Tools for Auditing and Defending your Network
Tools for Auditing and Defending your Network
• Firewalls
• Network Reconnaissance Tools
• Port Redirection
• Sniffers
• TCP/IP Stack Tools
Firewalls
• Firewalls and Packet Filters: The Basics
• Freeware Firewalls
• Commercial Firewalls
Firewalls and Packet Filters: The Basics
• A firewall appliance is a network device that separates two or more networks and has firewall software running on at least one network interface.
• Firewall software is any software that examines traffic passing through an interface and makes routing decisions based on a set of criteria.
• E.g. parental control software: it blocks web traffic from certain blacklisted adult web sites, preventing users from accessing these sites without authorization.
How do Firewalls protect a network?
• The system administrator builds the rule-set in such a way that it sufficiently protects the network behind it, while still permitting legitimate traffic.
• A firewall has three ways to handle traffic:
  • Accept the packet and pass it on to its intended destination.
  • Deny the packet and indicate the denial with an Internet Control Message Protocol (ICMP) message or other acknowledgement. This provides explicit feedback to the packet’s sender that such traffic is not permitted through the firewall.
  • Drop the packet without any acknowledgement. This ends the packet’s life on the network; no information is sent to the packet’s sender. This reduces the sender’s ability to deduce information about the protected network, but it may also adversely impact network performance for certain types of traffic.
Packet characteristics that can be filtered in a rule-set
• Most firewalls and packet filters have the ability to examine the following characteristics:
  • Type of protocol (IP, TCP, UDP, ICMP, IPsec, etc.)
  • Source IP address and port
  • Destination IP address and port
  • ICMP message type and code
  • TCP flags (SYN, FIN, ACK, etc.)
  • Network interface on which the packet arrives
Filtering Example
• Protect the network from IP spoofing:
  • Traffic with a source address of 192.168.1.x coming inbound on the eth1 interface should be blocked.
• Rules:
  deny proto any from 192.168.1.0/24 to any in on eth1
  allow proto any from 192.168.1.0/24 to any out on eth1
• Topology (from the slide diagram): the firewall has 10.0.0.1 on eth1, facing the 10.0.0.0/24 external network, and 192.168.1.1 on eth0, facing the 192.168.1.0/24 internal network.
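As an added example (not part of the slides), here is a small stateless rule evaluator in Python that applies the two anti-spoofing rules above to the slide's topology and shows the three outcomes from the previous slide (allow, deny, drop); the Packet and Rule fields, the first-match semantics and the default action are assumptions chosen to mirror the slide's rule syntax.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str       # "tcp", "udp", "icmp", ...
    src: str         # source IP address
    dst: str         # destination IP address
    direction: str   # "in" or "out", relative to the firewall interface
    iface: str       # interface the packet is seen on, e.g. "eth1"


@dataclass
class Rule:
    action: str      # "allow", "deny" (reject with ICMP) or "drop" (silent)
    proto: str       # protocol name or "any"
    src: str         # source CIDR or "any"
    dst: str         # destination CIDR or "any"
    direction: str   # "in", "out" or "any"
    iface: str       # interface name or "any"

    def matches(self, pkt: Packet) -> bool:
        def in_net(addr, cidr):
            return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)
        return (self.proto in ("any", pkt.proto)
                and in_net(pkt.src, self.src) and in_net(pkt.dst, self.dst)
                and self.direction in ("any", pkt.direction)
                and self.iface in ("any", pkt.iface))


def evaluate(rules, pkt, default="drop"):
    """Stateless, first-match evaluation: each packet is judged on its own fields.
    Falls back to a silent drop when no rule matches (assumed default-deny posture)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# The slide's anti-spoofing rules: 192.168.1.0/24 is the internal network behind
# eth0, so that source range must never arrive inbound on the external eth1.
ANTI_SPOOF = [
    Rule("deny", "any", "192.168.1.0/24", "any", "in", "eth1"),
    Rule("allow", "any", "192.168.1.0/24", "any", "out", "eth1"),
]

if __name__ == "__main__":
    spoofed = Packet("tcp", "192.168.1.7", "192.168.1.1", "in", "eth1")   # forged internal source
    legit = Packet("tcp", "192.168.1.7", "10.0.0.50", "out", "eth1")      # internal host going out
    print(evaluate(ANTI_SPOOF, spoofed), evaluate(ANTI_SPOOF, legit))     # deny allow
```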
Stateless and Stateful Firewalls
• A stateless firewall can examine only one individual packet at a time, in isolation, regardless of other packets that have come before it.
• A stateful firewall, on the other hand, can place that packet in the context of other traffic and within the particular protocol, such as TCP/IP or FTP.
• This allows a stateful firewall to group individual packets together into connections, sessions, or conversations.
• Consequently, a stateful firewall can filter traffic not only on the characteristics of an individual packet, but also on the context of that packet within a session or conversation.
Private and public addresses
• In actual practice, packets from either a public or a private address are routable, but with a specific distinction.
• Private addresses are not intended to be used for internet addressing. Private addresses are reserved for organizations to create internal networks.
Private Network addresses
• The Internet Assigned Numbers Authority (IANA) reserved certain IP address blocks for private networks. This means that public internet routers will not (or at least should not) route traffic to and from machines in these network ranges.
• The network ranges are as follows:
  • 192.168.0.0 through 192.168.255.255 (written 192.168.0.0/16 or 192.168.0.0/255.255.0.0)
  • 172.16.0.0 through 172.31.255.255 (written 172.16.0.0/12 or 172.16.0.0/255.240.0.0)
  • 10.0.0.0 through 10.255.255.255 (written 10.0.0.0/8 or 10.0.0.0/255.0.0.0)
Network Address Translation (NAT)
• Recommended behavior states that public internet routers will not route traffic to or from systems with private addresses.
• How, then, can a system with a private address access an internet web site?
• Network Address Translation (NAT) is used to translate packets from private to public addresses.
How NAT Works
• When a NAT device receives traffic from the private network destined for the external network (the Internet), it records the packet’s source and destination details. The device rewrites the packet header, replacing the private source IP address with its external public address.
• From the destination system’s point of view, the packet appears to have come directly from the NAT device. The destination system responds to the NAT device’s IP address.
How NAT Works (continued)
• When the NAT device receives the response packet, it checks its address translation table to see if the address and port information of the packet match any of the packets that had been sent out.
• If no match is found, the packet is dropped or handled according to any firewall rules operating on the device.
• If a match is found, the NAT device rewrites the packet’s destination IP address with the private IP address of the system that originally sent the packet.
• Finally, the NAT device sends the packet to its internal destination.
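As an added example (not from the slides), this Python model walks through the translation table described on the last two slides, together with a check against the three private ranges listed earlier: an outbound packet from 192.168.1.0/24 gets the device's public address and a fresh port, a matching reply is rewritten back to the internal host, and an unsolicited inbound packet is returned as None (dropped). The packet dict fields, the port allocation scheme and the public address 203.0.113.1 are assumptions constructed for the demo.

```python
import ipaddress

# The three IANA-reserved private blocks listed on the slides.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True if addr falls inside one of the reserved private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


class NatDevice:
    """Translation table as the slides describe it: outbound packets get the device's
    public address and a fresh port; replies are matched back or dropped."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
        self.table = {}
        # (private_ip, private_port, remote_ip, remote_port) -> public_port
        self.reverse = {}

    def outbound(self, pkt):
        """Rewrite a packet leaving the private network. pkt is a dict with
        src, sport, dst, dport; a new dict with the public source is returned."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        pub_port = self.reverse.get(key)
        if pub_port is None:  # first packet of this conversation: allocate a port
            pub_port = self.next_port
            self.next_port += 1
            self.reverse[key] = pub_port
            self.table[(pub_port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": self.public_ip, "sport": pub_port}

    def inbound(self, pkt):
        """Handle a packet arriving from outside. Returns the packet rewritten to its
        internal destination, or None when no table entry matches (drop / firewall rules)."""
        mapping = self.table.get((pkt["dport"], pkt["src"], pkt["sport"]))
        if mapping is None:
            return None
        private_ip, private_port = mapping
        return {**pkt, "dst": private_ip, "dport": private_port}


if __name__ == "__main__":
    nat = NatDevice("203.0.113.1")  # constructed public address (documentation range)
    out = nat.outbound({"src": "192.168.1.7", "sport": 51000, "dst": "198.51.100.10", "dport": 80})
    reply = nat.inbound({"src": "198.51.100.10", "sport": 80, "dst": out["src"], "dport": out["sport"]})
    print(is_private("192.168.1.7"), out["sport"], reply["dst"], reply["dport"])  # True 40000 192.168.1.7 51000
```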
Opening ports
• To expose particular services on the private network to the internet, port forwarding can be used.
• Access can be limited according to IP addresses.
• Eventually, however, dozens of rules need to be put on the firewall.
Virtual Private Networks (VPNs)
• In this technique a VPN server resides on the appliance and waits for connections from VPN clients. Remote offices often install a firewall/VPN appliance at their perimeters and configure the devices so that traffic passes between them as if they were connected by a dedicated data line.
• The traffic still transits the internet, but the VPN provides an additional layer of security via encryption and firewall protection.
Demilitarized Zone (DMZ)
• There are some services on the private network that we want to make publicly accessible, such as an FTP server, a web server, and a DNS server.
• Most firewall appliances come with a third network interface for these restricted but public servers.
• In DMZ terminology, this third interface is intended for a publicly accessible yet protected network.
Freeware Firewalls
• ipchains
• iptables
• IPFW2
Commercial Firewalls
• Although some commercial firewall products can be purchased as software alone, most of them can be purchased bundled with a hardware appliance.
• Linksys SOHO Firewall units
• SonicWall
• Cisco PIX and ASA
Linksys SOHO Firewall Units
• Linksys offers a number of cable/DSL routers and wireless routers, such as the BEFSR41 and BEFW11S4.
• These appliances contain NAT, port forwarding, and minimal filtering software that can be used to protect and hide a home or small office network.
• The use of NAT and the reserved private IP ranges allows users to have multiple machines share one internet connection with just a single public IP address from the ISP.
Cisco PIX
• The Cisco PIX is a dedicated firewall appliance. The PIX firewall software comes installed on hardware appliances of various sizes.
• It can be configured using the command line or the PIX Device Manager (PDM) graphical user interface.
• Cisco PIX provides services such as:
  • Advanced NAT
  • VPN capabilities using IPsec
  • Stateful packet inspection
Cisco ASA (Adaptive Security Algorithm)
• The Cisco ASA is a new firewall and anti-malware security appliance from Cisco Systems.
• The ASA has multi-threat protection.
• If you run a PIX, you still need another system to protect your network against other threats such as viruses, worms, unwanted applications (e.g., P2P, games, instant messaging), phishing, and application-layer attacks.
Network Reconnaissance Tools
• Whois
• Host, Dig, and Nslookup
• Ping
• Fping
• Traceroute
• Hping
Whois/fwhois
• Whois and fwhois are extremely simple but useful tools that query particular “whois” databases for information about a domain name or an IP address.
• Whois servers are databases that are maintained by domain name authorities around the world.
• The most relevant contents of a whois database are:
  • Location
  • Contact information
  • IP address ranges
  • Domain names under its authority
• Whois is usually installed by default on most Unix distributions.
Implementation
• The whois command takes the host name of a whois server using the -h flag. The rest of the command indicates the query we wish to send.
• The fwhois command (found on Linux systems) has the query specified first, with the optional @whois_server specified at the end.
• Examples:
  bash% whois -h whois.alldomains.com yahoo.com
  bash% fwhois yahoo.com@whois.alldomains.com
Host, Dig, and Nslookup
• These utilities are part of a package called BIND (Berkeley Internet Name Domain), the most popular Unix name server.
• These tools can be used to query Domain Name Service (DNS) servers about what they know.
• DNS servers map hostnames to IP addresses and vice versa. They can also give other information, such as which host is the registered mail handler for a specified domain.
Ping and Fping
• Ping simply sends Internet Control Message Protocol (ICMP) echo requests and waits for replies.
• Fping is used in large networks.
• Fping sends ICMP echo requests to a list of IP addresses, provided either on standard input or from a file, in a parallelized fashion.
• It sends out pings in a “round-robin” fashion without waiting for a response.
• When responses are eventually returned, fping notes whether the host is alive or not and waits for more responses, all the while continuing its ping sweep.
Traceroute
• Traceroute traces the route that an IP packet takes to get from your host to its destination.
• It starts by sending an IP packet (either ICMP or UDP) to the specified destination, but it sets the TTL to 1.
• The packet expires at the first hop, and that router tells us that the packet expired using an ICMP message, which allows us to identify where that first hop is.
• Now we send another packet off to the destination, but this time the TTL field is set to 2.
Hping
• This program allows the user to do the same kind of testing as Ping, but using any IP packet, including ICMP, UDP, and TCP.
• By default hping uses TCP instead of ICMP.
• It constructs empty TCP packets with a window size of 64 and no flags set in the header, and it sends those packets to port 0 of the target host.
Hping usage
• Determining a host’s status when ping doesn’t work
• Testing firewall rules
• Stealth port scanning
• Remote OS fingerprinting
Port Redirection
• The majority of TCP/IP services rely on a client/server method for establishing connections.
• For a packet to reach its destination it must have a destination IP address and a destination port (together, a single “socket” on a host).
• TCP/IP allows 16-bit port numbers (0 through 65535).
• Most servers try to use well-known ports (ports 0 to 1023) to make it easier for clients to know how to connect to a service.
• Examples: HTTP on port 80, SSL on port 443
Port Redirection
• Datapipe
• Fpipe
• WinRelay
Datapipe
• A port redirection tool passes TCP/IP traffic received by the tool on one port to another port to which the tool points.
• It functions as a conduit for TCP/IP connections, not an end point.
• For example, you could place a datapipe between a web browser and a web server. The web browser would point to the port redirection tool, but all requests would be passed on to the web server.
• Datapipe is a Unix-based port redirection tool. It uses standard system and network libraries, which enables it to run on the whole alphabet of Unix platforms.
Implementation
• Datapipe must be compiled first.
• Using datapipe:
  $ ./datapipe
  Usage: ./datapipe <localport> <remoteport> <remotehost>
  • <localport> represents the listening port on the local system.
  • <remoteport> represents the port to which data is to be forwarded.
  • <remotehost> represents the host name or IP address of the target.
• Example: listen on a high port (9080) that redirects to a web site of your choice:
  $ ./datapipe 9080 80 www.google.com
• Now enter http://localhost:9080/ in a browser and you should see Google’s home page.
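As an added example (not the datapipe source, but a Python relay that takes the same <localport> <remoteport> <remotehost> arguments), the following shows the conduit behaviour described above: bytes are copied in both directions and the relay itself is never an end point. The echo server and the roundtrip helper are constructed here so the relay can be exercised on the loopback interface without touching a real web site.

```python
import socket
import threading


def _pump(src, dst):
    # Copy bytes one way until src closes, then half-close dst so it sees EOF.
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _serve(port, on_accept):
    # Bind 127.0.0.1:port (0 = any free port), accept in the background with one
    # handler thread per connection; return the port actually bound.
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen()
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=on_accept, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def start_relay(localport, remoteport, remotehost):
    """Same arguments as ./datapipe <localport> <remoteport> <remotehost>."""
    def relay(client):
        upstream = socket.create_connection((remotehost, remoteport))
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        _pump(upstream, client)  # returns once the remote side has closed
        client.close()
        upstream.close()
    return _serve(localport, relay)


def start_echo_server():
    """Constructed stand-in for the remote service: echoes whatever it receives."""
    return _serve(0, lambda conn: _pump(conn, conn))


def roundtrip(port, payload):
    """Client side: send payload via the relay, half-close, collect the reply."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: s.recv(4096), b""))
```

To reproduce the slide's browser test, call start_relay(9080, 80, "www.google.com") from a script that keeps its main thread alive (the listener threads are daemons) and browse to http://localhost:9080/.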
Fpipe
• Fpipe implements port redirection techniques natively in Windows. It adds UDP support, which datapipe lacks.
• Fpipe does not require any support DLLs or privileged user access; however, it runs only on the NT, 2000, and XP platforms.
Implementation
• Fpipe command-line switches:
WinRelay
• WinRelay is a Windows-based port redirection tool.
• It shares the same features as Fpipe, including the ability to define a static source port for redirected traffic.
• It can be used interchangeably with Fpipe on any Windows platform.
Sniffers
• Sniffers can listen for and record any raw data that passes through, over, or by a physical (hardware) network interface.
• A sniffer typically operates on the Data Link Layer of the OSI model, so it doesn’t have to play by the rules of any higher-level protocols.
• Sniffers must be placed on the network local to either end of the communication or on an intermediary point, such as a router, through which the communication passes. It is much easier to sniff traffic in a shared computing environment like a coffee shop, school, or library than it is to target arbitrary cable modem or DSL users.
• Current tools use encryption standards that make it extremely difficult to capture useful information. Be aware that programmers still make mistakes in the implementation of encryption.
Sniffers
• BUTTSniffer
• TcpDump and WinDump
• Ethereal
• Dsniff
• Ettercap
• Snort: an Intrusion-Detection System
BUTTSniffer
• BUTTSniffer is a stand-alone, command-line, Windows-based tool.
• It takes options and a dump type on the command line.
• Dump types are specified using a single letter:
  • r (raw frames): choose this option to dump raw network traffic.
  • e (encapsulation): choose this option to dump decoded packets with encapsulation information.
  • p (protocol): choose this option to dump fully decoded packets along with protocol information.
TcpDump and WinDump
• Tcpdump is a highly configurable, command-line packet sniffer for Unix.
• Windump is tcpdump’s Windows counterpart.
• Tcpdump was made strictly for network monitoring, traffic analysis and testing, and packet interception.
• Tcpdump/Windump is more of a sniffer than a protocol analyzer.
• It captures a lot of useful low-level information about the packets passing on the network, and it can help diagnose all kinds of network problems.
Ethereal
• Ethereal is a nice graphical front end to packet capture files created by several different packet sniffers, including tcpdump and WinDump.
• By using Ethereal on previously created capture files, you can navigate through the details of the captured session and analyze higher protocols such as SMB, SMTP, and even different types of SSH sessions.
• Ethereal is freely available for Windows, Linux, Unix, and Mac OS X.
Dsniff
• Dsniff is a collection of free tools that were originally written for network and penetration testing, but that can be used for evil to sniff and hijack network sessions.
• It requires several other packages, including OpenSSL, libpcap, Berkeley DB, and libnids.
Ettercap
• Sniffers usually work on hubs, where network packets get sent to every system connected to the hub.
• Another way to sniff is to configure a particular switch port so that all traffic on the switch also gets sent to that “switch monitoring” port. Ettercap uses this method.
• Ettercap allows other users to build their own ettercap plug-ins to extend its functionality.
Snort: an Intrusion-Detection System
• An Intrusion Detection System (IDS) is a sniffer, but it has specialized filters to identify malicious activity.
• A good IDS can find anything from a buffer overflow attack against an SSH server to the transmission of /etc/passwd files over FTP.
• Network architects place IDS hosts at strategic points in the network where they can best monitor traffic.
• The IDS examines all packets that pass through the network, looking for particular signatures that are defined by the administrator.
Snort: an Intrusion-Detection System (continued)
• The IDS then reports on all traffic that matches those signatures.
• The point is to configure the IDS with signatures of undesirable packets.
• Snort is a robust IDS.
• It runs on several Unix variants as well as Windows.
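As an added example (not Snort code), this Python sketch shows the signature-matching step the last two slides describe: administrator-defined signatures are run over each packet and every hit becomes an alert. The two signatures (an FTP retrieval of /etc/passwd and an oversized payload to an SSH server), the simplified Snort-like rule fields, the rule ids and the sample traffic are all constructed here; a real IDS would additionally reassemble TCP streams before matching.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signature:
    sid: int                       # rule id (constructed; local rules use >= 1000000)
    msg: str                       # text that appears in the alert
    proto: str                     # "tcp" or "udp"
    dport: Optional[int]           # destination port, None = any
    content: Optional[bytes]       # byte string that must appear in the payload
    min_payload: int = 0           # fire only if payload length >= this value

    def matches(self, pkt) -> bool:
        if pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        if self.content is not None and self.content not in pkt["payload"]:
            return False
        return len(pkt["payload"]) >= self.min_payload


SIGNATURES = [
    # FTP command channel: a client asking for /etc/passwd, as on the slide.
    Signature(1000001, "FTP RETR of /etc/passwd", "tcp", 21, b"RETR /etc/passwd"),
    # SSH: an abnormally large payload to the server, a crude overflow-style check.
    Signature(1000002, "Oversized payload to SSH server", "tcp", 22, None, min_payload=512),
]


def inspect(packets, signatures=SIGNATURES):
    """Run every signature over every packet; return one alert dict per match."""
    alerts = []
    for pkt in packets:
        for sig in signatures:
            if sig.matches(pkt):
                alerts.append({"sid": sig.sid, "msg": sig.msg, "src": pkt["src"],
                               "dst": f'{pkt["dst"]}:{pkt["dport"]}'})
    return alerts


# Constructed sample traffic (not a real capture); one dict per packet.
SAMPLE = [
    {"proto": "tcp", "src": "10.0.0.50", "dst": "192.168.1.20", "dport": 21, "payload": b"USER anonymous\r\n"},
    {"proto": "tcp", "src": "10.0.0.50", "dst": "192.168.1.20", "dport": 21, "payload": b"RETR /etc/passwd\r\n"},
    {"proto": "tcp", "src": "10.0.0.51", "dst": "192.168.1.22", "dport": 22, "payload": b"SSH-2.0-OpenSSH\r\n"},
    {"proto": "tcp", "src": "10.0.0.52", "dst": "192.168.1.22", "dport": 22, "payload": b"A" * 600},
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE):
        print(f'[{alert["sid"]}] {alert["msg"]}  {alert["src"]} -> {alert["dst"]}')
```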
TCP/IP Stack Tools
• Testing the TCP/IP stack of your firewall, web server, or router is not part of a daily review, but these tools can help you verify access control lists and patch levels.
• They also provide a method for analyzing how your servers may respond to Denial-of-Service (DoS) attacks or other extreme network conditions.
• This functionality enables you to create specific, customized tests for scenarios that range from load testing to protocol compatibility testing.
TCP/IP Stack Tools
• ISIC: IP Stack Integrity Checker
• Iptest
• Nemesis: Packet weaving 101
• Beyond the command line