoft Loopback Adapter to represent our internal network interface, while configuring the physical network card as our external network interface.

1. Choose Start→Control Panel→Add Hardware.
2. In the Welcome dialog box, click Next; the wizard will search for your hardware.
3. Select Yes, I Have Already Connected The Hardware, then click Next.
4. Scroll to the bottom of the Installed Hardware list box and select Add A New Hardware Device. Then, click Next.
5. Select the Install The Hardware That I Manually Select From A List (Advanced) option, then click Next.
6. Under Common Hardware Types, select Network Adapters, and click Next.
7. Under Manufacturer, select Microsoft.
8. Under Network Adapter, select Microsoft Loopback Adapter.
9. Click Next twice.
10. If prompted, click OK in the Insert Disk dialog box, enter the path to the Windows 2003 Server installation source files in the Files Needed dialog box, and then click OK.
11. Click Finish.
12. Choose Start→Control Panel→Network Connections→Local Area Connection 2.
13. In the Local Area Connection 2 dialog box, click Properties.
14. In the This Connection Uses The Following Items list, select Internet Protocol (TCP/IP) and then click Properties.
15. On the General tab, select Use The Following IP Address and then enter the address from the following table that corresponds to your computer name.

    WIN-R01 - 10.16.1.1/24    WIN-L01 - 10.18.1.1/24
    WIN-R02 - 10.16.2.1/24    WIN-L02 - 10.18.2.1/24
    WIN-R03 - 10.16.3.1/24    WIN-L03 - 10.18.3.1/24
    WIN-R04 - 10.16.4.1/24    WIN-L04 - 10.18.4.1/24
    WIN-R05 - 10.16.5.1/24    WIN-L05 - 10.18.5.1/24
    WIN-R06 - 10.16.6.1/24    WIN-L06 - 10.18.6.1/24
    WIN-R07 - 10.16.7.1/24    WIN-L07 - 10.18.7.1/24
    WIN-R08 - 10.16.7.1/24    WIN-L08 - 10.18.8.1/24

    The subnet mask is 255.255.255.0 for all these IPs.

16. Leave the DNS value blank and then click OK.
17. Click OK, and close the Local Area Connection 2 Properties window.
18. Choose Start→Control Panel and right-click Network Connections. From the pop-up context menu, choose Open.
19. Right-click the Local Area Connection and choose Rename.
20. Name the connection External.
21. Right-click the Local Area Connection 2 and choose Rename.
22. Name the connection Internal.
23. Close the Network Connections window.

You have now installed the Microsoft loopback adapter and assigned it a unique IP address. We will be using this adapter to function as our internal network adapter for ISA Server 2006. You also renamed the two available network connections so they can easily be identified as either the external or internal networks.

ISA Server Installation Requirements


System Requirements for ISA:

Figure 5-16: ISA Server hardware requirements.


TASK 5B-2
Install Microsoft ISA Server 2006
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous task. This task requires you have the Microsoft ISA Server 2006 software available.

1. Browse to the location of the ISA Server 2006 installation files and double-click isaautorun.exe.
2. Click the Install ISA Server 2006 link.
3. At the Installation Wizard, click Next.
4. Read the License Agreement, select I Accept Terms In The License Agreement, and click Next.
5. In the Customer Information dialog box, enter your name, company, and license if necessary, and then click Next.
6. In the Setup Type dialog box, select the Typical radio button, then click Next.
7. In the Internal Network dialog box, click the Add button.
8. In the Addresses dialog box, click the Add Adapter button.
9. In the Select Network Adapters dialog box, check the box next to your Internal network card, and then click OK.
10. In the Addresses dialog box, click OK.
11. In the Internal Network dialog box, click Next.
12. In the Firewall Clients dialog box, accept the default and click Next. (Do not check the box to Allow non-encrypted Firewall Client Connections.)
13. Read the Services warning dialog box and then click Next.
14. In the Ready to Install the Program dialog box, click Install. (The Microsoft ISA Server 2006 - Installation Wizard will start and a File Progress window will appear. Be patient; it will take several minutes to install all the components.)
15. In the Installation Wizard Finished dialog box, click Finish.
16. In the pop-up window, click OK. The Windows Internet Explorer window opens with some information on how to protect ISA. Read the page and then close the Internet Explorer window.
17. Close the Microsoft ISA Server 2006 Setup dialog.

ISA Server 2006 is now installed.

Configuring ISA Server 2006


There are five basic steps to configuring your ISA Server 2006 Firewall. The ISA Server Getting Started guide provides a simple path through these processes to ensure that you can configure your ISA Server firewall with a minimum of confusion. The five basic steps to configure an ISA Server 2006 firewall are:

1. Define your ISA Server network configuration.
2. Create Firewall Policy Rules.
3. Define how ISA Server caches web content.
4. Configure VPN access (if required).
5. Set up Monitoring on your ISA Server.

Each of these tasks has a configuration page that guides you step by step through the various wizards and configuration pages associated with the individual tasks. In the following tasks, you will explore the ISA Server Management Console and configure each of these options for your ISA Server 2006 firewall.

Understanding the ISA Server Management Console


You manage your ISA Server 2006 firewall through the ISA Server Management Console. This console has three basic areas that you can use to navigate and configure ISA Server 2006:

- Console Tree (left pane)
- Details pane (center pane)
- Tasks pane (right pane)


Figure 5-17: The ISA Server Management Console panes.

In the following task, you will explore the ISA Server Management Console and familiarize yourself with its functions and behaviors. The tool is very intuitive, but it does have a lot of moving parts, so the more time you spend getting comfortable with it, the more efficient you will become at configuring ISA Server.

TASK 5B-3
Exploring the Microsoft ISA Server 2006 Interface
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed task 3B-2.

1. Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.
2. Notice that the ISA Server Management console is divided into three panes:
   - The left hand pane is your Console Tree pane. This pane contains a short list of navigable containers. The containers in this pane logically group related management or configuration settings.
   - The center pane is your Details pane. For each container in the Console Tree pane, the Details pane will contain information related to the configuration container selected in the Console Tree. Depending on the configuration container selected, the Details pane may have multiple tabs of information.
   - The right pane is your Tasks pane. The Tasks pane contains two tabs. The Tasks tab has a list of relevant tasks that can be performed for the selected container in the Tree pane. If the configuration container selected in the Console Tree pane shows multiple tabs of information in the Details pane, the Tasks tab is contextual; that is, it will contain tasks that can be performed for any selected tab in the Details pane of a particular configuration container. In addition, the Tasks pane also contains a Help tab with context-sensitive help for the selected Details pane tab.
3. Notice that the Details pane defaults to the Welcome information. In this section, you can find links to guides on Getting Started, Securing your ISA Server, and Internet Websites with ISA Server Information.
4. In the Console Tree pane, expand the container with your server name by clicking the + symbol.
5. In the Console Tree pane, expand the Configuration container by clicking the + symbol. You have now exposed the whole configuration container chain for a standalone ISA Server 2006 firewall. The Console Tree can/will contain other items if the ISA Server is part of an ISA Array in a domain.
6. In the Console pane, select the WIN-R01 configuration container. Notice that this places the Getting Started information in the Details pane. This lists out the five configuration steps for ISA Server.
7. Briefly read down the list of items in the Details pane.
8. In the Details pane, click the Define Your ISA Server Network Configuration link.
9. Notice that the selected container in the Console Tree pane changed to the Networks container. The three panes found in the ISA Server Management console are linked. Clicking a link in any of the panes will take you to the correct configuration container for the property you are trying to configure.
10. Explore the four tabs in the Details pane of the Networks container.
11. Notice that as you move between tabs in the Details pane, the Tasks pane changes to show contextually relevant links for each tab.
12. On the middle of the vertical divider between the Details pane and the Task pane, click the arrow icon. Notice that the Tasks pane collapses to create a larger viewable area for the Details pane.
13. Click the arrow icon again. The Tasks pane expands again to allow access to the tasks listed for the Details pane tab.
14. In the Console Tree pane, select the Monitoring container.
15. Notice that this container has seven tabs in the Details pane.
16. In the Details pane, select the Services tab.
17. On the Services tab, select the Microsoft Firewall item.
18. On the Task pane under Services Tasks, click the Stop Selected Service link.
19. Notice that after the service stops, the Tasks link changes context from Stop to Start.
20. Restart the service after it stops by clicking the Start Selected Service link.
21. In the Details pane, after the service restarts, click the Alerts tab.
22. On the Tasks pane, click the Refresh now link.
23. Notice that the action of starting and stopping the service generated an alert entry.
24. Click the Dashboard tab.
25. Notice that Alerts is one of the items on the Dashboard. The Dashboard gives you a quick overview of the current state of activity on your ISA Server.
26. In the Console Tree pane, select the Firewall Policy container.
27. Notice in the Details pane that one rule, the Default Rule of deny all traffic for all networks, exists. ISA Server installs only this default Deny All rule during installation. To allow traffic to pass through the ISA Server, you must configure rules to permit it to pass.
28. Notice on the Tasks pane for the Firewall Policy container that there is a long list of tasks that can be performed.
29. Explore the list of tasks in the Firewall Policy Tasks section of the Task pane.
30. Notice that these tasks are broken down into four categories:
   - Firewall Policy Tasks
   - Policy Editing Tasks
   - System Policy Tasks
   - Related Items
   Again, the Tasks pane is context sensitive to the container selected in the Console Tree pane and the tab selected in the Details pane. If you are having trouble locating a task, be sure you have selected the right container and Details tab.
31. Notice that the Tasks pane now has a third tab called Toolbox.
32. Select the Toolbox tab in the Tasks pane.
33. Notice that the Toolbox tab has five expandable sections.
34. Browse through the Toolbox tab sections. Be sure to expand and explore a few sub-containers under the various sections also.
35. Explore the remaining Console Tree pane configuration containers and their associated Details and Tasks panes.
36. After you have explored a bit, close the ISA Server 2006 Management console window.

This configuration area of the ISA Server Management console is where you can create and manage all of the various items that can be used in firewall policy rule configurations. A strong familiarity with these items will greatly benefit you when you create custom firewall policy rules for your network. We will return to this area later when we create custom rules.

Exporting/Importing ISA Server 2006 Configurations as XML Files


One of the features that makes ISA Server 2006 easy to manage is the ability of ISA Server to export the current configuration as an XML file. It is now simpler than ever to back up and restore your firewall configuration. To return to that configuration, you simply import the XML configuration file back into ISA Server. Exporting your working configuration before making any adjustments to the firewall configuration is always a good idea, especially when the firewall policy is complex with many layers of rules applied. This will ensure that you can return to the last known good configuration with a minimum of hassle or down time.

TASK 5B-4
Exporting the Default Configuration
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed task 3B-2.

1. Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.
2. In the Console Tree pane, select the container with your ISA server name.
3. On the Tasks tab, click the Export (Backup) this ISA Server Configuration link.
4. In the Export Wizard dialog box, click Next.
5. In the Export Preferences dialog box, select Export User Permissions. We have no confidential information, such as user passwords and certificates, to export, so we will leave that check box unchecked.
6. Click Next.
7. In the Save The Data To This File field, enter C:\originalcfg.xml and click Next.
8. Click Finish.
9. After the file finishes exporting, click OK.
10. Close the ISA Server 2006 Management Console.

Right-clicking any item in a container in the toolbox will give you a context menu listing available actions that can be taken on that object.

Be sure to cancel out of any dialog boxes you may open and discard any changes to the configuration. This is important so that your firewall will behave as expected in the remaining ISA task exercises.


We now have the ability to return to our default configuration if we accidentally misconfigure our firewall. Adding the exported ISA Server configuration XML files to your regular backups would be a good configuration management tool and policy.

ISA Server 2006 Firewall Policies


ISA Server 2006 manages network access through the firewall using layered firewall policies. These firewall policies can contain a set of access rules, publishing rules, and network rules. Each type of rule in a policy controls a different form of access across the firewall. These rules contained within an ISA Server firewall policy determine how and what network traffic can access resources through the firewall.

Access Rules
In ISA Server 2006 (like most other firewalls), the access rules are built from the following building blocks:

- Rule Name
- Rule Action (Allow, Deny)
- Protocol and Port
- Traffic Source
- Traffic Destination
- User Sets
- Content Groups

The parameters specified during the rule's construction will create the constraint set that the rule set will enforce through the firewall policy of the ISA Server that the rule was created on. A best practice is to evaluate, define, and document each rule before you implement it in ISA Server. This will ensure you get the expected results by applying the rule. Some firewall administrators find it helpful to diagram the rule and include the diagram with the rule documentation. ISA Server has three basic types of rules:

- Access rules: In ISA Server, an access rule controls what network traffic from the internal network is allowed to access the external network. Access rules can apply to all traffic, to only a selected set of protocols, or to all traffic except a selected set of protocols. The same thing applies to source, destination, or user sets. A rule can apply to all, only a selected subset, or all but a selected subset.
- Publishing rules: ISA Server defines publishing rules as rules that control access requests from the external network for internal resources. This type of rule is applied to a web server that you want to provide public access to, or to an SMTP server that needs to accept inbound mail delivery. In actuality, these are simply access rules applied to inbound traffic as opposed to outbound traffic. They can apply to the full set of rule building blocks or a selected subset, just like access rules.
- Network rules: ISA Server network rules are built by defining the traffic source, traffic destination, and the network relationship (how the traffic is handled, for example, NAT or Routed). Network rules can be combined with access or publishing rules to provide granular control over the traffic that traverses the ISA Server firewall.


Processing Firewall Policies


ISA Server deals with access requests in two directions: outgoing requests and incoming requests. As ISA Server receives a request, it processes the information contained in the packet and compares it against the firewall policy that contains the configured rule set.

Outgoing Requests
The process of access control for outgoing requests looks like this: ISA Server first checks any defined network rules and verifies that the two networks are connected. If a common connection between the source and destination network exists, ISA Server will then process the access policy rule set. If no connection is defined in the network rules, the packet is dropped. ISA Server now parses the access rules in the order that they are configured. If an allow rule applies to the request, ISA Server will allow the request. The first rule that is a match for the traffic being inspected is the rule that will apply. This is why ordering is important. ISA Server checks the rule elements that make up an access rule in this order:

1. Protocol
2. Source address and port
3. Schedule
4. Destination address
5. User set
6. Content groups

Incoming Requests
ISA Server calls rules that control incoming requests publishing rules. These rules are designed to let you securely allow access to servers by clients on a different network. Incoming requests are controlled by the ISA Server publishing policy. The publishing policy is built from web publishing rules, server publishing rules, secure web publishing rules, and mail server publishing rules. These rules, in addition to any web chaining rules, control how incoming requests to published servers are handled. ISA Server has several types of publishing rules that you can use to control how resources are accessed. These are:

- Web publishing rules: Used to publish web server content.
- Secure web publishing rules: Used to publish Secure Sockets Layer (SSL) content.
- Mail Server publishing rules: Used to publish mail servers across ISA Server.
- Server publishing rules: Used to publish all other internal resource content.
Access rules that deny traffic are processed before publishing rules that allow traffic. If a request matches a deny access rule, the request will be denied, because ISA Server will never get to the publishing rule that would have permitted the request.

Remember that access rules that deny traffic are processed before publishing rules that permit traffic. Your access rules must not explicitly deny any traffic that you intend to publish.
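The evaluation order described above (network rules first, then access rules in configured order with first match winning, then publishing rules) as an added Python simulation; it is not code from the book or from ISA Server, and the network names, addresses and rules it uses are constructed for illustration. It also reproduces the pitfall just described: a deny access rule that is scoped too broadly shadows a publishing rule that should have allowed the request.

```python
"""Simulation of ISA Server 2006 style policy evaluation (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set, Tuple

# Constructed network definitions: name -> list of CIDR ranges (not the lab's).
NETWORKS = {
    "Internal": ["10.18.1.0/24"],
    "DMZ": ["192.168.100.0/24"],
    "External": ["0.0.0.0/0"],  # simplification: everything not listed above
}

# Constructed network rules: (source, destination, relationship).
NETWORK_RULES = [
    ("Internal", "External", "NAT"),
    ("External", "DMZ", "Route"),
]


def network_of(addr: str) -> Optional[str]:
    """Map an address to the most specific defined network (longest prefix)."""
    ip = ip_address(addr)
    best, best_len = None, -1
    for name, cidrs in NETWORKS.items():
        for cidr in cidrs:
            net = ip_network(cidr)
            if ip in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def networks_connected(src_net: str, dst_net: str) -> bool:
    """Network rules are checked first; with no connection the packet is dropped."""
    return any({s, d} == {src_net, dst_net} for s, d, _ in NETWORK_RULES)


@dataclass
class Rule:
    name: str
    action: str                                 # "Allow" or "Deny"
    protocols: Optional[Set[Tuple[str, int]]]   # None = all protocols
    sources: Set[str]                           # network names
    destinations: Set[str]
    users: Optional[Set[str]] = None            # None = All Users
    schedule: Tuple[int, int] = (0, 24)         # hours of the day the rule applies
    publishing: bool = False                    # publishing (inbound) vs access rule

    def matches(self, req: dict) -> bool:
        # Element order from the text: protocol, source, schedule, destination, user.
        if self.protocols is not None and (req["proto"], req["port"]) not in self.protocols:
            return False
        if req["src_net"] not in self.sources:
            return False
        if not self.schedule[0] <= req["hour"] < self.schedule[1]:
            return False
        if req["dst_net"] not in self.destinations:
            return False
        if self.users is not None and req["user"] not in self.users:
            return False
        return True


def evaluate(policy, src_ip, dst_ip, proto, port, user="anonymous", hour=12):
    """Return (action, reason) for one request; the first matching rule wins."""
    req = {"proto": proto, "port": port, "user": user, "hour": hour,
           "src_net": network_of(src_ip), "dst_net": network_of(dst_ip)}
    if not networks_connected(req["src_net"], req["dst_net"]):
        return ("Deny", "no network rule")
    # Access rules are processed in configured order before publishing rules,
    # so a matching deny access rule wins even if a publishing rule would allow.
    for rule in [r for r in policy if not r.publishing]:
        if rule.matches(req):
            return (rule.action, rule.name)
    for rule in [r for r in policy if r.publishing]:
        if rule.matches(req):
            return (rule.action, rule.name)
    return ("Deny", "Default rule")


WEB = {("tcp", 80), ("tcp", 443)}
ALLOW_INTERNAL_WEB = Rule("Allow Internal Web", "Allow", WEB, {"Internal"}, {"External"})
PUBLISH_DMZ_WEB = Rule("Publish DMZ Web", "Allow", {("tcp", 80)}, {"External"}, {"DMZ"},
                       publishing=True)
# Too-broad deny: it also covers the DMZ, so it shadows the publishing rule.
BLOCK_INBOUND_BROAD = Rule("Block External Inbound", "Deny", None, {"External"},
                           {"Internal", "DMZ"})
# Corrected deny: scoped to the Internal network only, so published DMZ traffic passes.
BLOCK_INBOUND_FIXED = Rule("Block External Inbound", "Deny", None, {"External"},
                           {"Internal"})

POLICY = [BLOCK_INBOUND_BROAD, ALLOW_INTERNAL_WEB, PUBLISH_DMZ_WEB]
FIXED_POLICY = [BLOCK_INBOUND_FIXED, ALLOW_INTERNAL_WEB, PUBLISH_DMZ_WEB]

if __name__ == "__main__":
    for pol, label in ((POLICY, "broad deny"), (FIXED_POLICY, "fixed deny")):
        print(label, evaluate(pol, "198.51.100.7", "192.168.100.10", "tcp", 80))
```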


TASK 5B-5
Creating a Basic Access Rule
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. In this task, you will work with a partner in the classroom to test your configuration of an access rule. You will need to ask your partner for his or her IP address before you begin the task.

1. Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.
2. In the Console Tree pane, expand the container named after your server.
3. Select the Firewall Policy container.
4. Notice in the Details pane that the only rule that exists is the default deny rule.
5. Open a command prompt.
6. Type ipconfig and then press Enter.
7. Ping your default gateway. What was your result? Outbound Ping is allowed from your ISA Server.
8. Ping your partner's External IP address. What was your result? Your partner's ISA Server blocked the inbound Ping request on his or her external interface.
9. Minimize the command prompt.

10. In the Tasks pane, under Firewall Policy Tasks, click the Create Access Rule link.


11. On the New Access Rule Wizard dialog box, in the Access Rule Name field, enter Inbound Ping to External Interface and then click Next.

12. In the Rule Action dialog box, select the Allow option and then click Next. 13. In the Protocols dialog box, click the Add button. 14. In the Add Protocols dialog box, expand Common Protocols and select PING, click Add, and then click Close.

15. In the Protocols dialog box, click Next.

Lesson 5: Conguring Firewalls

227

16. In the Access Rule Sources dialog box, click the Add button. 17. In the Network Entities dialog box, expand Networks, select External, and click Add. Then, click Close. 18. In the Access Rule Sources dialog box, click Next. 19. In the Access Rule Destination dialog box, click the Add button. 20. In the Network Entities dialog box, expand Network Sets, select All Protected Networks, and click Add. Then, click Close. 21. In the Access Rule Destination dialog box, click Next. 22. In the User Sets dialog box, accept the default of All Users and click Next. 23. Click Finish. 24. At the top of the Firewall Policy Details pane, click Apply. 25. In the Saving Conguration Changes dialog box click OK. 26. Wait at this step until both partners have completed the previous steps. 27. Restore the command prompt. 28. Ping your partners external IP address. What was your result? Ping was allowed to the external interface of your partner. 29. Minimize the command prompt. 30. In the Details pane, select the Inbound Ping To External Interface rule.

228

Tactical Perimeter Defense

31. In the Tasks pane, click the Disable Selected Rules link.

32. At the top of the Firewall Policy Details pane, click Apply. 33. In the Saving Conguration Changes dialog box, read the note below the progress bar and then click OK. 34. Wait at this step until both partners have completed the previous step. 35. Restore the command prompt. 36. Ping your partners external IP address. What was your result? Ping was allowed to the external interface of your partner even though the rule was disabled. This is because you already had an existing connection to your partner from the initial successful ping test. Note: If you are not able to ping your partners IP address, enable the rule again, ping your partner, and then disable the rule. 37. Choose StartControl PanelNetwork ConnectionsExternal. 38. In the External Status dialog box, click the Disable button. This will break your existing connection to your partner. 39. Wait at this step until both partners have completed the previous step of disabling the External NIC. 40. Choose StartControl PanelNetwork ConnectionsExternal. This will enable your external connection. 41. Wait at this step until both partners have completed the previous step. 42. Restore the command prompt.
Lesson 5: Conguring Firewalls 229

43. Ping your partners external IP address. What was your result Ping is now blocked again by the ISA Server rewall policy. 44. In the Details pane, select the Inbound Ping To External Interface rule. 45. In the Tasks pane, click the Delete Selected Rules link. 46. In the Conrm Delete dialog box, click Yes. 47. At the top of the Firewall Policy Details pane, click Apply. 48. In the Saving Conguration Changes dialog box, click OK. 49. Close all open windows. It is important to remember that any rules you add to the rewall policy will not take effect on any connections that are already established. This is because ISA Server 2006 is a stateful rewall and those connections are currently listed in the state tables. Stateful rewalls consult the state tables before parsing the rewall rules. If the connection is listed in the state table, it will not be checked against the rule set again until it is removed from the state table either through a time out or by the source terminating the connection. You can force the state table to reset for all connections by disabling and enabling the network interface that the connection is associated with.

ISA Server 2006 Access Rule Elements


There are eight basic access rule elements that are used to build ISA Server 2006 access rules when creating a firewall policy. These elements describe specific characteristics of a network traffic packet that ISA Server can inspect and compare against a rule. The elements that ISA Server 2006 uses to create an access rule are:
- Name: Used by ISA Server to display the rules contained in the Firewall Policy container in the management console. Descriptive, easy to understand names help you keep track of what each rule is intended to do.
- Action: The action ISA Server takes when the rule is triggered by a match. The two possible actions are Allow or Deny. The action element can also be configured to log requests that match the rule, and a Deny rule can redirect matching HTTP requests to a web page.
- Protocols: The protocol(s) and port(s) that the rule matches.
- Network: The device addresses or network nodes that the rule applies to. Network elements are used to build the following two rule elements:
  - Source: Where the packet is coming from.
  - Destination: Where the packet is going to.
- Users: The user or groups of users that the rule applies to. A rule scoped to specific users can only match when ISA Server knows who the user is, which requires the Firewall Client or an authenticating web proxy client; SecureNAT clients present no credentials and can only match rules that apply to All Users.
- Schedule: The days and times that the rule is enforced.
- Content Types: The content that the rule applies to, matched for web traffic by MIME type and file extension.

ISA Server 2006 has a robust set of access rule elements pre-configured when it is installed. However, you can easily create additional rule elements that meet your specific requirements when the default rule elements will not address the rule you are trying to create. Since it is impossible to predict what type of traffic any given network may require, the ability to create additional rule elements gives ISA Server 2006 the flexibility to adapt to any requirements.

TASK 5B-6
Creating a Protocol Rule Element
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. In this exercise, you will create a custom protocol element that you could use in an access rule to control traffic for a custom network application that uses TCP port 2120 inbound across your firewall, with return client connections dynamically established across the range 49152-65535.
1. Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.
2. Expand the Console Tree pane and select the Firewall Policy container.
3. In the Tasks pane, select the Toolbox tab.
4. On the Toolbox tab, expand the Protocols container.
5. Explore the various protocol elements that are defined by default.
6. On the Toolbox tab, under the Protocols container, click the New drop-down menu, and select Protocol.
7. In the New Protocol Definition Wizard dialog box, in the Protocol Definition Name field, type Custom Application Protocol and then click Next.
8. In the Primary Connection Information dialog box, click the New button.
9. In the New/Edit Protocol Connection dialog box, enter the following values and then click OK:
   Protocol type: TCP
   Direction: Inbound
   Port Range: From 2120 To 2120
10. In the Primary Connection Information dialog box, click Next.
11. In the Secondary Connections dialog box, under Do You Want To Use Secondary Connections?, select the Yes radio button, and then click New.
12. In the New/Edit Protocol Connection dialog box, enter the following values and then click OK:
   Protocol type: TCP
   Direction: Outbound
   Port Range: From 49152 To 65535
13. In the Secondary Connections dialog box, click Next.
14. In the New Protocol Definition Wizard, click Finish.
15. Notice that your new user-defined protocol now shows in the Toolbox Protocols area.
16. At the top of the Details pane, click the Apply button.
17. In the Saving Configuration Changes dialog box, click OK.
18. Close the ISA Server 2006 Management console.

Note that a secondary connection spanning 49152-65535 opens the entire dynamic port range for any client that has established the primary connection on port 2120. Define secondary connections as narrowly as the application allows.


TASK 5B-7
Creating a User Rule Element
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. In this exercise, you will create a user element for the Administrator account only. As an example, this user element could then be used in an access rule to deny the Administrator account access to any resources on the external network.
1. Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.
2. Expand the Console Tree pane and select the Firewall Policy container.
3. In the Task pane, select the Toolbox tab and then expand the Users container.
4. Notice that ISA Server has three default user elements pre-defined.
5. At the top of the Users container, click the New link.
6. In the New User Set Wizard, in the User Set Name field, type Administrator Account and then click Next.
7. In the Users dialog box, click the Add button, and from the pop-up menu, choose Windows Users And Groups.
8. In the Select Users Or Groups dialog box, click the Advanced button.
9. In the Select Users Or Groups dialog box, click the Find Now button.
10. In the Search Results list, select the Administrator account and then click OK. Be sure you do not select the Administrators group.
11. In the Select Users Or Groups dialog box, verify that the Administrator account appears and then click OK.
12. In the Users dialog box, click Next.
13. In the New User Set Wizard, click Finish.
14. Notice that your new user set appears in the Toolbox pane.
15. At the top of the Details pane, click the Apply button.
16. In the Saving Configuration Changes dialog box, click OK.
17. Close the ISA Server 2006 Management console.

Content Types
ISA Server 2006 comes preconfigured with a variety of content types. If your target content type is not already defined, it is an easy task to configure a custom content type to suit your organization's needs. ISA Server's application-layer inspection of web traffic lets it control traffic not only on source, destination, protocol and port, but also on content type. Content types are matched on the MIME type in the HTTP Content-Type response header and on the file extension in the requested URL, so they apply to web traffic handled by ISA Server's web proxy filter. This is useful in enforcing an organization's security policy when it forbids certain types of content for security or other reasons. For example, if your organization's security policy forbids downloading executable .exe files from the Internet, you could create a content type for .exe files and then assign the new content type to a deny access rule to block any matching content. Bear in mind that the match is only as good as the MIME type and extension: an executable renamed to another extension and served with a different Content-Type is not caught by such a rule.

TASK 5B-8
Creating a Content Group Rule Element
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks.
1. Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.
2. Expand the Console Tree pane and select the Firewall Policy container.
3. In the Task pane, select the Toolbox tab.
4. On the Toolbox tab of the Task pane, expand the Content Types section.
5. Examine the pre-defined content types. Notice that .exe files are not defined.
6. Under the Content Types heading, click the New link.
7. In the New Content Type Set dialog box, in the Name field, type Exe Files
8. In the New Content Type Set dialog box, from the Available Types drop-down list, select the .exe type and then click Add.
9. In the New Content Type Set dialog box, click OK. The new Exe Files content type appears in the Content Types list.
10. At the top of the Details pane, click Apply.
11. In the Saving Configuration Changes dialog box, click OK.


ISA Server 2006 Scheduling


ISA Server 2006 has the ability to create and use schedules to control when certain access rules are in effect. Schedules can be used in conjunction with the other access rule elements to specify the times and/or days that a rule is enforced.

TASK 5B-9
Creating and Modifying Schedule Rule Elements
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks.
1. In ISA Server Management, expand the Console Tree pane and select the Firewall Policy container.
2. In the Task pane, select the Toolbox tab.
3. On the Toolbox tab of the Task pane, expand the Schedules section.
4. Notice that there are two pre-defined schedules: Weekends and Work hours.
5. Select the Work hours schedule and then click the Edit link.
6. In the Work hours Properties dialog box, click the Schedule tab.
7. Notice that the schedule contains a grid comprised of 7 weekdays and 24 hours in one-hour increments.
8. Notice that each one-hour block of time can be set to either Active or Inactive on the schedule.
9. Click and drag your cursor from Monday 8:00 A.M. to Friday 8:00 P.M. and then click the Active radio button. This extends the work hours to start at 8:00 A.M. instead of 9:00 A.M. and to run until 9:00 P.M., Monday through Friday.
10. Click and drag your cursor from Monday 12:00 P.M. to Friday 12:00 P.M. and then click the Inactive radio button to remove the lunch hour from the Work hours schedule.
11. Click OK to close the Work hours Properties dialog box.
12. On the Toolbox tab, under the Schedules area, click the New link.
13. In the New Schedule dialog box, in the Name field, type After hours
14. Click and drag your mouse pointer in the schedule field from Monday at 8:00 A.M. to Friday at 8:00 P.M. to cover the workday hours and then click the Inactive radio button.
15. In the New Schedule dialog box, click OK.
16. At the top of the Details pane, click Apply.
17. In the Saving Configuration Changes dialog box, click OK.

You have now modified the existing Work hours schedule and created a new After hours schedule. These schedules can be used in rule creation to control the times at which a rule is enforced by ISA Server 2006, which adds a great deal of flexibility to how you configure and enforce firewall policies.

Using Content Types and Schedules in Rules


You have discovered that ISA Server has content types and schedules that can be used in rule creation. As a practical example, these objects could be used to enforce an organization's acceptable use policy that prohibits viewing video content during normal work hours but allows it during lunch and after hours. The schedule feature in ISA Server 2006 lets you create a schedule that can be incorporated into a rule governing video content to enforce that policy.

TASK 5B-10
Using Content Types and Schedules in Rules
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks.
1. In ISA Server Management, expand the Console Tree pane and select the Firewall Policy container.
2. In the Task pane, select the Tasks tab.
3. In the Tasks pane, under Firewall Policy Tasks, click the Create Access Rule link.
4. In the New Access Rule Wizard dialog box, in the Access Rule Name field, type Enforce Video Content Policy and click Next.
5. In the Rule Action dialog box, select the Deny radio button and then click Next.
6. In the Protocols dialog box, from the This Rule Applies To drop-down list, select All Outbound Traffic and then click Next.
7. In the Access Rule Sources dialog box, click the Add button.
8. In the Network Entities dialog box, expand Network Sets, select All Protected Networks, click Add, and then click Close.
9. In the Access Rule Sources dialog box, click Next.
10. In the Access Rule Destination dialog box, click the Add button.
11. In the Network Entities dialog box, expand Network Sets, select All Networks (and Local Host), and click Add. Then, click Close.
12. In the Access Rule Destination dialog box, click Next.
13. In the User Sets dialog box, accept the default of All Users and click Next.
14. Click Finish.
15. On the Tasks tab, under Policy Editing Tasks, click the Edit Selected Rule link.
16. Notice that the rule properties dialog box has a tab for each of the items we configured during rule creation (General, Action, Protocols, From, To and Users) and two additional tabs: Schedule and Content Types.
17. Click the Schedule tab, and from the Schedule drop-down list, select Work hours.
18. Click the Content Types tab and select the Selected Content Types radio button.
19. Scroll down in the Content Types list, select the Video content type, and then click OK.
20. At the top of the Firewall Policy Details pane, click Apply.
21. In the Saving Configuration Changes dialog box, click OK.
22. The ISA Server firewall will now deny video content during Work hours.

Because the lab policy currently contains only this rule and the default Deny rule, an Allow rule for outbound web traffic would still be needed for video to be reachable at lunch and after hours, and the deny rule must be ordered above that allow rule for the schedule to have any effect.
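The evaluation order described after Task 5B-5 (state table before rule set, default Deny last) and the rule elements listed earlier (action, protocols, source, destination, users, schedule, content types) can be replayed in a small model. The following Python is an added example written for this edition; it is not ISA Server code and ignores direction and reply traffic. The networks, addresses, the 60-second idle timeout, the video/mpeg content type and the Allow Web Access rule beneath the video rule are all constructed for illustration. It reproduces the lab: the Inbound Ping rule is disabled but the ping keeps working until the state table is flushed, and the Enforce Video Content Policy rule denies video only during Work hours.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed networks: ISA defines these as address ranges; host sets suffice here.
NETWORKS = {"Internal": {"10.1.1.10", "10.1.1.20"},
            "External": {"203.0.113.5", "198.51.100.7"}}
NETWORK_SETS = {"All Protected Networks": {"Internal"},
                "All Networks": {"Internal", "External"}}
# Work hours schedule as the grid of (weekday 0=Monday, hour) blocks that are Active:
# Monday to Friday, 08:00 up to 21:00, with the 12:00 lunch block set Inactive.
WORK_HOURS = {(d, h) for d in range(5) for h in range(8, 21) if h != 12}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    user: str = "anonymous"                 # SecureNAT clients are never identified
    content_type: Optional[str] = None      # only meaningful for web traffic
    when: tuple = (0, 10)                   # (weekday, hour) of arrival

@dataclass
class Rule:
    name: str
    action: str                             # "Allow" or "Deny"
    protocols: set                          # e.g. {"PING"}, {"HTTP"}; {"*"} = all
    sources: set                            # network or network-set names
    destinations: set
    users: set = field(default_factory=lambda: {"All Users"})
    schedule: Optional[set] = None          # None = Always
    content_types: Optional[set] = None     # None = all content
    enabled: bool = True

def hosts_in(names):
    """Expand network and network-set names into the hosts they contain."""
    hosts = set()
    for name in names:
        for net in NETWORK_SETS.get(name, {name}):
            hosts |= NETWORKS[net]
    return hosts

def matches(rule, pkt):
    """Every element of an enabled rule must match for the rule to fire."""
    return (rule.enabled
            and ("*" in rule.protocols or pkt.proto in rule.protocols)
            and pkt.src in hosts_in(rule.sources)
            and pkt.dst in hosts_in(rule.destinations)
            and ("All Users" in rule.users or pkt.user in rule.users)
            and (rule.schedule is None or pkt.when in rule.schedule)
            and (rule.content_types is None or pkt.content_type in rule.content_types))

class StatefulFirewall:
    def __init__(self, rules, idle_timeout=60):
        self.rules = rules                  # ordered: first match wins
        self.idle_timeout = idle_timeout    # seconds an idle state entry survives
        self.state = {}                     # (src, dst, proto) -> time last seen

    def handle(self, pkt, now):
        # Drop idle entries, then consult the state table BEFORE the rule set.
        self.state = {k: t for k, t in self.state.items() if now - t <= self.idle_timeout}
        key = (pkt.src, pkt.dst, pkt.proto)
        if key in self.state:
            self.state[key] = now
            return "Allow (state table)"
        for rule in self.rules:
            if matches(rule, pkt):
                if rule.action == "Allow":
                    self.state[key] = now   # allowed traffic becomes a state entry
                return f"{rule.action} ({rule.name})"
        return "Deny (Default rule)"        # the built-in last rule

    def flush_state(self):
        """Disabling and re-enabling the interface has this effect."""
        self.state.clear()

def demo():
    """Replay Task 5B-5 (ping) and Task 5B-10 (video) against the model."""
    ping_rule = Rule("Inbound Ping to External Interface", "Allow", {"PING"},
                     {"External"}, {"All Protected Networks"})
    video_rule = Rule("Enforce Video Content Policy", "Deny", {"*"},
                      {"All Protected Networks"}, {"All Networks"},
                      schedule=WORK_HOURS, content_types={"video/mpeg"})
    web_rule = Rule("Allow Web Access", "Allow", {"HTTP"},    # hypothetical rule
                    {"All Protected Networks"}, {"External"})
    fw = StatefulFirewall([video_rule, web_rule, ping_rule])
    ping = Packet("203.0.113.5", "10.1.1.10", "PING")
    video = lambda hour: Packet("10.1.1.10", "203.0.113.5", "HTTP",
                                content_type="video/mpeg", when=(0, hour))
    out = {"ping, rule enabled": fw.handle(ping, now=0)}
    ping_rule.enabled = False               # step 31: Disable Selected Rules
    out["ping, rule disabled"] = fw.handle(ping, now=10)
    fw.flush_state()                        # steps 37-40: bounce the External NIC
    out["ping, after NIC reset"] = fw.handle(ping, now=20)
    out["video at 10:00"] = fw.handle(video(10), now=30)
    out["video at 12:00"] = fw.handle(video(12), now=30)
    return out
```

Calling demo() returns the ping allowed by the rule, then allowed by the state table despite the disabled rule, then denied once the state is flushed, and the video request denied at 10:00 but allowed at 12:00 by the rule beneath. Swapping the order of video_rule and web_rule in the list makes the video rule dead, which is the ordering point made after the policy task above.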

ISA Server 2006 Network Rule Elements


You have discovered that ISA Server 2006 uses a set of elements as the building blocks for access rules. Networks are rule elements made up of one or more ranges of IP addresses or other network identifiers.

ISA Server 2006 network elements include one or more computers, typically corresponding to a physical network. You can apply rules to one or more networks or to all addresses except those in the specified network. ISA Server 2006 provides network elements for the following object types:
- Networks
- Network Sets
- Computers
- Address Ranges
- Subnets
- Computer Sets
- URL Sets
- Domain Name Sets
- Web Listeners
- Server Farms

ISA Server 2006 has a set of default network elements that are pre-defined. You can use these default elements as part of an access rule definition or you can create custom network elements to meet your specific needs.

TASK 5B-11
Creating a Network Rule Element
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks.
1. In ISA Server Management, expand the Console Tree pane and select the Firewall Policy container.
2. In the Task pane, select the Toolbox tab.
3. On the Toolbox tab of the Task pane, expand the Network Objects container.
4. Examine the pre-defined Network Objects.
5. On the Toolbox tab, at the top of the Network Objects container, click the New drop-down menu, and choose Computer from the pop-up menu.
6. In the New Computer Rule Element dialog box, enter the following values and then click OK:
   Name: [Your computer name]
   Computer IP Address: [Your computer IP address]
   Description: ISA Firewall
7. At the top of the Firewall Policy Details pane, click Apply.
8. In the Saving Configuration Changes dialog box, click OK.

We could now use this new network object as an element in an access rule that applies only to the ISA Server 2006 firewall at our IP address.


ISA Server Publishing Rules


Up to this point, we have primarily been concerned with access rules and their constituent elements. Access rules in ISA Server 2006 control traffic that traverses the firewall between networks, most commonly outbound from the protected (internal) network to the unprotected (external) network. But how does ISA Server 2006 make protected resources, such as a web server, available to external clients? For this purpose, ISA Server has publishing rules. Publishing rules apply to requests from other networks for resources on the internal protected network. They are made up of elements similar to those of an access rule, with one notable exception: publishing rules require a listener element. The listener describes the interface and port on which ISA Server listens for requests to the internal resource defined in the publishing rule and, for web listeners, how clients are authenticated.

Figure 5-18: Features and benefits of ISA Server content publishing.

TASK 5B-12
Configuring a Web Publishing Rule
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. In this exercise, you will create an ISA Server publishing rule to allow external access to an internal website.
1. In ISA Server Management, expand the Console Tree pane and select the Firewall Policy container.
2. In the Tasks pane, select the Tasks tab.
3. On the Tasks tab, under the Firewall Policy Tasks section, click the Publish Web Sites link.
4. In the New Web Publishing Rule Wizard, in the Web Publishing Rule Name field, type Public Web Server and click Next.
5. In the Select Rule Action dialog box, select the Allow radio button and click Next.
6. In the Publishing Type dialog box, select the Publish A Single Web Site Or Load Balancer option and click Next.
7. In the Server Connection Security dialog box, select the Use Non-secured Connections To The Published Web Server Or Server Farm option and then click Next.
8. In the Internal Publishing Details dialog box, enter the following values and then click Next:
   Internal site name: www.securitycertified.net
   Computer name or IP address: 10.X.Y.100 (where X and Y are the second and third octets of the address of your internal interface, the loopback adapter)
9. In the Internal Publishing Details dialog box, in the Path (Optional) field, type /* and click Next.
10. In the Public Name Details dialog box, in the Public Name field, type www.securitycertified.net and click Next.
11. In the Select Web Listener dialog box, click the New button.
12. In the New Web Listener Definition Wizard dialog box, in the Web Listener Name field, type Public Web Listener and click Next.
13. In the Client Connection Security dialog box, select the Do Not Require SSL Secured Connections With Clients option and click Next.
14. In the Web Listener IP Addresses dialog box, select the External network and click Next.
15. In the Authentication Settings dialog box, from the Select How Clients Will Provide Credentials To ISA Server drop-down list, select No Authentication and click Next.
16. Read the Single Sign On Settings dialog box and then click Next.
17. In the Completing The New Web Listener Wizard dialog box, click Finish.
18. In the Select Web Listener dialog box, click Next.
19. In the Authentication Delegation dialog box, select the No Delegation, And Client Cannot Authenticate Directly option and click Next.
20. In the User Sets dialog box, accept the default of All Users and click Next.
21. In the Completing The New Web Publishing Rule Wizard dialog box, click Finish.
22. At the top of the Firewall Policy Details pane, click Apply.
23. In the Saving Configuration Changes dialog box, click OK.
24. The new publishing rule appears at the top of the Details pane.
25. In the Tasks pane, click the Toolbox tab and then expand the Network Objects container.
26. Expand the Web Listeners container. (Note: you may need to press F5 to refresh the screen, or click another container in the Console Tree pane and then reselect the Firewall Policy container.)
27. The web listener created during the publishing rule creation is now listed.

You have now configured a web publishing rule that uses a web listener to accept inbound requests from the external network for www.securitycertified.net and forward them to the internal web server. Since only port 80 is exposed to the external network, and ISA Server inspects the inbound HTTP requests before passing them on to the internal web server, the attack surface of your web server is greatly reduced. Two caveats apply: the listener was created with no authentication and no SSL, so any external client can reach the site and the traffic travels in clear text; and only requests whose Host header matches the public name www.securitycertified.net are forwarded, so a request sent to the external IP address by itself does not match the rule and is denied.
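As an added example written for this edition (not ISA Server code), the following Python models how the publishing rule just created decides what to do with an inbound request: deny access rules are checked first, then the listener's address and port, then the public name and path. The listener address 203.0.113.10, the internal server 10.1.1.100, the client addresses and the Block scanner deny rule are all constructed for the example; ISA works with network elements rather than bare addresses.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass
class WebListener:
    name: str
    ip: str                     # external interface address the listener binds to
    port: int = 80
    require_ssl: bool = False   # the lab listener allows non-SSL connections

@dataclass
class WebPublishingRule:
    name: str
    listener: WebListener
    public_names: set           # host names accepted in the HTTP Host header
    path: str                   # "/*" publishes the whole site
    internal_server: str        # computer name or IP address ISA forwards to
    internal_site_name: str     # Host header ISA presents to that server

@dataclass
class DenyAccessRule:
    name: str
    sources: set                # client addresses (network elements in ISA)
    protocols: set

@dataclass
class Request:
    client_ip: str
    dst_ip: str
    dst_port: int
    host: str                   # value of the HTTP Host header
    path: str
    proto: str = "HTTP"

def route(req, deny_rules, publishing_rules):
    """Return ("deny", rule_name) or ("forward", server, host_header, path)."""
    # 1. Access rules that deny are evaluated before any publishing rule.
    for d in deny_rules:
        if req.client_ip in d.sources and req.proto in d.protocols:
            return ("deny", d.name)
    for rule in publishing_rules:
        lst = rule.listener
        # 2. A listener must be bound to the address:port the request arrived on.
        if (req.dst_ip, req.dst_port) != (lst.ip, lst.port):
            continue
        # 3. Public name and path must match; a bare IP in the Host header does not.
        if req.host not in rule.public_names or not fnmatch(req.path, rule.path):
            continue
        # 4. Forward to the internal server, presenting the internal site name.
        return ("forward", rule.internal_server, rule.internal_site_name, req.path)
    # 5. Nothing matched: the default rule denies the request.
    return ("deny", "Default rule")

def lab_policy():
    """The objects Task 5B-12 creates, with constructed addresses."""
    listener = WebListener("Public Web Listener", "203.0.113.10")
    rule = WebPublishingRule("Public Web Server", listener,
                             {"www.securitycertified.net"}, "/*",
                             "10.1.1.100", "www.securitycertified.net")
    block = DenyAccessRule("Block scanner", {"198.51.100.7"}, {"HTTP"})  # hypothetical
    return [block], [rule]
```

With lab_policy(), a request for www.securitycertified.net on port 80 is forwarded to 10.1.1.100, the same request on port 443 falls to the default rule because no listener is bound there, a request whose Host header is the external IP address is denied despite reaching the listener, and a client matched by the deny access rule is refused before the publishing rule is ever consulted.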


ISA Server 2006 Caching


Caching stores content that is frequently requested from remote servers locally on the ISA Server. By maintaining a centralized cache of frequently requested content, both network bandwidth consumption and browser performance are improved. Caching is disabled by default when you install ISA Server 2006, so you will need to enable and configure caching if you want to take advantage of the performance benefits this feature offers. ISA Server supports two types of caching: forward caching and reverse caching. Forward caching provides internal clients with improved access times to external resources, while reverse caching provides the same benefit to external clients accessing web content that has been published through ISA Server. A cache rule applies to the requested destination sites regardless of the source network. ISA Server also lets you preload entire websites into the cache on a defined schedule. Scheduling content downloads keeps cached content up to date for your users and ensures that content from web servers that are offline is still available, provided it has been cached. A caching algorithm lets ISA Server decide when content is no longer requested regularly and flush low-demand content from the RAM cache to the disk cache, so that the cache remains as efficient as possible. Note that a cache that serves objects past their expiry can serve stale content (an already-replaced download, for example), so keep TTL settings conservative for security-relevant sites. ISA Server has three main configuration items for controlling caching:
- Cache Drives
- Cache Rules
- Content Download Jobs
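The three content retrieval options offered by the cache rule wizard (serve only a valid cached copy, otherwise route to the server; serve any cached copy, otherwise route; serve any cached copy, otherwise drop the request) and the scheduled content download job are easy to confuse, so here is an added Python model, written for this edition and not ISA Server code. The TTL, clock values, URLs and the stand-in origin server are constructed; the model ignores the HTTP cache-control headers that ISA also honours.

```python
VALID_ONLY = "valid only"    # serve only a valid (unexpired) copy; else route to server
ANY_VERSION = "any version"  # serve any copy, even expired; else route to server
NEVER_ROUTE = "never route"  # serve any copy; else drop the request (never route)

class CacheRule:
    def __init__(self, mode, ttl_seconds):
        self.mode = mode
        self.ttl = ttl_seconds
        self.store = {}          # url -> (body, time fetched)
        self.log = []            # (outcome, url) for every request handled

    def get(self, url, origin, now):
        """Answer a client request. origin is a callable, or None if the server is down."""
        entry = self.store.get(url)
        if entry is not None:
            body, fetched = entry
            fresh = now - fetched <= self.ttl
            if fresh or self.mode != VALID_ONLY:
                self.log.append(("hit" if fresh else "stale hit", url))
                return body
        if self.mode == NEVER_ROUTE:
            self.log.append(("dropped", url))
            return None
        if origin is None:
            self.log.append(("origin unreachable", url))
            return None
        body = origin(url)
        self.store[url] = (body, now)        # (re)populate the cache
        self.log.append(("fetched", url))
        return body

    def content_download_job(self, urls, origin, now):
        """Scheduled preload: fetch the listed URLs whether or not anyone asked."""
        for url in urls:
            self.store[url] = (origin(url), now)

def demo_origin(url):
    """Stand-in for the published site; returns a constructed page body."""
    return "page:" + url
```

Under VALID_ONLY an expired object is refetched, and if the origin is down the client gets nothing; under ANY_VERSION the expired copy is served instead, which is the offline-browsing benefit described above; under NEVER_ROUTE nothing is ever fetched on demand, so the content download job is the only way objects enter the cache.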

TASK 5B-13
Enabling and Configuring Caching
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks.
1. In ISA Server Management, expand the Console Tree pane and select the Cache container.
2. Notice that the Cache container has a red down arrow on it in the Console Tree pane, indicating that caching is currently not enabled.
3. Notice that the Details pane contains three tabs corresponding to the three caching configuration items discussed earlier.
4. Notice that the Cache Size on NTFS Drives is currently zero.
5. In the Tasks pane, under Cache Drive Tasks, click the Define Cache Drives (Enable Caching) link.
6. In the Define Cache Drives dialog box, in the Maximum Cache Size (MB) field, type 100 and then click the Set button.
7. Drive C now shows a cache size of 100. If you had multiple drives on your ISA Server, each partition formatted with NTFS would show as an option in this dialog box.
8. In the Define Cache Drives dialog box, click OK.
9. At the top of the Details pane, click Apply.
10. In the ISA Server Warning dialog box, select the Save The Changes And Restart The Services radio button and click OK. (This may take a moment; be patient!)
11. In the Saving Configuration Changes dialog box, click OK.
12. In the Details pane, click the Cache Rules tab.
13. Notice that two default rules have been pre-defined. ISA Server comes with a pre-defined cache rule for the Microsoft Update site, which can help speed up automatic downloads of patches by clients or WSUS servers.
14. On the Tasks tab, under Cache Rules Tasks, click the Create A Cache Rule link.
15. In the New Cache Rule Wizard, in the Cache Rule Name field, type Security Certified Web Site and click Next.
16. In the Cache Rule Destination dialog box, click Add.
17. In the Add Network Entities dialog box, expand the Network Sets object.
18. In the Add Network Entities dialog box, select the All Protected Networks object.
19. In the Add Network Entities dialog box, click Add.
20. In the Add Network Entities dialog box, click Close.
21. In the Cache Rule Destination dialog box, click Next.
22. In the Content Retrieval dialog box, select the Only If A Valid Version Of The Object Exists In The Cache. If No Valid Version Exists, Route The Request To The Server option and then click Next.
23. In the Cache Content dialog box, check the Dynamic Content check box.
24. In the Cache Content dialog box, check the Content For Offline Browsing (302, 307 Responses) check box and click Next. (Caching dynamic content is a deliberate choice for this lab; in production, dynamic responses can be user-specific, so enable this only for sites whose dynamic pages are genuinely public.)
25. In the Cache Advanced Configuration dialog box, click Next.
26. In the HTTP Caching dialog box, accept the defaults and click Next.
27. In the FTP Caching dialog box, clear the Enable FTP Caching option and then click Next.
28. In the New Cache Rule Wizard dialog box, click Finish.
29. At the top of the Details pane, click the Apply button.
30. In the Saving Configuration Changes dialog box, click OK.
31. In the Details pane, select the Content Download Jobs tab.
32. In the Tasks pane, click the Schedule A Content Download Job link.
33. Read the Enable Schedule Content Download Jobs dialog box and then click Yes. (This configures the required options to schedule a content download job.)
34. At the top of the Details pane, click the Apply button.
35. In the Saving Configuration Changes dialog box, click OK.
36. In the Tasks pane, click the Schedule A Content Download Job link.
37. In the New Content Download Job Wizard dialog box, in the Content Download Job Name field, type Security Certified Web Site Download and click Next.
38. In the Download Frequency dialog box, select the Daily option and click Next.
39. In the Daily Frequency dialog box, under the Job Start Date field, set the date to start tomorrow and then click Next.
40. In the Content Download dialog box, type http://www.securitycertified.net as the URL and select the Do Not Follow Link Outside The Specified URL Domain Name option.
41. In the Content Download dialog box, select the Maximum Depth Of Links Per Page option.
42. In the Content Download dialog box, set the Maximum Depth Of Links Per Page value to 4 and click Next.
43. In the Content Caching dialog box, accept the default Cache Content and TTL settings and click Next.
44. In the Completing The Scheduled Content Download Job Wizard dialog box, click Finish.
45. Your new content download job appears in the Details pane.
46. Close the ISA Server 2006 Management console.


Configuring ISA Server 2006 Network Templates


Earlier in this topic, we discovered that ISA Server 2006 uses rule elements called networks to define one or more ranges of IP addresses; networks usually correspond to a physical network. In addition to the network rule element, ISA Server 2006 includes network templates, which are aligned to the common firewall network topologies. A network template configures the networks, network rules and firewall policy rule elements that ISA Server uses to control traffic between networks. Selecting the Networks container in the Console Tree pane gives you the following tabs in the Details pane for configuring your network elements:
- Networks
- Network Sets
- Network Rules
- Web Chaining

Currently, our ISA Server firewall is configured as a perimeter or edge firewall. If we add a third network interface to the ISA Server, we can reconfigure the network topology to include a DMZ and create a three-legged DMZ firewall topology. This type of upgrade is not uncommon in the real world, and ISA Server makes it easy to reconfigure through the use of the pre-defined network templates. Be aware that applying a template replaces the existing network rules and, depending on the firewall policy option you choose in the template wizard, the firewall policy as well, so export your configuration before applying one.

TASK 5B-14
Install Second Microsoft Loopback Adapter and Assign an IP Address
Setup: You must be logged on to Windows 2003 Server as an administrator, have completed the previous tasks, and have access to the Windows 2003 Server installation source files.
1. Choose Start→Control Panel→Add Hardware.
2. In the Welcome dialog box, click Next.
3. Select Yes, I Have Already Connected The Hardware and click Next.
4. Scroll to the bottom of the Installed Hardware list box and select Add A New Hardware Device. Then, click Next.
5. Select the Install The Hardware That I Manually Select From A List (Advanced) option and click Next.
6. Under Common Hardware Types, select Network Adapters, and then click Next.
7. Under Manufacturer, select Microsoft.
8. Under Network Adapter, select Microsoft Loopback Adapter.
9. Click Next twice.
10. If required, click OK in the Insert Disk dialog box.
11. Enter the path to the Windows 2003 Server installation source files in the Files Needed dialog box and then click OK. (Windows Server 2003 should remember the source path from the first loopback adapter we installed earlier.)
12. Click Finish.
13. Choose Start→Control Panel→Network Connections→Local Area Connection.
14. In the Local Area Connection dialog box, click Properties.
15. In the This Connection Uses The Following Items list, select Internet Protocol (TCP/IP) and then click Properties.
16. On the General tab, select Use The Following IP Address and enter the address from the table below that corresponds to your computer name. The subnet mask is 255.255.255.0 for all of these addresses.
   WIN-R01: 192.168.16.1/24
   WIN-R02: 192.168.16.2/24
   WIN-R03: 192.168.16.3/24
   WIN-R04: 192.168.16.4/24
   WIN-R05: 192.168.16.5/24
   WIN-R06: 192.168.16.6/24
   WIN-R07: 192.168.16.7/24
   WIN-R08: 192.168.16.8/24
   WIN-L01: 192.168.18.1/24
   WIN-L02: 192.168.18.2/24
   WIN-L03: 192.168.18.3/24
   WIN-L04: 192.168.18.4/24
   WIN-L05: 192.168.18.5/24
   WIN-L06: 192.168.18.6/24
   WIN-L07: 192.168.18.7/24
   WIN-L08: 192.168.18.8/24
17. Leave the DNS values blank and then click OK.
18. Click Close to close the NIC Properties.
19. Choose Start→Control Panel, right-click Network Connections, and from the context menu choose Open.
20. Right-click the Local Area Connection, and from the context menu, choose Rename.
21. Name the connection DMZ
22. Close the Network Connections window.

You have now installed a second Microsoft Loopback Adapter and assigned it a unique IP address. We will use this adapter as our DMZ network adapter to configure ISA Server 2006 in a three-legged DMZ.

250

Tactical Perimeter Defense

TASK 5B-15
Configure ISA Server 2006 in a Three-legged DMZ
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. You will reconfigure your network as a three-legged DMZ topology. To accomplish this, you must first import the originalcfg.xml file to remove the web access policy listener that you configured in the publishing task.

1. Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.
2. In the Console Tree pane, select the [Your Server Name] container.
3. In the Tasks pane, click the Import (Restore) This ISA Server Configuration link.
4. In the Import Wizard dialog box, click Next.
5. In the Select The Import File dialog box, in the File Name field, type C:\originalcfg.xml and click Next. Alternatively, you could use the Browse button to locate the file.
6. In the Import Action dialog box, select the Overwrite (Restore) option and then click Next.
7. In the Import Preferences dialog box, check the Import User Permission Settings check box, and then click Next.
8. In the Completing The Import Wizard dialog box, click Finish.
9. Read the ISA Server warning dialog box and then click OK twice.
10. At the top of the Details pane, click the Apply button.
11. In the Saving Configuration Changes dialog box, click OK.
12. In the Console Tree pane, select the Firewall Policy container. Notice that the firewall rule sets in the Details pane are back to the defaults.
13. In the Console Tree pane, select the Networks container.
14. In the Tasks pane, expand Configuration, and select the Templates tab.


15. On the Templates tab, select the 3-Leg Perimeter template.
16. In the Welcome To The Network Template Wizard dialog box, click Next.
17. In the Export The ISA Server Configuration dialog box, click Next.
18. In the Internal Network IP Addresses dialog box, click Next.
19. In the Perimeter Network IP Addresses dialog box, click Add Adapter.
20. In the Select Network Adapters dialog box, select the DMZ network and click OK.
21. In the Perimeter Network IP Addresses dialog box, click Next.
22. In the Select A Firewall Policy dialog box, scroll down and select the Allow Limited Web Access policy. Then, click Next.
23. In the Completing The Network Template Wizard dialog box, click Finish.
24. At the top of the Details pane, click the Apply button.
25. In the Saving Configuration Changes dialog box, click OK.
26. In the Console Tree pane, select the Firewall Policy container.
27. Highlight the Web Access Only Firewall Policy.
28. Notice that there are new access rules configured based on the template options we chose in the previous steps.


Configuring ISA Server Monitoring


ISA Server 2006 has a robust set of monitoring features. By configuring alerts, reporting, performance monitoring and logging, you can see at a glance the status and health of your ISA Server 2006 firewall. The Monitoring Details pane has the largest number of tabs associated with it of any of the ISA Console Tree pane containers. Spend plenty of time learning about each of the monitoring features and working with their configuration. The more skilled you are with this toolset, the easier it is to manage your ISA Server 2006 firewall. These features are summarized in the following table.

Figure 5-19: ISA Server 2006 monitoring features.

The ISA Server 2006 Management console can be used to gather at-a-glance information on the status of your ISA Server. To view the real-time monitoring information, open the Management console and select the Monitoring container from the Console Tree pane. This will activate the Monitoring Details pane. On the Dashboard tab of the Monitoring Details pane, you will find visual displays of current monitoring information. The refresh rate of this display is configurable in the task pane. Each of the individual information displays can also be collapsed to make more screen room for other displays.


Figure 5-20: The Monitoring Details pane Dashboard tab.

TASK 5B-16
Working with Alerts
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. In this task, you will configure a custom alert for network disconnections and assign it actions to perform when the alert is triggered.

1. In ISA Server, with the Console Tree pane open, select the Monitoring container.
2. In the Details pane, select the Alerts tab.
3. In the Tasks pane, click the Configure Alert Definitions link.


4. In the Alerts Properties dialog box, scroll briefly through the list and look at the wide range of pre-configured alerts in ISA Server. Then, click Add.
5. In the New Alert Wizard dialog box, in the Alert Name field, type Network Interface Disconnected and click Next.
6. In the Events And Conditions dialog box, from the Event drop-down list, select Network Configuration Changed; from the Additional Condition drop-down list, select Network Disconnected. Click Next.
7. In the Category And Severity dialog box, from the Category drop-down list, select Network Load Balancing; from the Severity drop-down list, select Error and click Next.
8. In the Actions dialog box, select the Send An E-mail Message and the Report The Event To The Windows Event Log options and then click Next.


9. In the Sending E-mail Messages dialog box, enter the following values:
   SMTP server: smtp.securitycertified.net
   From: isa2006@securitycertified.net
   To: yourname@securitycertified.net
   Click Next.
10. In the Completing The New Alert Configuration Wizard, click Finish.
11. In the Alerts Properties dialog box, scroll down and ensure that your new Network Interface Disconnected alert is selected, then click OK.
12. At the top of the Details pane, click the Apply button.
13. In the Saving Configuration Changes dialog box, click OK.
14. You have now configured ISA Server 2006 alerts to send you an email message and log a Windows Event Viewer event whenever a network interface is disconnected. This could speed up your response time to physical problems with the ISA Server network segments.
15. Minimize your ISA Server 2006 Management console.

Alerts associated with actions such as sending an email will help you respond to critical ISA Server events in a timely fashion. Even configuring certain warning items to send an email alert can help you take proactive steps to ensure the ISA Server 2006 firewall remains in optimum condition.


TASK 5B-17
Working with Reports
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. You will configure ISA Server 2006 to create a one-time report and to create scheduled reports for monitoring baselines and security performance evaluations.

1. From the Start menu, open Windows Explorer.
2. Create the directory C:\ISA-Reports.
3. Minimize Windows Explorer.
4. Maximize your ISA Server.
5. Expand the Console Tree pane and select the Monitoring container.
6. In the Details pane, select the Reports tab.
7. On the Tasks tab, click the Generate A New Report link.
8. In the New Report Wizard dialog box, in the Report Name field, type Snapshot Report and click Next.
9. In the Report Content dialog box, accept the default of all content choices and click Next.
10. In the Report Period dialog box, leave the default start and stop date and click Next.
11. In the Report Publishing dialog box, check the Publish Reports To A Directory check box.
12. In the Report Publishing dialog box, click the Browse button.
13. In the Browse For Folder dialog box, browse to C:\ISA-Reports, select it, and click OK.
14. In the Report Publishing dialog box, check the Publish Using This Account check box and then click the Set Account button.
15. In the Set Account dialog box, click the Browse button.
16. In the Select User dialog box, in the Enter The Object Name To Select field, type Administrator and then click Check Name. Click OK.
17. In the Password and Confirm Password fields, type the Administrator password and then click OK. (Your password should be blank.)


18. In the Report Publishing dialog box, click Next.
19. In the Send E-mail Notification dialog box, leave the defaults blank, and click Next.
20. In the Completing The New Report Wizard dialog box, click Finish.
21. Restore your minimized Windows Explorer and browse to the C:\ISA-Reports directory.
22. Open the Snapshot Report [Date Range] folder and double-click the contents.htm file.
23. Right-click the Allow Blocked Content bar at the top of the browser screen and choose Allow Blocked Content. Then, click Yes.
24. On the Summary page, click the Protocols link. Scroll through the report and examine the types of items that are reported.
25. The report contains no significant data because your ISA Server has not passed a large number of packets to register monitoring statistics yet.
26. When you have finished examining the report, close your Internet Explorer windows and close Windows Explorer.
27. In the Tasks pane, click the Create And Configure Report Jobs link.
28. In the Report Jobs Properties dialog box, click Add.
29. In the New Report Job Wizard dialog box, in the Report Job Name field, enter Daily Report and click Next.
30. In the New Report Content dialog box, accept the default of all content types and click Next.
31. In the Report Job Schedule dialog box, select the Daily option and click Next.
32. In the Report Publishing dialog box, check the Publish Reports To A Directory check box.
33. In the Report Publishing dialog box, click the Browse button.
34. In the Browse For Folder dialog box, browse to C:\ISA-Reports, select it, and then click OK.
35. In the Report Publishing dialog box, check the Publish Using This Account check box and then click the Set Account button.
36. In the Set Account dialog box, click the Browse button.
37. In the Select User dialog box, in the Enter The Object Name To Select field, type Administrator and then click Check Name. Type Administrator (no password) and click OK.


38. In the Report Publishing dialog box, click Next.
39. In the Send E-Mail Notification dialog box, leave the defaults blank, and click Next.
40. In the Completing The New Report Job Wizard dialog box, click Finish.
41. In the Report Jobs Properties dialog box, select the Daily Report option and click OK.
42. At the top of the Details pane, click the Apply button.
43. In the Saving Configuration Changes dialog box, click OK.

In this task, you successfully configured ISA Server 2006 reporting options. You examined a snapshot report and created a scheduled reporting job. ISA Server reports are very comprehensive and can give you an accurate picture of what is taking place on your ISA Server firewall.

ISA Server 2006 Logging


While alerts give you real-time notification of ISA Server events, logging allows you to view events in an historical fashion. This can help you analyze the traffic patterns on your network for such purposes as policy formulation, intrusion attempt analysis, network usage analysis, and as an aid in troubleshooting ISA Server.


Figure 5-21: ISA Server 2006 logging features.

ISA Server divides logging into two logs: the Web Proxy logs, which record ISA Server traffic handled by the Web Proxy Filter; and the Firewall service logs, which record ISA Server traffic handled by the Microsoft Firewall service. ISA Server features a variety of log storage options that enable you to track traffic that has been handled by ISA Server. The default ISA Server 2006 logging location is a local MSDE database on the ISA Server. The database files for the logs can be found in the C:\Program Files\Microsoft ISA Server\ISALogs folder and will be named ISALOG_yyyymmdd_xxx_nnn, where:

yyyy = year
mm = month
dd = date
xxx = log file type (ISA or WEB)
nnn = order number for sequencing daily logs

Using a database for logging instead of logging to a text file gives ISA Server powerful reporting capabilities for the log information. ISA Server can redirect the log file storage location to either a SQL database or to text files. The ability to use a single SQL database server for multiple ISA servers allows you to centralize the management, auditing, and backup of the ISA logs. And of course, if you need the log files to be stored in a .txt file format for any reason, that option is available. If you choose to store the ISA Server logs on a centralized SQL server, you need to ensure that ISA Server and the SQL Server have reliable high-speed network connections between them. This precludes ISA from logging to SQL over a slow WAN link. Microsoft recommends that you have a minimum of 100 Mbps connection speed between ISA and SQL. It is also worth noting that, by default, access rules are configured to log the packets that match that specific rule. If you don't want logging to record actions for a specific access rule in your firewall policy, then you must disable this option on the Actions tab of the rule property sheet.
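As an added example (not ISA Server code), the Python below parses the ISALOG_yyyymmdd_xxx_nnn file names described above and reports any day whose sequence numbers have a hole, which is a quick integrity check when the ISALogs folder is reviewed. The tolerated file extension and the sample directory listing are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import date

# Default ISA Server 2006 MSDE log file names as described in the text:
# ISALOG_yyyymmdd_xxx_nnn, with xxx the log type (ISA or WEB) and nnn the
# per-day sequence number. A trailing file extension is tolerated
# (assumption: the text does not name one).
LOG_NAME = re.compile(
    r"^ISALOG_(?P<year>\d{4})(?P<month>\d{2})(?P<day>\d{2})"
    r"_(?P<type>ISA|WEB)_(?P<seq>\d{3})(?:\.\w+)?$"
)


def parse_log_name(name):
    """Return (date, log type, sequence) for a valid name, else None."""
    m = LOG_NAME.match(name)
    if not m:
        return None
    try:
        logged_on = date(int(m["year"]), int(m["month"]), int(m["day"]))
    except ValueError:          # e.g. month 13 or day 32 is not a real date
        return None
    return logged_on, m["type"], int(m["seq"])


def find_sequence_gaps(names):
    """Group names by (date, type) and report missing sequence numbers.

    Daily logs are numbered from 000 upward, so a hole in the numbering for
    one day means a file that should exist is not in the folder, which is
    worth a second look when the logs are being reviewed as evidence.
    Returns {(date, type): [missing numbers]} for the days that have gaps.
    """
    seen = defaultdict(set)
    for name in names:
        parsed = parse_log_name(name)
        if parsed is None:
            continue            # unrelated file or malformed name: skip it
        logged_on, log_type, seq = parsed
        seen[(logged_on, log_type)].add(seq)
    gaps = {}
    for key, seqs in seen.items():
        missing = sorted(set(range(max(seqs) + 1)) - seqs)
        if missing:
            gaps[key] = missing
    return gaps


# Constructed directory listing for the example (not from a real server).
SAMPLE_LISTING = [
    "ISALOG_20070312_ISA_000.mdf",
    "ISALOG_20070312_ISA_001.mdf",
    "ISALOG_20070312_ISA_003.mdf",   # 002 is absent
    "ISALOG_20070312_WEB_000.mdf",
    "ISALOG_20070313_WEB_000.mdf",
    "ISALOG_20071332_WEB_000.mdf",   # impossible date: ignored
    "Thumbs.db",                     # unrelated file: ignored
]

if __name__ == "__main__":
    for (logged_on, log_type), missing in find_sequence_gaps(SAMPLE_LISTING).items():
        print(logged_on.isoformat(), log_type, "missing sequence numbers:", missing)
```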


Figure 5-22: ISA Server 2006 rule logging options are enabled by default.

TASK 5B-18
Configuring Logging Options
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. In this task, you will examine ISA Server 2003 logging options.

1. In ISA Server, expand the Console Tree pane and select the Monitoring container.
2. On the Details pane, select the Logging tab.
3. On the Tasks tab, click the Edit Filter link.
4. In the Edit Filter dialog box, under the Filter By column, select the Action filter and then click the Remove button.
5. In the Edit Filter dialog box, from the Filter By drop-down list, select Protocol.
6. In the Edit Filter dialog box, from the Condition drop-down list, select Contains.


7. In the Edit Filter dialog box, from the Value drop-down list, select NetBIOS Name Service and then click the Add To List button.
8. In the Edit Filter dialog box, click the Start Query button.
9. Notice that the Details pane now reports Fetching Results.
10. Open a command prompt and arrange your desktop so that you can see the results section of the Details pane while typing in the command prompt.
11. In the command prompt, type NET VIEW and then press Enter.


12. Wait until logging events show in the Details pane and then close the command prompt.
13. In the Task pane, click the Stop Query link.
14. In the Task pane, click the Configure Firewall Logging link.
15. The Log tab of the Firewall Logging Properties dialog box is where you would change what log file format ISA Server uses. Examine the available properties and then click the Fields tab.
16. Examine the list of logging fields that are available in ISA Server 2006.
17. Scroll down in the Fields tab and check the Network Interface check box. Then, click OK.
18. At the top of the Details pane, click the Apply button.
19. In the Saving Configuration Changes dialog box, click OK.
20. In the Task pane, click the Configure Web Proxy Logging link.
21. The Log tab of the Web Proxy Logging Properties dialog box is where you would change what log file format ISA Server uses. Examine the available properties and then click the Fields tab.
22. Examine the list of logging fields that are available in ISA Server 2006.
23. Scroll down in the Fields tab and check the Service check box, and then click OK.
24. At the top of the Details pane, click the Apply button.
25. In the Saving Configuration Changes dialog box, click OK.
26. Close the ISA Server 2006 Management console.

You have now successfully used ISA logging to review real-time events and also configured both the Firewall logging and Web Proxy logging to log additional events. One useful tip to keep in mind is that if you are using database format as your logging method, you can use Access or other front-end tools to create custom queries and reports from the ISA Server log databases.

Additional Configuration Options for ISA Server 2006


ISA Server 2006 contains many more configuration options than can be covered in the scope of this course. There are a few options, however, that are worth taking your time here to discover and examine. The three options we are going to discuss are:

• Securing the ISA Server OS with the Security Configuration Wizard
• ISA Server Packet Prioritization
• Uninstalling ISA Server 2006

ISA Server 2006 runs on top of the Windows Server 2003 operating system. In order for ISA Server to be secure, the underlying OS must also be secured. Windows Server 2003 Service Pack 1 included an attack surface reduction tool called the Security Configuration Wizard. The Security Configuration Wizard allows you to select a role for the server OS and then secure it based on the template you choose. It does this by determining the minimum functionality required in the OS, and then disabling functions that are not required. The default templates included with the Security Configuration Wizard do not contain a configuration for ISA Server 2006; however, you can download an update package from the Microsoft TechNet website that will update the Security Configuration Wizard with templates for ISA Server 2006. This can greatly simplify the process of securing the underlying OS for ISA Server. In order to use the Security Configuration Wizard (or update it), you must first install it from the Add/Remove Windows Components control panel applet. Even if you have already secured the OS before installing ISA Server, the Security Configuration Wizard can ensure that you have not overlooked anything. Also, running a scan against the ISA Server OS using MBSA (Microsoft Baseline Security Analyzer) or another vulnerability scanning tool will help ensure that ISA Server is as solid as you can make it.


TASK 5B-19
Securing ISA Server 2006 with the Security Configuration Wizard
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. You must also have access to the Windows Server 2003 source installation files and the ISA Server 2006 Security Configuration Wizard update package (IsaScwHlpPack.EXE).

1. Choose Start→Control Panel→Add Remove Programs.
2. Click the Add/Remove Windows Components button.
3. In the Add/Remove Windows Components dialog box, scroll down and check the Security Configuration Wizard check box and then click Next.
4. If required, enter the path to the Windows Server 2003 source files.
5. Click Finish and then close the Add Remove Programs control panel applet.
6. Double-click the IsaScwHlpPack.exe located in C:\Tools\Lesson5.
7. In the ISA Server Security Configuration Wizard Update dialog box, click Yes.
8. In the ISA Server Security Configuration Wizard Update dialog box, type C:\Update for the path and then click OK.
9. To create the C:\Update folder, click Yes, and then click OK in the success dialog box.
10. Choose Start→Administrative Tools→Security Configuration Wizard.
11. In the Security Configuration Wizard dialog box, click Next.
12. Select the Create A New Security Policy radio button and click Next.
13. In the Select Server dialog box, verify the name of your server and then click Next.
14. In the Processing Security Configuration Database dialog box, click Next.
15. In the Role-Based Service Collection dialog box, click Next.
16. In the Select Server Roles dialog box, de-select all options except Microsoft Internet Security and Acceleration Server 2004 and click Next. (ISA 2004 and ISA 2006 have the same OS requirements, so the same template works for both.)
17. In the Select Client Features dialog box, de-select all options except Automatic Update Client and click Next.


18. In the Select Administration And Other Options dialog box, accept the defaults and click Next.
19. In the Select Additional Services dialog box, accept the defaults and click Next.
20. In the Handling Unspecified Services dialog box, select the Disable The Service option and click Next.
21. In the Confirm Service Changes dialog box, scroll through and review the changes that will be made and then click Next.
22. In the Network Security dialog box, ensure that the Skip This Section option is selected and then click Next. (ISA will handle our firewall requirements. We don't want to create conflicts with the built-in Windows Firewall.)
23. In the Registry Settings dialog box, leave the Skip option unselected and then click Next.
24. In the Require SMB Security Signatures dialog box, check both option boxes and then click Next.
25. In the Outbound Authentication Methods dialog box, select the Local Accounts On The Remote Computers option and then click Next.
26. In the Outbound Authentication Methods dialog box, select the Clocks That Are Synchronized With The Selected Server's Clock option and then click Next.
27. In the Inbound Authentication Methods dialog box, accept the defaults and then click Next.
28. In the Registry Settings Summary dialog box, review the changes and then click Next.
29. In the Audit Policy dialog box, ensure that the Skip option is not selected and then click Next.
30. In the System Audit Policy section, select the Audit Successful And Unsuccessful Activities radio button and then click Next.
31. In the Audit Policy Summary dialog box, read the summary and then click Next.
32. In the Save Security Policy dialog box, click Next.
33. In the Security Policy File Name dialog box, append \ISAConfiguration to the path and then click Next.
34. In the Apply Security Policy dialog box, select the Apply Now option and then click Next.
35. In the Completing The Security Configuration Wizard dialog box, click the Finish button.


You have successfully used the Security Configuration Wizard to configure the optimum security configuration settings for the Windows Server 2003 operating system that ISA Server 2006 is running on top of.

This wizard only makes configuration changes. It does not apply security patches or updates. You must also make sure your OS is kept up-to-date with the latest patches.

Packet Prioritization
Not all traffic that passes through your ISA Server 2006 firewall will have the same importance. This can be a real issue for an organization with limited outbound bandwidth. For example, a brokerage firm branch office might need to access up-to-the-second information offered by a web service at the main office. This data would be considered high priority in making fast decisions when watching trading prices or other important financial data. Ensuring that requests to this web service get high priority would be beneficial to the brokerage firm.

ISA Server 2006 provides packet prioritization for limited bandwidth scenarios by implementing the Differentiated Services (DiffServ) protocol. The DiffServ protocol provides a framework that enables deployment of scalable service discrimination over the Internet. DiffServ uses a marker in the IP header of each packet to assign it a priority level. It is important to note that this is a global setting and not assigned to a specific rule. ISA Server packet prioritization is a policy setting for HTTP traffic. It will apply to all HTTP traffic that traverses your ISA Server. The DiffServ web filter, built into ISA Server, will scan for packets containing a specific set of URLs or domain names and assign those packets a priority. The DiffServ filter has a high priority in ISA Server because it must be aware of the size of both the request and the response. To gain this awareness, DiffServ must inspect the HTTP packets at the point where ISA Server sends or receives the traffic.

ISA Server can only add DiffServ bits to HTTP or HTTPS traffic. It does not flag any other protocol with a priority level, nor does Microsoft guarantee that ISA Server will transmit DiffServ bits on any other protocol it receives. For packet prioritization to work, the routers in the traffic transit path must support QoS (Quality of Service) functionality. Once you enable DiffServ on ISA Server, you can then configure the URLs and/or domains you want to prioritize.

TASK 5B-20
Configuring Packet Prioritization
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks.

1. Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.
2. Expand the Console Tree pane, expand Configuration, and select the General container.
3. In the Details pane, under Global HTTP Policy Settings, select Specify DiffServ Preferences.


4. In the HTTP DiffServ dialog box, select the Enable Network Traffic Prioritization According To DiffServ (Quality Of Service) Bits option.
5. Click the Priorities tab and then click Add.
6. In the Add Priority dialog box, in the Priority Name field, type Branch Office Priority; then, in the DiffServ Bits field, type 010100 and click OK. (The DiffServ bits value would correspond to the value set on your routers.)
7. Click the URLs tab and then click Add.
8. On the Add URL Priority tab, in the URL field, type brokeragehouse.securitycertified.net.
9. On the Add URL Priority tab, from the Priority drop-down list, select Branch Office Priority and then click OK.
10. In the HTTP DiffServ dialog box, click the Network tab, select the External network, and then click OK.
11. In the dialog box warning you that DiffServ is currently disabled, click Yes.
12. At the top of the Details pane, click Apply.
13. In the Saving Configuration Changes dialog box, click OK.
14. Close the ISA Server 2006 Management console.

The ISA Server 2006 DiffServ filter is now enabled and configured to prioritize HTTP packets sent to the URL http://brokeragehouse.securitycertified.net.
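As an added example (not part of the course material), the Python below decodes the DiffServ bits string typed in step 6 into the values a router-side QoS policy is usually written in: the decimal DSCP, the standard per-hop-behaviour name, and the full DS (TOS) byte that a TOS-based match would use. The PHB naming follows the RFC 2474/2597/3246 code points; the function names are this example's own.

```python
# Decode the 6-bit DiffServ (DSCP) value entered in ISA Server's Add Priority
# dialog and derive the equivalent numbers for checking the router configuration
# it has to agree with.

EF_DSCP = 46  # Expedited Forwarding code point, RFC 3246


def parse_diffserv_bits(bits):
    """Turn a six-character string of 0/1 into an integer DSCP (0-63)."""
    if len(bits) != 6 or any(ch not in "01" for ch in bits):
        raise ValueError("DiffServ bits must be exactly six 0/1 characters")
    return int(bits, 2)


def phb_name(dscp):
    """Name the standard per-hop behaviour for a DSCP value, or 'unassigned'."""
    if dscp == 0:
        return "BE (default)"
    if dscp == EF_DSCP:
        return "EF"
    class_bits, low_bits = dscp >> 3, dscp & 0b111
    if low_bits == 0:
        return f"CS{class_bits}"             # Class Selector, RFC 2474
    drop_prec = (dscp >> 1) & 0b11
    if 1 <= class_bits <= 4 and 1 <= drop_prec <= 3 and (dscp & 1) == 0:
        return f"AF{class_bits}{drop_prec}"  # Assured Forwarding, RFC 2597
    return "unassigned"


def describe_diffserv_bits(bits):
    """Summarise a DiffServ bits string as router-friendly values.

    The DS field is the old IPv4 TOS byte: the DSCP occupies its upper six
    bits and the two ECN bits sit below it, so the byte value is dscp << 2.
    The upper three bits double as the legacy IP Precedence for older gear.
    """
    dscp = parse_diffserv_bits(bits)
    return {
        "dscp": dscp,
        "phb": phb_name(dscp),
        "ds_byte": dscp << 2,
        "ip_precedence": dscp >> 3,
    }


if __name__ == "__main__":
    # 010100 is the value typed in step 6 of the task above.
    print(describe_diffserv_bits("010100"))
```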

Uninstalling ISA Server 2006


Like most Microsoft programs, ISA Server 2006 is relatively easy to uninstall. The methodology for uninstalling is similar to most programs and is accomplished through the Add/Remove Programs control panel applet. One thing to keep in mind is that in addition to removing ISA Server 2006, you may also need to change the security configuration of the underlying OS before you can use the server for a different purpose. However, as you discovered in an earlier exercise, the Security Configuration Wizard makes this process relatively painless. Just roll back the configuration that you used for ISA Server and apply the template that is appropriate for the server's new role on your network.

TASK 5B-21
Uninstalling ISA Server 2006
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks.

1. Choose Start→All Programs→Control Panel→Add Or Remove Programs.
2. In the Currently Installed Programs list, select Microsoft ISA Server 2006 and then click Change/Remove.
3. When the Microsoft ISA Server 2006 - Installation Wizard dialog box appears, click Next.
4. In the Program Maintenance window, select the Remove radio button and then click Next.
5. In the Generated Files Removal dialog box, accept the defaults, and click Next.
6. In the Remove The Program dialog box, click Remove.
7. In the Installation Wizard Completed dialog box, click the Finish button.
8. Close the Add Or Remove Programs control panel applet.
9. Choose Start→Administrative Tools→Security Configuration Wizard.
10. In the Welcome To The Security Configuration Wizard, click Next.
11. In the Configuration Action dialog box, select the Rollback The Last Applied Security Policy option and then click Next.
12. In the Select Server dialog box, verify your server name and then click Next.
13. In the Rollback Security Configuration dialog box, click Next. (If you wish, you may view the rollback file before clicking Next.)
14. In the Completing The Security Configuration Wizard dialog box, click Finish.
15. You have successfully removed ISA Server 2006 and the security configurations from your server.
16. Choose Start→Control Panel, right-click Network Connections, and choose Open.


17. Right-click each of the loopback adapters and choose Disable.
18. Close the Network Connections window.
19. If you would like to confirm that these connections are disabled, attempt to ping them from a command prompt. You should not receive a response.
20. Close all open windows.

Topic 5C
IPTables Concepts
One of the primary benefits touted for the Open Source model of Linux is its ability to adapt and change as people come up with bright ideas. This ability has allowed security features to be created and modified as industry requirements and Internet threats evolve. Linux has the capacity to behave as a router, a NAT server, and a packet-filtering device. All these features are built into the core operating system.

Firewalling in Linux
Elementary firewalling via an application called ipfwadm was included in earlier kernel versions. With the development of kernel version 2.2, the firewall was built with IPChains. From kernel version 2.4 and up, IPChains is replaced with IPTables. One of the big differences between IPChains and IPTables is that the latter can be configured to be a stateful packet filter.

At its very essence, the way that IPTables works is extremely simple. The headers within a packet are examined against a known set of rules (also referred to as a chain), in sequence. If the packet matches a certain rule, a decision is made for that packet based on what is specified (also referred to as the target). If a match is not found, then the packet is examined against the next rule in the sequence. This continues until all the rules are exhausted. At this point, IPTables looks to the default policy in order to make a decision. As a packet-filtering firewall, IPTables checks its rules on packets as they enter or leave an interface. Because IPTables is part of the kernel, the processing of the packets is very fast. IPTables' ability to perform NAT is referred to as masquerading.


Essentially, there are three sets of tables that are part of IPTables: Filter, NAT, and Mangle. Throughout this topic, we will mostly discuss the Filter aspect of IPTables. NAT tables are used when IP addresses need to be substituted. This typically happens when you want to hide internal hosts from the Internet. Mangle tables are used when certain fields in the headers need to be changed, such as the TTL or TOS fields.

To be able to use IPTables, the kernel must be compiled to include support for firewalling. In this course, the version of Linux used is SUSE Enterprise Server 10, which includes IPTables. If you are using a different Linux distribution, you will need to verify whether IPTables has been installed. If it has not, you will have to install it.

Depending upon the table chosen, you can manipulate certain built-in chains. For example, built into the Filter table are three rule sets (chains) that cannot be deleted: Input, Forward, and Output. If you're dealing with the NAT table, you will have to deal with the Prerouting and Postrouting built-in chains. If a packet is directed to the firewall, as it enters the computer via an interface, the Input chain is used to determine the fate of the packet. If a packet originates at the firewall, the Output chain will be checked. When the packet requires routing to another location, the Forward chain will be used.

If the packet reaches the end of one of the chains and there has been no match, whatever default policy exists is used. These default policies exist only on the default chains, and the options are typically Accept and Drop. You set the default policy for the built-in chains to one of the above, and in the absence of any other rule, the action stated by the default policy is carried out. If a match is found in a rule for a packet, then the appropriate action is carried out. The action to be taken when a match is found is also referred to as the target. The target could be Accept or Drop, or even another chain altogether.

Apart from the built-in chains, a firewall administrator can create user-defined chains. You identify such chains with a name. Unlike the built-in chains, user-defined chains do not have a default policy. If a packet reaches the end of a user-defined chain without any decision made about it, then the packet will return to the chain that was examining it previously, and start on the next rule in that chain.

Process of the Packet


As far as the network interfaces on a firewall are concerned, all packets are either inbound or outbound. Typically, a majority of packets received by an interface in a firewall are passed on to another interface to be sent onward. At such a time, the firewall has to decide how the packet is going to be passed on to the other interface. Packets might be simply routed from one interface to the other (forwarded), or certain information in the packet headers might have to be stripped, replaced with new information, and then sent onward, as with NAT (masquerade/de-masquerade). The following set of figures (the circle represents a Linux box with three interfaces) show the basic movement of packets through a system running IPTables. First, let's look at inbound flow, in the following figure.

272

Tactical Perimeter Defense

Figure 5-23: A packet's inbound flow.

Figure 5-24: A packet's outbound flow.

Lesson 5: Configuring Firewalls

273

Finally, let's look at routing and NAT flow. The following shows packets being routed, or forwarded.

Figure 5-25: A packet's routing (forwarding) or NAT (masquerading/de-masquerading) flow.

Figure 5-26: The multiple decisions that have to be made about a packet by a firewall.

When a packet first enters an interface, the system verifies the checksum value. If the checksum is correct, the packet moves to the Sanity check. The Sanity check is a feature that checks for incorrectly formed packets. After the Sanity check, the packet is moved to the Input chain. It will go through the chain, and if there is a match at any point, it follows the instructions set forth for that rule. If there is no match, then the default policy applies. If the packet's destination is the firewall itself, then the Input chain is the only chain processed. If the packet is destined for another host, the routing processes take over. This is to determine if the packet is to be forwarded to another machine or to a different local process. A local process would be one that can send and receive packets. The routing process looks to the Forward chain. The packet moves down the rules in the Forward chain, and the system checks for matches. If there is a match, the matching rule specifies where the packet should go. If the packet does not match, then the default policy of the Forward chain takes effect. The Output chain consists of rules that examine packets generated by the firewall.
Please note that the method of checking packets against the built-in chains in IPTables is very different from the method employed by IPChains.

The Flow of the Chains


Upon entering an interface, a packet destined for the firewall is processed by the Input chain. The packet is passed down the list, one rule at a time, until a match has been found. When there is a match, the packet follows the rule assigned to the target. The target specifies what will become of the packet, as far as that rule is concerned. For example, the target might state that the packet can be accepted, dropped, or it could be a user-defined chain. A rule in one user-defined chain can specify another user-defined chain as the target.

Figure 5-27: The Input chain accepting a packet at the third rule.

The target names are straightforward: Accept and Drop. A couple of extensions to the target are also available: Log and Reject. A small clarification is needed on the difference between Drop and Reject. As with Microsoft's ISA Server, the end result (as far as the packet is concerned) is that the packet does not get through. However, by default, when TCP/IP is communicating, there is two-way communication. When the target is set to Drop and a matching packet is found, that packet is silently dropped. When this happens, technically the function of TCP has been broken. The TCP standard states that if a connection cannot be established, an ICMP message is to be returned to the host; this is useful for troubleshooting purposes. Due to this, the second option of Reject is included. When the target is set to Reject and a matching packet is found, the packet is still dropped, but an ICMP message is sent to the host, closing the communication. The choice is yours to make. Reject might be the nice way to drop a packet, but from a security standpoint, Drop provides less information. Each rule must be created with a target, and because rules are numbered and sequential, it is critical that the correct order be maintained. You do not want an error in the rule order to mistakenly block a subnet or grant access where it should not be granted. If the default rules do not provide the level of control that is required, administrators can create their own chains and apply detailed rules to them.

Figure 5-28: The Input chain finds a match and targets the packet to a user chain.

Configuring chains can quickly become an involved task. For example, the Input chain receives a packet and finds a match on the fourth rule, sending the packet to a user chain. That same packet then goes through the user chain, where there might be a match sending it to a different chain, or even back to the Input chain. Remember, if a packet does not match any of the rules in a user-defined chain, it is sent back to the previous chain, where it picks up after the rule that sent it to the user-defined chain in the first place; see the following figure.

Figure 5-29: A packet being examined by first the Input chain, then a user-defined chain, and going back to the Input chain.

It is possible for an administrator to write rules that will cause the process of packet examination to loop. If this happens, the packet will be dropped.

Configuration Options
This section covers the configuration options most often used in day-to-day environments running IPTables. Not all of the options available in IPTables are covered here. For a more detailed study of IPTables, you should look around at the various sources of information available to you. To start with, the man pages for IPTables are quite extensive and worth reading. For detailed syntax issues that are not covered here, issuing the man iptables command is a good place to start. If you do not have a Linux box handy, go to www.iptables.org or www.netfilter.org and read or download articles dealing with setting up a Linux box as a firewall by using IPTables. There are configuration options for creating, viewing, and managing chains. The first command switch is in uppercase. There are command switches for managing the individual rules as well, and these also use uppercase. Within the rules, various operations are defined by using lowercase.

The iptables Command


The basic syntax of the command is:
iptables command_switch parameters [options]

The following gure shows an example of an IPTables command.

Figure 5-30: Sample command syntax for IPTables.



Cisco gurus will quickly latch on to the syntax similarities between IPTables and Cisco Access Control Lists. Basically, you're dealing with some conditions, and if those conditions are met, then this rule says, "Accept the packet." The following figure shows several examples of usage syntax.

Figure 5-31: Examples of usage syntax for IPTables.

Chain Management
The following table lists some of the command switches for managing the chains. (Italicized words are variables.)

Figure 5-32: Chain management command switches.


Figure 5-33: Available options for IPTables.

Rule Management
The basic structure for the rule commands is the same as for the chain commands, as shown in the following table.

Figure 5-34: Example rule commands.

Rule Creation
The previous command switches are used in managing the rules, and they are in uppercase. The following table lists commands for creating the actual rules themselves.


Figure 5-35: Rule creation commands.

Figure 5-36: Configuration options for rules in IPTables.

Other Options
In the rule sets, port numbers are configured as two values: source port, or sport, and destination port, or dport. For example, if you want a rule to govern source ports 2100 through 2200, inclusive, you can use the syntax --sport 2100:2200. Notice that two hyphens are used. Similarly, if you want a rule to address destination port 31337, you can use the syntax --dport 31337. Another very useful and important rule configuration tool is the bang (!) entry. This value, with spaces on either side, negates whatever follows it. Think of a rule as being divided into a number of fields that more or less correspond to the headers in a packet. Now, imagine that each of these fields can have certain specifications. Sometimes you might want to negate what's specified (anything but this). This is where the ! comes in. The ! negates the values specified in that field. For example, the syntax to specify any host other than 172.16.23.44 is ! 172.16.23.44. While discussing IP addresses in IPTables, the ability to specify any IP address is included as well. To do so, you can use 0/0. When choosing to block ping packets, more specifically ICMP packets, be careful that you are blocking what you mean to block. Because the ICMP protocol is used for many different parts of communication, it is important that you are aware of what could happen if you blocked all ICMP traffic: host-unreachable messages would not come through, source-quench messages would not come through, time-exceeded messages would not come through, and so forth. You need to specify the part of ICMP you want to work with, just as you specify ports for TCP. The syntax is --icmp-type typename, where typename is one of the following:
- destination-unreachable
- source-quench
- time-exceeded
- parameter-problem
- echo-request
- echo-reply

There are several other switches that can be used; again, check the man pages for a comprehensive list. One more that is worth mentioning is the -l option. This option turns on kernel logging of the packets that match the rule. It is possible to create a rule and use the logging feature, but have no target for the packet. This is done for tracking purposes, such as to track the number of packets that are for a particular service on a given host. To save your IPTables configuration, use the command iptables-save > filename to write the current configuration to the named file. To restore this configuration, use the command iptables-restore < filename.

Rule Examples
So that the syntax can make a bit more sense, we will look at some rule examples in their syntax form, and discuss the result of each rule. By the time you reach the end of this section, you should have a solid grasp of the IPTables syntax.

Modifying a Default Chain


A simple start to working with the syntax is to modify the behavior of a default chain. As you remember, there are only three default chains: Input, Output, and Forward. In this example, we will modify the setting of the default Input chain to change the default setting to Drop. This is a common modification of the chain, and is a requirement for a secure system. You do not want to keep the default of Accept on the Input chain. The syntax to accomplish this is:
iptables -P INPUT DROP

For this chain: -P sets the default policy of a specified chain. INPUT is the chain that is getting modified. DROP is the target.

Therefore, the default policy of the Input chain is now set to Drop all packets. If this is the only configuration of the Input chain, then all packets trying to reach the firewall will be dropped! You must create rules where the targets are other than Drop if you want communications to take place at all.


The end result of this modification is that when a packet reaches the end of the Input chain, it will be discarded. Because the default setting of Accept can present a security risk, changing the setting to Drop is a good idea from a security perspective.

Creating a Chain
If you need to create a new chain, the syntax is:
iptables -N chainname

For this chain: -N indicates that this is a new chain. chainname is the name of the new chain.

Deleting a Chain
To delete a chain, use the syntax:
iptables -X chainname

For this chain: -X indicates that you want to delete a chain. chainname is the name of the chain that you want to delete. A chain cannot have any rules in it prior to deletion. If rules exist, you can use the Flush command.

Flushing a Chain
If you need to delete a chain, and there are still rules in the chain, you can first flush the chain. Because flushing removes all rules from a chain, be careful that you do not perform something unexpected. Plan carefully when deleting chains, particularly on a production machine. To flush a chain, use the syntax:
iptables -F chainname

For this chain: -F indicates that you want to flush all rules. chainname is the name of the chain that you want to flush.

Checking for Connections


If you want to be sure that inbound packets are not trying to establish connections, you can check the SYN flag. This flag alone is set only on the initial segment of the three-way handshake. Checking for this flag is a good way to keep inbound connections from passing through the rule sets, while leaving the same port open for return communication. To check for connections, use the syntax:
iptables -A chainname -p TCP -s 10.0.10.10 --syn -j DROP


For this chain: -A indicates that you want to append a rule to a chain. chainname is the name of the chain that you want to add the new rule to. -p indicates that you want to check a protocol. TCP defines the protocol that you want to check. -s indicates that you want to check a source address. 10.0.10.10 is the source IP address that you want to check. --syn indicates that you want to check the SYN flag. -j indicates that you want to define a target for matches. DROP defines the target.

The meaning of this rule is A packet coming from 10.0.10.10 that is trying to initiate a connection is to be dropped.

Negating Values
Here is an example of syntax that negates a value:
iptables -A OUTPUT -p TCP -d ! 172.16.35.40 --dport 80 -j ACCEPT

For this chain: -A OUTPUT specifies that you want to append a rule to the OUTPUT chain. -p TCP indicates that you want to check the TCP protocol. -d 172.16.35.40 specifies the destination that you want to check. However, because there is a ! before the destination, the rule is stating any destination other than the specified address. --dport 80 indicates that you want to check for WWW packets. -j ACCEPT defines the target as Accept.

In essence, this rule states that all TCP packets can get to the WWW service on any computer, except for 172.16.35.40. The final example of negating that we will look at also introduces the lo option, which is used to define the loopback adapter. Here is the command:
iptables -A INPUT -i ! lo -j DROP

For this chain: -A INPUT indicates that you want to modify the default INPUT chain by appending a rule. -i indicates that you want to check an incoming interface, and lo defines the incoming interface that you want to check. The ! negates the definition. -j DROP defines the target as Drop.

In essence, this rule states that all incoming traffic will be denied, except for traffic on the loopback interface.


Defining a Target
To define a target, use the following syntax:
iptables -A INPUT -s 10.0.10.100 -j DROP

For this chain: -A INPUT indicates that you want to modify the default INPUT chain by appending a rule. -s 10.0.10.100 defines the IP address to match. -j DROP defines the target as Drop.

The meaning of this rule is: All packets that are from the address 10.0.10.100 are to be denied. Here is another example of defining a target that also includes a port number:
iptables -A INPUT -p TCP -d 0/0 --dport 12345 -j DROP

The meaning of this rule is: All packets that are destined for any IP address and to port 12345 are to be denied.

Complex Rules
The different parts of the rules discussed herein can be combined to create overall rules as needed. Here are some examples of more complex rules:
iptables -A OUTPUT -p TCP -s 10.0.10.0/24 -d 0/0 --dport 80 -j ACCEPT

This rule for the OUTPUT chain states that any TCP traffic from the 10.0.10.0 network and destined for any IP address on port 80 is to be accepted:
iptables -A INPUT -p TCP -s 0.0.0.0/0 -d 10.0.10.0/24 --dport 31337 -j DROP

This rule for the INPUT chain states that any TCP traffic from any IP address destined for the 10.0.10.0 network on port 31337 is to be denied:
iptables -A INPUT -p TCP -s 0.0.0.0/0 -d 10.0.10.0/24 --dport 5000:10000 -j DROP

Similar to the previous command, the only syntax difference here is in the port numbers defined. In this rule, all ports from 5000 to 10000 are to be denied.

Configuring Masquerading
Linux does have the ability to perform IP Masquerading, which is a form of NAT. It is not difficult to implement, and the syntax is:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE


For this command: -t nat indicates that you want to configure the NAT table. -A POSTROUTING indicates that you want to append a rule after routing decisions are made. -o ppp0 indicates the outgoing interface that should be used; in this case, the PPP dialup link. -j MASQUERADE defines the target; in this case, that the source IP address in the IP header should be masked by the IP address of ppp0.
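The rewrite that the MASQUERADE target performs on the POSTROUTING chain, and the matching de-masquerade of replies shown in Figure 5-25, can be modelled in a few lines. The following Python is an added example, not code from the course or from the netfilter project. The public address 198.51.100.1 standing in for ppp0, the connection table and the sequential port allocation are assumptions made for the illustration; the real implementation keeps its state in the kernel's connection-tracking table and keeps the original source port where it can.

```python
# Added example (not course code): a minimal model of IP masquerading.
# Outbound packets leaving the public interface get their private source address
# replaced by the public one (the POSTROUTING rewrite); replies are mapped back
# through a connection table (de-masquerade). Port allocation here is a simplification.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Masquerader:
    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip          # assumed address of the outgoing interface
        self.next_port = first_port
        self.outbound = {}   # (proto, src, sport, dst, dport) -> public source port
        self.inbound = {}    # (proto, public port) -> (src, sport, dst, dport)

    def postrouting(self, pkt):
        """Rewrite a packet leaving the public interface, like -j MASQUERADE."""
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.outbound.get(flow)
        if port is None:                    # first packet of a new connection
            port = self.next_port
            self.next_port += 1
            self.outbound[flow] = port
            self.inbound[(pkt.proto, port)] = flow[1:]
        return replace(pkt, src=self.public_ip, sport=port)

    def prerouting(self, pkt):
        """Map an inbound packet back to the internal host, or return None when no
        masqueraded connection exists for it: unsolicited traffic is never translated,
        so it cannot reach an internal host through the masquerader."""
        if pkt.dst != self.public_ip:
            return None
        flow = self.inbound.get((pkt.proto, pkt.dport))
        if flow is None or (flow[2], flow[3]) != (pkt.src, pkt.sport):
            return None                     # reply does not belong to a known connection
        src, sport, _, _ = flow
        return replace(pkt, dst=src, dport=sport)


def demo():
    """Constructed sample: an internal host browsing the web through the masquerader.
    203.0.113.10 is a documentation address standing in for a web server."""
    nat = Masquerader("198.51.100.1")
    out = nat.postrouting(Packet("10.0.20.5", 40000, "203.0.113.10", 80))
    back = nat.prerouting(Packet("203.0.113.10", 80, out.src, out.sport))
    stray = nat.prerouting(Packet("203.0.113.10", 80, "198.51.100.1", 9999))
    return out, back, stray
```

Running demo() shows the three cases that matter on the perimeter: the outbound packet leaves with the public source address and a translated port, the reply to that port is handed back to 10.0.20.5:40000, and a packet to a port with no connection-table entry maps to nothing, which is why a DROP policy on the inbound side costs masqueraded clients nothing.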

Case Study
This section involves review of a case study of IPTables in a working environment. In this example, there is a single computer running as the firewall with two Ethernet interfaces. The Ethernet 0 Interface (172.168.25.40) goes to the Internet, and the Ethernet 1 Interface goes to the internal network. A diagram of the network is shown in the following figure.

Figure 5-37: An example network for firewall implementation.

First, we need to define the overall goals of the firewall. This should be done during the creation of the security policy, and specifically during the creation of the firewall policy.


Firewall Goals
The intended goals of this firewall are:
- We have decided to allow ICMP pings (echo requests and echo replies) through the firewall.
- We will allow our external clients access to the email server.
- Internal clients cannot use email servers on the Internet.
- We will allow external clients to reach our web server.
- We will block attempts to spoof internal addresses.
Note: this is for you to manage a simple network resource; in your production environment, you would likely not allow ICMP through the firewall.

Configuration
First, we will configure the default policies to deny all traffic:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Next, we will configure user-defined chains. This is done to make the chains easier to work with. For these user-defined chains, us is internal, and them is external:
iptables -N us-them
iptables -N them-us

Next, we will create the jumps for the different networks:
iptables -A INPUT -s 10.0.20.0/24 -d ! 10.0.20.0/24 -j us-them
iptables -A INPUT -s ! 10.0.20.0/24 -d 10.0.20.0/24 -j them-us

In the first line, if the source is us and the destination is not us (that is, them), then the target is the user chain us-them. In the second line, if the source is not us (them), and the destination is us, then the target is the user chain them-us. Next, we will configure the internal (us) to external (them) chain. We start by defining the general rules:
- Allow internal machines WWW access to the outside.
- Allow internal machines to be able to ping hosts on the outside.
- Disallow all other outgoing traffic.

Once we know our general rules, we can configure the chain:
iptables -A us-them -p TCP -d 0/0 --dport 80 -j ACCEPT
iptables -A us-them -p ICMP -d 0/0 -j ACCEPT

Next, we will configure the external (them) to internal (us) chain. Again, we will define the general rules first:
- Allow hosts on the outside WWW access to the Web server.
- Allow hosts on the outside to access the email server.
- Allow ping.
- Block internal address spoofing.
- Disallow all other incoming traffic.

Once we know our general rules, we can configure the chain:
iptables -A them-us -p TCP -d 10.0.20.22 --dport 25 -j ACCEPT
iptables -A them-us -p TCP -d 10.0.20.22 --dport 110 -j ACCEPT
iptables -A them-us -p TCP -d 10.0.20.21 --dport 80 -j ACCEPT
iptables -A them-us -p ICMP -d 10.0.20.0/24 -j ACCEPT
iptables -A them-us -s 10.0.20.0/24 -j DROP

Case Study Summary


After reviewing this case study, you should be able to identify the steps of creating a basic firewall by using IPTables. To summarize:
1. The overall goals and policies of the firewall were identified.
2. The default policies were changed to be very restrictive.
3. New chains were created for ease of management.
4. The INPUT policy was configured to jump to the new user chains.
5. The user-defined chains were configured to conform to the determined settings.
6. The chains were verified with the -L switch.

This study was designed to be a simple example of one possible implementation. Other options that could be added include:
- Adding full anti-spoofing, thus blocking any packet from outside that has an address of inside.
- Opening ports for return communication on the high ports.
- Adding checks for the SYN option.
- Defining IP Masquerading.

As you can see, there are always options in firewall design. Chances are good that while the end result may be the same, no two people will configure the firewall in the exact same fashion every time. Rules may be in different orders, for example (as long as they filter properly, of course). Or, perhaps someone is filtering everything on the INPUT chain and not making smaller chains. The flexibility is yours to use as you see fit.
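The chain flow described under "The Flow of the Chains" (a user-defined chain that makes no decision hands the packet back to the calling chain, which resumes at its next rule, while a built-in chain falls back to its policy) and the case-study rule set above can be checked offline with the following Python simulator. It is an added example, not code from the course or from the netfilter project: it understands only the -P, -N and -A switches and the -p, -s, -d, --dport, --syn and ! options used in this lesson, and the packets it is fed (198.51.100.7 and 203.0.113.10 standing in for Internet hosts) are constructed for the illustration.

```python
# Added example (not course code): offline simulator of IPTables filter-chain traversal.
import ipaddress
import shlex
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto dport syn", defaults=("tcp", 0, False))  # syn: first TCP segment

def parse_net(spec):                       # '10.0.20.0/24', '10.0.20.22' or the shorthand '0/0'
    addr, _, plen = spec.partition("/")
    return ipaddress.ip_network(f"{'0.0.0.0' if addr == '0' else addr}/{plen or 32}", strict=False)

def parse_ports(spec):                     # 'lo:hi' or a single port
    lo, _, hi = spec.partition(":")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:         # catches typos such as 1024:65565
        raise ValueError(f"invalid port range {spec!r}")
    return lo, hi

# option -> (value -> predicate on a Packet); values are parsed once, when the rule is added
MATCHERS = {
    "-p": lambda v: lambda p: p.proto == v.lower(),
    "-s": lambda v: lambda p, net=parse_net(v): ipaddress.ip_address(p.src) in net,
    "-d": lambda v: lambda p, net=parse_net(v): ipaddress.ip_address(p.dst) in net,
    "--dport": lambda v: lambda p, r=parse_ports(v): p.proto in ("tcp", "udp") and r[0] <= p.dport <= r[1],
    "--syn": lambda v: lambda p: p.proto == "tcp" and p.syn,
}

class Firewall:
    def __init__(self):
        self.chains = {"INPUT": [], "OUTPUT": [], "FORWARD": []}
        self.policy = {c: "ACCEPT" for c in self.chains}   # only built-in chains have one

    def run(self, cmdline):
        """Apply one 'iptables -P|-N|-A ...' command line."""
        switch, chain, *rest = shlex.split(cmdline)[1:]
        if switch == "-P":
            self.policy[chain] = rest[0]
        elif switch == "-N":
            self.chains[chain] = []
        elif switch == "-A":
            self.chains[chain].append(self._parse_rule(rest))
        else:
            raise ValueError(f"unsupported switch {switch}")

    @staticmethod
    def _parse_rule(args):
        """Return (tests, target); '-s ! net' and '! --syn' are both negation forms."""
        tests, target, i, neg = [], None, 0, False
        while i < len(args):
            tok, i = args[i], i + 1
            if tok == "!":
                neg = True
            elif tok == "-j":
                target, i = args[i], i + 1
            else:
                value = None
                if tok != "--syn":
                    value, i = args[i], i + 1
                    if value == "!":
                        neg, value, i = True, args[i], i + 1
                tests.append((MATCHERS[tok](value), neg))
                neg = False
        return tests, target

    def verdict(self, chain, pkt, depth=0):
        """Walk a chain. A user-defined chain that runs out of rules returns None and
        the caller resumes at its next rule; a built-in chain falls back to its policy."""
        if depth > 16:                         # the lesson's looping case: the packet is dropped
            return "DROP"
        for tests, target in self.chains[chain]:
            if not all(test(pkt) != neg for test, neg in tests):   # negated tests must not hit
                continue
            if target in ("ACCEPT", "DROP", "REJECT"):
                return target
            decision = self.verdict(target, pkt, depth + 1)        # jump into a user chain
            if decision is not None:
                return decision
        return self.policy.get(chain)

# The case study's rules as given in the lesson (everything hangs off INPUT there).
CASE_STUDY = """\
iptables -P INPUT DROP
iptables -N us-them
iptables -N them-us
iptables -A INPUT -s 10.0.20.0/24 -d ! 10.0.20.0/24 -j us-them
iptables -A INPUT -s ! 10.0.20.0/24 -d 10.0.20.0/24 -j them-us
iptables -A us-them -p TCP -d 0/0 --dport 80 -j ACCEPT
iptables -A us-them -p ICMP -d 0/0 -j ACCEPT
iptables -A them-us -p TCP -d 10.0.20.22 --dport 25 -j ACCEPT
iptables -A them-us -p TCP -d 10.0.20.22 --dport 110 -j ACCEPT
iptables -A them-us -p TCP -d 10.0.20.21 --dport 80 -j ACCEPT
iptables -A them-us -p ICMP -d 10.0.20.0/24 -j ACCEPT
iptables -A them-us -s 10.0.20.0/24 -j DROP
"""

def build_case_study():
    """Load the case-study rule set; e.g. build_case_study().verdict("INPUT", pkt)."""
    fw = Firewall()
    for line in CASE_STUDY.splitlines():
        fw.run(line)
    return fw
```

build_case_study().verdict("INPUT", Packet("198.51.100.7", "10.0.20.22", dport=25, syn=True)) returns "ACCEPT" (SMTP to the email server), while the same packet to port 23 falls off the end of them-us, returns to INPUT, finds no further rule and gets the DROP policy. A packet sourced from 10.0.20.5 and addressed to 10.0.20.21 shows why the final them-us rule never fires: the INPUT jump already requires a source outside 10.0.20.0/24, so a spoofed internal address is dropped by the INPUT policy without ever reaching that chain. The simulator also refuses the port range 1024:65565 when a rule is added, as a real iptables would. One difference from the real thing: the kernel refuses to load a rule set whose chains jump in a circle, whereas the simulator follows the lesson's description and drops the packet.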


TASK 5C-1
Working with Chain Management
Objective: To review a sample chain, and determine the effect it will have on traffic.
Setup: The following is an example chain. Review it and identify what has been implemented. Using the space provided, diagram this network and answer the questions that follow.
1. Examine the following chain:
INPUT DROP
FORWARD ACCEPT
OUTPUT ACCEPT
iptables -A INPUT -p 6 -s 0.0.0.0/0 -d 192.20.0.1/32 --dport 23:23 -j ACCEPT
iptables -A INPUT -p 6 -s 0.0.0.0/0 -d 10.168.0.3/32 --dport 80:80 -j ACCEPT
iptables -A INPUT -s 10.168.0.0/24 -d 0/0 -i eth0 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -d 0/0 -i eth0 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -d 0/0 -i eth1 -j DROP
iptables -A INPUT -s ! 10.168.0.0/24 -d 0/0 -i eth1 -j DROP
iptables -A INPUT -p 6 -s 0/0 -d 192.20.0.1/32 ! --dport 23:23 -j DROP -y
iptables -A INPUT -p 6 -s 0/0 -d 192.20.0.1/32 --dport 1024:65535 ! -y -j ACCEPT
iptables -A INPUT -p 17 -s 0/0 -d 192.20.0.1/32 --dport 1024:65535 ! -y -j ACCEPT
iptables -A INPUT -p 6 -s 0/0 -d 10.168.0.0/24 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p 17 -s 0/0 -d 10.168.0.0/24 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p 1 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -s 10.168.0.0/24 -d ! 192.20.0.1/32 -j ACCEPT

2. Diagram the network here or on another sheet. Assume the Class C address 192.20.0.1 is an external address.

What effect does this set of rules have on the network?
Telnet and web traffic are allowed to defined hosts. Anti-IP-spoofing rules are in place. High-level ports are allowed for the return of web traffic.
What services, if any, are running on the internal network?
At least web and Telnet services.
What are the internal clients allowed to access externally?
Web and Telnet services.
Is IP spoofing prevention in place?
Yes.
If an internal client ran a server, would external clients be able to access it? Why or why not?
They could not, since the ports required to be outgoing for a server are not open.


Topic 5D
Implementing Firewall Technologies
In the previous topics, you were introduced to the concepts and configuration of FireWall-1, ISA Server 2006, and IPTables. In this topic, you will put that knowledge to use.

Scenario
The following conceptualization will be used for configuring the firewall for this scenario. Review the network diagram and the required rules, and then proceed.

Figure 5-38: The conceptual network.

In this activity, you will be creating the configuration first for the internal firewall and then for the external firewall.

Firewall Rules
The following figure represents the policies that have been decided upon for the internal firewall.

Figure 5-39: Internal firewall rules.

The following figure represents the policies that have been decided upon for the external firewall.


Figure 5-40: External firewall rules.

Configuring the Internal Firewall


The IP addresses that will be used for this are listed in the following table.

Use                        IP Address        Subnet Mask
Internal Subnet            172.16.10.0       255.255.255.0
Security Host              172.16.10.10      255.255.255.0
Internal Web Server        172.16.100.100    255.255.0.0
Internal Firewall int 1    172.16.100.1      255.255.0.0
Internal Firewall int 2    192.168.10.1      255.255.255.0
DMZ Email Server           192.168.10.100    255.255.255.0
DMZ Web Server             192.168.10.101    255.255.255.0
External Firewall int 3    192.168.10.2      255.255.255.0
External Firewall int 4    10.10.10.10       255.255.0.0

First of all, you need to plan the chains and rules that you will use. Decide if you will create new chains, or use the default chains. Record, on paper, the chains and/or rule sets, and determine if they are correct before you begin implementation. You should always plan the whole process first. Here are some general steps to guide you in this first activity.
1. Decide if you will modify the default policies, and write down what you would modify them to.
2. Decide if you want to create new rules/chains for management, and write them down.
3. In Linux, if you created new chains, define the jumps to these chains.
4. Define the general goals of the firewall.
5. Write down the rules you will configure.
6. Describe how you will verify that the rules and chains are correct.

Once you have your plan written down, it is time for configuration. Using the above steps as your general guidelines, go ahead and configure the firewall to meet the goals you outlined. Remember, there may be several ways to accomplish the overall goals, so no one way is to be considered correct over another. If the goals are met efficiently, then the rules and chains are correct for that scenario.


Suggested Solutions
The following are suggested solutions to the scenario for IPTables. Feel free to compare your results to the suggested results. Again, even though they may be different, as long as the goals are met, the rules and chains are a success. Configure the default policies to be more restrictive, by using the DROP target:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Create new chains to make configuration easier:
iptables -N in-dmz
iptables -N dmz-in
iptables -N net-in

Configure the jumps to the new chains:
iptables -A INPUT -s 172.16.0.0/16 -d ! 172.16.0.0/16 -j in-dmz
iptables -A INPUT -s 192.168.10.0/24 -d 172.16.0.0/16 -j dmz-in
iptables -A INPUT -s 0/0 -d 172.16.10.0/0 -j net-in

Define the overall goals. In this scenario, you are dealing with the packets that are moving between the internal network and the DMZ, the DMZ and the internal network, and the Internet and the internal network. Identify what traffic is allowed in different directions. From the guidelines given, we can identify the following:
- The internal network can access the WWW server on the DMZ and the Internet. The DMZ and Internet cannot access WWW on the internal network.
- The internal network can access the email server on the DMZ, but not on the Internet. The DMZ and Internet cannot access email on the internal network.
- The Security Host can Telnet to the DMZ and the Internet. The DMZ and Internet cannot Telnet to the internal network.
- The defined internal subnet can FTP to the DMZ and the Internet. The DMZ and Internet cannot FTP to the internal network.
- Ping is allowed in both directions.
Configure the rules.

Based on the guidelines, the following configuration is one suggestion for solving this scenario. Configure one chain at a time:
iptables -A in-dmz -p TCP -d 192.168.10.101 --dport www -j ACCEPT
iptables -A in-dmz -p TCP -d 192.168.10.100 --dport smtp -j ACCEPT
iptables -A in-dmz -p TCP -d 192.168.10.100 --dport pop3 -j ACCEPT
iptables -A in-dmz -p TCP -s 172.16.10.10/32 -d 0/0 --dport telnet -j ACCEPT
iptables -A in-dmz -p TCP -s 172.16.10.0/24 -d 192.168.10.0/24 --dport 20:21 -j ACCEPT
iptables -A in-dmz -p TCP -d 0/0 --dport www -j ACCEPT
iptables -A in-dmz -p ICMP -d 0/0 -j ACCEPT
iptables -A in-dmz -p 6 -d 0/0 --dport 1024:65535 ! --syn -j ACCEPT
iptables -A in-dmz -p 17 -d 0/0 --dport 1024:65535 -j ACCEPT
iptables -A dmz-in -p ICMP -d 172.16.0.0/16 -j ACCEPT
iptables -A dmz-in -p TCP -d 172.16.0.0/16 --dport 1024:65535 ! --syn -j ACCEPT
iptables -A dmz-in -p UDP -d 172.16.0.0/16 --dport 1024:65535 -j ACCEPT
iptables -A net-in -p 1 -d 172.16.0.0/16 -j ACCEPT
iptables -A net-in -p 6 -d 172.16.0.0/16 --dport 1024:65535 ! --syn -j ACCEPT
iptables -A net-in -p 17 -d 172.16.0.0/16 --dport 1024:65535 -j ACCEPT

As was stated before, this isn't the only possible solution. Compare the solution you came up with to this one and to the others in the class. Discuss with each other the different points in each solution.

Configuring the External Firewall


After you have configured your firewall to simulate the first scenario, you are ready to move on to the second scenario. The premise is the same, and the network layout is the same. The only difference is that this time you are configuring the rules on the external firewall. Before we can proceed to configure the rules, we need to remove the chains that are currently in place. Again, there are different ways to accomplish this, but here is a suggestion:
1. Flush all rules from all the chains you have created, by using the iptables -F chainname command.
2. Delete the chains after the rules have been flushed, by using the iptables -X chainname command.
3. Modify the default policies back to Accept, so that the system is back to the state it was in when you began this topic (as if no rules or modifications had taken place at all). Use the iptables -P chain ACCEPT command.

The IP addresses that will be used for this are listed in the following table.

Use                        IP Address        Subnet Mask
Internal Subnet            172.16.10.0       255.255.255.0
Security Host              172.16.10.10      255.255.255.0
Internal Web Server        172.16.100.100    255.255.0.0
Internal Firewall int 1    172.16.100.1      255.255.0.0
Internal Firewall int 2    192.168.10.1      255.255.255.0
DMZ Email Server           192.168.10.100    255.255.255.0
DMZ Web Server             192.168.10.101    255.255.255.0
External Firewall int 3    192.168.10.2      255.255.255.0
External Firewall int 4    10.10.10.10       255.255.0.0


First of all, you need to plan the chains and rules that you will use. Decide if you will create new chains, or use the default chains. Record, on paper, the chains and/or rule sets, and determine if they are correct before you begin implementation. You should always plan the whole process first. Here are some general steps to guide you in this activity:
1. Decide if you will modify the default policies, and write down what you would modify them to.
2. Decide if you want to create new rules/chains for management, and write them down.
3. In Linux, if you created new chains, define the jumps to these chains.
4. Define the general goals of the firewall.
5. Write down the rules you will configure.
6. Describe how you will verify that the rules and chains are correct.

Once you have your plan written down, it is time for configuration. Using the above steps as your general guidelines, go ahead and configure the firewall to meet the goals you outlined. Remember, there may be several ways to accomplish the overall goals, so no one way is to be considered correct over another. If the goals are met efficiently, then the rules and chains are correct for that scenario.

Suggested Solutions
The following are suggested solutions to the scenario for IPTables. Feel free to compare your results to the suggested results. Again, even though they may be different, as long as the goals are met, the rules and chains are a success. Congure the default policies to be more restrictive, by using the DROP target:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Create new chains to make conguration easier:


iptables -N in-net
iptables -N dmz-net
iptables -N net-dmz
iptables -N net-in

Configure the jumps to the new chains, and configure IP spoofing rules. The anti-spoofing rules assume that eth1 is the Internet-facing interface, and they must come before the jumps so that a spoofed packet is dropped before any chain gets a chance to accept it. Note also that on a Linux firewall routing between two interfaces, transit packets traverse the FORWARD chain, not INPUT; INPUT only sees packets addressed to the firewall itself. The jumps therefore hang off FORWARD (the negation is written in the current ! -d form; older releases accepted -d ! instead):
iptables -A FORWARD -s 172.16.0.0/16 -d 0/0 -i eth1 -j DROP
iptables -A FORWARD -s 192.168.0.0/16 -d 0/0 -i eth1 -j DROP
iptables -A FORWARD -s 127.0.0.0/8 -d 0/0 -i eth1 -j DROP
iptables -A FORWARD -s 172.16.0.0/16 ! -d 172.16.0.0/16 -j in-net
iptables -A FORWARD -s 192.168.10.0/24 ! -d 192.168.10.0/24 -j dmz-net
iptables -A FORWARD -s 0/0 -d 192.168.10.0/24 -j net-dmz
iptables -A FORWARD -s 0/0 -d 172.16.0.0/16 -j net-in

Dene the overall goals. In this scenario, you are dealing with the packets that are moving between the Internet, the internal network, and the DMZ. Identify what traffic is allowed in different directions.

294

Tactical Perimeter Defense

From the guidelines given, we can identify the following:
- The internal network can access the WWW service on the Internet.
- The internal network cannot access email on the Internet.
- The internal subnet can access FTP on the Internet.
- The Security Host can access Telnet on the Internet.
- The internal network can ping the Internet.
- The DMZ can ping the Internet.
- The Internet can access the WWW server on the DMZ.
- The Internet can access the email server on the DMZ.
- The Internet cannot ping the DMZ.
- The Internet cannot ping the internal network.
Configure the rules.

Based on the above guidelines, the following conguration is one suggestion for solving this scenario. Congure one chain at a time:
iptables -A in-net -p TCP -d 0/0 --dport www -j ACCEPT
iptables -A in-net -p TCP -s 172.16.10.0/24 -d 0/0 --dport 20:21 -j ACCEPT
iptables -A in-net -p TCP -s 172.16.10.10/32 -d 0/0 --dport telnet -j ACCEPT
iptables -A in-net -p ICMP -d 0/0 -j ACCEPT
iptables -A in-net -p TCP -d 0/0 --dport 1024:65535 ! --syn -j ACCEPT
iptables -A in-net -p UDP -d 0/0 --dport 1024:65535 -j ACCEPT
iptables -A dmz-net -p ICMP -d 0/0 -j ACCEPT
iptables -A dmz-net -p TCP -d 0/0 --dport 1024:65535 ! --syn -j ACCEPT
iptables -A dmz-net -p UDP -d 0/0 --dport 1024:65535 -j ACCEPT
iptables -A net-dmz -p TCP -d 192.168.10.100 --dport pop3 -j ACCEPT
The goals also require the Internet to reach the DMZ web server and to deliver mail to the DMZ email server, and the inside networks only get their replies if the net-dmz and net-in chains admit return traffic, so the following rules are needed as well (note that 65535 is the largest valid port number):
iptables -A net-dmz -p TCP -d 192.168.10.100 --dport smtp -j ACCEPT
iptables -A net-dmz -p TCP -d 192.168.10.101 --dport www -j ACCEPT
iptables -A net-dmz -p TCP --dport 1024:65535 ! --syn -j ACCEPT
iptables -A net-in -p TCP --dport 1024:65535 ! --syn -j ACCEPT
iptables -A net-in -p UDP --dport 1024:65535 -j ACCEPT
A caveat: the "! --syn" rules are stateless, so any non-SYN segment aimed at a high port is accepted whether or not a session exists. On a kernel with connection tracking, -m state --state ESTABLISHED,RELATED -j ACCEPT (or the equivalent -m conntrack --ctstate form) admits only genuine replies and is the rule to use in production.

As was stated before, this isnt the only possible solution. Compare the solutions you came up with to this one and to the others in the class. Discuss with each other the different points in each solution.
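To see how a ruleset like this actually treats individual packets, the following Python script is an added example, not code from the course: it models iptables chain traversal (jumps into user-defined chains, fall-through back to the calling chain, and the built-in chain's default policy) and runs the suggested solution against constructed packets. It assumes the jumps hang off FORWARD, the chain transit traffic crosses on a Linux router, and that eth1 is the Internet-facing interface; the net-dmz and net-in rules for the DMZ web and mail servers and for reply traffic to inside clients are this example's additions, needed by the stated goals but absent from the original ten rules.

```python
"""Model of iptables chain traversal, run against the external-firewall ruleset.

Constructed example: this is a simulator, not iptables. It ignores conntrack, NAT,
and the INPUT/OUTPUT chains; only FORWARD (transit traffic) is modelled.
"""
import ipaddress


def rule(target, src="0.0.0.0/0", dst="0.0.0.0/0", proto=None, dport=None,
         syn=None, in_if=None, not_dst=False):
    """One rule. dport is an inclusive (low, high) range; syn=False models
    '! --syn'; not_dst=True models '! -d <dst>'; in_if models '-i'."""
    return dict(target=target, src=ipaddress.ip_network(src),
                dst=ipaddress.ip_network(dst), proto=proto, dport=dport,
                syn=syn, in_if=in_if, not_dst=not_dst)


def matches(r, p):
    if ipaddress.ip_address(p["src"]) not in r["src"]:
        return False
    if (ipaddress.ip_address(p["dst"]) in r["dst"]) == r["not_dst"]:
        return False
    if r["proto"] and r["proto"] != p["proto"]:
        return False
    if r["dport"]:
        d = p.get("dport")
        if d is None or not r["dport"][0] <= d <= r["dport"][1]:
            return False
    if r["syn"] is not None and r["syn"] != p.get("syn", False):
        return False
    if r["in_if"] and r["in_if"] != p["in_if"]:
        return False
    return True


# Assumed interfaces: eth0 faces the DMZ/internal side, eth1 faces the Internet.
CHAINS = {
    "FORWARD": [
        rule("DROP", src="172.16.0.0/16", in_if="eth1"),      # anti-spoofing
        rule("DROP", src="192.168.0.0/16", in_if="eth1"),
        rule("DROP", src="127.0.0.0/8", in_if="eth1"),
        rule("in-net", src="172.16.0.0/16", dst="172.16.0.0/16", not_dst=True),
        rule("dmz-net", src="192.168.10.0/24", dst="192.168.10.0/24", not_dst=True),
        rule("net-dmz", dst="192.168.10.0/24"),
        rule("net-in", dst="172.16.0.0/16"),
    ],
    "in-net": [
        rule("ACCEPT", proto="tcp", dport=(80, 80)),                        # www
        rule("ACCEPT", src="172.16.10.0/24", proto="tcp", dport=(20, 21)),   # ftp
        rule("ACCEPT", src="172.16.10.10/32", proto="tcp", dport=(23, 23)),  # telnet
        rule("ACCEPT", proto="icmp"),
        rule("ACCEPT", proto="tcp", dport=(1024, 65535), syn=False),
        rule("ACCEPT", proto="udp", dport=(1024, 65535)),
    ],
    "dmz-net": [
        rule("ACCEPT", proto="icmp"),
        rule("ACCEPT", proto="tcp", dport=(1024, 65535), syn=False),
        rule("ACCEPT", proto="udp", dport=(1024, 65535)),
    ],
    "net-dmz": [
        rule("ACCEPT", dst="192.168.10.100/32", proto="tcp", dport=(110, 110)),  # pop3
        rule("ACCEPT", dst="192.168.10.100/32", proto="tcp", dport=(25, 25)),    # smtp (added)
        rule("ACCEPT", dst="192.168.10.101/32", proto="tcp", dport=(80, 80)),    # www (added)
        rule("ACCEPT", proto="tcp", dport=(1024, 65535), syn=False),             # replies (added)
    ],
    "net-in": [
        rule("ACCEPT", proto="tcp", dport=(1024, 65535), syn=False),  # replies (added)
        rule("ACCEPT", proto="udp", dport=(1024, 65535)),             # replies (added)
    ],
}
POLICY = {"FORWARD": "DROP"}


def walk(chain, p):
    """Return the first terminating target hit in `chain` (following jumps),
    or None when the chain falls through to its caller."""
    for r in CHAINS[chain]:
        if not matches(r, p):
            continue
        if r["target"] in ("ACCEPT", "DROP"):
            return r["target"]
        hit = walk(r["target"], p)  # jump; a fall-through resumes here
        if hit:
            return hit
    return None


def verdict(p):
    return walk("FORWARD", p) or POLICY["FORWARD"]


def pkt(src, dst, proto, dport=None, syn=True, in_if="eth0"):
    """Constructed packet summary; syn=False means a non-SYN TCP segment."""
    return dict(src=src, dst=dst, proto=proto, dport=dport, syn=syn, in_if=in_if)


if __name__ == "__main__":
    samples = [
        ("inside -> web", pkt("172.16.10.10", "198.51.100.5", "tcp", 80)),
        ("inside -> smtp", pkt("172.16.10.10", "198.51.100.5", "tcp", 25)),
        ("net -> dmz www", pkt("198.51.100.5", "192.168.10.101", "tcp", 80, in_if="eth1")),
        ("net -> inside ping", pkt("198.51.100.5", "172.16.10.10", "icmp", in_if="eth1")),
        ("spoofed inside src", pkt("172.16.10.10", "172.16.10.20", "tcp", 80, in_if="eth1")),
        ("web reply", pkt("198.51.100.5", "172.16.10.10", "tcp", 40000, syn=False, in_if="eth1")),
    ]
    for label, p in samples:
        print(f"{label:20s} {verdict(p)}")
```

Run it and change one rule to see the effect: removing the net-in entries makes the "web reply" case DROP, which is exactly why inside clients would see their browsers hang under the original ten rules. The "web reply" case also shows the weakness of stateless filtering: the simulator, like the real ruleset, accepts that non-SYN segment without knowing whether any connection exists.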

Summary
In this lesson, you worked with standard rewall implementation practices. You learned that vendors implement their rewall products slightly differently from each other, but that they do follow some standard implementation practices in most situations. You worked with two industry leaders in rewall systems: Microsofts ISA Server 2006, and Linuxs embedded rewall, IPTables.


Lesson Review
5A
What is a network firewall?
A firewall can be described as a security mechanism that places limitation controls on all inbound and outbound network communications between individual systems or entire networks of systems by permitting, denying, or acting as a proxy for all data connections.
What is a firewall's primary responsibility?
Controlling access requests across differing zones of trust.
Name six basic building blocks or elements of firewall access rules.
Source Address, Destination Address, Protocol, Source Port, Destination Port, and Service.
What layers of the OSI model do firewalls operate on?
Data Link, Network, Transport, Session, and Application Layers (2, 3, 4, 5, and 7).
What does it mean when a firewall is stateful?
The firewall keeps track of the state of all accepted connections in a data table that resides in memory. This enables the firewall to determine if an incoming packet is either a new connection or is part of an existing established connection.
What are the three common firewall topologies?
Perimeter topology, three-legged DMZ topology, and chained DMZ topology.

5B
True or False? You need to have the install partition formatted to NTFS when installing ISA Server 2006 on a Windows 2003 Server.
True.
Is ISA Server Firewall available in a firewall appliance?
Yes. There are a wide range of manufacturers that offer ISA-based appliances.
What are the three panes in the ISA Server 2006 Management console?
Console Tree, Details, and Task panes.
List some things that can be a trigger for an ISA alert.
Responses might include Event Log Failure, Intrusion Detected, IP Spoofing, and Oversize UDP Packet.
How do you back up or restore the configuration of ISA Server 2006?
By exporting or importing the configuration to an XML file.
What is the difference between an access rule and a publishing rule in ISA Server 2006?
Access rules control outbound communication, while publishing rules control inbound communication.
What are the features in ISA Server 2006 that can help manage bandwidth consumption?
Forward and reverse caching and packet prioritization.

5C
What is the difference between the DROP target and the REJECT target?
DROP silently discards the packet and sends nothing back, so the sender is left to time out. REJECT also discards the packet but informs the sender: by default an ICMP port-unreachable message goes back to the packet's origin, or a TCP RST if --reject-with tcp-reset is specified, so the sender learns at once that the connection was refused. DROP gives a port scanner less to work with; REJECT is friendlier to legitimate clients.
What must be done before a chain can be deleted?
You must flush the rules.
What is the switch for deleting a rule?
-D deletes a rule (-F flushes and -X deletes a chain).

5D
What is the function of --dport 1024:65535 ! --syn in the exercises?
The destination port must be in the range 1024-65535 and the SYN flag must not be set; in other words, the rule accepts only segments that belong to a connection already opened from the other side, not new connection attempts.
Why is the filtering of ping done in two lines, first disallowing echo-requests, and then allowing ICMP?
Because there are many uses for ICMP other than ping, such as Time Exceeded and Host Unreachable messages, closing all ICMP would cause problems.
Why is it a good idea to configure the default policies first?
Because those configurations take effect instantly, no one can sneak through the firewall while the rules are being created.


Lesson 6: Implementing IPSec and VPNs

Overview
In this lesson, you will be introduced to the concepts of IPSec. You will examine and configure the Microsoft Management Console and identify the predefined IPSec policies in Windows Server 2003. You will create new policies and implement IPSec to specifically use AH, ESP, or both, in Transport Mode. Finally, you will analyze IPSec traffic in Network Monitor. In this lesson, you will also examine Virtual Private Networks (VPNs) and some of the security issues related to them.

Data Files: RFCs
Lesson Time: 3 hours

Objectives
To be able to implement IPSec and Virtual Private Networks, you will:
6A Define the function of IPSec in a networked environment. Given a running network, you will examine the IPSec structure, cryptography, the Encapsulating Security Payload, the Authentication Header, the Internet Key Exchange, and modes of implementation.
6B Examine IPSec policy management. Given a Windows 2003 computer, you will use the Microsoft Management Console to examine the predefined IPSec policies and their settings.
6C Implement and examine IPSec AH configurations. Given a Windows 2003 computer, you will implement and analyze IPSec AH sessions.
6D Implement and examine IPSec AH and ESP configurations. Given a Windows 2003 computer, you will implement and analyze IPSec AH and ESP sessions.
6E Examine the business drivers and technology components for a VPN. In this topic, you will examine standard business drivers and technology components in order to successfully implement a VPN solution.
6F Examine the concepts of IPSec and other tunneling protocols. In this topic, you will investigate the components of IPSec, how IPSec works, and other VPN tunneling protocols, such as Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP).
6G Analyze secure VPN design and implementation issues. In this topic, you will take the necessary steps required to analyze secure VPN design objectives and VPN implementation issues.
6H Examine the issues of VPN and firewall architecture and VPN authentication. In this topic, you will address various VPN and firewall architectures and examine issues related to authentication.
6I Configure VPN options built into Windows 2003. In this topic, you will perform tasks related to setting up the VPN options built into Windows 2003 Server.


Topic 6A
Internet Protocol Security
The Internet Protocol (IP) by itself has no security. There are no built-in mechanisms to ensure the security of the packets. It has become possible for attackers to create bogus packets, posing as IP addresses that they are not. It has also become possible for attackers to intercept packets as they are transmitted on the Internet, and read into the payload of the packets. Due to the above-mentioned points, there is no way for the security professional to guarantee any of the following: That a packet is from the source IP address. That a packet was not copied or intercepted by a third party during transmission. That a packet holds the original data that was transmitted.

These issues combine to illustrate that security of the packets themselves is required. IPSec, or IP Security (described in detail in RFC 2401, since replaced by RFC 4301), can provide this security. In the simplest definition, IPSec protects IP datagrams. In a more detailed definition, IPSec provides confidentiality, integrity, and authentication. Confidentiality means there is a system of making the data unreadable by unauthorized individuals. Integrity means that there is a guarantee that data is not altered between the sender and the receiver. Authentication means that the receiver is guaranteed that the sender is not an imposter.

The way that IPSec is able to provide this protection is by specifying how the network traffic is going to be protected, and to whom the traffic will be sent. The traffic is protected by an IPSec protocol, either the Authentication Header (AH) or the Encapsulating Security Payload (ESP). The operation of IPSec is completely transparent to the end user, because IPSec works at the Network layer: AH and ESP are carried directly inside IP as protocols of their own (IP protocol numbers 51 and 50 respectively), well below the Application layer. This automatic protection is a significant factor in the choice of whether or not to implement IPSec. The end result is that network traffic is protected on one end and checked or decrypted on the other, without the upper-layer applications at either end having to deal with the complexities of the cryptographic processing.


Cryptography and Keys


IPSec is able to provide protection by encrypting and decrypting data. Although a detailed discussion of cryptography is beyond the scope of this book, the very basics are required. (A detailed discussion and hands-on study of cryptography and encryption techniques will be undertaken in Level 2 of the SCP.) Any le before encryption is typically referred to as plaintext. Once that le is encrypted, using a mathematical algorithm, it is referred to as ciphertext. In order to decrypt this le (or message), you must have a key that can reverse the encryption. You can think of an encryption algorithm as a lock and the key as the locks combination. If a document is locked, you need a key to unlock it. Often in cryptography, one key is used to lock (encrypt) the document, and the same key or a different key is used to unlock (decrypt) the document, depending upon the methodology chosen. If a different key is used, the two keys are linked to each other via the algorithm and the associated mathematical functions. IPSec requires that users have a method of exchanging (sometimes called negotiating) their keys.
key: A symbol or sequence of symbols (or electrical or mechanical correlates of symbols) applied to text in order to encrypt or decrypt.

cryptography: The art or science concerning the principles, means, and methods for rendering plaintext unintelligible and for converting encrypted messages into intelligible form.

plaintext: Unencrypted data.

One method is called manual distribution. In the simplest definition, this literally means each user manually giving every other user his or her key; in practice, manually distributed keys are more likely to be handed out by a Key Distribution Center (KDC). The second method is automatic distribution, in which keys are negotiated only when they are needed. The default IPSec method of automatic key distribution is the Internet Key Exchange (IKE). You can also use an automated KDC, such as a Kerberos implementation; in a Windows domain, Kerberos is the default method by which IKE peers authenticate each other.

Modes
IPSec has the ability to protect either the complete IP packet or just the upper-layer protocols. The distinction between the two creates two different modes of implementation. One mode is called Transport Mode; in this implementation, IPSec protects the upper-layer protocols. The other mode is called Tunnel Mode; in this implementation, IPSec protects the entire (tunneled) IP packet, original header included.

When Transport Mode is used, the IPSec headers (AH and/or ESP) are inserted between the IP header and the TCP header. When Tunnel Mode is used, the IPSec header is inserted between a new, outer IP header and the original IP header, which is now tunneled. Tunnel Mode is commonly used to create VPNs between networks. Along with specifying a mode, you must decide whether to use AH, ESP, or both. Since there are two modes of implementation and two protocols that can be selected, there are four possible methods of protection using IPSec:
- ESP in Transport Mode
- ESP in Tunnel Mode
- AH in Transport Mode
- AH in Tunnel Mode


Over and above that, ESP offers message integrity (authentication) and confidentiality (encryption), while AH offers only message integrity. Tunnel Mode ESP encrypts all of the tunneled data (that is, the tunneled IP header and everything within it), while Transport Mode ESP does not, and cannot, encrypt the IP header. Thus the IPSec implementation that offers the maximum protection is ESP in Tunnel Mode.

ESP in Transport Mode


In Transport Mode, ESP encrypts and authenticates application data, such as email, web pages, and so forth; however, it does not protect the IP addresses. If a packet is captured and analyzed by an attacker, the data is encrypted, but the sender and receiver IP address information is freely available. Transport Mode also requires that both communicating hosts have IPSec installed and configured, because the hosts themselves are the IPSec endpoints.

authenticate: To establish the validity of a claimed user or object.

ESP in Tunnel Mode


In Tunnel Mode, ESP encrypts and authenticates application data, just as in Transport Mode. In this situation, the ultimate source and destination IP addresses are also encrypted because they are encapsulated (tunneled). The reason for this is that IPSec is implemented on the tunnel endpoints, and not required on the hosts themselves. If this packet is captured and analyzed by an attacker, the attacker will be able to determine only that a packet was sent. None of the contents, including the original source and destination, can be found freely. Of course, the external IP headers (that of the tunnel endpoints) can be read.

AH in Transport Mode
AH authenticates the whole packet: the application data plus the fields of the IP header that do not change in transit, the source and destination addresses among them (mutable fields such as TTL and the header checksum are excluded from the integrity check). Because the addresses are covered, AH does not survive NAT, which rewrites them. AH does not provide encryption services like ESP, only authentication services (as the name indicates). In Transport Mode there is a similarity to ESP in that both end hosts must have IPSec installed and configured.

AH in Tunnel Mode
In Tunnel Mode, AH authenticates application data from one endpoint to another, often network gateways or rewalls. There is no encryption provided, only authentication. If ESP authentication is turned on, then AH is rarely implemented in Tunnel Mode.
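The following Python script is an added example, not code from the course, that makes the AH behaviour described above concrete. It builds a packet protected by AH with HMAC-MD5-96 (RFC 2403, the algorithm behind the course's AH(md5) policy), computing the ICV over the payload, the AH header and the immutable IP header fields as RFC 2402 specifies. It then shows that a router decrementing TTL leaves the check intact, that changing one payload byte breaks it, and that in Tunnel Mode an observer reads the gateway addresses from the outer header while the inner addresses are still present in the clear, because AH authenticates but never encrypts. The hand-built IPv4 header (no options, checksum left zero), the fake TCP segment, and the key are all constructed test values.

```python
"""AH integrity protection in transport and tunnel mode, using HMAC-MD5-96.

Constructed example: hand-built IPv4 headers (no options, checksum left 0),
an opaque byte string as the "TCP segment", and a fixed test key.
"""
import hashlib
import hmac
import ipaddress
import struct

AH = 51          # IP protocol number of the Authentication Header
IPIP = 4         # AH next-header value in tunnel mode (IP-in-IP)
TCP = 6          # AH next-header value when a TCP segment follows
ICV_LEN = 12     # HMAC-MD5-96 keeps the first 96 bits of the 128-bit MAC (RFC 2403)
AH_FIXED = 12    # next header, payload len, reserved, SPI, sequence number


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       ttl, proto, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


def zero_mutable(ip_hdr):
    """RFC 2402: TOS, flags/fragment offset, TTL and checksum may change in
    transit, so they are zeroed before the ICV is computed. Addresses are
    covered, which is why AH breaks under NAT."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_header(next_hdr, spi, seq, icv_bytes):
    # payload length field = AH length in 32-bit words minus 2
    words = (AH_FIXED + len(icv_bytes)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, words, 0, spi, seq) + icv_bytes


def icv(key, ip_hdr, ah_hdr_zeroed, data):
    mac = hmac.new(key, zero_mutable(ip_hdr) + ah_hdr_zeroed + data, hashlib.md5)
    return mac.digest()[:ICV_LEN]


def ah_protect(key, src, dst, data, next_hdr=TCP, spi=0x1000, seq=1):
    """Transport mode when `data` is a TCP segment (next_hdr=6); tunnel mode
    when `data` is a whole IP packet (next_hdr=4). Layout: IP | AH | data."""
    ip_hdr = ipv4_header(src, dst, AH, AH_FIXED + ICV_LEN + len(data))
    zeroed = ah_header(next_hdr, spi, seq, b"\x00" * ICV_LEN)
    return ip_hdr + ah_header(next_hdr, spi, seq, icv(key, ip_hdr, zeroed, data)) + data


def ah_verify(key, packet):
    """Receiver side: recompute the ICV and compare in constant time."""
    ip_hdr, rest = packet[:20], packet[20:]
    ah_len = (rest[1] + 2) * 4
    ah_hdr, data = rest[:ah_len], rest[ah_len:]
    got = ah_hdr[AH_FIXED:]
    zeroed = ah_hdr[:AH_FIXED] + b"\x00" * len(got)
    return hmac.compare_digest(got, icv(key, ip_hdr, zeroed, data))


def outer_addresses(packet):
    """What an on-path observer reads from the outer header."""
    return (str(ipaddress.ip_address(packet[12:16])),
            str(ipaddress.ip_address(packet[16:20])))


def decrement_ttl(packet):
    """A router hop: TTL changes, but the AH ICV must still verify."""
    p = bytearray(packet)
    p[8] -= 1
    return bytes(p)


if __name__ == "__main__":
    key = b"constructed-test-key"
    seg = b"\x00\x50\xc3\x50GET / HTTP/1.0\r\n"  # fake TCP segment
    transport = ah_protect(key, "172.16.10.10", "172.16.100.100", seg)
    print("transport verifies:", ah_verify(key, transport))
    print("after a router hop:", ah_verify(key, decrement_ttl(transport)))
    print("payload tampered  :", ah_verify(key, transport[:-1] + b"?"))
    inner = ipv4_header("172.16.10.10", "172.16.100.100", TCP, len(seg)) + seg
    tunnel = ah_protect(key, "192.168.10.2", "203.0.113.9", inner, next_hdr=IPIP)
    print("observer sees     :", outer_addresses(tunnel))
    print("inner src in clear:", ipaddress.ip_address("172.16.10.10").packed in tunnel)
```

The last line is the practical point of the AH sections: even in Tunnel Mode the inner addresses and payload are readable by anyone on the path, so AH answers the question "was this changed?" and nothing else; hiding the inner packet requires ESP.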

IPSec Implementation
As you identified in the previous section, there are various modes of implementing IPSec. One of the primary questions to answer is: where will the IPSec endpoints be in your network? Are the endpoints the actual hosts, or are they the firewalls? If true end-to-end security is required between two hosts, then implementing IPSec on each host is the way to go. However, scaling that up to all the hosts in the network can become difficult to implement and manage. Imagine that you and your coworkers all pass open notes to each other in your organization. In order to prevent a third user from seeing a note sent between any two users, you build an infrastructure of opaque PVC pipes between each pair of coworkers. If there are a total of five workers, you need [5 × (5 − 1)]/2, or 10 pipes, and each person holds four pipes. Now increase the number of workers to 100. You need [100 × (100 − 1)]/2, or 4950 pipes, and each person holds 99 pipes. Lots of secure links to pass things through, but not efficient overall. This is what happens when you implement IPSec host-to-host in Transport Mode: you create a virtual secure pipe, and a separate key negotiation, between each host and every other host it talks to. Tunnel Mode between two gateways avoids this, since one tunnel between the gateways covers every host behind them. If host-to-host implementation is chosen, the likely solution is to use the IPSec function of the OS, such as Windows 2000 or Windows Server 2003. In this case IPSec functions normally, at the Network layer, as part of the IP stack. Sometimes, though, IPSec may be implemented underneath an existing IP stack, between the native IP and the local network drivers (see RFC 2401); this is referred to as a Bump in the Stack (BITS) implementation. Yet another option is a dedicated piece of hardware that attaches to an interface or a router and performs the encryption functions externally from the other components; this is called a Bump in the Wire (BITW) implementation. It offers excellent performance for encryption and decryption, but it is not suitable for every deployment, as adding a physical dedicated device to each link may not be a budgetary option for an organization.

firewall: A system or combination of systems that enforces a boundary between two or more networks. A gateway that limits access between networks in accordance with local security policy. The typical firewall is an inexpensive micro-based UN*X box kept clean of critical data, with many modems and public network ports on it, but just one carefully watched connection back to the rest of the cluster.

TASK 6A-1
Describing the Need for IPSec
1. Why is IPSec becoming a requirement in networks that need secure communication? There is no security in the standard IP that is used today. IP can be captured, analyzed, and more with no prevention. IPSec allows for the security of the actual packets themselves, without relying on Application-level encryption.

Topic 6B
IPSec Policy Management
Implementing and managing IPSec policies in Windows is accomplished by using the Microsoft Management Console. In this topic, you will use the MMC to perform the many tasks of IPSec implementation.

The MMC
Microsoft introduced the Microsoft Management Console (MMC) in Windows NT. The MMC is a highly congurable tool used to manage and congure system and application settings.


In the first task, you will become familiar with the MMC configuration options and create some customized settings. The MMC, as you first open it, is blank; you select the configuration options. In Figure 6-1, you will see that there are two places with a drop-down menu. The first belongs to the overall console window, called Console1 by default. This menu bar has three menus: File (labelled Console in older MMC versions), Window, and Help. The second menu bar contains the commands for the current snap-in. The default root of the console is called Console Root, and it has three commands: Action, View, and Favorites. Under Console Root there are two tabs: Tree and Favorites. The Tree tab shows the items that are available in this console; items can include folders, web pages, other snap-ins, and more. The Favorites tab is used to manage shortcuts to items in the console tree, which lets you create a customized grouping of the tools and shortcuts you frequently use to manage aspects of your system. The Tree and Favorites tabs are located in what is called the Left Pane of the console. This is where the options are expanded, selected, and possibly added to Favorites. On the right side of the dividing line is what is called the Right Pane. In the Right Pane, you will find the details of any object that is selected in the Left Pane.

Figure 6-1: The blank MMC console.

TASK 6B-1
Examining the MMC
Setup: You are logged on to Windows 2003 Server as Administrator.
1. Choose Start→Run.
2. In the Run box, type mmc to start the Microsoft Management Console.
3. Choose File→Add/Remove Snap-In.
4. On the Standalone tab, click Add.
5. Scroll down, select IP Security Policy Management, and click Add.
6. If necessary, select Local Computer, and click Finish.
7. Click Close to close the Add Standalone Snap-in dialog box.
8. Click OK, and leave the MMC open for the next task.

IPSec Policies
In Windows 2003, there are predefined IPSec security policies. These policies allow for implementation of IPSec with minimal effort on the part of the administrator. As an administrator, you must identify the needs for IPSec in your environment, then assign the proper policy to meet those needs. Only one policy can be assigned on a computer at a time. The three predefined policies are:
- Client (Respond Only): used for normal communication, which is not secured. Any Windows XP Professional or Windows Server 2003 machine with this policy assigned will communicate using IPSec if the other side requests or requires it, but it will never initiate IPSec itself.
- Secure Server (Require Security): used when all IP network traffic must be secured. A machine with this policy assigned always requires IPSec and never falls back to unsecured communication (the predefined rule that permits ICMP is the one exception, as you will see on the Rules tab).
- Server (Request Security): used when IP network traffic is to be secured where possible, while still allowing unsecured communication with clients that do not respond to the request. A machine with this policy assigned first tries to negotiate IPSec; if the other machine cannot use IPSec, it falls back to unsecured communication.

security policies: The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.

These policies are also available in Windows XP.

TASK 6B-2
Identifying Default IPSec Security Policies
Setup: You are logged on to Windows 2003 Server as Administrator, the MMC is running, and the IP Security Policy Management snap-in has been added.
1. In the left pane, select IP Security Policies On Local Machine. Three policies are shown in the right pane.
2. Examine the three policies to see if any are currently assigned. By default, they are not assigned.
3. Leave the MMC open for the next task.

Saving the Customized MMC Configuration


Since you have congured the MMC just as you wish, you should save this conguration so that it is easy to bring back up. Although you can go through the steps of adding the snap-in as you did earlier, to do so each time is cumbersome, and is not required.

TASK 6B-3
Saving a Customized MMC
Setup: You are logged on to Windows 2003 Server as Administrator, the MMC is running, and the IP Security Policy Management snap-in has been added.
1. Choose File→Exit.
2. When you are asked if you wish to save the console settings, click Yes.
3. Save the file to the desktop as ipsec.mmc.msc.
4. Verify the new addition by double-clicking the new ipsec.mmc.msc file on the desktop. Your saved MMC opens just as you customized it.

The Secure Server (Require Security) Policy


In the following sections, you will examine the settings of each of the three predened policies. The most secure policy, Secure Server (Require Security), is the policy that states that all communication must be secured, with no exceptions.

The General Tab


As the name implies, the General tab provides general information and conguration options for the Secure Server (Require Security) policy.


Figure 6-2 shows the settings for Key Exchange. Keys are used as part of the different forms of protection that can be implemented in the IPSec policy. IKE stands for Internet Key Exchange, and deals with the method of exchanging the cryptographic key(s). SHA1 and MD5 are both hash algorithms that are used to verify the integrity of a message. 3DES and DES are the actual encryption algorithms that can be used, and finally, the Diffie-Hellman Group sets the size of the modulus used in the key exchange, and so the strength of the negotiated keys.

Figure 6-2: The Key Exchange Security Methods dialog box. These settings work together to determine the integrity, condentiality, and strength of the secured communication. Integrity is determined by the SHA1 or MD5 algorithm.
DES: (Data Encryption Standard) Denition 1: An unclassied crypto algorithm adopted by the National Bureau of Standards for public use. Denition 2: A cryptographic algorithm for the protection of unclassied data, published in Federal Information Processing Standard (FIPS) 46. The DES, which was approved by the National Institute of Standards and Technology (NIST), is intended for public and government use.

Confidentiality is determined by the 3DES or DES algorithm. Strength is determined by the Diffie-Hellman group, which sets the size of the modulus over which the key exchange runs: Low (1) uses a 768-bit modulus, Medium (2) a 1024-bit modulus, and High (2048), added in Windows Server 2003, a 2048-bit modulus. A larger group makes the negotiated keys harder to recover at the cost of more CPU per negotiation; 768-bit groups are no longer considered adequate.
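The following Python script is an added example, not code from the course or from Microsoft, showing what the Diffie-Hellman group setting actually selects. It loads IKE group 2, the 1024-bit MODP modulus published in RFC 2409 that Windows labels Medium (2), sanity-checks that the hard-coded constant is the safe prime it is supposed to be, runs the exchange for two peers, and derives a SKEYID-style key from the shared secret with HMAC-SHA1, the way IKEv1 does in signature mode. The nonces and the simplified key derivation are this example's assumptions; real IKE feeds further values (cookies, identities, SPIs) into the keys it derives.

```python
"""Diffie-Hellman over IKE group 2 (RFC 2409 s.6.2), the group Windows calls Medium (2).

Constructed example: the modulus is the published RFC constant; nonces and the
SKEYID-style derivation are simplified for illustration.
"""
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group": 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2


def is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases: enough to sanity-check a hard-coded modulus."""
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair(p=GROUP2_P, g=GROUP2_G):
    """Private exponent x and public value g^x mod p."""
    x = 2 + secrets.randbelow(p - 3)
    return x, pow(g, x, p)


def dh_shared(private, peer_public, p=GROUP2_P):
    """g^xy mod p, after rejecting public values that would force a tiny subgroup."""
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, p)


def skeyid(shared, nonce_i, nonce_r, p=GROUP2_P):
    """IKEv1 signature-mode SKEYID = prf(Ni | Nr, g^xy), with HMAC-SHA1 as the prf
    (RFC 2409 s.5). Simplified: later IKE keys also mix in cookies and IDs."""
    gxy = shared.to_bytes((p.bit_length() + 7) // 8, "big")
    return hmac.new(nonce_i + nonce_r, gxy, hashlib.sha1).digest()


def demo():
    """Both peers end up with the same shared secret and the same SKEYID."""
    xi, gi = dh_keypair()            # initiator
    xr, gr = dh_keypair()            # responder
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    key_i = skeyid(dh_shared(xi, gr), ni, nr)
    key_r = skeyid(dh_shared(xr, gi), ni, nr)
    return key_i == key_r


if __name__ == "__main__":
    print("modulus bits      :", GROUP2_P.bit_length())
    print("p is prime        :", is_probable_prime(GROUP2_P))
    print("(p-1)/2 is prime  :", is_probable_prime((GROUP2_P - 1) // 2))
    print("peers agree       :", demo())
```

The group only fixes the size of the numbers; the public values still travel in the clear, so the exchange is only as trustworthy as the authentication (Kerberos, certificate, or preshared key) that binds each public value to a peer, which is why the Authentication Methods setting matters as much as the group.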

TASK 6B-4
Examining Security Methods
Setup: You are logged on to Windows 2003 Server as Administrator, and the ipsec.mmc.msc console is open.
1. In the right pane, right-click Secure Server (Require Security), and choose Properties.
2. Select the General tab.
3. Observe that the default value for Check For Policy Changes Every is 180 minutes. Every 3 hours, the machine (if it is a domain member) will check with Active Directory to see if this policy, when assigned, has changed.
4. Under Perform Key Exchange Using Additional Settings, click Settings.
5. In the Key Exchange Settings dialog box, click Methods.
6. Examine the default settings for the security used in Secure Server (Require Security).
7. Close all windows without changing the properties.

The Rules Tab for the Secure Server (Require Security) Policy
The Rules section of an IPSec policy, in this case the Secure Server (Require Security) policy, contains the actual security sections of the policy pertaining to traffic and actions. The IP Filter List is used to define the types of network traffic that are to be affected by this policy. The predefined rules in a policy can be modified, but cannot be removed. The default rules are for All IP Traffic, All ICMP Traffic, and <Dynamic>. In addition to the IP Filter List is the Filter Action; in other words, what the system does when a match to the rule is found, such as IP Traffic. The three actions that appear in this policy are:
- Permit: allow unsecured IP packets to pass.
- Require Security: require secured communication.
- Default Response: follow the negotiation as initiated by the other computer. This is especially useful when no other rule applies. In fact, it is the only filter action for the Client (Respond Only) predefined policy.


Figure 6-3: The default filter lists and filter actions, as shown on the Require Security Rules tab.
In addition to the IP Filter List and the Filter Actions on the Rules tab shown in Figure 6-3, there are other sections that deserve noting. These are the Authentication, Tunnel Setting, and Connection Type options, described in the following section and shown in Figure 6-4. The Authentication Methods are used to define how a trust will be established between the two communicating hosts. By default, this is the Kerberos method. The other valid options are to use a certificate from a Certificate Authority (CA), or to use a preshared key string (which every peer must share, and which is suited to testing rather than production). The Tunnel Setting is used to define if this communication is to use a tunnel, and if so, what the IP address of the end of the tunnel is. The endpoint is the tunnel computer that is closest to the IP traffic destination. The Connection Type is used to define the types of connections to which the rule will apply. The default setting is All Network Connections; the second option applies the rule only to Local Area Network (LAN) traffic, and the third only to Remote Access traffic.

LAN: (Local Area Network) A computer communication system limited to no more than a few miles and using high-speed connections (2 to 100 megabits per second). A short-haul communication system that connects ADP devices in a building or group of buildings within a few square kilometers, including workstations, frontend processors, controllers, and servers.

Figure 6-4: The authentication methods, tunnel settings, and connection types, as shown on the Require Security Rules tab.

TASK 6B-5
Examining Policy Rules
Setup: You are logged on to Windows 2003 Server as Administrator.
1. Reopen the ipsec.mmc.msc console.
2. In the right pane, right-click Secure Server (Require Security), and choose Properties.
3. If necessary, select the Rules tab.
4. Examine the default settings for IP Filter List, Filter Action, Authentication Methods, Tunnel Setting, and Connection Type.
5. Select the All IP Traffic rule, and click the Edit button.
6. Observe the configuration options that can be adjusted in this section.
7. When you are done reviewing the configuration options, click Cancel to close the Secure Server Properties without making changes.
8. Close the ipsec.mmc.msc console without saving changes.

Topic 6C
IPSec AH Implementation
You now have all of the information and tools you need to be able to implement IPSec. Let's try it out.

About the Tasks


For the following tasks, you will work in pairs. The text and activities refer to the two machines as Student_P and Student_Q. Student_P will initiate communication with Student_Q. Student_Q will dictate whether it has an IPSec policy enabled. If so, it then determines if it should request or require Student_P to do the same. On Student_P, at first you will have no IPSec Respond policy activated, but later you will have a Respond policy. You will capture traffic between these two computers using Network Monitor, and perform an analysis on the traffic. You will also use the options for configuring policies. You will use just the AH protocol (authenticity/integrity). Then, you will use just the ESP protocol (confidentiality). Following that, you will use AH with ESP. Also, ESP will be configured to use its integrity algorithm. Finally, because the integrity algorithms can be implemented in two flavors (SHA-1 or MD5) and the encryption algorithms for confidentiality can also be implemented in two flavors (DES or 3DES), you'll use combinations of these. As a policy maker for a company, you'll have to make such decisions before you implement IPSec. These are the actual tools you can use in Windows 2003 to implement your policies.

Creating Custom IPSec Policies

In the previous topic, you examined the default IPSec policies in Windows 2003. For the remainder of the lesson, you will create and use your own customized IPSec policies. This will enable you to fully create and secure network traffic based on your unique configuration requirements. The following figures can be used as a reference while performing the tasks of this section.

Figure 6-5: Opting not to use the Add Wizard.

When you are creating a new policy, you will need to add and configure all the options you previously examined. In these tasks, you will be customizing the policies, one by one, and do not want to use the Add Wizard, because the Add Wizard will walk you through specific predefined steps. At this stage, you want to perform everything manually.

Figure 6-6: The Security Methods tab, showing the leftmost part of the Security Method Preference Order.

During policy creation, you will be presented with the Security Methods tab. At this stage, you will see five columns presented: Type, AH Integrity, ESP Confidentiality, ESP Integrity, and Key Lifetimes (KB/Sec), but you might need to scroll to see all five.

Figure 6-7: The Security Methods tab, showing the right-most part of the Security Method Preference Order.

Security methods are listed in the order of preference that this machine will use when attempting to negotiate IP Security with another machine that responds that it can use IPSec, too. You can add, edit, or remove any of these methods. In this case, since you will have named this policy 1_REQUEST_AH(md5)_only, you will simplify the list and offer exactly one choice: Request IP Security that relies only on AH Integrity using the MD5 hashing algorithm. Do not worry about key lifetimes at this stage.

TASK 6C-1
Creating the 1_REQUEST_AH(md5)_only Policy
Note: Perform this task only if you are designated as Student_Q.

1. Open the ipsec.mmc.msc console.
2. In the right pane, right-click and choose Create IP Security Policy, then click Next.
3. For the IP Security Policy Name, type 1_REQUEST_AH(md5)_only and click Next.
4. Uncheck Activate The Default Response Rule and click Next.
5. Uncheck Edit Properties and click Finish.
6. Double-click the new policy 1_REQUEST_AH(md5)_only.
7. On the Rules tab, uncheck Use Add Wizard and click Add.
8. On the IP Filter List tab, click the radio button for All IP Traffic.
9. Switch to the Filter Action tab.
10. Click the radio button for Request Security (Optional).
11. Click Edit.
12. Verify that the radio button for Negotiate Security is selected.
13. Read the options presented to you under Security Method Preference Order.
14. Remove all but one Security Method by holding down the Shift key, selecting all but one of the choices, and clicking Remove. You can leave any one of the Security Methods.
15. When prompted with Are You Sure?, click Yes.
16. Select the remaining method, and click Edit.
17. Under Security Method, click the Settings button found under Custom (For Expert Users), as you're on your way to becoming an expert on IPSec.
18. Verify that AH is checked and that the integrity algorithm is MD5.
19. If necessary, uncheck ESP.
20. Under Session Key Settings, uncheck both check boxes.
21. Click OK three times to return to the New Rule Properties dialog box.
22. Leave the New Rule Properties open for the next task.

Editing Authentication Method Policies

When you are creating this customized policy, you are going to use only AH, and not ESP. So, when you are customizing the settings, be sure to uncheck the ESP options and to check the AH options. You should also clear the check boxes for generating new keys, both for size (Kbytes) and time (seconds).

Figure 6-8: The Authentication Method tab.

Notice that three authentication methods are supported: Kerberos, Certificates, and Preshared Keys. You will use the third method, as it is simple to implement, for now. Be aware that a preshared key is stored in the policy itself in clear text, where anyone who can read the policy can recover it, so it is suitable for a lab and not for production. In a production environment, if you have a homogeneous Windows 2003 domain implementation, you could leave it at the default Kerberos; in a heterogeneous network, you could choose to set up a CA and distribute IPSec certificates.

TASK 6C-2
Editing the 1_REQUEST_AH(md5)_only Policy
Note: Perform this task only if you are designated as Student_Q.

1. Verify that the New Rule Properties are displayed.
2. Select the Authentication Methods tab.
3. Click Edit.
4. Select the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide text for the preshared key. Click OK to close the Edit Authentication Methods Properties dialog box.
5. Switch to the Tunnel Setting tab, but leave the settings alone. You will be working in Transport Mode only.
6. Switch to the Connection Type tab, but leave the settings alone. You will use the default of All Network Connections.
7. Click Close to close the Rule Properties. Keep the Policy Properties open for the next task.

Setting Up the Computer's Response

You have just configured a policy where Student_Q will request any other computers that attempt to communicate with it to implement AH by using the MD5 algorithm. Let's assume that this policy is put into effect, and another computer says that it can communicate with Student_Q by using AH, as well. Student_Q should be in a position to respond to this. Therefore, you should now configure the Default Response rule in this policy for Student_Q.

Figure 6-9: Preparing to modify the default response.

To modify the rule, you will not use the Add Wizard. Once you click Edit, you will again be presented with the tabs for Security Methods, Authentication Methods, and Connection Types.

Figure 6-10: Editing security methods.


Under Security Methods, you will again see five columns presented: Type, AH Integrity, ESP Confidentiality, ESP Integrity, and Key Lifetimes (KB/Sec). As before, you can add, edit, or remove any of these methods. In this case, this policy is named 1_REQUEST_AH(md5)_only, but because it will also have to respond to the request it made, you'll simplify the list and offer exactly one choice: Respond to IP Security that relies only on AH integrity using the MD5 hashing algorithm. As before, you don't need to worry about the key lifetimes.

TASK 6C-3
Configuring the Policy Response
Note: Perform this task only if you are designated as Student_Q.

1. Verify that the properties for the 1_REQUEST_AH(md5)_only policy are displayed.
2. On the Rules tab, check <Dynamic> Default Response, and click Edit. (The Use Add Wizard check box should remain unchecked.)
3. Remove all but one Security Method by holding down the Shift key, selecting all but one of the choices, and clicking Remove.
4. When prompted with Are You Sure?, click Yes.
5. Select the remaining method, and click Edit.
6. Under Security Method, click the Settings button found under Custom.
7. Verify that the box beside AH is checked and that the integrity algorithm is MD5.
8. Verify that ESP is unchecked.
9. Under Session Key Settings, verify that the options for generating new keys for both size and time are unchecked.
10. Click OK twice to return to the Edit Rule Properties.
11. Switch to the Authentication Methods tab.
12. Click Edit.
13. Click the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide the text for the preshared key.
14. Click OK twice to return to the policy properties.
15. Double-click All IP Traffic.
16. Switch to the Connection Type tab and verify that the setting is the default of All Network Connections.
17. Click OK, and then click OK to close.
18. Close the ipsec.mmc.msc console without saving changes.

Configuring AH in Both Directions

You have configured a policy where Student_Q will request other computers that attempt to communicate with it to implement AH by using the MD5 algorithm; Student_Q is also in a position to respond by using this algorithm. Now, let's configure Student_P to follow Student_Q's lead.

TASK 6C-4
Configuring the Second Computer
Note: Perform this task only if you are designated as Student_P.

1. Open the ipsec.mmc.msc console.
2. In the right pane, right-click and choose Create IP Security Policy. Click Next.
3. For the IP Security Policy Name, type 1_RESPOND_AH(md5)_only and click Next.
4. Uncheck Activate The Default Response Rule and click Next.
5. Uncheck Edit Properties and click Finish.
6. Double-click the new policy 1_RESPOND_AH(md5)_only.
7. On the Rules tab, uncheck Use Add Wizard, check <Dynamic> Default Response, and click Edit.
8. Remove all choices but one by holding down the Shift key, selecting all but one of the choices, and clicking Remove. When prompted with Are You Sure?, click Yes.
9. Select the remaining method and click Edit.
10. Under Security Method, click the Settings button found under Custom (For Expert Users).
11. Verify that AH is checked and that the integrity algorithm is MD5.
12. Verify that ESP is unchecked.
13. Under Session Key Settings, verify that the boxes for generating new keys for both time and size are unchecked.
14. Click OK twice to return to the Rule Properties.
15. Switch to the Authentication Methods tab.
16. Click Edit.
17. Click the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide the text for the preshared key.
18. Click OK.
19. Click OK twice, and then click Close to finish the creation of the policy.
20. Close the ipsec.mmc.msc console without saving changes.

Configuring FTP
Now that IPSec policies are configured on two machines, you need to test the policies to ensure that they work as you intended them to work. To do this, you'll bring up an FTP site on Student_Q and attempt to access this FTP site from Student_P. You'll do this with IPSec implemented on one machine and then on the other. You'll run Network Monitor to capture and record traffic between the two machines. You'll examine these captures and see where (in the packet) the IPSec headers reside. For greater clarity, we can verify this with the RFCs associated with IPSec, as well.

TASK 6C-5
Setting Up the FTP Process
Note: Perform step 1 through step 17 only if you are designated as Student_Q.

1. Choose Start→Control Panel→Add Or Remove Programs.
2. Click the Add/Remove Windows Components button.
3. Click Application Server, and click the Details button.
4. Check the Internet Information Services (IIS) check box. Note that when you select this option, COM+ is selected by default.
5. With IIS selected, click the Details button.
6. Check the File Transfer Protocol (FTP) Service check box and click OK.
7. Click OK again to return to the Windows Components screen.
8. Click Next. You may be prompted for your Windows Server 2003 CD-ROM. Once the installation is complete, click Finish.
9. Close the Add Or Remove Programs window.
10. Choose Start→Administrative Tools→Internet Information Services Manager.
11. In the left pane, expand your server name.
12. Expand FTP Sites, right-click Default FTP Site, and choose Properties.
13. Click the Home Directory tab and verify the location of the FTP folder. The default location is C:\Inetpub\ftproot.
14. Close the IIS Manager.
15. In Explorer, locate and navigate to the folder designated as the FTP home directory.
16. In this folder, create a text document. Edit this document to input some text and save it as text1.txt.
17. Create and save three more similar text documents in the same folder. Use text2.txt, text3.txt, and text4.txt as the file names.

Note: Perform step 18 through step 23 only if you are designated as Student_P.

18. Open a command prompt.
19. Enter ftp IP_address_of_Student_Q to ftp to Student_Q's FTP site.
20. Log on as anonymous with no password.
21. Verify that you can access the text documents created on the Student_Q computer by using the DIR command.
22. Once you have verified that you can access the text documents, quit the ftp session by entering bye at the ftp prompt.
23. Leave this command prompt open.

Implementing the IPSec Policy


You have just tested a plain text ftp session. The following tasks will walk you through the process of implementing IPSec, and testing the results in both directions. First, you will prove that you can connect, even though IPSec is implemented on only one of the hosts.

TASK 6C-6
Implementing the 1_REQUEST_AH(md5)_only Policy
You will be using Network Monitor repeatedly throughout this course, so you might want to create a shortcut for it on the Windows desktop.

Note: Perform step 1 through step 4 only if you are designated as Student_Q.

1. Open your ipsec.mmc.msc console. Right-click the 1_REQUEST_AH(md5)_only policy and choose Assign.
2. Close the ipsec.mmc.msc console. If you are prompted to save changes, click No.
3. Start Network Monitor, and verify that it is going to collect packets from the interface connected to Student_P.
4. Start a new capture, and allow Network Monitor to capture packets until Student_P has completed step 5 through step 9.

Note: Perform step 5 through step 9 only if you are designated as Student_P.

5. At the command prompt, again enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q after a very brief delay, even though an IPSec policy is assigned on Student_Q.
6. Log on as anonymous with no password.
7. Enter dir to see a list of files hosted on the ftp site.
8. Exit the ftp session.
9. Leave the command prompt open.

Request-only Session Analysis

Why was your attempt successful? What is the reason for the brief delay? This is because the policy is designed to request, not demand, IPSec. If the remote machine trying to communicate with Student_Q is not IPSec-aware or does not have a policy assigned to do so, then Student_Q will fall back to regular, insecure IP. The brief delay occurred because Student_Q was trying to establish an IPSec communication with Student_P. Because that fallback is silent, a Request policy offers no guarantee that traffic is protected; a peer that simply never answers ISAKMP is served in clear text. Only a Require policy, which you will use later in this lesson, refuses to communicate without IPSec.

TASK 6C-7
Analyzing the Request-only Session
Based on your network traffic, you might have different frame numbers in your packet captures.

Note: Perform this task only if you are designated as Student_Q.

1. In Network Monitor, stop and view the capture.
2. Observe that, after the ARP resolution has taken place (in frames 1 and 2), Student_P attempts to initiate a three-way handshake with Student_Q (in frame 3).
3. Because the policy on Student_Q says to request IPSec communication, Student_Q begins the negotiation process (in frame 4). In frame 4, observe that the protocol is ISAKMP (UDP port 500). When it does not hear from Student_P, it tries again approximately a second later. When it does not hear from Student_P again, it falls back to insecure communication, and the three-way handshake proceeds as before (in frames 6, 7, and 8).
4. Once the connection is made, the session is established in clear text, with no IPSec. You are able to see the payload and full headers of all the packets, with no evidence of IPSec. Close Network Monitor. You can save your capture to a file, if you like.

Implementing a Request-and-Respond Policy

In the previous task, you saw that even though you had IPSec enabled in one direction, the policy allowed for unsecured communication. When Student_P responded with no IPSec, Student_Q went ahead and accepted the session, and traffic continued without IPSec. In the next task, you will configure Student_P to respond to Student_Q's IPSec policy.

For this step, and subsequent steps that deal with the ISAKMP protocol, your classroom configuration might not yield the expected results, due to timing issues as the students complete their assigned steps. You can have them try to restart the computer, and then try redoing the activity.

TASK 6C-8
Configuring a Request-and-Respond IPSec Session
Note: Perform step 1 only if you are designated as Student_P.

1. Open your ipsec.mmc.msc console. Right-click the 1_RESPOND_AH(md5)_only policy, and choose Assign. Close the ipsec.mmc.msc console, without saving changes. Then, wait until Student_Q performs the next step.

Note: Perform step 2 only if you are designated as Student_Q.

2. Activate Network Monitor, and start a capture.

Note: Perform the rest of this task only if you are designated as Student_P.

3. At the command prompt, again enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q.
4. Log on as anonymous with no password.
5. Enter dir to see a list of files hosted on the ftp site.
6. Exit the ftp session.
7. Close the command prompt.

Request-and-Respond Session Analysis

In the second attempt at communication, the temporary delay that was visible in the earlier task was not present. This is because the second host was now able to respond to the IPSec request initiated by the ftp server. There was no need to move down the list to a different method of communication, so a little time was saved. In the following task, you will use Network Monitor to analyze this session, and to see how the IPSec policy was implemented. Some things to look for during this analysis include:
IP identifies AH with a protocol ID of 0x33 (51).
AH identifies TCP with a Next Header of 0x6 (6).
TCP identifies FTP with a destination port of 0x15 (21).

TASK 6C-9
Analyzing the Request-and-Respond Session
Based on your network traffic, you might have different frame numbers in your packet captures. ARP and ISAKMP may be different on your system.

Note: Perform this task only if you are designated as Student_Q. Student_P is advised to follow along.

1. In Network Monitor, stop and view the capture.
2. Observe that, after the ARP resolution has taken place (in frames 1 and 2), Student_P attempts to initiate a three-way handshake with Student_Q (in frame 3).
3. Observe that, because the policy on Student_Q says to request IPSec communication, Student_Q begins the negotiation process (in frame 4) by using the ISAKMP protocol (UDP port 500).
4. Observe that, when Student_P agrees to comply with the IPSec request (in frame 5), there is an ISAKMP interplay between the two machines for the next few frames to negotiate and establish the IPSec protocol.
5. Observe that the actual three-way handshake is now completed in frames 14 and 15. If your network traffic is different, your frame numbers will be different.
6. Observe that, from frame 16 onward until the session teardown, AH ensures the integrity of communication between the two machines.
7. Double-click a frame whose protocol is identified by Network Monitor as FTP.
8. Observe the sequence of protocol identification: Ethernet, then IP, then AH, then TCP, then FTP. As noted earlier: Ethernet identifies the protocol IP with an Ethertype of 0x800. IP identifies AH with a protocol ID of 0x33 (51). AH identifies TCP with a Next Header of 0x6 (6). TCP identifies FTP with a destination port of 0x15 (21).
9. Observe that there is no encryption: AH only signs the packet; it does not encrypt it.
10. In fact, look around frame 33. Near there, you should be able to see the name of the text file in response to the dir (LIST) command.
11. Close Network Monitor. You can save your capture to a file if you like.
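To make the protocol chain of Task 6C-9 concrete, here is an added example in Python (not code from the book, from Windows, or from Network Monitor). It builds a constructed Ethernet/IP/AH/TCP/FTP frame in transport mode, walks the same next-protocol fields the task asks you to observe (Ethertype 0x800, IP protocol 51, AH Next Header 6, TCP port 21), and recomputes the AH integrity check value, so you can see which bytes AH covers and why a router decrementing the TTL does not break it while a single changed payload byte does. The lab addresses, the SPI and the SA key are assumptions; in the real lab the key is derived by IKE, not the Purple Enigma string itself.

```python
"""Parse a transport-mode AH frame the way Network Monitor's protocol chain shows it,
then recompute the AH integrity check to see exactly which bytes it covers.
Added example, not code from the book. The frame is constructed here, not captured;
the Student_P/Student_Q addresses, the SPI and the SA key are assumptions."""
import hashlib
import hmac
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51
FTP_CONTROL_PORT = 21
ICV_LEN = 12  # HMAC-MD5-96 and HMAC-SHA1-96 both carry a 96-bit ICV

STUDENT_P = bytes([192, 168, 1, 20])  # assumed lab addresses
STUDENT_Q = bytes([192, 168, 1, 10])


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the header; caller zeroes the checksum field first."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ah_icv_coverage(ip_header: bytes, ah_and_payload: bytes) -> bytes:
    """Bytes the AH integrity check is computed over (RFC 2402 3.3.3.1): the IP header
    with the mutable fields zeroed, the AH header with its own ICV zeroed, and the
    entire payload. TTL and checksum change at every router, so they cannot be signed."""
    ip = bytearray(ip_header)
    ip[1] = 0                  # Type of Service
    ip[6:8] = b"\x00\x00"      # Flags + Fragment Offset
    ip[8] = 0                  # TTL
    ip[10:12] = b"\x00\x00"    # Header Checksum
    ah = bytearray(ah_and_payload)
    ah[12:12 + ICV_LEN] = bytes(ICV_LEN)  # next hdr, len, reserved, SPI, seq = 12 bytes before the ICV
    return bytes(ip) + bytes(ah)


def hmac_md5_96(key: bytes, data: bytes) -> bytes:
    """AH's MD5 choice is HMAC-MD5 truncated to 96 bits (RFC 2403)."""
    return hmac.new(key, data, hashlib.md5).digest()[:ICV_LEN]


def build_sample_frame(key: bytes, payload: bytes = b"LIST\r\n") -> bytes:
    """Constructed Ethernet/IP/AH/TCP/FTP frame: Student_P sending dir (LIST) to Student_Q
    under the 1_*_AH(md5)_only policies. The TCP checksum is left zero for brevity."""
    tcp = struct.pack("!HHIIBBHHH", 1040, FTP_CONTROL_PORT, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0) + payload
    ah_len_words = (12 + ICV_LEN) // 4 - 2            # AH "payload length" = 32-bit words minus 2
    ah = struct.pack("!BBHII", IPPROTO_TCP, ah_len_words, 0, 0x3A2B1C0D, 1) + bytes(ICV_LEN)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ah) + len(tcp), 0x1234,
                               0x4000, 128, IPPROTO_AH, 0, STUDENT_P, STUDENT_Q))
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    icv = hmac_md5_96(key, ah_icv_coverage(bytes(ip), ah + tcp))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("0066778899aa") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + bytes(ip) + ah[:12] + icv + tcp


def parse_frame(frame: bytes) -> dict:
    """Follow each header's next-protocol field, as Network Monitor's summary does."""
    info = {"chain": ["Ethernet"], "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] != ETHERTYPE_IPV4:
        return info
    info["chain"].append("IP")
    ihl = (frame[14] & 0x0F) * 4
    info["ip_protocol"] = frame[14 + 9]
    off = 14 + ihl
    proto = info["ip_protocol"]
    if proto == IPPROTO_AH:
        info["chain"].append("AH")
        ah_len = (frame[off + 1] + 2) * 4
        info["ah_next_header"] = proto = frame[off]
        info["ah_icv"] = frame[off + 12:off + ah_len]
        off += ah_len
    if proto == IPPROTO_ESP:
        info["chain"].append("ESP")  # everything after the SPI and sequence number is ciphertext
        return info
    if proto == IPPROTO_TCP:
        info["chain"].append("TCP")
        sport, dport, _, _, doff = struct.unpack("!HHIIB", frame[off:off + 13])
        info["tcp_dport"] = dport
        off += (doff >> 4) * 4
        if FTP_CONTROL_PORT in (sport, dport):
            info["chain"].append("FTP")
            info["ftp_payload"] = frame[off:]
    return info


def verify_ah(frame: bytes, key: bytes) -> bool:
    """Recompute the ICV over the immutable bytes and compare it with the one carried."""
    info = parse_frame(frame)
    if "AH" not in info["chain"]:
        return False
    ihl = (frame[14] & 0x0F) * 4
    expected = hmac_md5_96(key, ah_icv_coverage(frame[14:14 + ihl], frame[14 + ihl:]))
    return hmac.compare_digest(expected, info["ah_icv"])


def router_hop(frame: bytes) -> bytes:
    """One routed hop: TTL decremented and the IP checksum recomputed, nothing else touched."""
    f = bytearray(frame)
    f[14 + 8] -= 1
    f[14 + 10:14 + 12] = b"\x00\x00"
    ihl = (f[14] & 0x0F) * 4
    f[14 + 10:14 + 12] = struct.pack("!H", ipv4_checksum(bytes(f[14:14 + ihl])))
    return bytes(f)


if __name__ == "__main__":
    sa_key = b"derived-by-IKE-from-Purple-Enigma"  # assumption: the SA key, not the preshared key itself
    frame = build_sample_frame(sa_key)
    print(" -> ".join(parse_frame(frame)["chain"]))
    print("ICV valid:", verify_ah(frame, sa_key), "after a hop:", verify_ah(router_hop(frame), sa_key))
    tampered = frame[:-1] + bytes([frame[-1] ^ 0x01])
    print("ICV valid on tampered payload:", verify_ah(tampered, sa_key))
```

Change the IP protocol byte to 50 and parse_frame stops at ESP, which is exactly what you will see in the Topic 6D captures: the chain ends at the ESP header because the TCP header and payload behind it are ciphertext.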

Topic 6D
Combining AH and ESP in IPSec
In the previous topic, you examined the implementation of AH in Windows Server 2003, including viewing packet data in Network Monitor. You have also configured and analyzed IPSec traffic that used ESP on its own; the same custom Security Method dialog lets you uncheck AH and leave only ESP checked, so an ESP-only policy remains available in Windows Server 2003. In the following section of tasks, you will enable different options in the establishment of IPSec between two computers. In this topic, you will configure and analyze network traffic that combines AH and ESP. When you are using both AH and ESP, you are configuring IPSec to its fullest strength.

TASK 6D-1
Creating the 5_REQUEST_AH(md5)+ESP(des) IPSec Policy and the Response Policy
Note: Perform this task only if you are designated as Student_Q. Student_P is advised to follow along.

1. Open your ipsec.mmc.msc console. In the right pane, unassign the current policy, and then create another IP Security Policy. Click Next.
2. For the IP Security Policy Name, type 5_REQUEST_AH(md5)+ESP(des) and click Next.
3. Uncheck Activate The Default Response Rule, and click Next.
4. Uncheck Edit Properties, and click Finish.
5. Double-click the new policy.
6. On the Rules tab, verify that Use Add Wizard is unchecked, and click Add.
7. On the IP Filter List tab, select the All IP Traffic radio button.
8. Switch to the Filter Action tab.
9. Select the Request Security (Optional) radio button.
10. Click Edit.
11. Leave the radio button selected for Negotiate Security.
12. Read the options presented to you under Security Method Preference Order.
13. Remove all but one method by holding the Shift key, selecting all but one of the choices, and clicking Remove. Some configurations might have only one option. If so, skip the next step.
14. When prompted with Are You Sure?, click Yes.
15. Select the remaining method, and click Edit.
16. Under Security Method, click the Settings button found under Custom.
17. Verify that AH is checked.
18. Select the integrity algorithm MD5.
19. Verify that ESP is checked.
20. Leave ESP's integrity algorithm set to <None>.
21. For Encryption Algorithm, select DES.
22. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.
23. Click OK three times to return to the Rule Properties.
24. Switch to the Authentication Methods tab.
25. Click Edit.
26. Select the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide the text for the preshared key.
27. Click OK, and then click Close to return to the Policy Properties.
28. On the Rules tab, check <Dynamic> Default Response, and click Edit. The Use Add Wizard check box should remain unchecked.
29. Under Security Methods, hold the Shift key, select all but one of the choices, and click Remove.
30. Select the remaining method, and click Edit.
31. Under Security Method, click the Settings button found under Custom.
32. Verify that AH is checked.
33. Select the integrity algorithm MD5.
34. Verify that ESP is checked.
35. Leave ESP's integrity algorithm set to <None>.
36. For Encryption Algorithm, select DES.
37. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.
38. Click OK twice to return to the Rule Properties.
39. Switch to the Authentication Methods tab.
40. Click Edit.
41. Select the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide the text for the preshared key.
42. Click OK three times to close the Policy Properties.
43. Close the console without saving settings.

Configuring the IPSec Response

You have configured a policy where Student_Q will request other computers that attempt to communicate with it to implement AH by using the MD5 integrity algorithm and ESP by using the DES encryption algorithm; Student_Q is also in a position to respond by using these algorithms. Let's configure Student_P to follow Student_Q's lead.

TASK 6D-2
Creating the 5_RESPOND_AH(md5)+ESP(des) IPSec Policy
Note: Perform this task only if you are designated as Student_P. Student_Q is advised to follow along.

1. Open your ipsec.mmc.msc console. In the right pane, create another IP Security Policy. Click Next.
2. For the IP Security Policy Name, type 5_RESPOND_AH(md5)+ESP(des) and click Next.
3. Uncheck Activate The Default Response Rule, and click Next.
4. Uncheck Edit Properties, and click Finish.
5. Double-click the new policy.
6. On the Rules tab, verify that Use Add Wizard is unchecked, check <Dynamic> Default Response, and click Edit.
7. Remove all but one security method by holding the Shift key, selecting all but one of the choices, and clicking Remove.
8. When prompted with Are You Sure?, click Yes.
9. Select the remaining method, and click Edit.
10. Under Security Method, click the Settings button found under Custom.
11. Verify that AH is checked.
12. Select the integrity algorithm MD5.
13. Verify that ESP is checked.
14. Leave ESP's integrity algorithm set to <None>.
15. For Encryption Algorithm, select DES.
16. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.
17. Click OK twice to return to the Rule Properties.
18. Switch to the Authentication Methods tab.
19. Click Edit.
20. Select the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide the text for the preshared key.
21. Click OK three times to close the Policy Properties.
22. Close the console without saving settings.

AH and ESP IPSec Session Analysis

You have just gone through the steps of configuring IPSec on both Student_P and Student_Q. In the next task, you will initiate a communication between the two hosts, and analyze the communication in Network Monitor. The initial communication will be an attempt at using FTP. As with the 1_REQUEST_AH(md5)_only policy, this transaction is also successful between Student_P and Student_Q because Student_Q's policy is designed to request, not demand, IPSec. If a remote machine trying to communicate with Student_Q is not IPSec-aware or does not have a policy assigned to do so, then Student_Q will fall back to regular, insecure IP. The brief delay occurs because Student_Q is trying to establish an IPSec communication with Student_P. Once the connection is made, the second computer will be configured to respond to the first properly.

During the session analysis, try to note the differences from the earlier captures, those resulting from the AH_only policy. Here, you are not able to see any of the TCP flags, connection setup, three-way handshake completion, or data transfer; in fact, you will see nothing but encrypted data. The protocol is listed simply as ESP. If you check the details within the IP header, IP points to AH (IP protocol ID 51, 0x33) and AH points to ESP (IP protocol ID 50, 0x32). After the IP header come AH and then ESP, and everything after the ESP header, including the TCP header, is ciphertext. No one but these two endpoints can decrypt packets destined for them.

TASK 6D-3
Configuring and Analyzing an IPSec Session Using AH and ESP
As you assign and unassign policies, you might need to issue the command gpupdate /force to initialize those policies right away.

Note: Perform step 1 through step 2 only if you are designated as Student_Q.

1. Open your ipsec.mmc.msc console. Right-click the 5_REQUEST_AH(md5)+ESP(des) policy and choose Assign. Close the console.
2. Start Network Monitor, and start a capture.

Note: Perform step 3 through step 8 only if you are designated as Student_P.

3. At the command prompt, again enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q after a very brief delay, even though an IPSec policy is assigned on Student_Q.
4. Log on as anonymous with no password.
5. Enter dir to see a list of files hosted on the ftp site.
6. Exit the ftp session.
7. Open your ipsec.mmc.msc console. Right-click the 5_RESPOND_AH(md5)+ESP(des) policy, and choose Assign.
8. Open a command prompt and enter the following command: gpupdate /force (this will ensure that your newly assigned policy will start right away).

Note: Perform step 9 through step 11 only if you are designated as Student_Q.

9. In Network Monitor, stop and view the capture.
10. Observe the session between the two hosts. Note that encryption is not used and that commands are visible in clear text.
11. Start a new capture (save the previous capture if you like).

Note: Perform step 12 through step 15 on Student_P.

12. At the command prompt, again enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q.
13. Log on as anonymous with no password.
14. Enter dir to see a list of files hosted on the ftp site.
15. Exit the ftp session.

Note: Perform step 16 through step 19 only if you are designated as Student_Q.

16. In Network Monitor, stop and view the capture.
17. Search the packets, and try to look for the name of the text file in response to the dir (LIST) command.
18. Observe that AH ensures integrity and ESP ensures confidentiality of communication between the two machines.
19. Close Network Monitor. You can save your capture to a file if you like.

Note: Perform the following step only if you are designated as Student_P.

20. Open your ipsec.mmc.msc console, unassign the 5_RESPOND_AH(md5)+ESP(des) policy, and close the console.

Configuring All the Options

Now, let's step up the requirements for IPSec. Let's say you were paranoid and wanted to use all the features set to their highest security settings. You will configure an IPSec policy on Student_Q that will use the SHA-1 algorithm to ensure integrity and 3DES to ensure confidentiality. You will then configure Student_Q to demand IPSec of other computers. To do so, you will use a Require policy instead of a Request policy. Finally, on Student_P, you will implement a corresponding Respond policy and establish communications with Student_Q.

Someone may bring up the question, "Hey, why would you use the integrity algorithm twice?" At this point, we'll leave the answer as a smug "Because we can!" Actually, there is a simpler explanation. Most books on IPSec recommend using AH to ensure the integrity of the entire packet and ESP just for confidentiality of the payload. Most books on IPSec also simply say that ESP "...can also be used for integrity." Let's look at this a little more carefully.

The AH's function is to sign the entire packet, including the IP header. However, there are certain fields in the IP header that have to be excluded because they are designed to change. One example of this is when traversing a routed environment, the 8-bit TTL field will decrement by 1 at each hop. The values contained within these fields cannot be signed, as the received value would not match the value at origin. (The other fields AH treats this way are Type of Service, Flags, Fragment Offset, and Header Checksum; all of them are set to zero when the integrity check value is computed.) The ESP's function is to encrypt and/or sign everything but the IP header. In Transport Mode, using ESP's signing functionality might be considered redundant when AH is around to do the job, especially when AH can sign even the IP headers (mostly). It's when IPSec is implemented in Tunnel Mode, as with a VPN solution, that ESP's signing functionality has some meaning over and above that of AH. In Tunnel Mode, there are two IP headers in each packet. The outer IP header is the one used by the tunnel endpoints to communicate with each other. Encapsulated within this as payload data is the IP header, IP protocol, and the actual data of the two hosts communicating end-to-end via the tunnel. Therefore, when the tunnel endpoints use ESP's integrity algorithm, the internal IP headers are treated as data and will be completely signed.

By the way, before you get carried away with IPSec, it is also recommended that you read Bruce Schneier's excellent critique of IPSec, written with Niels Ferguson as "A Cryptographic Evaluation of IPsec". You can find it at his company's website, www.counterpane.com.
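As an added model, not Windows code or anything from the book, the following Python reduces the filter-action behaviour described here and in the Request-only session analysis of Topic 6C to one negotiation function: Student_Q's Request or Require action, Student_P's Respond policy (or no policy at all), and the first-match-in-initiator-preference-order rule for the Security Method Preference Order. The two ISAKMP attempts about a second apart are taken from the capture described in Task 6C-7; the exact retransmit schedule of the Windows IKE service is not modelled, and the policy and method names are the lab's, not anything Windows exposes by these identifiers.

```python
"""Model of how a Windows 2003 IPSec filter action (Request or Require) negotiates
with a peer's Respond policy, or with no policy at all. Added example: this is not
Windows code. The retry count and one-second interval follow the Task 6C-7 capture
description; method matching is first-match in the initiator's preference order."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SecurityMethod:
    ah_integrity: Optional[str] = None    # "MD5", "SHA1" or None (AH unchecked)
    esp_integrity: Optional[str] = None   # "MD5", "SHA1" or None (<None> in the dialog)
    esp_encryption: Optional[str] = None  # "DES", "3DES" or None (ESP unchecked)

    def label(self) -> str:
        """Render the method the way the lab's policy names spell it, e.g. AH(md5)+ESP(des)."""
        parts = []
        if self.ah_integrity:
            parts.append(f"AH({self.ah_integrity.lower()})")
        if self.esp_encryption or self.esp_integrity:
            inner = "+".join(x.lower() for x in (self.esp_integrity, self.esp_encryption) if x)
            parts.append(f"ESP({inner})")
        return "+".join(parts)


@dataclass(frozen=True)
class Policy:
    filter_action: str   # "none", "permit", "request", "require" or "respond"
    methods: tuple = ()  # Security Method Preference Order, most preferred first


@dataclass(frozen=True)
class Outcome:
    connected: bool                  # did the FTP session get through at all?
    secured: bool                    # was an IPSec SA established?
    method: Optional[SecurityMethod]
    isakmp_attempts: int             # ISAKMP (UDP 500) frames the initiator had to send
    delay_s: float                   # time spent before securing or falling back


def first_common_method(offered, accepted) -> Optional[SecurityMethod]:
    """Pick the first method in the initiator's order that the responder also lists."""
    return next((m for m in offered if m in accepted), None)


def negotiate(q: Policy, p: Policy, retry_interval_s: float = 1.0, max_attempts: int = 2) -> Outcome:
    """Student_Q (q) owns the filter action on All IP Traffic; Student_P (p) only responds."""
    if q.filter_action == "permit":
        return Outcome(True, False, None, 0, 0.0)
    if q.filter_action not in ("request", "require"):
        raise ValueError("only a Request or Require filter action initiates ISAKMP")
    if p.filter_action == "none":
        # Peer has no IPSec policy assigned: every ISAKMP frame goes unanswered, so the
        # initiator retries at the interval and then acts according to its filter action.
        delay = retry_interval_s * max_attempts
        return Outcome(q.filter_action == "request", False, None, max_attempts, delay)
    match = first_common_method(q.methods, p.methods)
    if match is not None:
        return Outcome(True, True, match, 1, 0.0)
    # Peer answered but the two lists share nothing: Request falls back, Require refuses.
    return Outcome(q.filter_action == "request", False, None, 1, 0.0)


AH_MD5 = SecurityMethod(ah_integrity="MD5")
AH_MD5_ESP_DES = SecurityMethod(ah_integrity="MD5", esp_encryption="DES")
AH_SHA_ESP_SHA_3DES = SecurityMethod(ah_integrity="SHA1", esp_integrity="SHA1", esp_encryption="3DES")

NO_POLICY = Policy("none")
REQUEST_AH_MD5 = Policy("request", (AH_MD5,))
RESPOND_AH_MD5 = Policy("respond", (AH_MD5,))
REQUEST_AH_MD5_ESP_DES = Policy("request", (AH_MD5_ESP_DES,))
RESPOND_AH_MD5_ESP_DES = Policy("respond", (AH_MD5_ESP_DES,))
REQUIRE_STRONG = Policy("require", (AH_SHA_ESP_SHA_3DES,))
RESPOND_STRONG = Policy("respond", (AH_SHA_ESP_SHA_3DES,))


def lab_sequence() -> List[str]:
    """The situations the lesson walks through, in the order the tasks run them."""
    rows = [
        ("1_REQUEST vs no policy", REQUEST_AH_MD5, NO_POLICY),
        ("1_REQUEST vs 1_RESPOND", REQUEST_AH_MD5, RESPOND_AH_MD5),
        ("5_REQUEST vs no policy", REQUEST_AH_MD5_ESP_DES, NO_POLICY),
        ("5_REQUEST vs 5_RESPOND", REQUEST_AH_MD5_ESP_DES, RESPOND_AH_MD5_ESP_DES),
        ("7_REQUIRE vs 1_RESPOND", REQUIRE_STRONG, RESPOND_AH_MD5),
        ("7_REQUIRE vs 7_RESPOND", REQUIRE_STRONG, RESPOND_STRONG),
    ]
    out = []
    for name, q, p in rows:
        o = negotiate(q, p)
        state = "blocked" if not o.connected else ("IPSec " + o.method.label() if o.secured else "clear text")
        out.append(f"{name}: {state} after {o.isakmp_attempts} ISAKMP attempt(s), {o.delay_s:.0f}s delay")
    return out


if __name__ == "__main__":
    print("\n".join(lab_sequence()))
```

The two rows that matter most for policy design are the mismatches: with Request, a peer that never answers or offers nothing in common is silently served in clear text, while with Require the same peer is refused. That is the whole difference between "request" and "demand" in this lesson, and the model also shows why a single-method list is brittle: a Require policy blocks any peer whose only method differs, so a production preference order normally lists the strong method first and an acceptable fallback after it.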

TASK 6D-4
Implementing the 7_REQUIRE_ AH(sha)+ESP(sha+3des) Policy
Note: Perform this task only if you are designated as Student_Q. Student_P is advised to follow along. 1. Create another IP Security Policy. Click Next.

Lesson 6: Implementing IPSec and VPNs

333

2. For the IP Security Policy Name, type 7_REQUIRE_AH(sha)+ESP(sha+3des) and click Next.
3. Uncheck Activate The Default Response Rule, and click Next.
4. Uncheck Edit Properties, and click Finish.
5. Double-click the new policy.
6. On the Rules tab, verify that Use Add Wizard is unchecked, and click Add.
7. On the IP Filter List tab, select the All IP Traffic radio button.
8. Switch to the Filter Action tab.
9. Select the Require Security radio button.
10. Click Edit.
11. Leave the radio button selected for Negotiate Security.
12. If necessary, remove all but one security method.
13. Select the remaining method, and click Edit.
14. Under Security Method, click the Settings button found under Custom.
15. Verify that AH is checked.
16. Select the integrity algorithm as SHA1.
17. Verify that ESP is checked.
18. Select ESP's integrity algorithm as SHA1.
19. For Encryption Algorithm, select 3DES.
20. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.
21. Click OK three times to return to the Rule Properties.
22. Switch to the Authentication Methods tab.
23. Click Edit.
24. Select the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide the text for the preshared key.
25. Click OK, click Close, then click OK to exit the Policy Properties.


Tactical Perimeter Defense

Configuring the AH-and-ESP IPSec Response Policy


In order for the two hosts to communicate, they must have compatible IPSec policies implemented. By now, you are familiar with the procedure, so the following task should be rather straightforward.

TASK 6D-5
Implementing the 7_RESPOND_AH(sha)+ESP(sha+3des) Policy
Note: Perform this task only if you are designated as Student_P. Student_Q is advised to follow along.
1. Create another IP Security Policy. Click Next.
2. For the IP Security Policy Name, type 7_RESPOND_AH(sha)+ESP(sha+3des) and click Next.
3. Uncheck Activate The Default Response Rule, and click Next.
4. Uncheck Edit Properties, and click Finish.
5. Double-click the new policy.
6. On the Rules tab, verify that Use Add Wizard is unchecked, check <Dynamic> Default Response, and click Edit.
7. Remove all but one security method.
8. Select the remaining method, and click Edit.
9. Under Security Method, click the Settings button found under Custom.
10. Verify that AH is checked.
11. Select the integrity algorithm as SHA1.
12. Verify that ESP is checked.
13. Select ESP's integrity algorithm as SHA1.
14. For Encryption Algorithm, select 3DES.
15. Under Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.
16. Click OK twice to return to the Rule Properties.
17. Switch to the Authentication Methods tab.
18. Click Edit.


19. Select the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide the text for the preshared key.
20. Click OK twice, and then click Close to exit the Policy Properties.
21. Close the console without saving settings.

Implementing the Full IPSec Session


So far, you have configured a policy where Student_Q will require other computers that attempt to communicate with it to implement AH by using the SHA-1 algorithm and ESP by using both the SHA-1 and 3DES algorithms; Student_Q also will respond only by using these algorithms. Now, let's see what happens when Student_P follows Student_Q's lead. When you perform the final analysis in Network Monitor, keep the following in mind: if you were to perform a hex-to-hex comparison of the two captures, you would see that due to the additional overhead imposed by the 7_REQUIRE_AH(sha)+ESP(sha+3des) policy over the 6_REQUIRE_AH(md5)+ESP(des) policy, the actual number of bits is greater. In fact, if you had tried to actually transfer large files between the two machines, then the number of frames would also have been greater.

TASK 6D-6
Implementing and Analyzing an AH(sha) and ESP(sha+3des) IPSec Session
Note: Perform step 1 through step 2 only if you are designated as Student_Q.
1. Open your ipsec.mmc.msc console. Assign the 7_REQUIRE_AH(sha)+ESP(sha+3des) policy. When you assign this policy, the previously assigned policy is automatically unassigned.
2. Start Network Monitor, and start a capture.

Note: Perform step 3 through step 7 only if you are designated as Student_P.
3. Open your ipsec.mmc.msc console. Assign the 7_RESPOND_AH(sha)+ESP(sha+3des) policy.
4. At the command prompt, enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q.
5. Log on as anonymous with no password.
6. Enter dir to see a list of files hosted on the ftp site.
7. Exit the ftp session.


Note: Perform the rest of this task only if you are designated as Student_Q.
8. In Network Monitor, stop and view the capture.
9. Observe that once ISAKMP establishes the encryption method, all data is encrypted with ESP.
10. Identify any differences with respect to the negotiation process, encryption, or integrity algorithms.
11. Where does the packet identify that AH is in use? In the IP Header. What is the Protocol ID assigned to AH? 51 (0x33). Where does the AH information define the use of ESP? In the AH Next Header. What is the Protocol ID assigned to ESP? 50 (0x32).
12. Close Network Monitor. You can save your capture to a file if you like.
13. Unassign all IPSec policies on all machines.
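As an added example (not part of the course or its lab), the following Python walks the header chain of a hand-constructed IPv4 packet the way step 11 does by eye in Network Monitor: the IP Protocol field announces AH (51, 0x33), the AH Next Header announces ESP (50, 0x32), and only the ESP SPI and sequence number are readable before the ciphertext. The packet bytes, SPIs and addresses are constructed inline, not taken from a real capture.

```python
"""Follow the IP -> AH -> ESP header chain of an IPv4 packet.

Added example, not course material. SAMPLE_PACKET is constructed by hand
(no real capture): an IPv4 header (Protocol 51 = AH), a 24-byte AH whose
Next Header is 50 (ESP) carrying a 96-bit HMAC-SHA1 ICV, then an ESP header
(SPI and sequence number) followed by 16 bytes standing in for 3DES ciphertext.
"""
import struct

IPPROTO_AH = 51   # 0x33, announced in the IP Protocol field
IPPROTO_ESP = 50  # 0x32, announced in the AH Next Header (or IP Protocol)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", IPPROTO_ESP: "ESP", IPPROTO_AH: "AH"}


def parse_ipv4(packet: bytes) -> dict:
    """Return the IPv4 header fields that matter for spotting IPSec."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"ihl": (ver_ihl & 0x0F) * 4, "total_len": total_len, "ttl": ttl,
            "proto": proto, "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}


def parse_ah(data: bytes) -> dict:
    """AH layout: Next Header(1) Payload Len(1) Reserved(2) SPI(4) Seq(4) ICV.

    Payload Len counts 32-bit words minus 2, so the whole AH is (len + 2) * 4 bytes.
    """
    if len(data) < 12:
        raise ValueError("truncated AH")
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", data[:12])
    ah_len = (payload_len + 2) * 4
    return {"next_header": next_header, "spi": spi, "seq": seq,
            "icv": data[12:ah_len], "len": ah_len}


def parse_esp(data: bytes) -> dict:
    """Only SPI and Sequence are in the clear; everything after them is ciphertext."""
    if len(data) < 8:
        raise ValueError("truncated ESP")
    spi, seq = struct.unpack("!II", data[:8])
    return {"spi": spi, "seq": seq, "ciphertext_len": len(data) - 8}


def walk_ipsec_chain(packet: bytes) -> list:
    """Record each header that names the next protocol, as a list of dicts."""
    ip = parse_ipv4(packet)
    chain = [{"layer": "IP", "protocol": ip["proto"],
              "protocol_name": PROTO_NAMES.get(ip["proto"], "unknown")}]
    offset, proto = ip["ihl"], ip["proto"]
    if proto == IPPROTO_AH:
        ah = parse_ah(packet[offset:])
        chain.append({"layer": "AH", "spi": ah["spi"], "seq": ah["seq"],
                      "next_header": ah["next_header"],
                      "next_name": PROTO_NAMES.get(ah["next_header"], "unknown")})
        offset, proto = offset + ah["len"], ah["next_header"]
    if proto == IPPROTO_ESP:
        esp = parse_esp(packet[offset:])
        chain.append({"layer": "ESP", "spi": esp["spi"], "seq": esp["seq"],
                      "ciphertext_len": esp["ciphertext_len"]})
    return chain


def build_sample_packet() -> bytes:
    """Constructed AH+ESP packet between two lab-style private addresses."""
    ah = struct.pack("!BBHII", IPPROTO_ESP, 4, 0, 0x1001, 1) + b"\xaa" * 12
    esp = struct.pack("!II", 0x2002, 1) + b"\xcc" * 16   # 16 opaque "cipher" bytes
    total_len = 20 + len(ah) + len(esp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x0001, 0x4000, 128,
                     IPPROTO_AH, 0, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    return ip + ah + esp


SAMPLE_PACKET = build_sample_packet()

if __name__ == "__main__":
    for hop in walk_ipsec_chain(SAMPLE_PACKET):
        print(hop)
```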

Topic 6E
VPN Fundamentals
A Virtual Private Network (VPN) provides a private tunnel through a public cloud (such as the Internet). A VPN enables a group of two or more computer systems to communicate over the Internet or any other public network. VPNs can exist between an individual machine and a private network (client-to-server) or between a remote LAN (like a branch office) and a private, enterprise network (server-to-server). Secure VPNs make use of tunneling and security protocols to maintain the privacy of data transactions over the Internet.

A VPN is virtual, as opposed to a real private network. The idea is to make a private network that provides a secure tunnel for the exchange of data between two or more parties. If this were done over a real private network, the dedicated lines/bandwidth and service would make it cost prohibitive. But when this idea of a secure tunnel is implemented over a public network such as the Internet, the costs as well as the bandwidth are spread among many users, thus creating a Virtual Private Network.
LAN: (Local Area Network) A computer communication system limited to no more than a few miles and using high-speed connections (2 to 100 megabits per second). A short-haul communication system that connects ADP devices in a building or group of buildings within a few square kilometers, including workstations, frontend processors, controllers, and servers.


VPN Business Drivers


VPNs are popular today for a number of reasons, including:
- Mature standards, protocols, and technology.
- Significant cost savings.
- Reduction in network complexity, resulting in lower network operation costs.
- Increased security and encryption capabilities.

The Need for Remote Access


Remote access is a business requirement today, required for both communication and interaction. To determine whether or not a VPN is a good answer to your company's needs for remote connectivity, consider your specific technical requirements, along with the pros and cons of VPN use. Some advantages to using VPNs include:
- The ability to securely connect high-speed remote users over broadband technology, including cable modems and DSL lines, that was not possible before the advent of VPNs. VPNs will work with any last-mile technology as long as IP is running over the connection.
- No administrative headaches for managing direct access telephone lines (dedicated leased lines), ISDN, T1, or PRI lines used for data, or for the RAS equipment (modems or other network access servers).
- Terminating the phone calls creates potential cost savings, especially if many of your remote users are located outside your local calling area.

Some disadvantages include:
- Potentially lower bandwidth available to remote users over a VPN connection, as compared to a direct dial-in line.
- Inconsistent remote access performance due to changes in Internet connectivity. To counteract this, you can have your users choose ISPs that have higher levels of service, perhaps the same ISP from which you purchase your corporate Internet connection, to keep the majority of your traffic on the same backbone.
- No entrance into the network if the Internet connection is broken. Some administrators choose to leave a limited amount of dial-in access for emergency access.

The Need for Extranets


Most VPNs can be designed to work as an extranet, but not all extranets are VPNs. Although there are several different meanings attributed to the term, it commonly refers to a type of network that gives outside users, such as customers, clients, and business associates, access to data residing on a corporation's network. Users access the data through a web browser over the Internet and typically need to enter a user name and password before access to the data is granted. Depending on the level of security needed, a company could choose to use an extranet approach or a customized approach that combines password protection of network servers with third-party authentication systems. A VPN can be used in a similar manner, but a VPN typically has much higher security associated with it. Specifically, a VPN typically requires the establishment of a tunnel into the corporate network and the encryption of data passed between the user's PC and corporate servers.

VPN Types
Even though the number of solutions is steadily increasing, VPNs fall under three main types:
- Hardware-based VPNs, for use in gateway-to-gateway configuration.
- Firewall-based VPNs.
- Software-based VPN applications, for use in client-to-client configuration.

Most hardware-based VPN systems are encrypting routers. Dedicated hardware VPN products offer better performance, security, reliability, and scalability than software-based solutions running on conventional servers and operating systems. They offer better performance and are more scalable because they are custom-built to perform essential tasks, such as encryption and decryption, as quickly as possible, often by having dedicated chips to carry out these functions. Their security is better because they are not vulnerable to weaknesses in an underlying operating system or to hard disks that can fail or run out of space. The best hardware VPN packages offer software-only clients for remote installation, and incorporate some of the access control features more traditionally managed by firewalls or other perimeter security devices. However, they may not be as flexible as software-based VPNs.

Firewall-based VPNs take advantage of the firewall's security mechanisms, including controlling access to the internal network. They also perform Network Address Translation (NAT), satisfy requirements for strong authentication, and serve up real-time alarms along with audit logs. Most commercial firewalls also harden the host operating system kernel by stripping out unnecessary services, such as default accounts for guest users, which are a clear vulnerability for exploitation, thus providing additional security for the VPN server. Operating system protection is a major plus, since very few VPN application vendors supply guidance on operating system security. Performance may be a concern, especially if the firewall is already configured; however, some firewall vendors offer hardware-based encryption processors to minimize the impact of VPN management on the system.

Software-based VPNs are ideal in situations where both user and destination endpoints of the VPN are not controlled by the same organization, and when different firewalls and routers are implemented within the same organization.
At the moment, stand-alone VPNs offer the most flexibility in how network traffic is managed. Many software-based products allow traffic to be tunneled based on IP address or protocol, unlike hardware-based products, which generally tunnel all traffic they handle regardless of protocol. Tunneling specific traffic types is advantageous in situations where remote sites may see a mix of traffic, some of which needs transport over a VPN to access data and some of which does not, as in simple web surfing. In situations where performance requirements are not heavy, software-based VPNs may be the best choice. A disadvantage might be that software-based systems are generally harder to manage than encrypting routers. They require familiarity with the host operating system and the application itself, and appropriate security mechanisms must be in place. Also, most software-based VPN packages require changes to routing tables and network addressing schemes.

As the VPN market evolves, the distinctions between VPN architectures are becoming less clearly defined. Some hardware vendors have added software clients to their product offerings, and extended their server capabilities to include some of the security features more traditionally offered by software- or firewall-based VPNs. A few stand-alone products have added support for hardware-based encryptors to improve their performance. For all types of VPNs, further implementation of the proposed IP Security Protocol (IPSec) is making interoperability easier with different VPN products by softening the lines of distinction between them.

VPN Elements
The critical elements of a VPN connection are described in the following table (name, then description).

VPN server: Accepts connections from VPN clients and can also provide VPN connections between routers.

VPN client: Initiates the VPN connection that ends up at the VPN server. A VPN client can be an end-user system, such as Windows 2000 or Windows XP, or it can be a router that gets a router-to-router connection. A VPN client can be a Point-to-Point Tunneling Protocol (PPTP) client or a Layer 2 Tunneling Protocol (L2TP) client using IPSec.

Tunnel: The part of the connection where the data is encapsulated.

VPN connection: The part of the connection where the data is encrypted. The data must be both encrypted and encapsulated along the same part of the connection for the connection to be considered a secure VPN connection.

Tunneling protocols: The communication standard used to manage the tunnel and encapsulate the data. For example, Windows 2003 supports PPTP and L2TP tunneling protocols.

Tunneled data: Is sent across the private point-to-point link.

Transit network: The IP internetwork (for example, the Internet) that connects the VPN client with the VPN server.

Each of the different types of VPN configurations can be enabled by using some combination of the following technology components:
- Dedicated VPN gateways
- IPSec-enabled routers and firewalls
- VPN client software
- IPSec-enabled operating systems, such as Windows 2003

A number of security applications combine VPN and firewall functionality into a single box. This is very useful for branch offices communicating with central office gateways.


Tunneling and Security Protocols


Tunneling is a technique where a data packet is transferred inside the frame or packet of another protocol. Therefore, the infrastructure of one network is used to travel to another. A tunnel can be thought of as a session pipe. A VPN client connects to a VPN server through a tunnel using a tunneling protocol. The logical path along which the encapsulated packet is routed is called the tunnel. Tunneling describes the entire process:
- Encapsulation of the data packet at the source.
- Transmission of the data packet through the tunnel.
- Un-encapsulation of the data packet at the destination.

In a VPN connection, encrypted data is sent through the tunnel. Both the tunnel client and the tunnel server must use the same tunneling protocols. The major tunneling protocols for VPNs are:
- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Tunneling Protocol (L2TP)
- IP Security Protocol (IPSec)

Tunneling mechanisms differ in terms of:
- What is done to the data for encryption and authentication.
- The OSI layer at which they operate.
- The headers that describe the data transmission and authentication.
OSI: (Open Systems Interconnection) A set of internationally accepted and openly developed standards that meet the needs of network resource administration and integrated network components.

TASK 6E-1
Defining Tunneling Protocols
1. Define the three major tunneling protocols for VPNs: Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and IP Security Protocol (IPSec).

Topic 6F
Tunneling Protocols
Earlier in the course, you studied the IPSec protocol intensively, by working with various IPSec policy settings and testing their validity. The policies, however, were tested only in Transport Mode. When IPSec is used to secure VPN communication, it is used in Tunnel Mode. IP Security Protocol (IPSec) is an evolving security protocol from the Internet Engineering Task Force (IETF) that provides authentication and encryption over the Internet. Normal IPv4 packets consist of headers and payload, both of which contain information of value to an attacker. The header contains source and destination IP addresses, which are required for routing, but may be spoofed or altered in what are known as man-in-the-middle attacks. The payload consists of information that may be confidential to a particular organization.

cryptography: The art or science concerning the principles, means, and methods for rendering plain text unintelligible and for converting encrypted messages into intelligible form.

The two prime functions of IPSec are to ensure data security and data integrity. Security is achieved through data encryption techniques, and integrity through a combination of techniques that authenticate the data sender. IPSec is a set of industry standards for cryptography-based protection services and protocols. As mentioned in the previous topic, the major tunneling protocols for VPNs are PPTP, L2TP, and IPSec. Each of the three VPN protocols provides different levels of security and ease of deployment. The standardization process has made the Layer 2 Tunneling Protocol (L2TP) and IPSec the protocols of choice. PPTP is widely used for remote access connections, primarily because of its integration in the Microsoft operating systems. PPTP, L2TP, and Cisco's Layer 2 Forwarding Protocol (L2F) are all designed to work at Layer 2 of the OSI model. IPSec is the only protocol engineered to work at Layer 3 of the OSI model. IPSec is fast emerging as the protocol of choice to build the best VPN system because it supports:
- Strong security
- Encryption
- Authentication
- Key management

When dealing with VPNs in a multi-protocol non-IP network environment, PPTP or L2TP may be a better choice. Both PPTP and L2TP are strictly tunneling protocols. Since IPSec was designed for the IP protocol, it has wide industry support and is expected to eventually become the standard for VPNs on the Internet. Other tunneling protocols include:
- Secure Shell (SSH)
- Socks v5

SSH: (Secure Shell) A completely encrypted shell connection between two machines protected by a super long pass-phrase.

These offer Application layer tunnels, as well as various implementations of tunnels, such as cascaded tunnels, nested tunnels, or end-to-end tunnels. The SSH protocol is a widely used Application layer tunneling protocol that uses a public key cryptographic system to ensure security. SSH is freely available as a direct result of OpenSSH initiatives. The SSH protocol suite offers a secure replacement for Telnet, rlogin, FTP, and other programs, in addition to tunneling capabilities. Socks v5 offers an Application layer VPN by providing desktop-to-server authentication and encryption. While both SSH and Socks v5 are exceptional application (session)-tunneling protocols, they are not widely deployed in strategic enterprise VPN solutions.

Point-to-Point Tunneling Protocol (PPTP)


The PPTP Forum developed the Point-to-Point Tunneling Protocol (PPTP) specification. This forum included Ascend Communications, 3Com/Primary Access, ECI Telematics, U.S. Robotics, and Microsoft. PPTP has fast become the most widely used protocol for creating dial-in remote access VPNs. A key reason for the success of PPTP for dial-in remote access has been support for the protocol by Microsoft. Microsoft supports PPTP on the NT Server platform version 4.0 and above and includes a free PPTP client in the desktop operating system. The Microsoft version of PPTP is its own version of the IETF PPTP protocol, and it is the Microsoft version that is the de facto standard for PPTP deployments. Most vendor products use Microsoft's version of the protocol.


Working at Layer 2 of the OSI model, PPTP encapsulates PPP packets using a modified version of Generic Routing Encapsulation (GRE), which gives PPTP the capability to handle any supported network layer protocol such as IP, IPX, and NetBEUI. While PPTP is best suited for remote access VPNs, there are some security issues related to it. These issues relate to vulnerabilities associated with the Challenge/Response Authentication Protocol (Microsoft CHAP), as well as the RC4-based encryption protocol (MPPE). Even though there have been security updates and enhancements by Microsoft, it is still recommended that Microsoft's PPTP protocol not be used in VPN systems where there is a strong need to protect sensitive data. PPTP may be an appropriate solution to deploy in smaller organizations that may only need a limited regional VPN, supporting small numbers of mobile users.

Layer 2 Tunneling Protocol (L2TP)


Layer 2 Tunneling Protocol (L2TP), defined in RFC 2661, is a protocol for tunneling PPP sessions across a variety of network protocols such as IP, Frame Relay, or ATM. The IETF working group joined the PPTP group's efforts with Cisco's Layer 2 Forwarding Protocol (L2F) initiatives to develop L2TP. L2TP is the successor to PPTP and L2F. L2TP was specifically designed for client-to-gateway and gateway-to-gateway connections with broad tunneling and security interoperability. L2TP has wide vendor support because it addresses the IPSec shortcomings of client-to-gateway and gateway-to-gateway connections. L2TP tunnels appear as IP packets, so IPSec Transport Mode provides authenticity, integrity, and confidentiality security controls. L2TP tunneled in IP, using UDP port 1701, is used as the VPN tunneling protocol over the Internet for tunnel maintenance. Compressed or encrypted PPP frames encapsulated in L2TP also use UDP to transmit tunneled data.


IPSec
IPSec in Tunnel Mode secures TCP/IP-based protocols using Layer 2 Tunneling Protocol (L2TP). Three main components form the building blocks of the IPSec protocol suite (component, then description).

Authentication Header (AH): Provides authentication, integrity, and anti-replay protection for both the IP header and the data payload. It does not provide confidentiality.

Encapsulating Security Payload (ESP): Provides confidentiality and/or authentication. Data is encrypted before it is transmitted.

Security Association (SA): Defines the security policy to be used in managing the secure communication between two nodes.

AH: (Authentication Header) A field that immediately follows the IP header in an IP datagram and provides authentication and integrity checking for the datagram.

ESP: (Encapsulating Security Payload) A mechanism to provide confidentiality and integrity protection to IP datagrams.

Keep in mind that you can use IPSec itself as the tunneling protocol, or you can use L2TP to create the tunnel and let IPSec provide data encryption. L2TP does not provide its own encryption service; it uses IPSec's ESP protocol to encrypt and authenticate the entire UDP datagram, thereby protecting it from compromise by unauthorized users. You can create L2TP tunnels without encryption, but this is technically not a VPN because the data is not protected.

Authentication Header (AH)


IPSec provides mechanisms to protect both header and payload data. The IPSec Authentication Header (AH) provides a mechanism for data integrity and data origin authentication for IP packets using the hashing algorithms Hash-based Message Authentication Code (HMAC) with MD5 or HMAC with Secure Hash Algorithm 1 (SHA-1). Use of the IP AH is indicated with the value 51 in the IPv4 Protocol field or IPv6 Next Header field in the IP packet header. AH digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet, verifying the identity of the source and destination machines and the integrity of the payload.

Encapsulating Security Payload (ESP)


The IPSec Encapsulating Security Payload (ESP) guarantees the integrity and confidentiality of the data in the original message by combining a secure hash and encryption of either the original payload by itself, or a combination of both the headers and payload of the original packet. As in AH, ESP uses HMAC with MD5 or SHA-1 authentication; privacy is provided using DES-CBC encryption. Placing a value of 50 in the IPv4 Protocol field or IPv6 Next Header field in the IP packet header indicates use of the IP ESP format. Both AH and ESP provide sequence numbers in each packet, which prevents a replay attack.

Security Association (SA) and Key Exchange


Before two parties can exchange secure data that is authenticated and encrypted, those parties need to determine:
- Which algorithms will be used for the session.
- How the key exchange will take place.
- How often keys will need to change.


Then, the two parties need to actually exchange the keys. These values are packaged together in a Security Association (SA) to facilitate secure communication between the two systems. Authentication and confidentiality using AH or ESP use SAs. A primary role of IPSec key exchange is to establish and maintain SAs. SAs are logical, uniquely defined, uni-directional (one-way) connections between two communicating IP endpoints that provide security services to the traffic they carry using either AH or ESP procedures. The endpoints of the tunnel can be an IP host or an IP security gateway, which is a VPN-enabled network device. Providing security to the more typical scenario of two-way (bi-directional) communication between two endpoints requires the establishment of two SAs (one in each direction).

Two types of SAs are defined in IPSec, regardless of whether AH or ESP is used for the session. A Transport Mode SA is a security association between two hosts that provides the authentication and/or encryption service to the higher layer protocol. Only IPSec hosts support this mode of operation. A Tunnel Mode SA is a security association applied to an IP tunnel. In this mode, an outer IP header specifies the IPSec destination and an encapsulated IP header specifies the destination for the IP packet. Both hosts and security gateways support this mode of operation, and it is considered the more secure of the two.

IPSec is controlled specifically by a security policy of both sender and receiver and one or more Security Associations (SAs) negotiated between them. An SA between the sending and receiving parties provides access control based on the distribution of cryptographic keys and traffic management relative to the AH and ESP security protocols. The SA is either one one-way relationship or two one-way relationships in complementary directions. A Security Parameter Index (SPI) uniquely distinguishes each SA from other SAs.
The IPSec security policy consists of a filter list and associated actions. For a successful deployment of IPSec, a scalable, automated SA and key management scheme is necessary. Several protocols have been defined for these functions:
- The Internet Security Association and Key Management Protocol (ISAKMP) defines procedures and packet formats to establish, negotiate, modify, and delete SAs. It also provides the framework for exchanging information about authentication and key management, but it is completely separate from key exchange.
- The Oakley Key Determination Protocol (Oakley) describes a scheme by which two authenticated parties can exchange key information. Oakley uses the Diffie-Hellman key exchange algorithm.
- The Internet Key Exchange (IKE) protocol is the default automated key management protocol for IPSec; it is the result of combining the ISAKMP and Oakley protocols.

Key exchange is closely related to the management of SAs. When you need to create an SA, you need to exchange keys, and IKE is the framework that wraps together all the required pieces and delivers them as an integrated package.

IPSec Components
The key IPSec components are described in the following table (component, then use).

IPSec driver: Monitors, filters, and secures IP traffic.

The Internet Security Association Key Management Protocol (ISAKMP/Oakley): Key exchange and management services to oversee security negotiations between hosts.

IP Policy Agent: Looks for appropriate policies and delivers these policies to the IPSec driver and ISAKMP.

IP Security Policy and Security Association: Defines the security environment in which the two hosts must communicate.

Security Association API: Provides the programming interface that will be used between the IPSec driver, ISAKMP, and the Policy Agent.

Management Tools: Creates policies, tracks IP security statistics, and creates and logs appropriate IP security events.

IPSec Tunnel and Transport Modes


In IPSec Tunnel Mode, one packet is encapsulated or tunneled in another packet, while IPSec Transport Mode secures the packet exchange end-to-end, source to destination. IPSec Tunnel Mode is used primarily for link-to-link packet exchanges between intermediary devices, like routers and gateways, while Transport Mode provides the security service between the two communicating endpoints. Either mode can use ESP or AH packet types. Both modes require that the two clients engage in a complex negotiation involving the IKE protocol and PKI certificates for mutual authentication.

In Transport Mode, both of the end systems must support IPSec, but the intermediate systems do not have to support IPSec because they simply forward packets. Tunnel Mode is intended for gateway-to-gateway links. In Tunnel Mode, the sender encapsulates the entire IP datagram by creating a completely new header. The ESP protocol encrypts the entire original datagram, including the original IP header, and the AH protocol generates a signature for the entire packet, including both the original IP header and the new one. Therefore, the encapsulation and encryption processes create a secure tunnel through an inherently insecure network. In Tunnel Mode, only the gateways providing the security services must support IPSec. The end systems (ultimate source and ultimate destination systems) do not have to support IPSec.

IPSec and Network Address Translation (NAT)


Network Address Translation (NAT) is not compatible with the Authentication Header (AH) protocol, whether used in Transport or Tunnel Mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, which includes both data payload and headers by appending a hash value to the packet. When using the AH protocol, the data payload within the packet is not encrypted.


The compatibility problem stems from the fact that a NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and will complain that the hash value appended to the received packet doesn't match. The VPN device at the receiving end doesn't know about the NAT in the middle, so it assumes that the data has been altered while in transit.

IPSec, using ESP in Tunnel Mode, encapsulates the entire original packet (including headers) in a new IP packet. The new IP packet's source address is the outbound address of the sending VPN gateway, and its destination address is the inbound address of the VPN device at the receiving end. When using the ESP protocol with authentication, the packet contents (in this case, the entire original packet) are encrypted. The encrypted contents, but not the new headers, are signed with a hash value appended to the packet. This mode (Tunnel Mode ESP with authentication) is compatible with NAT, because integrity checks are performed over the combination of the original header plus the original payload, which is unchanged by a NAT device. Transport Mode ESP with authentication is also compatible with NAT, but it is not often used by itself. Since the hash is computed only over the original payload, the original headers can be rewritten.
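The integrity scopes described above and in the Tunnel and Transport Modes section, as an added example that is not part of the course: constructed Python that computes an AH ICV over the immutable IP header fields plus payload, then shows that an ordinary router hop (TTL decrement) still verifies while a NAT rewrite of the source address does not, whereas an ESP Tunnel Mode ICV that covers only the ESP header and the encapsulated inner datagram survives the same rewrite. The key, the addresses, the zero IP checksum, the absence of real encryption and the omitted ESP trailer are simplifications of this example, not of the protocols.

```python
"""Why AH breaks behind NAT while ESP in Tunnel Mode does not.

Added example, not course material. Keys, addresses and packets are all
constructed here. Simplifications: the IP checksum is left at zero, the inner
datagram in the ESP case is not actually encrypted (only the ICV scope matters
for NAT), and the ESP trailer (padding, pad length, next header) is omitted.
"""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_ESP, IPPROTO_AH, IPPROTO_UDP = 50, 51, 17
ICV_LEN = 12                       # HMAC-SHA1-96 truncation used by AH and ESP
AH_LEN = 12 + ICV_LEN              # fixed AH fields plus the ICV
AH_PAYLOAD_LEN = AH_LEN // 4 - 2   # AH "Payload Len" field: 32-bit words minus 2


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left at zero for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def zero_mutable_fields(hdr):
    """AH leaves out fields that legitimately change in transit (TOS, flags and
    fragment offset, TTL, header checksum); the addresses stay in scope."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key, ip_hdr, next_header, spi, seq, payload):
    """ICV over immutable IP header fields + AH (with ICV zeroed) + payload."""
    ah_zeroed = struct.pack("!BBHII", next_header, AH_PAYLOAD_LEN, 0, spi, seq) + bytes(ICV_LEN)
    data = zero_mutable_fields(ip_hdr) + ah_zeroed + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_transport_packet(key, src, dst, spi, seq, payload):
    """Transport Mode AH: original header, then AH, then the untouched payload."""
    hdr = ipv4_header(src, dst, IPPROTO_AH, AH_LEN + len(payload))
    icv = ah_icv(key, hdr, IPPROTO_UDP, spi, seq, payload)
    ah = struct.pack("!BBHII", IPPROTO_UDP, AH_PAYLOAD_LEN, 0, spi, seq) + icv
    return hdr + ah + payload


def ah_verify(key, packet):
    hdr, ah, payload = packet[:20], packet[20:20 + AH_LEN], packet[20 + AH_LEN:]
    next_header, _, _, spi, seq = struct.unpack("!BBHII", ah[:12])
    return hmac.compare_digest(ah_icv(key, hdr, next_header, spi, seq, payload), ah[12:])


def esp_tunnel_packet(key, gw_src, gw_dst, spi, seq, inner_datagram):
    """Tunnel Mode ESP: a new outer header from gateway to gateway; the ICV
    covers the ESP header plus the encapsulated datagram, never the outer header."""
    esp_hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(key, esp_hdr + inner_datagram, hashlib.sha1).digest()[:ICV_LEN]
    body = esp_hdr + inner_datagram + icv
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(body)) + body


def esp_verify(key, packet):
    body = packet[20:]
    esp_hdr, inner, icv = body[:8], body[8:-ICV_LEN], body[-ICV_LEN:]
    expected = hmac.new(key, esp_hdr + inner, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)


def router_hop(packet):
    """An ordinary router only decrements TTL, a mutable field."""
    h = bytearray(packet[:20])
    h[8] -= 1
    return bytes(h) + packet[20:]


def nat_rewrite_src(packet, new_src):
    """A NAT device forwards the packet and replaces its source address."""
    h = bytearray(router_hop(packet)[:20])
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(h) + packet[20:]


KEY = b"constructed-demo-key"   # constructed, not a negotiated session key


def demo():
    """Verify the same two packets after a direct path, a router hop and a NAT."""
    ah_pkt = ah_transport_packet(KEY, "192.168.1.10", "192.168.1.20", 0x1001, 1, b"data")
    inner = ipv4_header("10.0.0.5", "10.0.1.7", IPPROTO_UDP, 4) + b"data"
    esp_pkt = esp_tunnel_packet(KEY, "192.168.1.10", "192.168.1.20", 0x2002, 1, inner)
    return {
        "ah_direct": ah_verify(KEY, ah_pkt),
        "ah_via_router": ah_verify(KEY, router_hop(ah_pkt)),
        "ah_via_nat": ah_verify(KEY, nat_rewrite_src(ah_pkt, "203.0.113.9")),
        "esp_tunnel_via_nat": esp_verify(KEY, nat_rewrite_src(esp_pkt, "203.0.113.9")),
    }


if __name__ == "__main__":
    for path, ok in demo().items():
        print(f"{path}: {'ICV matches' if ok else 'ICV MISMATCH'}")
```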

TASK 6F-1
Assigning Tunneling Protocols
1. In the table provided here, assign the tunneling protocols IPSec, PPTP, L2TP, SSH and Socks v5 to their corresponding OSI layers.

   Layer Number   Name           Protocols
   7              Application    SSH, Socks v5
   6              Presentation
   5              Session        SSH, Socks v5
   4              Transport
   3              Network        IPSec
   2              Data Link      PPTP, L2TP
   1              Physical

Lesson 6: Implementing IPSec and VPNs


Topic 6G
VPN Design and Architecture
VPN configuration is often complex. Conflicts between NAT and IPSec can cause legitimate packets to be refused or dropped. Further, strong authentication of a VPN client is critical: if the client is not strongly authenticated, the enterprise is at risk of an intruder remotely taking control of the client system and gaining an open tunnel into the enterprise network.

One VPN design choice would be to require a personal firewall with built-in intrusion detection on the remote client. The personal firewall would block any inbound communication and, when intrusions are detected, report back to the logging server on the enterprise network. The problem with this design is guaranteeing that the personal firewall software is always present and functional on the client side. Further, how does the enterprise network force a disconnect of the tunnel session? How does it deactivate the user's account?

Designing an IPSec-based VPN solution involves addressing the following objectives:
- Designing an IPSec encryption scheme.
- Designing an IPSec management strategy.
- Designing negotiation policies.
- Designing security policies.
- Designing IP filters.
- Defining security levels.

security level: The combination of a hierarchical classification and a set of non-hierarchical categories that represents the sensitivity of information.

VPN Implementation Challenges


Most organizations experience challenges with rolling out and deploying a VPN. In this section, you will examine some key VPN challenges and guidelines to minimize implementation-related problems. Typical challenges experienced with VPN deployment include:
- Difficulty with centralized management of client policy, configuration, and strong authentication requirements.
- Lack of protocol interoperability (for example, interoperability between NAT, IPSec, and PPTP).
- Complexity of infrastructure.

Specific challenges that an organization may experience in the process of deploying a VPN include:
- Addressing and routing.
- Administration.

Common addressing methods for VPNs include DHCP and NAT address pools. The problem is that NAT and IPSec have had compatibility problems. Some vendors, such as Cisco, are solving the problem by licensing an IPSec-over-UDP client that allows IPSec connections through NAT. The IETF is working to introduce new standards for IPSec and NAT to work together better. According to RFC 2026, established SAs would no longer be bound to IP addresses. Instead, SAs would be controlled via Host Identity Tags (HIT) and Scope Identity fields. Therefore, a VPN client system could conceivably change its IP address using Mobile IP, DHCP, PPP, or even IPv6, and still maintain the same SA with its communication partner. Also, a draft protocol called the Host Identity Protocol (HIP) would be integrated into existing IKE code, allowing IKE to work across NAT devices as well. The IETF is also working on long-term solutions to make NAT and IPSec work together better.

Until new standards are established, the most popular way to overcome the problems of IPSec Tunnel Mode with NAT is to use ESP Transport Mode. This allows the VPN to traverse a NAT device, such as a gateway. However, client authentication cannot be guaranteed, because IP headers are not verified upon receipt. The inability to authenticate communication partners in a VPN tunnel compromises the purpose of IPSec.

The challenge for administration is to make sure that remote VPN clients have installed and configured their VPN software correctly. They also need security mechanisms in place to make sure that the client host is secure against attacks that might use the VPN connection to access the corporate network.

Other VPN challenges include:
- Authentication and key management
- Fault tolerance
- Performance
- Reliable transport
- VPN architecture

TASK 6G-1
Examining VPN-related RFCs
1. Navigate to C:\Tools\Lesson6\RFCs, then open rfc-index.wri.
2. Perform a search using the keyword VPN. You should see RFC 2547 highlighted. RFC 2547 describes a method by which an Internet Service Provider may provide VPNs for its customers.
3. Identify the method used, and then close the file.
4. In C:\Tools\Lesson6\RFCs, scroll down to rfc2547.txt.
5. Scroll down to the third paragraph in section 1.1, and read the definitions for intranet and extranet. Note if these compare to your understanding of these terms.
6. Close all open windows.


Topic 6H
VPN Security
A VPN is not necessarily secure, because a VPN is typically protected by nothing more than a weak password. Sending information over the Internet is not secure, and this has the corporate world concerned, even with the advent of VPNs. In practical terms, information passing over a secure VPN will potentially be routed across several networks that are not under the control of the sender. An important part of any VPN is the encryption that secures the data payload from unauthorized users. Although most VPN solutions delivered today use Triple-DES encryption, there is a widely used, older, weaker type of encryption called DES, or Single-DES. Triple-DES, the type of encryption normally implemented in today's solutions, is much more secure than Single-DES, and has never been broken. That is how safe data passing through a secure VPN is.

Virtually all of the common encryption technologies can be used in a VPN. Most VPN equipment vendors give the user a choice. IT managers can often select anything from the 40-bit built-in encryption offered by Microsoft under Windows 95 to more robust encryption technologies like Triple-DES. VPN vendors support a number of different authentication methods. Many vendors now support a wide range of authentication techniques and products, including Kerberos, tokens, and software- and hardware-based dynamic passwords.

The primary purpose of a VPN is to secure the data in transmission. Four critical functions must be in place to ensure this:
- Data encryption, which ensures that no one who intercepts data as it travels through the Internet can read it. Most solutions delivered today use Triple-DES encryption, which is so strong that it has never been broken.
- Data integrity, which checks each data packet received from the Internet to make sure that it has not been modified during transit.
- User authentication, which ensures that only authorized people can gain access to corporate resources through a VPN. There are many different methods by which users can authenticate themselves, from very basic user name and password authentication to much more secure methods, such as digital certificates, smart cards, SecureID tokens, biometrics, and others.
- Access control, which restricts unauthorized access to the network.

A VPN must secure the data against eavesdropping and tampering by unauthorized parties. Depending on the VPN solution being implemented, there are a few ways to control the type of traffic sent over a VPN session. Many VPN devices allow you to define a user- or group-based filter, which can control the IP addresses and protocol/port services allowed through a tunnel. In addition, IPSec-based VPNs allow you to define a list of networks to which traffic can be passed (Security Associations). The first mechanism allows the administrator to limit access to specific networks, machines, and applications on the network. The second usually provides full connectivity to the private network. Allowing VPN access only in conjunction with strong authentication also prevents an intruder from successfully authenticating to your network, even if they somehow configured or captured a VPN session.

VPNs and Firewalls


Two of the most common configurations for a VPN device providing corporate remote access are to run the VPN device either in parallel to an existing firewall or behind an existing firewall. Terminating VPN sessions in front of a firewall, or on the firewall itself, is not as popular. There are pros and cons for all implementations.

Placing a VPN device in parallel to an existing firewall requires no changes to the existing firewall infrastructure, but it also means that you will have two entry points into your private network. On most VPN devices, you should verify that they block all non-VPN traffic to minimize the additional security risk. Depending on how your network is set up, this will probably also require the VPN device to do some sort of address translation, or to have the ability to redirect this traffic to an existing firewall.

Placing a VPN device behind an existing firewall forces you to make changes to the configuration of your firewall. You will also need a firewall smart enough to be configured with a filter that passes the VPN traffic. Depending on how your network is set up, this may also allow you to make use of only one of the two or more Ethernet ports on your VPN device. This configuration is sometimes known as one-arm routing.

Placing a VPN device in front of your firewall terminates secure traffic in a public zone. You will need to assign addresses to users from a certain block of IP addresses and open a large hole in the firewall for access from these IP addresses. A potential advantage of doing this is that you could then use your existing firewall to control the destination of traffic, but most VPN boxes will also allow you to do this. This type of application may make more sense for trading-partner connectivity than for remote access users.

Implementing a VPN on an existing firewall adds some intense processing to a device whose original purpose was, simply speaking, to control network access. Some people like the simplicity of adding a service to an existing device on the network perimeter.

The use of encryption adds some overhead to a session. Most VPN devices, whether hardware- or software-based, can process encryption for connections up to 10Base-T speeds. On a lower-speed connection like a modem, VPN processing is much faster than the delays introduced by the limited bandwidth. Often, performance is affected more by packet loss and latency on bad Internet connections than by the encryption overhead.

A VPN client typically establishes a connection with a VPN server using either L2TP over IPSec or PPTP. Keep in mind the following information related to PPTP, as it may be required for defining packet filters for VPN traffic on firewall systems:
- TCP port 1723 allows PPTP tunnel maintenance traffic to move from the PPTP client to the PPTP server.
- IP protocol type 47 allows the PPTP tunneled data to move from the PPTP client to the PPTP server.


The following information may be required for defining packet filters for L2TP over IPSec VPN traffic on firewall systems:
- UDP port 500 allows the Internet Key Exchange (IKE) traffic to reach the VPN server.
- UDP port 1701 allows L2TP traffic to move from the VPN client to the VPN server.
- IP protocol ID 50 allows IPSec ESP traffic to move from the VPN server to the VPN client.

At the rewall, typically all L2TP traffic, including tunnel maintenance and tunneled data, is encrypted as an IPSec ESP payload. Figure 6-11 depicts ports and protocols associated with tunneling protocols.
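As an added example (not from the book), the following Python block encodes the PPTP and L2TP-over-IPSec filter entries listed above as rules and evaluates constructed sample packets against them. The VPN server address is a made-up placeholder. It shows two details a practitioner writing the real firewall rules needs to get right: GRE (protocol 47) and ESP (protocol 50) have no port, so their rules match on the IP protocol number alone, and every rule is anchored to the VPN server address, so permitting those protocols does not open them to every host behind the firewall. Anything not matched falls through to default deny.

```python
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers referenced by the text (47 = GRE, 50 = ESP) plus TCP and UDP.
TCP, UDP, GRE, ESP = 6, 17, 47, 50

# Hypothetical VPN server address used to anchor the rules (constructed placeholder).
VPN_SERVER = "203.0.113.10"


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None   # GRE and ESP carry no transport port


@dataclass(frozen=True)
class Rule:
    proto: int
    dport: Optional[int]          # None means the rule matches on protocol alone
    note: str


# The ports and protocol numbers listed in the text, one rule each.
PPTP_RULES = [
    Rule(TCP, 1723, "PPTP tunnel maintenance, client to server"),
    Rule(GRE, None, "PPTP tunneled data (IP protocol 47)"),
]
L2TP_IPSEC_RULES = [
    Rule(UDP, 500, "IKE"),
    Rule(UDP, 1701, "L2TP (only visible where ESP has already been removed)"),
    Rule(ESP, None, "IPSec ESP (IP protocol 50)"),
]


def matches(rule: Rule, pkt: Pkt) -> bool:
    if rule.proto != pkt.proto:
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(rules, server: str, pkt: Pkt) -> Optional[str]:
    """Return the note of the first permitting rule, or None for default deny.

    A packet is considered only if the VPN server is one of its endpoints, so that
    opening GRE or ESP for the VPN does not open those protocols to the whole network.
    """
    if server not in (pkt.src, pkt.dst):
        return None
    for rule in rules:
        if matches(rule, pkt):
            return rule.note
    return None


def demo() -> dict:
    rules = PPTP_RULES + L2TP_IPSEC_RULES
    samples = {  # constructed traffic samples
        "pptp_control": Pkt("198.51.100.5", VPN_SERVER, TCP, 1723),
        "pptp_gre": Pkt("198.51.100.5", VPN_SERVER, GRE),
        "ike": Pkt("198.51.100.5", VPN_SERVER, UDP, 500),
        "esp_reply": Pkt(VPN_SERVER, "198.51.100.5", ESP),
        "web_to_vpn": Pkt("198.51.100.5", VPN_SERVER, TCP, 80),
        "gre_elsewhere": Pkt("198.51.100.5", "203.0.113.20", GRE),
    }
    return {name: evaluate(rules, VPN_SERVER, p) is not None for name, p in samples.items()}


if __name__ == "__main__":
    for name, permitted in demo().items():
        print(f"{name:14s} {'permit' if permitted else 'deny'}")
```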

Figure 6-11: Ports and protocols associated with tunneling protocols.

VPN Authentication
In general, user authentication is based on the following principle: an entity has authenticating knowledge (what you know), possesses an authenticating device (what you have), or exhibits a required physiological characteristic (what you are). Strong authentication requires that at least two of the three factors be demonstrated. VPN authentication protocols, which operate at the Data Link layer, include:
- Password Authentication Protocol (PAP). PAP is a weak method of authentication, as it uses a cleartext authentication scheme.
- Challenge Handshake Authentication Protocol (CHAP). CHAP does not transmit the actual password and is a stronger authentication protocol than PAP. With CHAP, remote clients respond to a challenge from a network access server with a Message Digest 5 (MD5) hash of their credentials.
- Shiva Password Authentication Protocol (SPAP). SPAP is used in mixed environments that support the Shiva Local Area Network Rover software.
- Extensible Authentication Protocol-Transport Level Security (EAP-TLS). EAP-TLS is a Microsoft implementation of a strong authentication method that uses public key certificates.
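The difference between PAP and CHAP is easiest to see by looking at what each puts on the wire. The following Python block is an added example, not code from the book; it implements the CHAP response computation from RFC 1994 (MD5 over identifier, secret and challenge) together with a minimal authenticator, and builds a PAP request for comparison. The user name and secret are constructed sample values, and the `rng` parameter is an assumption of this example so that a test can supply a fixed challenge. The authenticator keeps one outstanding challenge per peer and discards it after use, which is what stops a captured response from being replayed.

```python
import hashlib
import hmac
import os

# Constructed credential store: user name -> shared secret (CHAP never sends it).
SECRETS = {"alice": b"correct horse battery staple"}


def pap_request(user: str, password: bytes) -> bytes:
    """PAP Authenticate-Request: the password itself travels in the clear."""
    return b"PAP " + user.encode() + b":" + password


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapAuthenticator:
    """Network access server side of CHAP with one outstanding challenge per peer."""

    def __init__(self, secrets, rng=os.urandom):
        self.secrets = secrets
        self.rng = rng            # injectable so the exchange can be made deterministic
        self.pending = {}         # user -> (identifier, challenge)
        self.next_id = 1

    def challenge(self, user: str):
        ident = self.next_id & 0xFF
        self.next_id += 1
        chal = self.rng(16)       # fresh random challenge each time
        self.pending[user] = (ident, chal)
        return ident, chal

    def verify(self, user: str, ident: int, response: bytes) -> bool:
        entry = self.pending.pop(user, None)   # single use: a replayed response fails
        if entry is None or entry[0] != ident or user not in self.secrets:
            return False
        expected = chap_response(ident, self.secrets[user], entry[1])
        return hmac.compare_digest(expected, response)


def chap_exchange(server: ChapAuthenticator, user: str, secret: bytes) -> dict:
    """Run one CHAP exchange and report what an eavesdropper on the wire would see."""
    ident, chal = server.challenge(user)
    resp = chap_response(ident, secret, chal)
    wire = b"CHAP " + bytes([ident]) + chal + resp        # challenge and response only
    ok = server.verify(user, ident, resp)
    replay_ok = server.verify(user, ident, resp)          # same response presented again
    return {"ok": ok, "replay_ok": replay_ok, "secret_on_wire": secret in wire}


def demo() -> dict:
    server = ChapAuthenticator(SECRETS)
    good = chap_exchange(server, "alice", SECRETS["alice"])
    bad = chap_exchange(server, "alice", b"wrong guess")
    pap = pap_request("alice", SECRETS["alice"])
    return {
        "chap_good": good["ok"],
        "chap_bad": bad["ok"],
        "chap_replay": good["replay_ok"],
        "chap_secret_on_wire": good["secret_on_wire"],
        "pap_secret_on_wire": SECRETS["alice"] in pap,
    }


if __name__ == "__main__":
    print(demo())
```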


The IPSec authentication scheme for both AH and ESP uses the Hash-based Message Authentication Code (HMAC), which relies on a secret key shared between the two parties, rather than on public key methods, for message authentication. The generic HMAC procedure can be used with just about any hash algorithm, although IPSec specifies support for at least MD5 and Secure Hash Algorithm 1 (SHA-1) because of their widespread use. In HMAC, both parties share a secret key. The secret key is combined with the hash algorithm in a way that provides mutual authentication while preventing the key from ever being transmitted on the line. IPSec key management procedures manage key exchanges between the two parties via Security Associations (SAs).
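To show what "combined with the hash algorithm" means in practice, the following Python block is an added example (not from the book) that implements HMAC exactly as RFC 2104 defines it, with the inner and outer padding constants, the zero-padding of the key to the hash block size and the pre-hashing of over-long keys. It checks itself against the first test vector from RFC 2202 for both HMAC-MD5 and HMAC-SHA-1 and against the standard library, then truncates the result to 96 bits as IPSec's HMAC-MD5-96 and HMAC-SHA-1-96 transforms do. The key and message in `demo()` are constructed sample values.

```python
import hashlib
import hmac


def hmac_rfc2104(key: bytes, message: bytes, hashfunc) -> bytes:
    """HMAC per RFC 2104: H((K xor opad) || H((K xor ipad) || message))."""
    block_size = hashfunc().block_size        # 64 bytes for both MD5 and SHA-1
    if len(key) > block_size:                 # keys longer than a block are hashed first
        key = hashfunc(key).digest()
    key = key.ljust(block_size, b"\x00")      # then zero-padded to exactly one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashfunc(ipad + message).digest()
    return hashfunc(opad + inner).digest()


def ipsec_icv(key: bytes, message: bytes, hashfunc) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-1-96: IPSec carries only the first 96 bits (12 bytes)."""
    return hmac_rfc2104(key, message, hashfunc)[:12]


def verify_icv(key: bytes, message: bytes, hashfunc, received: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak timing information."""
    return hmac.compare_digest(ipsec_icv(key, message, hashfunc), received)


def demo() -> dict:
    # RFC 2202 test case 1 for each algorithm.
    md5_key, sha1_key, data = b"\x0b" * 16, b"\x0b" * 20, b"Hi There"
    key = b"shared secret from the SA"       # constructed
    msg = b"ESP payload bytes"               # constructed
    long_key = b"k" * 100                    # longer than the 64-byte block
    tag = ipsec_icv(key, msg, hashlib.sha1)
    return {
        "md5_vector_ok": hmac_rfc2104(md5_key, data, hashlib.md5).hex()
        == "9294727a3638bb1c13f48ef8158bfc9d",
        "sha1_vector_ok": hmac_rfc2104(sha1_key, data, hashlib.sha1).hex()
        == "b617318655057264e28bc0b6fb378c8ef146be00",
        "matches_stdlib": hmac_rfc2104(key, msg, hashlib.sha1)
        == hmac.new(key, msg, hashlib.sha1).digest(),
        "long_key_ok": hmac_rfc2104(long_key, msg, hashlib.md5)
        == hmac.new(long_key, msg, hashlib.md5).digest(),
        "icv_len": len(tag),
        "tampered_detected": not verify_icv(key, msg + b"!", hashlib.sha1, tag),
        "wrong_key_detected": not verify_icv(b"other key", msg, hashlib.sha1, tag),
    }


if __name__ == "__main__":
    print(demo())
```

The two halves of the construction are why the shared key never has to cross the wire: the receiver recomputes the same 96-bit value from its own copy of the key, and any change to the message or a mismatched key produces a different tag.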

Key Length
Data is transmitted securely in a VPN by using industry-standard IPSec tunneling, encryption services using DES and 3DES, and MD5 and SHA-1 for message authentication. IPSec creates private end-to-end pipes, or tunnels, through the IP network, connecting the designated VPN sites to each other. Unauthorized access to the information is prevented by the encryption and authentication services that are applied. Encryption systems depend on two mechanisms to guarantee data confidentiality. The encryption algorithm provides the mathematical rules that convert the plaintext message to a random-looking ciphertext message. The algorithm provides steps for converting the plaintext message with an encryption key, a block of alphanumeric data that introduces the random element into the ciphertext message. The longer the secret key is, the more time it takes for an attacker to test all possible values of the key and determine the plaintext content of the message. In other words, data that will be of value to an attacker for a long time should be encrypted with longer keys.

TASK 6H-1
Viewing Firewall-related RFCs
1. Navigate to C:\Tools\Lesson6\RFCs and open rfc-index.wri.
2. Perform a search using the keyword firewall. If you keep clicking Find Next, you will see many hits. Stop when you see RFC 2979 highlighted. RFC 2979 describes the behavior of and requirements for Internet firewalls.
3. Close the file.
4. Navigate to C:\Tools\Lesson6\RFCs and open rfc2979.txt in Notepad.
5. Scroll down to the second paragraph in section 3.1.1, and read the transparency rule for firewalls.
6. Close all open windows.


Topic 6I
Configuring a VPN
Built into Windows 2003's Routing And Remote Access Service (RRAS) is a single, integrated service that terminates connections from either dial-up or Virtual Private Network (VPN) clients. With RRAS, your Windows 2003 Server can function as a remote access server, a VPN server, a gateway, or a branch-office router. You can give users ready access to the network through the Internet by implementing a VPN, thereby greatly reducing direct dial-up costs. Windows 2003 VPNs can be created using either PPTP or L2TP.

In this topic, you will build a VPN, and the tasks will require three computers. One computer will be configured as the internal resource, a simple FTP site. The second computer will be the VPN Server, and this machine will require two network cards. One of the cards on this server will be the connection to the private network, and the other will be the connection to the remote client. The third computer will function as the network client, the one making the access via the VPN. The computers will be called: VPN Server, Internal Server, and VPN Client.

About the Tasks


In this task, you will work in pairs, with one student configuring the VPN Server and the other configuring the VPN Client. The Internal Server is a simple web page, or FTP site, hosted on the instructor computer as part of the internal network.

TASK 6I-1
Configuring the VPN Server
Note: Complete this task only if you are designated as the VPN Server.
Note: The VPN Server in these tasks requires a second network card. This can be an integrated or non-integrated network card. Upon completion of the VPN tasks, this second network card can be either removed or disabled for the remainder of the class.
1. Enable the second network card on the server.
2. Assign the second network card the following IP Address information:
   IP: 10.0.10.x (replace x with your seat number)
   SM: 255.255.255.0
   DG: This can be left blank
3. Open a command prompt and verify your NIC and IP Address configuration by entering the command ipconfig /all


4. Verify that you have one NIC with an address of 172.16.x.x or 172.18.x.x based on your location in the classroom. Your second NIC has an address of 10.0.10.x based on your location in the classroom. Write down your 172.16.x.x address as your Internal NIC and your 10.0.10.x address as your External NIC.
5. Choose Start→Administrative Tools→Configure Your Server Wizard.
6. At the Welcome screen, click Next.
7. Verify you have met the requirements at the Preliminary Steps screen, and click Next. The system will now detect your network settings and configuration.
8. Select the Custom Configuration radio button, and click Next.
9. Select the Remote Access / VPN Server, and click Next.
10. In the Summary Of Selections, verify that you are going to run the Routing and Remote Access Server to set up routing and VPN, then click Next. The RRAS Wizard will open at this time.
11. At the RRAS Setup Wizard, click Next.


12. Select the Virtual Private Network (VPN) Access and NAT radio button, and click Next.

13. Select your VPN Network adapter. In this task, this is the NIC that you have assigned the 10.0.10.x IP address to.

14. Leave the Basic Firewall check box checked, and click Next.


15. Select your internal network for the clients to connect to, and click Next.

16. In the IP Address Assignment screen, select the From A Specified Range Of Addresses radio button and click Next.
17. In the Address Range Assignment screen, click the New button.
18. These are the IP Addresses of the internal network. Enter a small range, based on your seating in the classroom, click OK, verify your addresses are correct, and click Next.


19. At the Network Selection window, select the network that has access to the Internet, and click Next. This is usually the same network as your internal resource network.

20. At the Name & Address Translation Services window, leave the default of basic name and address services, and click Next. If your system does not show this window, continue to the next step.
21. Review the Address Assignment Range, and click Next. If your system does not show this window, continue to the next step.
22. For this lesson, you will authenticate locally, so leave the No, Use RRAS To Authenticate Connection Requests radio button selected, and click Next.
23. Review your settings, and click Finish. (If you get a prompt to configure relaying of DHCP messages, click OK.)


24. The Remote Access / VPN Server will now start. Click Finish.

25. Close the Manage Your Server window.

VPN Clients
Generally, the configuration on the client side of the VPN is minimal. The client needs to know how to make the connection, and needs proper credentials to authenticate and use the VPN. In the following task, you will prepare the VPN Server to accept VPN clients.

TASK 6I-2
Configuring VPN Clients
Setup: Complete this task if you are designated as the VPN Server.
1. Choose Start→Administrative Tools→Computer Management.
2. Expand Local Users And Groups (under System Tools).
3. Right-click Users and choose New User.
4. In the User Name text box, type VPN1, and enter and confirm a password of QWERTY1. Uncheck the box to change password at next logon, and click Create.
5. Click Close. One client account is enough for testing purposes.
6. Double-click the new VPN1 user account, and click the Dial-in tab.

7. Select the Allow Access radio button and click OK.
8. Close the Computer Management window.
9. Choose Start→Administrative Tools→Routing And Remote Access.
10. Expand your server_name and click Remote Access Policies.
11. Right-click Remote Access Policies, and choose New Remote Access Policy.
12. In the New Remote Access Policy Wizard, click Next.
13. Leave the Use The Wizard To Set Up A Typical Policy For A Common Scenario radio button selected.
14. In the Policy Name text box, type VPN_Policy_1 and click Next.
15. In the Access Method window, select the VPN radio button and click Next.
16. In the User Or Group Access window, select the User radio button and click Next.
17. For the Authentication Method, ensure that only MS-CHAPv2 is checked, and click Next.


18. For the Policy Encryption Level, only check the box for Strongest Encryption (MPPE 128-bit) and click Next.

19. Review the settings for this policy, and click Finish.

Establishing the VPN


The following task requires steps on both the VPN Server and the VPN Client computers. The VPN Client will connect to the VPN Server, receive an IP Address, and join the private network. The VPN Server will verify that the connection is active, and the VPN Client will then access a resource located on the Internal Server. To take the VPN exercise a step further, if there is enough time in the class, create a resource server in addition to the VPN Client and VPN Server for the VPN Client to connect to. In the following task, the FTP Server is designed to be running on the instructor machine, in the middle segment.


TASK 6I-3
Establish the VPN
The Instructor machine requires a resource for the VPN client to connect to. Enable the FTP Service on your machine, and use that for your students. If your class has enough time, run a packet capture on each machine to perform a packet analysis of the connection and FTP site access.

Note: Perform step 1 through step 15 on the VPN Client.
1. Open the TCP/IP Properties of your network card.
2. Edit the IP Address to be a node on the 10.0.10.X/24 network. You can replace the X with your seat number.
3. Close the properties of your network card.
4. Open a command prompt, and enter ipconfig to verify your IP Address configuration.
5. Choose Start→Control Panel→Network Connections→New Connection Wizard.
6. In the New Connection Wizard, click Next.
7. Select the Connect To The Network At My Workplace radio button and click Next.
8. Select the Virtual Private Network Connection radio button and click Next.


9. In the Company Name text box, type SCP VPN and click Next.
10. Enter the IP Address that is assigned to the External NIC of the VPN Server, and then click Next.
   Note: The external IP Address is the one in the 10.0.10.x range.
11. Select the My Use Only radio button and click Next.
12. To complete the creation of the new connection, click Finish.
13. In the screen to connect to the SCP VPN, in the User Name field, type VPN1; in the Password field, type QWERTY1; and then click Connect.

14. Open a command prompt, and enter ipconfig /all



15. Note that you have been assigned an IP Address from the VPN Server, and that the IP Address is part of the Internal network.

Note: Perform step 16 through step 19 on the VPN Server.
16. Choose Start→Administrative Tools→Routing And Remote Access.
17. Expand your Server name.
18. Click Remote Access Clients.
19. In the right pane, double-click the connection to see the IP Address that was assigned, and other statistics.

Note: Perform step 20 through step 24 on the VPN Client.
20. In the command prompt, enter ftp 172.17.10.1 (If your instructor changed the IP Address of the Internal Server, use the address as provided.)
21. Enter anonymous as the username with no password.
22. Once connected, enter dir to list the contents of the FTP site.
23. When done browsing the FTP site, enter bye to end the session.
24. Close all windows.

Returning the Classroom Setup to its Original State


To ensure the remaining tasks in this course work properly, the VPN implementation lab must be torn down, and the classroom environment returned to its original state. Be sure not to skip this quick section.

TASK 6I-4
Restoring the Classroom Setup
1. On the VPN Server, choose Start→Administrative Tools→Configure Your Server Wizard.
2. In the Welcome Screen, click Next.
3. In the Preliminary Steps Wizard, click Next.
4. Click Remote Access / VPN Server, and click Next.
5. Check the Remove The Remote Access/VPN Server Role check box and click Next.
6. At the prompt that you are disabling the router, click Yes.
7. When the VPN Server Role has been removed, click Finish.
8. Disable the External NIC on the VPN Server.
9. Open a command prompt, and ensure that you are only running the Internal NIC with the 172.x.x.x address by entering ipconfig

Note: Perform step 10 through step 14 on the VPN Client.
10. On the VPN Client, choose Start→Connect To→Show All Connections.
11. Right-click the SCP VPN connection, and choose Delete.
12. In the confirmation prompt, click Yes.
13. Open the properties of your NIC and return the IP Address to your original configuration (the 172.x.x.x address), then click OK.
14. Close all windows.

Summary
In this lesson, you worked with a Microsoft Management Console (MMC). You configured an MMC and viewed the default, or built-in, IPSec policies. You then created custom IPSec policies, and implemented and tested them. You also took a first look at implementing filter lists and experimented with a couple of authentication methods: preshared keys and certificates.

Lesson Review
6A What are the two protocols in IPSec that are used to protect network traffic?
The Encapsulating Security Protocol (ESP) and the Authentication Header (AH).

What are the two main modes of implementation for IPSec?
Transport Mode and Tunnel Mode.

If you are going to set up a VPN with IPSec, what mode will you probably use?
Tunnel Mode.

6B What are the three default IPSec policies in Windows 2003?
Server (Require Security), Server (Request Security), and Client (Respond Only).

What integrity algorithms are supported in Windows 2003 IPSec?
MD5 and SHA-1.

What encryption algorithms are supported in Windows 2003 IPSec?
DES and 3DES.

6C What authentication methods are supported in the Windows 2003 implementation of IPSec?
Kerberos, Certificates, and Preshared Keys.

What are the default key lifetimes?
A new key is generated for every 100 MB of data exchanged between the two IPSec devices or every 15 minutes, whichever is earlier.

6D When would ESP's integrity check be most usefully employed?
When implementing IPSec in Tunnel Mode. ESP's integrity check at the tunnel endpoint will ensure the integrity of the payload (including the encapsulated packet, internal IP headers, and all other data). Using filters, it is possible to explicitly control IPSec traffic.

6E Describe all of the key components of a VPN.
VPN server, VPN client, tunnel, VPN connection, tunneling protocols, tunneled data, and transit network.

Identify the key VPN tunneling protocols.
PPTP, L2TP, and IPSec.

6F What are the differences between the tunneling protocols PPTP and L2TP?
PPTP uses separate channels: a control stream that runs over TCP, and a data stream that runs over GRE. L2TP uses UDP. PPTP is generally associated with Microsoft, and Microsoft uses MPPE for encryption. L2TP uses IPSec for encryption.

What are the differences between IPSec Tunnel and Transport Modes?
In IPSec Tunnel Mode, one packet is encapsulated or tunneled in another, while IPSec Transport Mode secures the packet exchange end-to-end, source to destination. IPSec Tunnel Mode is used primarily for link-to-link packet exchanges between intermediary devices like routers and gateways. Transport Mode provides the security service between the two communicating endpoints.

What is a Security Association (SA)?
A Security Association (such as ISAKMP) determines which algorithms will be used for the session, how the key exchange will take place, and how often keys will need to change.

What are the two types of SAs?
Transport Mode SA and Tunnel Mode SA.


How does IKE relate to ISAKMP and Oakley?
ISAKMP defines procedures and packet formats to establish, negotiate, modify, and delete SAs. It also provides the framework for exchanging information about authentication and key management, but it is completely separate from key exchange. Oakley describes a scheme by which two authenticated parties can exchange key information. Oakley uses the Diffie-Hellman key exchange algorithm. IKE is the result of combining the ISAKMP and Oakley protocols.

6G Identify key design issues related to IPSec VPNs.
IPSec encryption scheme, IPSec management strategy, negotiation policies, security policies, IP filters, and security levels.

Identify specific challenges associated with VPN implementation.
Difficulty with centralized management of client policy, configuration, and strong authentication requirements; lack of protocol interoperability (for example, interoperability between NAT, IPSec, and PPTP); complexity of infrastructure; addressing and routing; and administration.

6H What is PAP? What is CHAP? Briefly describe the differences between them.
PAP and CHAP are both authentication protocols. PAP uses cleartext authentication, while CHAP relies on encryption mechanisms.

Describe the security issues related to having a VPN server in front of the firewall (exposed to the Internet connection) or having a VPN server (in the DMZ) behind the firewall.
By placing a VPN device in front of your firewall, you will be terminating secure traffic in a public zone. You will need to assign addresses to users from a certain block of IP addresses and open a large hole in the firewall for access from these IP addresses. A potential advantage to doing this would be that you could then use your existing firewall to control the destination of traffic, but most VPN boxes will also allow you to do this. By placing a VPN device behind an existing firewall, you will need to change the configuration of your firewall. You will also need a firewall smart enough to be able to configure a filter to pass the VPN traffic. Depending on how your network is set up, this may also allow you to make use of only one of the two or more Ethernet ports on your VPN device.

If a VPN server is using PPTP, which ports would you need to provide access through a firewall system?
TCP port 1723 allows PPTP tunnel maintenance traffic to move from the PPTP client to the PPTP server. IP protocol type 47 allows the PPTP tunneled data to move from the PPTP client to the PPTP server.


Which ports are associated with L2TP and a VPN?
UDP port 500 allows the Internet Key Exchange (IKE) traffic to access the VPN server. UDP port 1701 allows L2TP traffic to move from the VPN client to the VPN server. IP protocol ID 50 allows IPSec ESP traffic to move from the VPN server to the VPN client.

What are security vulnerabilities of a VPN? What technologies can be used with a VPN to make it more secure?
Key management is a critical security vulnerability of a VPN. PKI technologies can be used with a VPN to make it more secure.

6I What is the encryption standard supported by Microsoft's implementation of PPTP?
MPPE.

What are the transport protocols used by PPTP and L2TP?
PPTP uses TCP, and L2TP uses UDP.


Lesson 7: Designing an Intrusion Detection System

Overview
In this lesson, you will be introduced to the concepts surrounding one of the areas critical to the defensive network protection scheme: the Intrusion Detection System. This system, in conjunction with the firewall technologies in place, is the basis for a very solidly defended network. The Intrusion Detection System will be used to detect when an intruder is attempting penetration of the network or tampering with the firewalls.

Data Files: none
Lesson Time: 2 hours

Objectives
To design an Intrusion Detection System, you will:
7A Examine the goals of Intrusion Detection Systems. Given the components of Intrusion Detection Systems, you will describe how the components interact to accomplish the goals of intrusion detection.
7B Describe the technologies and techniques of intrusion detection. Given a scenario of users in a network, you will examine the process of intrusion detection and how behavioral use is implemented in the IDS.
7C Describe host-based IDSs. Given a network of connected hosts, you will describe how host-based IDSs identify an intrusion.
7D Describe network-based IDSs. Given a network of connected hosts, you will describe how network-based intrusion detection systems identify an intrusion.
7E Examine the principles of intrusion detection data analysis. Given an example signature of an incident, you will examine the concepts and methods of data analysis.
7F Describe the methods of using an IDS. Given network scenarios, you will identify multiple uses of IDS for detection of, monitoring of, and anticipation of attacks.
7G Define what an IDS cannot do. Given a network situation, you will identify the functions an IDS cannot complete.


Topic 7A
The Goals of an Intrusion Detection System
As the months and years go by, security professionals have an increasingly difficult task of keeping the network secure. What makes this job so difficult? Is it the fact that there are more threats than ever? Perhaps, but there is more to it than that. Is it the fact that there are more people on the Internet year after year? It contributes, but there is more to it than that, too.

As you build complex interconnected networks, where partners from the outside require access to the inside, where you have employees telecommuting, and where you have internal connections to external suppliers, the problem grows. It is the very nature of the industry to be even more connected. This connection comes with a price: the extreme difficulty in securing the network.

In order for networks to continue to grow and be functional, there must be a certain degree of trust built into the systems. However, on top of the level of trust, there must be verification of this trust. The method most often employed by organizations these days is a solid Intrusion Detection System (IDS). The three general components of network security from a need perspective are shown in Figure 7-1.

Figure 7-1: Components of network security.

Most security analysts and professionals are at least familiar with these concepts. Over the last 30 years or so, most organizations had focused the vast majority of their time, energy, and budget on prevention. The logic seemed obvious: if it were possible to stop the majority of threats from getting in, then the network could be reasonably secured. Then came the networks of today. These complex, interconnected networks do not have this clear-cut boundary, where the goal is to keep the bad people out and the good people in. Reliance on the perimeter defense of a firewall alone is no longer adequate. Perhaps even more of an issue is the fact that most organizations do not have systems in place to detect the very attacks that can lead to financial loss. This again proves that the firewall defense is not enough. The ability to detect intrusion through the defenses is critical to the overall security of the network.

What is Intrusion Detection?


Before you can get into a detailed definition of intrusion detection, let's return briefly to the standard network defense system. The common method for protecting the network is to follow the layered defense policy. While this is a solid base to network security, it does have its limitations.


A common analogy to this problem is to investigate the castle structure (or fortress structure) of centuries ago. As you discussed earlier, the fortress would have a large, thick stone wall surrounding the main structure. There would perhaps be a large moat on the outside of the wall, with only a large drawbridge as an entrance. This presented a solid defense, and there are many instances recorded of a small group of soldiers holding off many times the number of attackers. The question then arises: if the defense was so strong, why did the fortress model fade away?

The attackers got smarter. They realized that attacking the front door was effective at times, but the losses could be enormous to gain entry. The attackers also realized that the soldiers inside the fortress seemed to be getting new supplies, but no one was seen going through the front door. This indicated a hidden door elsewhere, as was often the case. This hidden back door would be the key to the attackers capturing the fortress. What is the solution to the back door? Many in the fortress assumed the back door was secure, and with all the fighting on the front, there were few resources left to guard the hidden entrance. The swarming attackers, once inside, would seize the fortress from the inside out, and quickly overwhelm the one soldier left there to guard this door. Had solid intrusion detection systems been in place, odds are that the fortress would not be so quick to fall.

Although this is a fun analogy (except for the soldiers!), it is quite correct. Today's modern networks are well guarded with firewalls. But there needs to be a way to know if someone is trying to get through a side door, a hole in the firewall, or if people on the inside of the firewall need monitoring. The solution of adding layers may help with the defense, but as layers are added, the function of the network often suffers. It becomes more tedious to allow a single connection through from a remote supplier when there are five layers to navigate.

This is where intrusion detection comes in. By itself, intrusion detection will not prevent access to resources. However, it is a method to use in identification of criminal activity, assistance in gathering evidence, and, perhaps most importantly, indication of attacks in progress. Intrusion detection is the process of detecting and responding to computer and/or network misuse. Throughout this lesson, you will be introduced to the different options of detection and the ways to define misuse. Some of the questions you will need to answer are:
What constitutes an intrusion?
What is our definition of detection?
What is our definition of misuse?
How will we define a false-positive?
How will we define a false-negative?


Some Intrusion Detection Definitions


As you get further into this lesson, you need to be aware of some of the common IDS terms and their definitions. There are many definitions of IDS terms; the ones that follow are intended to give you a basic level of understanding. This is not intended to be a complete glossary, but the terms that are required for this lesson and the discussion of IDSs are listed in the following table.

Term: Definition
Intrusion: Unauthorized access to, and/or activity in, an information system.
Misuse: Improper use of resources inside the organization, regardless of intention.
Intrusion detection: The process of detecting unauthorized access or attempted unauthorized access to resources.
Misuse detection: The process of detecting unauthorized activity that matches known patterns of misuse.
Anomaly detection: The process of detecting any variations from acceptable network use and activity, based on known patterns of use.
Vulnerability scanners: The process of examining systems to locate problems or areas that could indicate security vulnerabilities.
Security vulnerabilities: A feature or error found in system software or system configurations that provides a method of entry for an attacker, or provides for an opportunity for misuse.

Some of the groups that you might want to research for further definitions and standards on IDS are: the Recent Advances in Intrusion Detection (RAID) group, the Intrusion Detection Sub-Group (IDSG) of the President's National Security Telecommunications Advisory Committee (NSTAC), and the Intrusion Detection Systems Consortium (IDSC).

The IDS Matrix


Figure 7-2 is an interesting true-false matrix showing the relationship between IDS configurations and alarms going on or off in response. Very simply put, any IDS has to be trained to look for trouble, by programming in one or more signatures, where a signature can be considered a representation of patterns of traffic or behavior that spells trouble.


Figure 7-2: The classic true-false matrix of IDS.

Think of a police officer who has just pulled over a car. The officer walks over and asks the driver for his license and registration. The driver starts to reach into his jacket. To a trained officer, this is a signature action representative of someone reaching for a handgun. According to the training the officer has received, an alarm should go off in his head. He should yell at the driver to freeze, and then very firmly order the driver to step out and search him for a handgun. Now, in the above scenario, if the officer does discover a handgun, it is representative of a true-positive. If there is no handgun, it is representative of a false-positive.

Let's change the scenario a bit. If the officer is not trained well, the action of the driver reaching into his jacket will not be seen as a signature action of someone reaching for a handgun. According to the training the officer has received, no alarms go off in his head. He doesn't yell at the driver to freeze. You might say here that the officer has been inadequately programmed. In this changed scenario, the officer does not see the action of the driver reaching into his jacket as a threat, and if the driver simply pulls out his license and registration from his jacket, it is representative of a true-negative. However, if the driver does pull out a handgun, it is a false-negative!

As much as most of us would want to live in a world of the true-negative, it is unfortunately not the case. There are large numbers of true-positives (still OK) and many false-positives that you have to put up with. Then there is the complacent but dangerous world of false-negatives.

To summarize:
If the configuration of signatures is done right for the environment that the IDS is in, the state of the IDS is TRUE.
If the configuration of signatures is not done right for the environment that the IDS is in, the state of the IDS is FALSE.
If the alarms go off as programmed, it's said to be POSITIVE.
If the alarms do not go off as programmed, it's said to be NEGATIVE.

Given the previous analogy with respect to an IDS, you can define the states in the following table.

State: Description
True-positive: The event when an alarm is indicating an intrusion when there is an actual intrusion.
False-positive: The event when an alarm is indicating an intrusion when there is no actual intrusion.
True-negative: The event when an alarm does not occur and there is no actual intrusion.
False-negative: The event when an alarm does not occur when an actual intrusion is carried out.

IDS Components
An IDS in a network of today is a group of processes working together, and, in virtually every case, these processes are on different computers and devices across the network. The very nature of an IDS has grown from its rather simple name. Today's IDS is much more than a detection of intrusion. Most IDSs will have the abilities to do one or more of the following:
Recognition of patterns associated with known attacks.
Statistical analysis of abnormal traffic patterns.
Assessment and integrity checking of defined files.
Monitoring and analysis of user and system activity.
Network traffic analysis.
Event log analysis.

Although the systems vary from vendor to vendor, these features of IDSs have similar requirements for implementation. These components are generic, meaning that most IDS applications will have these in one form or another.

The Command Console


The command console is where the IDS is monitored and managed. It maintains control over the IDS components, and the console should be accessible from any location. Generally, the command console will maintain open channels between network sensors over encrypted paths, and is a dedicated machine.

The Network Sensor


Network sensors are programs that run on network devices or dedicated machines, or both, on essential network segments. The network sensors may be defined as agents, and they are often configured in promiscuous mode. Sensor placement is critical in the network because there could be thousands of targets that need monitoring. When all networks used hubs, you could place a sensor on any port of the hub, since all traffic is sent out from all ports of a hub, and the tap could detect any anomalous traffic. However, the conversion to switches changed this. Switches send traffic only to the correct host, and so a tap may miss communication on a switch. To address this issue, a common configuration technique is to use switches that have an expansion port on them (much of the newer networking equipment has this), and connect the IDS to this expansion port. These ports are known as Switched Port ANalyzer (SPAN) ports. SPAN ports can be configured by the security professional to mirror all switch transmissions so that the single port can be used by the IDS to monitor designated traffic.

The Network Tap


The network tap is a hardware device that sits on the network, can be rack mounted, and, to the untrained eye, can appear to be a hub or a switch. As part of an IDS, the network tap, which has no IP address, sniffs network traffic and sends an alert when an intrusion is detected. Having a network tap in your network-based IDS will make the overall system more secure, as attacking the hardware device is not an effective technique for the vast majority of attackers. Although widely considered a solid tool in your IDS arsenal, there are design issues you will have to overcome for proper tap deployment. Network taps require the monitoring of two data streams, for the two directions of your full duplex network traffic. Although you will be able to monitor your network's traffic using two streams, this might present a cumbersome solution for your environment. Newer products are designed to combine the two streams so that you will need only one connection from the tap to monitor all traffic.

Alert Notification
Alert notification is the portion of the system that is responsible for contacting the incident handler. Modern IDSs can provide alerts via many options such as pop-up windows, audible tones, paging, email, and Simple Network Management Protocol (SNMP).

SNMP: (Simple Network Management Protocol) Software used to control network communications devices using TCP/IP.

Realistic Goals of IDS


Although there are varied goals for intrusion detection from organization to organization, there are two that can generally be counted on being present. The two general goals, aside from the initial detection itself, are response and accountability.

The IDS Response


When discussing the response of an IDS, one must recognize first what it is. A response is the end result of an IDS analyzing data. The end result is a result calling for action. The action is what must be defined.
Exercise caution in determining the level of response to incidents. Aggressive or offensive responses may open up the organization to serious legal issues. It is suggested that legal counsel is consulted during response decisions.

The most common response is not quite as exciting as many security professionals would like: it is a simple entry placed in the log file. Even though the log file entry does not have the glamour of a Hollywood intrusion response, it may turn out to be the most useful. The log file report has the data that many organizations will use in determining the overall IT security budget. Other responses can include a trigger that will issue a call to the security architect's pager, or even a pop-up window or email message. During an attack, the response can also be the ability to have the network modify itself. A command may be issued to change or block port numbers, or to disable services. This response during an attack can prove to be the vital element that keeps the network from compromise.


Accountability
Having the response options is a valuable portion of all IDSs and should be configured as part of the network security policy, but many systems must provide proper accountability as well. This accountability provides the option to trace the misuse event or intrusion to the responsible party. Accountability is one of the hardest tasks in implementing an IDS, given that users change systems and attacks can come from spoofed sources. This is a critical step in the overall protection of a network, however, and this becomes even more evident in the event that the organization pursues legal avenues against an attacker. Ideally, the accountability system will enable the Security Professional to locate not only the computer used in the attack, but its physical location and, if possible, the user who initiated the attack.

TASK 7A-1
Describing Alarms
1. Describe the differences between a false-positive alarm and a false-negative alarm.
A false-positive is when an alarm indicates an intrusion when there is no actual intrusion. A false-negative is when an alarm does not occur when an actual intrusion is carried out.

Topic 7B
Technologies and Techniques of Intrusion Detection
Now that you are armed with the basics of intrusion detection, let's build on your new knowledge. The next step is to investigate the technologies and techniques commonly associated with IDSs.


The Intrusion Detection Process


To further define how IDS functions, let's examine a case with IDS in action. In this example, you will look at a system in an Ethernet network with the sensor running in promiscuous mode, sniffing packets off the local segment.
1. A host creates a network packet. So far, nothing is known other than a packet exists that was sent from a host in the network.
2. The sensor on the network reads the packet in real time off the network segment. This sensor needs to be placed so it can read the packet.
3. The detection program in the sensor matches the packet with known signatures of misuse. When a signature is detected, an alert is generated, which is sent to the command console.
4. The command console receives the alert, and in turn notifies the designated person or group of the detection. (The alert is done via a predefined method: email, pop-up window, page, and so on.)
5. The response is created in accordance with the programmed response for this matching signature.
6. The alert is logged for future reference, either locally or in a database.
7. A summary report is created with the incident detailed.
8. The alert is viewed with other historical data to determine if there is a pattern of misuse or to indicate a slow attack.

promiscuous mode: Normally, an Ethernet interface reads all address information and accepts follow-on packets only destined for itself, but when the interface is in promiscuous mode, it reads all information (sniffer), regardless of its destination.


Figure 7-3: A visual example of the IDS process. Figure 7-3 is only one example of the potential process of the IDS. As you progress through this lesson, you will see different processes.

Behavioral Use
For the system to generate the correct response in the correct situation, it must be programmed with starting data. The starting data is where misuse is defined (along with alerts and response techniques). If the system is expected to determine misuse, then the individual who programs this data needs to know how the organization defines misuse.


A starting point for this process is to determine the network activity that the IDS will attempt to deal with. The following diagrams illustrate the various steps in determining use, both acceptable and unacceptable. Figure 7-4 shows all the uses of a network.

Figure 7-4: All of the uses of the network.

In Figure 7-5, you can see that a basic clarification between acceptable and unacceptable use has been made, according to the security policies that are applicable to the usage categories. (Only some of the options that the security policy may cover are included in this example.) The security policy for this organization might include the following:
No users are allowed to telnet to remote hosts.
Users can open only the files they are allowed to open.
Users can access network printers only in their allocated areas.
Users can execute only those applications they have been granted access to use.


Figure 7-5: The dividing line between acceptable and unacceptable use of resources.

In order to meet these policy requirements, you must divide network and resource access into acceptable and unacceptable use. At this point, you have categorized resource use to define what is considered acceptable and unacceptable. This is a generalization for the entire network, with the given that there will be exceptions made for specific users. From this diagram, you can see that the dividing line specifies that telnet is unacceptable, as is opening of unauthorized files, trying to execute applications without permission to do so, or attempting to use unauthorized network printers.

Once this dividing line has been created, the rules for the IDS can be implemented. This is where the task increases, as the number of signatures of known attacks and intrusions is the limitation. If the company has unique applications, the IDS must be made aware of the corresponding signatures. Remember, an IDS can only do what it is told to do, just like any other component of the network.

Although the line in our example is a nice solid line between acceptable and unacceptable, in reality there are times when the line is not so clear. Crossing over the line is when false signals might be sent, as shown in Figure 7-6. In other words, if something that the policy has identified as acceptable has not been entered into the IDS, and therefore is not known to it as acceptable, the IDS might send an alarm indicating an incident. This is known as a false-positive. False-positives take time and energy, and as much as possible they should be minimized by proper policy making and data entry in the IDS.

A false-negative, on the other hand, is more than lost time and energy. In fact, a false-negative does not equate to lost time and energy, since no one is aware that the condition happened. In other words, a false-negative is when an incident should cause an alarm, but it does not. This is a serious issue, and those responsible for the IDS of an organization need to be sure that the policies created, and the rules implemented, minimize the opportunities for false-negatives to occur.


Figure 7-6: False situations, both positive and negative.

Since, in reality, the dividing line is not so clear, it becomes important for the security professional to be aware of the applications running and the current security policies of the organization. The same security professional needs to be made aware of any unusual activity that might take place in the network. For example, if the organization has recently hired 20 new Help Desk users, their trainer might be showing them various options and situations in the network, such as what it looks like to attempt access to unauthorized files, or to attempt to log on as a different user. The security professionals in the network need to know this is happening, so that their response is correct for the situation.
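As an added example (not from the course text), the following Python encodes the four policy rules of Figure 7-5 as IDS signatures, applies a per-user exception of the kind the Help Desk training scenario calls for, and scores a constructed event stream with the true-positive, false-positive, true-negative and false-negative states of Topic 7A. The user names, file paths, printer names, the hd-trainer account and the ground-truth labels are all constructed for the example.

```python
"""Policy-derived misuse signatures scored with the IDS true/false matrix.

Constructed example: the policy data, user names, paths and labels below are
made up to illustrate the behavioral-use discussion; they are not course data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    user: str
    action: str         # "telnet", "open_file", "print", "exec", or anything else
    target: str         # remote host, file path, printer name or application
    is_intrusion: bool  # ground truth, used only for scoring (constructed label)


# The security policy of Figure 7-5, entered into the IDS as data.
AUTHORIZED_FILES = {"alice": {"/data/sales.xls"}, "bob": {"/data/eng.doc"}}
AUTHORIZED_APPS = {"alice": {"excel"}, "bob": {"gcc", "vim"}}
USER_AREA = {"alice": "sales", "bob": "eng"}
PRINTER_AREA = {"prn-sales-1": "sales", "prn-eng-2": "eng"}

# Per-user exceptions entered into the IDS so known-acceptable activity does not
# alarm, e.g. the Help Desk trainer who demonstrates denied file access on purpose
# (hypothetical account name).
EXCEPTIONS = {("hd-trainer", "open_file")}

# Each signature is a predicate over one event; dictionary order sets precedence.
SIGNATURES = {
    "telnet-to-remote-host": lambda e: e.action == "telnet",
    "unauthorized-file": lambda e: (e.action == "open_file"
                                    and e.target not in AUTHORIZED_FILES.get(e.user, set())),
    "unauthorized-printer": lambda e: (e.action == "print"
                                       and PRINTER_AREA.get(e.target) != USER_AREA.get(e.user)),
    "unauthorized-application": lambda e: (e.action == "exec"
                                           and e.target not in AUTHORIZED_APPS.get(e.user, set())),
}


def match(event, exceptions=EXCEPTIONS):
    """Return the name of the first matching signature, or None for no alarm."""
    if (event.user, event.action) in exceptions:
        return None
    for name, predicate in SIGNATURES.items():
        if predicate(event):
            return name
    return None


def outcome(alarm, intrusion):
    """Map one event to a cell of the true/false matrix of Figure 7-2."""
    if alarm:
        return "true-positive" if intrusion else "false-positive"
    return "false-negative" if intrusion else "true-negative"


def ids_matrix(events, exceptions=EXCEPTIONS):
    """Count the four outcomes over a labelled event stream."""
    counts = {k: 0 for k in ("true-positive", "false-positive",
                             "true-negative", "false-negative")}
    for e in events:
        counts[outcome(match(e, exceptions) is not None, e.is_intrusion)] += 1
    return counts


# Constructed event stream with ground-truth labels.
EVENTS = [
    Event("alice", "telnet", "10.0.0.7", True),             # policy forbids telnet
    Event("alice", "open_file", "/data/sales.xls", False),  # her own file
    Event("bob", "open_file", "/data/sales.xls", True),     # another user's file
    Event("bob", "print", "prn-sales-1", True),             # printer outside bob's area
    Event("alice", "exec", "excel", False),                 # permitted application
    Event("carol", "exec", "word", False),                  # new hire not yet entered: acceptable, unknown to the IDS
    Event("hd-trainer", "open_file", "/etc/shadow", False), # trainer demonstrating a denied access
    Event("mallory", "copy", "/data/eng.doc", True),        # no signature covers this action
]

if __name__ == "__main__":
    for e in EVENTS:
        print(f"{e.user:10} {e.action:10} {e.target:18} -> {match(e)}")
    print("with exceptions:   ", ids_matrix(EVENTS))
    print("without exceptions:", ids_matrix(EVENTS, exceptions=set()))
```

The carol event is the page's false-positive case (acceptable by policy, not yet entered into the IDS), the mallory event is the false-negative case (no signature exists for the action), and removing the exception set turns the trainer's demonstration into a second false-positive.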

Information Collection and Analysis


As you begin to work with the tools available to you, you will need to become comfortable with data collection and analysis. In this section, you will not go into significant detail on the headers and data content; that will be addressed elsewhere. Instead, you will discuss the concepts of data collection and the concepts of data analysis. With all the sources available to work with, an intimidating problem can arise quickly for the security professional working on the IDS of an organization. Some of the many questions that will arise are:
What is to be collected?
What data is to be discarded?
What is to be identified in the data that is collected?
Once I do identify certain things in the data, are they good, bad, or neutral?


We previously defined an intrusion as anything from threats, to theft, to misuse, but now you must define analysis. What actually is analysis? Although there might be many different meanings, in this discussion you will identify analysis as the concept of organizing and categorizing data according to the security policies present for the network. The analysis must identify the intrusions as previously defined. These intrusions, then, are the actual data collected. They can be about a user, a node, an IP address, or any other given variable, again meeting the requirements of the policy.

In order to begin the analysis process, there must first be an analysis system in place. The analysis system can be as simple as reading a single log file at night, or as complex as multiple IDSs submitting data to an external database for future data mining. Regardless of the scale of the system, there are certain variables that must be met, and all systems have these in common. These are the ability to generate the initial data, categorize the data based on given rules, and process the data once organized.

The collection of the data will be identified by the IDS, based on the rule set in place for the policy. This data collection can be either user misuse of resources, actual data theft, denial of service, or any of the types of data you have discussed that might be part of the IDS. Once the data has been collected, it must be organized in a usable format. This categorization can generally be defined by the cause of alarm and filed accordingly. Two general categories that are commonly used are Misuse Of Resources and Threats. It is also common to organize the data by the type of signature present. If the attack was of a known signature, such as a Ping of Death DoS attack, it can be classified as such. By organizing the data using these known signatures, the analysis phase can be a more efficient process, as the data is in the order of attack.
Remember, not all misuse detection is a threat.

TASK 7B-1
Discussing IDS Concepts
1. What are the differences between misuse and intrusion?
Misuse can occur if a user has access to a resource but uses that resource for a purpose not intended by the owner of that resource. However, if a user does not have access to a resource but gains access by subverting the network's or resource's security, or by any other devious means, this is considered intrusion.

2. Describe behavioral use in terms of an IDS.
First, categorize all network and resource usage into a set. Then, divide network and resource access into two categories, acceptable and unacceptable use, based on policies that have been agreed to. This is a generalization for the entire network, with the given that there will be exceptions made for specific users. Over a period of time, look for patterns of usage of these resources to build a database of behavioral use.

Topic 7C
Host-based Intrusion Detection
Now that the fundamental issues of intrusion detection have been covered, you will examine the actual options for implementation. In this topic, you will detail the host-based IDS. Host-based IDS is where the data that will be analyzed is generated by hosts (computers) in the network. This system has many variables in data collection, since the source is so varied. A host-based system can be collecting data from application logs, such as Web servers. At the same time, it is collecting data from operating system logs. Because the system is host based, it is generally quite good at detecting internal misuse of resources. The event logs of each host can generate data on files accessed, by whom, on what date, and at what time. This provides excellent tracking data of misuse, and in the event of compromise, evidence of the attack.

Host-based IDS Design


Host-based IDS uses what are known as agents (also called sensors). These agents are small programs running on the hosts, and they communicate with the command console (remember, this is the central computer controlling the IDS). There are two basic forms of design of the host-based IDS: centralized and distributed. One difference to keep in mind as you go through the steps of each is that centralized design requires the data from the host to be sent to the command console for analysis, and distributed design states that the host will analyze the data in real time and send only alert notifications to the command console.

Centralized Host-based IDS Design


As mentioned, a centralized design dictates that the data will be collected by the host and sent over the network to the command console for analysis. Because the data is gathered and sent from the host, there is no significant performance drop on the hosts, or agents. However, there also is no possibility of real-time detection and response.


The following steps highlight the process of centralized design, and are shown in Figure 7-7.
1. The host detects that an event has happened (such as opening a file, or logging on to a user account).
2. The event is written as an event record.
3. The record is written to a secured file on the host.
4. At a predefined time, the host sends its records to the command console over the network, using a secured (encrypted) link.
5. The command console receives the records and submits the data to the detection engine.
6. The detection engine analyzes the data for known signatures.
7. The command console generates a log of its work as a data archive.
8. If an intrusion is detected, the command console generates an alert, and the programmed notification is used. The security professional receives the notification.
9. A response to the alert is created. The response used by the console has been previously programmed by the security team for this type of intrusion event. The alert is stored in a secured database.
10. The data used for generating the alert is archived.
11. The console generates a report of the alert activities.
12. Long-term analysis is used to determine if this alert is part of a bigger intrusion.

Figure 7-7: Centralized host-based IDS example.


Distributed Host-based IDS Design


The primary difference between centralized and distributed host-based IDS is where the detection engine and analysis take place. In the distributed design, the agents of hosts are the ones that perform the analysis. There is a significant advantage to this method. The intrusion data can be monitored in real time. The flip side to this is that the hosts themselves can experience a performance drop, as their computer is engaged in this work constantly. The following steps highlight the process of distributed design, and are shown in Figure 7-8.
1. The host detects that an event has happened.
2. The event is processed in real time in the detection engine, and is analyzed for known signatures.
3. If an intrusion is detected, a notification is sent. (Some vendors have the host generate the notification; others have the command console generate the notification.)
4. A response to the intrusion is created. This can be from the host or console.
5. The alert of the intrusion is created and sent to the console, where it is archived.
6. Long-term analysis is used to determine if this is part of a bigger intrusion. (The analysis can consist only of alert data, so it might be limited.)

Figure 7-8: Distributed host-based IDS example.

386

Tactical Perimeter Defense

TASK 7C-1
Describing Centralized Host-based Intrusion Detection
1. Describe where and how data is collected in a centralized host-based IDS.
1. The host detects that an event has happened.
2. The event is written as an event record.
3. The record is written to a secured file on the host.
4. At a predefined time, the host sends its records to the command console over the network, using a secured (encrypted) link.
5. The command console receives the records and submits the data to the detection engine.
6. The detection engine analyzes the data for known signatures.
7. The command console generates a log of its work as a data archive.
8. If an intrusion is detected, the command console generates an alert, and the programmed notification is used. The security professional receives the notification.
9. A response to the alert is created. The response used by the console has been programmed by the security team for this type of intrusion event. The alert is stored in a secured database.
10. The data used for generating the alert is archived.
11. The console generates a report of the alert activities.
12. Long-term analysis is used to determine if this alert is part of a bigger intrusion.

Topic 7D
Network-based Intrusion Detection
The concepts and implementation of the host-based IDS might lead you to believe that it is the best way to run your IDS. This might not be the case. Although there are advantages to running a host-based system, it does not suit every situation or meet every need. If you require the IDS in your organization to analyze the actual TCP/IP traffic, then network-based IDS is your choice. The IDS in a network-based design is such that it will sniff the packets off the wire. Hardware devices, such as switches and routers, can also be programmed to send this data directly to the IDS. A significant difference between host- and network-based IDS is the actual location of the agents. In host-based IDS, the agents, or sensors, are placed directly on the hosts. In network-based IDS, the source of the detection is often placed so that it can sense the external traffic, or the intrusion attempts from the outside. This allows the network-based system to detect what the host-based normally cannot, such as a DoS.


Another example of a difference between these two implementations would be the detection of attempted access to a system by an attacker. Suppose, for a moment, that an attacker breaks into the network and attempts to log in to a host. The host-based system will not report, or have the ability to identify, anything until the actual login request happens. The network-based system will identify the pattern of the request itself, before (ideally) the attacker has successfully logged in.

Network-based IDS Design


The physical layout of the network-based IDS is such that sensors are installed in key positions throughout the network, and they all report to the command console. In this case, the sensors are full detection engines that have the ability to sniff the packets, analyze for known signatures, and notify the console with an alert if an intrusion is detected. There are two basic forms of design of network-based IDS: traditional and distributed. The traditional design uses sensors in promiscuous mode, sometimes called network taps. The distributed design employs agents throughout the network to sense network traffic that is destined for the host itself.

Traditional Network-based IDS Design


Traditional design of network-based IDS uses sensors in the network. A sensor is a host that is configured to run the IDS software and is usually a stand-alone computer. Further, each specific host (sensor) has a network card (and software) installed that can run in promiscuous mode, to sniff the network traffic. The packets are then fed directly into the detection engine, where analysis can happen. The general theory on sensor placement is that there should be one on each critical segment of the network. The alarms generated are then sent to the command console. This design is depicted in Figure 7-9. The following steps highlight the process of the traditional design:
1. A network packet is sent from one host to another in the network (this can include a packet from the Internet to a firewall).
2. The packet is pulled off the network in real time by the network sensor, which is generally positioned between the two communicating hosts.
3. The packet is processed in real time in the detection engine, and is analyzed for known signatures.
4. If a signature match is detected, an alert is created and forwarded to the command console.
5. The security professional is notified of the alert.
6. A response to the alert is created. The response used by the console has been programmed by the security team for this type of intrusion event.
7. The alert is archived for later analysis, and a report of the incident is created.
8. Long-term analysis is used to determine if this is part of a bigger intrusion.


Figure 7-9: Traditional network-based IDS example.

Distributed Network-based IDS Design


Despite the effectiveness of the traditional design in collecting network packets, it is susceptible to packet loss on network segments. A variation of the traditional design was introduced to address this situation: the distributed design. In the distributed design, a sensor is installed on each host in the network, instead of on each segment of the network. The sensors then communicate with each other in the event of an intrusion, and use the command console as a center of operations, and for alarms. As you might imagine, this type of design has led to much confusion on the distinction between network- and host-based IDS. What you must realize is that the location of the sensor, or agent, is not the determining factor in what type of design is implemented. If the IDS is running on each computer and those computers are analyzing tasks of the operating system, then it is host-based. If the IDS is running on each computer and those computers are analyzing the packets with the Ethernet device, then it is network-based. This is important to remember, specifically when dealing with IDS vendors. Be sure that if you buy a commercial product, you get exactly what you want. The process is depicted in Figure 7-10. The following steps highlight the process of the distributed design:
1. A network packet is sent from one host to another in the network (this can include a packet from the Internet to a firewall).
2. The packet is pulled off the network in real time by the network sensor on the individual host.
3. The packet is processed in real time in the detection engine, and is analyzed for known signatures.
4. If a signature match is detected, an alert is created and forwarded to the command console.
5. The security professional is notified of the alert.
6. A response to the alert is created. The response used by the console has been programmed by the security team for this type of intrusion event.
7. The alert is archived for later analysis, and a report of the incident is created.
8. Long-term analysis is used to determine if this is part of a bigger intrusion.

Figure 7-10: Distributed network-based IDS example.

TASK 7D-1
Discussing Sensor Placement
1. Is the location of the sensor the determining factor in deciding if the IDS is host-based or network-based? Explain your response.
No. If the IDS is running on each computer and those computers are analyzing intrusion attempts on the operating system, then it is host-based. If the IDS is running on each computer and those computers are analyzing the packets with the Ethernet device, then it is network-based.
2. Describe the process of a traditional network-based IDS.
1. A network packet is sent from one host to another in the network (this can include a packet from the Internet to a firewall).
2. The packet is pulled off the network in real time by the network sensor, generally positioned between the two communicating hosts.
3. The packet is processed in real time in the detection engine, and is analyzed for known signatures.
4. If a signature match is detected, an alert is created and forwarded to the command console.
5. The security professional is notified of the alert.
6. A response to the alert is created. The response used by the console has been programmed by the security team for this type of intrusion event.
7. The alert is archived for later analysis, and a report of the incident is created.
8. Long-term analysis is used to determine if this is part of a bigger intrusion.


Topic 7E
The Analysis
In the previous topic, you examined the processes of the different types of IDS implementation. One common point in all of them was the analysis of data once it has been collected. In this topic, you will look into the analysis process itself.

When to Analyze
After the agents, or sensors, have been set in place, the timing of analysis must be defined. While this might be part of the architecture chosen, it is worth noting the options and their strong and weak points.

Interval Analysis
This method of analysis uses the internal operating system (or other host-based) audit logs to capture the events, and the IDS, at given intervals, analyzes the data in the logs for signatures of intrusion. Using this method of analysis is effective in organizations where the perceived threat is low and the potential loss from a single attack is high, such as a very well-guarded server that holds the organization's most secret data. Those running this type of analysis are more concerned with the data collected and accuracy than with speed. The data collected in this case is often, if secured properly, used in legal proceedings during criminal prosecution. Another strong point of interval analysis is that there is less of a burden placed on the individual hosts to perform the analysis, since it is not in real time. And, this type of analysis is a benefit to organizations that are not large enough to have a full-time employee or consultant watching for intrusion signatures. On the other hand, there are weaknesses to this type of analysis. An incident is usually not identified until after it has occurred, which presents obvious problems. Because the analysis is in intervals, the ability to notice and respond to an incident quickly, or as it is happening, is close to nonexistent. Additionally, if the hosts that are running the analysis do not have sufficient disk space to hold the events, problems can occur.

Real-time Analysis
As an alternative to interval analysis, there is real-time analysis. This involves, as the name implies, data being analyzed for signatures as it is collected. Real-time analysis runs continuously: collecting, analyzing, reporting, and responding (if programmed to do so). Do not misunderstand the term real-time to mean same-time. An event cannot be countered the exact moment it happens. However, the concept behind real time is such that an attack should be dealt with as it is happening, and if the system knows the signature, stop the attack before it can complete and compromise a host.


This type of analysis has the ability to respond in real time, via the methods previously discussed (email, pages, and even telephone calls). The real-time nature of this analysis means that security professionals can respond while an attack is underway, and stop it. An additional benefit to real-time analysis is that hosts can be recovered quickly in the event of a compromise, because there is no need to wait for the analysis to find out what has been compromised. However, just as there are benefits, there are weaknesses to this type of analysis. One of the more critical weaknesses might be the extra resources used by the hosts. More memory and processing will be required. Because the systems can be programmed to provide an automated response, this must be planned carefully. Unless you can guarantee that the system will analyze the data correctly, and respond as expected, the automatic response needs to be considered cautiously. A response of disconnecting a distribution partner over the Internet due to an error in analysis could be very costly.
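One way to keep an automated response from causing the kind of damage just described, as an added example that is not code from the course: the IDS may block on its own only when the alert is high-confidence, corroborated, and not aimed at a business partner; everything else is routed to the security professional. The partner address block, thresholds, and alert fields are constructed for the example.

```python
"""Gating an IDS's automated response.

Added example, not code from the course. The IDS blocks unattended only when an
alert is high-confidence, corroborated by earlier alerts from the same source,
and not about a business partner; otherwise a person is notified and decides.
Partner ranges, thresholds, and alert fields are constructed."""
from ipaddress import ip_address, ip_network

# Constructed: the distribution partner's address block, never blocked automatically.
PARTNER_NETWORKS = [ip_network("203.0.113.0/24")]
AUTO_BLOCK_CONFIDENCE = 0.90   # minimum signature confidence for an unattended block
CORROBORATING_ALERTS = 3       # alerts from the same source before the IDS may act alone


def decide_response(alert, prior_alerts_from_source):
    """Return ("block", reason) or ("notify", reason) for one alert.

    alert: {"src": str, "signature": str, "confidence": float between 0 and 1}
    prior_alerts_from_source: how many earlier alerts named the same source.
    """
    src = ip_address(alert["src"])
    if any(src in net for net in PARTNER_NETWORKS):
        return "notify", "source is a partner address; a person must decide"
    if alert["confidence"] < AUTO_BLOCK_CONFIDENCE:
        return "notify", f"confidence {alert['confidence']:.2f} is below the auto-block threshold"
    seen = prior_alerts_from_source + 1
    if seen < CORROBORATING_ALERTS:
        return "notify", f"only {seen} alert(s) from this source; waiting for corroboration"
    return "block", f"{alert['signature']} from {alert['src']} corroborated {seen} times"


if __name__ == "__main__":
    # Constructed alerts: the partner case and an outside source seen several times.
    print(decide_response({"src": "203.0.113.10", "signature": "syn-flood", "confidence": 0.99}, 10))
    print(decide_response({"src": "198.51.100.7", "signature": "syn-flood", "confidence": 0.95}, 4))
```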

How to Analyze
You have discussed the methods of when to have the IDS analyze data, but it is just as critical to determine how the analysis is going to happen. Again, this might be part of the architecture of the design, but the individual points must be described.

Signature Analysis
The common element that most IDS products have in common is signature analysis. The signature is a known event or pattern of events that corresponds to acknowledged or known attacks. These signatures can be very simple to detect, like a flood of ICMP requests to a given server, or much more subtle, like a failed login request on a server three times in a week from an external source. Signature analysis is the process of matching the known attacks against the data collected in the network. If there is a match, then that is a trigger for an intrusion, and an alarm might be the result. Most commercial IDS vendors have a list of known signatures, much like the antivirus industry. The big difference is that the majority of the antivirus companies have lists of over 20,000 known signatures for viruses and Trojan horses, and these companies can react very quickly, and have the signatures uploaded to websites for users to download. By way of comparison, an IDS might have only a few hundred signatures to use. The users of the IDS are then left to download further signatures when they are available, or analyze the data and create their own signatures.

An Example Signature
Although the signatures that an IDS uses can be complex, you can use parts of a signature to illustrate how the analysis works. Suppose that the data displayed in Figure 7-11 is collected by the IDS.


Figure 7-11: An example of data collected by an IDS.
If this signature was not in the database of known signatures to the IDS, the security professional running the IDS should still be able to identify the attack. Let's perform a brief analysis of this data. You can identify that the source address is 172.168.30.23. You would check the IP address to see if there is any historical data regarding this IP address. The IDs are sequential, corresponding to the time of the event. This indicates a very fast event, as all IDs are less than one second apart (the event starting at 8:52:52 and ending at 8:52:53). The destination port tells us the source is running a scan to see what hosts have a telnet server running. The scan covers the entire network of IP addresses, 1 through 254. Our brief analysis of this event, then, is: At 8:52:52, the network 192.168.10.0/24 was scanned to see which computers were running telnet servers. The scan concluded at 8:52:53. The likelihood that the source IP address was spoofed is low, because the attacker would need the scan to return data on hosts running telnet. Because none of the computers scanned run telnet, the risk from this event, individually, is low. There is no historical data to indicate previous activity from this source IP address. However, it is now recorded that there is intrusion activity from 172.168.30.23, and future attempts will be correlated with this data. The previous example illustrates the process of analyzing signatures. The IDS can only detect the signatures it is aware of; other activity will need to be identified by the professionals using the system.

Statistical Analysis
A common scientific method, not often implemented in commercial IDS products, but worth discussing, is statistical analysis. The basic concept of statistical analysis is to find a deviation from a known pattern of behavior. Using this method, an IDS would create profiles of user behavior. Examples of the types of behavior might include login times, amount of time on the network, and the amount of bandwidth used.


profile: Patterns of a user's activity which can detect changes in normal routines.

This data is then described as the normal usage of this profile. When an event happens that is not in the normal usage pattern, a possible intrusion is the result. The usual example of this would be login times. If a user has consistently logged in only between 8:30 A.M. and 6:30 P.M. for the last year, and that account tries to log in at 2:00 A.M., a possible intrusion is happening, and an alert would be issued.
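The profile described above, as an added example that is not code from the course: a year of constructed weekday logins (8:30 A.M. to 6:30 P.M.) is summarized into an hour-of-day profile and a bandwidth mean and standard deviation, and a new event is checked against it, so that the 2:00 A.M. login, or an unusually large transfer, is reported as a deviation. The history, thresholds, and field layout are constructed.

```python
"""Statistical analysis: a behaviour profile for one user account.

Added example, not code from the course. It builds the kind of profile the text
describes (login times and bandwidth used) from a year of constructed history and
flags an event that deviates from it, such as the 2:00 A.M. login above."""
import statistics
from collections import Counter
from datetime import datetime, timedelta

# Constructed history: weekday logins between 8:30 A.M. and 6:30 P.M. for one year,
# each paired with the megabytes the session transferred.
START = datetime(2003, 1, 1)
HISTORY = [
    (START + timedelta(days=d, hours=8 + d % 11, minutes=30), 100.0 + (d % 7) * 10)
    for d in range(365)
    if (START + timedelta(days=d)).weekday() < 5
]


def build_profile(history, min_history=30):
    """Summarize (login_time, megabytes) pairs into the account's normal usage.

    Refuses to build a profile from too little history, because a deviation
    from a profile of a handful of logins means nothing."""
    if len(history) < min_history:
        raise ValueError(f"need at least {min_history} logins, have {len(history)}")
    by_hour = Counter(t.hour for t, _ in history)
    megabytes = [mb for _, mb in history]
    return {
        "logins": len(history),
        "hour_share": {h: n / len(history) for h, n in by_hour.items()},  # fraction of logins per hour
        "mb_mean": statistics.fmean(megabytes),
        "mb_stdev": statistics.pstdev(megabytes),
    }


def check_event(profile, login_time, megabytes, hour_floor=0.01, z_limit=3.0):
    """Return the reasons an event deviates from the profile; [] means normal."""
    reasons = []
    # An hour that accounts for less than hour_floor of historical logins is "not normal".
    if profile["hour_share"].get(login_time.hour, 0.0) < hour_floor:
        reasons.append(f"login at {login_time:%I:%M %p} is outside the account's usual hours")
    # Bandwidth is judged by how many standard deviations it sits above the mean.
    if profile["mb_stdev"] > 0:
        z = (megabytes - profile["mb_mean"]) / profile["mb_stdev"]
        if z > z_limit:
            reasons.append(f"{megabytes:.0f} MB is {z:.1f} standard deviations above normal")
    return reasons


def flag_login(when, megabytes, profile=None):
    """Convenience wrapper: `when` as 'YYYY-MM-DD HH:MM'; defaults to the constructed profile."""
    profile = profile or build_profile(HISTORY)
    return check_event(profile, datetime.strptime(when, "%Y-%m-%d %H:%M"), megabytes)


if __name__ == "__main__":
    print(flag_login("2004-01-06 10:00", 120))   # within profile: []
    print(flag_login("2004-01-06 02:00", 120))   # the 2:00 A.M. login from the text
    print(flag_login("2004-01-06 10:00", 2000))  # normal hour, abnormal bandwidth
```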

TASK 7E-1
Discussing Data Analysis
1. Which type of data analysis is often used as the method of analysis for legal proceedings involving IDSs? Interval analysis.

Topic 7F
How to Use an IDS
In this topic, you will be introduced to the different methodologies of intrusion detection. While there are no methods set in stone, this topic attempts to outline several examples for you to use in the future. These detailed intrusion examples include DoS, network sweeps, and internal misuse of resources.

Detection of Outside Threats


One of the issues of ever-increasing trouble for networks is Denial of Service attacks. When attackers choose to block service without attempting network penetration, it can be a difficult problem to solve.
penetration: The successful unauthorized access to an automated system.

Imagine the following scenario: It is 4:40 P.M. on Friday. You are about to go home and enjoy the weekend. You hear your incoming mail sound, and look at the new message: "Incoming ICMP packets, lots of them." You are not going home after all. You begin your investigation. It seems the ICMP packets have been detected as a Denial of Service attack. You have seen this before, and are familiar with the signs. As you investigate further, you realize it is more than a simple ping attack. It seems to be a Distributed Denial of Service. The IDS is alarming with signs of attack from 101 distinct IP addresses. You continue to dig, as you read the log files, and it turns out that although there are 101 addresses listed, they all register to the same local ISP. By now, you're thinking, "I hope Saturday afternoon will be nice." The pings pause for a minute. "Unusual," you think. It is almost like the attacker did not enter enough packets to maintain the high DDoS attack. About 10 minutes later, it starts again. You have been on the phone this entire time with your ISP trying to get them to block ICMP requests.


Back to the log files, where you see the attacks coming from the same group of nodes. The attacker must have re-entered the script, perhaps this time with a higher count. Now, your ISP is noticing, and they indicate they will open a ticket to investigate. Back to the log files, where further investigation confirms the IP addresses used are all in the same block from the same local ISP. You get on the phone to the local ISP. They are helpful and willing to work with you to locate the offending IP addresses. They confirm that those addresses are all in their range. Since the local ISP is only a few miles away, and the IP addresses in question are all local, you are thinking the attacker must have targeted your network on purpose, and you are not the victim of a random DDoS. On the other hand, your organization has not lost a verifiable amount of money over the attack so far, so FBI involvement will probably not be needed. The local ISP administrator is helpful and works with you on locating a source. The pings stop again. Even though they went longer this time, they still stopped. Again, there is a pause in the action for a while, and it picks up again. Back to the log files. Again, you find 101 addresses in the attack. The local ISP administrator calls to tell you there is no news yet. Late into the night, you decide to leave and come back in the morning. Returning in the morning, you turn to the log files. The log files indicate that the attacks continued throughout the night, 101 addresses every time, yet each attack running only for 10 minutes. You dump the logs into a database for analysis, and you decide to see which addresses were involved in each attack. This turns out to be the break you were looking for. In the data logs, it turns out that only three IP addresses were involved in every attack. Working with the local ISP, you identify that two of the addresses are dial-up accounts and rarely on. The third is a DSL user who is always connected.
You suspect this user is the culprit. Although the local ISP will not reveal the identity of the user to you, they have helped you as much as you could hope for. Now, you are on to internal research. You begin by combing through the current employee list and checking for home email addresses. The company is not all that large, so it is an easy task. You view the list from top to bottom and find nothing. Next, you decide to go through the list of past employees, starting with people who were let go or who resigned in the last six months. This is a much smaller list, only 17 names. There it is, in black and white. There is one ex-employee who was fired only a month ago. The home email address does indeed come from the same local ISP. You pull out a saved email from the archive and check the headers. Sure enough, the IP address matches. You are hot on the trail of the attacker and have enough evidence to go to the next level. Now, imagine this scenario without the IDS running. What would the situation be in this case? The network would seem slower, but it would take time to isolate where it is slowing down. Without IDS, you would not have the head start, you would not have logging of the IP addresses, and you would have a hard time tracking down not only the cause, but also deciding on a response and solution.
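The break in the scenario above came from dumping the logs into a database and asking which addresses took part in every attack. The following added example, not code from the course, does that analysis directly: the ICMP flood alerts are grouped into bursts separated by pauses, and the source sets of all bursts are intersected. The log line format, timestamps, and addresses (101 sources per burst, three of them constant) are constructed.

```python
"""Correlating ICMP flood sources across repeated attack bursts.

Added example, not code from the course. It performs the analysis from the
scenario: the IDS's ICMP alert lines are grouped into bursts separated by pauses,
and the source sets of all bursts are intersected to find the addresses present
in every attack. All log lines and addresses are constructed."""
from datetime import datetime, timedelta

# Constructed: three addresses take part in every burst; the other 98 rotate.
PERSISTENT_SOURCES = ["10.1.2.3", "10.1.7.44", "10.1.9.120"]


def make_burst(start, burst_no):
    """Build ten minutes of constructed alert lines for one burst of 101 sources."""
    rotating = [f"10.1.{20 + burst_no}.{host}" for host in range(1, 99)]
    return [
        f"{start + timedelta(minutes=m):%Y-%m-%dT%H:%M:%S} icmp-flood src={src}"
        for m in range(10)
        for src in PERSISTENT_SOURCES + rotating
    ]


# Four ten-minute bursts with pauses between them, starting Friday at 4:40 P.M.
FIRST_BURST = datetime(2003, 3, 7, 16, 40)
LOG_LINES = [
    line
    for n, offset in enumerate([0, 20, 50, 80])
    for line in make_burst(FIRST_BURST + timedelta(minutes=offset), n)
]


def parse_line(line):
    """'2003-03-07T16:40:00 icmp-flood src=10.1.2.3' -> (datetime, '10.1.2.3')."""
    stamp, _signature, src_field = line.split(" ", 2)
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S"), src_field.split("=", 1)[1]


def split_bursts(events, pause=timedelta(minutes=5)):
    """Group (time, source) events into bursts; a gap longer than `pause` starts a new burst."""
    bursts = []
    for ts, src in sorted(events):
        if not bursts or ts - bursts[-1]["end"] > pause:
            bursts.append({"start": ts, "end": ts, "sources": set()})
        bursts[-1]["end"] = ts
        bursts[-1]["sources"].add(src)
    return bursts


def sources_in_every_burst(bursts):
    """The addresses common to all bursts: the ones worth asking the ISP about."""
    return set.intersection(*(b["sources"] for b in bursts))


if __name__ == "__main__":
    bursts = split_bursts(parse_line(line) for line in LOG_LINES)
    for b in bursts:
        print(f"{b['start']:%H:%M}-{b['end']:%H:%M}: {len(b['sources'])} sources")
    print("in every burst:", sorted(sources_in_every_burst(bursts)))
```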


Detection of Inside Threats


Let's now look at an example of how IDS can work to detect inside threats. This is one of the difficult areas of security. Because these users already have some level of access to the network, dealing with inside threats can be more complex than outside. A reason that this is a difficult area of security is the term threat. In this case, a threat is not always someone stealing data; more often it is the inappropriate use of company resources. So, for this example, you will look at a user who is misusing resources, not attempting data thievery. At 11:30 A.M. on a Tuesday, you are notified that two of the color laser printers are running out of toner every Monday. Because the company has laser printers all over the office and only a few people are granted permission to each printer, this is unusual. It should be several months before the printers need refilling. However, every Monday two of them are nearly out and end up getting refilled. You are investigating to find out the culprit, but cannot find anything right away. You add the IP addresses of the laser printers to the IDS to track who is sending what to the printers, and when. Every night, you check the logs and find nothing out of the ordinary. By Friday night, you are wondering if perhaps the printer is malfunctioning. You remotely connect into the network over the weekend and check the logs on Saturday night. Still, you find nothing. Sunday night, around 11:30 P.M., you remotely connect into the network again to check the logs. Again, there is nothing to report as unusual. You go to bed, wondering what the situation will be like in the morning. When you get to work on Monday, you are pulled into a meeting that lasts until 1:00 P.M. When you finally get out of the meeting, you see a note on your monitor that states, "Yes, we just had to replace the toner again. What did you find?" You get on the network and head right to the log files. Finally, there it is. There is an enormous print job sent at 7:00 A.M. It took over two hours to finish printing.
You quickly identify the IP address and host name of the computer that sent the data. You inform the network administrators of what you found, and the two of you take a walk. When you get to the cube of the worker who used that computer, you can see the evidence quite clearly. All over the walls are glossy printed photographs; they are 11x17 full color photographs. Stacks of 11x17 photos are on the desk. After a conversation, you find out that this employee has taken up digital photography as a new hobby. And, every weekend this employee shoots hundreds of pictures, only to come in to work first thing in the morning, and print out as many as possible. ("Until the colors are not as crisp and bright on the printout, and then I stop," you are told.) This is a classic example of resource misuse, which can be identified with the IDS in place. Without the IDS, this task is much more complex, and perhaps someone would be asked to physically watch the printer for use in this fashion.


Anticipation of Attack Monitoring


One of the standard attack sequences for hackers just starting out is the ping sweep for live hosts. Not complex, or difficult, but worth noting in any event. The ping sweep simply pings a given range of IP addresses. The nodes that respond are active, and might be potential targets. Virtually all IDS systems will pick up and notify on ping sweeps. This type of traffic can lead to nothing, or it could be the early attempt to map the network for further attacks. The IDS will recognize the signature of sequential ping packets in rapid succession, and an alarm will sound. By recognizing a ping sweep, the organization can decide their proper response. Perhaps they respond with a message to the ISP that holds the IP address, or perhaps they simply monitor for further traffic from that IP address. In any case, the ability to choose a course of action exists due to the presence and function of the IDS.
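The ping sweep signature just described (many destinations, same source, in rapid succession) is the same shape as the telnet scan analyzed by hand from Figure 7-11 in Topic 7E. The following added example, not code from the course, is one detector that generalizes both: it groups IDS event records by source, protocol, and destination port, counts distinct destinations inside a sliding time window, and renders each finding in the style of the course's brief analysis. The record layout, timings, and all addresses are constructed; 172.168.30.23 and 192.168.10.0/24 follow the Figure 7-11 analysis.

```python
"""Horizontal sweep detection over IDS event records.

Added example, not code from the course: it generalizes the manual analysis of
the telnet scan in Figure 7-11 (Topic 7E) and the ping-sweep signature in
Topic 7F into one detector. Every record below is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Record layout modelled on Figure 7-11: (id, time, source, destination, protocol, dest port).
# Constructed: 172.168.30.23 probes TCP/23 on 192.168.10.1-254, one packet every 4 ms,
# so the scan starts at 08:52:52 and ends at 08:52:53 as in the course's analysis.
T0 = datetime(2003, 1, 1, 8, 52, 52)
TELNET_SCAN = [
    (i + 1, T0 + timedelta(milliseconds=4 * i), "172.168.30.23",
     f"192.168.10.{i + 1}", "tcp", 23)
    for i in range(254)
]
# Constructed ICMP echo (ping) sweep of the first 50 hosts from a second source.
PING_SWEEP = [
    (300 + i, T0 + timedelta(minutes=5, milliseconds=20 * i), "10.20.30.40",
     f"192.168.10.{i + 1}", "icmp", None)
    for i in range(50)
]
# Constructed benign traffic: one workstation talking to two web servers over a minute.
NORMAL = [
    (400 + i, T0 + timedelta(seconds=3 * i), "192.168.10.77",
     f"192.168.10.{200 + i % 2}", "tcp", 80)
    for i in range(20)
]


def detect_sweeps(records, min_targets=20, window=timedelta(seconds=10)):
    """Return one finding per (source, protocol, port) whose events reached at
    least min_targets distinct destinations inside some sliding time window.

    This is the course's signature stated as code: many destinations, same
    port, same source, in rapid succession."""
    by_key = defaultdict(list)
    for _rec_id, ts, src, dst, proto, dport in records:
        by_key[(src, proto, dport)].append((ts, dst))

    findings = []
    for (src, proto, dport), events in by_key.items():
        events.sort()
        in_window = defaultdict(int)   # destination -> hits inside the current window
        left = 0
        best = None
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until the window is no wider than `window`.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            if len(in_window) >= min_targets and (best is None or len(in_window) > best["targets"]):
                nets = {str(ip_network(f"{d}/24", strict=False)) for d in in_window}
                best = {
                    "src": src, "proto": proto, "dport": dport,
                    "start": events[left][0], "end": ts,
                    "targets": len(in_window),
                    "network": nets.pop() if len(nets) == 1 else "multiple",
                }
        if best is not None:
            findings.append(best)
    return findings


def brief_analysis(finding):
    """Render a finding in the style of the course's brief analysis of Figure 7-11."""
    service = finding["proto"] if finding["dport"] is None else f"{finding['proto']}/{finding['dport']}"
    seconds = (finding["end"] - finding["start"]).total_seconds()
    return (f"At {finding['start']:%H:%M:%S}, {finding['src']} swept {finding['targets']} hosts "
            f"in {finding['network']} for {service}; the sweep concluded at "
            f"{finding['end']:%H:%M:%S} ({seconds:.2f} s). Spoofing is unlikely, because "
            f"the source needs the replies.")


if __name__ == "__main__":
    for f in detect_sweeps(TELNET_SCAN + PING_SWEEP + NORMAL):
        print(brief_analysis(f))
```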

Surveillance Monitoring
When there has been some indication of either a threat of a break-in, resource misuse, or some other unauthorized activity, the IDS can be used in a mode of surveillance. At first glance, this might seem to be the entire function of the IDS in the first place. However, in this particular area, the reference is to more of an increased level of awareness. Beyond the normal day-to-day monitoring that happens, this is when a threat has been identified. Take the following situation as an example: A company has had the same senior-level network administrator for five years. Recently, this administrator was found to be working part-time for another company. Because this person was at a senior level and had an exclusive contract, he had to be let go. The release was not a pleasant one, but no threats or poor language were used by either party. This situation would, however, be cause to put the IDS into a surveillance mode, with the specific goal being to monitor traffic that could be coming from the released employee. The task of detecting an ex-employee can be difficult (even more so if it is a technical person) because this person is aware of the internals of the network. Nonetheless, this situation would require an IDS on a higher alert.

TASK 7F-1
Discussing Intrusion Detection Uses
1. Describe how an IDS can be used to detect an outside threat. Answers will vary, but may include: To identify attack signatures that are originating from IP addresses other than your internal private range.


Topic 7G
What an IDS Cannot Do
Throughout this lesson, you have identified and discussed the abilities of IDSs. As good as they are, and as helpful to the security of the network as they are, they do have limitations. An IDS can only do what it is designed to do; do not expect more from it. In this topic, you will examine some of the things an IDS cannot do.

Provide the Magic Solution


Although some IDS vendors might try to convince you of this, an IDS is not a magic solution. It does not have the ability to bring the security of your network to perfection. An IDS cannot, and should not, be expected to suddenly notice every single event that you might consider to be an intrusion or misuse. It can perform only as it is programmed. If a new type of intrusion is created today, the IDS cannot magically be configured to know this signature by this afternoon. Relying on the IDS to an extreme can create security professionals that get complacent and miss new or unusual intrusions when they occur. Your skill and knowledge as a security professional must remain at the highest level, regardless of the equipment in the organization.

Manage Hardware Failures


This might seem like an obvious point, but let's define it a bit further. If a new attack comes into your network, suddenly hits your 1,000 Linux Workstations (all nodes), and they all crash, there are no nodes available to inform the IDS of an intrusion. Yes, the IDS (if on a different platform) might still be on, and you might get a page that states, "All of your Linux computers are gone," but you cannot expect the IDS to manage any of those failures. The IDS might inform you that the event happened, but don't expect more.

crash: A sudden, usually drastic failure of a computer system.

Investigate an Attack
There are options for what an IDS can do to respond to an attack. But responding is not the same as investigating. An IDS cannot notice a SYN flood coming from the same IP address, and follow up on it. The IDS will inform you of the SYN flood, and it will be up to you to follow up. The IDS will provide the data for the investigation, but do not expect the IDS to perform any of the investigation itself. Although, if that day ever comes, there will be some interesting ramifications of it. Imagine your IDS paging you to state, "You had a SYN flood at 2 A.M. I traced the IP address, sent a message to their ISP, and had the attacker arrested. Have a nice day!"

SYN flood: When the SYN queue is flooded, no new connection can be opened.


100 Percent Analysis


Once the data has been collected by the IDS, then some serious investigation must happen. There must be a way of analyzing all the collected data. Because most organizations do not have a full-time (24 hours a day, 7 days a week) human monitoring the IDS statistics, analysis of the data is required. To expect the IDS to perform a perfect 100 percent analysis on the data is unrealistic, as the amount of data would be too high. The computers running the analysis would not be able to keep up with that high volume of traffic. To say to the IDS, Here is all the data collected in the last week, tell me everything that happened, and think you can then sit back and watch for the results of the analysis is also unrealistic.

TASK 7G-1
Discussing Incident Investigation
1. Describe why an IDS cannot investigate an intrusion attempt. The IDS is able to identify an attack, even in real time; however, it cannot investigate the attack. It might be able to respond, by closing ports, or paging the security professional. There is no mechanism in modern IDS systems for tracking down IP addresses, contacting the correct ISP, or explaining an intrusion attempt to the FBI.

Summary
In this lesson, you were introduced to the concepts and technologies of IDSs. You examined the differences between using host-based and network-based IDSs, and how each of them can be implemented. You examined the types of data analysis. You identified multiple scenarios of an IDS in use, and how each one presents a different situation to the IDS. Finally, you examined the situations an IDS cannot help with, and the tasks an IDS cannot perform.

Lesson Review
7A What are the major components of an IDS?
Prevention, detection, and response.
What is one reason you need to be careful with the response of the IDS?
You have to exercise caution in determining the level of response to incidents, since aggressive or offensive responses may open up the organization to serious legal issues.

Lesson 7: Designing an Intrusion Detection System

399

What's worse: a false-negative or a true-positive?
A false-negative, as it signifies that an alarm was not generated when a condition should have been alerted.

7B Describe how an Ethernet host, running in promiscuous mode as an IDS, sniffs packets off the local segment.
1. A host creates a network packet. So far, nothing is known other than that a packet exists that was sent from a host in the network.
2. The IDS host reads the packet in real time off the network segment.
3. The detection program in the sensor matches the packet with known signatures of misuse. When a signature is detected, an alert is generated and sent to the command console.
4. The command console receives the alert and notifies the designated person or group of the detection.
5. The response is created in accordance with the programmed response for this matching signature.
6. The alert is logged for future reference.
7. A summary report is created.
8. The alert is viewed with other historical data to determine if there is a pattern of misuse or to indicate a slow attack.

7C Describe the general process of host-based IDS.
Host-based IDS uses what are known as agents (also called sensors), which are small programs running on the hosts that are programmed to detect intrusions upon the host. They communicate with the command console.

What are the different designs of host-based IDS?
Centralized and distributed.

Describe the advantages and disadvantages of each design of host-based IDS.
In centralized design, the data is gathered and sent from the host to a centralized location. There is no significant performance drop on the hosts because the agents simply gather information and send it elsewhere for analysis. However, due to the nature of the design, there is no possibility of real-time detection and response. In distributed design, the agents on the hosts are the ones that perform the analysis. There is a significant advantage to this method: the intrusion data can be monitored in real time. The flip side is that the hosts themselves can experience a bit of a performance drop, as the computer is engaged in this work constantly.

7D Describe the general process of network-based IDS.


In network-based IDS, sensors are installed in key positions throughout the network, and they all report to the command console. The sensors are full detection engines that have the ability to sniff network packets, analyze for known signatures, and notify the console with an alert if an intrusion is detected.


What are the differences between host-based and network-based IDS?
Host-based IDS is designed to detect intrusions on a host, whether the attempt to intrude comes through a network interface or the keyboard. Network-based IDS is designed to detect intrusions in a network by analyzing network traffic, regardless of any specific host.

What are the different designs of network-based IDS?
Traditional and distributed.

Describe the advantages of each design of network-based IDS.
In the traditional design of network-based IDS, sensors are used in the network, where a sensor is a host that is configured to run the IDS software. This is usually a stand-alone computer. Each sensor runs in promiscuous mode. Packets are then fed directly into the detection engine for analysis. In general, there should be one sensor in each critical segment of the network. Any alarms that are generated are sent to the command console. In the distributed design of network-based IDS, a sensor is installed on each host in the network, instead of on each segment of the network. The sensors then communicate with each other in the event of an intrusion, and use the command console as a center of operations, and for alarms. This provides the opportunity to detect packets that might otherwise have been lost or missed by the traditional design IDS.

7E What is the difference between interval and real-time analysis?


In interval analysis, the operating system (or other host-based) audit logs are used to capture the events, and the IDS, at given intervals, analyzes the data in the logs for signatures of intrusion. With real-time analysis, data is analyzed for intrusion signatures as it is collected.

What is the difference between statistical and signature analysis?
In signature analysis, known attack signatures are compared against data collected in the network. A match results in a trigger for an intrusion, and an alarm might follow. Statistical analysis attempts to find deviations from known patterns of behavior. Using this method, an IDS would create profiles of user behavior. This data is then described as the normal usage for this profile. When an event happens that deviates from the normal usage pattern, it could mean a possible intrusion.

7F Describe the process of detecting internal misuse.


Most internal threats are network or resource misuse. This is one of the difficult areas of security. Since the users already have some level of access to the network, dealing with inside threats can be quite a bit more complex than dealing with outside threats. Another reason this is a difficult area of security is that the threat does not always result in someone stealing data; more often it is the inappropriate use of company resources. Detecting internal misuse might require auditing of network resources such as file and print servers, and so on.


Describe the difference between surveillance and normal IDS operation.
When there has been some indication of either a threat of break-in, resource misuse, or some other unauthorized activity, the IDS can be used in surveillance mode. While this might seem to be the entire function of the IDS in the first place, the reference is to an increased level of awareness versus the normal mode of operation.

7G What is the reason an IDS cannot manage hardware failures?


The IDS might be able only to inform you that an event happened. If the response is not programmed to thwart the attack, and if the attack results in the shutting down of the system running the IDS, then obviously future attacks cannot be analyzed either.

What is the reason an IDS cannot provide 100 percent analysis?
While it might be mathematically possible to gather 100 percent of the network traffic and 100 percent of host-based activity, it is unrealistic to expect the computer to process all of it.


LESSON 8
Configuring an IDS

Overview
In this lesson, you will implement an IDS. There are many different types of IDSes, and for this lesson, you will use perhaps the most famous free IDS tool, Snort. Snort is a tool that is designed to monitor TCP/IP networks, looking for suspicious traffic and direct network attacks. It enables system administrators to collect enough data to make informed decisions on the best course of action in the event that an intrusion is detected.

Data Files
Snort_2_6_1_2_Installer
Rules directory
mysql-essential-5.0.27win32
adodb493a.tgz
base-1.2.7.tar.gz

Lesson Time
6 hours

Objectives
To configure IDSs, you will:
8A Describe how Snort works as an IDS.
You will describe how Snort works as an IDS, including the pros and cons of implementation in a production network environment.
8B Install Snort on a stand-alone computer.
Given a computer running Windows in a networked environment, you will install the Snort intrusion detection application.
8C Describe the rules used in Snort.
On a computer running Snort, you will create and test a ruleset to check the effectiveness of the installation.
8D Configure Snort IDS to use a MySQL database.
Given a computer running Windows, you will install MySQL and configure Snort to send alert data to the database.
8E Configure a full IDS on Linux.
Given a computer running SuSe Linux, you will configure Snort, MySQL, and the BASE Console to view alerts.

Lesson 8: Configuring an IDS


Topic 8A
Snort Foundations
In the world of intrusion detection tools, administrators and analysts have many choices. One deciding factor is cost. Another critical factor is speed of response to new types of incidents, such as Code Red and the quick follow-up of Code Red II. It is in this conversation that an open-source tool such as Snort really shines. This tool and the associated applications that go along with it can be found at www.snort.org. The cost issue should be obvious to everyone, and free can't be beat! When commercial IDS products can be a few thousand dollars on the low end and over a hundred thousand dollars towards the high end, free is clearly a driving force for some. The other primary benefit is the fact that the open-source format allows for fast modifications. The rules that Snort uses to make decisions can be written by anyone and then posted to the web. If a new threat is identified in the morning, an administrator can create a new rule and post it by that afternoon. The Snort community can then analyze the rule, and when it is determined to be correct, the rule can be downloaded and implemented. A threat can be minimized the very day it is announced. This is a significant benefit.

Snort Deployment
Snort can be deployed on just about any host on the network. The actual Snort program is very small and does not use enough resources to cause any significant issues with the base operating system. It is possible to install and configure Snort and let it run for days with no intervention from the administrator. At a later date, the administrator can view and analyze the data collected. Although Snort can be installed on almost any host in the network, the choice of placement is important. Snort uses an interface in promiscuous mode (meaning that it captures all the packets seen by the NIC), and one installation of Snort per collision domain might be sufficient. It can also be a benefit to have an IDS placed just inside and just outside of the firewall. This way, you can identify the attacks that are blocked by the firewall, not just the internal threats. The interface that is in promiscuous mode is acting as a sniffer, capturing all the network traffic that the NIC sees. If your network is switched, make sure that you have at least one host running Snort on each segment. The host itself need not be an overly powerful machine; however, it is advisable that sufficient disk space be available to store data and that the processor be able to keep up with analysis of the packets.

sniffer: A program to capture data across a computer network. Used by hackers to capture user ID names and passwords. Software tool that audits and identifies network traffic packets. Is also used legitimately by network operations and maintenance personnel to troubleshoot network problems.

How Snort Works


Snort functions as a network sniffer and logger that can be implemented as a network-based IDS. (Snort is not a host-based IDS.) Snort uses crafted rules, which are matched against the packets as they are captured. If the rule matches, the user-dened action in the rule is executed.


What the rules can check for is limited only by the administrator's imagination and the fact that Snort can only identify TCP, UDP, IP, and ICMP. There is currently no support for routing protocols. The types of rules that can be created are therefore quite varied. Examples are buffer overflows, port scanning, network mapping, SMB probes, NetBIOS scans, and so on. The reason Snort is able to use such flexible rules is the way Snort functions: Snort can look inside a packet and examine its contents, and is not limited to an examination of headers only. This function is called payload inspection. It is due to this payload inspection that Snort can achieve such flexible rules.

Snort Fundamentals
Snort has four main pieces that combine to provide you with solid IDS functionality. The first is the actual packet capture piece, utilizing LibPcap or WinPcap, where raw packets are pulled off the wire. The second is the preprocessor, where packets are examined prior to handoff to the actual detection engine. The third is the actual detection engine. This is where your Snort rules are in action, with the detection engine looking at the parts of the packets, as you have defined. Last is the Output piece. If the packet is run through the detection engine and an alert is generated, or if logging is defined, the Output piece is where that takes place. The main file that contains the core Snort configuration is called snort.conf. This file has several primary parts, some of which you will not make any adjustments to in this course.

Note: If you wish to go into great depth with Snort, you are recommended to start with the official documentation found at www.snort.org.

The primary parts to the snort.conf file are:
Variables
Preprocessors
Output Plug-ins
Rulesets

There are many variables used in Snort, which can then be referenced later. Some common variables are var HOME_NET, which is used to define your local network, and var EXTERNAL_NET, which is used to define your external network. Preprocessors are filters used by Snort to perform actions on a packet before the full Snort engine sees it. This is useful for speeding up Snort, when preprocessing can exclude a packet before Snort rules are required to look inside the payload to perform content and other matching. Output plug-ins are used by Snort to determine alerting and logging features and what format to use when Snort is going to dump collected data. You will define the location of the rulesets that you wish to use in the snort.conf file. Although you could write rules into this file, that practice is not encouraged. By writing individual rule files, you are able to maintain better control over your configuration. You define the location of the ruleset in the snort.conf file, and then the individual rules you require are located in that separate ruleset file.


Prior to running tasks on Snort, you will need to perform some initial configuration. The first thing to alter is called the Home Network. This line tells Snort what your network's IP configuration is, so that Snort will only sniff traffic on your network, versus all traffic. If you wish to sniff all traffic, you may use a home network of any. In this classroom, there are two student networks; the LEFT side uses the 172.16.10.0/24 network and the RIGHT side uses the 172.18.10.0/24 network. If your system is part of the LEFT network, you will configure Snort to use this line:
var HOME_NET 172.16.10.0/24
If your system is part of the RIGHT network, you will configure Snort to use this line:
var HOME_NET 172.18.10.0/24
Snort runs on both Linux and Windows platforms, and for this lesson, the tasks are run on a Windows system. There are other Snort configuration lines that require editing because you are running on a Windows system. Two of these other lines are:
include classification.config
include reference.config
These need to be changed to define the full Snort path on your system. You will need to change these lines to read as follows:
include C:\Snort\etc\classification.config
include C:\Snort\etc\reference.config

Topic 8B
Snort Installation
Another benefit of Snort might be its ease of installation. The overall process of installation takes only a few minutes. A few more minutes of configuration, and Snort is up and running. In this section, you will be installing Snort on a Windows computer, and then later in the lesson, you will perform a full installation on SuSe Linux. You will require two things for the installation on Windows:
LibPcap for Windows. You will use a packet capture driver called WinPcap for this function. (Further WinPcap information is available from the Computer Network and Network Intelligence Group of Politecnico di Torino.) This simple, self-extracting executable file can be found at www.snort.org or in other Internet archives.
The Snort application file itself. This is an executable file that can also be found at www.snort.org.

For tips on loading Snort on Windows machines, visit www.silicondefense.com.


TASK 8B-1
Installing Snort
1. If required (you should have installed WinPcap earlier in the course), run the WinPcap installation file to install the Windows version of the LibPcap driver. Note that the filename is WinPcap_4_0.exe.
2. From the C:\Tools\Lesson8 folder, double-click the Snort installer file. The full filename is Snort_2_6_1_2_Installer.exe.
3. Read the License Agreement, and if you agree, click the I Agree button to continue the installation.
4. Keep the I Do Not Plan To Log To A Database radio button selected and click Next. Note that later in the lesson you will work with a MySQL database.
5. Keep all the default selected components checked, and click Next.
6. Accept the default install location, and click Next.
7. When the install is complete, click Close to exit the Setup program.
8. In the successful install window, click OK. If you get a pop-up about WinPcap, click OK.
9. Open My Computer, and navigate to the C:\Snort folder. Note the directory structure that was created during the install:
C:\Snort\bin
C:\Snort\contrib
C:\Snort\doc
C:\Snort\etc
C:\Snort\lib
C:\Snort\log
C:\Snort\rules
C:\Snort\schemas
Note: It is a good idea for the students to save current versions of their snort.conf file during this lesson. If an error occurs, they only have to go back to the last known good file.
10. In the C:\Snort\bin folder, create a folder named log (this will have a path of C:\Snort\bin\log).
11. In the C:\Snort\log folder (note this is not the folder created in Step 10), create a file named alert.ids and click Yes to accept that you are going to change the file name extension. You will need this file later in the lesson.
12. Choose Start > Administrative Tools > Services.
13. Scroll to the Messenger service.
14. Right-click the Messenger service and choose Properties.
15. Change the Startup type to Automatic.


16. Click Apply.
17. Click Start.
18. Click OK.
19. Close the Services window.

Common Snort Commands


When running Snort, there are some common switches and commands you should be aware of. In this course, you will not use all of these, but you will use the most common ones. These switches include:
-v: This is the basic command, putting Snort in packet sniffing mode.
-d: This is the command to display IP, TCP, ICMP, and UDP headers.
-e: This is the command to display the packet data along with the headers.
-l: This is the command to enable logging. After the -l command, you must define the location of the logs.
-c: This command is what essentially turns on the IDS function of Snort, versus running it as a packet sniffer. After the -c command, you must define the location of the rules file that Snort is to use for IDS functions.
-W: This command will list the network interfaces that are available to Snort.
-iX: This command will tell Snort which network interface to use when you replace the X variable with the number of the network interface.

TASK 8B-2
Initial Snort Configuration
1. Open My Computer and navigate to the C:\Snort\etc folder.
Note: When editing Snort lines, be sure you edit the actual lines used, not the lines that are designated with a # comment.
2. Right-click the snort.conf file, and choose Copy.
3. Right-click in the C:\Snort\etc folder and choose Paste.
4. Rename the copy of the snort.conf file as snort.conf.bak. (Click Yes, if you receive a Rename warning prompt.) In the event that you run into difficulty with your snort.conf file, you will have this file as a backup.
5. Double-click the original snort.conf file.
6. Select the Select The Program From A List radio button and click OK.
7. Select WordPad as the program to use and click OK. You may leave the check box checked to always use this program to open this file type.


8. Scroll down to var HOME_NET any and replace any with your home network. If you are in the LEFT network, use:
var HOME_NET 172.16.0.0/16
If you are in the RIGHT network, use:
var HOME_NET 172.18.0.0/16
9. Search for the variable var EXTERNAL_NET any and change it to read:
var EXTERNAL_NET !$HOME_NET
10. Search for the variable include classification.config and change it to read:
include C:\Snort\etc\classification.config
11. Search for the variable include reference.config and change it to read:
include C:\Snort\etc\reference.config
12. Search for the variable var RULE_PATH ../rules and change it to read:
var RULE_PATH C:\Snort\rules
13. Change # include threshold.conf to read:
include C:\Snort\etc\threshold.conf
14. There are two other lines where you must replace the default line with a specific Windows path. The following two steps show the before and after of these two configuration lines.
15. Change dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/ to read:
dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor
16. Change dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so to read:
dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
17. Once you have made these changes, save and close the snort.conf file.
18. Open two command prompts. One will be used to run Snort and the other to run ping commands.
19. At one of the command prompts, navigate to the C:\Snort\bin folder, and enter snort -W
You will see a list of available adapters on which you could install the sensor. The adapters are numbered 1, 2, 3, and so forth. In this lesson, you will be using the NIC. Write the number associated with that adapter here: _______
20. At the C:\Snort\bin prompt, enter snort -v -iX where X is the number of the NIC that you recorded in the previous step.
21. Switch to your other open command prompt, and ping any other computer in the network. When the ping is complete, switch back to the command prompt that is running Snort.

22. In the Snort command prompt, press Ctrl+C to stop Snort.
23. Review the summary information, noting the packets that Snort captured in this test.
24. Close all open windows.
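The snort.conf edits of Task 8B-2, applied by a script instead of by hand, as an added example that is not part of the course materials. It changes only the active lines (a commented-out duplicate such as # var HOME_NET ... is left alone, except for the threshold.conf line that the task deliberately uncomments) and reports any expected line it could not find; the snort.conf excerpt it runs on is constructed for the example.

```python
import re

# Paths from the lesson's Windows install of Snort
SNORT_ETC = r"C:\Snort\etc"
SNORT_LIB = r"C:\Snort\lib"
SNORT_RULES = r"C:\Snort\rules"


def windows_edits(home_net):
    """(regex for the active line to change, full replacement line) pairs from Task 8B-2."""
    return [
        (r"^var HOME_NET any\b", "var HOME_NET " + home_net),
        (r"^var EXTERNAL_NET any\b", "var EXTERNAL_NET !$HOME_NET"),
        (r"^include classification\.config\b", "include " + SNORT_ETC + r"\classification.config"),
        (r"^include reference\.config\b", "include " + SNORT_ETC + r"\reference.config"),
        (r"^var RULE_PATH \.\./rules\b", "var RULE_PATH " + SNORT_RULES),
        # the one commented-out line the task deliberately activates
        (r"^#\s*include threshold\.conf\b", "include " + SNORT_ETC + r"\threshold.conf"),
        (r"^dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/?$",
         "dynamicpreprocessor directory " + SNORT_LIB + r"\snort_dynamicpreprocessor"),
        (r"^dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine\.so$",
         "dynamicengine " + SNORT_LIB + r"\snort_dynamicengine\sf_engine.dll"),
    ]


def localize_snort_conf(text, home_net):
    """Apply the edits to the text of snort.conf.
    Returns (new_text, changed_line_numbers, not_found). Every pattern is anchored at
    the start of the stripped line, so commented duplicates are never touched."""
    edits = windows_edits(home_net)
    done = [False] * len(edits)
    out, changed = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        for i, (pattern, replacement) in enumerate(edits):
            if not done[i] and re.match(pattern, stripped):
                out.append(replacement)
                done[i] = True
                changed.append(lineno)
                break
        else:
            out.append(line)
    not_found = [edits[i][1] for i, ok in enumerate(done) if not ok]
    return "\n".join(out) + "\n", changed, not_found


def leftover_unix_paths(text):
    """Active lines still pointing at /usr/local/: these make Snort fail to start on Windows."""
    return [l for l in text.splitlines()
            if not l.lstrip().startswith("#") and "/usr/local/" in l]


# Constructed excerpt in the shape of a stock snort.conf, not a real one
SAMPLE_CONF = """\
# Step #1: Set the network variables (constructed excerpt for this example)
var HOME_NET any
# var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var RULE_PATH ../rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
include classification.config
include reference.config
# include threshold.conf
include $RULE_PATH/local.rules
"""

if __name__ == "__main__":
    new_text, changed, not_found = localize_snort_conf(SAMPLE_CONF, "172.16.0.0/16")
    print(new_text)
    print("changed lines:", changed)
    print("not found:", not_found or "none")
    print("still pointing at /usr/local:", leftover_unix_paths(new_text) or "none")
```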

Using Snort as a Packet Sniffer


In our first example of working with Snort, you will use it for packet sniffing. Using a command prompt, you will capture headers. This can produce a lot of information quickly, so make sure that you change the buffer size of the command prompt to a very high value; even 5000 or more is fine. An example of packet sniffing by Snort is shown in Figure 8-1.

packet sniffer: A device or program that monitors the data traveling between computers on a network.

Figure 8-1: An example of Snort being turned on as a packet sniffer.

About the Tasks


For many of the activities in this topic, you will work in pairs. Each student computer should have two command prompt windows open: one for running Snort commands and the other for running pings and other network commands. Your instructor will designate one student in each pair to act as Host One; the other will be Host Two. Remember which is which, and only perform those steps that apply to your specic machine.


TASK 8B-3
Capturing Packets with Snort
Setup: Snort has been installed and tested, and your instructor has designated you as Host One or Host Two. Note: Perform the following step on all student computers. 1. Open two command prompts.

Note: Perform the following step only if you are designated as Host One. 2. Change to the c:\snort\bin directory. Enter snort -v -ix (remember to use the adapter number in place of the x). The -v switch prints the headers on the screen.

Note: Perform the following step only if you are designated as Host Two. 3. As soon as Host One has pressed Enter, ping Host One by its IP address.

Note: Perform the following step only if you are designated as Host One. 4. As soon as the ping is completed, press Ctrl+C to stop the packet capture. Leave the used windows open, and switch to the unused command prompt.

Note: Perform the following step only if you are designated as Host Two. 5. Switch to the unused command prompt. Change to the c:\snort\bin directory. Enter snort -v -ix (remember to use the adapter number in place of the x).

Note: Perform the following step only if you are designated as Host One. 6. As soon as Host Two has pressed Enter, ping Host Two by its IP address.

Note: Perform the following step only if you are designated as Host Two. 7. As soon as the ping is completed, press Ctrl+C to stop the packet capture.

Note: Perform the following step on all student computers. 8. Minimize the command prompt window used for pinging, and focus on the window in which Snort was running. Browse the file, and try to identify the ping packets sent between Host One and Host Two.

Packet Data Capture


When Snort is rst stopped, it lists some statistics about the capturing session that just ended. This statistical analysis is for a quick overview of the kinds of traffic that were captured, and it looks like Figure 8-2.

Figure 8-2: An example of the statistics after a packet capture has completed.

In this example, no packets were dropped, and the vast majority of packets captured were TCP. This screenshot was generated on a Windows 2000 computer, after running for about 20 seconds in a controlled environment. Figure 8-3 shows a portion of the packet headers that were captured, specifically the ping packets. This was the goal of the previous exercise: to identify the ping packets. From this screenshot, you can identify that the ping was initiated from host 10.0.10.115 and was sent to 10.0.10.213. You should be able to see that the packets were correctly identified as ICMP, and the ID numbers are going up as expected: 2635 on the first request shown, 2636 on the second, and so on. The reply packets also follow the ICMP rules: ID 53820 followed by 53821. The sequence numbers are also correct, again incrementing by one, as expected.


Figure 8-3: An example of a ping sequence between two hosts captured by Snort. Although the capture of header information is an excellent way to craft the IDS for an organization, more might be required, such as examining the contents of packets and determining if the content matches any rule. If this is the case, then another switch is needed to see the packet data in Snort. The switch to add is the -d switch.
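The check the exercise asks you to do by eye (find the ping packets, confirm every request got its reply, and confirm the IP ID and ICMP sequence numbers climb by one), as an added example that is not from the course: it parses the console output of snort -v and reports the gaps. The capture text is constructed to approximate the line shapes Snort prints (timestamp line, IP header line, ICMP line); the third request deliberately has no reply, and a TCP packet from the same host sits between two requests to show that unrelated traffic also consumes IP IDs.

```python
import re
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto ip_id icmp_type icmp_id icmp_seq")

# Line shapes snort -v prints for one packet (approximation, constructed for this example):
#   <timestamp> <src>[:port] -> <dst>[:port]
#   <PROTO> TTL:n TOS:0x0 ID:n IpLen:n DgmLen:n
#   Type:8  Code:0  ID:n   Seq:n  ECHO              (ICMP only; Type:0 ... ECHO REPLY for replies)
HDR_RE = re.compile(r"^\S+ (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$")
IP_RE = re.compile(r"^(?P<proto>TCP|UDP|ICMP) TTL:\d+ TOS:\S+ ID:(?P<id>\d+)")
ICMP_RE = re.compile(r"^Type:(?P<type>\d+)\s+Code:\d+\s+ID:(?P<id>\d+)\s+Seq:(?P<seq>\d+)")
SEP_RE = re.compile(r"^=\+=.*$", re.M)   # the =+=+=+ line Snort prints between packets


def parse_snort_verbose(text):
    """Turn snort -v console output into Packet records; blocks that are not IP are skipped."""
    packets = []
    for block in SEP_RE.split(text):
        lines = [l for l in block.splitlines() if l.strip()]
        if len(lines) < 2:
            continue
        hdr, ip = HDR_RE.match(lines[0]), IP_RE.match(lines[1])
        if not (hdr and ip):
            continue
        icmp = ICMP_RE.match(lines[2]) if ip["proto"] == "ICMP" and len(lines) > 2 else None
        extra = (int(icmp["type"]), int(icmp["id"]), int(icmp["seq"])) if icmp else (None,) * 3
        packets.append(Packet(hdr["src"], hdr["dst"], ip["proto"], int(ip["id"]), *extra))
    return packets


def check_ping_sequence(packets, requester, responder):
    """Pair echo requests (type 8) with echo replies (type 0) and look for gaps."""
    reqs = [p for p in packets if p.proto == "ICMP" and p.icmp_type == 8
            and p.src == requester and p.dst == responder]
    reps = [p for p in packets if p.proto == "ICMP" and p.icmp_type == 0
            and p.src == responder and p.dst == requester]
    answered = {(p.icmp_id, p.icmp_seq) for p in reps}   # a reply echoes the request's ID and Seq

    def gaps(values):   # consecutive values that do not climb by exactly one
        return [(a, b) for a, b in zip(values, values[1:]) if b != a + 1]

    return {
        "requests": len(reqs),
        "replies": len(reps),
        "unanswered": [p.icmp_seq for p in reqs if (p.icmp_id, p.icmp_seq) not in answered],
        "seq_gaps": gaps([p.icmp_seq for p in reqs]),
        "request_ipid_gaps": gaps([p.ip_id for p in reqs]),
        "reply_ipid_gaps": gaps([p.ip_id for p in reps]),
    }


# Constructed capture, not real Snort output: two answered pings, one TCP packet, one lost ping
SAMPLE_CAPTURE = """\
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/11-10:22:31.100000 10.0.10.115 -> 10.0.10.213
ICMP TTL:128 TOS:0x0 ID:2635 IpLen:20 DgmLen:60
Type:8  Code:0  ID:512   Seq:256  ECHO

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/11-10:22:31.100400 10.0.10.213 -> 10.0.10.115
ICMP TTL:128 TOS:0x0 ID:53820 IpLen:20 DgmLen:60
Type:0  Code:0  ID:512   Seq:256  ECHO REPLY

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/11-10:22:32.100000 10.0.10.115 -> 10.0.10.213
ICMP TTL:128 TOS:0x0 ID:2636 IpLen:20 DgmLen:60
Type:8  Code:0  ID:512   Seq:257  ECHO

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/11-10:22:32.100400 10.0.10.213 -> 10.0.10.115
ICMP TTL:128 TOS:0x0 ID:53821 IpLen:20 DgmLen:60
Type:0  Code:0  ID:512   Seq:257  ECHO REPLY

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/11-10:22:32.500000 10.0.10.115:1045 -> 10.0.10.5:80
TCP TTL:128 TOS:0x0 ID:2637 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x1A2B3C4D  Ack: 0x5E6F7A8B  Win: 0x4000  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/11-10:22:33.100000 10.0.10.115 -> 10.0.10.213
ICMP TTL:128 TOS:0x0 ID:2638 IpLen:20 DgmLen:60
Type:8  Code:0  ID:512   Seq:258  ECHO
"""

if __name__ == "__main__":
    pk = parse_snort_verbose(SAMPLE_CAPTURE)
    print(len(pk), "packets;", sum(p.proto == "ICMP" for p in pk), "ICMP")
    for key, value in check_ping_sequence(pk, "10.0.10.115", "10.0.10.213").items():
        print(f"{key:>18}: {value}")
```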

TASK 8B-4
Capturing Packet Data with Snort
Note: Perform the following step only if you are designated as Host One. 1. If necessary, change to the directory where you installed Snort. Remember, the directory is c:\snort\bin. Enter snort -ix -v -d. Using the -d switch enables you to see the packet data in Snort. Note: Perform the following step only if you are designated as Host Two. 2. As soon as Host One has pressed Enter, ping Host One by its IP address.
Don't forget, the x in the switch -ix is the number of your network interface.

Note: Perform the following step only if you are designated as Host One. 3. As soon as the ping is completed, press Ctrl+C to stop the packet capture. Leave this window open, and switch to the other command prompt.

Note: Perform the following step only if you are designated as Host Two. 4. Switch to the other command prompt. If necessary, change to the directory where you installed Snort. Enter snort -ix -v -d.

Note: Perform the following step only if you are designated as Host One. 5. As soon as Host Two has pressed Enter, ping Host Two by its IP address.

Note: Perform the following step only if you are designated as Host Two. 6. As soon as the ping is completed, press Ctrl+C to stop the packet capture.

Note: Perform the following step on all student computers. 7. Minimize the command prompt that you used for pinging, and focus on the window in which Snort was running. Browse the file, and try to identify the ping packets sent between Host One and Host Two. Because the contents of the packet are captured this time, the screen looks different. You should still be able to identify the ping sequence, though. The difference that should be obvious is the payload data itself. Because the data is ping, the payload is filled with padding; in this case, letters from the English alphabet. In both command prompt windows, use the cls command to clear the screen and prepare for the next task.

Logging with Snort


Using packet capture enables the security professional to gather data to look for misuse of resources and network intrusions. However, it is impractical to expect anyone to watch the screen for intrusions, not to mention that the speed at which the packets are captured is quite fast (as you might have already seen). It is much more logical to record these packets to the hard drive for future analysis. The process is pretty simple: provide a log directory and tell Snort to perform logging. If you start the Snort program, telling it to log, and there is no such directory, Snort will exit with an error. Snort is designed to create a folder hierarchy of the packets it captures. The folder structure in the log directory uses IP addresses for simple searching at a later time.

TASK 8B-5
Logging with Snort
Setup: Two clean command prompt windows are open. Note: Perform the following step only if you are designated as Host One. 1. If necessary, change to the directory where you installed Snort. Enter snort -ix -dev -l \snort\log to start Snort and instruct it to record headers and data in the \snort\log folder.

Note: Perform the following step only if you are designated as Host Two. 2. Ping Host One by its IP address.

Note: Perform the following step only if you are designated as Host One. 3. Switch to the other prompt, and ping Host Two by its IP address.

Note: Perform the following step only if you are designated as Host Two. 4. Change to the directory where you installed Snort, and enter snort -ix -dev -l \snort\log to start Snort and instruct it to record headers and data in the \snort\log folder.

Note: Perform the following step only if you are designated as Host One. 5. Ping Host Two by its IP address.

Note: Perform the following step only if you are designated as Host Two. 6. Ping Host One by its IP address.

Note: Perform the rest of this task on all student computers.
7. Press Ctrl+C to stop Snort.
8. Start Windows Explorer, and navigate to the snort\log folder.
9. Locate your log file; it will have a name such as snort.log.116850130.

10. Choose Start > All Programs > Wireshark > Wireshark.
11. Choose File > Open.
12. Navigate to your new log file and click Open.
13. Review the packet capture, and compare what was captured with the ping commands you sent between you and your partner.
14. Close all windows.

Topic 8C
Snort as an IDS
Up to this point, you have been using Snort to capture packets and then examining the contents of those packets. Although this can be quite useful, it is not a practical way to deploy an IDS. An IDS needs rules to follow and a way to alert the administrator when a rule is matched. In this topic, you will take Snort to the next level: IDS.


It's All in the Rules


As stated earlier, Snort uses rules to match for signatures of misuse. These rules can be created from scratch, or the rules that ship with the application can be modified. You will look at both scenarios. An example of the syntax to use Snort as an IDS is as follows:
%systemroot%\snort\snort -dev -l \snort\log -c snort.conf

In this example, the new addition to the line is the -c switch, followed by the snort.conf file. As you might remember, the snort.conf file is used to define configuration variables that will be used for Snort. Earlier, all that the snort.conf file was used for was to specify the HOME_NET variable by changing it to refer to the correct IP address. In this case, adding the -c switch tells Snort to apply the rules that are in the snort.conf file to the packets as they are processed by Snort. Before we get too far ahead of ourselves, let's back up and look at the basics of the Snort rules. The rules of Snort are made up of two distinct parts:
Rule Header: The Rule Header is where the rule's action, protocol, directional operator, source and destination IP addresses (with subnet mask), and the source and destination ports are identified.
Rule Options: The Rule Options are where the rule's alert messages and specifications on what parts of the packet are to be matched to determine if there is a rule match.

Here is an example rule:


Where a rule is shown on more than one line due to margin constraints, all of its code belongs on a single line.

alert tcp any any -> any 80 (content: "adult"; msg: "Adult Site Access";)

The syntax breakdown of this example is as follows: The text up to the first parenthesis is the Rule Header. The section enclosed inside the parentheses is the Rule Options. Rule Options are not required by any rule, but they provide much information and might be the reason for creating the rule itself.

So, the end result of this rule is to create an alert if TCP traffic from any IP address and any port is sent to any host at port 80, where the string adult is in the payload. If this rule is met, a message of Adult Site Access will be placed in the logs with this packet.

The Rule Header


Let's look at the Rule Header in more detail. As mentioned previously, the Rule Header for our example is composed of the following information:
alert tcp any any -> any 80

The first part of this syntax, alert, is known as a rule action. The rule action in the header defines what is to be done when a packet that matches the rule is found. There are five actions that can be defined.

Rule Action   Description
Alert         Creates an alert using whatever method has been defined. Also logs the packet using whatever method has been defined.
Log           Logs the packet using whatever method has been defined.
Pass          Tells Snort to ignore this packet.
Activate      Creates an alert and turns on a dynamic rule.
Dynamic       Remains unused unless another rule calls it. If called, it acts similarly to a log rule.

After the action has been defined, the next step is to define the protocol. In our example, the protocol defined is TCP. Currently, Snort supports defining the TCP, UDP, ICMP, and IP protocols. After the action and protocol are defined, Snort requires the IP addresses to be used. A valid statement is to use the word any, meaning any IP address. Snort uses the netmask format of specifying the subnet mask: a full Class A IP address will have a netmask of /8, a full Class B will have a netmask of /16, and a full Class C will have a netmask of /24. Single hosts might be specified with a /32 netmask. In addition to defining a single host or a single subnet of addresses, Snort can work with groups of IP addresses in a single rule. This is called creating an IP list. The IP list is created by enclosing the list, with addresses separated by commas, in square brackets. An example of using an IP list is:
alert tcp any any -> [10.0.10.0/24, 10.10.10.0/24] any (content: "Password"; msg:"Password Transfer Possible!";)

Note: Although the previous line is split in two lines, in the editor it can be entered as one long line. Versions of Snort before 1.8 required a backslash (\) between lines of a single rule. It is acceptable now to have a rule span multiple lines, but in most editors, a long line is easy to work with.

After IP addresses have been specified, you need to tell Snort which port you want to check. When you are working with Snort rule syntax, ports can be defined in several ways. Single static ports are common, as in port 80, port 23, and so on. The rule can also define the keyword any, again meaning any port. Ranges of ports can also be defined using a colon to separate the start and end points of the range. Here are several examples of different port definitions:

To log any traffic from any IP address and any port to port 23 of the 10.0.10.0/24 network:
log tcp any any -> 10.0.10.0/24 23

To log any traffic from any IP address to any port between (and including) 1 and 1024 on any host in the 10.0.10.0/24 network:
log tcp any any -> 10.0.10.0/24 1:1024

To log any traffic from any IP address where the source port number is less than or equal to 1024 and is destined for any host in the 10.0.10.0/24 network with a destination port greater than or equal to 1024:
log tcp any :1024 -> 10.0.10.0/24 1024:


In Snort rules, a port or IP address can be negated by prefixing it with an exclamation point (!). This is similar to the negate option in IPTables rulesets. For example, to log any TCP traffic from any host other than 172.16.40.50, using any port, to any host on the 10.0.10.0/24 network using any port:
log tcp !172.16.40.50/32 any -> 10.0.10.0/24 any

To log any TCP traffic from any host using any port to the 10.0.10.0/24 network on any port other than 23:
log tcp any any -> 10.0.10.0/24 !23

By now, through these examples, you should be able to identify the directional operator. The direction is defined with ->. This means coming from the left and going to the right, so to speak. It is also possible to have Snort check the packet for IP addresses and ports in both directions. This can be a benefit for analysis of both sides of a session. The following example uses the bi-directional operator to record both ends of a telnet session:
log tcp 10.0.10.0/24 any <> 172.16.30.0/24 23
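As an added example (written for this lesson's editing, not course material or Snort's own code), the following Python model parses the Rule Header syntax described above and matches it against packet 5-tuples, covering CIDR netmasks, bracketed IP lists, port ranges, the ! negation and the -> and <> operators. The function names parse_header and header_matches are this example's own, and it deliberately rejects capitalized actions such as Alert, which Snort would not accept.

```python
import ipaddress
import re

ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# An address field is a single token or a bracketed IP list, which may carry
# spaces after the commas as in the lesson's example.
_ADDR = r"(!?\[[^\]]*\]|\S+)"
_HEADER_RE = re.compile(
    r"^\s*(\S+)\s+(\S+)\s+" + _ADDR + r"\s+(\S+)\s+(->|<>)\s+" + _ADDR + r"\s+(\S+)\s*$"
)


def parse_addr(spec):
    """Return (negated, networks) for any, 10.0.10.0/24, !172.16.40.50/32
    or [10.0.10.0/24, 10.10.10.0/24]; networks is None for 'any'."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!").strip()
    if spec == "any":
        return negated, None
    parts = spec[1:-1].split(",") if spec.startswith("[") else [spec]
    # A bare host such as 172.16.40.50 becomes a /32, as Snort treats it.
    return negated, [ipaddress.ip_network(p.strip(), strict=False) for p in parts]


def parse_port(spec):
    """Return (negated, low, high) for any, 23, !23, 1:1024, :1024 or 1024:."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        return negated, 0, 65535
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return negated, (int(lo) if lo else 0), (int(hi) if hi else 65535)
    return negated, int(spec), int(spec)


def parse_header(rule):
    """Parse the Rule Header, i.e. everything before the first parenthesis."""
    header = rule.split("(", 1)[0]
    header = re.sub(r"!\s+", "!", header)  # accept '! 172.16.40.50' as the lesson writes it
    m = _HEADER_RE.match(header)
    if not m:
        raise ValueError("malformed rule header: %r" % header)
    action, proto, src, sport, direction, dst, dport = m.groups()
    if action not in ACTIONS:
        raise ValueError("unknown action %r (Snort actions are lowercase)" % action)
    if proto not in PROTOCOLS:
        raise ValueError("unsupported protocol %r" % proto)
    return {"action": action, "proto": proto, "direction": direction,
            "src": parse_addr(src), "sport": parse_port(sport),
            "dst": parse_addr(dst), "dport": parse_port(dport)}


def _addr_ok(addr_spec, ip):
    negated, nets = addr_spec
    hit = nets is None or any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated


def _port_ok(port_spec, port):
    negated, lo, hi = port_spec
    return (lo <= port <= hi) != negated


def header_matches(hdr, proto, src_ip, src_port, dst_ip, dst_port):
    """True when a packet's 5-tuple satisfies the header.  With -> the packet
    must travel left to right; with <> either direction matches."""
    if proto != hdr["proto"]:
        return False
    forward = (_addr_ok(hdr["src"], src_ip) and _port_ok(hdr["sport"], src_port)
               and _addr_ok(hdr["dst"], dst_ip) and _port_ok(hdr["dport"], dst_port))
    if forward or hdr["direction"] == "->":
        return forward
    return (_addr_ok(hdr["src"], dst_ip) and _port_ok(hdr["sport"], dst_port)
            and _addr_ok(hdr["dst"], src_ip) and _port_ok(hdr["dport"], src_port))


if __name__ == "__main__":
    # The telnet session rule above, checked against the server's reply packet.
    h = parse_header("log tcp 10.0.10.0/24 any <> 172.16.30.0/24 23")
    print(header_matches(h, "tcp", "172.16.30.9", 23, "10.0.10.2", 40000))
```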

The Rule Options


Where Snort can really start to show its flexibility and function is in the Rule Options. All of the Rule Options are separated by using a semicolon (;). Rule Option keywords are separated from their arguments with a colon (:). The following table lists some of the available keywords.

Keyword   Description
msg       Prints a message, as defined, in the alert and packet logs.
ttl       Used to match the IP header's Time To Live value.
id        Used to match a specific IP header fragment value.
flags     Used to match TCP flags for defined values.
ack       Used to match the TCP ack setting for a defined value.
content   Used to match a defined value in a packet's payload.

There are more keywords. It is advisable that you check the man pages (if you are using a Linux box) or the Help pages (if you are using a Windows box) for the remaining list of keywords. When the msg option is used in a rule, it tells the logging and alerting engine that there is a message that should be inserted along with a packet dump or in an alert. Here is a sample syntax for the msg option:
msg: "text here";

When the ttl option is used in a rule, it tells Snort that there is a specific Time To Live value to match. Because it succeeds only on an exact match, this can be useful for detecting traceroute attempts. Here is a sample syntax for the ttl option:
ttl: "time-value";

When the id option is used in a rule, it tells Snort to match an exact value in the IP header Fragment field. Here is a sample syntax for the id option:
id: "id-value";


For the flags option, there are several suboptions, which include the flags that can be matched. The flags are defined in the rule by their single letter, as listed here:

F for FIN
S for SYN
R for RST
P for PSH
A for ACK
U for URG
2 for Reserved bit 2
1 for Reserved bit 1
0 for no TCP flags set

The standard logical operators are also valid for flags: the + for matching all of the listed flags, the * for matching any of the listed flags, and the ! for matching all except the defined flag. The reserved bits can be used to detect scans or IP stack fingerprinting. Here is a sample syntax for the flags option:
flags: value(s);

The following rule example shows a syntax that could be used to detect SYN/FIN scans:
alert tcp any any -> 10.0.10.0/24 any (flags: SF; msg: "SYN FIN Scan Possible";)

When the ack option is used in a rule, it tells Snort to match a specific ACK value in the TCP header of a packet. The network mapping tool Nmap uses the ACK flag to determine if a remote host is active. Here is a sample syntax for the ack option:
ack: "ack-value";

The content keyword might be the most important keyword that Snort has available. When you use this option in a rule, it enables Snort to examine the payload of a packet and perform checks against the contents based on this keyword. Snort uses a pattern-match function called Boyer-Moore. (This matching function can be more intense than all the other options, so take care not to overuse this option on slower machines.) This option is case-sensitive, so matching the word Test and the word test are two different things. The complexity of this option comes into play with the definition of the data for the match. Although it can be entered in plaintext, it can also be entered as mixed binary bytecode. (Bytecode data is a hexadecimal representation of binary data.) The basic syntax of this option is similar to the other options:
content:"content value";

Simple Rule Examples


This section details several rule examples, followed by brief descriptions of their functions. You can use these as a template for creating your own simple rules. To log all traffic trying to connect to the telnet port:


log tcp any any -> 10.0.10.0/24 23

Even when using ICMP, Snort requires ports to be dened, so use the word any.

To log ICMP traffic towards the 10.0.10.0 network:


log icmp any any -> 10.0.10.0/24 any

To allow all web browsing to go through without logging:


pass tcp any any -> any 80

To create an alert with a message:


alert tcp any any -> any 23 (msg: "Telnet Connection Attempt";)

To find SYN/FIN scans of the network:


alert tcp any any -> 10.0.10.0/24 any (msg: "SYN-FIN scan detected"; flags: SF;)

To find TCP NULL scans of the network:


alert tcp any any -> 10.0.10.0/24 any (msg: "NULL scan detected"; flags: 0;)

To find attempts at OS fingerprinting:
alert tcp any any -> 10.0.10.0/24 any (msg: "O/S Fingerprint detected"; flags: S12;)

This example uses the Home_Net variable instead of dening the IP address.

To perform content filtering:


alert tcp $HOME_NET any -> !$HOME_NET any (content: "Hello"; msg:"Hello Packet";)

Now that you have looked at several example rules, let's put them together and create a ruleset for Snort.

Snort Rule IDs


An option was added to Snort to categorize all the various Snort rules. This gives rule writers everywhere a shared numbering scheme, and it helps keep the rules organized. There are a few ranges of the Snort ID (SID) that you need to be aware of. These ranges are:

Less than 100: Reserved for future Snort use.

101 through 1,000,000: Reserved for direct Snort.org distribution rules.

1,000,001 and greater: These numbers are for the custom local rules.

A great resource called www.bleedingsnort.com uses rules in the 2,000,000 range. When you develop your own local rules, as long as you use a unique number for every rule, and that number is greater than one million, your rule will not have a SID problem. However, it is a good idea to use a higher number, such as four million and up, because organizations that write rules, such as Bleeding Snort, might be in the lower ranges.


TASK 8C-1
Creating a Simple Ruleset
Objective: To create a rule that logs all TCP traffic, alerts to ping, and alerts to the use of the word password.

1. Open Notepad and enter the following:
log tcp any any <> any any (msg: "TCP Traffic Logged"; sid:10000001;)
alert icmp any any <> any any (msg: "ICMP Traffic Alerted"; sid: 10000002;)
alert tcp any any <> any any (content: "password"; msg: "Possible Password Transmitted"; sid:10000003;)
Each rule must be entered on a single line in Notepad, even where it wraps here due to space constraints.

2. Save the file as "C:\Snort\rules\myrule.rules" and close Notepad. Be sure to type the quotes so that Windows will not assign a file name extension, keeping rules as the extension.

Testing a Rule Set


After you have created a ruleset and have saved it in the Snort folder, it is time to test this ruleset. You can do so at the command prompt. Just be sure that the command prompt buffer is set high enough.

TASK 8C-2
Testing the Ruleset
Note: Perform the following step on all student computers. 1. Clear the \snort\log folder and open two command prompts. If you want to save the old logs to another location, go ahead and do so.

Note: Perform the following step only if you are designated as Host One. 2. If necessary, change to the directory where you installed Snort. Enter snort -d -e -v -iX -c \Snort\rules\myrule.rules -l \Snort\log to run Snort using the new ruleset.

Note: Perform the following step only if you are designated as Host Two.

3. Once Host One is running Snort, ping Host One by its IP address. Then, enter net send [ip_address] Here is my password, where [ip_address] is the IP address of your partner's computer.

Note: Perform the following step only if you are designated as Host One.

4. When you receive the message, click OK, and then stop Snort by pressing Ctrl+C.


Note: Perform the following step only if you are designated as Host Two. 5. If necessary, change to the directory where you installed Snort. Enter snort -d -e -v -iX -c \Snort\rules\myrule.rules -l \Snort\log to run Snort using the new ruleset.

Note: Perform the following step only if you are designated as Host One.

6. Once Host Two is running Snort, ping Host Two by its IP address. Then, enter net send [ip_address] Here is my password, where [ip_address] is the IP address of your partner's computer.

Note: Perform the following step only if you are designated as Host Two.

7. When you receive the message, click OK, and stop Snort by pressing Ctrl+C.

Note: Perform the following step on all student computers.

8. Examine the log files for the alerts and logs that were generated. Compare them to the ruleset and your scan from earlier. To look at the alert data that was generated, right-click the alert.ids file, open it with WordPad, and examine the alert.

9. Close all open windows.

More Rule Options


Up to this point, you have seen very simple rules, and while these are good for getting used to Snort, the example rules so far have been very limited. Snort can work with much more complex rulesets, and as you will see in the following section, the only limitation is your imagination and knowledge of your environment. As discussed, the Snort rule is broken into two primary parts, the header and the options. Where the header details the IP, port number, direction, and so on, the options are where you can get very specific with the rule. There are many choices of what you can place in the options part of the rule, and for the context of this lesson, you will examine two of them: Metadata Options and Payload Detection Options.


Metadata Options
Metadata Options are where you detail characteristics about the rule. One example of a Metadata Option is the Message (msg), which you looked at previously in this lesson. Another example is the Snort Rule ID (sid). You could also define a reference URL for more information about the event. Here is a quick list of Metadata Options:

msg: This option is used to insert a message in human-readable language.

sid: This option is used to define the unique Snort Rule ID for the specific rule.

classtype: This option is used to classify the specific type of event.

priority: This option is used to define the priority level of the event.

reference: This option is used to define a reference URL for more information about the event.

rev: This option is used to define a revision number for the rule.

Classtypes
Classtype and priority level can go together, with the classification of an event being tied to a priority level. There are three default levels of priority (low, medium, and high), but you are able to define these further using the priority: option in your rule. The default priorities have a numeric value of 1 (high), 2 (medium), and 3 (low). The Classtype is used to categorize events. There are many preconfigured classtypes, and these are assigned to one of the three default priority levels. The following table details some of the default classtypes.

Classtype                        Description                                                Priority
attempted-admin                  Attempted administrator privilege gain.                    High
attempted-user                   Attempted user privilege gain.                             High
shellcode-detect                 Executable code was detected.                              High
successful-admin                 Successful administrator privilege gain.                   High
trojan-activity                  A network Trojan was detected.                             High
web-application-attack           Web application attack.                                    High
attempted-recon                  Attempted information leak.                                Medium
suspicious-login                 An attempted login using a suspicious user name detected.  Medium
successful-dos                   Denial-of-service attack.                                  Medium
unusual-client-port-connection   A network client was using an unusual port.                Medium
icmp-activity                    Generic ICMP event.                                        Low
network-scan                     Detection of a network scan.                               Low

Here is an example rule with the addition of these new options:
alert tcp $EXTERNAL_NET any -> 192.168.10.1 80 (msg:"Sample web access alert"; classtype:web-application-activity; reference:url,www.securitycertified.net; sid:10000023; rev:2;)


Walking through this rule from the beginning: This is an alert rule, looking at TCP as the protocol. It is designed to alert on traffic from the external network on any port to the machine at 192.168.10.1 on port 80. There is a simple message that states Sample web access alert, and the classtype has been defined as the built-in web-application-activity. As a reference for more information, a URL has been given, www.securitycertified.net, and this is the second revision of the rule, which has a Snort Rule ID of 10000023.
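To tie together the SID ranges, the Task 8C-1 ruleset and the classtype table, here is an added example (written for this edit, not from the course or from Snort) that lints a local rules file: it checks that actions are lowercase, that every rule has a msg and a unique sid in the local range, flags classtypes it does not know, and reports the priority a rule will carry. The sample ruleset is constructed, and the priorities given for attempted-dos, misc-activity and web-application-activity (used by rules quoted later in this lesson) come from Snort's classification.config rather than from the table above.

```python
import re

ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
LOCAL_SID_MIN = 1_000_001        # 1,000,001 and greater are custom local rules
RECOMMENDED_SID_MIN = 4_000_000  # the lesson suggests four million and up

# Default priority per classtype (1 high, 2 medium, 3 low).  The first twelve
# come from the lesson's table; the last three are used by rules quoted in
# the lesson and carry these priorities in Snort's classification.config.
CLASSTYPE_PRIORITY = {
    "attempted-admin": 1, "attempted-user": 1, "shellcode-detect": 1,
    "successful-admin": 1, "trojan-activity": 1, "web-application-attack": 1,
    "attempted-recon": 2, "suspicious-login": 2, "successful-dos": 2,
    "unusual-client-port-connection": 2, "icmp-activity": 3, "network-scan": 3,
    "attempted-dos": 2, "misc-activity": 3, "web-application-activity": 2,
}

_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_CLASSTYPE_RE = re.compile(r"\bclasstype\s*:\s*([\w-]+)\s*;")
_PRIORITY_RE = re.compile(r"\bpriority\s*:\s*(\d+)\s*;")
_MSG_RE = re.compile(r'\bmsg\s*:\s*"')


def effective_priority(rule):
    """Priority the rule will carry: an explicit priority: option wins,
    otherwise the classtype's default, otherwise None."""
    m = _PRIORITY_RE.search(rule)
    if m:
        return int(m.group(1))
    c = _CLASSTYPE_RE.search(rule)
    return CLASSTYPE_PRIORITY.get(c.group(1)) if c else None


def lint_ruleset(text):
    """Return a list of (line_number, message) findings for the rules in text."""
    findings = []
    seen_sids = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = line.strip()
        if not rule or rule.startswith("#"):
            continue
        fields = rule.split()
        if fields[0] not in ACTIONS:
            findings.append((lineno, "%r is not a Snort action (actions are lowercase)" % fields[0]))
        if len(fields) < 2 or fields[1] not in PROTOCOLS:
            findings.append((lineno, "protocol must be one of tcp, udp, icmp, ip"))
        if "(" not in rule:
            findings.append((lineno, "header-only rule: add a msg and a sid so its matches can be identified"))
            continue
        if not _MSG_RE.search(rule):
            findings.append((lineno, "no msg option; alerts will carry no description"))
        m = _SID_RE.search(rule)
        if not m:
            findings.append((lineno, "no sid option"))
        else:
            sid = int(m.group(1))
            if sid in seen_sids:
                findings.append((lineno, "sid %d already used on line %d" % (sid, seen_sids[sid])))
            seen_sids.setdefault(sid, lineno)
            if sid < LOCAL_SID_MIN:
                findings.append((lineno, "sid %d is reserved for Snort; local rules start at %d" % (sid, LOCAL_SID_MIN)))
            elif sid < RECOMMENDED_SID_MIN:
                findings.append((lineno, "sid %d may collide with third-party rules; consider %d or higher" % (sid, RECOMMENDED_SID_MIN)))
        c = _CLASSTYPE_RE.search(rule)
        if c and c.group(1) not in CLASSTYPE_PRIORITY:
            findings.append((lineno, "unknown classtype %r" % c.group(1)))
    return findings


# Constructed sample: the Task 8C-1 ruleset plus three deliberately flawed lines.
SAMPLE_RULES = """\
# constructed sample ruleset for the linter
log tcp any any <> any any (msg: "TCP Traffic Logged"; sid:10000001;)
alert icmp any any <> any any (msg: "ICMP Traffic Alerted"; sid: 10000002;)
alert tcp any any <> any any (content: "password"; msg: "Possible Password Transmitted"; sid:10000003;)
Alert tcp any any -> 10.0.10.0/24 any (msg: "SYN FIN Scan Possible"; flags: SF; sid:233;)
alert tcp any any -> 10.0.10.0/24 any (msg: "NULL scan detected"; flags: 0; sid:10000003; classtype:scan;)
log tcp any any -> 10.0.10.0/24 23
"""

if __name__ == "__main__":
    for lineno, message in lint_ruleset(SAMPLE_RULES):
        print("line %d: %s" % (lineno, message))
```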

Rule Payload
The core of many IDSes is to examine the actual contents, or payload, of each packet. Snort can look inside the packet at the payload details to make a determination about that specific packet. There are many options for Snort here, and in this lesson, you will focus on a few specific options.

Content Keyword
In Snort, the content keyword might be the most important of all the keywords. The content keyword is how you define the specific content inside the packet's payload that Snort should look at for rule matching. A critical issue to keep in mind when defining content is that the data can be either text or binary data. Your binary data is normally provided in bytecode format, and it is enclosed within the pipe ( | ) character. Bytecode is a way of representing binary data in hexadecimal format. When you enter your content information, if you require the : character, such as in a URL, use the |3a| notation instead. Using the : character in content matching will cause problems because the : character is used after each keyword.

Other Keywords
The content keyword matches either text or binary data.

The nocase keyword simply tells Snort to ignore case when looking into a packet. Nocase is a modifier, used after the content keyword. The depth keyword tells Snort how far into a packet it should look to find the pattern, or content match. If you inserted a value of 5 here, then Snort would only look for the pattern within the first 5 bytes of the packet payload. Like nocase, the depth keyword is a modifier used after the content keyword. The offset keyword tells Snort to ignore a defined number of bytes before looking into a packet. If you inserted a value of 5 here, then Snort would start to look for the pattern, or content match, after the first 5 bytes of packet payload. Offset is also a modifier and must be used after the content keyword. Here is an example rule with the addition of these new options:
alert tcp $EXTERNAL_NET any -> 192.168.10.1 80 (msg:"Sample web access alert"; content:"http|3a|//www.securitycertified.net/test.cgi?id=r00t"; nocase; offset:2; classtype:web-application-activity; reference:url,www.securitycertified.net; sid:10000025; rev:2;)

This rule is the same as the previous example, with some additions. The first is the content keyword. This rule is looking for content that includes a URL with id=r00t in the payload. Note that the : character you would normally put in a URL has been replaced with the |3a| notation. You cannot use the : character inside the content keyword. This rule is skipping the case sensitivity and is ignoring the first 2 bytes of each payload. Lastly, as this is a different rule, there is a different sid assigned.
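The content, nocase, offset and depth options described here, together with the flags option from earlier in this topic, modelled in Python as an added example (not the course's or Snort's own code): decode_content turns |hex| bytecode into bytes, content_matches applies the modifiers, flags_match applies the +, * and ! operators, and packet_matches_options evaluates the rule above against a constructed request payload. It assumes a single content keyword per rule, and follows Snort in counting depth from the offset when both are given.

```python
import re

# TCP flag bits by the single letters Snort uses; 1 and 2 are the reserved
# bits, numbered as Snort numbers them (1 is the most significant bit).
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
                 "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}


def decode_content(spec):
    """Turn a content string into bytes.  Text outside pipes is literal and
    text between pipes is hexadecimal bytecode, so 'http|3a|//' -> b'http://'."""
    if spec.count("|") % 2:
        raise ValueError("unbalanced | in content %r" % spec)
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def content_matches(payload, spec, nocase=False, offset=0, depth=None):
    """Search payload for the content.  offset skips that many leading bytes;
    depth limits how many bytes (counted from the offset, as in Snort) are
    searched; nocase compares case-insensitively."""
    pattern = decode_content(spec)
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    if nocase:
        return pattern.lower() in window.lower()
    return pattern in window


def parse_flags_spec(spec):
    """'SF' -> (0x03, ''), '0' -> (0, ''), 'S12' -> (0xC2, ''),
    'A+' -> (0x10, '+'), 'SA*' -> (0x12, '*'), '!A' -> (0x10, '!')."""
    spec = spec.strip()
    modifier = ""
    if spec.startswith("!"):
        modifier, spec = "!", spec[1:]
    elif spec and spec[-1] in "+*":
        modifier, spec = spec[-1], spec[:-1]
    mask = 0
    for letter in spec:
        if letter != "0":                  # '0' means no flags set
            mask |= TCP_FLAG_BITS[letter]  # KeyError on an unknown letter
    return mask, modifier


def flags_match(packet_flags, spec):
    """Apply the flags option: exact match by default, + for the listed flags
    plus any others, * for any of the listed flags, ! for none of them."""
    mask, modifier = parse_flags_spec(spec)
    if modifier == "+":
        return packet_flags & mask == mask
    if modifier == "*":
        return packet_flags & mask != 0
    if modifier == "!":
        return packet_flags & mask == 0
    return packet_flags == mask


def parse_options(rule):
    """Split the text inside the parentheses into (keyword, value) pairs;
    modifiers such as nocase get the value None.  Content values containing
    a ; would need escaping in Snort and are not handled here."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    options = []
    for item in body.split(";"):
        if item.strip():
            key, _, value = item.strip().partition(":")
            options.append((key.strip(), value.strip().strip('"') if value else None))
    return options


def packet_matches_options(rule, payload, tcp_flags=0):
    """Evaluate a rule's flags and (single) content option, with its nocase,
    offset and depth modifiers, against one packet's payload and TCP flags."""
    content, nocase, offset, depth = None, False, 0, None
    for key, value in parse_options(rule):
        if key == "content":
            content = value
        elif key == "nocase":
            nocase = True
        elif key == "offset":
            offset = int(value)
        elif key == "depth":
            depth = int(value)
        elif key == "flags" and not flags_match(tcp_flags, value):
            return False
    return content is None or content_matches(payload, content, nocase, offset, depth)


# The lesson's content rule and a constructed request payload (upper-cased so
# that only nocase lets it match; the request method occupies the offset bytes).
R00T_RULE = ('alert tcp $EXTERNAL_NET any -> 192.168.10.1 80 (msg:"Sample web access alert"; '
             'content:"http|3a|//www.securitycertified.net/test.cgi?id=r00t"; nocase; offset:2; '
             'classtype:web-application-activity; sid:10000025; rev:2;)')
SAMPLE_PAYLOAD = b"GET HTTP://WWW.SECURITYCERTIFIED.NET/TEST.CGI?ID=R00T HTTP/1.0\r\n"

if __name__ == "__main__":
    print(packet_matches_options(R00T_RULE, SAMPLE_PAYLOAD))
```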

Flow Control
The flow keyword gives you the flexibility to define packets with Snort in terms of their direction between the client and the server. This option works on TCP streams, and there are several choices for you, if you wish to use the flow keyword. The following list identifies the flow control options, with a brief comment about each option:

to_client: This matches a server response to a client.

to_server: This matches a request from a client to a server.

from_client: This matches packets sent from the client. Similar function as the to_server option.

from_server: This matches packets sent from the server. Similar function as the to_client option.

only_stream: This matches only on reassembled stream packets.

no_stream: This does not match reassembled stream packets.

established: This matches on packets that are part of an established TCP connection.

stateless: This matches packets without regard to state.

While there is no one correct way to write a Snort rule, there are some general guidelines that will make your writing more efficient and accurate. To start with, you want to be as precise as possible with your content matching. This will cut down on false matches and on the load on your system. A second guideline is to create rules to match the vulnerability, not the specific exploit. Writing rules that look for matches to the vulnerability will allow your IDS to still match traffic, even if an attacker makes a modification to the exploit.

Pre-configured Rules
It is vital that you know how to create rules for Snort, but no one wants to build something from scratch when it is already available and you can get it with very little effort. The same thought applies to basic rules for Snort. The default Snort installation comes with a selection of IDS rules for you to pick through and use, and there are several more available for download at www.snort.org. There are several options for you to choose from when you wish to receive Snort rules. If you need to have real-time rules, with the most current options available, you must become a subscriber to receive the Sourcefire VRT-certified rules. The Subscriber rules are the ones you need if you are looking to address security issues as they arise, often with a new rule available within days of a new vulnerability being introduced. The second method to download pre-configured rules is to become a registered user at www.snort.org. Registered users are able to receive all the latest Snort rules, but the rules are available 30 days after they are made available to Sourcefire subscribers. The third way to download pre-configured rules from Snort is as an unregistered user. Unregistered users are able to download the ruleset that is available with every major Snort release.


In addition to the rules that are available from Snort, there are rules available from www.bleedingsnort.com. The bleedingsnort.com rules are very current and are submitted by people from all over the net. If you need absolute up-to-the-minute, experimental, and test rules, this is the location to find them. In this lesson, you will work with Snort rules that are made available to everyone (unregistered) from www.snort.org.

TASK 8C-3
Examining Pre-configured Rules
1. Navigate to C:\Tools\Lesson8\Rules.

2. Copy all the .rules files to the C:\Snort\rules folder.

3. Navigate to the C:\Snort\rules folder.

4. Open the folder, and browse through the pre-configured rules. You will come back to these files in a moment.

Examine Denial of Service Rules


As you can see, there are many very detailed default rules for you to work with. One section of the pre-configured rules deals with Denial of Service attacks. Here is a sample rule from this file:
alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default startup password"; flow:established,to_server; content:"betaalmostdone"; reference:arachnids,197; classtype:attempted-dos; sid:233; rev:3;)

Starting at the beginning of this rule, you can see that it is an alert, matching tcp as the protocol. Traffic from the external network, on any port, going to the internal network on port number 27665 is what Snort will be looking at. This rule is looking for an established TCP connection, with traffic going to the server. The content is listed as: betaalmostdone. Since this incident would be an attempt at denial of service, this rule appropriately is given the classtype of attempted-dos; it has a reference you can check in the Arachnids database, number 197 (Arachnids was an incident database; more current data is found on the CVE list); it has been given a Snort rule ID of 233; and this is the third revision of the rule.


TASK 8C-4
Examining DDoS Rules
1. Navigate to the C:\Snort\rules folder.

2. Open the ddos.rules file with WordPad.

3. Based on these rules, what three ports does the DDoS tool Trin00 utilize? UDP 31335, TCP 27665, and UDP 27444.

4. Based on these rules, what icmp_id numbers does the DDoS tool Stacheldraht utilize? Icmp_ids: 666, 667, 668, 669, 1000, 6666, 6667.

Examine Backdoor Rules


Just as there are pre-configured rules for Distributed Denial of Service, there are extensive rules designed for matching backdoor attacks. These rules will generally be more complex than a DoS rule because the content matching often requires more information. Here is a sample rule from the backdoor.rules file:
alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flow:from_server,established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:109; rev:5;)

This rule is an alert looking for matches on the TCP protocol. In this case, it is traffic from your internal network on port 12345 or 12346 to the external network on any port. The NetBus server actually resides on the compromised host, in this case, inside your network. The traffic flow is from the server (compromised host), and it is an established connection. The content that is being looked for is NetBus. This alert is characterized as misc-activity, has a Snort rule ID of 109, and is the fifth revision of the rule.

TASK 8C-5
Examining Backdoor Rules
1. Navigate to the C:\Snort\rules folder.

2. Open the backdoor.rules file with WordPad.


3. Based on this rule set, what service and port are the majority of the Linux rootkit attempts using? Telnet, on port 23.

4. Is the second Subseven rule with SID 107 looking for an attempt to place a Trojan on a computer in your network or looking for evidence that a Trojan has already been placed on a computer in your network? Looking for evidence that a Trojan is already in the network.

Examine Web Attack Rules


One of the fastest growing areas of attack is on web servers. Since these are exposed, they are often the targets of attacks from every skill level, from script kiddies to more experienced attackers. Snort has many rules designed to look for web attacks. Here is one example rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/shadow access"; flow:to_server,established; content:"/etc/shadow"; nocase; classtype:web-application-activity; sid:1372; rev:5;)

This rule is an alert, looking at TCP traffic from the external network on any port to your web servers on your web server ports. The web servers and web server ports are defined in your variables. The flow of this traffic is to the web server, and it would be an established connection. The attacker is looking for the /etc/shadow file on a Linux/UNIX system. Case sensitivity is not taken into consideration with this rule; it has been given a Snort Rule ID of 1372, and is the fifth revision of the rule. This specific rule lists the classtype as web-application-activity, but you might want to consider this potentially a recon event.
If you have an older rule set, your web attack rules may vary.

TASK 8C-6
Examining Web Attack Rules
1. Navigate to the C:\Snort\rules folder.

2. Open the web-attacks.rules file.

3. Which rule is watching for an attacker adding a user account to the administrators group? SID 1357.

4. In SID 1335, an attacker would send the command /bin/kill. What operating system is the web server likely running? Linux/UNIX.

5. Many of these rules contain the %20 characters. What does this mean? This means that the Snort rule is looking to match a space where the %20 resides in the content portion of the rule.


Examine Web IIS Rules


As the Microsoft IIS Web Server grows in popularity, the attacks seem to grow exponentially. Because of this, there is a ruleset dedicated to rules for the IIS Server. Here is one example of an IIS rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Directory transversal attempt"; flow:to_server,established; content:"..|5C|.."; reference:bugtraq,2218; reference:cve,1999-0229; classtype:web-application-attack; sid:974; rev:10;)

This rule addresses a rather famous exploit where a person could simply put in the URL a line that would give them access to the computer. This is called the directory traversal attack, where the attacker uses ../.. in the URL as part of the attack. In this rule, the alert is acting on TCP traffic in the direction of the external network on any port towards the web servers on web server ports. The connection must be established and is in the direction towards the server. The key point in this rule is the content of ..|5C|.. This would be a double-dot, then a /, then a double-dot to the server. Since the rule requires the ASCII conversion, the rule has the pipe symbol, 5C, then the pipe symbol, as / in ASCII is 5C. This is classified as a web attack, has a Snort ID of 974, and is the tenth revision of the rule.

TASK 8C-7
Examining IIS Rules
1. Navigate to the C:\Snort\rules folder.

2. Open the web-iis.rules file with WordPad.

3. The Code Red exploit has .ida? in the payload. Which SID would you look up online for more information about the rule to match Code Red attacks? SID 1243.

4. The Code Red II exploit attempted to use /root.exe and has a Snort Rule ID of 1256. If you wanted to learn more about this exploit, what URL would you use to find more information about Code Red? www.cert.org/advisories/CA-2001-19.html


Topic 8D
Configuring Snort to Use a Database
Snort Output Plug-ins
By now you can see that Snort will be able to generate large volumes of data in the form of alerts, logs, and so on. Reading this data on screen while Snort is running isn't realistic, so you will need to use some means of reading the data that Snort collects. Snort provides several output options through the use of output plug-ins. In this section, you will configure Snort to output information to a MySQL database. Snort is not limited to using a MySQL database; that is simply the choice for this lesson. You could output Snort to Oracle, SQL Server, any UNIX ODBC-compliant database, and so on.

In addition to sending logs and alerts to a database, you could instruct Snort to send this data to a remote logging server via Syslog. This is the command to output locally in Syslog format:
output alert_syslog: LOG_LOCAL2 LOG_ALERT

If you wish to send this data to a remote server, you will need to replace the local information with the remote server information. Another option, if you desire, is to output directly in a binary format that tcpdump works well with. This is the command to output in tcpdump format:
output log_tcpdump: snort.dump

In the snort.conf file, you will configure the type of output you wish to use. Remember, the output is detailed in the snort.conf file, not with a command-line switch. For this lesson, you will be configuring the system to output to a database. The following example shows what a basic entry for database logging would look like in the snort.conf file:
output database: log, mysql, user=username password=password dbname=snortdb host=localhost

Configure Snort to Use a Database


Since you are going to configure a MySQL database to accept data, you must inform Snort about the database and give it the information required to make the connection. In the following task, you will reconfigure the snort.conf file to include the output to the database.

430

Tactical Perimeter Defense

TASK 8D-1
Editing Snort.Conf
1. Navigate to the C:\Snort\etc folder.
2. Open the Snort.conf file with WordPad.
3. Scroll down in the file to the Output database plug-in section.
4. Add the following line:
   output database: log, mysql, user=snort password=snortpass dbname=snortdb1 host=localhost
5. Save and close the snort.conf file.

Installing MySQL for Snort


In order for Snort to utilize a database, you must build one. In this lesson you will work with the freely available and widely popular MySQL database. Keep in mind that Windows, Snort, and MySQL can take a lot of computing resources on a busy network, so a dedicated machine with a good processor and lots of memory would be a good base platform.

TASK 8D-2
Installing MySQL
1. Navigate to the C:\Tools\Lesson8 folder.
2. Double-click the mysql-essentials-5.0.27-win32.msi file.
3. In the Welcome screen, click Next.
4. Select the Custom radio button and click Next.
5. Click the Change button. You are going to install to a location you choose.
6. In the Folder Name text box, type C:\Snort\mysql and click OK, and then click Next.
7. Verify the install directory location and click Install.
8. Once MySQL is installed, select the Skip Sign-Up radio button and click Next.
9. Verify that the Configure MySQL Server Now check box is checked, and click Finish.
10. In the Welcome screen, click Next.
11. Select the Standard Configuration radio button, and click Next.
12. Check the Include BIN Directory In Windows PATH check box, and click Next. (Note: leave the box checked next to Install As Windows Service.)
13. In the Root Password and the Confirm text boxes, type and re-type sqlpass. Do not check the box to Enable Root Access or Create An Anonymous Account, and then click Next.
14. To start the configuration, click Execute, and then click Finish to end the installation.

With MySQL now installed with the base configuration, you will need to create the actual database that Snort is going to work with. In the following task, you will use both the MySQL command line and the Snort command line. Snort comes with a script to build the database in MySQL, complete with the appropriate tables. This script was generated during the install of Snort. If you recall, you had the option to define the database/logging that you would use, and you selected the option that included support for MySQL.

TASK 8D-3
Creating the Snort Database
1. Navigate to the C:\Snort\schemas directory. Note the file create_mysql. This is the file you will use to build the database.
2. Choose Start→All Programs→MySQL→MySQL Server 5.0→MySQL Command Line Client.
3. Enter your MySQL root password. Note: This should be sqlpass from the previous task.
4. Enter create database snortdb1;
5. Enter show databases;
6. Verify that your two new databases are listed.
7. To switch to the new database, enter connect snortdb1;
8. To populate the database, enter source C:\Snort\schemas\create_mysql
9. To show the tables that were created during the execution of the previous script, enter show tables;
10. At the mysql> prompt, enter quit;


MySQL User Accounts


MySQL needs several user accounts for the full functionality of this lesson. You will need to configure the accounts so that MySQL will accept the data that Snort is sending, and so that an analysis program such as BASE (which you will see later) can connect to the database to pull the required data.

TASK 8D-4
Creating MySQL User Accounts
1. Choose Start→All Programs→MySQL→MySQL Server 5.0→MySQL Command Line Client.
2. Enter your MySQL root password. Note: This should be sqlpass.
3. At the mysql> prompt, enter show databases;
4. Enter grant INSERT,SELECT,UPDATE on snortdb1.* to snort identified by 'snortpass';
5. Enter grant INSERT,SELECT,UPDATE on snortdb1.* to snort@localhost identified by 'snortpass';
6. Enter flush privileges;
7. Enter exit;
8. Navigate to the C:\Snort\mysql folder.
9. Right-click my.ini and open the file with WordPad.
10. Change the following line:
    Before:
    sql-mode="STRICT_TRANS_TABLES,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
    After:
    sql-mode="NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
11. Save and close the my.ini file.

Snort to Database Connectivity


Now that you have a database installed and have configured Snort to communicate with the database, you need to test this connectivity. The following quick task is a simple loading of the snort.conf file to check to see if the connection to the database is functional. You do not want to go further in your configuration if you are unable to get the connection between MySQL and Snort to function.


TASK 8D-5
Testing the New Configuration
1. Open a command prompt.
2. Navigate to the C:\Snort\bin folder.
3. Enter snort -d -e -v -iX (remember to change X to use your network interface as before).
   If you receive a winpcap error, you can try using winpcap_3_1.exe.
4. Watch to see that Snort is functional and is showing packets on screen. If you need to generate network traffic, ping a neighbor computer.
5. Press Ctrl+C to end Snort.
6. To see the full Snort system running, enter snort -d -e -v -iX -c C:\Snort\etc\snort.conf -l C:\Snort\log
7. Press Ctrl+C to stop Snort.
8. To see where Snort made the connection to the database, scroll through the commands.

Snort as a Service
While it may work for you to manually start and stop Snort to perform the occasional packet capture, in a working environment, you will likely want Snort on all the time. One way to achieve this is to install Snort as a service in Windows. The following task will walk you through the steps of adding a service, and then verify that it starts automatically.

TASK 8D-6
Configuring Snort as a Service
1. Open a command prompt.
2. Navigate to the C:\Snort\bin> folder.
3. At the C:\Snort\bin> prompt, enter snort /SERVICE /INSTALL -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii -iX (Remember to change X to use your network interface as before.) You will receive a prompt that the SNORT_SERVICE has been successfully installed.
4. Close the command prompt.
5. Choose Start→Administrative Tools→Services.
6. In the right pane, scroll down to and double-click the Snort service.
7. In the Startup Type, change the setting from Manual to Automatic.
8. Click Apply.
9. To close the Snort Properties window, click OK. Do NOT click Start at this time.
10. Close the Services window.
11. To verify that the Snort service starts automatically, restart your server.
12. When the server restarts, log on as Administrator.
13. Right-click the taskbar and choose Task Manager.
14. Select the Processes tab, and verify that both Snort and mysql are started and running.
15. Select the Snort process, and note the amount of memory that is allocated to Snort. As you can see, Snort is a memory-intensive process.
16. Close the Task Manager.

Topic 8E
Running an IDS on Linux
LAMP On SuSe
While this lesson, up to this point, has focused on the use of Snort, in order to make the system more functional, you will need a system in place to read, sort, and view all the data that Snort is able to collect. In the previous section you saw how to set up Snort to interact with a MySQL database, while running on a Windows system. In this section, you will configure Linux with the background system to read the Snort data via a web browser. This requires the building of a LAMP server. LAMP stands for Linux, Apache, MySQL, and PHP (you may see the P also refer to Python or Perl, but in this case it is PHP). In addition to the LAMP components, you will install nmap, a tool you will use later in the lesson to generate network scanning traffic.

In SuSe Linux 10, many of the components required to build the environment for Snort are available and ready for installation. Other components will require you to connect to the Internet to get the current version. In this lesson, the specific versions are detailed. Please keep in mind that in the event that you use a different version, it is possible, and even likely, that these steps will not work.


TASK 8E-1
Installing LAMP Components
1. Log in to your Linux server as root.
2. From the Computer menu, choose Install Software.
3. In the Software list, scroll down and check the following check boxes:
   lamp_server (i586)
   nmap (i586)
   php5-gd (i586)
   php5-mysql (i586)
   php5-mysqli (i586)
   php5-pear (i586)
   snort (i586)
   webalizer (i586)
4. Verify that you have checked these components, and click Install.
5. The additional packages that are required for these components to run properly are listed. Review the list to see how many smaller pieces are required, and then click Apply.
6. If you are prompted for the Novell media, insert the CD or DVD now, and click OK. Note: it may take several minutes to install these packages.
7. Once the files have been copied, you will see an Installation Was Successful prompt. Click Close.
8. Close the Software Installer.

Apache and PHP


One of the critical components you just installed was PHP. PHP is a server-side scripting language. PHP is used to provide dynamic web page content to end users, without the end users having any new software to install on their system. The end user will connect to the server with a web browser, and the PHP scripting on the server's side will generate the response to deliver to the end user.

If you manually build your server, meaning if you install these components individually on their own versus through the SuSe installer, you will need to configure Apache to use PHP. This is done by editing the httpd file and adding the line for your version of PHP. You would also need to edit the PHP configuration file. During the installation, a file called php.ini-dist will be installed, and you would rename this file to php.ini. In the php.ini file, you need to tell PHP where to find the PHP extensions and where to find a temporary directory. In this task, since you used the SuSe installer, these steps are taken care of and you will not need to manually configure the php.ini file.


In the following task, you will turn on your Apache server and verify that PHP is properly installed and running. If your server does not reply with the test screen, you must check your installation. Without a functional PHP and Apache Server, you will not be able to complete the tasks in this topic.

TASK 8E-2
Apache and PHP Test
1. From the Computer menu, choose YaST.
2. On the left side, click System, and then click System Services (Runlevel).
3. Scroll down and highlight apache2.
4. Click Enable, and if you see a pop-up message about dependencies, click Continue.
5. In the success pop-up, click OK.
6. To close the System Services window, click Finish.
7. To save the Runlevel changes, click Yes.
8. Close YaST.
9. From the Computer menu, choose Firefox.
10. In the address bar, enter http://localhost
11. If your server is running, you will get the message, It works! If not, carefully repeat the installation steps.
12. Close the browser, and navigate to the /srv/www/htdocs directory.
13. Inside /srv/www/htdocs, create a new document named info.php
14. Right-click this document and open it with Gedit.
15. Enter <?php phpinfo(); ?> and then save and close the file. (Note: If you made your file using the File Manager, you must right-click and edit the permissions so that the Others group has read access.)
16. Open the web browser.
17. In the address bar, enter http://localhost/info.php
18. You will see a screen that presents all the local PHP information. This summary screen details the PHP install on your system.
19. Close the Web Browser.


Enable Snort on Linux


Now that you have verified that your web server is running, and you have verified that PHP is enabled and functional for your server, you can move on to the next section. In this section, you will configure Snort and enable MySQL. Previously, you configured these on Windows, so the steps should be familiar to you. First, you will configure Snort, then you will enable both Snort and MySQL in YaST. The steps to enable these services are critical. If you forget to enable both Snort and MySQL under System Services, you can expect to run into some errors later in the topic!

TASK 8E-3
Configure Snort on Linux
1. Open your file browser, and navigate to /etc/snort.
2. To open the file with Gedit, double-click snort.conf.
3. Edit these lines in your snort.conf file:
   var HOME_NET 172.X.0.0/16 (replace the X based on your address in the network)
   var EXTERNAL_NET !$HOME_NET
   var RULE_PATH /etc/snort/rules
   output database: log, mysql, user=snort password=snortpass dbname=snortdb1 host=localhost
4. Save and close the file.
5. From the Computer menu, choose YaST.
6. Click System, then click System Services (Runlevel).
7. Scroll down, highlight mysql, and click Enable. Click Continue To Enable The Dependencies, and then click OK.
8. Scroll down and highlight Snort, and click Enable. Note the message prompt, and click OK.
9. Click Finish, and then click Yes to save the changes to the run levels, and then close YaST.

Configuring MySQL on Linux


With the basic Snort configuration ready, next you must create the MySQL database for Snort to use. The script for building the database is included in Snort when Snort is compiled for use with a database. The default installation includes the scripts for a MySQL database.


Remember that when you work with MySQL, each of your commands ends with the ; character. If your install is not done on the SuSe platform with the software installer, the location of your Snort files will likely be different. In this task, you will assign a password to the root account, create and assign a password to the snort account, and build the database.

TASK 8E-4
Configuring MySQL for Snort
1. Open a Terminal.
2. Enter the following commands (press Enter after each command):
   mysql
   SET PASSWORD FOR root@localhost=PASSWORD('rootpass');
   create database snortdb1;
   grant ALL on root.* to snortdb1@localhost;
   grant CREATE, INSERT, SELECT, DELETE, UPDATE on snortdb1.* to snort identified by 'snortpass';
   grant CREATE, INSERT, SELECT, DELETE, UPDATE on snortdb1.* to snort@localhost identified by 'snortpass';
   exit
   mysql -u root -p (enter rootpass at the password prompt; a password typed after a space following -p would be taken as a database name)
   connect snortdb1;
   source /usr/share/doc/packages/snort/schemas/create_mysql;
   show databases;
   use snortdb1;
   show tables;
3. If you see the table, with 16 rows, you have successfully created the database and you can proceed. If not, please follow this task again carefully; every step must be exact.
4. At the mysql> prompt, enter exit
5. Close the Terminal window.
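The two sets of GRANT statements differ in scope: Task 8D-4 on Windows gives the snort account only INSERT, SELECT and UPDATE, while Task 8E-4 above adds CREATE and DELETE and a separate ALL grant. The following Python script is an added example, not part of the course or of MySQL, that parses GRANT statements and reports anything wider than a given role needs; the statements are constructed copies of the ones typed in those two tasks, and the privilege sets it treats as "needed" are an assumption stated in the code.

```python
"""Least-privilege audit of the GRANT statements used for Snort's MySQL
accounts. Added example, not part of the course or of MySQL; the GRANT
statements below are constructed copies of the ones typed in Task 8D-4
(Windows) and Task 8E-4 (Linux)."""
import re

# Assumed role needs: Snort's database output plug-in writes alerts
# (INSERT) and reads/updates its sensor and reference tables (SELECT,
# UPDATE). BASE's setup page creates its own tables (Task 8E-8), so the
# console account also needs CREATE, and DELETE lets it remove alerts.
WRITER_NEEDS = {"INSERT", "SELECT", "UPDATE"}
CONSOLE_NEEDS = WRITER_NEEDS | {"CREATE", "DELETE"}

# Constructed: the grants as typed in the Windows task (8D-4).
GRANTS_WINDOWS = [
    "grant INSERT,SELECT,UPDATE on snortdb1.* to snort identified by 'snortpass';",
    "grant INSERT,SELECT,UPDATE on snortdb1.* to snort@localhost identified by 'snortpass';",
]
# Constructed: the grants as typed in the Linux task (8E-4).
GRANTS_LINUX = [
    "grant ALL on root.* to snortdb1@localhost;",
    "grant CREATE, INSERT, SELECT, DELETE, UPDATE on snortdb1.* to snort identified by 'snortpass';",
    "grant CREATE, INSERT, SELECT, DELETE, UPDATE on snortdb1.* to snort@localhost identified by 'snortpass';",
]

GRANT_RE = re.compile(
    r"grant\s+(?P<privs>.+?)\s+on\s+(?P<obj>\S+)\s+to\s+(?P<user>[^\s;]+)",
    re.IGNORECASE,
)


def parse_grant(stmt):
    """Return (privilege set, object, account name) for one GRANT statement.
    ALL / ALL PRIVILEGES is kept as the literal set {'ALL'}; the host part
    of 'user@host' is dropped so both forms of an account compare equal."""
    m = GRANT_RE.search(stmt)
    if not m:
        raise ValueError(f"not a GRANT statement: {stmt!r}")
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    if privs & {"ALL", "ALL PRIVILEGES"}:
        privs = {"ALL"}
    user = m.group("user").split("@", 1)[0].strip("'\"`")
    return privs, m.group("obj"), user


def audit(grants, alert_db, allowed=CONSOLE_NEEDS):
    """Return one finding per grant that goes beyond `allowed` on the alert
    database, or that touches any other database at all."""
    findings = []
    for stmt in grants:
        privs, obj, user = parse_grant(stmt)
        if privs == {"ALL"}:
            findings.append(f"{user}: ALL on {obj} is wider than any Snort or BASE role needs")
            continue
        if obj != f"{alert_db}.*":
            findings.append(f"{user}: grant on {obj} is outside the alert database {alert_db}")
            continue
        extra = sorted(privs - allowed)
        if extra:
            findings.append(f"{user}: {', '.join(extra)} not needed on {obj} for this role")
    return findings


if __name__ == "__main__":
    for label, grants in (("Windows 8D-4", GRANTS_WINDOWS), ("Linux 8E-4", GRANTS_LINUX)):
        print(label, "as console account:", audit(grants, "snortdb1") or "ok")
        print(label, "as writer-only account:", audit(grants, "snortdb1", WRITER_NEEDS) or "ok")
```

Run with a second `allowed` set to see which of the Linux grants are only there for BASE and would be unnecessary on a sensor that merely writes alerts.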

Connecting Snort to a Database


Now that you have configured Snort to connect to the database, and you have configured the database to accept the connections from Snort, you should test this configuration. You do not want to get too far into this configuration only to find an error from the beginning. Note that in the tasks here, you are issuing the full command syntax in Snort to see the results on screen. In your production environment, you would most likely not include the option to see this information on screen, as you would have little use for seeing that information on screen. In this following task, you will run a test to confirm that Snort can connect to the database. If you do not make the connection to the database, you must stop here and go back through the tasks to find the error. Once connected, you will exit the Snort process. At this time, do not leave Snort running.

TASK 8E-5
Testing Snort Connectivity to the Database
1. 2. 3. Open a Terminal window. Enter snort -d -e -v -c /etc/snort/snort.conf -l /var/log/snort It may take a moment, but you should see Snort load and make the connection to the database. If you get an error message, verify that all the lines are correct in your snort.conf le and that your MySQL is congured properly. Press Ctrl+Z to stop Snort. Scroll up to see where Snort made the connection to the database. Once successful, close the Terminal window.

4. 5.

Installing ADOdb and BASE


Since you have configured several components up to this point, now is a good time to review. First, you installed and configured Apache to start up. You then configured PHP to work with the server, and verified that PHP is working with a simple test page. Next, you configured Snort for your system, and configured MySQL to work with Snort by creating the appropriate database. Lastly, you ran a connectivity test to ensure that Snort can connect to the MySQL database that you created.

With those pieces in place, you are ready to install what is called the Basic Analysis and Security Engine, or BASE for short. You use BASE through your web browser to analyze the data that Snort is sending to your MySQL database. The team at www.sourceforge.net describes BASE as follows: BASE is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a SNORT IDS system. ACID was the original web front-end for Snort results and has evolved into BASE. ACID is still used by many organizations.

Another component you will need to download is called ADOdb. ADOdb is used by BASE with PHP to perform the actual queries of the Snort database. Since PHP's database access abilities are not standardized, there needs to be some means of access, and this is where ADOdb comes into play.

You will need to download two more parts for this section to be operational. These files have already been downloaded and are on the SCNS Course CD; the task will simulate the location you may download files to on your local computer. If you download new files, be sure you use the exact file names in this task; if not, it is possible that your BASE console will not function as expected. Here are the locations for these two files:
http://sourceforge.net/projects/adodb (this is where you can download ADOdb)
http://sourceforge.net/projects/secureideas (this is where you can download BASE)


TASK 8E-6
Downloading ADOdb and BASE
1. Open a Terminal window.
2. Enter the following commands:
   cd /
   mkdir download
   cd /download
   ls
   cd /Tools/Lesson8
   ls
   cp adodb493a.gz /download
   cp base-1.2.7.tar.gz /download
   cd /download
   ls

With these two files downloaded, you are now ready to install them. The install steps are straightforward; however, there is one configuration file for BASE that you will need to configure. This file, called base_conf.php, needs to know where your adodb is installed and needs to know how to connect to the Snort database you made in MySQL. In the following task, you will install these two files and configure the BASE php file.

TASK 8E-7
Installing ADOdb and BASE
1. Open a Terminal window.
2. Enter the following commands:
   cd /download
   cp adodb493a.gz /srv/www
   cd /srv/www
   tar -xvzf adodb493a.gz
   rm -rf adodb493a.gz
   cd /download
   cp base-1.2.7.tar.gz /srv/www/htdocs
   cd /srv/www/htdocs
   tar -xvzf base-1.2.7.tar.gz
   rm -rf base-1.2.7.tar.gz
   mv base-1.2.7 base
   cd /srv/www/htdocs/base
   cp base_conf.php.dist base_conf.php
   Be sure you type these commands exactly.
3. Once you have created the new base_conf.php file by copying it, you can close the Terminal window.
4. In the file browser, navigate to /srv/www/htdocs/base and open base_conf.php with Gedit.


5. Edit the file so that the following changes take place (the values are PHP strings, so each one is quoted, and the variable names are case-sensitive):
   $BASE_urlpath = '/base';
   $DBlib_path = '/srv/www/adodb/';
   $alert_dbname = 'snortdb1';
   $alert_host = 'localhost';
   $alert_port = '';
   $alert_user = 'snort';
   $alert_password = 'snortpass';
6. Save and close the base_conf.php file.
7. Restart your server.
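The output database directive from the Snort Output Plug-ins section and the $alert_* values in base_conf.php describe the same connection from two sides, and a disagreement in dbname, host or user is the usual reason BASE reports an invalid database even though Snort itself connects. The following Python script is an added example, not part of the course, Snort or BASE: it parses the three output forms shown in this lesson (alert_syslog, log_tcpdump, database) and the edited base_conf.php, reports any mismatch, and lists which of the two files holds the database password in clear text. Both file excerpts are constructed from the lesson's values.

```python
"""Cross-check the writer side (snort.conf 'output' directives) against the
reader side (base_conf.php) of the Snort-to-BASE database link. Added
example, not part of the course, Snort or BASE; both file excerpts are
constructed from the values used in this lesson."""
import re

# Constructed snort.conf excerpt containing the three output forms the
# lesson shows (syslog, tcpdump binary, MySQL database).
SNORT_CONF = """\
# output plug-ins
output alert_syslog: LOG_LOCAL2 LOG_ALERT
output log_tcpdump: snort.dump
output database: log, mysql, user=snort password=snortpass dbname=snortdb1 host=localhost
"""

# Constructed base_conf.php excerpt as edited in Task 8E-7.
BASE_CONF = """\
<?php
$BASE_urlpath = '/base';
$DBlib_path = '/srv/www/adodb/';
$alert_dbname   = 'snortdb1';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snort';
$alert_password = 'snortpass';
"""

OUTPUT_RE = re.compile(r"^output\s+(\w+)\s*:\s*(.*)$", re.IGNORECASE)


def parse_snort_outputs(conf_text):
    """Return one dict per 'output <plugin>: <args>' directive. For the
    database plug-in the 'facility, dbtype, key=value ...' form is split out."""
    outputs = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OUTPUT_RE.match(line)
        if not m:
            continue
        plugin, args = m.group(1).lower(), m.group(2).strip()
        entry = {"plugin": plugin, "args": args}
        if plugin == "database":
            parts = [p.strip() for p in args.split(",", 2)] + ["", "", ""]
            entry["facility"], entry["dbtype"] = parts[0], parts[1]
            entry["params"] = dict(re.findall(r"(\w+)=(\S+)", parts[2]))
        outputs.append(entry)
    return outputs


def parse_base_conf(php_text):
    """Return the quoted $name = 'value'; settings from base_conf.php."""
    return {name: value for name, value in
            re.findall(r"\$(\w+)\s*=\s*['\"]([^'\"]*)['\"]\s*;", php_text)}


def check_db_link(conf_text, php_text):
    """Return mismatch findings between the Snort writer and the BASE reader;
    an empty list means both sides point at the same database and account."""
    dbs = [o for o in parse_snort_outputs(conf_text) if o["plugin"] == "database"]
    if not dbs:
        return ["snort.conf has no 'output database' directive"]
    snort, base = dbs[0]["params"], parse_base_conf(php_text)
    findings = []
    for snort_key, base_key in (("dbname", "alert_dbname"),
                                ("host", "alert_host"),
                                ("user", "alert_user")):
        if snort.get(snort_key) != base.get(base_key):
            findings.append(f"{snort_key}: snort.conf={snort.get(snort_key)!r} "
                            f"base_conf.php={base.get(base_key)!r}")
    if dbs[0]["dbtype"] != "mysql":
        findings.append(f"dbtype {dbs[0]['dbtype']!r} is not the MySQL that BASE was configured for")
    return findings


def files_holding_secrets(conf_text, php_text):
    """Return which of the two files carries the database password in clear
    text; both normally do, so both need read access limited to the
    accounts that run Snort and the web server (an assumed hardening step)."""
    holders = []
    if any("password" in o.get("params", {}) for o in parse_snort_outputs(conf_text)):
        holders.append("snort.conf")
    if "alert_password" in parse_base_conf(php_text):
        holders.append("base_conf.php")
    return holders


if __name__ == "__main__":
    print("outputs:", [o["plugin"] for o in parse_snort_outputs(SNORT_CONF)])
    print("mismatches:", check_db_link(SNORT_CONF, BASE_CONF) or "none")
    print("clear-text credentials in:", files_holding_secrets(SNORT_CONF, BASE_CONF))
```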

Configuring BASE
You have just about finished with the steps to getting your system operational. There is one last configuration that is required once the BASE console is running. In this last task, you will need to tell BASE how to set up the database. Once this last step is complete, your system will be ready to go.

TASK 8E-8
Configuring BASE
1. Open a web browser.
2. In the address bar, enter http://localhost/base/base_main.php
3. You will receive a message that the underlying database appears to be incomplete/invalid. Click the Setup Page link.
4. On the next page, click the Create BASE AG button on the right side of the page.
5. If you get a Security Warning, click Continue.
6. The required items will be successfully created. Click the Main Page link at the bottom of the page.
7. You are now at the default page of your new BASE console.

This next task is not a requirement specific to the BASE console, but it is required for remote access to your web server. Later in this lesson, you are going to generate some events through the web server. In order for a simulated attacker to be able to connect to your web server, it must be enabled for others to access. By default, the firewall in your installation does not allow this. In the following task, you will turn on the HTTP service through the firewall.


TASK 8E-9
Configuring the Firewall to Allow HTTP
1. From the Computer menu, choose YaST.
2. Click Security And Users, and then click Firewall.
3. On the left side, click Allowed Services.
4. From the Service To Allow drop-down list, select HTTP Server.
5. Click the Add button to the right of the drop-down list.
6. Click Next, and then click Accept.
7. Close YaST.

Generating Snort Events


At this time, you have configured Snort, MySQL, PHP, APACHE, ADOdb, and BASE. However, you likely had no data in your BASE console when you loaded it because there were no events present to cause a trigger. In the following section, you will start Snort, your instructor will generate some simple events, and you will then view this data in your BASE console.

TASK 8E-10
Generating Portscan Snort Events
Setup: This task requires students to work in pairs.
1. Right-click the desktop and open a Terminal.
2. To start Snort, enter snort -d -e -v -c /etc/snort/snort.conf -l /var/log/snort
3. Keep the Snort window open.
4. Right-click the desktop and open a second Terminal.
5. Verify that your partner has Snort started.
6. In your second Terminal, replacing a.b.c.d with your partner's IP address, enter
   nmap -sS a.b.c.d --system-dns
   nmap -sX a.b.c.d --system-dns
   nmap -sN a.b.c.d --system-dns
   nmap -sF a.b.c.d --system-dns
   nmap -O a.b.c.d --system-dns
7. When your partner has finished running these nmap scans, close your nmap Terminal, and proceed to the next step.
8. In your Snort Terminal, press Ctrl+Z to stop Snort.
9. Open a web browser, and enter http://localhost/base/base_main.php in the address bar.
10. Note that you will have new Portscan Traffic found (you may need to scroll down in your window to see this).
11. Scroll down in your browser, and click the Percentage link to the right of Portscan Traffic.
12. Here you can see the scans that were detected. Click any of the event IDs on the left side. These will likely start with #0, or something similar, on your system.
13. Review the details of this event.
14. Keep your Snort Terminal open, keep the BASE console open, and open a second web browser for the next task.

In the previous task, you generated simple Portscan traffic, which Snort reported and which you analyzed in your BASE console. In this next task, you will generate web attack traffic. These will be simple URL requests to your web server. You will start Snort in your Terminal window, then open a web browser and make several requests of your partner's server. You will then view the results of these actions in your BASE console.

TASK 8E-11
Generating Web Snort Events
Setup: This task requires students to work in pairs. One student running the Snort IDS, and the other an attacking Windows machine. It is suggested to go through the task twice, with students switching roles the second time through.
1. On the Linux machine, running Snort, open your Snort Terminal, and enter snort -d -e -v -c /etc/snort/snort.conf -l /var/log/snort
Steps 2 through 6 are to be done on the Windows Server 2003 machine.
2. On the Windows Server 2003 machine, verify that your partner has started Snort.
3. Open a web browser, and connect to http://your.partners.ip.address.
4. Verify that you see the It works! default page. If you do not see this message, check that the HTTP service is allowed on the web server.
5. In the web browser, enter the following URL requests. Note: These will be unsuccessful, which is fine for this task:
   http://your.partners.ip.address/../../
   http://your.partners.ip.address/../../bin/sh
6. Close the web browser.
Steps 7 through 12 are to be done on the Linux IDS machine.
7. On the Linux machine, running the Snort IDS, switch to your Snort Terminal, and press Ctrl+Z.
8. Open your BASE console.
9. Notice that you now have new alerts; this time they are TCP alerts.
10. Click the percentage next to TCP to analyze the alerts.
11. Answer the following questions:
    What is the name of this signature? (http_inspect) WEBROOT DIRECTORY TRAVERSAL
    How can you learn more about this event through BASE? Click the Snort link next to the name.
    What flags were set on this event? ACK and PSH.
12. Close all open windows.

You have now configured all the components of running a full-fledged Network Intrusion Detection System. The default configuration of Snort uses many different rulesets, which you can define in the snort.conf file. In your environment, you will need to craft rules for your specific requirements or use the predefined rulesets.
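The alert named in step 11, (http_inspect) WEBROOT DIRECTORY TRAVERSAL, fires on the attempt to walk above the web root, whether or not Apache serves anything for it. The following Python script is an added example, not the course's or Snort's code, that applies the same test to web server access-log lines: it percent-decodes and normalises each request path and reports the ones that escape the root. The log lines are constructed (172.16.0.5 is an assumed client address) from the two requests in step 5, an encoded variant of the second, and a benign path that contains '..' without escaping.

```python
"""Detect attempts to walk above the web root in web server access-log
lines, the condition behind the (http_inspect) WEBROOT DIRECTORY TRAVERSAL
alert seen in BASE. Added example, not the course's or Snort's code. The
log lines are constructed in Apache common-log style; 172.16.0.5 is an
assumed client address."""
import re
from urllib.parse import unquote

ACCESS_LOG = """\
172.16.0.5 - - [01/Jan/2007:10:00:01 -0500] "GET / HTTP/1.1" 200 44
172.16.0.5 - - [01/Jan/2007:10:00:07 -0500] "GET /../../ HTTP/1.1" 400 226
172.16.0.5 - - [01/Jan/2007:10:00:12 -0500] "GET /../../bin/sh HTTP/1.1" 400 226
172.16.0.5 - - [01/Jan/2007:10:00:20 -0500] "GET /base/base_main.php HTTP/1.1" 200 3120
172.16.0.5 - - [01/Jan/2007:10:00:25 -0500] "GET /%2e%2e/%2e%2e/bin/sh HTTP/1.1" 404 201
172.16.0.5 - - [01/Jan/2007:10:00:30 -0500] "GET /a/../b/index.html HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)


def escapes_webroot(raw_path):
    """True if the request path, after percent-decoding and normalisation,
    walks above '/'. The attempt is what matters: the server may refuse it
    (the lesson's requests return no page), but it is still the event the
    IDS reports. '.' and empty segments are ignored; '\\' is treated as a
    separator so a backslash variant is not missed."""
    path = unquote(raw_path.split("?", 1)[0])  # drop query, decode %2e etc.
    path = path.replace("\\", "/")
    depth = 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def traversal_events(log_text):
    """Return (source, timestamp, status, path) for each traversal attempt."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and escapes_webroot(m.group("path")):
            events.append((m.group("src"), m.group("ts"),
                           int(m.group("status")), m.group("path")))
    return events


if __name__ == "__main__":
    for src, ts, status, path in traversal_events(ACCESS_LOG):
        print(f"{ts} {src} traversal attempt {path} (status {status})")
```

Note that the status code is irrelevant to the verdict: the 400 and 404 responses above are still reported, just as the IDS reports the request rather than the server's answer.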
If you have time, have your students turn on Snort again, and then you can generate some events, scanning, web events, etc. Ask your students to identify what you did by analyzing their BASE consoles.

Summary
In this lesson, you identified that there are many different types of IDSes, and you implemented the world's favorite free IDS, Snort. You used Snort as a network-based IDS tool that is designed to monitor TCP/IP networks, looking for suspicious traffic and direct network attacks. You learned that Snort enables system administrators to collect enough data to make informed decisions on the best course of action when an intrusion is detected. You then built a fully functional network IDS on Linux, including the BASE console for alert analysis.


Lesson Review
8A What protocols does Snort support?
   TCP, UDP, IP, and ICMP.
   What are the four primary parts of the Snort.conf file?
   Variables, preprocessors, output plug-ins, and rulesets

8B What must be installed in Windows prior to installing snort?
   LibPcap for Windows (also known as WinPcap).

8C How do you negate an option in Snort?
   By using the exclamation point (!) symbol.

8D What Snort file must you edit in order to have Snort connect to a database?
   Snort.conf
   At the mysql prompt, what is the command to make a new database, called snortdb1?
   create database snortdb1;

8E What scripting does Apache need to have configured in order for your BASE console to work?
   PHP
   What are the components of a LAMP server?
   Linux, Apache, MySQL, and PHP


LESSON 9
Securing Wireless Networks

Overview
In this lesson, you will learn to implement and secure a wireless network. You will examine the components of the network, and how to configure these components. You will detail the security options required for making wireless networks part of your trusted enterprise. You will perform wireless network analysis using leading wireless tools, and examine how to create a trusted wireless network.

Data Files: dotnetfx.exe, NetStumblerInstaller_0_4_0
Lesson Time: 8 hours

Objectives
To secure a wireless network, you will:
9A Examine the fundamental issues of wireless networking. You will identify and examine the equipment, media, and systems of wireless networking.
9B Describe the fundamentals of wireless local area networks. You will describe how WLANs function, including the 802.11 framing options, the essentials of WLAN configurations, and the threats that exist to the WLAN.
9C Implement wireless security solutions. You will implement WEP, SSID broadcast disabling, MAC address filtering, and WPA as security solutions to the wireless network.
9D Audit the wireless network. You will use leading tools, such as OmniPeek Personal and NetStumbler, to audit a wireless network.
9E Describe the implementation of a wireless trusted network, a wireless PKI. You will examine the components required to implement and the procedure for implementing a wireless trusted network.

Lesson 9: Securing Wireless Networks

447

Topic 9A
Wireless Networking Fundamentals
Not too long ago, the concept of a network inside an office that had no wires running to and from the client computers seemed a bit far-fetched. Perhaps in the future, many people said, but not for a while. Fast forward only a few short years, and you are in the future. Wireless networks are here now. The idea now of a mobile workforce, able to move through an office, city, or country, and connect no matter where they are located has become very desirable to many organizations. The enterprise network now must include options for users to move, and have their connection stay with them.

In addition to the idea of a mobile workforce, other factors are pushing the implementation of wireless networks. New networks can be deployed faster, and often cheaper, if they are wireless versus wired. Buildings where running cable is cost prohibitive, such as offices across a street or city block, are finding wireless the best option. Companies that have chosen architectural buildings for their appearance may find those buildings marked as historical landmarks, and running cables may not be allowed. All of these reasons will make the option of a network without wires seem like the perfect solution.

But what may seem like a perfect solution has serious issues upon closer inspection. Even though the network experience may seem the same to end users, there are major differences in wireless networks from their wired counterparts. Where two computers communicating in a wired network have a single cable connecting each end point, there is no such cable for the wireless network. It is this lack of cable that causes the problems. For most enterprises, not much of the security policy and effort will be spent on the physical medium. There may be systems in place to try to prevent cable splicing, or physical security systems that guard the cable. The wireless network cannot employ these systems.

Wireless Equipment
As you may expect, there are unique pieces of equipment used to run the wireless network. Although many of these pieces perform tasks similar to their wired counterparts, the wireless network equipment requires specific examination. The physical pieces used in the wireless network require careful placement because the location of the devices can affect security and performance of the network.

Access Points
The centerpiece, literally, of the wireless network is the Wireless Access Point. The full acronym for this is WAP, but in the context of this lesson, the acronym AP (for access point) will be used. This is to eliminate confusion with the other wireless networking acronym of the same name, which is Wireless Application Protocol. The function of the AP in the wireless network is similar to that of the switch in the wired network. Individual components of the network communicate to and from the AP in order to communicate with other network components. Each AP will have at least one, and usually two antennas. By having multiple antennas, the AP is able to cancel out any duplicating radio waves that may reach the AP.

Figure 9-1: Linksys Wireless Access Point, model: WAP54G.

Wireless Network Cards (WNIC)


Just as a network card is required to connect to the cable in the wired network, a network card is required to connect to the wireless network media. These cards can be installed in desktop or laptop computers, or even embedded into appliances. The majority of newer laptop computers have built-in wireless network capability options as well.

Figure 9-2: Netgear wireless network card.

Antennas
Whereas the AP of the wireless network is similar to the switch in the wired network, and the network cards of both the wireless and wired networks have the same functionality, there is one component of the wireless network that is not found in the wired networks. This component is the antenna. The antenna itself becomes an extension of the transmitter or receiver. When an access point transmits a signal, it is passed from the internal signal generation components to the antenna, then transmitted through the air to a receiving antenna, which pulls the signal into the device. Through its construction and aiming, an antenna can be designed to increase its ability to pull in a good signal. This increase is called the gain of the antenna. Although there are many subtypes of antennas, there are three common types of antennas used to increase the range of wireless networks. These are the yagi, parabolic, and omni-directional antennas. The yagi antenna is one that is designed to be very directional. Yagi antennas may be enclosed in a tube, as shown in Figure 9-3, or they may be open, like the traditional over-the-air television antennas. Yagi antennas are perfect for direct point-to-point communication, such as a bridge connecting two offices.

Lesson 9: Securing Wireless Networks

Figure 9-3: A yagi antenna, manufactured by Telex Wireless.

The second common antenna is the parabolic antenna. This antenna is also a good choice for bridging two networks, and has a greater range than the yagi antenna. The parabolic dish antenna is able to create gains that can be twice that of the yagi antenna.

Figure 9-4: A parabolic dish antenna, manufactured by Telex Wireless.


The third common antenna is the omni-directional antenna. The omni-directional antenna is often used in conjunction with an AP to increase the local connection ability of the wireless network. This antenna type is usually mounted high above the group of end points that will communicate with the wireless network. The gain of the omni-directional antenna can approach that of some yagi antennas, but is quite a bit less than the gains of the parabolic antennas.

Figure 9-5: An omni-directional antenna, manufactured by Telex Wireless.

Association
A unique aspect of the wireless network is that nodes that are going to use an access point must first associate with an access point. In the wired network, the node is simply turned on and plugged into the cable; there is no association required for the local hub or switch. In the wireless network, the node must be turned on, and then associate with, or join, a wireless access point. This process of association is accomplished by the wireless node knowing what its alphanumeric identifier is, and looking for an alphanumeric identifier that matches. The vast majority of network cards now include an option that scans the local radio waves and lists the possible networks that the WNIC can attempt to associate with. The initial attempt is to associate; the WNIC must also be authenticated, and only then can the association succeed.

Wireless Media
In the traditional network, the cable can be guarded and cable runs carefully controlled; in the wireless network there is no cable. This presents the problem of wireless security in a very general way. The problem is how to secure that which you cannot see, and cannot control.


Although the media cannot be seen, there are similarities between the wired and wireless networks. In both networks, a signal is sent from one computer to another computer, there must be a common method of communication, and there must be a common method of delivery and receipt. In the wireless network, the media used to carry the signals from one wireless device to another can vary. In this course, you will examine the three wireless media: infrared, microwave, and radio waves. There are significant differences in these media, in how they work, and what they can do for your network.

Figure 9-6: The electromagnetic spectrum.


Infrared Wireless Media


Infrared wireless technology has been around for many years. The most common example of infrared technology is in electronic remote controls. Infrared signals are in the terahertz range, which allows for solid communication. The infrared signal is pure light, usually electromagnetic waves or photons from a small section of the electromagnetic spectrum. Infrared is a simple wireless technology that uses pulses of light. If a binary one is required, the light is on; if a binary zero is required, the light is off. An emitter on one device (normally an LED) sends the light, and a detector receives the light signal and reproduces the correct signal (either the one or the zero).

The two common methods of wireless infrared communication are line-of-sight and diffused (also called broadcast). Line-of-sight (sometimes called point-to-point) requires the emitter and detector to be directly in line with each other. If any object passes between the two points, no matter how briefly, the line-of-sight is broken and the transmission will be interrupted. Because of this, any networking service that requires a high degree of reliability will likely not use this implementation. Infrared is most often used today to connect devices such as digital cameras, scanners, PDAs, and other devices to computers. These types of devices can be held in close proximity to one another, so the odds of an object getting between the emitter and detector are very low.

From a security perspective, infrared line-of-sight is an acceptable choice. This is because the single beam between the two end points must be constant. There is no sniffing option, as the light beam is direct and focused. It is possible to split the beam, but that would require physical access to the beam between the two end points. The beam splitter is often a prism, normally designed as a right-angle triangle, with a mirror on a 45-degree surface. The beam goes through the prism, which reflects a small amount of the signal to a third point. This third point can then put the signal back together. Note that the splitter must be physically placed in the beam, so any enterprise with adequate physical security should prevent this type of sniffing.

Figure 9-7: A beam splitter.


Although the prism is the most common form of beam splitter, there are also beam splitters that are simple mirrors with a high degree of translucency. The mirror is placed at an angle in the stream, and functions just as the prism does. Just as the line-of-sight beam cannot be sniffed, the infrared signal cannot penetrate walls; therefore, the infrared transmission cannot be listened in on from a neighboring room or outside office. Another strong point for infrared line-of-sight is that outside interference is minimal; other radio waves will have no noticeable effect on the signal.

The security advantages of infrared wireless are offset by the limitations of infrared. Infrared cannot provide any mobility to the devices, and the pure line-of-sight requirement causes too much disruption in most office settings. Related to local line-of-sight infrared networks are laser communications. Laser communications work by using a powerful directed beam between two points, with the unique difference being that the distances covered are much greater. Laser line-of-sight transmissions can cover miles, as long as the direct and uninterrupted line-of-sight is clear and available.

Diffused infrared technologies overcome some of the limitations of line-of-sight communication. In the broadcast network, there are still two end points, the emitter and detector. However, the emitter does not send the signal directly to the detector. Instead, the signal is sent out to the network, and can bounce off walls and other objects in the room. The detector receives the signal and processes the information just as if it were line-of-sight. A big difference between line-of-sight and diffused infrared is speed. Because the signal has to travel farther and bounce off surfaces, it is a weaker signal when the receiving node detects the transmission. A second difference is that because the signal is broadcast, end points other than the intended recipient are able to receive the transmission. These issues combine to limit most use of infrared in wireless networking to small local devices. As more and more people use small devices, you can expect infrared technology to remain a part of wireless networking for some time.

Microwave Wireless Media


Whereas infrared wireless networking serves individual devices, such as PDA communication to a PC, it is usually not used to build the network infrastructure. One of the technologies that is used for this purpose is microwave technology. Microwave wireless networks allow two end points to be placed far apart from one another. The connection is still made between two end points, one sending and one receiving node. There are two main types of microwave systems used in wireless networking: terrestrial and satellite. Terrestrial microwave systems usually use a directional antenna to send and receive network transmissions directly from one to another. These systems are designed to be direct line-of-sight, although they can use relay towers to extend the range or to move the signal around obstacles. Weather can have an effect on these signals, although not to the degree that weather has on infrared. Depending on the laws in your area, you may need to get a license to operate a microwave transmitter. There are usually strengths and frequencies that do not require licensing. Even though it may not be required, you may wish to pursue licensing so you can protect the frequency for that area, and prevent others from using the same frequency.

Satellite Microwave
When you have extreme distance to cover, the only choice is satellite. Satellites are the equivalent of the transmitter and receiver stationed high in the sky. By placing the transmitter and receiver higher, more ground can be covered by the same point. This allows an enterprise with one office in New York to have a single hop to a second office in London.

Figure 9-8: Example of satellite microwave networking.

There are multiple orbits a satellite might take around the Earth. Geostationary orbits (GEOs) are those that circle Earth directly above the equator. A benefit of gravity and orbiting is that once at a specific point, the geostationary satellite will hold a fixed position relative to the ground. This position is approximately 22,200 miles (or 36,000 km) above the Earth's surface. Being placed at such an altitude, the satellite will be able to cover about one-third of the Earth's surface. You could, therefore, place three satellites 120 degrees apart and cover the entire planet, except for the extreme northern and southern latitudes. Today there are hundreds of GEOs in the sky above you. There is also an orbital pattern called the Highly Elliptical Orbit (HEO). These satellites do not orbit the Earth in a circle around the equator. Instead, they orbit in an oval-shaped pattern. The oval is not centered on the Earth; instead, the satellite will pass close to the Earth (its closest point is called the perigee of the orbit), and will then move farther away from Earth (its farthest point is called the apogee of the orbit).


Finally, there are Low Earth Orbits (LEOs). These orbits are between 124 and 15,900 miles above the Earth's surface (between 200 and 25,589 km). Most of the satellites in this range are at the low end, from 124 to 1,490 miles (200 to 2,400 km). These satellites can move very fast, and can be visible with the naked eye to an observer standing on Earth. A satellite in LEO may be able to circle the entire Earth in 90 minutes. LEOs are not restricted to equatorial orbits.

TASK 9A-1
Examining Satellite Orbits
1. Open Internet Explorer, and connect to http://science.nasa.gov/Realtime/JTrack/3D/JTrack3D.html
2. In the dialog box asking you to perform an install, click No.
3. Wait for a moment; the JTrack satellite applet will open and load satellite data. Maximize the applet.
4. Once the applet loads, press Ctrl and click the mouse (Ctrl-click) to move the Earth back and to see the orbital path of the GEOs. Examine the distance to the GEO orbits in relation to the size of the Earth.
5. Click any small white dot to see the orbital path of the satellite.
6. Click the mouse in the applet and drag to rotate the Earth, and notice the GEOs are all lined up in a similar pattern.
7. Ctrl-click until the Earth is small in the applet.
8. Click a white dot that seems farther away from Earth, and not in the same circular pattern as the GEOs.
9. Try to find Chandra, AO-40, and Integral. Examine the orbital patterns of these HEO satellites.
10. Shift-click to move in towards Earth until the continents are clearly visible.
11. Click any white dot that is near Earth, and examine the orbital patterns of these LEO satellites.
12. Shift-click until the Earth fills the applet window.
13. Choose Options→Update Rate→14 Second.
14. Choose Options→Timing→Real-time.
15. Note the movement of the satellites in LEO.
16. Choose Options→Timing→X100.
17. Note the movements of the LEO satellites at 100 times real-time speed.
18. When you have finished examining the orbital patterns of the satellites, close the JTrack3D applet and close Internet Explorer.
19. What type of satellite orbit, the LEO or the GEO, will introduce the largest delay in packet transmission?
The GEOs produce the highest delay in packet transmission. You may be able to get high speeds, but the distance alone dictates that there will be considerable delay in the network packet transmission.

Radio Wireless Media


Although infrared and satellite communications have their place in the wireless world, the emphasis today in regards to security is on radio waves. This is because the vast majority of wireless network communications take place on radio waves. Although people often think of the analogy of water waves, this is not quite accurate. Radio waves do not require a physical medium the way a water wave requires water. Rather, radio waves ride on an electromagnetic (EM) wave, referred to as the EM field. Waves in the electromagnetic spectrum move at the speed of light, or 186,000 miles per second.

There is similarity with the water wave in dissipation, however. If you throw a rock into water, a wave starts in a circular pattern and radiates out from where the rock entered the water. The circular waves get smaller, or dissipate, as they get farther away from the source. Radio waves are similar. They are broadcast from a source, and radiate out away from the source. The farther away from the source, the weaker the signal becomes, until it can no longer be detected.

In the water, waves reflect off of surfaces, and can even bounce back onto another wave. This can happen with radio waves as well. If two waves collide at the right time, with both waves at their peak, the end result is that the waves are added (called in phase), resulting in a bigger wave. If two waves collide with one wave at a peak and one wave at a trough (called out of phase), the end result is that the waves cancel each other out. Reflecting waves can cause problems for wireless networks; therefore, the device manufacturers have addressed this issue. One problem is that a signal can be broadcast and, due to bouncing off surfaces, will reach the access point multiple times and at different times. These bouncing waves cause interference, and in wireless networking this is called multipath interference. By using multiple antennas on the access point, the access point is able to compensate for multipath interference.

Another form of interference that wireless networks must deal with is RF interference in the EM field. Devices such as cordless phones and microwave ovens produce signals in the same parts of the EM field that the wireless network uses. Devices in the 900 MHz and 2.4 GHz ranges are in the Industrial, Scientific, and Medical (ISM) band, while devices in the 5 GHz range are in the Unlicensed National Information Infrastructure (U-NII) band. The technology used to minimize the effect of these other devices is called spread spectrum technology.

Spread Spectrum
Spread spectrum technology allows bandwidth to be shared by multiple devices, so your microwave oven and wireless network are not going to battle over the exact same frequency at the exact same time. Spread spectrum works by splitting the information over multiple channels of communication. By splitting the information over different channels, if a person is sniffing one specific channel, they will not get useful information from that channel, only tiny pieces of larger transmissions. There are two primary methods of spread spectrum used in wireless networks: Frequency Hopping Spread Spectrum (FHSS), and Direct Sequence Spread Spectrum (DSSS).

Frequency Hopping Spread Spectrum (FHSS)


During World War II, the emphasis on secure communications and transmissions was extremely high. Hedy Lamarr and George Antheil came up with the idea of FHSS to keep enemies from jamming radios. The idea was to use a range of frequencies, and to send (or burst) a short amount of information on one frequency, then switch to another frequency, send (burst) some information, then switch frequencies again and send another burst of information, and so on.

Figure 9-9: Multiple signal bursts sent as an example of FHSS.

During FHSS, the time that is spent on any one frequency is called the dwell time, and the amount of time that it takes to move from one frequency to another is called the hop time. A device using FHSS will transmit on the designated frequency and then move to the next frequency using the pre-defined sequence. Once the device reaches the last frequency, the device loops to the first frequency and starts the process over again. The sequence of frequency hopping creates a single channel.
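The hop sequence, dwell time, hop time and the single-channel sniffer described here and in the spread spectrum introduction above, as an added Python simulation. This is not code from the course; the 79-channel hop set, the 8-byte burst size and the function names (hop_sequence, transmit, receive, single_channel_sniffer, airtime_ms) are assumptions chosen for illustration.

```python
"""FHSS simulation: a shared hop pattern lets the receiver follow every
burst, while a listener parked on one frequency collects only fragments.
Added example; channel count and burst size are illustrative assumptions."""
import random
from typing import List, Tuple

NUM_CHANNELS = 79   # assumption: 2.4 GHz 802.11 FHSS used 79 one-MHz hop channels
BURST_BYTES = 8     # assumption: bytes sent during a single dwell period

# A burst is (slot number, channel used, payload bytes)
Burst = Tuple[int, int, bytes]


def hop_sequence(seed: int, length: int) -> List[int]:
    """Pre-defined pseudo-random hop pattern shared by both ends.
    Each channel appears at most once in the pattern."""
    rng = random.Random(seed)
    channels = list(range(NUM_CHANNELS))
    rng.shuffle(channels)
    return channels[:length]


def transmit(message: bytes, sequence: List[int]) -> List[Burst]:
    """Send the message as one burst per dwell period, stepping through the
    hop sequence and looping back to its first frequency after the last."""
    n_bursts = -(-len(message) // BURST_BYTES)          # ceiling division
    bursts: List[Burst] = []
    for slot in range(n_bursts):
        channel = sequence[slot % len(sequence)]       # loop after last hop
        payload = message[slot * BURST_BYTES:(slot + 1) * BURST_BYTES]
        bursts.append((slot, channel, payload))
    return bursts


def receive(bursts: List[Burst], sequence: List[int]) -> bytes:
    """A receiver following the same sequence is tuned to the right channel
    in every slot and reassembles the whole message; with a different
    sequence it misses every burst."""
    out = bytearray()
    for slot, channel, payload in sorted(bursts):
        if channel == sequence[slot % len(sequence)]:
            out += payload
    return bytes(out)


def single_channel_sniffer(bursts: List[Burst], channel: int) -> List[Burst]:
    """A listener parked on one frequency captures only the bursts sent
    there: isolated fragments rather than the transmission."""
    return [b for b in bursts if b[1] == channel]


def airtime_ms(n_bursts: int, dwell_ms: float, hop_ms: float) -> float:
    """Total time on air: one dwell per burst plus a hop between bursts."""
    return n_bursts * dwell_ms + max(n_bursts - 1, 0) * hop_ms


if __name__ == "__main__":
    seq = hop_sequence(7, 20)                 # 20-hop pattern, constructed
    msg = bytes(range(200))                   # 25 bursts of 8 bytes, constructed
    sent = transmit(msg, seq)
    print("receiver recovered message:", receive(sent, seq) == msg)
    print("fragments seen on one channel:", len(single_channel_sniffer(sent, seq[0])))
```

In 802.11 FHSS the hop set and pattern are announced to stations in the beacon's FH Parameter Set, so the hopping protects against narrowband interference and simple channel-parked capture, not against a listener who knows the pattern; confidentiality on the link still comes from encryption.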

Direct Sequence Spread Spectrum (DSSS)


The DSSS system works differently from FHSS. Instead of hopping from one frequency for a burst, and then another, DSSS transmits on multiple frequencies together. These multiple frequencies are grouped together and called a band. Instead of sending the raw data, DSSS performs an XOR calculation on the data at transmission.


Figure 9-10: The XOR process of DSSS communications.

The added data used in the XOR process is called the chipping code. By adding these codes, the original data is spread out, which increases the likelihood that the data will be received properly. The number of bits (chips) in the chipping code compared to the raw data is referred to as the spread ratio; higher spread ratios mean higher chances of successful communication. The 802.11 specifications dictate that there are to be 11 chipping bits per raw data bit. Due to factors such as the use of multiple frequencies and the inclusion of the chipping code, DSSS is able to achieve higher rates of transmission than FHSS. You should not think of either FHSS or DSSS as better than the other. Instead, you should realize that they are used for different functions. FHSS generally costs less to build, is used for devices that require shorter transmission distances, and has a lower overall speed. DSSS generally costs more to build, is used in devices that require greater transmission distances, and offers greater speed. From an administrative viewpoint, you may never deal directly with spread spectrum issues; they are more in the realm of the product manufacturer.
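The XOR chipping process and the 11-to-1 spread ratio described above, as an added Python example that is not from the course. It uses the 11-chip Barker sequence that 802.11 DSSS specifies; the function names (spread, despread, flip_chips and the bit/byte helpers) and the majority-vote decoder are choices made here to show why spreading makes reception more robust.

```python
"""DSSS spreading with the 802.11 11-chip Barker code and a majority-vote
despreader. Added example: shows the XOR step and why flipped chips do not
necessarily corrupt the recovered data bit."""
from typing import List

# 802.11 DSSS Barker sequence as 0/1 chips (+1 -> 1, -1 -> 0).
BARKER_11 = [1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0]
SPREAD_RATIO = len(BARKER_11)   # 11 chips per raw data bit


def spread(bits: List[int]) -> List[int]:
    """XOR each data bit against the whole chipping code (Figure 9-10).
    A 0 bit goes out as the code itself, a 1 bit as its complement."""
    return [bit ^ chip for bit in bits for chip in BARKER_11]


def despread(chips: List[int]) -> List[int]:
    """Undo the spreading one 11-chip symbol at a time. XORing the received
    chips with the code yields 11 votes for the bit value; the majority
    wins, so up to 5 corrupted chips per bit still decode correctly."""
    if len(chips) % SPREAD_RATIO:
        raise ValueError("chip stream is not a whole number of symbols")
    bits = []
    for start in range(0, len(chips), SPREAD_RATIO):
        symbol = chips[start:start + SPREAD_RATIO]
        ones = sum(c ^ k for c, k in zip(symbol, BARKER_11))
        bits.append(1 if ones > SPREAD_RATIO // 2 else 0)
    return bits


def flip_chips(chips: List[int], positions: List[int]) -> List[int]:
    """Model narrowband interference by inverting the chips at the given positions."""
    damaged = list(chips)
    for p in positions:
        damaged[p] ^= 1
    return damaged


def bytes_to_bits(data: bytes) -> List[int]:
    """Most-significant bit first."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def bits_to_bytes(bits: List[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


if __name__ == "__main__":
    data = b"Hi"                                   # constructed sample payload
    chips = spread(bytes_to_bits(data))            # 16 bits -> 176 chips
    print("chips per bit:", SPREAD_RATIO)
    print("clean decode:", bits_to_bytes(despread(chips)))
    noisy = flip_chips(chips, [0, 1, 2, 3, 4])     # 5 chips of the first symbol hit
    print("decode with 5 damaged chips:", bits_to_bytes(despread(noisy)))
```

The spreading is public and identical for every 802.11 DSSS device, so it buys resilience against interference, not secrecy; a receiver with the code recovers the data, which is why the chipping code is not a security control.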

Bluetooth
Although it is the most common technology for wireless networking, 802.11 is not the only wireless standard. Another common standard is Bluetooth. Bluetooth devices are generally FHSS devices, and are used in close proximity to one another. Bluetooth has found a market in device-to-device communications, such as PDA to computer, computer to printer, automobile to phone headset, and so on. Bluetooth functions in the 2.4 GHz range, and has low-speed bandwidth when compared to the 802.11 standards, especially 802.11g. For these reasons, Bluetooth is not designed to be directly competitive with 802.11; rather, it is a complementary technology used for different purposes.

Short Message Service


As devices continue to become smaller, and as people expect to be able to do more with their devices, new technologies are required. In wireless networking, one of these technologies is called the Short Message Service (SMS).


SMS is used to send and receive short (up to 160 characters) text-only messages on devices like cell phones, pagers, and PDAs. This technology uses a store-and-forward system, which means that if the intended recipient is not available, the message can be stored for later transmission. Nearly all providers of cellular services offer support for SMS today, and security problems exist here just as they do with all other forms of wireless communication. Although SMS security is out of the scope of this course, here are a few examples of SMS security issues:
- A Norwegian company found that a specific message sent via SMS to certain cell phones would freeze the phones, with the only solution being to remove the batteries.
- A virus called Timofon.A sends short SMS messages to random numbers. By itself, this is not a true virus, as users have to run a VBS script, but it hints at the potential.
- SMS bombers are being built to flood networks with messages.

IEEE 802.11
All forms of networking that have any success are built upon standards, and wireless networking is no different. The primary standard in the world of wireless networking is the 802.11 standard. The 802 LAN standards committee was created in 1980 by the Institute of Electrical and Electronics Engineers (IEEE), and in 1990 the committee created the 802.11 working group to discuss and define issues surrounding wireless networking. In 1997, the 802.11 working group finalized its first standard. The IEEE 802.11 standard was to address the Media Access Control (MAC) and Physical (PHY) Layers of network communication. 802.11 described three specific types of transmissions to take place at the PHY Layer:
- Diffused Infrared, utilizing infrared transmissions.
- Direct Sequence Spread Spectrum (DSSS), utilizing radio transmissions.
- Frequency Hopping Spread Spectrum (FHSS), utilizing radio transmissions.

The 802.11 working group quickly found that the project was growing rapidly, and that the number of issues to discuss was growing with it. The solution to this problem was to create subgroups to handle each issue independently. Each of these groups has been assigned a letter that is appended to the 802.11 name. Several of these groups have produced standards that are used in the industry today, others are on the horizon, and others still will become obsolete.

802.11a
In 1999, IEEE approved the 802.11a standard, calling it: High-speed Physical Layer in the 5 GHz Band. This standard utilizes Coded Orthogonal Frequency Division Multiplexing (COFDM), and supports multiple data transmission rates. Supported rates are: 6, 9, 12, 18, 24, 36, 48, and 54 Mbps. Two 802.11a devices will connect using the fastest data rate they can sustain (based on things like distance between nodes and signal strength), with a maximum rate of 54 Mbps. Work on this standard is considered complete.


802.11b
Also published in 1999, but slightly ahead of 802.11a, was the IEEE-approved 802.11b standard, called: Higher-speed Layer Extensions in the 2.4 GHz Band. This standard utilizes High-Rate Direct Sequence Spread Spectrum (HR-DSSS), and supports multiple transmission rates. Supported rates are: 1, 2, 5, and 11 Mbps. Work on this standard is considered complete.

802.11c
The 802.11c working group was developed to manage MAC bridging operations. This type of standard is used by developers of hardware. The 802.11c working group on its own is complete, with continued discussion on this subject folded into the 802.11d working group.

802.11d
As wireless networking came on the scene, and the 802.11 standard was available, there were only a few economies (such as the United States, Europe, and Japan) that had regulations on the use of the radio waves. In order for wireless networking to become global, standards would be required that comply with regulation of transmissions in various countries. The 802.11d working group is focused on the international regulations for the use of wireless networking.

802.11e
An important issue in all of networking is Quality of Service (QoS). By ensuring high QoS, transmitting other types of information, such as audio and video, can be accomplished through a wireless network. The 802.11e group is working on standards to prioritize network traffic through the wireless network, to improve QoS. 802.11e addresses the MAC layer, and as such it will be compatible with all 802.11 PHY networks.

802.11f
The development of the original 802.11 standard did not address the communications between individual access points. This was done to provide for maximum flexibility in an enterprise implementing various vendors' products. It causes difficulty, though, when there are many different types of vendor equipment in the network that may have different methods of communicating. 802.11f is working to define the standards of communication between access points so that roaming wireless clients do not experience network problems, or have communications cut off. It is suggested that until this standard is complete, and all vendors comply, you should use a single vendor to provide your wireless infrastructure.

802.11g
A problem that developed during the initial standards process was that 802.11a and 802.11b did not communicate. So, although the ability to add the higher bandwidth of 802.11a was appealing to some, the lack of interoperability discouraged others. 802.11g provides higher speed while being able to interoperate with other wireless networks. 802.11g utilizes OFDM to manage communications, provides for transmission rates of up to 54 Mbps, and operates in the 2.4 GHz range.


802.11h
Specific European regulatory issues are discussed in the 802.11h working group. In Europe, there is a strong possibility that 802.11a devices, which operate in the 5 GHz range, will interfere with satellite communications, which are designated as primary use. Many European countries label wireless networking as secondary use.

802.11i
There are serious security issues associated with Wired Equivalent Privacy (WEP). The 802.11i working group was designed to address these issues. The result of the group's efforts is a stronger security standard, including all the options that exist in Wi-Fi Protected Access (WPA), and adding the use of the Advanced Encryption Standard (AES). Some, including the Wi-Fi Alliance, refer to 802.11i as WPA2.

802.11n
With the ever-growing demands on wireless networks, speed is always an issue. The 802.11n working group develops enhancements to wireless networking technologies to achieve higher throughput. Speed estimates put this standard at a 200+ Mbps rate. Through the use of multiple antennas, some vendors are claiming speeds in the 400+ Mbps range.

Wireless Application Protocol


The Wireless Application Protocol (WAP), detailed at the Wapforum (www.wapforum.org), is a specication that is open and utilized globally. Handheld devices, such as mobile phones, pagers, and PDAs, can interact with networks, such as the Internet through WAP. It is compatible with many wireless networking technologies including Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), and Global Systems for Mobile Communications (GSM).
As of this writing, there were an estimated 855 million worldwide GSM users, 162 million CDMA users, and 124 million TDMA users.

Since WAP is a protocol and application environment, it has the ability to be built into any operating system that is designed to use it. It is currently used in operating systems such as: Windows CE, PalmOS, JavaOS, and OS/9. Mobile devices work by using WAP microbrowsers that are built into the device. These are similar to the full-scale Internet browsers, such as Netscape and Internet Explorer, only scaled down to the minimum requirements. Many mobile devices can communicate via HTML and/or XML, but there is a language specifically for wireless devices. That language is called Wireless Markup Language (WML). WML is based on XML, and web content accessed via WML will have the .wml extension, similar to the .html extension of web pages. The programming of WML looks very similar to that of HTML or XML. There are in fact XML tags in WML pages. Web pages written in WML are called decks, and decks are constructed using cards. The following code example shows what two WML cards look like in a WML deck:

<wml>
  <card id="no1" title="Card 1">
    <p>Hello World!</p>
  </card>
  <card id="no2" title="Card 2">
    <p>This is the second card text!</p>
  </card>
</wml>

WAP itself, like all specifications, has gone through several versions since it was first introduced. WAP v1.0 was introduced in April 1998, WAP v1.1 in June 1999, WAP v1.2 in November 1999, and WAP v2.0 in the summer of 2001. The 1.0 version of WAP used a WAP gateway, often a separate computer, to act as the literal gateway between the WAP client and the web server hosting the files.

Figure 9-11: The original WAP architecture.

In the original WAP architecture, protocol conversion was required at the WAP gateway. This is due to the WAP devices not speaking the language of the Internet. With WAP v2.0 devices, the gateway protocol conversion is not required. This is due to devices running the WAP v2.0 stack being able to utilize TCP/IP, and speak through a proxy to the Internet.


Figure 9-12: The two common stacks of WAP.

TASK 9A-2
Choosing a Wireless Media
1. You have been contracted to design the wireless network for your new client. This client has three offices, all within the same two-block radius. They are three independent offices, each in a multistory building, which do not require frequent resource access to any of the other offices. The only authorized communications that can be sent from one office to another are email or other approved instant messages. There are some slight obstructions, such as trees, that prevent perfect line-of-sight between all three buildings. You have asked the client, and have been informed that removal of the trees is not permitted. Based on this information, which media type will you recommend to the client, and why?
You will recommend using radio waves as the media, by configuring the networks to use radio waves and a directional antenna, such as a yagi, to increase the strength and range. The radio wave option should provide the client with an inexpensive solution.


Topic 9B
Wireless LAN (WLAN) Fundamentals
WLANs are built upon the 802.11 standards and are designed to operate similarly to their wired counterparts, running the 802.3 (Ethernet) standard. One difference (other than the lack of those pesky wires!) is that 802.11 networks use Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA), whereas the 802.3 networks use Carrier Sense Multiple Access/Collision Detection (CSMA/CD). In the CSMA/CD networks, the nodes listen to the wire to see if it is clear to transmit. Since the 802.11 nodes are not on a single physical media like the 802.3 networks, CSMA/CD will not work. Instead, the WLANs use CSMA/CA where each node sends a short broadcast preceding each transmission.

The Access Points
The AP is the device that the end nodes communicate with in the network. Placement of the AP can have a significant effect on the overall speed and transmission in the WLAN. If the AP is placed near a source of high EMI, the network will be negatively affected. Likewise, the height of the AP may have an effect. For many network administrators, AP placement is a process of trial and error. First, decide on the placement as best you can by analyzing the layout, trying to avoid anything that will cause interference. After the AP is placed, run bandwidth tests from the various locations where the end nodes will likely be located. Then move the AP to a different location, perhaps higher on the wall, and run the bandwidth tests again. After you have run a group of tests, you will know the optimal placement for your unique situation.

SSID
Wireless networks have a component called the Service Set Identifier, or SSID. The SSID is a 32-character unique identifier that is attached to the header of WLAN packets. The SSID is designed to identify individual WLANs, so that devices connect to the proper WLAN. This is a value that should be configured when setting up security on a WLAN. The default SSIDs of many manufacturers are well known, and changing this value to one that is not well known is one of the initial steps in your WLAN security. Access Points are configured, usually by default, to broadcast their SSID in what are called beacon frames. This function allows authorized users to find their proper WLAN easily, but it also informs any attacker of the name of the WLAN segment. The beacon frames are broadcast in plaintext; there is no encryption of these transmissions. Most WLAN analyzing software will listen for SSID beacon frames and report that information back, making the location of the networks simple. If your network will allow for it, you should turn off the SSID beacon frame broadcast.

Association
A unique aspect of the wireless network is that nodes that are going to use an access point must first associate with it. In the wired network, the node is simply turned on and plugged into the cable; there is no association required with the local hub or switch. In the wireless network, the node must be turned on, and then associate with, or join, a wireless access point.
Association is the process of a WLAN client associating with an AP in the WLAN.

This process of association is accomplished by the wireless node knowing its SSID value, and looking for an SSID value that matches its known value. The vast majority of network cards now include an option that scans the local radio waves and lists the possible networks that the WNIC can attempt to associate with. Selecting a network is only an attempt to associate; the WNIC must be authenticated as well before the association can succeed.

Authentication
One step in the WLAN client being able to use the WLAN is association, but that may not be enough. The second step that may be required in the network is authentication. Authentication can happen in one of two general methods, as per the IEEE 802.11 specification: open system authentication and shared-key authentication. Open system authentication is simply when there is no encryption and all communication is done in clear text; the WLAN client can authenticate in the open system without having to know any key information. In the shared-key authentication system, a key is required, and the key system must be used on both ends of the communication, meaning both the AP and the WLAN client must be using the same system.

WLAN Topologies
When building your WLAN, you have two major types of networks to build. You can build a WLAN in either ad-hoc mode or in infrastructure mode. Neither of these topologies is right or wrong; they just have different functions.

Ad-hoc Mode
Ad-hoc mode is perhaps the fastest WLAN to build. No APs are required for an ad-hoc mode WLAN. In this case, you install and configure the wireless network card on multiple end nodes, and they all have the ability to interact directly with any other node. This is a true peer-to-peer network with no single point in control.

Figure 9-13: An example of an ad-hoc WLAN configuration.

When you group several end nodes together in ad-hoc mode, those nodes create what is called an Independent Basic Service Set (IBSS). These nodes are grouped together by all using the same SSID.

Infrastructure Mode
Although ad-hoc mode may be the fastest for you to set up, it is not likely the mode you will use in a production environment. In the enterprise, you are much more likely to use infrastructure mode. In infrastructure mode, your network clients are configured with the SSID of an AP. All the clients that are going to be grouped together have the same SSID. The AP then acts as the central point in the network. The request of each node is received by the AP, and then transmitted to the network. If you have a single AP that does not overlap with any other WLAN segments, then you have created a Basic Service Set (BSS). You can create an Extended Service Set (ESS) by grouping BSSs to form a single subnetwork. Just about all APs made today have at least one Ethernet port on them, allowing you to seamlessly connect your wired clients into your wireless network. You will usually connect the Ethernet port of the AP to a hub, switch, or other network connecting device.

Figure 9-14: An example of an infrastructure mode WLAN conguration.

Lesson Configuration
There is quite a bit of hardware used in this lesson. For the tasks and screenshots, multiple WNICs and APs were used, and both ad-hoc and infrastructure mode will be used. For this lesson, there are two configured clients, one Linksys WPC54G and one Netgear WPN824, used in laptop computers.

Prepare for the Ad-hoc Network
The first network type you will configure is an ad-hoc network. This will allow for a small network to be established in a very short amount of time. This first network will not have security running, and can be viewed as a guide to the steps required to get an ad-hoc network operational. In this first task, you will configure the Linksys 54G card, which can run 802.11b and 802.11g. Note that, as most of the machines on which you will configure wireless networking will be clients, these tasks have been written using laptops running Windows XP. For the SCP certifications, questions about wireless networks are based on the wireless tools and techniques shown here, not on the built-in Windows wireless networking solution.

TASK 9B-1
Installing the Linksys WPC54G WNIC
Setup: This task is performed on the first Windows XP laptop.
1. Log on to Windows XP Professional.
2. Insert the Linksys WPC54G setup CD-ROM into the CD-ROM drive. If the setup program does not autorun, navigate to the CD, and double-click the Setup.exe file.
3. In the Linksys Welcome screen, click the Click Here To Start button.
4. Read the License Agreement, and click Next. The setup files will now be installed to your computer.
5. When prompted, insert the WNIC into the computer, then click Next.
6. The Linksys Available Wireless Network screen will open. Click the Manual Setup button to create a profile.
7. Select the Specify Network Settings radio button:
   In the IP Address text box, type: 10.0.10.30
   In the Subnet Mask text box, type: 255.255.255.0
   In the Default Gateway text box, type: 10.0.10.1
8. Leave the DNS text boxes blank, and click Next.
9. Select the Ad-Hoc Mode radio button.
10. In the SSID text box, type Ad_Hoc_1 and click Next.
11. In the Channel drop-down list, select Channel 3 and click Next.
12. In the Security drop-down list, select Disabled and click Next. (You will add security features later in the lesson.)
13. Confirm your settings are correct, and click Save.
14. Verify your IP Address settings via Windows Networking. Note: on some systems the Linksys configuration tool will not configure the Windows IP settings. In this case you will be required to manually configure the WNIC. IP: 10.0.10.30 / 24, DG: 10.0.10.1
15. Leave the screen open, as you will return to it shortly.

Configure the Second WNIC
For the ad-hoc network to function, you need at least two WNICs to communicate with each other. Now that you have installed and configured one single node in the network, you need to configure a second node. Once both are configured properly, the ad-hoc network can begin.

TASK 9B-2
Installing the Netgear WPN511
Setup: This task is performed on the second Windows XP laptop.
1. Log on to Windows XP Professional.
2. Insert the Netgear WPN511 CD-ROM into the CD-ROM drive. If the setup program does not autorun, navigate to the CD, and double-click the autorun.exe file.
3. In the Netgear SmartWizard screen, click the Install Software button.
4. In the Welcome screen, click Next.
5. Read the License Agreement, and click Accept.
6. Accept the default Destination Folder, and click Next. The setup files will now be copied to your computer.
7. Once the software installation is complete, click Next. The setup files will finish their installation.
8. Insert your Netgear WPN511 card into your computer, and click Next.
9. In the Country drop-down list, select your country, and click Agree.
10. Keep the default selection to use the Netgear Smart Wizard for your wireless connection, and click Next.
11. Select the No, I Want To Configure It Myself radio button, and click Next.
12. Choose Start→All Programs→Netgear WPN511 Smart Wizard→Netgear Smart Wizard. The tool to configure the Netgear WNIC will open.
13. In the Network Name text box, type Ad_Hoc_1
14. In the Network Type section, select the Computer-to-Computer (Ad Hoc) radio button.
15. Click the Initiate Ad Hoc button.
16. From the Channel drop-down list, select Channel 3 and click OK.
17. Click the Apply button.
18. Open the Windows Network Connections window, right-click the newly installed Netgear WNIC, and choose Properties.
19. Select Internet Protocol (TCP/IP), and click Properties.
20. Select the Use The Following IP Address radio button.
21. Enter the following configuration: IP 10.0.10.31, SM 255.255.255.0, DG 10.0.10.1. Click OK, click Close, and close the Network Connections window.
22. In the Netgear WPN511 Smart Wizard window, select the Networks tab.
23. Select the Ad_Hoc_1 network, and click the Connect button. (If no network is listed, click the Find a Network button.)
24. Click the Apply button. You will be connected to the Ad_Hoc_1 network from this computer.
25. Leave the Wireless Network Connection window open for subsequent tasks.

Enable the Ad-Hoc Network
Now that you have both WNICs installed and the Netgear card is connected to the ad-hoc network, you simply need to connect the other side of the network. In the following task, you will connect the Linksys WNIC, thus enabling the ad-hoc network.

TASK 9B-3
Enabling the Ad-Hoc Network
1. Verify that you are at the computer with the Linksys WNIC installed.
2. In the Site Survey screen of the Linksys Network Monitor Tool, click the Refresh button. You should now see the Ad-Hoc_1 network available.
3. Select the Ad-Hoc_1 network, and click Connect.
4. Once connected, you will see that you have successfully joined the ad-hoc network.
5. Click the More Information button to see the details of this connection.
6. If you wish, open a command prompt and perform a ping test from one computer to the other to confirm the wireless network is functional.

802.11 Framing
Although you will likely never directly work with the design or physical architecture of any wireless network device, you do need a strong understanding of how the 802.11 network functions in order to implement solid networks. At first glance, it seems that the 802.11 network functions in exactly the same way as Ethernet networks. Upon further investigation you will notice that, although the appearance is the same, the 802.11 network has very real differences from the Ethernet network. Ethernet framing essentially takes the data, adds a preamble, adds the required addressing information, such as IP, and adds an integrity check (or Frame Check Sequence) on the end. The wireless network, however, must add more information than that. In the 802.11 network there are multiple frame types. The three 802.11 frame types are data frames, control frames, and management frames. The data frames are the frames that you will see on the network the most; these carry the actual data from one node to another. The control frames are for functions like carrier-sensing (like modems) and acknowledgement. The management frames are what a node uses to join (or associate with) and to leave (or disassociate from) an access point.

Frame Format
The first thing you will notice when looking at the 802.11 frame is that the MAC uses four address fields. Not every 802.11 frame uses all four fields, and the values that are assigned to the different address fields can actually change based on the type of MAC frame that is being transmitted.

Figure 9-15: The format of an 802.11 MAC frame.

Frame Details
An in-depth discussion of the 802.11 framing format is beyond the scope of this course.

Every 802.11 frame begins with a two-byte frame control field that is divided into several different subfields. One of the subfields is the protocol version. The protocol version subfield is a two-bit value, which indicates what version of the 802.11 MAC is found in the frame. Currently, there is only one supported version of the 802.11 MAC, and that has been given a protocol ID of 0.

Figure 9-16: The frame control of the 802.11 frame, expanded showing its internal contents.

The second subfield is the type. This indicates the frame type, and therefore which subtypes can follow. If this is set to 00, then management frames are to follow. If this is set to 01, then control frames are to follow, and if this is set to 10, then data frames are to follow. The third subfield is called the subtype, which is related to the type field just discussed. This subfield is a four-bit value, which indicates the subtype of the frame. Management subtypes are identified in the following table.

Management Subtype Value    Subtype Name
0000                        Association request
0001                        Association response
0010                        Reassociation request
0011                        Reassociation response
0100                        Probe request
0101                        Probe response
1000                        Beacon
1001                        Announcement traffic indication message
1010                        Disassociation
1011                        Authentication
1100                        Deauthentication

Using the table as reference, you can identify two common subtypes: the association request (0000) and the beacon (1000). Another subfield is the WEP field. When this is set to 1, WEP is in use, and when this is set to 0, WEP is not in use.

The Beacon Subtype Value is 1000.

By now you have noticed that there are multiple entries for addresses in the frame format. The 802.11 frame can use up to four address fields, generally numbered one through four. Address field one is the receiver, address field two is the transmitter (or sender), address field three is used for filtering, and address field four is optional. The sequence control field is used for multiple purposes. It uses 4 bits to manage fragmentation and 12 bits to manage sequence numbers. If a higher-level packet needs to be fragmented, the sequence number will be constant for all the fragments, but the 4-bit fragment number will increase by 1 for every new fragment. The data field is where the upper layer payload goes for transmission. This field has a maximum payload value of 2304 bytes of data, and a maximum size of 2312 bytes. The additional 8 bytes allow for the extra information required by WEP, which must be supported. Finally, there is a frame check sequence (FCS) field. This is similar to the FCS in Ethernet and other networking systems. The FCS allows for an integrity check on the frame, but there is a difference in the wireless network: in the 802.11 format, there is no negative ACK if a frame fails the FCS. Instead, the nodes must wait for an ACK timeout before they retransmit.

802.11 Addressing
As you saw earlier, there are four address fields in the frame, not all of which have to be used in each transmission. Before you can make a connection between an address and an address field, you need to be aware that there are multiple types of addresses in 802.11 wireless networks. These addresses are given the DA, RA, SA, and TA acronyms. Their definitions are as follows:
Destination Address (DA): This is the MAC address of the node that is to ultimately process the frame.
Receiving Address (RA): This is the MAC address of the node that will receive the frame. Note, this does not have to match the DA.
Source Address (SA): This is the MAC address of the node that created the frame.
Transmitting Address (TA): This is the MAC address of the node that transmitted the frame. Note, this does not have to match the SA.

The address fields will change based on the frame format. For example, the third field can hold the SSID address, the DA, or the SA, based on the frame. Where there is consistency is in the field that holds the transmitting address: this is address field two. Address field one is designed for the recipient of the frame, which you must note does not mean the final destination of the frame, only the recipient of the current frame.
The SSID used in the MAC address field is not the same as the manually entered SSID value.

When the network is in infrastructure mode, the address used is the SSID address. This is not the same as the SSID that has been manually assigned to the network, such as the default Linksys. The interface on the physical AP requires a MAC address, just as any other interface does. In infrastructure mode, the SSID address is the MAC address of the AP that is participating in the infrastructure network.

One reason that there are multiple options here for the addressing is that there are multiple methods for establishing a wireless network. For example, in the most straightforward network, all the nodes simply talk directly to one another; this is the ad-hoc network. Another network could be where all the end nodes communicate only with the Access Point. Finally, you could link two (or more) wireless networks together, with the Access Point of each one functioning as a bridge to the other network. Figure 9-17 identifies the addresses that would be assigned to each of the four address fields, and the DS settings, based on the function.

Figure 9-17: The settings of the address fields, based on the frame function.

From this figure, you can identify that the most basic addressing is in ad-hoc mode, where the frame has a simple DA and SA. This is the closest to the traditional Ethernet network that most network professionals are familiar with. Of note in this table are the configurations of the ToDS and FromDS bits. DS is the Distribution System, for example the Ethernet network that is connected to the wired side of an AP. If both the ToDS and FromDS bits are set to 0, then the frame is on an ad-hoc network. When ToDS is 1 and FromDS is 0, this indicates a frame that is transmitted from a node to an infrastructure network. Conversely, when ToDS is 0 and FromDS is 1, this indicates a frame that is received by a node in an infrastructure network. Finally, when both ToDS and FromDS are set to 1, the frame is on a wireless bridge, from one wireless network to another.
When ToDS and FromDS are both set to zero, the frames are for a network running in ad-hoc mode.

Figure 9-18: The addressing of two nodes in an ad-hoc network.

When two nodes are communicating in ad-hoc mode, the addressing is clear-cut. The SSID is identified in the third address field, and the receiver and transmitter addresses are entered. This is the most straightforward of all the addressing options.

Figure 9-19: The addressing of two nodes and one AP in an infrastructure network.

In this second example (an infrastructure network), the addressing becomes more complex. When the two end nodes initiate their communication, the ToDS bit is set to 1 and the FromDS bit is set to 0, which indicates a frame sent to an infrastructure network. Address field one is the receiving address (RA), which is the SSID, and address field two is the source address (SA). In this case the node that originated the frame is the SA; this is because the frame is sent to the network, not directly to the end node. Notice that address field three is used; in this case it holds the destination address of the frame. The destination address is for the node that is to ultimately process the frame. As the frames are moved from the AP to the respective end nodes, you can see that the ToDS bit is now set to 0 and the FromDS bit is now set to 1. This indicates the frame is intended for an end node, coming from the infrastructure network. Address field one now contains the address of the actual intended node that will process the frame. Address field two contains the SSID, where the frame was transmitted from, and address field three contains the source address, where the frame originated.
In infrastructure mode, when a frame is sent to the AP, address field one contains the SSID address.

In infrastructure mode, when a frame is sent from the AP, address field one contains the destination address.

Figure 9-20: The addressing of frames in a wireless bridge network.

In the final addressing example, you have two APs in wireless bridge mode that are connecting two wireless networks. In this example, you have frames that serve different functions in the network. The node that starts the transmission sends a frame in infrastructure mode to the AP, with the final destination address in the third address field. When the frame gets to the AP, the network is in bridge mode between the two points, and ToDS and FromDS are now both 1. It is at this time that all the address fields are used, and it is here that the distinction between transmitting and source addresses, and between receiving and destination addresses, is clear. At the AP, with MACs 2345 and 3456, the frame has a receiving address of 4567, the MAC on the other side of the bridge. The final destination address is 6789; this is how the addressing makes the difference between a point receiving the frame and the end node that is to finally process the frame. Also at the AP, the frame has a source (sending) address of 1234, as that is where the frame originated, but the transmitting address is 3456, the AP that is sending the frame to the next access point. When the frame is received at the second AP, the frame is then formatted as a frame in infrastructure mode, with ToDS set to 0 and FromDS set to 1. This frame is then sent to the node that will process the frame, and the series of frames is complete. In the event that a response to the original sender is required, the same process will happen, only in reverse.
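The frame control subfields (Figure 9-16), the fragment/sequence split of the sequence control field, and the address-field roles for each ToDS/FromDS combination (Figures 9-17 through 9-20) can all be checked by decoding real headers. The following is an added example, not code from the course: a decoder for the 802.11 management and data frame header. The bit positions are those of the 802.11 standard (frame control and sequence control are little-endian on the air). The build_header helper, the sample headers and the MAC addresses (whose low bytes echo the 1234/2345/3456/4567/6789 placeholders of the bridge example) are constructed for illustration.

```python
"""Decode the 802.11 MAC header fields described in the text.

Added example, not code from the course. It parses the two-byte frame control
field (protocol version, type, subtype, ToDS/FromDS, WEP bit), the sequence
control field (4-bit fragment number, 12-bit sequence number) and maps the
address fields to DA/SA/RA/TA from the ToDS/FromDS bits. The sample headers
and MAC addresses below are constructed.
"""
import struct

TYPE_NAMES = {0b00: "management", 0b01: "control", 0b10: "data"}

# Management subtypes, as listed in the table in the text.
MGMT_SUBTYPES = {
    0b0000: "Association request", 0b0001: "Association response",
    0b0010: "Reassociation request", 0b0011: "Reassociation response",
    0b0100: "Probe request", 0b0101: "Probe response",
    0b1000: "Beacon", 0b1001: "Announcement traffic indication message",
    0b1010: "Disassociation", 0b1011: "Authentication",
    0b1100: "Deauthentication",
}

# Roles of address fields 1-4, keyed by (ToDS, FromDS). "BSSID" is the MAC
# address of the AP, which the text calls the SSID address.
ADDRESS_ROLES = {
    (0, 0): ("DA", "SA", "BSSID", None),   # ad-hoc (and management frames)
    (1, 0): ("BSSID", "SA", "DA", None),   # node -> distribution system
    (0, 1): ("DA", "BSSID", "SA", None),   # distribution system -> node
    (1, 1): ("RA", "TA", "DA", "SA"),      # wireless bridge, AP to AP
}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame_control(fc):
    """fc: the two frame control bytes in on-air (little-endian) order."""
    b0, b1 = fc[0], fc[1]
    return {
        "version": b0 & 0x03,          # protocol version, currently always 0
        "type": (b0 >> 2) & 0x03,
        "subtype": (b0 >> 4) & 0x0F,
        "to_ds": b1 & 0x01,
        "from_ds": (b1 >> 1) & 0x01,
        "more_frag": (b1 >> 2) & 0x01,
        "retry": (b1 >> 3) & 0x01,
        "wep": (b1 >> 6) & 0x01,       # 1 = WEP in use (Protected Frame bit)
    }


def parse_sequence_control(sc):
    value = struct.unpack("<H", sc)[0]
    return {"fragment": value & 0x0F, "sequence": value >> 4}


def parse_header(frame):
    """Parse a management or data frame header. Control frames (ACK, RTS,
    CTS) use shorter layouts and are rejected here."""
    fc = parse_frame_control(frame[0:2])
    if fc["type"] not in (0, 2):
        raise ValueError("control frames have a different header layout")
    addrs = [frame[4:10], frame[10:16], frame[16:22]]
    header = {
        "type_name": TYPE_NAMES[fc["type"]],
        "frame_control": fc,
        "sequence_control": parse_sequence_control(frame[22:24]),
        "body_offset": 24,
    }
    if fc["type"] == 0:
        header["subtype_name"] = MGMT_SUBTYPES.get(fc["subtype"], "reserved")
    if fc["to_ds"] and fc["from_ds"]:
        addrs.append(frame[24:30])     # address 4 follows sequence control
        header["body_offset"] = 30
    roles = ADDRESS_ROLES[(fc["to_ds"], fc["from_ds"])]
    addresses = {role: mac_str(a) for role, a in zip(roles, addrs) if role}
    # Address 1 is always the on-air receiver and address 2 the transmitter.
    addresses.setdefault("RA", mac_str(addrs[0]))
    addresses.setdefault("TA", mac_str(addrs[1]))
    header["addresses"] = addresses
    return header


def build_header(ftype, subtype, to_ds, from_ds, addrs, seq, frag=0, wep=0):
    """Constructed inverse of parse_header, used to make sample headers."""
    fc = bytes([(subtype << 4) | (ftype << 2), to_ds | (from_ds << 1) | (wep << 6)])
    seq_ctl = struct.pack("<H", (seq << 4) | frag)
    hdr = fc + b"\x00\x00" + b"".join(addrs[:3]) + seq_ctl   # duration = 0
    return hdr + addrs[3] if len(addrs) == 4 else hdr


# Constructed MACs; the low bytes echo the placeholders used in the text.
NODE_A, AP1_WLAN, AP1_BRIDGE = (bytes.fromhex("02000000" + s) for s in ("1234", "2345", "3456"))
AP2_BRIDGE, NODE_B = (bytes.fromhex("02000000" + s) for s in ("4567", "6789"))
BROADCAST = b"\xff" * 6


def example_frames():
    """The beacon, infrastructure and bridge cases from the text, parsed."""
    beacon = build_header(0, 0b1000, 0, 0, [BROADCAST, AP1_WLAN, AP1_WLAN], seq=1)
    to_ap = build_header(2, 0, 1, 0, [AP1_WLAN, NODE_A, NODE_B], seq=7)
    bridge = build_header(2, 0, 1, 1, [AP2_BRIDGE, AP1_BRIDGE, NODE_B, NODE_A],
                          seq=7, frag=2, wep=1)
    return {"beacon": parse_header(beacon), "to_ap": parse_header(to_ap),
            "bridge": parse_header(bridge)}


if __name__ == "__main__":
    for name, hdr in example_frames().items():
        print(name, hdr["type_name"], hdr.get("subtype_name", ""), hdr["addresses"])
```

Run the file directly to see the three cases: the beacon is a management frame with DA = broadcast and BSSID = the AP, the node-to-AP data frame carries the AP's MAC in address field one and the final destination in field three, and the bridge frame is the only one where all four roles (RA, TA, DA, SA) come from four distinct fields.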

Access Point Configuration
In order for the network to evolve from an ad-hoc to an infrastructure network, you need at least one AP. In this section, you will walk through the steps required to configure an AP with basic settings. At this time, the goal is to create a simple infrastructure network, running with one single AP, without WEP or any other advanced configuration. Most APs will have one of two methods of connecting and performing the initial configuration. One of the methods is to connect a USB cable from the AP to a computer that will run the configuration. A second method is to connect via a network protocol, with the AP connected using a Cat5 cable instead of a USB cable. This second method, connecting through the network, generally through a web browser, is becoming very common. In this task, the steps for installing and configuring the first AP are shown. This lesson has two different APs installed, and you will walk through the steps of installing each AP. The Linksys AP requires a connection through the 192.168.1.0 / 24 network, so you must configure your computer on this network for the initial communication.

TASK 9B-4
Installing the Linksys WAP54G Access Point
1. Log on to Windows 2003 Server as Administrator.
2. Open the Properties of your LAN adapter.
3. Select TCP/IP, and click Properties.
4. Enter the following IP Addressing information:
   IP Address: 192.168.1.145
   Subnet Mask: 255.255.255.0
   Default Gateway: This may be left blank
5. Click OK twice, and then click Close.
6. Physically locate the WAP54G access point where you want it in the room. If possible, this should be a high point in the room, and not near any source of EMI.
7. Insert the Linksys CD-ROM into the CD-ROM drive. If the setup program does not autorun, navigate to the CD, and double-click the Setup.exe file.
8. In the Welcome screen, click the Click Here To Start button.
9. Plug in the WAP54G power cord and plug in the supplied network cable, then click Next.
10. Connect the WAP54G to the network, and click Next.
11. Connect the WAP54G to an outlet, and click Next.
12. Verify all three LEDs are lit on the front panel, and click Next.
13. Note the status of the new AP, including the default IP Address, and click Yes.
14. Type the default password of admin and click Enter. For ease of running the course, you will leave the default password in place. In a production environment, you would use a strong password here.
15. In the IP Address text box, type 10.0.10.1
16. In the Subnet Mask text box, type 255.255.255.0
17. Leave the Default Gateway text box empty. Once you have entered this information, click Next.
18. In the Configure Wireless Settings window, click the Enter Wireless Setting Manually button.
19. In the SSID text box, type SCP_1
20. Leave the Channel drop-down list on Channel 6.
21. In the Network Mode drop-down list, select G-only, then click Next.
22. At this time, you are not configuring Security options; select the Disable radio button, and click Next.
23. Confirm your settings, and click Yes.
24. Click Exit to close the Access Point configuration tool.

Configure the Infrastructure Clients
Once the AP is configured and running in the network, there need to be clients connected to make the infrastructure network functional. In this section, you will reconfigure the client computers to associate with the AP, establishing the infrastructure network. It is assumed that the initial installation of the clients has been completed, and in these tasks you will move directly to the client configuration.

TASK 9B-5
Configuring the Linksys Client
1. Log on to the computer with the Linksys WPC54G installed.
2. In the Windows system tray, right-click the Linksys WPC54G monitor icon, and choose Open The Monitor.
3. Click the Site Survey tab. You will now see the new AP that has recently been configured.
4. Click the Profiles tab.
5. Click the New option.
6. Type SCP-1 in the text box, and click OK.
7. Select the SCP-1 network, and click Connect. Once you are connected in Infrastructure Mode, click the More Information button to see the details of the connection.

Adding Infrastructure Network Clients
To make your network more functional, you will need other clients. You currently have one AP and one infrastructure client. In the following task, you will configure the second wireless networking client.

TASK 9B-6
Configuring the Netgear Client
1. Log on to the computer with the Netgear WPN511 installed.
2. In the Windows system tray, click the Netgear WPN511 Smart Wizard icon.
3. Click the Networks tab, and highlight the SCP-1 network by clicking on it.
4. Click the Connect button. The adapter will now connect to the SCP-1 network.
5. To make the changes to the adapter's configuration, click the Apply button. You are now connected in Infrastructure mode.
6. If you wish, open a command prompt and perform a ping test from one computer to the other, and to the access point itself, to confirm the wireless network is functional.

WLAN Threats
The threats facing the WLAN are similar to those facing the LAN, with some variation due to the open medium of the wireless network. The techniques used to counter the threats will be discussed later in this lesson. You will start with some of the passive threats.

Eavesdropping and Analysis
One threat that is very prevalent in the WLAN is that of passive eavesdropping and analysis. Passive eavesdropping is the easiest of all the threats to the WLAN. A person with a laptop and a wireless network card in promiscuous mode can simply sit outside of the physical boundary of your network and receive packets. The attacker does not need to attempt to connect to the network at this time, only listen. By receiving packets, a skilled attacker can then analyze the network traffic. This may lead to the attacker learning protocol information and operating system information. Attackers can increase the range from which they can receive a signal by using specialized antennas. These antennas can pull in signals from well outside the range of the normal WLAN client. Attackers do not need to buy expensive antennas for this; there are reports of people making successful long-range antennas out of aluminum cans, washers, and pipes.

War Driving
Something that may not be a specific threat to the WLAN, but is in the same category, is war driving. War driving is the practice of building a mobile wireless machine, with software designed to learn and map wireless networks. In addition, war drivers may have a powerful external antenna and a Global Positioning System (GPS) device. Using a GPS, the attacker can record the exact longitude and latitude of the network that was found while driving. Along with war driving is a practice called war chalking. War chalking is where a person who has found a WLAN via war driving marks the location with a symbol. These symbols represent open networks, closed networks, protected networks, and more. The growing list of symbols used to identify networks is changing frequently.

Figure 9-21: Example of the three main symbols of war chalking.

In the figure, the symbol on the left indicates an open network, where the SSID is being broadcast by the AP. When chalked, the symbol will include the actual SSID located and the bandwidth at that point. The middle symbol is a closed network, where the AP is not broadcasting the SSID. This symbol will also list the SSID, once discovered, and the speed of the connection. The symbol on the right is one that is protected using the Wired Equivalent Privacy (WEP). WEP will be discussed in more detail later in this lesson. The WEP symbol, along with the others, may also contain other information; there is no restriction on what can be written down. If you come into the office and see a symbol like this near your network, you should address the security of the network right away.

Gaining Access
An interesting problem that is unique to the WLAN versus the wired network is that of DHCP. If the WLAN is using DHCP, then any client that turns on in range and asks for an IP address will be given one. This may include attacker computers. In some instances, the entire job of the attacker gaining unauthorized access is to simply nd a WLAN, and there are many tools available to locate WLANs.

Lesson 9: Securing Wireless Networks

489

Networks that use DHCP must employ another system to defend their wireless network; otherwise any client may gain access. Even if operating system level security measures were in place to prevent unauthorized users from accessing a server, those users would still be inside the network. Furthermore, you could have two or more uninvited users accessing the network and communicating with each other, happily using up your wireless bandwidth.

The man-in-the-middle attack exists on the wired network, and exists in the wireless world as well. For this to work, the attacker is positioned between two end points, which is trivial on the wireless network, as being between the two points does not mean a straight line. The attacker breaks the connection that is established between the target node and the AP. (The connection can be broken using an RF jammer or another form of electrical interference, or, because management frames are not authenticated in the original 802.11 design, by sending forged deauthentication frames to the target.) The attacker then configures the attacking machine as the new local AP for the target, and allows the target to associate with the attacker machine. The attacker then routes the packets through to the legitimate AP. All packets can be stored and analyzed, and whatever purpose the attacker has in mind can be carried out.

Denial of Service
One common threat for all forms of networking is the denial of service. For the WLAN this takes on new meaning, as the network has natural bandwidth restrictions to begin with. The WLAN has a limited amount of bandwidth to share among all the WLAN clients, because only a limited amount of radio spectrum, divided into a handful of channels, is available to carry data. Unlike the wired network, where each node may have dedicated bandwidth to the switch, in the WLAN all nodes on a channel share that channel's capacity (for example, 11 Mbps for 802.11b), and the cost of sharing is amplified by the fact that the devices are half-duplex. This is a perfect example of why two uninvited nodes connecting via DHCP can cause problems on the network, even if they never attempt to gain access to servers. Simply performing large file transfers, running a continuous ping sequence, or transmitting large malformed packets can tie up the network.

Topic 9C
Wireless Security Solutions
Although there are risks to using wireless networking, there are also solutions to make the wireless network secure. It can be argued that the wireless network can never be as secure as the wired network, but there are solutions that you can implement to provide reasonable levels of security on your wireless networks. In this topic you will examine and implement several of these solutions.

490

Tactical Perimeter Defense

Wireless Transport Layer Security (WTLS)


As the WLAN grows and becomes more a part of our everyday life, and as remote devices use WAP more, the security of these networks is of obvious importance. One tool available to the security professional is Wireless Transport Layer Security (WTLS). WTLS has three basic goals: to provide data integrity, privacy between the two end points, and authentication between the two end points. The WTLS stack is designed specifically for the low-bandwidth, high-latency networks used for wireless communication.

WTLS Origins
WTLS is considered a security protocol for wireless networking, most specifically applying to WAP, and is sponsored by the WAP Forum. WTLS is designed to provide assurance that messages sent to and from end points in the wireless network have not been modified. WTLS is based on TLS, which in turn is based on SSL.

WTLS Authentication
When moving towards the security of a trusted network, authentication is a requirement. WTLS is no different. The method of authentication used in WTLS is certificates. It is possible to implement WTLS without requiring certificates, but in order to increase the security, certificates are recommended. Various formats of certificates are allowed in WTLS, including the X.509v3 format.

WTLS Components
WTLS is split into multiple components. The lower layer is called the Record Protocol (RP). The RP takes the raw data from the higher layers, performs compression, encryption, and transmits the data. Likewise, upon receipt the RP takes the data, performs decompression, decryption, and moves the data up to the higher layers. The RP also performs message checking to verify the message has not been altered. Once the RP has done its job, it will deliver the data to the four higher-level clients of WTLS.

Figure 9-22: The components of WTLS.

There are four higher-level clients in the design of WTLS: the handshake protocol, the alert protocol, the application protocol, and the change cipher spec protocol. Although the extensive details of each of these are beyond the scope of this book, you should be familiar with the function of each client.

WTLS Handshake Protocol


The WTLS handshake protocol client allows the two end points in the communication to agree upon the security parameters of the communication. This includes issues such as the protocol version used, cryptographic algorithms used, and the handshake procedure.

Figure 9-23: The WTLS handshake process.

There are several steps to the WTLS handshake. The first step is taken by the client: just as in SSL, the client initiates the communication by sending a hello message, called ClientHello, to the server. The server responds with a ServerHello message. Through these two hello messages, the client and server agree upon the session configuration: the ClientHello lists the cryptographic algorithms the client supports, and the ServerHello names the algorithm chosen. After the hello phase the server sends its certificate, called ServerCertificate, and requests the client's certificate. At this time, the server also sends a ServerKeyExchange, which gives the client the public key that will be used to exchange the pre-master secret value. The master secret derived from it will be the final piece used in the session. The server then sends a ServerHelloDone message, indicating to the client to move on to the next step in the handshake. Upon receipt of ServerHelloDone, the client sends the requested certificate and a ClientKeyExchange. The ClientKeyExchange contains either the pre-master secret value (encrypted with the server's public key) or other information needed to complete the key exchange. The client then sends an optional ChangeCipherSpec message. Finally, the client sends a Finished message to the server. The Finished message contains a verification of the agreed-upon information for the session. The server responds with a ChangeCipherSpec message and a Finished message of its own, verifying the security and session parameters, and the session is established.


In the event that the session gets disrupted during communication, there is a means to re-establish the session without a complete new handshake. During a session, there is a SessionID assigned to the communication between the two end points. If communication is cut, the client will send a ClientHello message, only this time it will include the previous SessionID. The server responds with a ServerHello, also with the SessionID. Upon matching the session, a ChangeCipherSpec message will be sent, and then the session can be resumed without the complete handshake.

WTLS Change Cipher Spec Protocol


The ChangeCipherSpec message can be sent by either the client or the server. It signals that the sender is switching to the newly negotiated cipher and keys for everything it sends from that point on. The change can happen upon the re-establishment of a session, but is most often part of the original handshake process.

WTLS Alert Protocol


The WTLS Alert Protocol manages error handling in the session. There are three levels of alert messages: warning, critical, and fatal. Alerts are sent under whatever connection state is current, so they are compressed and encrypted (or not) just like application data. A warning alert is a standard message warning of an existing condition. If a critical alert is sent, both ends terminate the secure connection; other connections using the same secure session are allowed to continue, and the existing SessionID may be used to establish new secure connections. If a fatal alert is sent, both ends terminate the secure connection; other connections between the two ends using the same secure session may continue, but the SessionID is invalidated, so the failed connection cannot be used to establish new secure connections.

WTLS Application Protocol


In WTLS, the Application Protocol is simply a means for interfacing with the upper layers. In the context of this course there are no security ramifications or technical issues that network administrators and professionals will have to configure.

Fundamental Access Point Security


On most modern access points there are a few things, outside of cryptography, that you can do to increase the security of your wireless network. One is to disable the SSID broadcast, removing the constant announcement that a wireless network is available. Another is to enable MAC address filtering, which allows you to list the allowed and/or disallowed MAC addresses for your network. By disabling the SSID broadcast you take a simple step: the AP no longer sends out beacon frames that tell the world your wireless network is here, this is its SSID, and please try to associate. It is better to keep that quiet. Allow the end node to send a probe to the AP, and let the AP respond. An attacker listening to the radio waves around your network will still get the SSID, because it is sent in the clear in probe responses and association requests, but at least your APs are not actively advertising it.

MAC address filtering is a bit more tedious, but provides a bit more control over the network. The process of filtering is very direct: you create a list of addresses, then define that list as allowed or disallowed. The common implementation is to build the list of allowed addresses and mark them as allowed; the filter then treats all other addresses as disallowed. This is not a solution to rely on as your main defense, since MAC addresses travel in the clear in every frame and can be spoofed by an attacker who has sniffed an allowed one. Neither disabling the SSID broadcast nor MAC address filtering is enough protection for you to consider your wireless network secure, but they are reasonable layers you can add to your defense. The key to protecting your enterprise is to create layer upon layer that work together to protect your resources, and these are two small options that add layers.

Wired Equivalent Privacy (WEP)


When the 802.11 standard was created, those involved in the project were very aware of the security problems of wireless communications. In the wireless network, the word broadcast takes on a whole new meaning. WEP was designed to provide a level of confidence in the security of the radio signals, as they would be encrypted. The initial response to WEP was positive, that WEP would ensure the security of wireless transmissions, and nearly all equipment vendors support it. However, the one thing that is true regarding cryptography is that there is no perfect system. Eventually flaws and advances in technology force the move to new forms of cryptography. This usually takes some time, but for WEP the time went by very quickly. Some general points regarding the implementation of WEP already show weakness in the overall design. For example, WEP is not turned on by default; it is up to administrators and/or users to enable WEP, and then up to those same people to configure it properly. Also, WEP utilizes a pre-shared key, where both the AP and the wireless network interface card (WNIC) must be made aware of the key, or series of available keys.

Cryptography and WEP


WEP uses a symmetric key system, where the secret key is shared between the two end points, the AP and the WNIC. There is no standard system for exchanging the secret key data, so the most common method is to simply configure the two nodes manually with the correct key(s). To provide the encryption in WEP, the RC4 cipher is used. This particular cipher is a symmetric stream cipher, and follows all the standard uses of symmetric key cryptography. RC4 is a well-known cipher that has been used in many systems, such as SSL. The problem in WEP is not the RC4 cipher, but the implementation of the cipher. Implementation is generally where the problems with encryption come into play, and WEP is the prime example of this situation. Before moving into further detail on WEP, you must examine stream ciphers. Stream ciphers, as the name implies, stream the bits through the cryptosystem one at a time. The raw data is combined with the key stream in an exclusive OR (XOR) operation to produce the cipher stream. The cipher stream is then transmitted to the receiving node, where the process is repeated in reverse to produce the raw data.


Figure 9-24: The standard operation of a stream cipher.

The stream cipher takes the short secret key and extends it into a larger value, the same length as the message, just like a one-time pad. This extension is created using a pseudorandom number generator (PRNG). To summarize, the sender XORs the plaintext with the key stream to produce the ciphertext, and the receiver uses the identical key stream in reverse to produce the original plaintext. Since the stream cipher works by reversing the equation on the receiving end, the key is the critical component. The receiver generates the same key stream as the sender, and simply XORs it with the ciphertext to arrive at the plaintext message. Since the XORs cancel each other, if the plaintext is P, the ciphertext is C, and the key stream is K, then:

C = P XOR K
P = C XOR K = (P XOR K) XOR K

Now take the key stream K and two plaintext messages, P1 and P2, which go through the process to become C1 and C2. Then C1 = P1 XOR K and C2 = P2 XOR K. Since K is the same in both and XOR is its own inverse, the following is also true:

C1 XOR C2 = (P1 XOR K) XOR (P2 XOR K) = P1 XOR P2

This means the attacker has now learned the XOR of two plaintext messages, without any difficulty, and if either plaintext is known or guessable the other follows immediately. This example highlights why a stream cipher such as this should never encrypt two messages with the same K.

WEP and Key Lengths


The standard implementations of WEP utilize 64-bit shared RC4 keys. Many people consider a 64-bit key to be weak, and they have serious issues with how WEP uses those 64 bits, for good reason. Of the 64 available bits, only 40 are assigned to the shared secret key value. This is where the term 40-bit WEP comes from. In order to extend the life of WEP, several vendors moved to offer 128-bit WEP, of which only 104 bits are used for the shared secret key. If you are wondering where the bits that are not used for the key are going, they form what is called the Initialization Vector (IV). WEP is also designed with the option of using a set of up to four keys. A two-bit key index carried in each frame tells the receiver which of the four keys was used, so the AP and clients can rotate among them.

The WEP Process


Whatever the merits of RC4 as a cipher, the WEP problem is found in the process, in the way that WEP attempts to protect data. Understanding the process is critical in order to follow the steps of cracking WEP, and to realize that WEP provides little security. For WEP to function, the two ends of the communication must have established their secret key already. This is done by manually entering the single key that is used, or by having a sequence of predefined keys to use. Many networks that implement WEP use the single secret key option. Administrators of these networks take some time to create a long and complex key, using the full alphanumeric options. Using a single strong key is nice. However, as you will see, such a strong single key actually adds little security. The other option of having a series of keys provides a slightly higher level of security, as the single key is not reused for every wireless transmission. Here again, however, you will see that the WEP implementation is such that the rolling key option does not provide much more security.


Figure 9-25: The WEP encryption process.

The process begins when the sender initiates the system for transmitting a message. At this time, the plaintext is run through an integrity check algorithm to create the Integrity Check Value (ICV). The 802.11 specifications define the use of CRC-32 for this function. The ICV is then appended to the end of the original plaintext message. A 24-bit Initialization Vector (IV), nominally random (more on this in a moment), is generated and prepended to the secret key. (In this example the standard 40-bit secret key value is used.) The IV and secret key combination is the RC4 key: it is fed into the Key Scheduling Algorithm (KSA), which initializes the cipher's internal state, and the PRNG then generates from that state a key stream that matches the length of the plaintext plus ICV. Once the key stream has been generated, it is XORed with the plaintext/ICV to produce the encrypted portion of the message. The same IV that was input to the KSA is prepended, in the clear, to the front of the encrypted message, a standard header and FCS are added, and the frame is transmitted.


Figure 9-26: The WEP decryption process.

Upon receipt of the message at the destination, the process is essentially done in reverse. In order for the destination node to generate the same key stream, it must use the same IV. This is why the IV must be sent in unencrypted form: the destination needs this value. Using the shared secret key, the destination takes the IV and runs it through the same KSA, PRNG, and key sequencing to get the key stream. The key stream and the ciphertext are then XORed, and the resulting plaintext and ICV are recovered. Finally, the destination node computes a new ICV over the plaintext and checks whether it matches the ICV that was sent. If there is a match, the receiving node accepts and processes the message.

WEP Weakness
So, throughout this discussion, you may be wondering where the weakness is found. Actually, there is more than one weakness, but the problems really start to show when looking at the implementation of the IV.


The IV is a 24-bit field, regardless of the number of bits allocated to the secret key. Therefore, when you implement 64-bit WEP, only 40 bits are for the key, and 24 bits are for the IV. When you implement 128-bit WEP, only 104 bits are for the key, and 24 bits are for the IV. A 24-bit field does not yield very many possibilities, only 16,777,216 (2^24) combinations. This means that after at most 16.7 million frames an IV must repeat. Busy networks transmit that many packets in a matter of hours at most, and if IVs are chosen at random, a repeat is likely much sooner: by the birthday bound, the chance of at least one repeat passes 50 percent after only about 5,000 frames. But in most networks the attacker will not even have to wait that long to find a duplicate IV, because many WNICs reset the IV to 0 when the card is reinitialized. As WNICs are reinitialized frequently in busy networks, finding a repeating pattern may take a very short time. If an attacker has any idea of the contents of the plaintext message, then the job of breaking WEP is that much easier. This can be accomplished by the attacker being the one to generate the plaintext message, such as sending an email or a ping into the WEP-protected network, and sniffing the encrypted result. Knowing the formatting of messages sent and received will also increase the attacker's success rate. Given that message formatting is known, for example that the first byte of plaintext data is always the first byte of the LLC/SNAP header, this is not a difficult assumption. Once the attacker has built up a table mapping known plaintext to ciphertext, the key stream for each IV can be stored.
An IV collision is when the IV is reused.


Figure 9-27: Example of the plaintext/ciphertext attack on WEP.


When emailing the target, sending a message of a string of the same character (such as all 5s) makes comparison between plaintext and ciphertext a bit simpler.

Earlier, you looked at some of the basic equations of WEP. Recall that C1 = P1 XOR K and C2 = P2 XOR K, and therefore C1 XOR C2 = P1 XOR P2. It follows that if the attacker knows P1 (because the attacker sent it) and sniffs C1 from the air, XORing the two gives the key stream K for that IV. The attacker need not decrypt anything or learn the secret key; only the key stream matters. By doing this enough times, the attacker can build what is called a decryption dictionary: a table that stores every recovered key stream, mapping each IV to its key stream. Due to the WEP implementation, there are at most 2^24 (16,777,216) entries in the dictionary. Once the dictionary is full, the attacker can decrypt all WEP traffic. If the system is fast enough, it may even happen in close to real time. Recall that many systems reset their IV to 0 each time they are reinitialized, which makes for a much smaller key space in practice. Another problem is that systems are not required to change the IV on each packet, again making the space that requires attacking smaller and smaller. Take a look at the following equation to see how this works out in simple binary. In this case you are looking at just two bytes, but the process is identical for larger amounts of data. Assume for this equation that you are the attacker.

0110100001101001   Known plaintext (known because you sent it). This is P1.
0110100111000101   Known ciphertext (known because you are sniffing it). This is C1.
0000000110101100   Learned key stream (P1 XOR C1, bit by bit). This is now K.


The attacker can simply perform this type of operation over and over, until all the key streams are identified. After the key stream for an IV is known, the attacker can take any WEP message using that IV, look it up in the dictionary, and XOR the ciphertext with the key stream to get the plaintext. The attacker never spends time trying to recover the key; in this case, the attacker does not care what the key is, only the value of the key stream.

The final big push that led to the downfall of WEP as the primary security system for wireless communications came in August 2001, when Scott Fluhrer, Itsik Mantin, and Adi Shamir published a paper titled Weaknesses in the Key Scheduling Algorithm of RC4. The paper described attacks on WEP that were quickly shown to be practical. One of its focus points was that of weak IVs. Because 802.11 uses LLC encapsulation, the formatting of every frame is known, and in particular the first plaintext byte is known to be 0xAA (the first byte of the SNAP header). Knowing the plaintext value of the first byte, an attacker can simply XOR the first byte of the ciphertext with it to reveal the first byte of the key stream. In the paper, a class of weak IVs is analyzed for which that first key stream byte leaks information about the secret key: each weak IV is used to attack a specific byte of the secret RC4 key. The bytes of the key are numbered starting from zero. In a 40-bit WEP implementation there are 1,280 weak IVs of this kind. You should be aware that the number of weak IVs varies with the key length, so if you elect to use 128-bit WEP the overall number of weak IVs increases. In the 128-bit WEP implementation (which uses 104 bits for the key) there are 4,096 weak IVs, more than three times as many as in 40-bit WEP.
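The following Python program is an added worked example, not code from this lesson or from the Netgear lab kit, that ties together the stream-cipher equations, the WEP encryption and decryption process, the known-plaintext key stream recovery and decryption dictionary described above, and the FMS weak-IV attack. The 40-bit key, the IVs and every frame are constructed inside the program. The frame format is simplified (no 802.11 header or key-ID byte, and the ICV is the little-endian CRC-32 of the plaintext), and the FMS routine handles only the (A+3, 0xFF, X) class of weak IVs, which is enough to recover the constructed key from the first ciphertext byte of each frame.

```python
"""Added worked example (not from the lesson or its lab kit): RC4 keystreams,
WEP framing, keystream recovery under a reused IV, IV-collision detection and
FMS weak-IV key recovery.  Key, IVs and frames are constructed here.  Assumed
simplifications: no 802.11 header or key-ID byte; ICV = little-endian CRC-32."""
import zlib
from collections import Counter

def rc4_ksa(key: bytes) -> list:
    """RC4 Key Scheduling Algorithm: permute S[] under the (IV || secret) key."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return s

def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4 PRGA: n keystream bytes from the scheduled state."""
    s, i, j, out = rc4_ksa(key), 0, 0, bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(plaintext: bytes) -> bytes:
    return zlib.crc32(plaintext).to_bytes(4, "little")

def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame = IV || ((plaintext || ICV) XOR RC4(IV || secret_key))."""
    body = plaintext + icv(plaintext)
    return iv + xor_bytes(body, rc4_keystream(iv + secret_key, len(body)))

def wep_decrypt(secret_key: bytes, frame: bytes) -> bytes:
    """Receiver: rebuild the keystream from the cleartext IV, strip and check the ICV."""
    iv, body = frame[:3], frame[3:]
    data = xor_bytes(body, rc4_keystream(iv + secret_key, len(body)))
    plaintext, tag = data[:-4], data[-4:]
    if tag != icv(plaintext):
        raise ValueError("ICV mismatch: wrong key or corrupted frame")
    return plaintext

def recover_keystream(frame: bytes, known_plaintext: bytes) -> tuple:
    """Attacker: C XOR (P || CRC32(P)) is the keystream for this IV; no key needed."""
    iv, body = frame[:3], frame[3:]
    return iv, xor_bytes(body, known_plaintext + icv(known_plaintext))

def iv_collisions(frames) -> dict:
    """IVs seen more than once in a capture; each one is a two-time pad."""
    counts = Counter(f[:3] for f in frames)
    return {iv: n for iv, n in counts.items() if n > 1}

SNAP_FIRST_BYTE = 0xAA  # first plaintext byte of every LLC/SNAP-encapsulated frame

def fms_recover_key(frames, key_len: int, fudge: int = 3) -> bytes:
    """FMS attack: a frame whose IV is (A+3, 0xFF, X) casts a vote for secret key
    byte A from its first ciphertext byte.  Depth-first search over the top
    `fudge` candidates per byte; a key is accepted only if it validates an ICV."""
    def candidates(prefix):
        a, votes = len(prefix), Counter()
        for frame in frames:
            iv = frame[:3]
            if iv[0] != a + 3 or iv[1] != 0xFF:
                continue
            k = list(iv) + list(prefix)          # RC4 key bytes known so far
            s, j = list(range(256)), 0
            for i in range(a + 3):               # replay KSA steps 0 .. A+2
                j = (j + s[i] + k[i]) % 256
                s[i], s[j] = s[j], s[i]
            first_ks = frame[3] ^ SNAP_FIRST_BYTE
            votes[(s.index(first_ks) - j - s[a + 3]) % 256] += 1
        return [c for c, _ in votes.most_common(fudge)]

    def search(prefix):
        if len(prefix) == key_len:
            try:
                wep_decrypt(bytes(prefix), frames[0])
                return bytes(prefix)
            except ValueError:
                return None
        for cand in candidates(prefix):
            found = search(prefix + [cand])
            if found:
                return found
        return None

    return search([])

# Constructed traffic: a 40-bit key and one frame under every FMS weak IV.
SECRET_KEY = bytes.fromhex("1f2e3d4c5b")
SNAP = bytes.fromhex("aaaa030000000800")  # LLC/SNAP header carrying IPv4
SAMPLE_FRAMES = [wep_encrypt(SECRET_KEY, bytes([a + 3, 0xFF, x]), SNAP + b"payload")
                 for a in range(len(SECRET_KEY)) for x in range(256)]
```

Calling fms_recover_key(SAMPLE_FRAMES, 5) returns the constructed key without any brute force over the key space; recover_keystream and iv_collisions show the cheaper attack, where two frames under one IV let an attacker who knows one plaintext read the other without ever learning the key. The ICV check at the end of the search is what real tools rely on to reject the occasional wrong vote winner.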

WEP Conclusion
Although by now you may feel that there is no practical value in utilizing WEP, you should still take advantage of this option when nothing stronger is available. Adding this layer of security should be one of the starting points in the security of your wireless network, not the end. By having WEP on the network, you may at least remove the casual attacker's interest in your network; it will not stop a determined one.

Configure WEP
Up to this point, you have seen the creation of an ad-hoc wireless network, and the creation of an infrastructure network. Although effective for fast setup and simple configurations, this provides no security. The only time you should run an unprotected network is in a controlled lab environment, where access to any production machine of any type is impossible. In this section, you will see the process of enabling WEP. Even though you've learned that WEP can be cracked, if your wireless system does not support any more robust security features, you must implement WEP as your bare minimum. In this task, 128-bit WEP will be configured. The AP that will be configured to use WEP is a Netgear WPN824.


TASK 9C-1
Installing the Netgear WPN824 Access Point
1. Log on to your Windows 2003 Server as Administrator.
2. Open the Network Properties of your LAN adapter.
3. Select TCP/IP, and click Properties.
4. Configure your LAN IP Address to allow you access to the Internet, click OK twice, and then click Close.

   Note: In these tasks, the Netgear AP will reconfigure the Server to use DHCP by default to connect to the AP.

5. Insert the Netgear CD-ROM in the CD-ROM drive. If the setup program does not autorun, navigate to the CD, and double-click the Autorun.exe file.
6. From the main menu, click Setup.
7. Read the Before You Begin instructions, and click Next.
8. Record your current network settings, as shown, and click Next. The system will reconfigure to use DHCP as required.
9. Once the system has confirmed your setup and Internet connection, click Yes.

10. In the Overview screen, click Next.
11. Review the screen to turn off the broadband modem, and click Next.
12. Review the disconnection of the Ethernet cable screen, and click Next.
13. Connect the Netgear Router to the Broadband connection, and click Next.
14. Connect your Server to the Netgear Router, then click Next.
15. Power on the Broadband device, then power on the router, and click Next.


16. Wait while the system resets, and when you are at the Welcome screen click the Advanced User URL that is shown in the window.

17. For User Name, type admin and for the Password, type password (these are the defaults), and click OK. (In production, change this default password before the AP goes into service.)
18. If you receive a firmware update notice, check the Do Not Display Again check box, and click Close Window. If you do not receive a firmware update notice, move to the next step.
19. Type an IP Address of 10.0.10.50, a Subnet Mask of 255.255.255.0, and a Gateway IP Address of 10.0.10.2. Configure the DNS Settings for your network. Then, click Apply. If you are prompted for the user name and password, use the same credentials you used in step 17.
20. From the menu on the left side of the screen, click the Wireless Settings link.
21. In the Name (SSID) text box type SCP-2. Leave the Channel and Mode at their defaults.
22. Under Security Options, select the WEP radio button. The WEP options will be enabled when you make this selection.
23. Keep the default Authentication Type as Automatic, and in the Encryption Strength drop-down list, select 128bit.


24. Select the Key 1 radio button, and in the Passphrase text box type SECRET1 and click the Generate button. (Note that the system is designed to populate only one Key field at a time, but at times it will populate all fields. If this is the case, copy and paste each key to Notepad.)
25. Select the Key 2 radio button, and in the Passphrase text box type SECRET2 and click the Generate button. Repeat this pattern for Keys 3 and 4.
26. Once all four keys are entered, click Apply.

27. Enter the Netgear credentials, and click OK. The settings will be updated.

Establishing the WEP Network


With the access point installed and configured to use WEP, you will now need to configure the clients to use the same security settings. Since the AP is configured with four different WEP keys, these exact same keys will be required on each WEP client. The client to be configured will be the Netgear client. The WEP clients and the AP use the same keys. You will use the following passphrases and the 128-bit keys (104 secret bits, written as 26 hex digits) that the Netgear utility generates from them:

SECRET1 - D26BC1D2A0BFE7F09BBF02349C
SECRET2 - 30FC02118708A87A1A2CB06E1B
SECRET3 - 014DAAF8F9BEECA7E046D7C2AC
SECRET4 - F41FB818ED33EDD64D38E62BA0


TASK 9C-2
Configuring WEP on the Network Client
1. Log on to the computer that has the Netgear WPN511 installed.
2. In the Windows system tray, click the Netgear WPN511 Smart Wizard icon.
3. Click the Networks tab.
4. Click the Scan button to locate the new network. Note that the new WEP network is located.
5. Select the SCP-2 network, and click the Connect button. Note that you are brought to the main Settings tab when you do this, and that both the SSID and WEP options have been selected.
6. In the Passphrase drop-down list, select 128 bits.
7. Verify that Key 1 is highlighted under the Enter Key Manually drop-down list, and in the Passphrase text box type SECRET1 (notice that the key is automatically generated).
8. Select Key 2 in the drop-down list, and type SECRET2 in the Passphrase text box.
9. Select Key 3 in the drop-down list, and type SECRET3 in the Passphrase text box.


10. Select Key 4 in the drop-down list, and type SECRET4 in the Passphrase text box, then click the Apply button. You are now connected to the WEP network.

11. If you wish, open a Command Prompt and ping 10.0.10.2 (the AP) to verify the connection.

Temporal Key Integrity Protocol (TKIP)


TKIP is not specific to Wi-Fi Protected Access (WPA), but it is the cipher suite WPA uses. TKIP was developed to correct some of the weaknesses found in the WEP RC4 process while still running on existing WEP hardware. TKIP still uses RC4 as the core cipher, but from there the process changes. TKIP forces a new key to be generated every 10,000 packets, and instead of prepending a 24-bit cleartext IV to a static key, it mixes the temporal key, the transmitter's MAC address and a 48-bit per-packet sequence counter into a fresh RC4 key for every frame; the counter also gives the receiver replay protection. This per-packet key mixing means that the previous problem of turning a 64-bit key into a 24-bit plaintext IV and a 40-bit static secret is gone. TKIP also includes a method of verifying the integrity of the data called the Message Integrity Check (MIC), known as Michael. Unlike WEP's unkeyed CRC-32, the MIC is keyed, so it confirms that the packet has not been altered in transit. Although TKIP strengthens (rather than replaces) the WEP process and increases the security of network transmissions, it should not be considered the final solution for wireless security. In a pre-shared-key deployment the whole system still rests on the single password (or passphrase) that was used to initiate it: if an attacker captures the key handshake and that secret is weak enough to guess offline, the entire system is compromised.

TKIP is not a replacement for WEP.

Extensible Authentication Protocol (EAP)


Extensible Authentication Protocol (EAP) is not a wireless-specific protocol. EAP is used in many different systems, both wired and wireless. EAP, in the simplest definition, is a framework for authenticating a remote access connection.


EAP is not tied to a specific authentication technology, meaning that it will work with certificates, smart cards, tokens, challenge/response systems, and so on. In the case of wireless security, EAP has been applied to authenticating remote wireless users.

Wi-Fi Protected Access (WPA)


WEP is not the only solution for securing your wireless communications. Another solution is Wi-Fi Protected Access (WPA). Behind WPA is the Wi-Fi Alliance, an organization deeply involved in wireless interoperability issues. WPA is designed to meet two goals: strong access control via user authentication, and strong protection via encryption. The first goal, user authentication, is provided by 802.1x together with the Extensible Authentication Protocol (EAP). The second goal, encryption, is provided by three items: the Temporal Key Integrity Protocol (TKIP), the Message Integrity Check (MIC) called Michael, and 802.1x dynamic key distribution. This means WPA = 802.1x + EAP + TKIP + MIC.

The WPA Process


There is a sequence of steps involved in the WPA process. These steps are different for an Enterprise implementation and a Small Office Home Office (SOHO) implementation. In the SOHO implementation, a matching password is configured on the AP and the client. When the passwords are checked and matched, cryptographic keys are exchanged and the encrypted session begins. Although the authentication is simplified to the matching password for the SOHO implementation, the encryption process is the same for the SOHO as for the Enterprise.
The formula for WPA is: WPA = 802.1x + EAP + TKIP + MIC

Lesson 9: Securing Wireless Networks

507

Figure 9-28: The Enterprise implementation steps of WPA.

In the Enterprise, there are several more steps in the overall process. The first step is the association of the client to the AP. Once the client associates, the second step is for the AP to block the client from the LAN segment until the client has authenticated. The third step is the client providing authentication credentials to the authentication server. If the client successfully authenticates, the process moves to step four; if the client does not authenticate, the client remains blocked from the LAN segment. The fourth step is for the authentication server to distribute the required cryptographic keys to the AP and the client. The fifth step is for the client to join the LAN, using the keys to encrypt all the communications between the AP and the client.

Hardware Requirements
In order to take advantage of all that WPA offers, you will need to be sure that your network is able to run WPA. Access Points and other wireless equipment must support WPA. Most newer devices support WPA, but older models may require upgrades. In addition to the APs and clients supporting WPA, you will need an authentication server. This should be a strong authentication server, such as a RADIUS server.

WEP and WPA Comparison


Although the technologies are different, there is a natural tendency to compare WEP directly with WPA. Here is a quick comparison of some of the primary points between these two security mechanisms.


WEP                         WPA
40-bit keys                 128-bit keys
Static key                  Dynamic keys
Manual key distribution     Automatic key distribution

Looking at those three points alone should provide ample reason for migrating the enterprise to WPA as a security solution over WEP. A final point is the authentication systems: in WEP there is no unique authentication required of the users, whereas in WPA the user must authenticate with the authentication server.

Configure WPA2
For this task, it is assumed that the initial WAP54G installation and configuration is finished, and the task is specifically designed to configure WPA. Once the AP is configured to utilize WPA, the WNICs will be configured to connect to the WPA-protected network.

TASK 9C-3
Configure WPA2 on the Access Point
1. Log on to your Windows 2003 Server as Administrator.
2. Open a web browser, and point to http://10.0.10.1 (or, if different, whatever IP Address you assigned to the WAP54G).
3. Leave the User Name empty, and type admin as the Password, then click OK.
4. Click the Wireless tab, and under the Basic Wireless Settings, change the Network Name (SSID) to SCP-3 and click the Save Settings button. When you get the prompt that your changes have been saved, click Continue.
5. On the Wireless tab, click the Wireless Security option.
6. In the Security Mode drop-down list, select WPA2-Mixed.
7. In the Passphrase text box, type SCNP4ME!
8. Click the Save Settings button. When you get the prompt that your changes have been saved, click Continue.

Supplicants
While several makers of wireless networking equipment have made their cards able to understand the higher-level security features, such as WPA, there are currently issues in getting the WNIC to connect to the AP using WPA. The use of supplicant applications helps to smooth out this process.

It is important to note that you may need to download a supplicant in order to get WPA running on your system. The supplicant is the piece of code that allows your new card to actually use the features of WPA. This is especially true in legacy systems, such as Windows 2000. Microsoft has released a WPA patch for Windows systems, and Funk Software has released a third-party solution called Odyssey. With the AP now configured to use WPA2, you need to configure your client computers to match this security setting. In this next task, you will configure the Linksys WNIC client to use WPA2 security.

TASK 9C-4
Configuring WPA2 on the Network Client
1. Log on to the computer that has the Linksys WPC54G installed.
2. In the Windows system tray, right-click the Linksys WPC54G monitor icon, and choose Open The Monitor.
3. Click the Site Survey tab. Notice the new WPA2 security-enabled AP is listed.
4. Select the SCP-3 WPA2 secured network, and click Connect.
5. Verify that the WPA2-Personal option is selected, type SCNP4ME! in the Passphrase text box, and click Connect.
6. In the Congratulations screen, click Connect To Network.
7. In the Link Information screen, note that you are now connected to the Access Point. Click the More Information button.
8. If you wish, open a Command Prompt and ping 10.0.10.1 (the AP) to verify the connection.


802.1x
While industry groups such as the Wi-Fi Alliance are working on security solutions, so is the IEEE. The 802.11i working group is focused on the security issues of the 802.11 wireless networking standards. The group is working towards the 802.1x standard, which will define the authentication framework of 802.11-based networks. The 802.1x standard is based upon EAP, and will provide the flexibility to use multiple authentication algorithms, since it is an open standard. Vendors will be able to implement and advance the technology along the lines of the standard. In this system there are three primary components: the end client, the access point, and the authentication server. Although it is common for the authentication server to be a RADIUS server, there are no specifications requiring RADIUS. This leaves the design open to fit your specific situation.

Topic 9D
Wireless Auditing
Since the wireless network is so dynamic, regular auditing is required in order to maintain proper security. This is in addition to the normal auditing and analysis of your wired network. Since the wireless network has no true boundary, your auditing must be specifically targeted towards this segment of the enterprise. A complete audit of the wireless network should inform you of all the APs, all the WNICs, and any other significant information; for example, are the APs in the network broadcasting their SSID? One method of attack is to add a rogue AP on the edge of your network, extending the range across the street or into another building. Without proper auditing, you may find this out only after it is too late.

Site Survey
One of the primary, and most basic, wireless auditing tasks is called the site survey. This is a primary task because the wireless network is an ever-changing network, with dynamic boundaries. Even if the nodes in the network remain static, the bandwidth use may be dynamic, causing transmission rates to change during the course of communication. The BSS and ESS that are running in the wireless network can reconfigure themselves to use the lowest common denominator of bandwidth when associating with nodes and other APs. Analyzing the packets on a given channel of an AP can indicate the strength of the signal and the size of the packets transmitted. If it seems that all the packets are small in size, then there is the possibility that interference is causing the small size. Through your analysis you can then alter the settings of the AP or move it to a different physical location.


WNIC Chipsets
Although not specific to the concept of auditing or the wireless network, you need to be aware of the WNIC chipsets in order to utilize many of the wireless auditing tools. The reason for this is that there are several different manufacturers of wireless chipsets, and this is important because the tools and drivers are actually interacting with the chipset itself. When looking for interoperability with your O/S or auditing tool, you may need to know which chipset is in your card, and which chipsets are compatible with that specific tool. For 802.11b networks, two common chipsets are Prism and Hermes. The Prism chipset is on a wide variety of cards, such as Linksys, D-Link, and Netgear. The Hermes chipset is often found in Proxim cards, specifically the ORiNOCO cards. Many wireless tools work best (and, for some tools, only) with the ORiNOCO card. For 802.11g networks, two common chipsets are Atheros and Broadcom. Many different card vendors use these chipsets. In this lesson, both the Linksys and Netgear client cards use an Atheros chipset.

Wireshark
Wireshark is one of the leading network analysis tools, and runs on both Windows and Linux platforms. Wireshark can capture all the packets on a network card, and present those packets for analysis. Complete details of Wireshark network analysis are out of the scope of this book. Even though Wireshark runs on both Windows and Linux, the support for analyzing 802.11 packets is better on Linux.

NetStumbler
Perhaps one of the most famous wireless tools, NetStumbler should be a part of all wireless auditing tool kits. NetStumbler works with a wide variety of cards, with a full list available at www.stumbler.net/compat. This tool, once loaded on your computer, can detect 802.11 networks, identify the SSIDs, identify the security in place, identify the channel used, and so on. There is a mapping function in NetStumbler that creates a graphical image, on a map of the area, of the location of APs. Since the tool allows for GPS integration, you can even use a GPS device to identify the exact longitude and latitude of the AP for plotting onto a map. Furthermore, you can output your results to the mapping software MapPoint. NetStumbler will identify, on screen, the SSIDs of the networks that it finds, and will report whether or not that network is using WEP. If the AP is using WEP, a small lock icon will appear in the circle next to the MAC address of the AP. Installing NetStumbler is very simple: just execute the application and a desktop icon will be created. Double-click the desktop icon, and NetStumbler is ready to go. The only issue is making sure that the WNIC you use is supported by NetStumbler. Supported cards require no additional steps; NetStumbler will simply use the card upon running the application. The web site, www.netstumbler.com, is where you can go to find the current updates regarding the supported cards.


TASK 9D-1
Installing NetStumbler
1. Log on to the computer with the Linksys WPC54G installed.
2. On your course CD-ROM, navigate to C:\Tools\Lesson9\NetStumblerInstaller_0_4_0.exe (note: if you do not have this file, you may download it from www.stumbler.net).
3. Double-click the NetStumbler_0_4_0.exe file to begin the installation.
4. Read the License Agreement, and click I Agree.
5. Leave the default selection of a Complete Install, and click Next.
6. Accept the default installation directory, and click Install.
7. Once the install is complete, click Close.
8. If you wish, read through the Release Notes, then close the Release Notes window.

Identify Wireless Networks


After you have NetStumbler installed, you can quickly analyze your network to find active access points. Once you have identified an access point, you can dig a bit deeper to determine the MAC address, the SSID, encryption use, signal strength, and (if you have GPS connectivity) the longitude and latitude of the AP.

In the previous figure, you can see that NetStumbler has located three APs nearby. NetStumbler has identified the SSID, Channel and MAC address. The vendor name is estimated based on the MAC address, as specific MAC addresses are assigned to specific vendors. This is not always accurate, however, as MAC addresses can be changed. In the test lab for this figure, two APs are Linksys, and one is Netgear. When using NetStumbler, you are able to identify if you are associated with a network by looking to see if your MAC address is in bold. In the example figure, the MAC address 0018390FFA5D is bolded, so the machine that created this example is associated to the network on Channel 6, using SSID SCP-3.

Notice as well that NetStumbler has identified the Encryption on SCP-2 and SCP-3 as WEP. While SCP-2 is using WEP, the SCP-3 network is using WPA2, so although NetStumbler did correctly identify that encryption was in use, it did not delineate the difference between a WEP and WPA2 encrypted connection. You should keep this in mind as you are using your wireless tools. While not clearly defined from a legal viewpoint, connecting to an Access Point may be considered unauthorized access. If your WNIC is set to DHCP, your system may associate and you may be given an IP Address very quickly. Be careful that you do not associate and join a network that you had no intention of using.
If you have time, visit the site www.wigle.net. There is an interactive map that you can zoom in on, down to the level of seeing the names of individual SSIDs that have been discovered via wardriving.

TASK 9D-2
Identifying Wireless Networks
1. Log on to the system that has NetStumbler installed.
2. Double-click the NetStumbler desktop icon. (If no icon was installed, you can find NetStumbler in your Programs menu.)
3. NetStumbler will automatically run a scan and locate active Access Points within range of your system.
4. Examine the results and locate the following information: What are the network types identified? What are the channels used? Is your system associated with any network? Which networks are using encryption?
5. Close the NetStumbler application. At this time, there is no need to save the file results, unless you wish to have them for later analysis.

OmniPeek Personal
There are many products designed to perform wireless network analysis directly, and one of them is part of a bigger product called OmniPeek, a commercial product from WildPackets. OmniPeek Personal can be downloaded for free, for personal use only, from the WildPackets site: www.omnipeek.com. To use OmniPeek in a commercial environment, you must buy a license for the OmniPeek Workgroup or Enterprise products. One thing OmniPeek Personal is not designed to do is to crack WEP. There are other tools designed for this purpose. If you have WEP running in your network, you can, however, input the WEP keys and OmniPeek Personal will decrypt those packets on screen. By decrypting the WEP signals, you can use OmniPeek Personal to analyze higher layer communications as well.


Installation of OmniPeek Personal is very straightforward. OmniPeek Personal will not work with every WNIC made, but supports quite a few brands and types of cards. OmniPeek Personal supports various 802.11a, 802.11b, 802.11g, and 802.11 combo cards. You will need to be sure that your card is one that is supported. Once you know that your card is supported, you will then update the WNIC with a WildPackets driver for that specific card. Once the driver is installed, OmniPeek Personal is ready to run on your system.

TASK 9D-3
Installing OmniPeek Personal
Setup: OmniPeek Personal requires Microsoft .NET Framework 2.0. If your system does not have this installed, please visit www.omnipeek.com/downloads.php and follow the link to Microsoft to download the current version.
1. Log on to the system that has the Linksys WPC54G installed.
2. From C:\Tools\Lesson9, double-click WildPackets_OmniPeek_Personal41.exe.
3. If your security system generates a Security Warning pop-up, click Run. If no pop-up is created, proceed to the next step.
4. In the InstallShield Wizard, click Next.
5. In the Name text box, type your first name, and in the Company Name text box, type SCP, and click Next.
6. If you wish to receive WildPackets updates, click Next. If you do not wish to receive WildPackets updates, uncheck the check box, then click Next.
7. Read the features offered in the OmniPeek Workgroup Pro upgrade, and click Next.
8. Read the terms of the License Agreement, select the radio button if you accept, and click Next.
9. Read through the Installation Notes, and click Next.
10. If your system does not have Microsoft .NET Framework 2.0 installed, you will be prompted to download .NET 2.0. If you do need to perform this download, click OK. If your system already has .NET installed, skip to the next step.
11. Leave the default selection of a Complete Install, and click Next.
12. Confirm your settings, and click Next to begin copying files. The software will now be installed to your system.
13. Once the install is complete, uncheck the box to view the Readme, uncheck the box to Launch OmniPeek, and click Finish.


WildPackets Drivers
OmniPeek Personal requires the installation of a special WildPackets driver in order to use a wireless card with an Atheros chipset. Note that once you have installed the WildPackets driver, if you wish to revert to your previous configuration, you will need to reinstall the factory drivers that came with your WNIC. In this book, you will be using the OmniPeek files that are included as samples, so no driver installation is required.

OmniPeek Personal Captures


OmniPeek Personal has several preconfigured packet captures saved for you to use. Viewing these sample captures will give you an insight into the process of using OmniPeek Personal, without the requirement of setting up a complex wireless lab. If you are going to move further in your career as a wireless network analyst, you will build and manage your own lab, so this is not an issue, but for the classroom, these captures are a great tool. OmniPeek Personal can work as a network troubleshooting and maintenance tool, in addition to providing the information you need to run security audits. The tool can tell you bandwidth use, packet transmissions, and errors, all through its easy-to-read visual gauges. The full details of this tool are beyond the scope of this course, but one of the features you will likely want to familiarize yourself with is the peer map. The OmniPeek Personal peer map will help you to actually visualize the traffic in your network. Connections are given colored lines, with the line getting thicker based on utilization. In the peer map, you can grab a node with your mouse and move it on screen, with the lines moving in relation, allowing you to adjust the view to your liking.

TASK 9D-4
Viewing OmniPeek Personal Captures
1. Log on to the system where you have installed OmniPeek Personal.
2. Navigate from the Start menu to the WildPackets OmniPeek Personal installation.
3. The first time the application runs, you must define a network adapter. In this course, you will not be using an adapter. In the Monitor Options screen, select None, and click OK.
4. Choose File→Open.
5. Navigate to the folder location where you installed OmniPeek Personal.
6. Open \OmniPeek Personal\Samples\Wireless.
7. Select association.apc and click Open. What is the function of the packet found in line 4? It is the broadcast looking for a wireless network to join. This broadcast is called the probe request.
8. What is the MAC address of the node that sent the Probe Request? 00:A0:F8:9B:B9:AA
9. What is the function of the packet found in line 5? It is the response from the AP that it will accept connections. This response is called the probe response.
10. What is the function of the packet found in line 8? A request to use open authentication.
11. Right-click line 8 and choose Select Related Packets→By Flow. Click the Hide Unselected button. You will be left with only the packets related to that specific conversation.
12. What is the subtype of the authentication request in line 8? It is Subtype: 1011 (Authentication).
13. What is the status code of the authentication response in line 10? It is listed as Successful, so this packet is to inform the client that the request is granted.
14. Choose Edit→Unhide All Packets.
15. Double-click line 3, which is a Beacon packet.
16. Note the type and subtype of this packet.
17. Click the green right-arrow. This arrow is found two rows under the File menu.
18. What is the type and subtype of this packet? Type 00 (Management) and 0100 (Probe Request). Continue to click the green arrow, noting the different Types and Subtypes, as they are associated to different packets.
19. What is the type and subtype for a probe response? Type 00 (Management) and 0101 (Probe Response).
20. What is the type and subtype for an 802.11 acknowledgement? Type 01 (Control) and 1101 (Acknowledgement).
21. What is the type and subtype for a beacon? Type 00 (Management) and 1000 (Beacon).
22. What is the type and subtype for an 802.11 authentication packet? Type 00 (Management) and 1011 (Authentication).
23. What is the type and subtype for an association request? Type 00 (Management) and 0000 (Association Request).
24. What is the type and subtype for an association response? Type 00 (Management) and 0001 (Association Response).
25. Choose File→Close to close the packet details.
26. From the left menu, under Statistics, click Protocols.
27. Notice the percentages of each protocol in this capture. When finished, choose File→Close. Keep OmniPeek Personal open for subsequent tasks.


Live Captures
Although it may not be a part of your daily tasks, there will be times when you wish to view captures as they happen. These live captures can then be saved for later analysis, or you can look for trends as they are happening. There is a feature built into the program to simulate the live capture of packets, so you do not need to have a suitable WNIC installed.

TASK 9D-5
Viewing Live OmniPeek Personal Captures
1. Choose Capture→Start Capture.
2. In the Monitor Options, select the File option, and click OK.
3. In the File Name box, browse to \WildPackets\OmniPeek Personal\Samples\Wireless\Demo.apc, and click Open. (Note: you may need to change the file type to view .apc files.)
4. Choose Capture→Start Capture.
5. Click the green Start Capture button.
6. Allow the capture to run for some time. When you reach approximately 700 packets, click the red Stop Capture button.
7. Leave the application open for upcoming tasks.


Non-802.11 Packets
Although you may wish to spend the majority of your time analyzing the 802.11 packets and associated wireless networking issues, OmniPeek Personal can capture all traffic. This allows you to perform analysis on all network traffic if you wish. In the following task, you will examine all the traffic captured, and view the OmniPeek Personal options for analysis.

TASK 9D-6
Analyze Upper Layer Traffic
Setup: This task assumes that the Demo.apc file is open.
1. Right-click line 16 and choose Select Related Packets→By Flow.
2. Click the Hide Unselected button.
3. What are the IP Addresses of the nodes in this conversation? 192.168.0.11 and 192.216.124.4
4. Which packets define the three-way handshake? Packets 16, 19, and 21.
5. What website is being accessed in these packets? www.wildpackets.com (This is the maker of OmniPeek Personal.)
6. Double-click any HTTP packet. What is the type and subtype of the packet? Type 10 (Data) and 0000 (Data Only).
7. Double-click line 23. Looking at the MAC addresses and last bit of the frame control flags, do you suspect this to be an ad-hoc or an infrastructure network? An infrastructure network: there are three addresses in use, and the ToDS bit is set to 1.
8. Choose File→Close. Click No, as you do not need to save this capture file.
9. Leave OmniPeek Personal open for the next task.

Decode WEP
If you are analyzing traffic on your own network, you know what the WEP key is. In this case, you are not cracking anything, but you will utilize the key to decrypt WEP-protected data on screen. OmniPeek Personal has an option to UnWEP packets, provided you have the required key.

TASK 9D-7
Decrypting WEP
1. If it is not already open, open OmniPeek Personal.
2. Choose File→Open.
3. Browse to \WildPackets\OmniPeek Personal\Samples\Wireless\telnetwep.apc and click Open. Notice that under the Protocol column, no protocol information for higher layers is available. (You can reorder the columns, if you wish.)
4. Double-click packet 6.
5. What is the type and subtype of this packet? Type 10 (Data) and Subtype 0000 (Data Only).
6. According to the frame control flags, is WEP enabled, and is this likely for an ad-hoc or an infrastructure network? Yes, WEP is enabled, and the ToDS bit is set, so this is an infrastructure network.
7. What is the WEP IV for this packet? 0x050100
8. To get back to the main packet list, close the packet details.
9. Choose Tools→Decrypt WLAN Packets.
10. Select the Encrypted Only radio button and click the button to the right of the Use Key Set text box.
11. Click the Insert button.
12. In the Name text box, type UnWEP1. In the Key 1 text box, type 0123456789 and in the Key 2 text box, type 9876543210. Click OK. These values are part of the OmniPeek Personal demo.
13. In the Key Sets window, click your newly created UnWEP1 set, and click OK.
14. In the Decrypt WLAN Packets window, click OK to perform the decryption with the UnWEP1 keyset. It will only take a brief moment to perform the decryption. You will see right away that the packets are decrypted, and the protocols and other details are now exposed.
15. Starting with packet 1, what are the other packets involved in the three-way handshake? Packets 1, 2, and 3.
16. What IP address is associated with the Telnet client? 192.168.0.11
17. What packet holds the login request from the Telnet server? Packet 8.
18. Examine the details of lines 9, 12, 15, 18, 20, 24, 27, 30. What can you learn from the information in these lines? You can learn the login is sysadmin. (Note: Look at the values presented in the Line 1 field of these packets together.)
19. What does it appear that the password is for this login session? The password looks like foo, from lines 36, 39, and 42. (Note: Look at the values presented in the Line 1 field of these packets together.)
20. Which packets are used to end the Telnet session? Packets 63, 64, 65, and 66.
21. Double-click line 63. This is the Ack/Fin to close the session from the Telnet server.
22. What is the setting of the ToDS bit and the FromDS bit? The ToDS bit is set to 0 and the FromDS bit is set to 1.
23. After you identify the bit setting, click the green right-arrow to move to the next packet. This is packet 64, the return Ack to the server.
24. What is the setting of the ToDS bit and the FromDS bit? The ToDS bit is set to 1 and the FromDS bit is set to 0.
25. After you identify the bit setting, click the green right-arrow to move to the next packet. This is packet 65, the Ack/Fin from the client to the server.
26. What is the setting of the ToDS bit and the FromDS bit? The ToDS bit is set to 1 and the FromDS bit is set to 0.
27. After you identify the bit setting, click the green right-arrow to move to the next packet. This is packet 66, the return Ack from the server.
28. What is the setting of the ToDS bit and the FromDS bit? The ToDS bit is set to 0 and the FromDS bit is set to 1.
29. After you identify the bit setting, click the green right-arrow to move to the next packet.
30. Close all open windows. Click No if you are prompted to save the file, and click Yes to Exit OmniPeek Personal.
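The frame fields that Tasks 9D-4, 9D-6 and 9D-7 have you read off the OmniPeek decode (type/subtype, the ToDS/FromDS bits, the WEP flag and the WEP IV) can be decoded directly from the raw 802.11 header bytes. The following Python, an added example and not code from the course or from WildPackets, does that for constructed sample frames and then audits the frames for WEP IV reuse, the weakness the TKIP discussion earlier in this lesson addresses with per-packet keys. All MAC addresses, frame bytes and function names are constructed for the example; QoS data frames are not handled.

```python
"""802.11 MAC header decoder with a WEP IV reuse audit (added example, not
course or WildPackets code).  Decodes the fields Tasks 9D-4, 9D-6 and 9D-7
read in OmniPeek, then flags WEP IV reuse per BSSID.  Non-QoS frames only."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data"}
SUBTYPES = {  # (type, subtype) -> name, the values listed in Task 9D-4
    (0, 0b0000): "Association Request", (0, 0b0001): "Association Response",
    (0, 0b0100): "Probe Request", (0, 0b0101): "Probe Response",
    (0, 0b1000): "Beacon", (0, 0b1011): "Authentication",
    (1, 0b1101): "Acknowledgement", (2, 0b0000): "Data Only",
}


@dataclass
class Frame:
    ftype: int
    subtype: int
    to_ds: bool
    from_ds: bool
    protected: bool
    addresses: dict = field(default_factory=dict)
    wep_iv: Optional[int] = None  # 24-bit IV, present only when Protected is set

    @property
    def type_name(self) -> str:
        return FRAME_TYPES.get(self.ftype, "Reserved")

    @property
    def subtype_name(self) -> str:
        return SUBTYPES.get((self.ftype, self.subtype), f"subtype {self.subtype:04b}")

    @property
    def network_mode(self) -> str:
        # The test the task answers apply: a data frame with ToDS or FromDS set
        # went through an AP, so the network is infrastructure, not ad hoc.
        if self.ftype != 2:
            return "n/a"
        if not self.to_ds and not self.from_ds:
            return "ad-hoc"
        return "wds" if self.to_ds and self.from_ds else "infrastructure"


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    fc0, fc1 = raw[0], raw[1]                  # Frame Control, little-endian
    ftype = (fc0 >> 2) & 0x3                   # bits 2-3 of the first byte
    subtype = (fc0 >> 4) & 0xF                 # bits 4-7 of the first byte
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    protected = bool(fc1 & 0x40)               # shown as the "WEP" flag in OmniPeek
    fr = Frame(ftype, subtype, to_ds, from_ds, protected)
    if ftype == 1:                             # control frames such as ACK carry only RA
        fr.addresses["RA"] = mac_str(raw[4:10])
        return fr
    a1, a2, a3 = mac_str(raw[4:10]), mac_str(raw[10:16]), mac_str(raw[16:22])
    hdr_len = 24                               # FC, Duration, 3 addresses, SeqCtl
    if ftype == 0 or not (to_ds or from_ds):   # management frame, or IBSS data
        fr.addresses = {"DA": a1, "SA": a2, "BSSID": a3}
    elif to_ds and not from_ds:                # station -> AP
        fr.addresses = {"BSSID": a1, "SA": a2, "DA": a3}
    elif from_ds and not to_ds:                # AP -> station
        fr.addresses = {"DA": a1, "BSSID": a2, "SA": a3}
    else:                                      # WDS: a fourth address follows SeqCtl
        fr.addresses = {"RA": a1, "TA": a2, "DA": a3, "SA": mac_str(raw[24:30])}
        hdr_len = 30
    if ftype == 2 and protected:
        # The 3-byte IV is sent in the clear ahead of the RC4 body (key ID byte follows).
        fr.wep_iv = int.from_bytes(raw[hdr_len:hdr_len + 3], "big")
    return fr


def find_iv_reuse(frames):
    """Return {(bssid, iv): count} for each WEP IV seen more than once on a BSS.
    A 24-bit IV space repeats on any busy network; TKIP's per-packet key mixing
    is what removes this exposure."""
    seen = Counter((f.addresses.get("BSSID"), f.wep_iv)
                   for f in frames if f.wep_iv is not None)
    return {key: n for key, n in seen.items() if n > 1}


# Constructed sample frames (locally administered MACs, not the course captures).
AP, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
BCAST, SEQ = b"\xff" * 6, b"\x10\x00"
BEACON = b"\x80\x00\x00\x00" + BCAST + AP + AP + SEQ + b"\x00" * 12
PROBE_REQ = b"\x40\x00\x00\x00" + BCAST + STA + BCAST + SEQ
ACK = b"\xd4\x00\x00\x00" + STA
# Data frame, ToDS=1 and Protected=1 (flags 0x41), IV 05 01 00, key ID 0, then body.
WEP_DATA = (b"\x08\x41\x2c\x00" + AP + STA + bytes.fromhex("020000000003") + SEQ
            + b"\x05\x01\x00\x00" + bytes.fromhex("9a3c7f11e0"))
ADHOC_DATA = b"\x08\x00\x00\x00" + STA + AP + AP + SEQ + b"\x00" * 4

if __name__ == "__main__":
    for raw in (BEACON, PROBE_REQ, ACK, WEP_DATA, ADHOC_DATA):
        f = parse_frame(raw)
        iv = f" IV=0x{f.wep_iv:06X}" if f.wep_iv is not None else ""
        print(f"{f.type_name:<10} {f.subtype_name:<20} ToDS={int(f.to_ds)} "
              f"FromDS={int(f.from_ds)} WEP={int(f.protected)} {f.network_mode}{iv}")
    print("IV reuse:", find_iv_reuse([parse_frame(WEP_DATA), parse_frame(WEP_DATA)]))
```

Feeding the decoder frames read from a capture gives the same type/subtype, DS-bit and IV answers the tasks ask for, and a non-empty result from find_iv_reuse on your own WEP network is the practical sign that the 24-bit IV is being recycled.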

Aircrack
Aircrack is a whole suite of wireless tools that work on 802.11a/b/g networks. Included in this suite are Airodump, a wireless packet capture program; Aireplay, a wireless packet injection tool; and the ability to crack WEP encryption. By using packet injection, the tool can ensure that enough packets are available for decryption.


WEPCrack
As the name directly implies, WEPCrack, which runs best on UNIX systems, is a wireless tool designed to crack WEP keys. One thing to note is that this tool requires a lot of packets to do its job. It must sniff and analyze the packets, searching for the weak IVs it can exploit. The amount of data that you need to capture before WEPCrack can crack the key can be seven or eight gigabytes. Of course, it is possible that redundancy will be found earlier, but you should be aware that this is not a fast or instantaneous process like some of the online password cracking utilities.

AirSnort
AirSnort, like WEPCrack, can crack WEP keys, and is also designed to run on Linux. AirSnort, once activated, can crack WEP automatically without user input. This tool will run on both the ORiNOCO and Prism chipsets, but seems to have a preference for the ORiNOCO cards. If it is not already, you can expect AirSnort to become a required tool in all wireless analysts' tool kits in the very near future.

Ekahau
Ekahau is a wireless auditing tool that allows you to pinpoint the actual physical location of wireless devices in your network. Using this tool, you make a map of your office, and then perform a survey of the office. Once the survey is done, the system is aware of the wireless network in the space. When the map is complete, you can identify specific nodes in the network. In the event that you identify an unknown node, you can use this tool to locate that node. The accuracy is listed as within a few feet. You can then simply walk up to the person using the network with the unidentified node and say hello.

Kismet
Kismet is a powerful wireless network tool that can perform network sniffing, log data in a Wireshark format for simple analysis, and enable you to plot wireless data and detected networks directly onto downloaded maps.


Topic 9E
Wireless Trusted Networks
While there have been many advances in securing the wireless networks over WEP, some of which you have examined in this lesson, there is more work to be done before an enterprise will trust wireless networking for any critical application. This is the realm of the 802.11i working group.

802.1x and EAP


802.11i will employ multiple types of security, to allow for flexibility in deployment and stronger security. When the attacker has one single attack point, such as WEP, their job is easier. By allowing for different implementations, the job of attacking 802.11i networks will be much more difficult. In order to meet the goals of solid wireless security, 802.11i will employ 802.1x and EAP. 802.1x is the authentication technology that requires mutual authentication before allowing the client to progress further into the network, called port-based access control. EAP is the Extensible Authentication Protocol that allows for the use of different authentication solutions, and is currently best known for its use in PPP (Point-to-Point Protocol). You can consider this method of security as built upon three layers. One layer is the 802.11 physical carrier of the network traffic. On top of the 802.11 physical carrier, you have the 802.1x authentication system, which can use the various EAP implementations. Combined, these mechanisms provide for solid wireless security.

802.1x allows for port-based access control and EAP allows for mutual authentication.

Figure 9-29: The layering of EAP, 802.1x, and the physical 802.11 network.


Tactical Perimeter Defense

By implementing this type of security, you achieve several goals that are not possible in open wireless networks. These are some of the goals met with this system:
1. Mutual authentication between the client and the authentication server before network access is granted.
2. User authentication is required, not simply system (machine) authentication.
3. Keys are generated dynamically.
4. Strong encryption, with the ability to ensure data integrity.

There is similarity to the WPA security system you examined earlier. A significant difference is that to build a wireless PKI, you will need to use and configure digital certificates. The WPA configuration examined earlier operates with a manually entered pre-shared key, whereas a trusted wireless network has no such manually input shared key: the keys come out of the authentication exchange. (WPA also has an enterprise mode that uses 802.1x and EAP in exactly this way; it is the pre-shared-key mode that differs.) There are enough similarities, however, that the final security implementation based on the technologies in this lesson is called WPA2, the Wi-Fi Alliance's certification of 802.11i. There are three primary components of the trusted wireless network: the end client, the access point, and the authentication server. The authentication server is commonly a RADIUS server, but may be configured to your network's needs. You may see the client referred to as the supplicant in some texts, because technically it is the client's 802.1x software, called the supplicant, that takes part in the process rather than the client as a whole.

EAP Types
There are four primary EAP types for wireless networking implementation: EAP with Transport Layer Security (EAP-TLS), EAP with Tunneled Transport Layer Security (EAP-TTLS), Cisco's Lightweight EAP (LEAP), and Protected EAP (PEAP). Each type has a unique combination of requirements for the client, the authentication server, and the delivery of the key. It is worth noting that there is another EAP type, called EAP-MD5. Although a valid EAP type, it is not used in trusted wireless networking. EAP-MD5 authenticates the client the way PPP CHAP does: the authentication server sends a random challenge, and the client returns the MD5 hash of the packet identifier, the user's password, and that challenge. The RADIUS server, or whatever authentication server is in use, computes the same hash and, if it matches, authentication is successful. In a controlled physical network, such as Ethernet, this may have a place, but in the wireless world, where traffic can be sniffed from the air, it is not a good system for implementing security: an attacker who captures the challenge and the response can test candidate passwords offline until one reproduces the hash. EAP-MD5 also gives the server no way to prove its identity to the client, and it derives no keying material, so it cannot supply the dynamic per-session keys that a trusted wireless network depends on. For these reasons, you should not implement security based on EAP-MD5 in your wireless network.
There are five EAP types, but EAP-MD5 is not recommended for wireless PKI, so it is not included as one of the main EAP types.
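The following Python simulation is added here as an example and is not part of the original text. It walks through the layering described above (802.1x port control carrying EAP between a supplicant, an AP and an authentication server) using EAP-MD5 as the method, and then runs the offline dictionary attack that makes EAP-MD5 unacceptable over the air. The packet layouts follow RFC 3748 and the challenge/response computation is CHAP (RFC 1994); the supplicant, AP and server are in-process stand-ins rather than real 802.11 or RADIUS code, and the user database and word list used with it are constructed for the example.

```python
"""Simulated 802.1x exchange with EAP-MD5 (added example, not from the book): supplicant,
authenticator (AP), a stand-in RADIUS server, then the offline attack on what crossed the air."""
import hashlib
import os
import struct

ETHERTYPE_EAPOL = 0x888E        # the only Ethertype the uncontrolled port passes
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4


def build_eap(code, ident, type_data=b""):
    # EAP packet (RFC 3748): Code(1) Identifier(1) Length(2), then Type and Type-Data
    return struct.pack("!BBH", code, ident, 4 + len(type_data)) + type_data


def parse_eap(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet): raise ValueError("bad EAP length")
    return code, ident, packet[4:length]


def md5_challenge_response(ident, password, challenge):
    # EAP-MD5 reuses CHAP (RFC 1994): MD5(Identifier || secret || challenge)
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class AuthServer:
    """Stand-in for the RADIUS server: owns the password database, runs EAP-MD5."""
    def __init__(self, users):
        self.users = users          # username -> password bytes
        self.pending = {}           # EAP identifier -> (username, challenge)
    def handle(self, eap):
        code, ident, td = parse_eap(eap)
        if code == EAP_RESPONSE and td and td[0] == EAP_TYPE_IDENTITY:
            challenge = os.urandom(16)           # fresh challenge per attempt
            self.pending[ident + 1] = (td[1:].decode(), challenge)
            return build_eap(EAP_REQUEST, ident + 1,
                             bytes([EAP_TYPE_MD5, len(challenge)]) + challenge)
        if code == EAP_RESPONSE and td and td[0] == EAP_TYPE_MD5 and ident in self.pending:
            user, challenge = self.pending.pop(ident)
            received = td[2:2 + td[1]]          # Value-Size byte, then the digest
            expected = md5_challenge_response(ident, self.users.get(user, b""), challenge)
            if user in self.users and received == expected:
                return build_eap(EAP_SUCCESS, ident)
        return build_eap(EAP_FAILURE, ident)


class Supplicant:
    def __init__(self, username, password):
        self.username, self.password = username.encode(), password
    def respond(self, eap):
        code, ident, td = parse_eap(eap)
        if code != EAP_REQUEST: return None      # Success or Failure: nothing to answer
        if td[0] == EAP_TYPE_IDENTITY:
            return build_eap(EAP_RESPONSE, ident, bytes([EAP_TYPE_IDENTITY]) + self.username)
        if td[0] == EAP_TYPE_MD5:
            digest = md5_challenge_response(ident, self.password, td[2:2 + td[1]])
            return build_eap(EAP_RESPONSE, ident,
                             bytes([EAP_TYPE_MD5, len(digest)]) + digest + self.username)
        return None


class Authenticator:
    """The AP: relays EAP to the server and keeps the controlled port closed."""
    def __init__(self, server):
        self.server = server
        self.authorized = False
        self.sniffed = []           # every packet here crossed the air in the clear
    def admit(self, ethertype):
        """Port-based access control: only EAPOL passes until the server says Success."""
        return ethertype == ETHERTYPE_EAPOL or self.authorized
    def eapol(self, ptype, body=b""):
        """Handle one EAPOL packet from the station; returns the EAP packet to send back."""
        if ptype == EAPOL_START:
            reply = build_eap(EAP_REQUEST, 1, bytes([EAP_TYPE_IDENTITY]))
        else:                                   # EAP-Packet: relay to the server
            self.sniffed.append(body)
            reply = self.server.handle(body)
            code = parse_eap(reply)[0]
            if code in (EAP_SUCCESS, EAP_FAILURE):
                self.authorized = code == EAP_SUCCESS
        self.sniffed.append(reply)
        return reply


def run_8021x(ap, station):
    """EAPOL-Start, then Request/Response pairs until Success or Failure."""
    eap = ap.eapol(EAPOL_START)
    while eap is not None:
        answer = station.respond(eap)
        eap = ap.eapol(EAPOL_EAP_PACKET, answer) if answer else None
    return ap.authorized


def dictionary_attack(sniffed, wordlist):
    """Pair the captured MD5-Challenge Request with its Response and try each candidate."""
    challenges = {}
    for packet in sniffed:
        code, ident, td = parse_eap(packet)
        if not td or td[0] != EAP_TYPE_MD5: continue
        value = td[2:2 + td[1]]
        if code == EAP_REQUEST:
            challenges[ident] = value
        elif ident in challenges:
            for word in wordlist:
                if md5_challenge_response(ident, word, challenges[ident]) == value:
                    return word
    return None
```

To try it, build `ap = Authenticator(AuthServer({"alice": b"Winter2005"}))` (a constructed user), check that `ap.admit(0x0800)` is False while the port is closed, run `run_8021x(ap, Supplicant("alice", b"Winter2005"))`, and then hand `ap.sniffed` and a word list to `dictionary_attack`: the password comes back, because nothing in the exchange stops an observer from testing guesses against the captured hash.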

Lightweight EAP (LEAP)


Cisco led the development of LEAP. LEAP requires a shared password for authentication, which is configured manually on the client and on the authentication server. When the authentication server challenges the client, the client returns a hashed response derived from that password (an MS-CHAP-style challenge/response), and the client then challenges the server the same way. Although this provided good security at a time when WEP implementations were being cracked, it is not strong enough for a trusted network, because of the reliance on the shared password. A benefit of LEAP is that, even though it is not built into operating systems, Cisco provides enough client support that implementation on most platforms is not an issue.

Because a single shared password exists, there is the possibility of a man-in-the-middle attack, and the issue of password reuse. The challenge/response exchange can also be captured from the air and attacked offline with a dictionary, so the security of the whole network rests on the strength of that one password. LEAP is definitely a step in the right direction and provides better security than WEP, but it is recommended that for your wireless PKI you move forward to other systems.

EAP with Transport Layer Security (EAP-TLS)


EAP-TLS is a system that fits into the trusted network as it utilizes X.509 certificates, with both the client and the server needing unique certificates. Both sides of the communication must prove their identity to the other party. There is very little information that can be sniffed in this system. About the only things an attacker can learn are the client's identity, sent in the clear in the initial EAP identity response, and the contents of the client's certificate, which the TLS handshake also sends in the clear. Figure 9-30 shows the steps of the EAP-TLS process.

Figure 9-30: The process of a client using an EAP-TLS protected network.

In the EAP-TLS example, the client begins the process by associating with the AP. The AP blocks any further access until an accept message is sent from the authentication server to the AP. The AP responds to the client, essentially telling the client to send the initial EAP identity response, which the AP then forwards to the authentication server. The server receives the request and responds by sending the server's digital certificate to the client. Once the client validates the information on the server's certificate, the client responds with its own digital certificate. Once the server validates the client's certificate, the two sides complete the TLS handshake and the server begins the process of creating the mutual key to use. This follows standard public-key cryptography: the key is derived from the secret negotiated during the handshake, so the client computes the same key independently and the key itself never crosses the air. Once the key is generated, the server sends a message to the AP that authentication is successful, carrying the AP's copy of the key material with it, and the AP then informs the client of the successful authentication. The client proceeds to use the generated key to encrypt traffic, and the AP allows the client access to the LAN.


EAP with Tunneled Transport Layer Security (EAP-TTLS)


EAP-TTLS takes the fundamental process of EAP-TLS and modifies it a bit. The primary difference between EAP-TLS and EAP-TTLS is that in the EAP-TTLS system only the server is required to authenticate itself with a certificate; a client certificate is not required. This does not mean that the client never has to provide authentication data, only that it is not required during this initial setup.

Figure 9-31: The process of a client using an EAP-TTLS protected network.

The process begins with the client associating with the AP, and then being required to begin the EAP-TTLS process. The server sends its certificate, which the client validates, and then the client and server build an encrypted tunnel, very much as a tunnel is created with SSL. Once the tunnel is created, the client presents whatever credentials are required (certificate, token, standard password, and so on), using the method the administrator has chosen. Inside the tunnel, most legacy methods will function without difficulty, such as PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP-MD5, and so on, because the tunnel protects them from the sniffing that makes them unsafe in the open. Validation of the server certificate is therefore the critical step: if the client is configured to accept any certificate, a rogue AP presenting its own certificate can terminate the tunnel itself and capture whatever the client sends inside it. When the user has successfully authenticated, the server sends the success message to the AP, which in turn sends the success message to the client. Now that the client has successfully gone through this process, messages can be encrypted and sent to the LAN through the AP.

Protected EAP (PEAP)


PEAP was jointly developed by Microsoft, Cisco, and RSA Security, and combines different existing security mechanisms. There are two parts to the PEAP process, with the first being similar to that of EAP-TLS: the server authenticates with a certificate and a TLS tunnel is built. The second is similar to EAP-TTLS in that multiple authentication systems are supported inside the tunnel, with the difference that the inner method must itself be an EAP method; on Windows clients the inner method is most commonly EAP-MSCHAPv2.


The client begins the process by associating with the AP. The AP blocks any further access until an accept message is sent from the authentication server to the AP. The AP responds to the client, essentially telling the client to send the initial EAP identity response, which the AP then forwards to the authentication server. The server receives the request and responds by sending the server's digital certificate to the client. Once the client validates the information on the server's certificate, the two sides complete the TLS tunnel, and inside it the client responds with whatever inner authentication method is called for. This may be certificates, tokens, passwords, and so on. Once the server validates the client's authentication information, the server begins the process of creating the mutual key to use. This follows standard public-key cryptography: as in EAP-TLS, the key is derived from the TLS handshake, so the client computes the same key and it is never sent over the air. Once the key is generated, the server sends a message to the AP that authentication is successful, delivering the AP's copy of the key material with it, and the AP then informs the client of the successful authentication. The client then proceeds to use the generated key to encrypt traffic, and the AP allows the client access to the LAN. As with EAP-TTLS, the client's validation of the server certificate is what keeps the inner credentials away from a rogue AP.
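As an added example, not from the book, the following Python code shows how EAP-TLS, and PEAPv0 (the version Windows uses), which applies the same derivation, turn the TLS handshake described in the EAP-TLS and PEAP processes above into the key the authentication server hands to the AP. It implements the TLS 1.0/1.1 PRF from RFC 2246 and the RFC 5216 key derivation, then splits the result the way RADIUS delivers it. No real handshake is performed: the master secret and random values in `demo` are constructed stand-ins, and the function names are this example's own.

```python
"""EAP-TLS/PEAP key derivation (added example, not from the book): the TLS 1.0/1.1 PRF
of RFC 2246 and the RFC 5216 key hierarchy that turns the handshake into the AP's key."""
import hmac


def p_hash(hash_name, secret, seed, length):
    """TLS P_hash: HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..., A(0) = seed."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second.
    For an odd-length secret the two halves share their middle byte (RFC 2246 section 5)."""
    half = (len(secret) + 1) // 2
    md5_part = p_hash("md5", secret[:half], label + seed, length)
    sha_part = p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def derive_eap_tls_keys(master_secret, client_random, server_random):
    """RFC 5216 section 2.3: 128 bytes of key material from the negotiated master secret.
    Both ends compute this from handshake values; the key itself is never transmitted.
    PEAPv0 uses the same label, so a PEAP server derives the AP's key the same way."""
    key_material = tls10_prf(master_secret, b"client EAP encryption",
                             client_random + server_random, 128)
    return key_material[:64], key_material[64:]      # (MSK, EMSK)


def radius_keys_for_ap(msk):
    """What the server attaches to its RADIUS Access-Accept for the AP (RFC 2548 attributes):
    MS-MPPE-Recv-Key = MSK[0:32], which 802.11i adopts as the PMK; MS-MPPE-Send-Key = MSK[32:64]."""
    return {"recv_key": msk[:32], "send_key": msk[32:64]}


def pmk_from_msk(msk):
    """802.11i: the PMK that seeds the per-session keys is the first 256 bits of the MSK."""
    return msk[:32]


def demo():
    # Constructed values standing in for a real handshake's outputs (not from any capture).
    master_secret = bytes(range(48))
    client_random, server_random = bytes(range(32)), bytes(range(32, 64))
    msk, _emsk = derive_eap_tls_keys(master_secret, client_random, server_random)
    return radius_keys_for_ap(msk)["recv_key"].hex()
```

The point to take from `derive_eap_tls_keys` is that the AP never takes part in the key agreement: it receives the PMK from the server inside the accept message and then runs the 802.11i key handshake with the client, while the client derives the identical PMK from its own copy of the handshake. Changing either random or the master secret changes every derived key, which is what makes the keys per-session rather than shared.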

EAP Type Comparison


Looking at these systems, it may be a bit overwhelming to put them in perspective and decide what you should implement. Part of your decision may be based on hardware. For example, if you are running all Cisco networking equipment, you have the choice of LEAP, EAP-TLS, and EAP-TTLS, which are installed on all of their current adapters. If you are running all Linux nodes, you are limited to EAP-TLS and EAP-TTLS. On the other hand, only PEAP and EAP-TLS are embedded in Windows XP, 2000, and 2003. The following comparison summarizes the four types as supported at the time of writing.

LEAP
  Embedded O/S clients: None
  O/S clients, when using third-party supplicants: All Win32
  Supplicant vendor: Cisco
  RADIUS support: Cisco, Funk, and others
  Server authentication: Password hash
  Client authentication: Password hash
  Dynamic key use: Yes
  Open standard: No
  Unique key per user: Yes
  Overall security level: Moderate

EAP-TLS
  Embedded O/S clients: Windows XP/2003/2000
  O/S clients, when using third-party supplicants: All Win32, Mac OS X, Linux, BSD
  Supplicant vendor: Microsoft, Cisco, Funk, and others
  RADIUS support: Cisco, Funk, Microsoft, and others
  Server authentication: Public key certificate
  Client authentication: Public key certificate
  Dynamic key use: Yes
  Open standard: Yes
  Unique key per user: Yes
  Overall security level: Strongest

EAP-TTLS
  Embedded O/S clients: None
  O/S clients, when using third-party supplicants: All Win32, Mac OS X, Linux, BSD
  Supplicant vendor: Microsoft, Funk, and others
  RADIUS support: Funk, and others
  Server authentication: Public key certificate
  Client authentication: PAP, CHAP, MS-CHAP, EAP, and others
  Dynamic key use: Yes
  Open standard: Yes
  Unique key per user: Yes
  Overall security level: High

PEAP
  Embedded O/S clients: Windows XP/2003/2000
  O/S clients, when using third-party supplicants: All Win32
  Supplicant vendor: Microsoft, Funk, and others
  RADIUS support: Cisco, Funk, Microsoft, and others
  Server authentication: Public key certificate
  Client authentication: Varies as per implementation
  Dynamic key use: Yes
  Open standard: Yes
  Unique key per user: Yes
  Overall security level: High


Wireless Trusted Network Summary


If your enterprise requires a wireless component, you should implement a wireless PKI, or else be aware of the high levels of risk. If you already have a PKI running, the addition of the wireless PKI component is a natural extension. If you do not have a PKI running, and do not want to implement a full-scale trusted network, you can implement a PKI just for your wireless network. The Funk Software company makes a tool called Odyssey that will fill this purpose. You can run Odyssey on a machine as your authentication server and utilize the security features of PKI on your wireless clients alone. This will enable you to take advantage of all that wireless networking has to offer, and have a secure network at the same time.

TASK 9E-1
Choosing a Wireless Trusted Network
1. Consider the following scenario: You work for a company that is a global enterprise. The company is often listed in the top 50 companies in the world. You work out of the corporate office, based in Chicago, IL. There are 300 regional offices, and over 2,000 small satellite offices. In the HQ, there is discussion of configuring a new wireless network. This new wireless network is going to be a case study, and if all goes well, similar systems will be implemented in all the regional offices, and eventually in the satellite offices. The current discussion is on the security of the wireless network. For the case study, the implementation will be a single file server, which local network clients will need to access frequently. During the case study, there will be approximately 75 users participating (all of whom are running Windows 2000 or Windows XP), spread throughout two different floors of the HQ. During the discussion it is agreed quickly that WEP will not be used, and now the discussion is moving towards the specific security system to use. To provide the maximum level of security, which security system will you recommend for the implementation?

Even though this is a case study, you realize that if successful, the security system will be duplicated worldwide. Your goal is to provide the maximum level of security, so your choice is to go with an EAP-TLS implementation. This will allow for full use of certificates, on both the client and the server, and the Windows 2000 and XP clients in the study carry an EAP-TLS supplicant already, so no third-party client software is needed.


Summary
In this lesson, you examined the fundamental issues of wireless networking, including the required equipment and transmission media of wireless networks. You then identified WLAN issues such as the function of the AP, the configuration of SSIDs, and the choice between an ad-hoc and an infrastructure network. You detailed the 802.11 framing and use of multiple MAC addresses. You then identified the security solutions for wireless networks, including WEP, WPA, and WTLS. You examined the tools for performing security audits, and the methods available for creating a trusted wireless network using digital certificates.

Lesson Review

9A
Which type of spread spectrum signal uses multiple frequencies at the same time?
Direct Sequence Spread Spectrum (DSSS).
Why is 802.11a incompatible with 802.11b?
They operate in different bands (5 GHz versus 2.4 GHz) and use different transmission techniques (OFDM versus DSSS).
What are the two primary pieces of equipment for the wireless network to be operational?
The Access Point and the Wireless Network Interface Card (WNIC).
What language is used to create web content for handheld devices, such as cell phones, when they connect to the Internet?
WML.

9B
What is association?
The process of a WNIC associating with an AP in order to use the wireless network.
What are the two WLAN topologies?
Ad-hoc mode and infrastructure mode.
What is the name assigned to people who search out WLANs?
War drivers.

9C
What additional piece of software is required to configure WPA on Windows 2000 WNIC clients?
Supplicants.
What component of WEP is the cause of its weakness?
The Initialization Vector (IV).
What cipher does WEP utilize?
RC4.

9D
What tool used in this lesson provides you with a fast scan of the APs in your area?
NetStumbler.
What tools can be used to break WEP?
Aircrack, AirSnort, and WEPCrack.
What tool can provide you with the physical positioning of a wireless node in the network?
Ekahau.
What tool allows you to perform full wireless packet capture and analysis?
OmniPeek Personal.

9E
What does 802.1x provide?
Port-based access control.
What does EAP provide?
Authentication, as a framework that carries whichever authentication method is chosen.
Why is EAP-MD5 not suitable for trusted wireless networks?
The challenge/response hash can be sniffed from the air and attacked offline, the server is never authenticated, and no session keys are derived.
Why is EAP-TLS considered the strongest for wireless trusted network implementation?
Because certificates are required on both the client and the server.


GLOSSARY

AH (Authentication Header): A field that immediately follows the IP header in an IP datagram and provides authentication and integrity checking for the datagram.
attack: An attempt to bypass security controls on a computer. The attack may alter, release, or deny data. Whether an attack will succeed depends on the vulnerability of the computer system and the effectiveness of existing countermeasures.
audit: The independent examination of records and activities to ensure compliance with established controls, policy, and operational procedures, and to recommend any indicated changes in controls, policy, or procedures.
audit trail: In computer security systems, a chronological record of system resource usage. This includes user login, file access, other various activities, and whether any actual or attempted security violations occurred.
authenticate: To establish the validity of a claimed user or object.
authentication: To positively verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.
availability: Assuring information and communications services will be ready for use when expected.
back door: A hole in the security of a computer system deliberately left in place by designers or maintainers. Synonymous with trap door; a hidden software or hardware mechanism used to circumvent security controls.
breach: The successful defeat of security controls which could result in a penetration of the system. A violation of controls of a particular information system such that information assets or system components are unduly exposed.
bug: An unwanted and unintended property of a program or piece of hardware, especially one that causes it to malfunction.
compromise: An intrusion into a computer system where unauthorized disclosure, modification, or destruction of sensitive information may have occurred.
confidentiality: Assuring information will be kept secret, with access limited to appropriate persons.
crash: A sudden, usually drastic failure of a computer system.
cryptography: The art and science concerning the principles, means, and methods for rendering plaintext unintelligible and for converting encrypted messages into intelligible form.
DES (Data Encryption Standard): Definition 1: An unclassified crypto algorithm adopted by the National Bureau of Standards for public use. Definition 2: A cryptographic algorithm for the protection of unclassified data, published in Federal Information Processing Standard (FIPS) 46. The DES, which was approved by the National Institute of Standards and Technology (NIST), is intended for public and government use.
ESP (Encapsulating Security Payload): A mechanism to provide confidentiality and integrity protection to IP datagrams.
false positive: Occurs when the system classifies an action as anomalous (a possible intrusion) when it is a legitimate action.
firewall: A system or combination of systems that enforces a boundary between two or more networks. A gateway that limits access between networks in accordance with local security policy. The typical firewall is an inexpensive micro-based UNIX box kept clean of critical data, with many modems and public network ports on it, but just one carefully watched connection back to the rest of the cluster.
hacker: A person who enjoys exploring the details of computers and how to stretch their capabilities. A malicious or inquisitive meddler who tries to discover information by poking around. A person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users who prefer to learn the necessary minimum.
host: A single computer or workstation; it can be connected to a network.
integrity: Assuring information will not be accidentally or maliciously altered or destroyed.
intrusion: Any set of actions that attempts to compromise the integrity, confidentiality, or availability of a resource.
intrusion detection: Pertaining to techniques that attempt to detect intrusion into a computer or network by observation of actions, security logs, or audit data. Detection of break-ins or attempts either manually or via software expert systems that operate on logs or other information available.
key: A symbol or sequence of symbols (or electrical or mechanical correlates of symbols) applied to text in order to encrypt or decrypt.
LAN (Local Area Network): A computer communication system limited to no more than a few miles and using high-speed connections (2 to 100 megabits per second). A short-haul communication system that connects ADP devices in a building or group of buildings within a few square kilometers, including workstations, front-end processors, controllers, and servers.
metric: A random variable x representing a quantitative measure accumulated over a period.
network: Two or more machines interconnected for communications.
network security: Protection of networks and their services from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side effects. Network security includes providing for data integrity.
non-repudiation: Method by which the sender of data is provided with proof of delivery and the recipient is assured of the sender's identity, so that neither can later deny having processed the data.
OSI (Open Systems Interconnection): A set of internationally accepted and openly developed standards that meet the needs of network resource administration and integrated network components.
packet: A block of data sent over the network transmitting the identities of the sending and receiving stations, error-control information, and message.
packet filter: Inspects each packet for user-defined content, such as an IP address, but does not track the state of sessions. This is one of the least secure types of firewall.
packet filtering: A feature incorporated into routers and bridges to limit the flow of information based on pre-determined communications such as source, destination, or type of service being provided by the network. Packet filters let the administrator limit protocol-specific traffic to one network segment, isolate email domains, and perform many other functions.
packet sniffer: A device or program that monitors the data traveling between computers on a network.
passive threat: The threat of unauthorized disclosure of information without changing the state of the system. A type of threat that involves the interception, not the alteration, of information.
penetration: The successful unauthorized access to an automated system.
perpetrator: The entity from the external environment that is taken to be the cause of a risk. An entity in the external environment that performs an attack, i.e. a hacker.
physical security: The measures used to provide physical protection of resources against deliberate and accidental threats.
plaintext: Unencrypted data.
profile: Patterns of a user's activity which can detect changes in normal routines.
promiscuous mode: Normally, an Ethernet interface reads all address information and accepts follow-on packets only destined for itself, but when the interface is in promiscuous mode, it reads all information (sniffer), regardless of its destination.
protocol: Agreed-upon methods of communications used by computers. A specification that describes the rules and procedures that products should follow to perform activities on a network, such as transmitting data. If they use the same protocols, products from different vendors should be able to communicate on the same network.
proxy: A firewall mechanism that replaces the IP address of a host on the internal (protected) network with its own IP address for all traffic passing through it. A software agent that acts on behalf of a user; typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps do additional authentication, and then complete a connection on behalf of the user to a remote destination.
router: An interconnection device that is similar to a bridge but serves packets or frames containing certain protocols. Routers link LANs at the network layer.
security: A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.
security audit: A search through a computer system for security problems and vulnerabilities.
security level: The combination of a hierarchical classification and a set of non-hierarchical categories that represents the sensitivity of information.
security policies: The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.
security violation: An instance in which a user or other person circumvents or defeats the controls of a system to obtain unauthorized access to information contained therein or to the system itself.
server: A system that provides network service such as disk storage and file transfer, or a program that provides such a service. A kind of daemon that performs a service for the requester, which often runs on a computer other than the client machine.
sniffer: A program to capture data across a computer network. Used by hackers to capture user ID names and passwords. Software tool that audits and identifies network traffic packets. Is also used legitimately by network operations and maintenance personnel to troubleshoot network problems.
SNMP (Simple Network Management Protocol): Software used to control network communications devices using TCP/IP.
SSH (Secure Shell): An encrypted remote shell connection between two machines, in which the session is protected by encryption and the user is authenticated by a password or a passphrase-protected key.
SYN flood: A denial-of-service attack that sends a stream of TCP SYN packets, usually from spoofed sources, so that the target's queue of half-open connections fills up; once the SYN queue is flooded, no new connection can be opened.
threat: The means through which the ability or intent of a threat agent to adversely affect an automated system, facility, or operation can be manifest. A potential violation of security.
topology: The map or plan of the network. The physical topology describes how the wires or cables are laid out, and the logical or electrical topology describes how the information flows.
traceroute: An operation of sending trace packets for determining information; traces the route of UDP packets from the local host to a remote host. Normally traceroute displays the time and location of the route taken to reach its destination.
Trojan Horse: An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.
vulnerability: Hardware, firmware, or software flaw that leaves an AIS open for potential exploitation. A weakness in automated system security procedures, administrative controls, physical layout, internal controls, and so forth, that could be exploited by a threat to gain unauthorized access to an AIS.
vulnerability analysis: Systematic examination of an AIS or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.


INDEX

3DES, 353
802.11 addressing, 478-481
802.11 framing, 476-481
  frame details, 476-478
  frame format, 476
802.11a standard, 460
802.11b standard, 461
802.11c standard, 461
802.11d standard, 461
802.11e standard, 461
802.11f standard, 461
802.11g standard, 461
802.11h standard, 462
802.11i standard, 462
802.11n standard, 462
802.1x, 512

A
access control, 15
access points, 448-449. Also see: APs
accountability, 377
acknowledgement numbers, 47
ACL
  anti-DoS, 142
  anti-Land, 143
  anti-spoofing, 143-144
  anti-SYN, 142-143
  command syntax, 138-139
  creating, 134-135
  defending against attacks, 142-144
  extended syntax, 139-140
  implementing, 138-142
  logging, 149-151
  operation, 135
activate, 416-418
Active Defense-in-Depth, 7-8
active open connection, 48-50
administrative distance, 123-124
AH, 344
  combine with ESP in IPSec, 327-329
  configuring, 321-322
  Transport mode, 303
  Tunnel mode, 303
AH and ESP in IPSec, 327-329
  response policy, 335-336
  session analysis, 331-332
Aircrack, 526
AirSnort, 527
alert, 416-418
alert notification, 376
analysis, 382-383, 391
anomaly detection, 373
anti-spoofing logging, 150
APs, 448-449
  configuration, 482-485
ARP process, 108-110
attack monitoring, 397
attack response, 10
audit data
  handling, 25
  preserving, 25
audit trails, 25
auditing, 22-23
authentication, 3-5, 16, 98-99, 303, 352-353
Authentication Header, 344. Also see: AH
authentication methods
  editing policies, 317-318
authentication tokens, 16-20
authorization, 98-99
authorization and availability, 3-5
awareness, 9

B
banners, 101
basics, 42-43
behavioral use, 379-382
binary conversion, 37-38
Bluetooth, 459
breach, 5-6
broadcast, 44-45
buffered logging, 147-148
bug, 96
business drivers for a VPN, 338

C
capture packet data, 411-413
captures
  displaying, 54-55
castle analogy, 10-11
CDP, 128-129
centralized host-based design, 384-385
Challenge Handshake Authentication Protocol, 352-353. Also see: CHAP
Challenge Response Process, 17-18
challenge response token, 16-17
CHAP, 352-353
CIDR, 43-44
Cisco
  banners, 101-103
  logging, 145-146
  OS, 96
  router language, 96
Cisco Discovery Protocol. See: CDP
Classless Interdomain Routing. See: CIDR
Client policy, 306-307
collection, 382-383
command console, 375
confidentiality, 3-5
configuration fragments, 97-98
connection, 48-50
  establishing, 48-49
  terminating, 49-50
connections
  TCP, 63-64
console logging, 147
console password, 99
cryptography, 302

D
DAC, 15
Data Encryption Standard. See: DES
decimal conversion, 37-38
Default Response, 318-321
defense technologies, 13-14
Defense-in-Depth, 6
defensive strategy, 8-10
denial of host, 140-141
denial of network, 141
denial of subnet, 141
DES, 307-308, 353
detection, 371
Direct Sequence Spread Spectrum, 458-459. Also see: DSSS
Discretionary Access Control, 15. Also see: DAC
distance vector routing, 121
distributed host-based design, 386-387
DSSS, 458-459
dynamic, 416-418
dynamic routing, 116-118

E
EAP, 506-507
  comparison of types, 532-533
  Lightweight, 529-530. Also see: LEAP
  Protected, 531-532. Also see: PEAP
  types, 529
  with Transport Layer Security, 530. Also see: EAP-TLS
  with Tunneled Transport Layer Security, 531. Also see: EAP-TTLS
EAP-TLS, 352-353, 530
EAP-TTLS, 531
Ekahau, 527
enable password, 99
Encapsulating Security Payload, 344. Also see: ESP
encryption, 21-22
ESP, 344
  combine with AH in IPSec, 327-329
  Transport mode, 303
  Tunnel mode, 303
Ethereal, 58-59
Extensible Authentication Protocol, 506-507. Also see: EAP
Extensible Authentication Protocol-Transaction Level Security, 352-353. Also see: EAP-TLS
extranet, 338

F
false-negative, 373-375
false-positive, 373-375
FHSS, 458
finger, 131
firewall, 303
Firewall-based VPNs, 339-340
firewalls, 21
Frequency Hopping Spread Spectrum, 458. Also see: FHSS
FTP
  capture, 76-78
  configuring, 322-323
  granting, 142
  session analysis, 79
Fundamental Access Point Security, 493-494

H
Hardware-based VPNs, 339-340
hexadecimal conversion, 37-38
host, 33-36
host-based intrusion detection, 384

I
ICMP, 129-130
  direct broadcast, 129
  session analysis, 76
  unreachable, 129-130
ICMP messages, 68-70
IDS, 9, 22, 371
  components, 375-376
  goals of, 376-377
  matrix, 373-375
  response, 376
IEEE 802.11 standard, 460-462
independent audit, 24-25
infrared wireless media, 453-454
inside threats
  detecting, 396
integrity, 3-5, 65-68
Internet Protocol. See: IP
Internet Security Association Key Management Protocol (ISAKMP/Oakley), 345-346
interval analysis, 391
intrusion, 373
intrusion detection, 7-8
  definitions, 373
  techniques, 378-379
  technologies, 378-379
Intrusion Detection, 371-373
Intrusion Detection System, 371. Also see: IDS
Intrusion Detection Systems. See: IDS
IP, 36-39
  address classes, 38-39
  datagram, 65-68
  private addresses, 39
  security, 301-302
  special-function addresses, 39
IP Policy Agent, 345-346
IP Security Policy and Security Association, 345-346
IP Security Protocol (IPSec), 341
IPSec, 341, 344-346
  AH implementation, 312
  and NAT, 346-347
  components, 345-346
  configuring a response, 329-331
  configuring options, 333-334
  custom policies, 312-317
  driver, 345-346
  full session, 336-337
  implementing, 303-304, 323-324
  modes, 302-303
  policies, 306-307
  Transport Mode, 346
  Tunnel Mode, 346
IPSec ESP payload, 351-352
IPSec-enabled operating systems, 340
IPSec-enabled routers and firewalls, 340

K
key exchange, 344-345
key length, 353
keys, 302
Kismet, 527

M
misuse, 373
misuse detection, 373
MMC, 304-306
  customized configuration, 307
multicast, 44-45

L
L2TP, 341, 343, 351-352 LAN, 309-312 LAN-to-LAN routing, 110-111 LAN-to-WAN routing, 112-114 Layer 2 Forwarding Protocol (L2F), 341-342 Layer 2 Tunneling Protocol (L2TP), 341 LEAP, 529-530 link state routing, 122-123 Local Area Network See: LAN log, 416-418 log priority, 146 logging, 145-146 ACL, 149-151 anti-spoong, 150 buffered, 147-148 conguring, 147-149 console, 147 syslog, 148-149 terminal, 148 VTY, 150-151

N
NetStumbler, 513-514 network, 33-34 network defense, 2 Network Monitor, 52-58 Display view, 54-55 lters, 55-57 network security ve key issues, 3-5 network sensor, 375-376 network tap, 376 network-based design, 388 distributed, 389-390 traditional, 388-389 network-based intrusion detection, 387-388 non-repudiation, 3-5

O
OmniPeek Personal, 515-516 captures, 517-520 live captures, 521 Open Systems Interconnection See: OSI operating modes, 97 operational audit, 24 OSI model, 34-36 outside threats detecting, 394-395

M
MAC, 15 man-in-the-middle attacks, 341-342 management tools, 345-346 Mandatory Access Control, 15 Also see: MAC MD5, 353 metric, 120-124 Microsoft Management Console See: MMC microwave systems satellite, 455-456 terrestrial, 454 microwave wireless media, 454

P
packet, 34-36 packet lter, 134-135 packet ltering, 9 packet fragmentation, 74-75 PAP, 352-353 pass, 416-418 passive open connection, 48-50

546

Tactical Perimeter Defense

INDEX
passive threat, 5-6 Password Authentication Protocol, 352-353 Also see: PAP passwords, 22 PEAP, 531-532 perimeter security, 9 PING capture, 76-78 plaintext, 302 Point-to-Point Tunneling Protocol (PPTP), 341 ports, 50-52 PPTP, 341, 342-343, 351-352 pre-congured rules, 425-426 prevention, 371 prole, 393-394 promiscuous mode, 58-59 protocol, 33-36 process, 114-116 protocols, 119, 120-124 Routing Information Protocol See: RIP RSA SecureID token, 18-19 Rule Header, 416-418 Rule Options, 418-419 rule set testing, 421 ruleset examples, 419-420

S
SA, 344-345 Secure Server policy, 306-307, 309-312 Secure Shell, 342 Also see: SSH security, 46-47 Security Association, 344-345 Also see: SA Security Association API, 345-346 security audit, 24-25 security auditing basics, 23-24 security policies, 306-307 security protocols, 341 security threats, 5-6 security vulnerabilities, 373 sequence numbers, 47 server, 33-34 Server policy, 306-307 Service Set Identier, 465 Also see: SSID session teardown process, 64-65 SHA-1, 353 Shiva Password Authentication Protocol, 352-353 Also see: SPAP Also see: SPAP Short Message Service, 459-460 Also see: SMS signature analysis, 392 Simple Network Management Protocol See: SNMP site surveys, 512

Q
QoS, 461

R
radio, 457-459 real-time analysis, 391-392 remote access, 338 remove unneeded services, 132-133 Request For Comments See: RFC Request-and-Respond policy, 325-326 session analysis, 326-327 Request-only session analysis, 324-325 response, 371 RFC, 36 RIP, 124-125 RIPv2, 125-127 routed protocols, 119 router, 42-43 access passwords, 99-100 accessing, 96-97 banners, 101 navigating, 98 user accounts, 100-101 routing, 42-43

Index

547

INDEX
small services, 131 SMS, 459-460 SNMP, 96-97 Snort, 404 architecture, 405-406 as a packet sniffer, 410-411 as an IDS, 415 deploying, 404 function, 404-405 installing, 406-408 logging with, 414 Socks v5, 342 software tokens, 19 Software-based VPN applications, 339-340 source routing, 130 spread spectrum technology, 457-458 SSH, 103, 342 client conguration, 106-107 router conguration, 103-106 verication, 105 SSID, 465 static routing, 116-118 statistical analysis, 393-394 subnet mask, 40-42 subnetting, 40-42 surveillance monitoring, 397 syslog logging, 148-149 traceroute, 129-130 training, 9 transit network, 340 Transport mode, 302-303 AH, 303 ESP, 303 Trojan Horse, 50-52 true-negative, 373-375 true-positive, 373-375 tunnel, 340 protocols, 340 Tunnel mode, 302-303 AH, 303 ESP, 303 tunneled data, 340 tunneling protocols, 341

U
UDP, 46-47 UDP headers, 73-74 unicast, 44-45

V
Variable Length Subnet Masking See: VLSM VLSM, 43-44 VPN client, 340 client software, 340 conguring, 354-359 connection, 340 dedicated gateways, 340 design and architecture, 348 elements, 340 gateway, 346-347 implementation challenges, 348-349 security, 350 server, 340 types, 339-340 VPN fundamentals, 337 VPNs and rewalls, 351-352 VTY logging, 150-151 VTY password, 100

T
TCP, 46-47 connections, 63-64 ags, 47 headers, 70-72 TCP/IP model, 33-34 Telnet granting, 141 Temporal Key Integrity Protocol, 506 Also see: TKIP terminal logging, 148 three-way handshake, 46-47 Time-based Tokens, 18-19 timestamp, 147 TKIP, 506 topology, 121

548

Tactical Perimeter Defense

INDEX
vulnerability scanners, 373

W
WAP, 462-464 war driving, 489 WEP, 494-501 conguring, 501-504 cryptography, 494-495 decrypting, 523-526 key lengths, 495-496 process, 496-498 weaknesses, 498-501 WEPCrack, 527 Wi-Fi Protected Access, 507-509 Also see: WPA wildcard mask, 136-138 Wired Equivalent Privacy, 494-501 Also see: WEP Wireless Access Points, 448-449 Wireless Application Protocol, 462-464 Also see: WAP wireless auditing, 512-513 Wireless Markup Language, 462-464 Also see: WML wireless media, 451-457 infrared, 453-454 radio, 457-459 wireless network cards, 449 Also see: WNICs wireless networking access points, 448-449 equipment, 448-451 wireless networks antennas, 449-451 association, 451 identifying, 514-515 microwave technology, 454 trusted, 528 Wireless Transport Layer Security, 491-493 Also see: WTLS Wireshark, 513 GUI, 59-63 WLANs ad-hoc mode, 466-467

APs, 465 associations, 466 authentication, 466 denial of service attacks, 490 essentials, 465 gaining access, 489-490 infrastructure mode, 467-468 threats, 488-490 topologies, 466-468 WML, 462-464 WNIC chipsets, 513 WNICs, 449 WPA, 507-509 conguring, 509 hardware requirements, 508 process, 507-508 supplicants, 509-511 vs. WEP, 508-509 WTLS, 491-493 Alert Protocol, 493 Application Protocol, 493 authentication, 491 Change Cipher Specic Protocol, 493 components, 491 handshake protocol, 491-493 origins, 491

X
x-cast, 44-45

Index

549

SCPTPD20iePB

You might also like