UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640
© UMUC 2012 Page 1 of 47

Contents

Topic 1: Analogy ... 2
  Analogy: A Challenge ... 2
Topic 2: Module Introduction ... 4
Topic 3: Honeypots and IDS Network Placement ... 5
  Introduction to Honeypots ... 5
  Types of Honeypots ... 6
  Honeypot Placement ... 10
  IDS Placement ... 11
  Securing the IDS Box ... 13
  Activity: Best IDS Placement ... 14
Topic 4: Virtual Local Area Networks and Demilitarized Zones ... 15
  Switches ... 15
  Benefits of VLANs ... 16
  Vulnerabilities of VLANs ... 20
  Types of DMZs ... 21
  VLANs and DMZs ... 23
Topic 5: Virtual Private Network Remote Access Architecture ... 24
  Introduction to VPN Remote Access Architecture ... 24
  VPN Gateways and Firewalls in Series ... 25
Topic 6: Redundancy Architecture ... 27
  Redundancy Architecture Implementation ... 27
Topic 7: AAA Architecture ... 29
  Introduction to AAA Architecture ... 29
  AAA Technologies ... 30
Topic 8: Access Control List ... 31
  ACL Processing ... 31
  Wildcard Mask ... 33
  ACL Syntax ... 34
  Activity ... 39
Topic 9: Summary ... 42
Glossary ... 43


Topic 1: Analogy

Analogy: A Challenge

Network Security Architecture
CSEC 640 – Module 10

A Challenge

Protecting the valuable resources of a network is like protecting a king’s treasure in a castle. The king’s guards ensure that all the castle doors are fitted with sturdy locks. The guards fortify the castle walls, station lookouts at strategic points, and patrol the corridors to keep intruders out. How is the role of a network security architect similar to that of the king’s guards? Find out by reading the analogy.

Analogy

The King is famous for the treasures in his castle. His guards stay busy keeping burglars from breaching the castle walls. Burglars are constantly looking for unprotected entry points that will help them enter the castle and steal the treasure. The King has ordered his guards to secure the castle so burglars cannot penetrate its walls.

The castle’s walls help keep intruders out. In addition, the moat and the castle gate limit the entry and exit of people and supplies. In a corporate network, the firewalls act as a defense system to keep hackers out. The firewalls also function as gateways that restrict the flow of traffic between the internal corporate network and the Internet.

The treasures in a castle are hidden deep inside the castle. Not everyone has access to these innermost recesses of the castle, and guards stationed at various points restrict the movement of people within the castle. The resources of a corporate network include intellectual property, revenue, customer data, and company records. These resources require virtual castles to be built around them to withstand cyber attacks.

The castle guards keep an eye on every move inside the castle rooms and corridors to spot any suspicious activities. In case of an intrusion, the guards raise an alarm and ensure that the trespasser does not flee. A network security architect employs intrusion detection systems (IDSs) on a network to detect unauthorized intrusions, security breaches, and malicious activities.

The castle’s head guard hears rumors of a conspiracy, supposedly by insiders, to steal the royal crown. He hits upon the idea of using a glittering but valueless crown as bait to tempt intruders. The fake crown is placed in a booby-trapped room, and additional guards are posted so any intruders can be caught as soon as they enter the room.


In a corporate network, the security architect uses honeypots to the same effect—to bait hackers. Honeypots are closely monitored to catch hackers and nab them before they can do any real damage.


Topic 2: Module Introduction

IT security architecture helps organizations build security into their IT infrastructure. Though there is no single solution that can fulfill all the security needs of all organizations, there are certain common elements of an IT security architecture that a company can consider when developing its security plan. This module examines implementation of different architectures such as honeypot/IDS network architecture; virtual local area network (VLAN); demilitarized zone (DMZ); virtual private network (VPN) remote access architecture; redundancy architecture; and authentication, authorization, accounting (AAA) architecture. The module also covers how to apply an access control list (ACL) to enforce security policies for a given network.


Topic 3: Honeypots and IDS Network Placement

Introduction to Honeypots

Honeypots are Internet-attached systems that are installed on an organization’s network for the specific purpose of being probed, attacked, or compromised. The main goals of using a honeypot are:

- Diverting attackers from genuinely valuable systems
- Proactively collecting information about attackers’ behavior

Honeypots are highly flexible tools that can be used in a variety of situations.

Detection

Like an IDS, a honeypot can be used to detect attacks. Honeypots act as early indicators and warning sensors to detect malicious activity and can be used to capture and analyze automated attacks, such as worms. Because no other type of activity is expected on a honeypot, honeypots function well as sensors that detect malicious activity. They also act as deterrents, making an attacker waste time and resources on exploiting the honeypot instead of vulnerable production systems. Additionally, the collected information can be used to generate new network intrusion detection system (NIDS) signatures.

Deception

Honeypots can be used as electronic bait to attract attackers, provide a set of real-time applications for attackers to interact with, and proactively gather information about their behavior. An attacker may first check for low-hanging fruit on the network, and since honeypots appear to be more vulnerable and easier to exploit, an attacker may spend time on that system first. Because honeypots have no production traffic, activity on honeypots generates valid security alerts, as they detect attacks by virtue of system activity and not by signatures. Honeypots share a limitation with host-based intrusion detection systems (HIDS), as they generate alerts only when an attacker directly targets them.

Research

Research honeypots are used in information gathering by providing a platform to study cyber threats. Honeypots are frequently used to collect malware automatically and to log attack activities and communications. The collected information can be analyzed to generate new NIDS signatures or firewall rules to counter an attacker.


Types of Honeypots

Based on security requirements, honeypots offer low, medium, or high interaction.

Low-Interaction Honeypots

Low-interaction honeypots are the easiest to deploy, but their functionality is limited to detecting known malicious behaviors and generating alerts when those are observed. Low-interaction honeypots emulate certain services and appear to be misconfigured. For instance, they may mimic File Transfer Protocol (FTP) servers that allow anonymous connections, while providing no other interaction to the attacker. Many types of low-interaction honeypots, such as Dionaea, are available to accomplish security goals.

Slide 1

Dionaea is a low-interaction honeypot designed to emulate known services with the intent of acquiring binary code from malware. Dionaea emulates the Server Message Block (SMB), Hypertext Transfer Protocol Secure (HTTPS), FTP, Trivial File Transfer Protocol (TFTP), Session Initiation Protocol (SIP), and Microsoft Structured Query Language (MSSQL) protocols. Dionaea captures exploit binaries targeting these protocols with a comprehensive shellcode detection mechanism. Shellcode is the attacker's way into the system but is only the first step of an attack. Dionaea evaluates the captured shellcode and, by emulating a successful exploit, downloads the malware the shellcode points to. Dionaea can also be bundled with automatic submission to malware analysis Web sites, such as VirusTotal, to get more information about the captured malware. As a low-interaction honeypot, Dionaea's primary targets are worms and other automated attacks. Dionaea stores captured malware in files named by the Message-Digest Algorithm 5 (MD5) hash of the submitted malware binary. The captured malware can be automatically sent to these Web sites for further analysis:

- http://anubis.iseclab.org
- http://www.virustotal.com
- http://threatexpert.com

Reference: Dionaea catches bugs. (n.d.). Retrieved from http://dionaea.carnivore.it


Slide 2

The screenshot shows a successful malware capture from four separate hosts (131.171.127.1, 131.171.127.2, 131.172.127.3, and 131.172.127.5) with two different binaries, a6ff39d6271acb4626469ae8579956a7 and 39c7772b34e2e340a0e5214dd508a9cf. Dionaea’s logging engine is an SQLite database. The first binary is a worm named W32.Rahack.h; the second is unidentified malware. Interestingly, three separate hosts were recorded submitting the unidentified malware from the 131.171.127.5 domain in the United States.
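The per-binary, per-host view described for Slide 2 is easy to reproduce from a capture log. The following is an added example written for this page, not Dionaea's own code: it names each captured blob by its MD5 (as Dionaea does), records download events in an in-memory SQLite table with a hypothetical schema, and groups the submitting hosts by binary. The host addresses reuse those quoted above; the payload bytes are constructed.

```python
"""Added example (not Dionaea's code): file captured binaries by MD5 and log
which hosts submitted them, in the style of Dionaea's SQLite logging."""
import hashlib
import sqlite3

# Constructed sample captures: (source IP, captured binary bytes).
# The IPs reuse the addresses quoted on the page; the payloads are made up.
SAMPLE_CAPTURES = [
    ("131.171.127.1", b"MZ\x90\x00worm-sample-A"),
    ("131.171.127.2", b"MZ\x90\x00unidentified-B"),
    ("131.172.127.3", b"MZ\x90\x00unidentified-B"),
    ("131.172.127.5", b"MZ\x90\x00unidentified-B"),
]


def md5_name(blob: bytes) -> str:
    """Dionaea names captured files by the MD5 of the binary; same idea here."""
    return hashlib.md5(blob).hexdigest()


def build_capture_db(captures):
    """Create an in-memory SQLite log (hypothetical schema, not Dionaea's)
    with one row per (host, binary) download event."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE downloads (remote_host TEXT, download_md5 TEXT, size INTEGER)"
    )
    conn.executemany(
        "INSERT INTO downloads VALUES (?, ?, ?)",
        [(host, md5_name(blob), len(blob)) for host, blob in captures],
    )
    conn.commit()
    return conn


def hosts_per_binary(conn):
    """Return {md5: sorted distinct hosts}: the per-binary view an analyst
    wants when several hosts push the same sample."""
    rows = conn.execute(
        "SELECT download_md5, remote_host FROM downloads "
        "ORDER BY download_md5, remote_host"
    ).fetchall()
    result = {}
    for md5, host in rows:
        hosts = result.setdefault(md5, [])
        if host not in hosts:
            hosts.append(host)
    return result


def summarize(captures=SAMPLE_CAPTURES):
    """Load the captures and return the hosts-per-binary summary."""
    conn = build_capture_db(captures)
    try:
        return hosts_per_binary(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    for md5, hosts in summarize().items():
        print(f"{md5}  submitted by {len(hosts)} host(s): {', '.join(hosts)}")
```

MD5 is what Dionaea used for file naming at the time; because MD5 collisions are practical, a deployment today would store a SHA-256 alongside it and use that when correlating with external analysis services.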

Slide 3

Dionaea can be combined with an operating system (OS) fingerprinting service called p0f to display information about the attacking or scanning machines. This screenshot shows that 192.168.1.132 is the honeypot and that the attacker used Windows NT and XP.

Medium-Interaction Honeypots

Medium-interaction honeypots are designed to provide the appearance of a complete OS, such as a virtual machine, to the attacker. This causes the attacker to waste time interacting with the honeypot.


There are many medium-interaction honeypots, such as Kippo.

Slide 1

Kippo is a medium-interaction Secure Shell (SSH) honeypot designed to log brute-force attacks and the entire shell interaction performed by the attacker. Kippo emulates a system with a poorly configured SSH server that accepts the username root with a weak password, such as 123456, by default. Once attackers successfully log in, they are presented with a fake system that encourages them to download tools to the honeypot. These downloads are captured separately so the attackers will not be able to clear their tracks. Once an attacker gives up and tries to leave by typing exit, the honeypot drops the attacker into another fake shell instead of terminating the connection. The second fake shell is intended to deceive attackers into thinking that they are back on the machine from which they launched the SSH connection. This mechanism can provide additional information about the steps an attacker would perform after an attack. Kippo can log the collected information in a MySQL server.

Slide 2

The screenshot shows a segment of an SSH brute-force attempt. It shows one IP trying various username/password combinations to gain access to the honeypot. For more information about the Kippo SSH honeypot, see http://code.google.com/p/kippo.

IP             Username  Password      Timestamp
131.171.127.3  bin       reggie2       20xx-04-23 20:34:22
131.171.127.3  http      reggie2       20xx-04-23 20:34:24
131.171.127.3  test      reggie2       20xx-04-23 20:34:26
131.171.127.3  admin     reggie2       20xx-04-23 20:34:28
131.171.127.3  bin       JazzJack      20xx-04-23 20:34:30
131.171.127.3  bin       brenda19      20xx-04-23 20:34:32
131.171.127.3  bin       password1234  20xx-04-23 20:34:34
131.171.127.3  root      634895        20xx-04-23 20:34:37
131.171.127.3  root      bgrazzer      20xx-04-23 20:34:39
131.171.127.3  root      jen@134       20xx-04-23 20:34:41
131.171.127.3  root      nafdnoiw      20xx-04-23 20:34:43
131.171.127.3  root      W#WERT        20xx-04-23 20:34:45
131.171.127.3  root      yadda#1       20xx-04-23 20:34:47
131.171.127.3  root      test@123      20xx-04-23 20:34:49
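The table above is the raw material for two of the honeypot uses described earlier in this topic: under Detection, any activity on the honeypot is an alert because no legitimate logins are expected, and the sequence of attempts from one source is the brute-force pattern Kippo is built to record. The following is an added example written for this page, not Kippo's own code. It parses a constructed log in the same "IP Username Password Timestamp" layout (the page shows the year as 20xx; 2012 is assumed here so the timestamps parse), counts attempts per source, and flags sources that exceed a threshold inside a sliding time window.

```python
"""Added example (not Kippo's code): turn a Kippo-style login log into alerts.
Two checks: every source that touches the honeypot at all, and sustained
password guessing from one source inside a time window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log in the page's "IP Username Password Timestamp" layout.
# The attacker rows mirror the table above; the 10.0.0.7 row is added so the
# threshold check has a single-attempt source to ignore.
SAMPLE_LOG = """\
131.171.127.3 bin reggie2 2012-04-23 20:34:22
131.171.127.3 http reggie2 2012-04-23 20:34:24
131.171.127.3 test reggie2 2012-04-23 20:34:26
131.171.127.3 admin reggie2 2012-04-23 20:34:28
131.171.127.3 bin JazzJack 2012-04-23 20:34:30
131.171.127.3 bin brenda19 2012-04-23 20:34:32
131.171.127.3 bin password1234 2012-04-23 20:34:34
131.171.127.3 root 634895 2012-04-23 20:34:37
131.171.127.3 root bgrazzer 2012-04-23 20:34:39
131.171.127.3 root jen@134 2012-04-23 20:34:41
131.171.127.3 root nafdnoiw 2012-04-23 20:34:43
131.171.127.3 root W#WERT 2012-04-23 20:34:45
131.171.127.3 root yadda#1 2012-04-23 20:34:47
131.171.127.3 root test@123 2012-04-23 20:34:49
10.0.0.7 root toor 2012-04-23 21:00:00
"""


def parse_log(text):
    """Yield (ip, username, password, timestamp) per line. Passwords may
    contain spaces, so the date and time are split off from the right first.
    Malformed lines are skipped rather than aborting the run."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            head, date, time = line.rsplit(" ", 2)
            ip, user, password = head.split(" ", 2)
            ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        yield ip, user, password, ts


def attempts_per_source(text):
    """Honeypot rule: every login attempt is an alert. Return {ip: attempts}."""
    counts = defaultdict(int)
    for ip, _, _, _ in parse_log(text):
        counts[ip] += 1
    return dict(counts)


def brute_force_sources(text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: total attempts} for sources that made at least `threshold`
    attempts inside any sliding window of length `window`."""
    by_ip = defaultdict(list)
    for ip, _, _, ts in parse_log(text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def usernames_tried(text, ip):
    """Distinct usernames a source tried; handy when turning honeypot data
    into the NIDS signatures or firewall rules the page mentions."""
    return sorted({u for src, u, _, _ in parse_log(text) if src == ip})


if __name__ == "__main__":
    print("sources seen:", attempts_per_source(SAMPLE_LOG))
    for ip, n in brute_force_sources(SAMPLE_LOG).items():
        print(f"brute force from {ip}: {n} attempts, usernames "
              f"{usernames_tried(SAMPLE_LOG, ip)}")
```

The sliding window matters: a source that spreads guesses over hours does not trip a fixed-interval counter, while the 14 attempts in 27 seconds above trip a 5-per-minute threshold immediately.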

High-Interaction Honeypots

High-interaction honeypots are complete production systems deployed with tightly controlled network environments to prevent an attacker from using the honeypot to attack other systems on the network. These systems are used in conjunction with an NIDS to keep attackers from realizing that they are attacking a honeypot.


Honeypot Placement

Depending on security requirements, honeypots can be placed either inside or outside a firewall. Low-interaction honeypots are frequently placed in the DMZ to automatically collect malware. Medium- and high-interaction honeypots are usually placed inside the firewall and appear to be a part of a production system. For example, if the production servers have IP addresses 192.168.3.2 and 192.168.3.4, it is advisable to assign 192.168.3.3 to the honeypot. Firewalls and routers can also be configured to redirect traffic on some ports to a honeypot to make intruders think that they are connecting to a real server.


IDS Placement

Depending upon the network topology, an IDS may be positioned in one or more places. The choice also depends upon what types of intrusion activities require detection: internal, external, or both.

In Network Using Routers

For example, if the goal is to detect only external intrusion activities, and the network has only one router connecting to the Internet, the best place for an IDS is inside the router or a firewall. If there are multiple paths to the Internet, placing an IDS box at every entry point may be necessary. However, if the goal is also to detect internal threats, placing a box in every network segment is necessary.


In Network Using Switches

If the network segments or hosts monitored with an IDS use a switch, the IDS can be placed on the spanning port of the switch. A spanning port, also known as a monitoring port, typically indicates the ability to replicate network traffic from all the ports in the same switch to a single port to which an IDS is connected.

In Network Using Hubs and Network Taps

If placed right behind a firewall or router, hubs and network taps can also be used to make traffic visible to the IDS.


Securing the IDS Box

Securing the IDS box is one of the most important aspects of an IDS installation. Since an IDS box is capable of monitoring the entire network's traffic, an attacker who compromises the IDS will have access to the entire network. As such, the IDS box should never run any additional services, and the OS running the IDS should be kept up to date. Additional security can be added to prevent the IDS box from showing up in scans. The IDS box can be deployed with a stealth network interface that is missing the capability to send data, or with a network interface that has no IP address assigned to it. In both cases, a separate network interface has to be installed to allow the administrator to monitor the IDS, which may be on a separate intranet network. In the given network topology example, the network administrator is on a separate network (192.168.100.0/24) that is protected by the firewall. In addition, the IDS has no IP address in the 192.168.3.0/24 subnet.


Activity: Best IDS Placement

Placing an IDS at strategic locations can help detect and stop a hacker. Test your knowledge about IDS placements in a network. Analyze the network diagram and identify the best IDS placement to monitor internal threats.

a. Location 1
b. Location 2
c. Location 3

Correct answer: Option b

Feedback for option a: Not quite. This IDS placement is best suited to monitor external threats to subnet A.
Feedback for option b: That’s correct. This is the best IDS placement to monitor internal threats since this machine has access to both internal and external threats to subnet B.
Feedback for option c: Not quite. This would be a perfect location for an administrator machine to monitor the IDS.


Topic 4: Virtual Local Area Networks and Demilitarized Zones

Switches

Switches are used to create VLANs or separate broadcast domains. VLANs can logically segment switched networks based on physical locations such as buildings, or organizations such as the departments of a company.

Here is an example of the network topology of a financial services company, Ibsen Inc. At Ibsen, the sales department’s VLAN is assigned to switch ports 1, 2, and 3. The human resources department’s VLAN is assigned to switch ports 9, 10, and 11.

Logically speaking, VLANs are also subnets. This means that each VLAN has a unique network IP address. A subnet can be thought of as one broadcast domain; the broadcast packets in one subnet will not be forwarded to another subnet. This also applies to the VLAN. For example, host A in the sales department VLAN or subnet can directly communicate with host B or host C, since host B and host C are both in the same subnet. However, host A cannot directly send any frame to the hosts in the human resources department. This means that an IP packet originating from the hosts in the sales department must travel through the router to arrive at the hosts in the human resources department. In addition, the broadcast packets sent by the hosts in the sales VLAN cannot travel to the human resources department VLAN, since the router blocks any broadcast packets.


Benefits of VLANs

VLANs offer many benefits, such as flexibility, scalability, and security.

Flexibility

A VLAN assigns a host to a broadcast domain based on the port that the host system is plugged into. If Ibsen Inc. decides to move host A from the sales VLAN to the human resources VLAN, the administrator simply needs to reconfigure port 1 to be a part of the human resources VLAN.

Step 1: The company assigns hosts to different VLANs.
Step 2: The company moves host A from the sales department VLAN to the human resources department VLAN.
Step 3: Configuration is required to assign a different VLAN.
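The reasoning in the Switches section (a VLAN is a subnet, a subnet is one broadcast domain, and traffic between broadcast domains must pass through the router) and the port reassignment in the Flexibility steps can both be modelled in a few lines. The following is an added example written for this page, not part of the module. The page names the VLANs, the hosts, and the switch ports (sales on ports 1 to 3, human resources on ports 9 to 11) but gives no IP addresses, so the subnets and host addresses below are assumptions; host D on port 9 is also assumed.

```python
"""Added example (not from the module): reachability between hosts follows
from which VLAN their switch port belongs to, and moving a port between
VLANs changes reachability without touching the host."""
import ipaddress

# Constructed addressing for Ibsen Inc.; the page gives no IP addresses.
VLAN_SUBNETS = {
    "sales": ipaddress.ip_network("192.168.10.0/24"),
    "hr": ipaddress.ip_network("192.168.20.0/24"),
}
# Port-to-VLAN map as stated on the page (sales: 1-3, HR: 9-11).
PORT_VLAN = {1: "sales", 2: "sales", 3: "sales", 9: "hr", 10: "hr", 11: "hr"}
# Hosts A, B, C are the page's sales hosts; D on port 9 is an assumed HR host.
HOST_PORT = {"A": 1, "B": 2, "C": 3, "D": 9}
HOST_IP = {
    "A": ipaddress.ip_address("192.168.10.11"),
    "B": ipaddress.ip_address("192.168.10.12"),
    "C": ipaddress.ip_address("192.168.10.13"),
    "D": ipaddress.ip_address("192.168.20.11"),
}


def vlan_of(host, port_vlan=PORT_VLAN):
    """A host's VLAN is whatever VLAN its switch port is configured for."""
    return port_vlan[HOST_PORT[host]]


def path(src, dst, port_vlan=PORT_VLAN):
    """'direct' when both hosts share a broadcast domain (frames go straight
    through the switch), otherwise 'via-router' for a layer-3 hop."""
    same = vlan_of(src, port_vlan) == vlan_of(dst, port_vlan)
    return "direct" if same else "via-router"


def broadcast_receivers(src, port_vlan=PORT_VLAN):
    """Hosts that see a broadcast from src: only those in the same VLAN,
    because the router does not forward broadcasts."""
    v = vlan_of(src, port_vlan)
    return sorted(h for h in HOST_PORT if h != src and vlan_of(h, port_vlan) == v)


def move_host(host, new_vlan, port_vlan=PORT_VLAN):
    """The Flexibility step: reassign the host's port to another VLAN.
    Returns a new port map and leaves the original untouched."""
    if new_vlan not in VLAN_SUBNETS:
        raise ValueError(f"unknown VLAN {new_vlan!r}")
    updated = dict(port_vlan)
    updated[HOST_PORT[host]] = new_vlan
    return updated


def address_matches_vlan(host, port_vlan=PORT_VLAN):
    """Check the caveat the port move does not handle by itself: the host's
    IP address must belong to the subnet of the VLAN its port is now in."""
    return HOST_IP[host] in VLAN_SUBNETS[vlan_of(host, port_vlan)]


if __name__ == "__main__":
    print("A -> B:", path("A", "B"), "| A -> D:", path("A", "D"))
    print("broadcast from A reaches:", broadcast_receivers("A"))
    moved = move_host("A", "hr")
    print("after moving port 1 to HR, A -> D:", path("A", "D", moved))
    print("A's address still fits its VLAN:", address_matches_vlan("A", moved))
```

The last check is the practical caveat behind "Configuration is required" in Step 3: reconfiguring port 1 changes which broadcast domain host A sits in, but host A keeps its sales-subnet address until it is readdressed (or obtains a new DHCP lease) in the human resources subnet, and until then it cannot reach anything through the router.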

Scalability

A VLAN is not limited to a single switch. It can span an entire enterprise network.

Step 1: The company assigns hosts to different VLANs.
Step 2: The company adds more hosts to the sales department VLAN.
Step 3: VLANs are not bound by physical locations.

Security

A VLAN can provide greater security than a traditional LAN. One reason is that a VLAN can be used to create more secure user groups and prevent others outside the broadcast domain from receiving sensitive data. This is a useful way to enforce a trust model among subnets or VLANs. In addition, at a layer-3 device such as a router, an access control list (ACL) can be implemented that controls what traffic can pass to any given VLAN. A VLAN can also be used to enhance DMZ function and restrict network access.


Step 1: Direct communication is not allowed between two VLANs.

Step 2: Communication through the router is not allowed if the router is correctly configured.


Topic 4: Virtual Local Area Networks and Demilitarized Zones

Vulnerabilities of VLANs

VLANs should be used carefully, or not at all, especially when multiple VLANs with different security levels are placed on the same switch. This can lead to leakage of confidential information. Assume that a system administrator wants to divide a network segment into two subnets with two different security levels: a classified subnet and an unclassified subnet. In this case, the security goal is to prevent any traffic flow between the classified subnet and the unclassified subnet. There is always a possibility that traffic can pass between VLANs, either inadvertently, through a device error, or maliciously, through a type of attack called VLAN hopping. In VLAN hopping, an attacker takes advantage of incorrectly configured ports on network switches. VLAN-hopping attacks are designed to let the attacker bypass layer-3 devices, such as routers, and send packets to a system on a different VLAN that the attacker cannot normally reach. As a result, confidential information can flow from the classified VLAN or subnet to the unclassified VLAN or subnet.


Topic 4: Virtual Local Area Networks and Demilitarized Zones

Types of DMZs

Introduction

A DMZ is a buffer zone that separates the Internet from an organization’s internal network. A DMZ ensures that no request originating from the external network can be passed directly to the internal network.

Types of DMZs

There are many different ways to design a network with a DMZ. The two most popular and common DMZ designs are the multi-homed firewall architecture and the dual firewall architecture.

Multi-Homed Firewall Architecture

The multi-homed firewall architecture is also known as the three-homed firewall architecture. The term “three-homed” means that three network interfaces are attached to the firewall. This is a relatively common DMZ architecture. The flows allowed within this architecture are shown here.

Step 1: The internal network flows to the DMZ network.
Step 2: The DMZ network flows to the internal network.
Step 3: The internal network flows to the Internet.
Step 4: The DMZ segment flows to the Internet.
Step 5: The Internet flows to the DMZ network.
Step 6: No network traffic can pass directly from the Internet to the internal network; it must go through the firewall.

Dual Firewall Architecture

The dual firewall architecture provides more security than the multi-homed firewall architecture. The external firewall protects the DMZ as well as the internal network. The internal firewall protects the internal network not only from the DMZ but also from the Internet.


Typically, the external firewall is capable of filtering packets at a higher speed, while the internal firewall focuses on examining the application payload of packets arriving from the DMZ and the external firewall. The external firewall acts as a gateway on the internal network side. With this configuration, data flowing toward the internal network can be examined more thoroughly.


Topic 4: Virtual Local Area Networks and Demilitarized Zones

VLANs and DMZs

When the DMZ network uses a layer-2 switch to connect all the service machines, such as public Web servers, DNS servers, and mail servers, it is secure to create multiple VLANs on the switch for the ports used for the DMZ. Consider the example of Ibsen Inc., where the port used for each service is assigned to a different VLAN. The FTP server, public Web server, and DNS server are plugged into ports belonging to VLAN10, VLAN20, and VLAN30, respectively. When the compromised Web server in the VLAN20 DMZ performs a SYN flood denial of service (DoS) attack, the other two servers are not affected by the attack, since the SYN packets cannot reach VLAN10 or VLAN30. However, as previously mentioned, implementing VLANs to divide a network segment into multiple areas with different security levels is not recommended.


Topic 5: Virtual Private Network Remote Access Architecture

Introduction to VPN Remote Access Architecture

The VPN gateway and the network firewall are both security devices, and their functions have much in common: both can serve as the front door to an internal network. Therefore, there is a trend toward integrating VPN gateway functionality and firewall functionality in a single device. When the two devices are separate but both are located at the corporate network boundary to protect the private network, security and placement options must be considered. There are different ways the VPN gateway and firewalls can be arranged to complement each other.


Topic 5: Virtual Private Network Remote Access Architecture

VPN Gateways and Firewalls in Series

A VPN gateway can be configured in many ways, and each configuration has advantages and disadvantages. Here are some ways VPN gateways can be configured.

Behind the Firewall

In this architecture, the firewall must carry a specific rule that allows VPN traffic to pass through. This means that any tunneled traffic destined for the VPN gateway must be permitted by the firewall, since the firewall cannot apply specific access control rules to encrypted VPN traffic. Opening the firewall to permit VPN-related traffic may weaken the protection the firewall provides. Although the firewall cannot read a VPN packet, it can enforce some rules about which types of tunnels are legitimate. Because the firewall filters the allowable traffic, the VPN gateway’s policies are no longer used for access control. However, non-VPN traffic must still pass through the VPN gateway, which wastes processing resources. For this reason, this configuration is not recommended.

In Front of or Without a Firewall

In this architecture, the VPN gateway is in front of the firewall. The VPN gateway must handle the tunneled traffic and also perform some access control on non-VPN traffic. The traffic that passes through the VPN gateway, including decrypted VPN traffic, is then processed by the firewall. The advantage of this architecture is that, since all the traffic reaching the firewall is in the clear or already decrypted, the firewall can apply sophisticated access control rules to all of it. However, the VPN gateway, or concentrator, should have some firewall functionality, since it acts as the first security device in front of the internal network and is not protected by the firewall. This serial configuration is used more often than the firewall-first approach because the firewall can offer more advanced access control than the VPN gateway.


VPN Gateway and Firewall in Parallel

A VPN gateway and a firewall can also be installed in parallel. In this configuration, traffic going through the VPN gateway and traffic going to the firewall are separated: the router is configured so that VPN traffic is directed to the VPN gateway. Both the VPN gateway and the firewall have public addresses. This is a relatively popular design.

VPN on a DMZ

In this architecture, the VPN gateway is attached to the third leg, or DMZ, of the firewall. Since firewall rules are normally applied per network interface, different sets of filter rules are used for the VPN tunnel traffic and for the non-VPN firewall traffic. A VPN-specific set of rules is applied to the DMZ interface to regulate the VPN traffic, and only VPN-tunneled traffic can pass through the DMZ interface.


Topic 6: Redundancy Architecture

Redundancy Architecture Implementation

A redundant network can be implemented as an additional backup system in a network. If any single device or connection fails because of a physical fault or a cyber attack, a backup system or connection automatically takes over the job of the failed device or connection without user intervention. Here are two redundancy architectures used by firewalls and routers: firewall failover and Hot Standby Router Protocol (HSRP).

Firewall Failover

Failover allows a system administrator to connect a second firewall unit that protects the organization’s network if the first firewall goes offline. There are two types of failover: nonstateful (hardware) failover and stateful failover.

Nonstateful Failover

If the primary firewall fails, the standby firewall begins processing traffic. The only item replicated between the two firewalls is the configuration. Hardware failover is not stateful: the state tables that are necessary to maintain a connection, such as the Network Address Translation table, are not synchronized with the second firewall. Therefore, in the event of a failover, the state tables must be transferred to the second firewall, and this transfer is always disruptive.

Stateful Failover

A stateful failover configuration performs the same function as hardware failover. The main difference is that stateful failover requires the state information on the primary firewall to be synchronized with the standby firewall through an Ethernet connection. When the standby firewall promotes itself to the primary role, the process is completely transparent to the users and their connections.

HSRP

HSRP provides a mechanism designed to support nondisruptive failover of IP traffic in cases such as device failure or a security attack. In HSRP, a single active router and a standby router are elected from a group of routers. The active router is responsible for routing packets; the standby router takes over when the active router fails. A virtual router is a pair of IP and MAC addresses that end-host machines configure as their default gateway. All packets sent to the address of the virtual router, or software router, are processed by the active router; in other words, the active router physically forwards packets sent to the MAC address of the virtual router. If the active router fails, the standby router becomes the new active router. Since the new active router uses both the IP and MAC addresses of the virtual router, the end-host machines see no disruption.

The standby router takes over when the active router fails.


Topic 7: AAA Architecture

Introduction to AAA Architecture

Authentication, authorization, and accounting (AAA) is one of the most important methods of hardening networks. AAA helps a system administrator centralize security checks. Authentication checks a user’s identity to determine whether the user is allowed access to networking devices, such as routers, switches, and VPN gateways, to perform system administration tasks. To gain access, the user must provide a valid username and password. Once the user has gained access to the networking device, authorization determines what the user can do; for example, it determines which commands the user can execute, given the privilege level assigned to the user. With the accounting function, a system administrator keeps a record of the user’s actions, such as which commands a user executes and when.


Topic 7: AAA Architecture

AAA Technologies

There are two primary technologies used to provide AAA for network infrastructure: the Remote Authentication Dial-In User Service (RADIUS) and the Terminal Access Controller Access Control System Plus (TACACS+). Both RADIUS and TACACS+ employ a client/server architecture that allows a remote access server to authenticate user connections against a centralized database of user credentials. For a remote user to access a specific network device, the user must be authenticated by the AAA server. Once authentication succeeds, the user is authorized to access the network device according to a privilege level, which is also determined by the AAA server.

Kevin Snow is a junior security administrator at MultiGrowth Finance Solutions (MFS). Kevin wants to configure the company router remotely. However, a senior system administrator at MFS wants to limit the commands Kevin can execute when he is remotely logged in to MFS’s router. The company has set up an AAA server, such as a RADIUS server. When Kevin remotely logs in to MFS’s router, he must be authenticated by MFS’s AAA server. Once he is authenticated, he can execute only the commands allowed by the AAA server through the authorization process.


Topic 8: Access Control List

ACL Processing

It is important to understand how the concept of an ACL can be applied to a network. The ACL syntax introduced in this section is similar to the syntax used by many vendors, including Cisco Systems. An ACL can be applied to a network device such as a router or a firewall; this module mainly uses a router to illustrate ACL concepts and examples. An ACL is nothing more than an ordered list of permit and deny statements. Every time a network device such as a router or firewall refers to an ACL, it reads the list from the top and works its way down, so the order in which ACL statements are placed is very important.

Reference: Watkins, M., & Wallace, K. (2008). CCNA Security Official Exam Certification Guide. Pearson.

First statement: A router or firewall receives a packet and compares it with the first statement in the ACL. If the router finds a match between the packet and the statement, it executes the permit or deny action specified in the statement.

Second statement: If the router does not find a match between the packet contents and the first ACL statement, it moves to the next statement in the list. This search continues until the router finds a match. Once a match is found, no further statements in the list are processed.


Drop

An important thing to know about ACLs is that at the end of every list there is an invisible statement that drops all traffic. This means that if a router compares a packet with all the statements in the list and finds no match, it reaches the last, invisible statement and drops the packet. This behavior is referred to as implicit deny.


Topic 8: Access Control List

Wildcard Mask

Before exploring ACLs further, it is important to understand the wildcard mask, which is used in an ACL statement. A wildcard mask tells how much of the packet’s source IP address or destination IP address must match for the condition in an ACL statement to be true. Just like a subnet mask, a wildcard mask is a 32-bit quantity paired with an IP address. With a wildcard mask, a 0 in a bit position means that the corresponding bit of the IP address in the ACL statement must match the same bit position in the examined packet. A 1 in a bit position means that the corresponding bit of the address in the ACL statement does not have to match the bit in the examined packet. Thus, wildcard masking uses the following rules:

  0: Check the corresponding IP bit value.
  1: Do not check (ignore) the corresponding IP bit value.

For the wildcard mask shown in the figure, the examined IP address of a packet matches only if it is in the subnet 172.32.0.0/16 (172.32.0.0 ~ 172.32.255.255). More examples:

  IP address       Wildcard mask      Matches
  0.0.0.0          255.255.255.255    Any address (the keyword any can be used in an ACL statement instead of this pair)
  131.171.127.1    0.0.0.255          Only packets in the subnet 131.171.127.0/24 (131.171.127.0 ~ 131.171.127.255)
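As an added example (not part of the UMUC module), the wildcard-mask rules above in Python: bitwise matching, the conversion between a CIDR prefix length and its wildcard mask (which is how 172.32.0.0/16 corresponds to 0.0.255.255), and the lowest and highest address a pair can match. It also goes beyond the table by handling a non-contiguous mask such as 0.0.255.0, which is legal in an ACL statement but has no /prefix equivalent; all sample addresses are constructed.

```python
# Added example (not from the UMUC module): wildcard-mask matching as used in
# ACL statements, plus prefix-length <-> wildcard-mask conversion.
import ipaddress

MASK32 = 0xFFFFFFFF

def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def to_dotted(value):
    """32-bit integer -> dotted-quad string."""
    return str(ipaddress.IPv4Address(value & MASK32))

def wildcard_match(acl_addr, wildcard, packet_addr):
    """0 bit in the wildcard: the packet bit must equal the ACL address bit.
    1 bit in the wildcard: ignore that bit. So the packet matches when no
    differing bit falls on a 0 position of the wildcard."""
    differing = to_int(acl_addr) ^ to_int(packet_addr)
    return (differing & ~to_int(wildcard) & MASK32) == 0

def prefix_to_wildcard(prefix_len):
    """/16 -> 0.0.255.255: the wildcard mask is the inverse of the subnet mask."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    subnet_mask = (MASK32 << (32 - prefix_len)) & MASK32
    return to_dotted(subnet_mask ^ MASK32)

def wildcard_to_prefix(wildcard):
    """Inverse of prefix_to_wildcard. Returns None when the wildcard is not
    contiguous (e.g. 0.0.255.0): such a mask is a valid ACL wildcard but has
    no /prefix equivalent, so it is easy to misread when auditing a rule."""
    subnet_mask = to_int(wildcard) ^ MASK32
    prefix_len = bin(subnet_mask).count("1")
    if subnet_mask != (MASK32 << (32 - prefix_len)) & MASK32:
        return None
    return prefix_len

def match_range(acl_addr, wildcard):
    """Lowest and highest address the pair can match (the a ~ b notation used
    in the table above); for a contiguous mask this is exactly the subnet."""
    a, w = to_int(acl_addr), to_int(wildcard)
    return to_dotted(a & ~w), to_dotted(a | w)
```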


Topic 8: Access Control List

ACL Syntax

There are two primary types of ACLs: standard and extended. The syntax of each ACL can be applied to, or activated on, an interface of a router or firewall to permit or deny IP packets.

Standard ACL Syntax

The generic syntax of a standard ACL is

  access-list 1-99 permit|deny source_IP_addr [wildcard_mask]

Here 1-99 means that any number between 1 and 99 can be chosen to identify the access control list, | means “or,” and [ ] marks an optional item. The wildcard mask can be omitted; when it is, it defaults to 0.0.0.0, so an exact match is required for the permit or deny action to execute. The standard ACL command starts with the keyword access-list, followed by the access list number. The access list number identifies a list of many individual access control statements and can be any number between 1 and 99.

Suppose a system administrator builds a standard ACL to enforce the following simple security policy and decides to use 1 as the access list number:

1. Permit network traffic from the external LAN (131.171.127.0/24) to the internal network, as shown in the diagram here.
2. Deny all other types of traffic coming from the external LAN.

Then the ACL can be written as

  access-list 1 permit 131.171.127.0 0.0.0.255
  access-list 1 deny any


Activating a Standard ACL (How to Apply an ACL to a Network Device Interface)

In order for an ACL to take effect, a system administrator first applies the packet-filtering ACL to a router interface. An ACL is applied according to the direction of the packet flow, as shown in the diagram. The syntax for applying an ACL to a router’s interface is shown below (note that ! introduces a comment).

For inbound traffic, the rule is:

  apply {access_list_number} inbound on {interface_name}    ! apply the ACL (access_list_number) inbound on the interface (interface_name)

This form filters inbound packets, that is, packets flowing toward the router interface.

For outbound traffic, the rule is:

  apply {access_list_number} outbound on {interface_name}   ! apply the ACL (access_list_number) outbound on the interface (interface_name)

This form filters outbound packets, that is, packets flowing away from the router interface.

Example of Activating a Standard ACL

Using the previous example, consider how an ACL is activated, or applied, on the interface of a router. Previously, this ACL was built:

  access-list 1 permit 131.171.127.0 0.0.0.255
  access-list 1 deny any


Now we can apply this access control list, whose access list number is 1, inbound on interface s0 of the router shown above:

  apply 1 inbound on s0

Thus, the complete set of commands that enforces the policy is:

  access-list 1 permit 131.171.127.0 0.0.0.255
  access-list 1 deny any
  apply 1 inbound on s0

Extended ACL

Extended ACL Syntax: Numbered ACL

There is a generic syntax for an extended numbered ACL. It comes in three main forms: Internet Protocol (IP), Transmission Control Protocol (TCP) or User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).

As seen from the syntax, extended IP ACLs can filter according to:

  Source IP address
  Destination IP address
  Protocols such as IP, TCP, and ICMP
  A range of port numbers

A port number or a range of port numbers is specified using the following operators:

  Operator   Explanation
  lt         Less than
  gt         Greater than
  neq        Not equal to
  eq         Equal to

For example, eq 80 denotes a port number equal to 80, and gt 80 denotes port numbers greater than 80.


Established Keyword

The established keyword is used only for TCP connections, to match TCP segments that have the ACK and/or RST flag bits set. This assumes that a TCP connection originates from the internal network and has already been established in that direction. As displayed in the diagram, this TCP connection is a Web HTTP request on port 80 sent by the internal network 131.171.127.0/24. The ACL with the established keyword is then applied to filter the returning traffic. This returning traffic has the ACK and/or RST flag bits set, indicating that it is traffic returning to the internal network.

Here is an example of an ACL with the established keyword that permits the returning traffic shown in the above diagram. The policy rule says that returning Web traffic, from any Web server, is allowed to the internal network. Then:

  access-list 2 permit tcp any eq 80 131.172.127.0 0.0.0.255 established

The above command permits Web traffic (a Web server uses port 80 for communication) from a Web server to the internal subnet 131.172.127.0/24.

Activating an Extended ACL

An extended ACL is activated just like a standard ACL. For example, Kevin Snow of MFS wants to enforce the security policy on his company’s network. The MFS security policy states:

1. Allow Web traffic to the internal Web server.
2. Allow network traffic to the internal game server that is listening on port 8989.
3. Deny all other types of traffic.

Kevin is going to apply the ACL inbound on the interface s0 of the router. Here is how Kevin builds the ACL.


First, Kevin picks an ACL number between 100 and 199. Assume that Kevin chooses 100. Here is the ACL (note that ! introduces a comment):

  access-list 100 permit tcp any 192.168.1.2 0.0.0.0 eq 80
  access-list 100 permit tcp any 192.168.1.1 0.0.0.0 eq 8989
  access-list 100 deny ip any any    ! deny all other types of traffic

Then Kevin applies the ACL inbound on the interface s0 to activate it:

  apply 100 inbound on s0

This command names the router interface on which Kevin wants to activate the ACL and activates ACL 100 inbound on s0.


Topic 8: Access Control List

Activity

Introduction

Kevin Snow, the junior security administrator at MFS, wants to enforce the security policy of his organization by applying an ACL inbound on the interface s1 of the firewall-enabled router. Assume Kevin chooses 100 as the ACL number and activates ACL 100 inbound on s1 (“apply 100 inbound on s1”). In the following activity, you will help Kevin write the ACL statements that enforce the security policy at MFS.

Network Topology of MFS

Reference: Deal, R. A. (2004). Cisco Router Firewall Security. Cisco Press.

Security Policy Document

The security policy of the company states these rules:

1. Allow Web traffic from the Internet to the internal public Web server in the DMZ.
2. Allow DNS queries from the Internet to the internal public DNS server in the DMZ.
3. Allow the internal user in the subnet 192.168.2.0/24 to access a Web server in the Internet.
4. Deny all other types of network traffic.


Workspace

Network Topology of MFS

Question 1: ACL statement for Rule 1: access-list 100 permit tcp any ____________
  a. 131.171.127.1 0.0.0.255 eq 80
  b. 131.171.127.1 0.0.255.255 eq 53
  c. 131.171.127.1 0.0.0.0 eq 80
Correct answer: Option c
Feedback: The Web server (131.171.127.1) listens for TCP packets on port 80. The ACL statement for Rule 1 is access-list 100 permit tcp any 131.171.127.1 0.0.0.0 eq 80. Note that 0.0.0.0 means that an exact match (131.171.127.1) is required in order to execute the permit action.

Question 2: ACL statement for Rule 2: access-list 100 permit _______________
  a. TCP any 131.171.127.2 0.0.0.255 eq 80
  b. UDP any 131.171.127.2 0.0.0.0 eq 53
  c. TCP any 131.171.127.2 0.0.0.0 eq 53
Correct answer: Option b
Feedback: The DNS server (131.171.127.2) listens for UDP packets on port 53. The ACL statement for Rule 2 is access-list 100 permit udp any 131.171.127.2 0.0.0.0 eq 53.

Question 3: ACL statement for Rule 3: access-list 100 permit tcp ____________________
  a. any eq 80 131.171.0.0 0.0.255.255 established
  b. 192.168.2.0/24 eq 0.0.0.255 80 any established
  c. any eq 80 192.168.2.0 0.0.0.255 established


Correct answer: Option c
Feedback: The established keyword is used here, so it can be assumed that the internal user has already sent a Web HTTP request to an outside Web server on port 80. The outside Web server (any) returns an HTTP reply (the returning traffic) to the subnet (192.168.2.0 0.0.0.255) where the internal user is located. So the ACL statement for Rule 3 is access-list 100 permit tcp any eq 80 192.168.2.0 0.0.0.255 established.

Question 4: ACL statement for Rule 4: access-list 100 deny ip _________
  a. any 131.172.172.1 0.0.0.0
  b. 192.168.2.0 0.0.0.255 any
  c. any any
Correct answer: Option c
Feedback: To deny all other types of traffic, you have to use an implicit deny. For the implicit deny, you have to use any for both the source and destination IP addresses. The correct ACL statement for Rule 4 is access-list 100 deny ip any any.

Review

The ACL syntax used in this activity is very close to the Cisco ACL syntax, so this activity is useful for understanding the real ACL model developed by Cisco Systems. The wildcard mask 0.0.0.0 can be replaced by the keyword host. For example, 131.171.127.1 0.0.0.0 can be rewritten as host 131.171.127.1, since 0.0.0.0 indicates a specific host.

Further Challenges

In this activity, you learned where to apply an ACL via the command apply 100 inbound on s1, which places the ACL on the interface s1 of the firewall-enabled router. However, there are many other possible places to put the ACL, depending on the security architecture design. Do you think it is a good idea to put ACL 100 inbound on the other interface (s0) of the firewall-enabled router?
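As an added example (not part of the module and not any vendor’s code), a small Python evaluator for the ACL syntax used in this module, covering both the extended ACL that Kevin built for the MFS router above and the activity’s ACL 100: top-down first-match processing, the implicit deny at the end of the list, wildcard masks with the any and host keywords, the lt/gt/eq/neq port operators, the established keyword, and the apply line. The Packet class is a constructed model of just the header fields an ACL inspects, and the Internet address 198.51.100.9 used as an outside host is a constructed test value.

```python
# Added example (not from the UMUC module): evaluator for the page's ACL syntax.
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Packet:            # constructed test input: only the fields an ACL inspects
    src: str
    dst: str
    proto: str = "ip"    # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: set = field(default_factory=set)   # TCP flags, e.g. {"ACK"} on a reply

OPS = {"lt": lambda p, n: p < n, "gt": lambda p, n: p > n,
       "eq": lambda p, n: p == n, "neq": lambda p, n: p != n}
ANY = ("0.0.0.0", "255.255.255.255")          # what the keyword any expands to

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(acl_addr, wildcard, packet_addr):
    """Bits where the wildcard is 0 must agree; bits where it is 1 are ignored."""
    return ((_ip(acl_addr) ^ _ip(packet_addr)) & ~_ip(wildcard) & 0xFFFFFFFF) == 0

def _take_addr(tok):
    """Consume 'any' | 'host A' | 'A W' | 'A' (wildcard defaults to 0.0.0.0)."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    if len(tok) > 1 and tok[1][0].isdigit():      # next token is a wildcard mask
        return (tok[0], tok[1]), tok[2:]
    return (tok[0], "0.0.0.0"), tok[1:]

def _take_port(tok):
    """Consume an optional 'lt|gt|eq|neq N'; returns (op, N) or None."""
    if tok and tok[0] in OPS:
        return (tok[0], int(tok[1])), tok[2:]
    return None, tok

def parse_acl(text):
    """Parse the page's statements ('!' starts a comment). Returns (entries,
    applied), where applied is (number, direction, interface) taken from an
    'apply N inbound|outbound on IFACE' line, or None if there is none."""
    entries, applied = [], None
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        if tok[0] == "apply":
            applied = (tok[1], tok[2], tok[4])
            continue
        if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError("unsupported statement: " + line)
        e = {"action": tok[2], "text": line, "established": False}
        if tok[3] in ("ip", "tcp", "udp", "icmp"):            # extended ACL
            e["proto"], rest = tok[3], tok[4:]
            e["src"], rest = _take_addr(rest)
            e["sport"], rest = _take_port(rest)
            e["dst"], rest = _take_addr(rest)
            e["dport"], rest = _take_port(rest)
            e["established"] = rest == ["established"]
        else:                                                 # standard ACL: source only
            e["proto"], rest = "ip", tok[3:]
            e["src"], rest = _take_addr(rest)
            e["sport"], e["dst"], e["dport"] = None, ANY, None
        entries.append(e)
    return entries, applied

def _port_ok(spec, port):
    return spec is None or OPS[spec[0]](port, spec[1])

def evaluate(entries, pkt):
    """Top down, first match wins; running off the end is the implicit deny.
    Returns (action, matching statement text) or ("deny", None) for implicit deny."""
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != pkt.proto:
            continue
        if not (wildcard_match(*e["src"], pkt.src) and wildcard_match(*e["dst"], pkt.dst)):
            continue
        if not (_port_ok(e["sport"], pkt.sport) and _port_ok(e["dport"], pkt.dport)):
            continue
        if e["established"] and not (pkt.flags & {"ACK", "RST"}):
            continue
        return e["action"], e["text"]
    return "deny", None

# ACL 100 from the activity, activated inbound on s1 of the firewall-enabled router.
ACTIVITY_ACL = """
access-list 100 permit tcp any 131.171.127.1 0.0.0.0 eq 80
access-list 100 permit udp any 131.171.127.2 0.0.0.0 eq 53
access-list 100 permit tcp any eq 80 192.168.2.0 0.0.0.255 established
access-list 100 deny ip any any   ! deny all other types of traffic
apply 100 inbound on s1
"""
ENTRIES, APPLIED = parse_acl(ACTIVITY_ACL)
```

Calling evaluate(ENTRIES, Packet("198.51.100.9", "192.168.2.7", "tcp", 80, 40001, {"SYN"})) returns the explicit deny, since a new connection from outside into the user subnet never matches the established statement.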


Topic 9: Summary

We have come to the end of Module 10. The key concepts covered in this module are listed below.

- Honeypots help protect networks from malicious intruders. Honeypots can be applied to achieve various security goals. Depending on the level of interactivity desired with the intruder, low-, medium-, or high-interaction honeypots are deployed in the demilitarized zone (DMZ) or inside the firewall.
- Intrusion detection system (IDS) placement plays a role in determining the nature of detected intrusion activities, whether internal, external, or both.
- Correctly implemented and configured virtual local area networks (VLANs) can segment switched networks for greater security.
- A DMZ offers added security beyond what a firewall alone provides.
- Multi-homed firewall architecture and dual firewall architecture are popular DMZ designs.
- Virtual private network (VPN) gateways and firewalls can be arranged to complement each other. VPN gateways can be configured in many ways; each has advantages and disadvantages.
- Redundancy architecture helps in case a device or connection in the primary system fails. The secondary system can take over the operations of the primary system.
- Authentication, authorization, and accounting (AAA) architecture makes network security management more flexible, scalable, and practical.
- Using an access control list (ACL), it is possible to deny or allow IP packets on a given network device. ACLs can be applied to enforce security policies for a given network.


Glossary

Term Definition

ACK Flag ACK, short for acknowledgment, is a flag used in the Transmission Control Protocol (TCP) to acknowledge receipt of a packet.

Access Control List An access control list (ACL) is a table or a data file that informs a computer operating system which access rights each user has to a particular system object.

Algorithm This is a mathematical formula or set of steps to accomplish a particular task, such as encryption or decryption.

Authentication Authentication involves confirming a user's identity. A form of access control, authentication requires users to confirm their identities before they can access a system.

Brute-Force Attack A brute-force attack is a strategy in which an attacker (or tool) tries every possible combination of keystrokes until it finds the right combination.

Confidentiality Confidentiality means allowing only authorized people or systems to access certain types of information. Confidentiality is also known as secrecy.

Denial of Service Denial of service (DoS) or distributed denial of service (DDoS) attacks flood a target site with large volumes of traffic using “zombie” servers. This flood of traffic consumes all of the target site’s network or system resources and denies access to legitimate users.

Demilitarized Zone A demilitarized zone (DMZ) is a proxy network that is placed between the organization's public network and a private LAN. It shields servers that contain company data from external users.

DNS Server This server provides DNS services to client systems located on the Internet, providing Internet users with information regarding the organization's domain name records.

Domain A domain name is an identification label that defines a realm of administrative autonomy, authority, or control in the Internet.

Established Keyword An established keyword indicates that a session is established. By adding the established keyword, an ACL will allow only those connections that have been already established by the router.

Ethernet Ethernet is the most widely installed local area network technology.

Exploit An exploit is a sequence of commands that takes advantage of a bug, glitch, or vulnerability to cause unintended or unanticipated behavior to occur on computer software or hardware.


File Transfer Protocol File Transfer Protocol (FTP) is an application protocol that uses the TCP/IP protocol, or the Internet, to transfer files between computers.

Fingerprinting A fingerprinting algorithm is a procedure that maps a large data item such as a computer file to a much shorter bit string. This fingerprint uniquely identifies the original data just as human fingerprints uniquely identify people.

Firewall A firewall is the hardware or software that prevents unauthorized users from accessing a computer or a network.

Gateway A gateway is a network device that acts as an entrance to another network.

Hash-Based Message Authentication Code Hash-Based Message Authentication Code (HMAC) is a specific construction for calculating a Message Authentication Code (MAC) involving a cryptographic hash function in combination with a secret key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message. HMAC is used to decode MACs by using a cryptographic function along with a secret key. HMAC is used in many authentication protocols.

Host-Based Intrusion Detection System A host-based intrusion detection system (HIDS) is a system on which anti-threat applications such as firewalls, antivirus software, and spyware-detection programs are installed to monitor and analyze threats.

Hypertext Transfer Protocol Hypertext Transfer Protocol (HTTP) transmits Web pages to clients.

Internet Control Message Protocol The Internet Control Message Protocol (ICMP) integrates with the Internet Protocol (IP). It reports error, control, and informational messages between a host and a gateway.

Intrusion Detection System An intrusion detection system (IDS) detects malicious activities on the network and reports them to the system administrator.

Insider Threats Insider threats are crimes such as theft, fraud, and workplace violence committed by an organization’s employees or contractors.

Integrity The goal of integrity is to ensure that unauthorized people or systems are unable to modify data.

Interface An interface consists of a set of dials, knobs, operating system commands, graphic display formats, and other devices provided by a computer or a program to allow users to use the computer or program.


Internet The Internet is a computer network consisting of a worldwide network of computer networks that use the TCP/IP network protocols to facilitate data transmission and exchange.

IP Address An Internet Protocol (IP) address is a numeric label that identifies each device within a computer network that communicates over the Internet.

LAN A local area network (LAN) allows individual computers to communicate with each other over a network to share information and services.

Media Access Control (MAC) Address A Media Access Control (MAC) address is a unique identifier assigned to network devices to ease communication over the network.

Malware Malware refers to a category of malicious software or any software that is intended to harm a computer or a network.

Message-Digest Algorithm 5 Message-Digest Algorithm 5 (MD5) is a popular cryptographic hash function that produces a 128-bit hash value.

MySQL MySQL is a relational database management system based on SQL (Structured Query Language).

Network Intrusion Detection System A network intrusion detection system (NIDS) monitors network traffic to detect malicious activity. It may detect DoS attacks, port scans, or attempts to crack into individual computers. In an NIDS, anti-threat software is installed only at specific points that interface between the outside environment and the network segment that needs protection.

Operating System An operating system is a program that manages all the applications on a computer.

OSI Reference Model The Open Systems Interconnection (OSI) reference model is the standard model that defines how computers on a network communicate.

Packet-Filtering Firewall A packet-filtering firewall filters data packets based on certain rules defined in access control lists.

Port A port is a specific place allowing physical connection to some other device, usually with a socket and plug.

Port Scanner A port scanner is a software application designed to probe a server or host for open ports. A port scanner is used by administrators to verify network security policies and by attackers to identify services running on a host.

P0f P0f is a tool that can passively fingerprint an operating system.

RST flag RST is a flag used in the Transmission Control Protocol (TCP) to acknowledge that a packet has been accepted.


Hypertext Transfer Protocol Secure Hypertext Transfer Protocol Secure (HTTPS) supports secure transmission of confidential information, such as credit card and Social Security numbers, over the Internet.

Simple Mail Transfer Protocol Simple Mail Transfer Protocol (SMTP) is most commonly used for electronic mail exchange between servers.

Secure Shell Secure Shell (SSH) is a secure version of Telnet. It is resistant to attacks by eavesdroppers.

Secure Sockets Layer Secure Sockets Layer (SSL) is a standard security protocol that creates an encrypted link between a Web server and a Web browser to secure all data that passes between a Web site and a customer.

Server Message Block A Server Message Block (SMB) is an application-layer network protocol used mainly to provide shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network.

Session Initiation Protocol Session Initiation Protocol (SIP) is a protocol widely used for controlling multimedia communication sessions such as voice and video calls over Internet Protocol (IP).

Shell A shell is the outermost layer of a program. Shell is another term for user interface. Operating systems and applications sometimes provide an alternative shell to make interaction with the program easier.

Shellcode A shellcode is a small piece of code used as data to exploit software vulnerability. It is called shellcode because it usually starts a command shell from which an attacker can control a compromised machine.

Signature A signature is a digital code that can be attached to a message. Like a written signature, the signature uniquely identifies the sender and serves as a guarantee of that sender’s identity.

Spanning Port A spanning port, or monitoring port, is a special port in a managed switch that can mirror the traffic of other ports in the same switch. It is often used for monitoring network traffic.

SQL SQL is a standardized query language for requesting information from a database.

SSH Secure Shell (SSH) is a data exchange protocol that allows data to be exchanged using a secure channel between two network devices.

Switches Switches are devices that facilitate smooth and direct communication between the different nodes in a network and that speed up the flow of traffic.

SYN SYN stands for synchronization; it is used to ask a destination computer to establish a connection.


SYN Flood A SYN flood is a form of DoS attack in which an attacker sends a succession of SYN requests to a target's system.

TCP/IP Transmission Control Protocol/Internet Protocol (TCP/IP) is the communication protocol suite for the Internet.

Trivial File Transfer Protocol Trivial File Transfer Protocol (TFTP) is a protocol used to transfer files. TFTP only reads and writes files or mail from/to a remote server. It cannot list directories and does not authenticate user identity.

User Datagram Protocol User Datagram Protocol (UDP) is a network protocol that allows computers to exchange messages over an Internet network without the need for special transmission channels or data paths.

Virus A virus is a software program that can harm files or programs on a computer.

WAN A wide area network (WAN) covers a larger footprint, geographically, than a LAN and is often a group of connected LANs.

Worm A worm is a type of self-replicating virus.