Lab Assignment


CIS 534 - Advanced Network Security Design 1

CIS 534

Advanced Network Security Design


Table of Contents

Toolwire Lab 1: Analyzing IP Protocols with Wireshark ... 6
    Introduction ... 6
    Learning Objectives ... 6
    Tools and Software ... 7
    Deliverables ... 7
    Evaluation Criteria and Rubrics ... 7
    Hands-On Steps ... 8
        Part 1: Exploring Wireshark ... 8
        Part 2: Analyzing Wireshark Capture Information ... 12
Lab #1 - Assessment Worksheet ... 19
    Analyzing IP Protocols with Wireshark ... 19
    Overview ... 20
    Lab Assessment Questions & Answers ... 20

Toolwire Lab 2: Using Wireshark and NetWitness Investigator to Analyze Wireless Traffic ... 22
    Introduction ... 22
    Learning Objectives ... 23
    Tools and Software ... 23
    Deliverables ... 23
    Evaluation Criteria and Rubrics ... 23
    Hands-On Steps ... 24
        Part 1: Analyzing Wireless Traffic with Wireshark ... 24
        Part 2: NetWitness Investigator ... 31
Lab #2 - Assessment Worksheet ... 34
    Using Wireshark and NetWitness Investigator to Analyze Wireless Traffic ... 34
    Overview ... 34
    Lab Assessment Questions & Answers ... 35

Toolwire Lab 3: Configuring a pfSense Firewall on the Client ... 36
    Introduction ... 36
    Learning Objectives ... 37
    Tools and Software ... 37
    Deliverables ... 37
    Evaluation Criteria and Rubrics ... 37
    Hands-On Steps ... 38
        Part 1: Planning the Configuration ... 38
        Part 2: Configuring the Firewall ... 46
Lab #3 - Assessment Worksheet ... 48
    Configuring a pfSense Firewall on the Client ... 48
    Overview ... 48
    Lab Assessment Questions ... 49

Toolwire Lab 4: Configuring a pfSense Firewall on the Server ... 50
    Introduction ... 50
    Learning Objectives ... 51
    Tools and Software ... 51
    Deliverables ... 51
    Evaluation Criteria and Rubrics ... 51
    Hands-On Steps ... 52
        Part 1: Planning the Configuration ... 52
        Part 2: Configuring the Firewall ... 59
Lab #4 - Assessment Worksheet ... 63
    Configuring a pfSense Firewall on the Server ... 63
    Overview ... 63
    Lab Assessment Questions & Answers ... 63

Toolwire Lab 5: Penetration Testing a pfSense Firewall ... 65
    Introduction ... 65
    Learning Objectives ... 66
    Tools and Software ... 66
    Deliverables ... 66
    Evaluation Criteria and Rubrics ... 66
    Hands-On Steps ... 67
        Part 1: Configuring a pfSense Server Firewall ... 67
        Part 2: Penetration Testing ... 68
Lab #5 - Assessment Worksheet ... 72
    Penetration Testing a pfSense Firewall ... 72
    Overview ... 72
    Lab Assessment Questions & Answers ... 72

Toolwire Lab 6: Using Social Engineering Techniques to Plan an Attack ... 74
    Introduction ... 74
    Learning Objectives ... 75
    Tools and Software ... 75
    Deliverables ... 75
    Evaluation Criteria and Rubrics ... 76
    Hands-On Steps ... 76
        Part 1: Targeted Social Engineering Attack ... 76
        Part 2: Targeted Reverse Social Engineering Attack ... 82
Lab #6 - Assessment Worksheet ... 84
    Using Social Engineering Techniques to Plan an Attack ... 84
    Overview ... 84
    Lab Assessment Questions ... 84

Toolwire Lab 7: Configuring a Virtual Private Network Server ... 87
    Introduction ... 87
    Learning Objectives ... 88
    Tools and Software ... 88
    Deliverables ... 88
    Evaluation Criteria and Rubrics ... 89
    Hands-On Steps ... 89
        Part 1: Configuring the VPN: Server Side ... 89
Lab #7 - Assessment Worksheet ... 98
    Configuring a Virtual Private Network Server ... 98
    Overview ... 98
    Lab Assessment Questions & Answers ... 98
    Host-to-Host Configuration Worksheet ... 99
    IPsec.conf file ... 99

Toolwire Lab 8: Configuring a VPN Client for Secure File Transfers ... 100
    Introduction ... 100
    Learning Objectives ... 101
    Tools and Software ... 101
    Deliverables ... 101
    Evaluation Criteria and Rubrics ... 102
    Hands-On Steps ... 102
        Part 1: Configuring a Windows VPN Client to work with a Linux VPN Server ... 102
        Part 2: Comparing Secure and Non-secure File Transfers in Wireshark ... 107
Lab #8 - Assessment Worksheet ... 116
    Configuring a VPN Client for Secure File Transfers ... 116
    Overview ... 117
    Lab Assessment Questions & Answers ... 117

Toolwire Lab 9: Attacking a Virtual Private Network ... 118
    Introduction ... 118
    Learning Objectives ... 119
    Tools and Software ... 119
    Deliverables ... 119
    Evaluation Criteria and Rubrics ... 120
    Hands-On Steps ... 120
        Part 1: Social Engineering / Reverse Social Engineering Attack ... 120
        Part 2: Creating Spam Emails ... 126
Lab #9 - Assessment Worksheet ... 129
    Attacking a Virtual Private Network ... 129
    Overview ... 129
    Lab Assessment Questions & Answers ... 129

Toolwire Lab 10: Investigating and Responding to Security Incidents ... 131
    Introduction ... 131
    Learning Objectives ... 132
    Tools and Software ... 132
    Deliverables ... 132
    Evaluation Criteria and Rubrics ... 133
    Hands-On Steps ... 133
        Part 1: Gather System Performance Information ... 133
        Part 2: Scan a Windows 2008 Server for Vulnerabilities ... 136
Lab #10 - Assessment Worksheet ... 138
    Investigating and Responding to Security Incidents ... 138
    Overview ... 138
    Lab Assessment Questions & Answers ... 138


Toolwire Lab 1: Analyzing IP Protocols with Wireshark

Introduction

Click the link below to view the network topology for this lab:

Topology

Wireshark is probably the most widely used packet capture and analysis software in the world. It is available free of charge and, while it lacks some of the more sophisticated diagnostic tools of similar commercial products, its use saves many organizations thousands of dollars and thousands of hours. Wireshark also captures network packet traffic and can save frame detail in multiple formats that the more sophisticated, more expensive software tools can read.

This lab has three parts which you should complete in order.

1. In the first part of the lab, you will either learn the basics of Wireshark, if you have not already used it, or you will improve and fine-tune your Wireshark skills. In either case, you will learn about probe placement, clocking/timing issues, Wireshark traffic capture and the use of filters.

2. In the second part of the lab, you will utilize a capture file to answer basic questions about key IP protocols and the basic configuration of the IP hosts from which traffic is captured.

3. Finally, if assigned by your instructor, you will explore the virtual environment on your own in the third part of the lab to answer a set of challenge questions that allow you to use the skills you learned in the lab to conduct independent, unguided work, similar to what you will encounter in a real-world situation.

Learning Objectives

Upon completing this lab, you will be able to:

• Use basic features of the Wireshark packet capture and analysis software

• Apply appropriate filters to view only the traffic subset of interest

• Be able to reliably and consistently place probes to capture packet traffic

• Determine if timing and clocking are synchronized for better reliability and repeatability


• Guarantee that all traffic is being captured and that the interface rate and capture rate are compatible

• Capture and analyze basic Internet Protocol transactions and determine basic configuration information about the IP hosts from which traffic is captured

Tools and Software

The following software and/or utilities are required to complete this lab. Students are encouraged to explore the Internet to learn more about the products and tools used in this lab.

• Wireshark

Deliverables

Upon completion of this lab, you are required to provide the following deliverables to your instructor:

1. Lab Assessments file;

2. Optional: Challenge Questions file, if assigned by your instructor.

Evaluation Criteria and Rubrics

The following are the evaluation criteria for this lab that students must perform:

1. Use basic features of the Wireshark packet capture and analysis software. - [10%]

2. Apply appropriate filters to view only the traffic subset of interest. - [20%]

3. Be able to reliably and consistently place probes to capture packet traffic. - [20%]

4. Determine if timing and clocking are synchronized for better reliability and repeatability. - [20%]

5. Guarantee that all traffic is being captured and that the interface rate and capture rate are compatible. - [20%]

6. Capture and analyze basic Internet Protocol transactions and determine basic configuration information about the IP hosts from which traffic is captured. - [10%]


Hands-On Steps

Note: This lab contains detailed lab procedures which you should follow as written. Frequently performed tasks are explained in the Common Lab Tasks document on the vWorkstation desktop. You should review these tasks before starting the lab.

1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the file in Adobe Reader.

If desired, use the File Transfer button to transfer the file to your local computer and print a copy for your reference. Instructions for transferring the file can be found in the file itself.

Figure 1 “Student Landing” workstation

2. On your local computer, create the lab deliverable files.

3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to these questions as you proceed through the lab steps.

Part 1: Exploring Wireshark

Note: Wireshark is already loaded on the vWorkstation, as indicated by the Wireshark shortcut on the desktop. Wireshark can be downloaded, free of charge, from http://www.wireshark.org if you would like to have your own personal copy, though doing so is not a requirement for this lab.

1. Double-click the Wireshark icon on the desktop to start the Wireshark application.

Figure 2 Wireshark splash screen

The main screen of Wireshark includes several shortcuts to make your job easier. There are four categories of shortcuts.

Wireshark Screen Sections

Section title    Description
Capture          This section displays a list of the network interfaces, or machines, that Wireshark has identified, and from which packets can be captured and analyzed.
Files            This section displays the most recent list of files that you were analyzing in Wireshark. The default status for this section is blank because no files have been opened yet.
Online           This section displays shortcuts to the Wireshark website.
Capture Help     This section displays shortcuts to the Wireshark website for help in using the tool.

2. Click Interface List to bring up a list of active interfaces.

Figure 3 Wireshark Capture Interfaces

Notice that only one interface, the student workstation, is available for capturing packets in the virtual lab. This Capture Interface is a virtual interface described as “Citrix” with an IP address of 172.30.0.2.

Note: If you were running Wireshark on your local computer, it is possible that you would see many interfaces. It is also possible that some interfaces you were expecting to see may not appear on the list at all. If you know that a logical or physical interface exists but it does not show up on the list, check the WinPcap installation and troubleshoot accordingly. Very often it is necessary to reinstall or update the Network Interface Card (NIC) drivers.

3. Click the checkbox to the left of the Student device to select it, and click Details to display additional information about the interface.

The Interface Details dialog box displays a great deal of information about the interface that may be useful in troubleshooting and resolving packet capture problems. For instance, if you are not capturing all of the packets, you may be exceeding the transmit and/or receive buffers. Take a moment to review the information in this dialog box before proceeding with the lab.

Figure 4 Wireshark Capture Interface Details

4. Click Close to close the Interface Details dialog box.

5. With the Student checkbox still checked, click Start to open Wireshark and begin capturing data packets affecting the Student’s virtual workstation.

Note: Because Wireshark is capturing traffic live, your default content will be different from the screen captures in this part of the lab. However, in Part 2, you will load a static file and your results should match the examples almost exactly. Not all of these steps are needed for every packet analysis, but they are a good way of familiarizing yourself with the various capabilities of Wireshark.

6. Maximize the Wireshark window.

The Wireshark window opens with the detailed information about the first packet captured, Frame 1, displayed in the middle pane. Use your mouse to drag the borders of any pane up or down to change its size.

o The top pane of the Wireshark window contains all of the packets that Wireshark has captured, in time order, and provides a summary of the contents of each packet in a format close to English. Keep in mind that the content will be different depending upon where you capture packets in the network. Also remember that the “source” and “destination” are relative to where a packet is captured. This area of the Wireshark window will be referred to as the frame summary.

o The middle pane of the Wireshark window is used to display the packet structure and contents of fields within the packet. This area of the Wireshark window will be referred to as the frame detail.

o The bottom pane of the Wireshark window displays the byte data. All of the information in the packet is displayed in hexadecimal on the left and as characters, when possible, on the right. This can be a very useful feature, especially when the passwords you are looking for are sent unencrypted and can be read directly from the bytes. This area of the Wireshark window will be referred to as the byte data.

Figure 5 Wireshark application window

How Does Wireshark Work?

Wireshark can be used in a variety of ways. The following figures illustrate the Wireshark Capture Environment. In the simplest terms, Wireshark is used to capture all packets to and from the IP Host on the left (a computer workstation) and the IP Host on the right (a server).

Figure 6 Wireshark capture environment

The most common configuration for Wireshark, and the configuration that we are running in this lab, has the software running on a local host.

Figure 7 Wireshark running on local host


In the next figure, Wireshark is running on the Local Area Network of the IP Host. Wireshark can also run within the network.

Figure 8 Wireshark capturing packets from a probe or hub

In the final figure, Wireshark is running in a peer-to-peer configuration, as opposed to a client-server configuration, with Wireshark running on the right IP Host.

Figure 9 Wireshark capturing packets in a peer-to-peer configuration

Where packets are captured and how they are captured has a big impact on how the packets are analyzed. By running the Wireshark software on the same computer that is generating the packets, the capture is specific to that machine but Wireshark may impact the operation of the machine itself and its applications. On the other hand, using a network probe or hub device, or the capture port (frequently called a SPAN port (Switched Port Analyzer)) of a LAN switch can provide more accurate timing information but requires use of filters to identify traffic between the proper endpoints.

7. Click Capture on the Wireshark menu and Stop to stop the packet capture.

Packet Capture must be stopped before packets can be analyzed. You may wish to look through the packets that have been captured live during this session before continuing to see the variety of data captured by Wireshark.

8. Drag the frame borders of the frame detail pane to expand it.

Notice that Wireshark displays the content in the frame detail pane in reverse order of the Open Systems Interconnection (OSI) Reference Model: in Wireshark, the physical layer appears at the top of the list and the application layer appears at the bottom of the list.

Note: Remember, because Wireshark is capturing traffic live, your default content will be different from the screen captures in this part of the lab. Explore your Wireshark traffic to see how it compares.

Figure 10 Frame detail pane

9. Click the plus sign at the beginning of the frame number line to expand the fields. Notice the number of fields related to time.

Figure 11 Expanded frame detail

Note: There are two very important considerations relative to how Wireshark handles time. Very often certain events are reported relative to clock time. It is important to consider that clock time may or may not be the same as the system time of the device or devices used to run Wireshark and capture packets. The timestamp used by Wireshark is the current system time on the machine upon which Wireshark is running. Attempting to synchronize Wireshark captures made on two different machines therefore requires consideration of time differences, including time zone. These problems can be alleviated somewhat by using Network Time Protocol (NTP) on both machines, but a myriad of issues remain, such as which clocks were used for synchronization; even if the same clock is used, there is propagation delay for the timing packets, which introduces discrepancies that, though small, matter a lot when capturing packets from high-speed interfaces. In order to overcome time zone mismatches, a common best practice is to use the UTC (Coordinated Universal Time) time zone.

Part 2: Analyzing Wireshark Capture Information

Note: In this part of the lab, you will load a file of traffic that has been previously captured by Wireshark so that all of the packets reviewed within the lab are the same for every student and match the instructions. Throughout this part of the lab, you should spend a few moments looking at the data captured by Wireshark and familiarize yourself with the Wireshark format and the English language descriptions Wireshark uses to explain frame details. You may need this information to answer the questions at the end of the lab.

1. Select File > Open from the Wireshark menu to open the lab’s capture file.

A pop-up alert will remind you to consider saving your data. Opening any new capture file will overwrite the packets already in the Wireshark window unless those packets are explicitly saved.

Figure 12 Wireshark save warning

2. At the prompt, click Continue without Saving for this part of the lab.

3. In the Open Capture File dialog box, navigate to the Desktop, select the PacketCapture file, and click Open.

The PacketCapture.pcapng capture file will open in the Wireshark application window. The first column in Wireshark is the packet frame number. These numbers appear sequentially, and there are 765 frames in the PacketCapture.pcapng file.

Figure 13 PacketCapture.pcapng displayed in Wireshark

4. Click frame 546. Use the scrollbar in the frame summary pane to find the appropriate frame number.

5. In the frame detail pane, click the plus sign at the beginning of the Frame 546 line to expand the fields. If necessary, drag the frame borders of the frame detail pane to expand it.

6. Look at the frame header for frame 546. The number of bytes captured (175) is the same as the number of bytes on the wire (175).

A difference between bytes on the wire and bytes captured means the frame was cut short at capture time. The usual cause is a snapshot length (snaplen, the "Limit each packet to" capture option) shorter than the frame, chosen to keep capture files small; partial or malformed frames are another cause. Truncated frames are missing higher-layer data, so analysis based on them can be wrong. If bytes on the wire regularly exceed bytes captured, check the snaplen first. A computer that cannot keep up with a fast interface is a different problem: it typically drops whole frames (reported by the capture driver as dropped packets) rather than truncating them, and gaps then appear in the sequence numbers of the conversations in the capture.
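The two notes above (timestamps, and bytes captured versus bytes on the wire) are both properties of the capture file itself. The following Python script is an added example, not part of the lab or of Wireshark: it writes a small classic pcap file in memory from constructed frames, reads it back, flags every frame whose captured length is shorter than its original length (the snaplen effect), and renders the timestamps as UTC, as a fixed-offset local zone, and as seconds since the first frame, which is what Wireshark's default Time column shows. The frames, timestamps and snaplen are made up for the example.

```python
import datetime as dt
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps, little-endian
LINKTYPE_ETHERNET = 1

# Constructed sample frames: (timestamp seconds, microseconds, raw bytes).
# The timestamps fall on 2013-05-31 11:33:20 UTC; the second frame is 175
# bytes long, like frame 546 in the lab, and the third is a full-size frame.
SAMPLE_FRAMES = [
    (1370000000, 123456, bytes(60)),
    (1370000000, 654321, bytes(range(175))),
    (1370000001, 1000, bytes(1514)),
]

def build_pcap(frames, snaplen):
    """Write a classic pcap file the way a capture tool does: every record
    keeps the frame's original length but stores at most snaplen bytes."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for sec, usec, frame in frames:
        data = frame[:snaplen]
        out += struct.pack("<IIII", sec, usec, len(data), len(frame)) + data
    return bytes(out)

def parse_pcap(blob):
    """Read the global header and every record; caplen is 'bytes captured',
    origlen is 'bytes on the wire' in Wireshark's frame detail."""
    magic, _vmaj, _vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic 0x%08x" % magic)
    records, off, number = [], 24, 0
    while off + 16 <= len(blob):
        sec, usec, caplen, origlen = struct.unpack_from("<IIII", blob, off)
        off += 16
        data = blob[off:off + caplen]
        if len(data) != caplen:
            raise ValueError("record %d is cut short; file truncated?" % (number + 1))
        off += caplen
        number += 1
        records.append({"number": number, "sec": sec, "usec": usec,
                        "caplen": caplen, "len": origlen, "data": data})
    return {"snaplen": snaplen, "linktype": linktype, "records": records}

def truncated_frames(records):
    """Frame numbers where bytes captured < bytes on the wire."""
    return [r["number"] for r in records if r["caplen"] < r["len"]]

def timestamp_iso(sec, usec, utc_offset_hours=0):
    """Render a pcap timestamp in UTC (default) or in a fixed-offset zone, to
    show that the same instant reads differently on machines in different
    zones; comparing captures in UTC avoids that trap."""
    zone = dt.timezone(dt.timedelta(hours=utc_offset_hours))
    return dt.datetime.fromtimestamp(sec, tz=zone).replace(microsecond=usec).isoformat()

def relative_times(records):
    """Seconds since the first frame: Wireshark's default Time column."""
    if not records:
        return []
    t0 = records[0]["sec"] * 1_000_000 + records[0]["usec"]
    return [((r["sec"] * 1_000_000 + r["usec"]) - t0) / 1_000_000 for r in records]

if __name__ == "__main__":
    cap = parse_pcap(build_pcap(SAMPLE_FRAMES, snaplen=96))
    for rec, rel in zip(cap["records"], relative_times(cap["records"])):
        print(rec["number"], timestamp_iso(rec["sec"], rec["usec"]), "%.6f" % rel,
              "captured", rec["caplen"], "on wire", rec["len"])
    print("truncated frames:", truncated_frames(cap["records"]))
```

With a snaplen of 96 the second and third frames are reported as truncated; with the default 65535 none are. Wireshark's own pcapng format stores the same two lengths per packet, so the same check applies to the lab's PacketCapture.pcapng file.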

Figure 14 Wireshark frame header information

7. Click the minus sign at the beginning of the frame 546 line to close the Physical Layer detail.

8. Click the plus sign at the beginning of the Ethernet II line to expand the Ethernet II detail.

Wireshark takes a lot of the work out of analyzing packets and presents a wide range of information. In this detail layer, Wireshark has determined the following:

• The frame type is Ethernet II
• The source is Intel Core hardware
• The destination is IPv4 multicast
• The type of traffic carried in the next layer is Internet Protocol (IP)

Note: The MAC address for the source device is 00:22:fa:1c:eb:e6. To the left of the full MAC address Wireshark shows IntelCor_1c:eb:e6, meaning that Wireshark has interpreted 00:22:fa as the IEEE-assigned manufacturer identifier. This interpretation is usually correct, but a MAC address is set by the driver and can be changed in software, so the vendor name is a hint, not proof of the hardware involved. The first 6 hexadecimal characters (3 octets) of the MAC address are called the OUI (Organizationally Unique Identifier) and denote the company that manufactured the device's network card. The company associated with each OUI can be found online at http://standards.ieee.org/develop/regauth/oui/public.html.
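Added example (not from the lab): the decomposition Wireshark performs on a MAC address, done by hand in Python. It splits off the OUI, looks it up in a small constructed table standing in for the IEEE registry, checks the I/G bit that marks group (multicast/broadcast) addresses and the U/L bit that marks a locally administered address (a common sign that the address was set in software rather than burned in), and derives the Ethernet address used for an IPv4 multicast group, for example 239.255.255.250, the group SSDP uses. The vendor table entries are an assumption for the example.

```python
import ipaddress

# Constructed stand-in for the IEEE OUI registry (assumption: only the
# prefixes seen in this lab, named the way Wireshark's manuf file names them).
OUI_TABLE = {
    "00:22:fa": "IntelCor",
    "00:14:a5": "GemtekTe",
    "01:00:5e": "IPv4mcast",
}

def parse_mac(text):
    """Parse 'aa:bb:cc:dd:ee:ff' (or the dash form) into six bytes."""
    parts = text.lower().replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError("expected six octets: %r" % text)
    return bytes(int(p, 16) for p in parts)

def mac_to_str(raw):
    return ":".join("%02x" % b for b in raw)

def describe_mac(text):
    """Break a MAC address down the way Wireshark's Ethernet II pane does."""
    raw = parse_mac(text)
    oui = mac_to_str(raw[:3])
    vendor = OUI_TABLE.get(oui)
    return {
        "mac": mac_to_str(raw),
        "oui": oui,
        "vendor": vendor,
        # Wireshark shorthand: vendor name, underscore, last three octets.
        "shorthand": (vendor + "_" + mac_to_str(raw[3:])) if vendor else mac_to_str(raw),
        # I/G bit (least significant bit of the first octet):
        # 1 = group address (multicast or broadcast), 0 = individual station.
        "group": bool(raw[0] & 0x01),
        # U/L bit (next bit): 1 = locally administered, i.e. assigned by
        # software rather than by the manufacturer; the OUI lookup is
        # meaningless for such an address.
        "locally_administered": bool(raw[0] & 0x02),
    }

def ipv4_multicast_mac(group):
    """RFC 1112 mapping of an IPv4 multicast group to its Ethernet address:
    the fixed prefix 01:00:5e followed by the low 23 bits of the group.
    Five high bits are discarded, so 32 groups share each MAC address."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError("%s is not an IPv4 multicast address" % group)
    low23 = int(ip) & 0x7FFFFF
    return mac_to_str(bytes([0x01, 0x00, 0x5E]) + low23.to_bytes(3, "big"))

if __name__ == "__main__":
    for addr in ("00:22:fa:1c:eb:e6", "02:22:fa:1c:eb:e6",
                 ipv4_multicast_mac("239.255.255.250")):
        print(describe_mac(addr))
```

The second address in the usage run differs from the first only in the U/L bit, which is exactly what a tool that randomizes or spoofs a MAC address typically produces; Wireshark would still print it with the IntelCor prefix.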

Figure 15 Ethernet II frame detail

1. Record the complete hexadecimal representation for the source and destination Media Access Control (MAC) addresses. You may choose to make a screen capture of the data and paste it into a new word processing document for later reference.

2. Record the code assigned by the IEEE to Intel for use in identifying Intel Core network interfaces. You may choose to make a screen capture of the data and paste it into your document for later reference.

3. Record the MAC address used for IPv4 multicast. You may choose to make a screen capture of the data and paste it into your document for later reference.

4. Click the minus sign at the beginning of the Ethernet II line to close the Data Link Layer detail.

5. Click the plus sign at the beginning of the Internet Protocol line to expand the Internet Protocol detail.

Figure 16 Internet Protocol frame detail

6. Record the version of the Internet Protocol that is being used. You may choose to make a screen capture of the data and paste it into your document for later reference.

A variety of packets can exist on any given network. The IP version field determines how the rest of the packet is interpreted. Essentially all modern networks use IP version 4 or IP version 6; a different value in this field is either a packet crafted by malicious software or a sign that the packet has been corrupted. As IPv6 gains in popularity, it is increasingly likely that IPv4 and IPv6 will be encountered on the same network. Both ride on the same lower-layer protocols, such as Ethernet (distinguished by the EtherType, 0x0800 for IPv4 and 0x86DD for IPv6), and carry the same transport protocols, but each has its own companion protocols at the network layer, for example ARP versus Neighbor Discovery and ICMP versus ICMPv6.

7. Record the source IP address. The source IP address is the IP address of the local IP host (workstation) from which Wireshark is capturing packets. You may choose to make a screen capture of the data and paste it into your document for later reference.

8. Click the minus sign at the beginning of the Internet Protocol line to close the Internet Protocol detail.


9. Click the plus sign at the beginning of the User Datagram Protocol line to expand the Transport Layer detail.

The information in the User Datagram Protocol detail confirms that the source port in this frame is an ephemeral, or temporary, port on the source computer. We know this because of its numeric range: IANA reserves 49152-65535 for dynamic (ephemeral) use, although operating systems differ in what they actually hand out (Linux, for example, defaults to 32768-60999). The destination port, however, is in the range of assigned port numbers. Port number 1900 is assigned to SSDP, the Simple Service Discovery Protocol, and together with the multicast destination address it indicates that the host is querying for the existence of services on the network.

Note: The Internet Assigned Numbers Authority (IANA) maintains the official registry of service names and port numbers for application services (such as SSDP) that run over the Transport Layer protocols TCP and UDP. See the complete list at http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml.
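Added example (not from the lab): a minimal decoder for the three layers just examined, Ethernet II, IPv4 and UDP, run over a constructed frame modelled on frame 546 (an SSDP M-SEARCH from 192.168.1.64 to the multicast group 239.255.255.250 on port 1900). It classifies both ports against the IANA ranges, verifies the IPv4 header checksum, and rejects a packet whose version field is not 4, which is the corruption or forgery case described above. The source port, IP identification, payload and the small service-name table are made up for the example.

```python
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17

# Stand-in for the IANA service-name registry (assumption: only the ports
# that matter for this lab).
SERVICE_NAMES = {53: "DNS", 67: "DHCP", 80: "HTTP", 443: "HTTPS", 1900: "SSDP"}

def classify_port(port):
    """IANA ranges: 0-1023 system, 1024-49151 registered, 49152-65535 dynamic."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    if port <= 1023:
        return "system"
    if port <= 49151:
        return "registered"
    return "dynamic/ephemeral"

def mac_str(raw):
    return ":".join("%02x" % b for b in raw)

def ip_checksum(header):
    """RFC 1071 one's-complement sum; a header with a valid checksum sums to 0."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_frame(frame):
    """Ethernet II -> IPv4 -> UDP, returning the values Wireshark shows in
    each layer's detail pane. Anything that is not IPv4/UDP raises."""
    if len(frame) < 14 + 20 + 8:
        raise ValueError("frame too short")
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    eth = {"dst": mac_str(dst), "src": mac_str(src), "type": ethertype,
           "dst_is_group": bool(dst[0] & 0x01)}
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4: EtherType 0x%04x" % ethertype)
    version, ihl = frame[14] >> 4, (frame[14] & 0x0F) * 4
    if version != 4 or ihl < 20:
        # A version other than 4 here means corruption or a forged packet.
        raise ValueError("bad IPv4 header: version %d, IHL %d" % (version, ihl))
    total_len = struct.unpack("!H", frame[16:18])[0]
    ttl, proto = frame[22], frame[23]
    ip = {"version": version, "header_len": ihl, "total_len": total_len, "ttl": ttl,
          "proto": proto, "checksum_ok": ip_checksum(frame[14:14 + ihl]) == 0,
          "src": str(ipaddress.IPv4Address(frame[26:30])),
          "dst": str(ipaddress.IPv4Address(frame[30:34]))}
    if proto != IPPROTO_UDP:
        raise ValueError("not UDP: protocol %d" % proto)
    off = 14 + ihl
    sport, dport, ulen, _csum = struct.unpack("!HHHH", frame[off:off + 8])
    udp = {"sport": sport, "dport": dport, "length": ulen,
           "sport_class": classify_port(sport), "dport_class": classify_port(dport),
           "service": SERVICE_NAMES.get(dport) or SERVICE_NAMES.get(sport),
           "payload": frame[off + 8:off + ulen]}
    return {"eth": eth, "ip": ip, "udp": udp}

def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload, ttl=1):
    """Build a well-formed Ethernet/IPv4/UDP frame (UDP checksum left at 0,
    which IPv4 permits)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, ttl,
                         IPPROTO_UDP, 0, ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip_hdr + udp

# Constructed frame modelled on frame 546: an SSDP M-SEARCH from the local
# host to the SSDP multicast group. Source port and payload are made up.
SSDP_MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                b"MAN: \"ssdp:discover\"\r\nMX: 1\r\nST: ssdp:all\r\n\r\n")
SAMPLE_FRAME = build_udp_frame("00:22:fa:1c:eb:e6", "01:00:5e:7f:ff:fa",
                               "192.168.1.64", "239.255.255.250", 51357, 1900, SSDP_MSEARCH)

if __name__ == "__main__":
    for layer, fields in decode_frame(SAMPLE_FRAME).items():
        print(layer, {k: v for k, v in fields.items() if k != "payload"})
```

The decoder deliberately stops at the first layer it does not understand and says why; a real dissector does the same, which is how Wireshark ends up labelling a frame "Malformed" rather than guessing.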

Figure 17 User Datagram Protocol frame detail

10. Click the minus sign at the beginning of the User Datagram Protocol line to close the Transport Layer detail.

11. Click the plus sign at the beginning of the Hypertext Transfer Protocol line to expand the Application Layer detail.

Figure 18 Hypertext Transfer Protocol frame detail

12. Click the minus sign at the beginning of the Hypertext Transfer Protocol line to close the Application Layer detail.

Note: In the next steps, you will explore the content of the related frame, number 545. This too is a UDP SSDP request. While frame 546 used IPv4, frame 545 uses IPv6, but both carry a similarly formatted SSDP request.

13. Click frame 545. Use the scrollbar in the frame summary pane to find the appropriate frame number.

14. In the frame detail pane, click the plus sign at the beginning of the Frame 545 line to expand the fields. If necessary, drag the frame borders of the frame detail pane to expand it.

Figure 19 Frame detail for frame 545


15. Repeat the steps you used for frame 546 (expanding and examining the Ethernet II, Internet Protocol, User Datagram Protocol and application-layer details) to explore the content of this packet, and note any differences between the two frames, as this information may be needed to complete the lab deliverables.

Note: In the next steps, you will see how applying filters can make analyzing your data much easier. Filters are one of the most powerful tools in Wireshark. They allow a very complex set of criteria to be applied to the captured packets so that only the matching packets are displayed. The rest of the packets are still there; they are just not included in the filtered view and can be restored very easily. It is also possible to save the filtered packets to a new file without the others. Filter expressions may either be built with the Filter Expression dialog window or typed directly into the Filter field. For the lab we will start by focusing on any packets in the file relating to a visit to Google.com. In this capture, the IP address answering for Google.com is 74.125.227.112, an IP version 4 address.

16. Click the Expression… button next to the Filter text box below the Wireshark menu to open the Filter Expression dialog box.

Figure 20 The Expression… button

17. In the Filter Expression dialog box, use the scrollbars in the Field name box to locate IPv4 - Internet Protocol Version 4.

18. Click the plus sign at the beginning of the IPv4 - Internet Protocol Version 4 option to reveal the many different fields within IPv4 that can be used in a filter expression.

19. Click ip.addr to select it.

Figure 21 Starting a filter expression

20. In the Relation box, click == (the double equal sign) to select the equivalent of equals.

21. In the Value box, type 74.125.227.112 (the IP address for Google.com).

Figure 22 Building a filter expression

22. Click OK to complete the filter and close the Filter Expression dialog box. Notice that the filter expression that you built now appears in the Filter field below the Wireshark menu, but there is no change to your data view.

Figure 23 Wireshark filter expression


23. Click the Apply button. Notice the change in the frame number column. All of the packets visible in the frame summary pane now apply only to Google. All of the other packets still exist, they are just not displayed.
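Added example (not from the lab, and not Wireshark's own filter engine): a small evaluator for the subset of display-filter syntax used in this lab (field == value, field != value, bare protocol names, !, && and ||, parentheses), run over constructed packet summaries. It reproduces the rule that ip.addr stands for both ip.src and ip.dst, and the consequence that in the Wireshark version used here ip.addr != X matches almost every packet, because one of the two addresses always differs; !(ip.addr == X) is the exclusion people usually mean. (Wireshark 3.6 and later changed != so that every occurrence of the field must differ, and offer a separate operator for the old "any" behaviour.) The packets are made up.

```python
import re

# Constructed packet summaries standing in for the lab's capture file: the
# field values a display filter can test plus the protocol layers present.
PACKETS = [
    {"no": 1, "ip.src": "192.168.1.64", "ip.dst": "192.168.1.254", "protocols": {"eth", "ip", "udp", "dns"}},
    {"no": 2, "ip.src": "192.168.1.254", "ip.dst": "192.168.1.64", "protocols": {"eth", "ip", "udp", "dns"}},
    {"no": 3, "ip.src": "192.168.1.64", "ip.dst": "74.125.227.112", "protocols": {"eth", "ip", "tcp"}},
    {"no": 4, "ip.src": "74.125.227.112", "ip.dst": "192.168.1.64", "protocols": {"eth", "ip", "tcp"}},
    {"no": 5, "ip.src": "192.168.1.64", "ip.dst": "74.125.227.112", "protocols": {"eth", "ip", "tcp", "http"}},
    {"no": 6, "ip.src": "192.168.1.64", "ip.dst": "239.255.255.250", "protocols": {"eth", "ip", "udp", "ssdp"}},
]

# ip.addr is a convenience field that stands for both ip.src and ip.dst.
MULTI_FIELDS = {"ip.addr": ("ip.src", "ip.dst")}

TOKEN_RE = re.compile(r"==|!=|&&|\|\||!|\(|\)|[\w.:]+")

def tokenize(expr):
    tokens, pos = [], 0
    for m in TOKEN_RE.finditer(expr):
        if expr[pos:m.start()].strip():
            raise ValueError("unexpected text %r" % expr[pos:m.start()])
        tokens.append(m.group(0))
        pos = m.end()
    if expr[pos:].strip():
        raise ValueError("unexpected text %r" % expr[pos:])
    return tokens

def field_values(pkt, name):
    """All occurrences of a field in a packet (ip.addr yields up to two)."""
    return [pkt[n] for n in MULTI_FIELDS.get(name, (name,)) if n in pkt]

class DisplayFilter:
    """Recursive-descent parser: or := and ('||' and)*; and := unary ('&&' unary)*;
    unary := '!' unary | '(' or ')' | field [('==' | '!=') value]."""
    def __init__(self, expr):
        self.toks, self.i = tokenize(expr), 0
        self.ast = self._or_expr()
        if self.i != len(self.toks):
            raise ValueError("unexpected token %r" % self.toks[self.i])
    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def _take(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of filter")
        tok = self.toks[self.i]
        self.i += 1
        return tok
    def _or_expr(self):
        node = self._and_expr()
        while self._peek() == "||":
            self._take()
            node = ("or", node, self._and_expr())
        return node
    def _and_expr(self):
        node = self._unary()
        while self._peek() == "&&":
            self._take()
            node = ("and", node, self._unary())
        return node
    def _unary(self):
        tok = self._peek()
        if tok == "!":
            self._take()
            return ("not", self._unary())
        if tok == "(":
            self._take()
            node = self._or_expr()
            if self._take() != ")":
                raise ValueError("expected ')'")
            return node
        name = self._take()
        if self._peek() in ("==", "!="):
            op = self._take()
            return ("cmp", name, op, self._take())
        return ("present", name)
    def matches(self, pkt):
        return self._eval(self.ast, pkt)
    def _eval(self, node, pkt):
        kind = node[0]
        if kind == "or":
            return self._eval(node[1], pkt) or self._eval(node[2], pkt)
        if kind == "and":
            return self._eval(node[1], pkt) and self._eval(node[2], pkt)
        if kind == "not":
            return not self._eval(node[1], pkt)
        if kind == "present":
            return node[1] in pkt["protocols"] or bool(field_values(pkt, node[1]))
        _, name, op, value = node
        values = field_values(pkt, name)
        # Classic Wireshark semantics: a comparison is true if ANY occurrence
        # of the field satisfies it. That is why "ip.addr != X" matches a
        # packet to or from X: the other address differs from X.
        if op == "==":
            return any(v == value for v in values)
        return any(v != value for v in values)

def apply_filter(expr, packets=PACKETS):
    """Frame numbers that the filter would leave visible."""
    flt = DisplayFilter(expr)
    return [p["no"] for p in packets if flt.matches(p)]

if __name__ == "__main__":
    for expr in ("ip.addr == 74.125.227.112", "ip.addr != 74.125.227.112",
                 "!(ip.addr == 74.125.227.112)", "dns"):
        print("%-32s -> %s" % (expr, apply_filter(expr)))
```

Wireshark also turns the filter bar red for a syntactically invalid expression; the parser here raises ValueError in the same situations (a dangling operator, an unbalanced parenthesis).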

24. Click Statistics from the Wireshark menu, and select Flow Graph to open the Flow Graph dialog box.

Figure 24 Flow Graph dialog box

25. Click the TCP flow radio button and click OK.

Wireshark opens the Graph Analysis window. By selecting TCP flow in the Flow Graph, you are telling Wireshark to draw only the TCP segments, each labelled with its flags, so that the three-way handshake (SYN, SYN-ACK, ACK) and the data exchange that follows can be read as a sequence.

In the filter expression that you applied earlier in the lab, you filtered the packets to show only the traffic with Google.com (IP Address 74.125.227.112).

Figure 25 Wireshark Flow Graph

26. Expand the center pane of the Flow Graph dialog box until you can see both the local IP host (192.168.1.64) and the Google.com IP address (74.125.227.112).

Pay attention to the arrows in this pane. Each arrow is drawn from the column of the sending address to the column of the receiving address, so its direction shows who sent the segment and its endpoints show which two addresses are interacting.

27. Use the scrollbar on the right side of the Flow Graph to locate the first three- way TCP handshake between the local IP host and Google.

28. In your document, record the time (found in the Time box on the left) that each step (SYN, SYN-ACK and ACK) occurred. You may choose to make a screen capture of the data and paste it into your document.

Note: This situation is a bit tricky. If you look closely at the flow graph, also commonly called a ladder diagram, you will see that 192.168.1.64 (the local IP host) and 74.125.227.112 (google.com) already have an established connection when the new one is requested. The SYN for the new connection appears at -14408.59765, but it is not immediately followed by its SYN-ACK and ACK. It is followed by PSH-ACK, ACK, PSH-ACK segments that belong to the already-established connection (data being sent and acknowledged on a different source port; note that closing a connection would use FIN, not PSH), and only then do the SYN-ACK and ACK that complete the new connection appear. Segments of different connections between the same two hosts are interleaved in time, so identify a handshake by the full source port and destination port pair, not just by the host addresses.
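Added example (not from the lab): the matching that the note above does by eye, done programmatically. Constructed TCP segments reproduce the interleaving seen in the flow graph: a SYN for a new connection, then PSH-ACK, ACK and PSH-ACK segments of an already-established connection between the same hosts, then the SYN-ACK and ACK. Grouping by the full (address, port) pair of each endpoint isolates each handshake and records when each step occurred; a connection with traffic but no SYN in the capture is reported as pre-existing, and a SYN that never gets a reply as incomplete. The ports and times are made up.

```python
# Constructed segments modelled on the interleaving in the lab's flow graph:
# (relative time in seconds, src, src port, dst, dst port, TCP flags).
SEGMENTS = [
    (0.000000, "192.168.1.64", 49321, "74.125.227.112", 80, {"SYN"}),            # new connection
    (0.000410, "192.168.1.64", 49318, "74.125.227.112", 80, {"PSH", "ACK"}),     # existing connection
    (0.021900, "74.125.227.112", 80, "192.168.1.64", 49318, {"ACK"}),
    (0.024300, "74.125.227.112", 80, "192.168.1.64", 49318, {"PSH", "ACK"}),
    (0.031200, "74.125.227.112", 80, "192.168.1.64", 49321, {"SYN", "ACK"}),     # reply to the SYN
    (0.031350, "192.168.1.64", 49321, "74.125.227.112", 80, {"ACK"}),
    (0.050000, "192.168.1.64", 49330, "74.125.227.112", 443, {"SYN"}),           # never answered
]

def conn_key(src, sport, dst, dport):
    """Direction-independent connection identifier: the sorted endpoint pair."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def find_handshakes(segments):
    """Walk the segments in time order, tracking each connection's handshake
    state. Returns (handshakes, preexisting): one record per connection that
    started with a SYN, and the keys of connections that carried traffic
    without any SYN in the capture."""
    conns, preexisting = {}, set()
    for t, src, sport, dst, dport, flags in sorted(segments, key=lambda s: s[0]):
        key = conn_key(src, sport, dst, dport)
        state = conns.get(key)
        if "SYN" in flags and "ACK" not in flags:
            if state is None or state["stage"] == "DONE":
                conns[key] = {"client": (src, sport), "server": (dst, dport),
                              "times": {"SYN": t}, "stage": "SYN"}
            # A repeated SYN while we are still waiting is a retransmission;
            # keep the time of the first one.
            continue
        if state is None:
            preexisting.add(key)     # mid-stream traffic, SYN not in capture
            continue
        from_server = (src, sport) == state["server"]
        if state["stage"] == "SYN" and {"SYN", "ACK"} <= flags and from_server:
            state["times"]["SYN-ACK"] = t
            state["stage"] = "SYN-ACK"
        elif (state["stage"] == "SYN-ACK" and "ACK" in flags
              and "SYN" not in flags and not from_server):
            state["times"]["ACK"] = t
            state["stage"] = "DONE"
    handshakes = [{"client": s["client"], "server": s["server"], "times": s["times"],
                   "complete": s["stage"] == "DONE"} for s in conns.values()]
    handshakes.sort(key=lambda h: h["times"]["SYN"])
    return handshakes, sorted(preexisting)

def handshake_rtt(handshake):
    """Client-observed round trip: time from SYN to the final ACK."""
    if not handshake["complete"]:
        return None
    return handshake["times"]["ACK"] - handshake["times"]["SYN"]

if __name__ == "__main__":
    handshakes, preexisting = find_handshakes(SEGMENTS)
    for h in handshakes:
        print(h["client"], "->", h["server"], h["times"],
              "complete" if h["complete"] else "INCOMPLETE", handshake_rtt(h))
    print("connections already open when capture started:", preexisting)
```

The interleaved PSH-ACK segments never disturb the handshake record because their key (port 49318) differs from the new connection's (port 49321). A large number of incomplete handshakes from one client is also the signature of a SYN scan, so the same bookkeeping serves as a detection check.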


29. Click Close to close the Graph Analysis window.

30. Click Cancel to close Flow Graph Options.

Note: In the next steps, you will manually apply a new filter to examine all DNS-related packets. You will have the opportunity to trace a recursive query to resolve a DNS request.

31. In the Filter box below the Wireshark menu, highlight ip.addr == 74.125.227.112 (the existing filter expression) and type dns to overwrite the existing filter.

32. Click Apply to display only the DNS packets.

Figure 26 DNS filter applied

33. In the frame summary pane, click Frame 115 to select it.

Frame 115 is the request from the local IP host (192.168.1.64) to its local Domain Name Server (192.168.1.254) to resolve the name of issaseries.org into an IP address.

34. Drag the frame borders of the frame detail pane to expand it.

Note: In some browsers, the text in the Wireshark panes of the virtual lab may render as small boxes. The lab is still functional; ignore this and continue to the next step.

35. Click the plus sign at the beginning of the Domain Name System (query) line to expand the detail.

In this section of the detail pane, we learn that the query was a standard query with 1 question: what is issaseries.org, and that the response to this query can be found in Frame 116. You’ll examine that frame later in this lab.

36. Click the plus sign at the beginning of the Queries line.

37. Click the plus sign at the beginning of the issaseries.org line.

Figure 27 DNS query of the issaseries.org domain

38. Click the plus sign at the beginning of the Flags line.

Within the Flags detail is a flag titled Recursion desired. This flag indicates whether the local Domain Name Server should go on to query other DNS servers if it cannot resolve the current query (in this case issaseries.org) from its own data. As this DNS server is local, it may or may not have enough information to resolve issaseries.org itself. If the recursion desired flag is set (as it is in this query), the local DNS server will query the root, top-level-domain and authoritative servers on the client's behalf until it obtains an answer. The result of this recursive query should appear later in the frame summary.

Figure 28 Display DNS Detail

39. In the frame summary pane, click Frame 116 (the response to the issaseries.org query).

In the Queries section of this packet we can confirm that this is the response to the query for issaseries.org. In the Flags section, the reply code is "No such name" (reply code 3, also called NXDOMAIN), indicating that the local DNS server could not find the issaseries.org domain. By itself this does not prove that issaseries.org does not exist, only that it is not known to the servers that were consulted. But because the recursion desired flag was set and the local server carried out the recursive lookup on our behalf, it is likely that issaseries.org does not exist or no longer exists.
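Added example (not from the lab): building and parsing the DNS messages of frames 115 and 116 in Python. It builds a standard query for issaseries.org with recursion desired, then a "No such name" (reply code 3) response with the same transaction ID, parses the header flags the way Wireshark's Flags subtree lists them, and also builds a successful response carrying an A record (using the compression pointer servers normally use for the answer name) so the two outcomes can be compared. The transaction ID and the 203.0.113.10 answer address are made up.

```python
import ipaddress
import struct

RCODE_NAMES = {0: "No error", 1: "Format error", 2: "Server failure",
               3: "No such name", 4: "Not implemented", 5: "Refused"}
QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080

def encode_name(name):
    """Wire form of a domain name: length-prefixed labels, zero-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\0"

def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end

def build_query(txid, name, rd=True):
    """Standard query with one question (A record, class IN)."""
    flags = FLAG_RD if rd else 0
    return (struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN))

def build_response(query, rcode, addresses=(), ttl=300):
    """Answer a query: same transaction ID and question, QR and RA set, RD
    copied, and one A record per address whose name points back at the
    question (offset 12) the way real servers compress it."""
    txid, qflags = struct.unpack_from("!HH", query, 0)
    _name, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    flags = FLAG_QR | FLAG_RA | (qflags & FLAG_RD) | (rcode & 0x000F)
    answers = b""
    for addr in addresses:
        answers += (b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
                    + ipaddress.IPv4Address(addr).packed)
    return struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0) + question + answers

def parse_dns(msg):
    """Header flags as Wireshark's Flags subtree shows them, plus questions
    and answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    out = {"id": txid, "qr": bool(flags & FLAG_QR), "opcode": (flags >> 11) & 0xF,
           "aa": bool(flags & FLAG_AA), "tc": bool(flags & FLAG_TC),
           "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA),
           "rcode": flags & 0xF, "questions": [], "answers": []}
    out["rcode_name"] = RCODE_NAMES.get(out["rcode"], "Unknown (%d)" % out["rcode"])
    off = 12
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        out["questions"].append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        data = str(ipaddress.IPv4Address(rdata)) if rtype == QTYPE_A and rdlen == 4 else rdata.hex()
        out["answers"].append((name, rtype, ttl, data))
    return out

def is_response_to(response, query):
    """The pairing Wireshark shows as 'Response In' / 'Request In'."""
    return (response["qr"] and not query["qr"] and response["id"] == query["id"]
            and response["questions"] == query["questions"])

if __name__ == "__main__":
    query = build_query(0x1A2B, "issaseries.org")
    print(parse_dns(query))
    print(parse_dns(build_response(query, rcode=3)))
    print(parse_dns(build_response(query, rcode=0, addresses=["203.0.113.10"])))
```

Matching responses to queries by transaction ID and question, as is_response_to does, is also the check that distinguishes a genuine answer from an injected one: a forged response with the wrong ID or question must be discarded by the resolver.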

Figure 29 Display DNS Detail

40. Close the virtual lab, or proceed with Part 3 to answer the challenge questions for this lab.

Lab #1 - Assessment Worksheet

Analyzing IP Protocols with Wireshark

Course Name and Number: _____________________________________________________

Student Name: ________________________________________________________________

Instructor Name: ______________________________________________________________


Lab Due Date: ________________________________________________________________

Overview

In this lab, you exercised a wide variety of capabilities of the Wireshark packet capture and analysis software. In the first part of the lab, you learned about probe placement, clocking/timing issues, Wireshark traffic capture, and the use of filters. In the second part of the lab, you utilized a capture file to answer basic questions about key IP protocols and the basic configuration of the IP hosts from which traffic is captured. Finally, in the third part of the lab, you explored Wireshark on your own to answer a set of challenge questions.

Lab Assessment Questions & Answers

1. What are some causes of the number of bytes on the wire exceeding the number of bytes being captured?

2. What are the source and destination MAC addresses in Frame 546?

3. What is the manufacturer specific ID for Intel Core?

4. What is the MAC address used for IPv4 multicast?

5. What version of IP is present in Frame 546? What is the source IP address?

6. At what times did the various steps of the Google three step TCP handshake occur?

7. A DNS query failure is referred to a higher level Domain Name Server under what condition?


8. The descriptive text that accompanies the packet analysis is provided by Wireshark. True or False?


Toolwire Lab 2: Using Wireshark and NetWitness Investigator to Analyze Wireless Traffic

Introduction

Click the link below to view the network topology for this lab:

Topology

The Wireshark protocol analyzer is multi-faceted. In fact, a person can use Wireshark for many years and not use all of its capabilities. For instance, a security analyst can use Wireshark to find anomalies in network traffic indicative of viruses or exfiltration of information while, on the same traffic from the same organization, it can be used to troubleshoot application performance issues or benchmark VoIP latencies. In this lab, we begin by using Wireshark to analyze some of the specifics of wireless transmissions and then move on to analyze the network packets using a more security-specific tool, NetWitness Investigator. It is also noteworthy that Wireshark is available at no charge, while NetWitness is a commercial product that is widely used and may be encountered in any well-equipped cyber forensics lab and in many field investigations.

This lab has three parts that should be completed in the order specified.

1. In the first part of the lab, you will use an existing capture file to view some of the wireless aspects of networks as well as some of the aspects of network traffic that remain the same regardless of the physical transport, be it wired or wireless.

2. In the second part of the lab, you will utilize the same capture file but with a more security-focused tool, NetWitness Investigator.

3. Finally, if assigned by your instructor, you will explore the virtual environment on your own in the third part of the lab to answer a set of challenge questions. The questions allow you to use the skills you learned in the lab to conduct independent, unguided work, similar to what you will encounter in a real-world situation.


Learning Objectives

Upon completing this lab, you will be able to:

• Analyze the wireless-specific portion of network traffic using Wireshark
• Identify the portions of network traffic that remain the same regardless of whether the packets traverse wires or fly through the air wirelessly
• Use features of the NetWitness Investigator tool to analyze traffic with wireless content
• Determine which tool, Wireshark or NetWitness Investigator, is the preferred tool for a given task
• Utilize both Wireshark and NetWitness Investigator together to provide a complete picture of the interactions being investigated
• Be able to generalize your new knowledge of Wi-Fi traffic to other types of wireless traffic analyzed by using the Wireshark analyzer
• Differentiate between the more generalized capabilities of Wireshark and the more specialized cybersecurity analysis-focused uses of NetWitness Investigator

Tools and Software

The following software and/or utilities are required to complete this lab. Students are encouraged to explore the Internet to learn more about the products and tools used in this lab.

• Wireshark
• NetWitness Investigator

Deliverables

Upon completion of this lab, you are required to provide the following deliverables to your instructor:

1. Lab Report file including screen captures of the following steps: Part 1 Step 15, Part 1 Step 29, Part 2 Step 8, and Part 2 Step 10;

2. Lab Assessments file;

3. Optional: Challenge Questions file, if assigned by your instructor.

Evaluation Criteria and Rubrics

The following are the evaluation criteria for this lab that students must perform:


1. Analyze the wireless-specific portion of network traffic using Wireshark. – [20%]

2. Identify the portions of network traffic that remain the same regardless of whether the packets traverse wires or fly through the air wirelessly. – [10%]

3. Use features of the NetWitness Investigator tool to analyze traffic with wireless content. – [20%]

4. Determine which tool, Wireshark or NetWitness Investigator, is the preferred tool for a given task. – [10%]

5. Utilize both Wireshark and NetWitness Investigator together to provide a complete picture of the interactions being investigated. – [20%]

6. Be able to generalize your new knowledge of Wi-Fi traffic to other types of wireless traffic analyzed by using the Wireshark analyzer. – [10%]

7. Differentiate between the more generalized capabilities of Wireshark and the more specialized cybersecurity analysis-focused uses of NetWitness Investigator. – [10%]

Hands-On Steps

Note: This lab contains detailed lab procedures which you should follow as written. Frequently performed tasks are explained in the Common Lab Tasks document on the vWorkstation desktop. You should review these tasks before starting the lab.

1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the file in Adobe Reader.

If desired, use the File Transfer button to transfer the file to your local computer and print a copy for your reference. Instructions for transferring the file can be found in the file itself.

Figure 1 “Student Landing” workstation

2. On your local computer, create the lab deliverable files.

3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to these questions as you proceed through the lab steps.

Part 1: Analyzing Wireless Traffic with Wireshark

1. Double-click the Wireshark icon on the desktop to start the Wireshark application.

Figure 2 Main Wireshark Screen


The main screen of Wireshark includes several shortcuts to make your job easier, grouped into four sections.

Wireshark Screen Sections

Section       Description
Capture       Lists the network interfaces on this machine that Wireshark has identified and from which packets can be captured and analyzed.
Files         Lists the capture files most recently opened in Wireshark. This section is blank by default because no files have been opened yet.
Online        Shortcuts to the Wireshark website.
Capture Help  Shortcuts to the Wireshark website for help in using the tool.

2. Click Open to display a list of files that are on the desktop.

Figure 3 Wireshark Open Capture File

3. Double-click the DemoCapturepcap.pcapng file to load the packet capture data into the Wireshark window.

Note: Wireshark capture files, like the DemoCapture file found in this lab, have a “.pcapng” extension, which stands for packet capture, next generation.

Figure 4 Wireshark Frame Summary

Note: Many people believe that it is necessary to enable the Wireless Toolbar (View > Wireless Toolbar) any time they are looking at wireless traffic. However, even if you were to enable the Wireless Toolbar at this point, the option would remain “greyed out” because the toolbar is only used when capturing live traffic, and then only if the AirPcap interface is enabled. In this virtual lab, we are using a pre-captured file and are not capturing live traffic, so it is not necessary to turn on the Wireless Toolbar.

4. Drag the top border of the Frame Detail pane up to expand it until only the summaries of frames 1, 2, and 3 are shown.

Figure 5 Wireshark window with enlarged Frame Detail pane

5. Click the plus sign at the beginning of the Frame 1 line in the Frame Detail pane to expand the fields. Notice the number of fields related to time. This part of the display is the same for wired or wireless traffic. However, the Encapsulation type: Per-Packet Information indicator, an encapsulation used to carry radio information alongside captured frames and seen in practice only with wireless captures, confirms that this is a wireless packet.


Figure 6 Expanded frame physical detail

6. Click the minus sign at the beginning of Frame 1 line in the Frame Detail pane to collapse the fields.

Note: Double-clicking headings in the Frame Detail pane will also expand or collapse the detail below.

7. Click the plus sign at the beginning of the PPI version 0 line in the Frame Detail pane to expand the fields and display the Per-Packet Information encapsulation.

8. Click the plus sign at the beginning of the Flags line in the Frame Detail pane to expand the fields.

Figure 7 Expanded PPI encapsulation frame detail

9. Notice the following information contained within these headers:

Alignment is set to 0, or not aligned, which means that each field begins at the byte immediately after the previous one, with no padding to a 32-bit boundary.

The header length of 84 octets is the length of the PPI header (including its fields) only and does not include any other headers that may be present in the frame.

A Data Link Type (DLT) of 105 indicates that the frame encapsulated after the PPI header is an IEEE 802.11 wireless LAN frame. The DLT identifies the link-layer type, not the 802.11 variant; the 802.11n specifics come from the PPI fields that follow.

Note: All of this information can be verified, if one wishes, by consulting the hexadecimal representation of the field at the bottom of the window in the Byte Data pane.

10. Click the plus sign at the beginning of the 802.11-Common line in the Frame Detail pane to expand the fields relative to fields common to all 802.11 wireless protocols. Along with some very specific information about radio frequencies and channels, the fields indicate that the maximum rate of transmission is 300 Mbps (Rate: 300.0 Mbps).

Figure 8 Expanded 802.11-Common frame detail

11. Click the plus sign at the beginning of the 802.11n MAC+PHY line to expand those fields.

12. Use the scrollbar as necessary to view all of the newly expanded fields. Notice that the data reveals a large amount of information about the 802.11n connection, including signal strengths, noise ratios and other details about the antennas.

Figure 9 Expanded 802.11n MAC+PHY frame detail


Note: The detailed information that Wireshark provides about the antennas, signal strengths, and other aspects of the wireless communications environment can be very useful for installation, antenna placement, and troubleshooting. It can also be very valuable in computer forensics, because it can be used to map who was able to communicate with whom, the measured strength of signals, what frequencies were used, and other data. In addition to forensics on standard Wi-Fi and other forms of traditional wireless communications, this information can also be useful for jamming certain frequencies, determining which devices were likely used to trigger remotely detonated bombs and Improvised Explosive Devices (IEDs), and a spectrum of other purposes.

13. If desired, click the minus sign in front of the PPI version 0 line to collapse the information relative to the Per-Packet Information encapsulation.

You may have to use the scrollbar to return to this header line.

14. Click the plus sign at the beginning of the IEEE 802.11 QoS Data, Flags line to expand the 802.11 Quality of Service information and Flags fields.

In this group of fields, Wireshark displays information about the transmitters and receivers of the data, which allow the network administrator to determine which Media Access Control (MAC) addresses match each transmitter and receiver.

Figure 10 Frame Address Information

15. Make a screen capture showing the receiver address, the transmitter address, the source address, and the destination address found in the IEEE 802.11 QoS Data fields.

Note: Remember, Wireshark displays transmitter/receiver addresses both in full hexadecimal (00:14:a5:cd:74:7b) and in a kind of shorthand, in this case GemtekTe_cd:74:7b. That shorthand is Wireshark's translation of the first part of the receiver address (00:14:a5) into the manufacturer's name or alphanumeric designation (GemtekTe_). The IEEE maintains the list of company names that correspond to the first six hexadecimal characters of a MAC address, which can be accessed on its Web site at http://standards.ieee.org/develop/regauth/oui/public.html. While Wireshark's translation is most likely correct, some manufacturers, especially those that have acquired other companies, have more than one prefix that resolves to their name. It is therefore better to refer to the entire hexadecimal representation of the address rather than the shorthand. It is also possible for an attacker to "spoof" these addresses: in 802.11 the receiver and transmitter addresses are ordinary header fields, and a driver in monitor mode with packet injection can write any value into them, so no single address field proves which device sent a frame. In practice, common criminals rarely bother with the receiver and transmitter addresses; it is much more common for the source and/or destination MAC addresses to be spoofed. Matching the source and destination addresses against their transmitter and receiver addresses (and the BSSID) can therefore provide useful forensic evidence of which devices were involved in a particular communication and their role in the suspect activity.
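Added example (not from the lab): parsing the PPI header and the 802.11 header of a constructed QoS Data frame in Python, to show where the values in the PPI and QoS Data steps above come from. The PPI header yields the alignment flag, the header length and DLT 105; its 802.11-Common field yields the rate (in 500 kbps units, so 600 means 300 Mbps) and the signal and noise levels; and the To DS / From DS bits of the 802.11 frame control decide which address fields are the receiver, transmitter, source, destination and BSSID, which is the mapping Wireshark applies before labelling them. The frame uses the receiver address from the note above; the BSSID and source addresses, sequence number, radio values and payload are made up.

```python
import struct

DLT_IEEE802_11 = 105         # libpcap link type for raw 802.11 frames
PPI_FIELD_80211_COMMON = 2   # PPI field type of the 802.11-Common record
TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}

def mac_str(raw):
    return ":".join("%02x" % b for b in raw)

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def parse_ppi(buf):
    """PPI packet header (little-endian): version, flags, total header length,
    DLT of the encapsulated frame, then TLV fields up to that length."""
    version, flags, length, dlt = struct.unpack_from("<BBHI", buf, 0)
    fields, off = [], 8
    while off + 4 <= length:
        ftype, flen = struct.unpack_from("<HH", buf, off)
        fields.append((ftype, bytes(buf[off + 4:off + 4 + flen])))
        off += 4 + flen
        if flags & 0x01:                 # bit 0 set: fields are 32-bit aligned
            off = (off + 3) & ~3
    return {"version": version, "aligned": bool(flags & 0x01),
            "length": length, "dlt": dlt, "fields": fields}

def decode_80211_common(data):
    """802.11-Common field: TSF, flags, rate (500 kbps units), channel
    frequency and flags, FHSS hop set/pattern, signal and noise in dBm."""
    tsf, flags, rate, freq, chan_flags, _hopset, _pattern, signal, noise = \
        struct.unpack("<QHHHHBBbb", data)
    return {"tsf": tsf, "flags": flags, "rate_mbps": rate / 2.0, "channel_mhz": freq,
            "channel_flags": chan_flags, "signal_dbm": signal, "noise_dbm": noise,
            "snr_db": signal - noise}

def parse_80211(buf, off):
    """Decode the MAC header that follows the PPI header and assign the
    receiver/transmitter/source/destination/BSSID roles that depend on the
    To DS / From DS bits (the IEEE 802.11 address-field table)."""
    fc0, fc1 = buf[off], buf[off + 1]
    ftype, subtype = (fc0 >> 2) & 0x03, fc0 >> 4
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    a1, a2, a3 = buf[off + 4:off + 10], buf[off + 10:off + 16], buf[off + 16:off + 22]
    seq_ctl = struct.unpack_from("<H", buf, off + 22)[0]
    hdr_len, a4 = 24, None
    if to_ds and from_ds:                # four-address (WDS) frame
        a4, hdr_len = buf[off + 24:off + 30], 30
    qos = ftype == 2 and bool(subtype & 0x08)
    if qos:
        hdr_len += 2                     # QoS Control field
    if not to_ds and not from_ds:        # station to station (IBSS)
        roles = {"receiver": a1, "destination": a1, "transmitter": a2, "source": a2, "bssid": a3}
    elif from_ds and not to_ds:          # access point to station
        roles = {"receiver": a1, "destination": a1, "transmitter": a2, "bssid": a2, "source": a3}
    elif to_ds and not from_ds:          # station to access point
        roles = {"receiver": a1, "bssid": a1, "transmitter": a2, "source": a2, "destination": a3}
    else:                                # AP to AP bridge
        roles = {"receiver": a1, "transmitter": a2, "destination": a3, "source": a4}
    out = {"type": TYPE_NAMES.get(ftype, "Reserved"), "subtype": subtype, "qos": qos,
           "to_ds": to_ds, "from_ds": from_ds, "retry": bool(fc1 & 0x08),
           "protected": bool(fc1 & 0x40), "seq": seq_ctl >> 4, "frag": seq_ctl & 0x0F,
           "header_len": hdr_len}
    out.update({role: mac_str(addr) for role, addr in roles.items()})
    return out

def build_sample_frame():
    """Constructed PPI + 802.11 QoS Data frame (AP to station). Receiver is the
    address from the lab; BSSID, source, radio values and payload are made up."""
    common = struct.pack("<QHHHHBBbb", 123456789, 0, 600, 5180, 0x0140, 0, 0, -40, -90)
    field = struct.pack("<HH", PPI_FIELD_80211_COMMON, len(common)) + common
    ppi = struct.pack("<BBHI", 0, 0, 8 + len(field), DLT_IEEE802_11) + field
    frame_control = bytes([0x88, 0x02])  # type 2 subtype 8 (QoS Data), From DS
    dot11 = (frame_control + struct.pack("<H", 44)
             + mac_bytes("00:14:a5:cd:74:7b")    # address 1: receiver = destination
             + mac_bytes("00:1b:2f:aa:bb:cc")    # address 2: transmitter = BSSID
             + mac_bytes("00:22:fa:1c:eb:e6")    # address 3: original source
             + struct.pack("<H", 163 << 4)       # sequence 163, fragment 0
             + struct.pack("<H", 0))             # QoS Control
    return ppi + dot11 + b"\xaa\xaa\x03" + bytes(21)   # LLC/SNAP start + dummy body

SAMPLE_FRAME = build_sample_frame()

if __name__ == "__main__":
    ppi = parse_ppi(SAMPLE_FRAME)
    print(ppi["length"], ppi["dlt"], decode_80211_common(ppi["fields"][0][1]))
    print(parse_80211(SAMPLE_FRAME, ppi["length"]))
```

Because the From DS bit is set, address 2 is both the transmitter and the BSSID while the original sender sits in address 3; flip the bits and the same three fields take on different roles, which is why the lab asks you to record all four labelled addresses rather than the raw fields.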

16. Click the plus sign in front of the Frame check sequence line to expand those additional fields.

17. Click the plus sign in front of the QoS Control line to expand those additional fields.

Study the fields and their values. It is within the scope of this lab to understand that the fields exist but beyond the scope of this lab to explain what each field means and the interaction of the fields.

Figure 11 Quality of Service detail

18. Click the minus sign in front of the IEEE 802.11 QoS Data, Flags line to collapse these fields.

Note: There are literally hundreds of fields of data available, depending upon the wireless communications protocols that are present and captured, and a thousand different ways to interpret them. The fields examined thus far are unique to wireless networking. There are some important aspects to know about capturing wireless data with Wireshark. On Windows, Wireshark is installed with a packet capture library called WinPcap (libpcap on Linux and other Unix-like systems). Depending on the wireless interface and how the capture is set up, Wireshark displays all of the fields that library can capture. However, with an ordinary adapter the driver often hands the capture library only Ethernet-style frames, so the 802.11 management and control frames, the radio information and sometimes the 802.11 header itself are never captured, leaving only the essence of the command and control information but not the information itself. For this reason, capture add-ons such as AirPcap are frequently installed with Wireshark; they put the adapter into monitor mode and pass the raw 802.11 frames through, allowing you to capture far more wireless information than without them. Many network analysts consider AirPcap (or another adapter with monitor-mode support) essential for capturing wireless traffic between devices, or between devices and a wireless access point, depending on the objectives of the capture. From this point of the lab forward, all of the data examined is common to both wired and wireless networking and would have been captured with Wireshark using either AirPcap or WinPcap.

19. Click the plus sign in front of the Logical-Link Control line to expand the LLC fields and familiarize yourself with the data available.

20. Click the minus sign in front of the Logical-Link Control line to collapse the LLC fields.

21. Click the plus sign in front of the Internet Protocol version 4 line to expand the header and familiarize yourself with the data available.

22. Click the plus sign in front of each subfield and familiarize yourself with the data available.


Figure 12 Internet Protocol data

23. Click the minus sign in front of the Internet Protocol version 4 line to collapse the fields.

24. Click the plus sign in front of the User Datagram Protocol line and familiarize yourself with the data available.

25. Click the minus sign in front of the User Datagram Protocol line to collapse the UDP fields.

26. Click the plus sign in front of the Domain Name System (query) line to expand its fields. These fields record data related to an Internet query.

27. Click the plus sign in front of the Flags line to expand those fields and familiarize yourself with the data available.

28. Click the plus sign in front of the Queries line and familiarize yourself with the data available. Notice that the data indicates that someone tried to access the www.polito.it Web site.

Note: The ultimate payload, regardless of whether the packet is sent through the air or on a wire, is a Domain Name System query. In this case, the DNS information is being requested for www.polito.it. Any DNS request, regardless of whether the packet is sent wirelessly or via wire, includes the same fields in a Wireshark packet capture, but the wireless portion of the frame information requires special consideration in a forensic investigation. If a forensic investigator needed to monitor all Web traffic within a coffee shop to determine which Web sites were accessed by the subject of an investigation, then the fact that the Web query was conducted wirelessly is really unimportant to the investigation, except perhaps that the investigation was aided by getting easy access to unencrypted airborne packets. An investigator may choose to set a filter on the resulting capture file that shows only DNS requests. In this way, the investigator can determine which Web sites the subject wished to visit, and is then able to visit those Web sites later to determine their nature. It is also possible to set a filter that displays both the DNS requests and their resulting DNS responses to determine which Web sites existed at the time the capture file was made, as opposed to which Web sites still existed when subsequent research was done. Consider, for example, a drug or human trafficking case. The owner of an illegal Web site may shut down the Web site after a subject is taken into custody, but before the research is completed. This type of filter will allow investigators to determine that, while they were unable to access the Web site, the subject was able to complete the transaction. Packet capture files can also display the results of the Web page requests, such as any audio and video content, as well as be used for further analysis in NetWitness Investigator.

On the other hand, a key part of another investigation may be to determine what information was gathered by the subject of an investigation, or to determine by whom certain information was gathered. The investigator may use information in a packet capture by linking the Layer 2 Media Access Control (MAC) address and/or the Layer 3 IP address to specific wireless information. In this case, the wireless information that is captured becomes the central point of the investigation. As has happened many times, forensic investigators, often law enforcement, track illegal content, such as child pornography, to a quiet residential neighborhood, obtain legal search warrants based on probable cause and execute a search of the premises only to find that there is no illegal pornographic content, or other content covered by the warrant, present. At this point the investigators could give up, or they could do further research on the wireless portion of captured traffic to determine that none of the devices owned by the residents of the home, or their guests’ mobile wireless devices, were responsible for the traffic. What could have happened? Criminals sitting in a car outside the home—or a nearby coffee shop, hotel, or other location—could have used the wireless access point to transmit/receive illegal information and then departed the scene. Investigative tools such as video surveillance, stakeouts, sting operations, and similar law enforcement tools could be brought into play to further the investigation, but the wireless part of the captured traffic is a critical part of guiding the investigation and possibly of the ultimate prosecution of the suspects.

29. Click the plus sign in front of the www.polito.it line and familiarize yourself with the data available. Use the scrollbar, if necessary, to reveal all of the data.

Figure 13 Expanded www.polito.it query frame detail

30. Make a screen capture showing the query name (www.polito.it), the Source IP address, and the Destination IP address.

31. In the Frame Summary pane, click frame 2 to display the related data in the Frame Detail pane.

Frame 2 is a wireless command and control packet acknowledging receipt of frame 1.

32. If necessary, click the plus sign at the beginning of the IEEE 802.11 Acknowledgement, Flags line to expand the fields.

Notice that the receiver address for frame 2 (00:14:a5:cb:6e:1a) is the same as the transmitter address in frame 1.

Figure 14 802.11 command and control packet detail

33. In the Frame Summary pane, click frame 3 to display the related data in the Frame Detail pane.

34. If necessary, click the plus sign in front of the Domain Name System (response) line to expand its fields. Use the scrollbar as necessary to locate this header line.

35. If necessary, click the plus sign in front of the Answers line to expand the fields. Use the scrollbar as necessary to locate this header line.

36. Click the plus sign in front of each line in the Answers section to expand the fields. Use the scrollbar as necessary to see the details.

These fields detail the response to the DNS query. Data shown in these fields includes the IP address for polito.it (130.192.73.1), and other DNS information such as a DNS time to live (or, the time before the DNS cache for this entry must be refreshed) of 23 hours, 59 minutes, 25 seconds.
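The two notes above describe pairing DNS requests with their responses and reading the query name, answer address and TTL out of the response. The following added example (not part of the lab or the DemoCapture file) does the same thing programmatically: it parses raw DNS messages, matches a response to its query by transaction ID, and formats the TTL the way Wireshark displays it. The two packets are constructed here to mirror frames 1 and 3 of the lab; the transaction ID 0x1a2b is an assumption.

```python
"""Minimal DNS query/response parser and pairing. Added example; the two
messages in SAMPLE are constructed, not extracted from DemoCapture.pcap."""
import struct
from typing import Dict, List, Tuple


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a DNS name at off, following 0xC0 compression pointers.
    Returns (name, offset just past the name in the original stream)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, pointer
            continue
        off += 1
        if length == 0:                                 # root label ends the name
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_dns(msg: bytes) -> dict:
    """Parse the header, the first question and every A record in the answers."""
    tid, flags, qd, an = struct.unpack("!HHHH", msg[:8])
    off, qname = 12, ""
    for i in range(qd):
        name, off = read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
        if i == 0:
            qname = name
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                   # A record: IPv4 address
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"id": tid, "is_response": bool(flags & 0x8000),
            "qname": qname, "answers": answers}


def pair_transactions(messages: List[bytes]) -> List[dict]:
    """Match each response to the query with the same transaction ID, which is
    what a Wireshark filter showing both requests and responses lets you do."""
    queries: Dict[int, dict] = {}
    pairs = []
    for raw in messages:
        m = parse_dns(raw)
        if not m["is_response"]:
            queries[m["id"]] = m
        elif m["id"] in queries:
            pairs.append({"qname": m["qname"], "answers": m["answers"]})
    return pairs


def ttl_hms(ttl: int) -> str:
    """Format a TTL in seconds as Wireshark shows it (hours, minutes, seconds)."""
    h, rem = divmod(ttl, 3600)
    m, s = divmod(rem, 60)
    return f"{h} hours, {m} minutes, {s} seconds"


def build_query(tid: int, name: str) -> bytes:
    """Standard recursive query for an A record of name."""
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def build_response(tid: int, name: str, ip: str, ttl: int) -> bytes:
    """Response with one A record; the answer name is a pointer (0xC00C) back
    to the question name, as real resolvers emit it."""
    question = build_query(tid, name)[12:]
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, 1, 0, 0)
    rr = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
          + bytes(int(o) for o in ip.split(".")))
    return header + question + rr


# Constructed sample mirroring frames 1 and 3 of the lab capture.
SAMPLE = [build_query(0x1A2B, "www.polito.it"),
          build_response(0x1A2B, "www.polito.it", "130.192.73.1", 86365)]

if __name__ == "__main__":
    for pair in pair_transactions(SAMPLE):
        for name, ip, ttl in pair["answers"]:
            print(f"{pair['qname']} -> {name} A {ip}, TTL {ttl_hms(ttl)}")
```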

Figure 15 DNS Response for www.polito.it

Note: In Part 2 of this lab, you will analyze these same packets using NetWitness Investigator. It is important to realize that NetWitness can also be used to capture and save network traffic without ever using Wireshark, but if you are using Wireshark for packet capture and a cursory analysis, as you did in Part 1 of this lab, you will need to save the captured frames in a format that NetWitness can interpret. The current release of NetWitness Investigator does not support the pcapng file format, so you must first save the DemoCapture.pcapng file in the older *.pcap format.

37. Click File > Save As from the Wireshark menu. If necessary, click the Desktop icon, select Wireshark/tcpdump/ from the drop-down option in the Save as type box. Type DemoCapture in the File name box.

Figure 16 Wireshark Save As dialog box

38. Click Save to save the new DemoCapture.pcap file in the preferred format for NetWitness.

39. Click File > Quit to close Wireshark.

Part 2: NetWitness Investigator

Note: In this part of the lab, you will use NetWitness Investigator to analyze the same packet capture file you reviewed in Part 1 of this lab. Because Wireshark is available for free, it is often used for packet capture and for some initial analysis. NetWitness Investigator, on the other hand, requires the purchase of a license for use, so it is often only used by more senior, more skilled and better trained security analysts for specific types of analysis. Often, investigators, or even clients, with little training can capture needed information with the no-cost Wireshark while a more in-depth security-focused analysis is later done with NetWitness.

1. Double-click the NetWitness Investigator icon on the desktop to open the application window.

Figure 17 NetWitness Investigator application window

Note: The Welcome screen in NetWitness Investigator displays a list of frequently asked questions and links to a YouTube channel (http://www.youtube.com/user/SecuredByRSA) with demonstration videos for using the software. You are encouraged, though not required, to review this material. Remember, the virtual lab does not have access to the Internet, so not all of these links will work within this environment.

2. On the NetWitness Investigator menu, select Collection > New Local Collection to open the New Local Collection dialog box.

3. Type DemoCapture in the Collection Name box and click OK.

Similar to creating a new file folder, creating a new local collection within NetWitness Investigator provides a place to put the packets from the DemoCapture file. This collection, DemoCapture, will appear in the left pane, the Collection pane, of NetWitness Investigator.

Figure 18 New Local Collection Creation Window

4. Double-click DemoCapture in the Collection pane to select it and change the status to Ready.

Figure 19 NetWitness Investigator Collection pane

5. On the NetWitness Investigator menu, select Collection > Import Packets to open the Open dialog box.

6. If necessary, click the Desktop icon to display the files from the desktop of the vWorkstation and double-click the DemoCapture file you created in Step 37 of the last section to begin the import process.

Figure 20 Open dialog box

The Collection pane will display a progress report while the import process is underway. When the import is finished, the DemoCapture collection will again display a status of Ready.

7. Double-click DemoCapture in the Collection pane to open the packet capture file.

The packets from the capture file have been analyzed by NetWitness and all of the reports generated by NetWitness are displayed in the right pane. Use the scrollbar as necessary to view the complete list of reports.

Figure 21 Reports from the DemoCapture Collection

Note: The first thing you may notice about the NetWitness reports is that while you will not find any of the low-level wireless information, such as command and control, you will find that the kind of sophisticated analysis that requires some work to accomplish within Wireshark is automated by NetWitness. For instance, the Layer 2 MAC addresses, which in this case are Ethernet, and the Layer 3 IP addresses are available in both Wireshark and NetWitness, but you will not find the transmitter and receiver addresses in NetWitness. What you will find, easily, in NetWitness is information about the geographic location of the transmitter and receiver which, when plotted on Google Earth, can aid an investigation. You should also notice that where both tools provide the same information, such as the DNS request, the two tools differ in how that information is displayed.

8. In the Service Type report, click DNS to drill down and get further information about the DNS request.

The (1) that follows the DNS label indicates that there is only one DNS request in this packet capture file. In the next steps, you will investigate this DNS request and compare the results against the Wireshark findings.

Figure 22 DNS Query Detail for DemoCapture.pcap

9. Make a screen capture of the DNS query showing the host name alias, the source IP address, and the destination IP address. Compare the information provided by NetWitness to the screen capture you made in Wireshark (step 29 in Part 1 of this lab).

10. Use the scrollbar to locate the Ethernet Source and Ethernet Destination reports.

Figure 23 Ethernet fields

11. Make a screen capture showing the Ethernet source and Ethernet destination addresses. Compare the information provided by NetWitness to the screen capture you made in Wireshark (step 15 in Part 1 of this lab).

12. In the NetWitness navigation bar, click DemoCapture to return to the high-level analysis of the entire packet capture file.

Figure 24 NetWitness Investigator navigation bar

13. Use the scrollbar to locate the Destination City report.

14. Click turin to reveal additional details from this report.

Figure 25 NetWitness Investigator Destination City – Turin report

15. Use the scrollbar to investigate all of the data associated with this report. From the data, you can determine that the transaction originated in Turin, Italy and was an HTTP GET request in which a Web site was retrieved. NetWitness has done a lot of analysis of the higher-level transaction without revealing the lower-level frame or packet detail to the user.

Note: While it is accurate to say that the Top Level Domain (TLD) “.it” “belongs” to Italy, there is no assurance that the web site is physically located in Italy, only that a domain name is registered with the appropriate registrar for the .it TLD. Only by physically finding the server hosting the website, using geolocation technology such as IP-geolocation, or triangulation using pings, is it possible to determine the actual physical location of the server.

16. Click Collection > Exit in the NetWitness Investigator menu to close the NetWitness Investigator window.

Note: Having investigated the very same capture file with both tools, Wireshark and NetWitness Investigator, you are now better equipped to determine which tool is appropriate for specific tasks. You may also realize that using both tools together may be required to show a complete picture for a forensic investigation. Remember, too, that in any forensic investigation special care must be taken to protect the chain of custody for any evidence which will be used in legal proceedings. It is important to realize that capture files are just digital files and can easily be manipulated and edited, and they should be handled as would any volatile digital evidence. Maintaining chain of custody is particularly important to ensure the recovered evidence is admissible in a court of law.

17. Close the virtual lab, or proceed with Part 3 to answer the challenge questions for this lab.

Lab #2 - Assessment Worksheet

Using Wireshark and NetWitness Investigator to Analyze Wireless Traffic

Course Name and Number: _____________________________________________________

Student Name: ________________________________________________________________

Instructor Name: ______________________________________________________________

Lab Due Date: ________________________________________________________________

Overview

In this lab, you used two common forensic analysis tools, Wireshark and NetWitness Investigator, to review wireless traffic in the same packet capture file. You learned to differentiate between the more generalized capabilities of Wireshark and the more specialized cybersecurity analysis-focused uses of NetWitness Investigator. You also identified those aspects of network traffic that remain the same regardless of the physical transport, be it wired or wireless. Finally, in the third part of the lab, you explored Wireshark on your own to answer a set of challenge questions.

Lab Assessment Questions & Answers

1. Which tool, Wireshark or NetWitness, provides information about the wireless antenna strength during a captured transmission?

2. Which tool displays the MAC address and IP address information and allows them to be correlated for a given capture transmission?

3. What is the manufacturer specific ID for the GemTek radio transmitter/receiver?

4. The receiver and/or transmitter address is hard-coded in hardware and cannot be changed: it can always be counted on to correctly identify the device transmitting. True or False.

5. The actual web host name to which www.polito.it resolved was?

6. How can one determine that the website www.polito.it is in Italy?

7. What is the IP address for www.polito.it?

8. What destination organization is the owner of record of www.polito.it?

Toolwire Lab 3: Configuring a pfSense Firewall on the Client

Introduction

Click the link below to view the network topology for this lab:

Topology

There are a multitude of firewalls commercially available within the market. Some organizations even build their own, custom solutions. An organization may have a single firewall sitting on the only connection to the global Internet, or a sophisticated defense-in-depth structure of firewalls providing more protection for certain subnets than for others. Organizations may also establish internal zones that allow them to use firewalls to protect internal departments from each other, with another system protecting the entire organization from outsiders. According to the 2013 Data Breach Investigations Report (http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf), fourteen percent of all successful data breaches involved internal attackers.

Firewalls may be completely software-based and run on an endpoint or a server. They may be implemented in stand-alone hardware, or may be some hybrid. Increasingly, vendors are making their firewalls available as virtual appliances. In any case the job of the firewall is fairly straightforward: to examine traffic going between the "outside" and the "inside" and determine if that traffic adheres to a set of rules and what to do if it does not. It is in defining the rules and in determining what to do if the traffic does not meet those rules where most firewalls differ: not in the conceptual function, but, rather, in the implementation and the ongoing management of the device.

In this lab, you will delve into the configuration of the pfSense Firewall to protect a client computer. The pfSense Firewall is a current generation product which has most of the functionality and options that will be found in most firewall products though the implementation may vary somewhat from firewall to firewall.

This lab has three parts which should be completed in the order specified:

1. In the first part of the lab, you will plan the implementation of a local pfSense Firewall using a spreadsheet. You will answer all of the configuration questions in advance of actually making any changes to the firewall.

2. In the second part of the lab, you will implement the configuration choices that you planned in Part 1 of this lab.

3. Finally, if assigned by your instructor, you will explore the virtual environment on your own in the third part of the lab to answer a set of challenge questions that allow you to use the skills you learned in the lab to conduct independent, unguided work, similar to what you will encounter in a real-world situation.

Learning Objectives

Upon completing this lab, you will be able to:

1. Complete a Physical Configuration planning worksheet and understand the general rules of physical configuration planning for a firewall which protects a client workstation.

2. Complete the Firewall Rules planning worksheet and understand the general rules for firewall rules planning for a firewall which protects a client workstation.

3. Configure the physical connectivity of a firewall which protects a client workstation.

4. Configure firewall rules for a firewall which protects a client workstation.

Tools and Software

The following software and/or utilities are required to complete this lab. Students are encouraged to explore the Internet to learn more about the products and tools used in this lab.

• pfSense Firewall

Deliverables

Upon completion of this lab, you are required to provide the following deliverables to your instructor:

1. A completed pfSenseFirewallPlanning.xlsx spreadsheet;

2. Lab Report file including screen captures of the following steps: Part 2, Step 22;

3. Lab Assessments file;

4. Optional: Challenge Questions file, if assigned by your instructor.

Evaluation Criteria and Rubrics

The following are the evaluation criteria for this lab that students must perform:

1. Complete the Physical Configuration planning spreadsheet for a firewall which protects a client workstation. - [20%]

2. Complete the Firewall Rules planning spreadsheet for a firewall which protects a client workstation. - [20%]

3. Configure the physical connectivity of the firewall which protects a client workstation. - [30%]

4. Configure the firewall rules for a firewall which protects a client workstation. - [30%]

Hands-On Steps

Note: This lab contains detailed lab procedures which you should follow as written. Frequently performed tasks are explained in the Common Lab Tasks document on the vWorkstation desktop. You should review these tasks before starting the lab.

1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the file in Adobe Reader.

If desired, use the File Transfer button to transfer the file to your local computer and print a copy for your reference. Instructions for transferring the file can be found in the file itself.

Figure 1 “Student Landing” workstation

2. On your local computer, create the lab deliverable files.

3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to these questions as you proceed through the lab steps.

Part 1: Planning the Configuration

Note: There are two different approaches to configuring a firewall, or any computer software for that matter. The first, and most common, is to “dive right in” and trust that the process will be fairly easy and straightforward. The second approach is to plan the configuration steps in advance before implementing your choices. While the “dive right in” approach is very common, especially in smaller shops or for individuals, the more prudent, careful and professional approach is to plan the configuration in advance. By documenting the configuration choices in advance, carefully considering each in the proper context, you streamline your process. And, since even the most diligent planner can overlook something, by recording any changes that were made during the implementation process, you will have a starting point for replicating the configuration in the future—either to assist in adding new firewalls or replacing the existing one (in case of an outage).

In the next steps, you will complete the pfSenseFirewallPlanner spreadsheet. This spreadsheet contains two worksheets: Physical Configuration and Firewall Rules. The spreadsheet was designed to document answers to the questions prompted by the pfSense Firewall Setup Wizard, in the order you will be required to answer them. You will record the configuration settings for the pfSense Firewall in this spreadsheet as you proceed through the lab. It is a good idea to scan Part 2 of this lab if you are unfamiliar with firewall configurations. Seeing how the questions are posed by the wizard might help you understand how the pfSenseFirewallPlanner spreadsheet works in conjunction with the wizard. Many of the steps in this part of the lab follow basic Windows conventions on a Windows 2008 server. If you are an experienced Windows user who is already familiar with these steps, feel free to write down the information provided and move ahead with the lab exercises. If you are not familiar with these functions, please follow the steps and see the results, but also understand that they vary somewhat between different versions of Windows and vary greatly from the way similar information is derived in other operating systems.

1. Click the File Transfer button on the vWorkstation desktop to transfer the pfSenseFirewallPlanner file from the virtual desktop to your local computer.

2. Open the pfSenseFirewallPlanner spreadsheet on your local computer.

The first item on the Physical Configuration worksheet is Hostname. A hostname is the unique name of the computer (host) on the network capable of originating or responding to an interaction using the Internet Protocol. The hostname can be found in the Windows Control Panel.

3. Click Start > Control Panel on the vWorkstation desktop to open the Windows Control Panel.

Figure 2 Windows Control Panel

4. Click the Network and Internet icon to open the related option list.

Figure 3 Network and Internet options

5. Click View network status and tasks under the Network and Sharing Center heading.

The first icon in the network map at the top of the window indicates that BASE-WIN2008 is the name of this computer.

Figure 4 Network and Sharing Center

6. In the Settings column of the Physical Configuration worksheet, type base-win2008.

Note: Because security is heavily influenced by the practices of the Linux and Unix operating systems, and because Windows does not differentiate between upper and lower case, standard practice in network security is to use lowercase whenever possible. Therefore, the hostname of BASE-WIN2008 will be entered in the spreadsheet as base-win2008. You might notice also that this hostname is unusual as it does not include a unique ID such as a number (besides the year 2008), but it is still a valid name, so it is added to the worksheet. We may wish to make some special mark, such as an asterisk (*) or plus sign (+), to indicate that this information will vary for each computer we configure.

7. In the Comments column of the Physical Configuration worksheet, type *changed for each configuration to indicate that this information will vary with each computer that will be configured.

Figure 5 Hostname configuration

8. The next item on the Physical Configuration worksheet is Domain. As this is a local firewall, type local in the Settings column.

9. The next two items are Primary DNS Server and Secondary DNS Server. The local DHCP service will provide the IP addresses that work for local DNS, wherever we happen to turn on this computer. Leave these fields blank, and add a note in the Comments column.

Note: DNS Server questions are potentially problematic and could leave the local computer open to various security problems, and could even cause the local PC not to work properly. There are a number of pieces of malicious software which will change the Domain Name Server addresses to its own DNS Servers in order to monitor what sites are being visited, hijack the browser sessions, or other, more nefarious things. If this field is left blank then the computer will use Dynamic Host Configuration Protocol (DHCP) to identify the two best DNS servers, and provide the IP addresses for those servers. This leaves the computer at the mercy of the local DHCP available when the computer attaches to a local network. If, on the other hand, DNS IP addresses are provided for internal DNS servers, those servers may not be available at the time the computer needs them and may not operate properly. This is true for well-known DNS servers, such as Google, openDNS, or Verizon too.

10. The next item on the Physical Configuration worksheet is the Time Server Hostname. This information has been provided by the network administrator, so type the IP address 172.21.4.10 in the Settings column. Include a note in the Comments column to indicate the source of the hostname.

Note: The pfSense firewall timestamps log entries, therefore it is essential that all logs use the same time and date so that they may be easily correlated. Also, one benefit to specifying an IP address here, as opposed to an actual hostname, is that the Domain Name Service is not used to resolve an alphanumeric hostname to an IP address and, therefore, it will be faster and will not be subject to problems—be it security or any other problem—associated with DNS. The obvious downside to specifying an IP address is that whenever the IP address of the server is changed, it must be changed everywhere it appears. Using a hostname instead of an IP address eliminates this step if the IP address changes.

11. The next item on the Physical Configuration worksheet is Timezone. This information has been provided by the network administrator, so type Etc/UTC in the Settings column. Include a note in the Comments column to indicate the source of the Timezone information.

12. The next item on the Physical Configuration worksheet is the WAN Interface. The pfSense Firewall wizard allows a choice of DHCP, Static, PPPoE, and PPTP WAN interface types. According to the network administrator, this computer uses a Point-to-Point over Ethernet connection, so type PPPoE in the Settings column.

In general, this will be the Layer 2 protocol for all local machines, even if the machines are in travel status or use a wireless physical interface.

13. The next item on the Physical Configuration worksheet is the MAC Address. If required by your network configuration, enter the source MAC address field. In this lab, there is no interface that will require this feature. Leave this field blank, and add a note in the Comments column.

14. The next item on the Physical Configuration worksheet is the MTU (Maximum Transmission Unit). For compatibility with the widest range of networks pfSense allows us to specify an MTU size, but in this lab, you have already specified a PPPoE WAN interface, so you will use the default value of 1,492 octets maximum. Leave this field blank, and add a note in the Comments column to indicate the default value is accurate.

15. The next items on the Physical Configuration worksheet are the IPv4 address and Classless Interdomain Routing (CIDR) /n fields. The pfSense Firewall Setup Wizard automatically fills in these items, so leave these fields blank, and add a note in the Comments column to indicate that these items are populated automatically.

16. The next item on the Physical Configuration worksheet is the Gateway. The computer on the virtual lab uses any available gateway, so a specific Gateway name is not required. Leave this field blank, and add a note in the Comments column.

17. The next item on the Physical Configuration worksheet is the DHCP Hostname. DHCP hostname is not required in this configuration, though some Internet Service Providers require it (for security and verification reasons). Leave this field blank, and add a note in the Comments column.

18. The next items on the Physical Configuration worksheet are a series of fields related to the PPPoE WAN interface. The PPPoE connection used by the virtual lab is established as a permanent connection and requires no specific configuration. Leave these fields blank, and add a note in the Comments column.

19. The next items on the Physical Configuration worksheet are a series of fields related to the Point-to-Point Tunneling Protocol (PPTP). The virtual lab does not use Point-to-Point Tunneling Protocol. Leave these fields blank, and add a note in the Comments column.

20. The next item on the Physical Configuration worksheet is the requirement to block RFC1918 Private Networks. Type YES in the Settings column to block traffic from those networks, since they are likely not from requested sources.

Note: RFC1918 is an Internet Activity Board document, called a Request for Comment—which is as close as one gets to a “standard” on the Internet—that describes what addresses can be used for private networks, or, more accurately, re-used for all private networks. Under normal circumstances, these addresses are never seen in the Internet. Hackers often use traffic with these address ranges in an attempt to confuse hardware and or software in a variety of ways. It is a good idea to force the firewall to block this traffic and not allow it onto your computer.

21. The next item on the Physical Configuration worksheet is the requirement to block bogon networks. Type Don’t block in the Settings column, since there are no longer any unassigned IPv4 address blocks.

Note: Packets with addresses in address space not yet assigned by the Internet Assigned Numbers Authority (IANA), and not described in RFC1918, are referred to as bogons, or packets with bogus addresses. By setting this configuration option to “Don’t block”, you are allowing traffic with those addresses. The IANA assigned all of the IPv4 address blocks as of mid-2011, therefore eliminating the possibility of bogus address blocks, even though there is no assurance that addresses in those blocks are valid.

22. The next item on the Physical Configuration worksheet is the LAN IP Address (172.30.0.5) and Subnet Mask of the LAN (/24). The pfSense Firewall Setup Wizard will automatically fill this field, and it will change from configuration to configuration. Leave these fields blank, and add a note in the Comments column.

23. The final item on the Physical Configuration worksheet is the Admin password. The network administrator has asked you to use a specific password, P&ss9999. Type P&ss9999 in the Settings column as a record of the password, and add a note in the Comments column.

Note that the new password has the following characteristics: an uppercase character, at least one special character (the ampersand - &) and numbers, in this case 9999. Passwords are admittedly poor secrets to secure our assets but are still used extensively within the Internet and by security tools.

Note: Up to this point, you have planned for the administrative configuration of the local firewall using the pfSense Firewall Planner spreadsheet. Now, you will complete the Firewall Rules worksheet. The first consideration you will encounter is the order of your definition lists. You can compare the process of defining firewall rules to the process of defining most Access Control Lists (ACLs). In both cases, the simplest approach is best. These are not sophisticated programs with conditional branching logic, but rather simple lists of rules that are evaluated in order, and when there are two conflicting rules, the first rule in the list that applies is used. For example, if line 3 of the definition says “don’t allow X for a certain condition,” but in line 22 you decide to “allow X for a certain condition,” the first rule that matches “a certain condition” is in line 3, so that is the rule that will always be followed.


The second consideration is whether the firewall is, by default, permissive or restrictive. That is to say whether everything is allowed by default (permissive) or not allowed by default (restrictive). In the first case (permissive), very few support calls are generated and users are usually happier because everything that they wish to do is allowed by default as rules exist only for known security problems which rarely interfere with what a user wants to do. However, this approach also leaves the door open for a wide variety of security risks. The restrictive approach says that, by default, everything is restricted unless it is specifically allowed. From a security standpoint, this is the preferred approach, though it requires more thoughtful configuration of the rules. The second approach, restrictive, is applied by the pfSense Firewall: every type of packet that is not explicitly passed is blocked by default. In other words, every packet that comes into the computer is evaluated by the firewall rules and is blocked by the firewall if it is not explicitly allowed (or passed). In the next steps, you will use the Firewall Rules worksheet to plan the configuration of a local firewall for this virtual computer. You will allow specific actions and block everything else. You will begin by deciding which actions to allow. You must recognize that any actions you allow may have security implications in and of themselves, but to be useful you have to allow the computer to do some actions and have some interactions with the network.

24. Click the Firewall Rules tab at the bottom of the pfSenseFirewallPlanner spreadsheet to open the Firewall Rules worksheet.

Figure 6 Firewall Rules worksheet

25. Compare the headings in the Firewall Rules worksheet with the following table. Each field in the worksheet is described in this table. You will need this information to complete the firewall rules configuration.

Column A, Action: Action indicates the action you wish the pfSense Firewall to take when it encounters a certain type of network traffic. The choices are pass, block, or reject. The difference between block and reject is important and only works when the protocol is set to one of the Internet Protocols: Transmission Control Protocol (TCP) or User Datagram Protocol (UDP), but not TCP/UDP. In the case of block, the questionable incoming packet is blocked and discarded (or logged, based upon the setting for that option). There is no indication to the sender that the packet has not reached the intended destination. If reject is chosen, then a packet is returned to the sender indicating that the packet or packets they sent were not accepted. There are numerous cases of the rejected packets being used by malicious software and malicious individuals to verify that a computer exists at the designated IP address, and then to attempt additional infiltration. It is, therefore, recommended that traffic be rejected only in very specific cases.

Column B, Disabled: Disabled allows a rule to be disabled but not deleted. This can be used for testing purposes or to temporarily allow a certain action.

Column C, Interface: Interface allows a firewall rule to be applied only to a specific interface (WAN or LAN) or type of tunnel within the interface (PPPoE, PPTP or IPSec).

Column D, Protocol: Protocol allows rules to be applied only to certain types of packets which use a specific protocol.

Columns E-H, Source IP Address: Source IP Address allows inverting the address comparison (if NOT is marked) as well as specification of the IPv4 address and CIDR (/n) indicator.

Columns I-J, Source Port Range: Source Port Range allows the rule to be applied only to specific source port ranges or to any source port ranges. Because the source computer uses the ephemeral ports (usually port numbers from 49152 to 65535) as the source port and can use any available ephemeral port, this option is usually left blank or “Any”.

Column K, Source O/S: Source O/S allows for traffic to be allowed by a certain rule only from specific operating systems and only for Transmission Control Protocol (TCP) traffic.

Columns L-O, Destination IP Address: Destination IP Address allows inverting the address comparison (if NOT is marked) as well as specification of the IPv4 address and CIDR (/n) indicator.

Columns P-Q, Destination Port Range: Destination Port Range allows the rule to be applied only to specific destination port ranges or to any source port ranges.

Column R, Log: Log indicates if the packets handled by this specific rule should be logged.

Column S, Description: Description allows a brief alphanumeric description of each rule to be entered.

Note: In the next steps, you will use the Firewall Rules worksheet to plan the configuration of a local firewall for this virtual computer. You will allow specific actions and block everything else. You will begin by deciding which actions to allow. You must recognize that any actions you allow may have security implications in and of themselves, but to be useful you have to allow the computer to do some actions and have some interactions with the network. In this lab, you will allow the traffic displayed in this figure.


Figure 7 Firewall Rules allowable traffic

The pfSense Firewall requires a different rule for Secure Hypertext Transfer Protocol (HTTPS) traffic. At this time we will not specify a rule for HTTPS traffic. This means that when the browser encounters a web site that utilizes the HTTPS protocol, that traffic will not be passed through the firewall. Keep in mind that this is a good example for a lab exercise, but not for practical implementation. In actual implementations there should also be a rule to pass, block, or reject HTTPS traffic.

28. In Column S of the Firewall Rules worksheet, type Internet browsing.

You will create a rule to allow browsing of the Internet according to the following definition: Pass (Column A) all traffic on the LAN interface (Column C) using the TCP protocol (Column D) from any type of address with any value and any subnet mask (Columns E-H), for the standard port range for the Hypertext Transfer Protocol (HTTP) (Columns I-J), for any operating system (Column K), for any Destination IP Address (Columns L-O), for the HTTP port range (Columns P-Q), and there is no need to log the traffic (Column R).

29. In Column A of the Firewall Rules worksheet, select Pass from the drop-down list to allow Internet traffic.

30. In Column C, type LAN.

31. In Column D, type TCP.

32. In Column F and G, type Any.

33. In Column I and J, type Any.

34. In Column K, type Any.

35. In Column M and N, type Any.

36. In Column P and Q, type HTTP.

37. In Column R, type No.

38. Repeat steps 26-35 to create the following rule descriptions. If necessary, use the table following to determine which adjustments to make.

• Allow email to/from anyone; specify the port range as that used by the Simple Mail Transfer Protocol (SMTP)

• Allow File Transfer Protocol (FTP) so that users can send files back and forth

• Allow Domain Name Service (DNS) so that users can type URLs, instead of requiring them to know specific IP addresses of any Web sites they wish to visit

• Allow Internet Control Message Protocol (ICMP) messages, such as the PING diagnostic message

• Allow Dynamic Host Configuration Protocol (DHCP) so that the computer will get an IP address dynamically

Firewall Rule    Protocol    Destination Port Range
Allow SMTP       TCP         Any-Any
Allow FTP        TCP         Any-Any
Allow DNS        TCP         Any-Any
Allow ICMP       ICMP        Any-Any
Allow DHCP       UDP         67-68

39. Close the Network and Sharing Center window.

Part 2: Configuring the Firewall

1. Double-click the pfSense firewall icon on the virtual desktop to open the pfSense Firewall application within an Internet Explorer window.

Figure 8 pfSense Firewall splash screen

2. Click OK to accept the default username and password and open the application.

3. Maximize the application window, if necessary.

Figure 9 pfSense Firewall System Overview

4. Click System > Setup wizard from the pfSense menu.

Figure 10 pfSense Setup Wizard initial configuration screen

5. Click Next to continue.

6. Refer to the Physical Configuration worksheet from the pfSenseFirewallPlanner spreadsheet that you completed in Part 1 of this lab.

7. Use the entries in the Settings column of the Physical Configuration worksheet to complete the fields on the pfSense Firewall Setup Wizard.

Figure 11 pfSense configuration settings

8. Click Next to continue.

9. Repeat steps 7-8 for the remaining fields of the pfSense Firewall Setup Wizard.

10. When prompted by the pfSense Firewall Setup Wizard, click Reload to reload pfSense with the new changes.

Figure 12 pfSense Firewall Setup Wizard Reload prompt

11. When prompted, type P&ss9999, the new pfSense Firewall password to continue.

While reloading, the pfSense Firewall will display a progress meter. When the process is completed, the pfSense Firewall System Overview screen will be displayed.

12. Click Firewall > Rules from the pfSense Firewall menu to configure the firewall with the rules you defined in Part 1 of this lab.


Notice that there is already a rule on the WAN tab: “Block private networks.” This rule was created as a result of running the pfSense Configuration Wizard because of the action you took in Step 20 of Part 1 of this lab. In that step, you opted to block RFC1918 Private Networks, and you selected that checkbox during the Configuration Wizard process. Those actions are reflected here.

Figure 13 pfSense Rules specification screen

13. Refer to the Firewall Rules worksheet of the pfSenseFirewallPlanner spreadsheet and add the Block private networks rule definition.

Note: The purpose of the pfSenseFirewallPlanner spreadsheet is to plan the firewall configuration in advance; however, as you learned earlier, even the most diligent planner can overlook something (the rule definition to block private networks, in this case), so recording any changes to the original plan makes the completed pfSenseFirewallPlanner spreadsheet an excellent starting point for replicating this configuration in the future.

14. Click the LAN tab to begin adding the new rules that you configured in Part 1 of this lab.

Notice that there is already a rule on the LAN tab: “Default LAN -> Any.” This rule allows any traffic that originates on, or goes through, the Local Area Network to which the computer is attached. This is safe and reasonable on a desktop computer that will not be moved to a public location such as a coffee shop or airport lounge, but might not be the wisest choice for a laptop. For the purposes of this lab, leave the rule as is. You will need to add this existing rule to the pfSenseFirewallPlanner spreadsheet.

15. Double-click the Default LAN -> any row to open the Firewall: Rules: Edit screen.

16. Use the data in the Firewall: Rules: Edit fields to record the rule in the pfSenseFirewallPlanner.

17. Click Cancel to return to the Firewall Rules screen without making any changes to the existing rule.

18. Click the Plus button (the Add new rule button) at the bottom right side of the Rules table on the pfSense Firewall application window to add a new rule.

Figure 14 Add new rule button

19. Use the entries in the Firewall Rules worksheet to create a rule for Internet browsing.

You will notice that there are additional fields in this screen (Advanced Options, State Type, No XMLRPC Sync, Schedule and Gateway). Do not make any changes to those fields for the purposes of this lab.

Figure 15 New Firewall Rules: Edit screen

20. Click Save to save the rule and return to the Firewall Rules screen.


Figure 16 pfSense Rules table

21. Repeat steps 18-20 for the remaining rules on the Firewall Rules worksheet.

Figure 17 Completed pfSense Rules table

22. Make a screen capture showing your completed Rules table and paste it into your Lab Report file.

23. After any discrepancies in the rules have been corrected, click the Apply changes button above the Rules table to apply the rule changes that you have made to the firewall.

Figure 18 Apply changes button

After the settings have been applied, the red message bar will change to indicate that fact.

Figure 19 Confirmation message

24. Save the completed spreadsheet as yourname_pfSenseFirewallPlanner.xls, replacing yourname with your own name and submit the file with your lab deliverables.

25. Close the virtual lab, or proceed with Part 3 to answer the challenge questions for this lab.

Lab #3 - Assessment Worksheet Configuring a pfSense Firewall on the Client

Course Name and Number: _____________________________________________________

Student Name: ________________________________________________________________

Instructor Name: ______________________________________________________________

Lab Due Date: ________________________________________________________________

Overview

In this lab, you first planned a configuration of the pfSense Firewall to protect a client computer using a spreadsheet, the pfSenseFirewallPlanner. The pfSense Firewall is a current generation product which has most of the functionality and options that will be found in most firewall products, though the implementation may vary somewhat from firewall to firewall. In the second part of the lab, you configured the pfSense Firewall using the planning spreadsheet that you created in Part 1 of the lab.

Lab Assessment Questions

1. TCP stands for?

2. UDP stands for?

3. The File Transfer Protocol (FTP) uses which transport protocol, TCP or UDP?

4. The PING diagnostic is part of which protocol?

5. TCP uses which Layer 3 protocol?

6. UDP uses which Layer 3 protocol?

7. Hyper Text Transfer Protocol (HTTP) and Secure HTTP (HTTPS) are the same protocol from a standpoint of passing or blocking them with a firewall. True or False?

8. A Host is defined as ___________________


Toolwire Lab 4: Configuring a pfSense Firewall on the Server

Introduction

Click the link below to view the network topology for this lab:

Topology

The term firewall is actually adopted from aircraft or auto engineering - take your pick. The firewall in an aircraft or car, just as it does in network security, blocks bad stuff from the area that contains people. In an aircraft or car the firewall is the actual, physical, fireproof wall between the cockpit and the passenger compartment, or between the engine compartment and the driver and passengers. In networking, a firewall is either software or dedicated hardware that exists between the network and the resource being protected. The firewall used in this virtual environment is the pfSense Firewall software application.

In this lab, you will delve into the configuration of the pfSense Firewall to protect a server. The pfSense Firewall is a current-generation product with most of the functionality and options that are found in most firewall products, though the implementation may vary from firewall to firewall. The actual keystrokes will vary little between configuring a firewall to protect a server and configuring one to protect a client machine, but the thought process - the logic - will be very different.

This lab has three parts, which should be completed in the following order:

1. In the first part of the lab, you will plan the implementation of a remote pfSense Firewall using a spreadsheet. You will answer all of the configuration questions in advance of actually making any changes to the firewall.

2. In the second part of the lab, you will implement the configuration choices that you planned in Part 1 of this lab.

3. Finally, if assigned by your instructor, you will explore the virtual environment on your own in the third part of the lab to answer a set of challenge questions that allow you to use the skills you learned in the lab to conduct independent, unguided work, similar to what you will encounter in a real-world situation.


Learning Objectives

Upon completing this lab, you will be able to:

1. Complete a Physical Configuration planning worksheet and understand the general rules of physical configuration planning for a firewall that protects a server.

2. Complete the Firewall Rules planning worksheet and understand the general rules for firewall rules planning for a firewall that protects a server.

3. Configure the physical connectivity of a firewall that protects a server.

4. Configure firewall rules for a firewall that protects a server.

Tools and Software

The following software and/or utilities are required to complete this lab. Students are encouraged to explore the Internet to learn more about the products and tools used in this lab.

• pfSense Firewall

Deliverables

Upon completion of this lab, you are required to provide the following deliverables to your instructor:

1. A completed pfSenseFirewallPlanning_EmailServer.xlsx spreadsheet;

2. Lab Report file including a screen capture of successful local firewall configuration (Part 2, Step 29);

3. Lab Assessments file;

4. Optional: Challenge Questions file, if assigned by your instructor.

Evaluation Criteria and Rubrics

The following are the evaluation criteria for this lab that students must perform:

1. Complete a Physical Configuration planning worksheet and understand the general rules of physical configuration planning of a firewall that protects a server. - [5%]


2. Complete the Firewall Rules planning worksheet and understand the general rules for firewall rules planning of a firewall that protects a server. - [60%]

3. Configure the physical connectivity of a firewall that protects a server. - [5%]

4. Configure firewall rules of a firewall that protects a server. - [30%]

Hands-On Steps

Note: This lab contains detailed lab procedures which you should follow as written. Frequently performed tasks are explained in the Common Lab Tasks document on the vWorkstation desktop. You should review these tasks before starting the lab.

1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the file in Adobe Reader.

If desired, use the File Transfer button to transfer the file to your local computer and print a copy for your reference. Instructions for transferring the file can be found in the file itself.

Figure 1 “Student Landing” workstation

2. On your local computer, create the lab deliverable files.

3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to these questions as you proceed through the lab steps.

Part 1: Planning the Configuration

Note: There are two different approaches to configuring a firewall, or any computer software for that matter. The first, and most common, is to “dive right in” and trust that the process will be fairly easy and straight-forward. The second approach is to plan the configuration steps in advance before implementing your choices. While the “dive right in” approach is very common, especially in smaller shops or for home environments, the more prudent, careful, and professional approach is to plan the configuration in advance. By documenting the configuration choices in advance, carefully considering each in the proper context, you streamline your process and increase the chances of the desired outcome on the first pass. Even the most diligent planner can overlook something. By recording any changes made during the implementation process, you will have a starting point for replicating the configuration in the future, either to assist in adding new firewalls or replacing the existing one.

In the next steps, you will complete the pfSenseFirewallPlanner_EmailServer spreadsheet. This spreadsheet contains two worksheets: Physical Configuration and Firewall Rules. The spreadsheet was designed to document answers to the questions prompted by the pfSense Firewall Configuration Wizard, in the order you will be required to answer them. You will record the configuration settings for the pfSense Firewall in this spreadsheet as you proceed through the lab. It is a good idea to scan Part 2 of this lab if you are unfamiliar with firewall configurations. Seeing how the questions are posed by the wizard might help you understand how the pfSenseFirewallPlanner_EmailServer spreadsheet works in conjunction with the wizard. Many of the steps in this part of the lab follow basic Windows conventions in Windows Server 2008. If you are an experienced Windows user who is already familiar with these steps, feel free to write down the information provided and move ahead with the lab exercises. If you are not familiar with these functions, please follow the steps and see the results, but also understand that they vary somewhat between different versions of Windows and vary greatly from the way similar information is derived in other operating systems.

1. Click the File Transfer button on the vWorkstation desktop to transfer the pfSenseFirewallPlanner_EmailServer spreadsheet from the virtual desktop to your local computer.

2. Open the pfSenseFirewallPlanner_EmailServer spreadsheet on your local computer.

This is a blank firewall planning spreadsheet that you will use to plan the configuration of the Firewall software prior to making any changes in the software itself. It is also used to record any configuration changes to this original plan.

Note: There are many factors to consider when planning how a server will be set up and secured. Because the lab environment is intended to be as straightforward as possible, you will configure a single, stand-alone server that provides only a single service: e-mail. In an actual production environment, it is possible that multiple e-mail servers are configured on the same, shared, hardware or that the same hardware is used to support multiple services, such as Web services and the File Transfer Protocol, in addition to e-mail. Look at each service offered in the following figure and determine what must be configured and why.

Figure 2 Server configuration environment

In this figure, the server is the machine on the right. The first protocol allowed for the server is the File Transfer Protocol (FTP). Allowing this protocol will allow new software to be loaded to the server and other support files to be copied as needed. A more secure approach would be to not allow FTP at all, instead loading new software and other needed files locally via CD/DVD or USB memory stick. While this approach is more secure, it is not as convenient and requires that a human be seated at the e-mail server, rather than remotely connected. In this virtual lab, you will turn off the firewall rule that allows FTP except when the server is being updated. Another option would be to use the secure FTP (sFTP) protocol, which encrypts the file transfer commands.


Domain Name Service (DNS) is allowed on this server because the e-mail server uses DNS for a variety of functions, such as resolving IP addresses of domain names associated with e-mail addresses, and therefore, it must be explicitly allowed. The Simple Mail Transfer Protocol (SMTP) and the Post Office Protocol (POP3) are both allowed so that the e-mail server may send (POP3) and receive (SMTP) e-mail. This may seem backwards from what is normally understood, but remember that the POP3 protocol is between the e-mail server and the e-mail client and allows the client to receive (and therefore the server to send) emails. The reverse is true of SMTP: the e-mail client sends and the e-mail server receives. And what about the more secure POP3S? It will not be considered in this lab, nor will the more complex Internet Message Access Protocol (IMAP) which may be used in place of, or in addition to, POP3 or POP3S. Lastly, Secure Shell (SSH) is allowed on both the remote e-mail server whose firewall is being configured as well as on the workstation from which the configuration is being done. As mentioned in the discussion on FTP, it would be far more secure though far less convenient to require administration of the e-mail server to be performed by a person sitting directly in front of the server.

3. Refer to the Firewall Rules worksheet of the pfSenseFirewallPlanner_EmailServer spreadsheet to determine the first item.

The first item on the Physical Configuration worksheet is Hostname. A hostname is the unique name of the computer (host) on the network capable of originating or responding to an interaction using the Internet Protocol. The hostname has been assigned by the system administrator as email-server. The Internet Protocol address, which also serves as the domain for this server, associated with the e-mail server is an IP version 4 (IPv4) address of 172.30.0.100.

Note: Do not forget that the e-mail server is a different machine from the vWorkstation desktop. Later in this lab, you will use the pfSense Firewall software to connect to the e-mail server remotely and configure it.

Figure 3 pfSenseFirewallPlanner_EmailServer spreadsheet

4. In the Settings column of the Physical Configuration worksheet in the Hostname row, type email-server.

5. In the Comments column of the Physical Configuration worksheet, type *changed for each configuration to indicate that this information will vary with each computer that will be configured.

6. In the Settings column of the Physical Configuration worksheet in the Domain row, type 172.30.0.100.

7. In the Comments column of the Physical Configuration worksheet, type Provided by the administrator to indicate that this information will vary with each computer that will be configured.


8. In the Settings column of the Physical Configuration worksheet in the Allow DNS server list to be overwritten row, type Yes.

Note: DNS Server questions are potentially problematic and could leave the local computer open to various security problems, and could even cause the local PC not to work properly. There are a number of pieces of malicious software that will change the Domain Name Server addresses to its own DNS Servers in order to monitor what sites are being visited, hijack the browser sessions, or other, more nefarious things. If the DNS Server fields are left blank and a numeric IP address is used in the Domain field, as is the case with this configuration, then the computer will not use Dynamic Host Configuration Protocol (DHCP), which is not allowed anyway, and security vulnerabilities due to DNS can be avoided completely.

9. In the Comments column of the Physical Configuration worksheet, type Provided by the administrator to indicate that this information will vary with each computer that will be configured.

Note: There are additional physical configuration questions, such as information about the username and password for this server, which will have already been answered correctly by the system administrator at the time the server was installed. You will know that the firewall was properly configured if you are able to remotely access the e-mail server using the pfSense Firewall software. In the interest of being thorough and secure, you will review the options used to configure the e-mail server and record them in the pfSenseFirewallPlanner_EmailServer spreadsheet during Part 2 of this lab.

10. Save the completed spreadsheet as yourname_pfSenseFirewallPlanner_EmailServer.xls, replacing yourname with your own name and submit the file with your lab deliverables.

Note: Up to this point, you have planned for the administrative configuration of the remote e-mail firewall using the pfSenseFirewallPlanner_EmailServer spreadsheet. Now, you will complete the Firewall Rules worksheet. The first consideration you will encounter is the order of your definition lists. You can compare the process of defining firewall rules to the process of defining most access control lists (ACLs). In both cases, the simplest approach is best. These are not sophisticated programs with conditional branching logic, but rather simple lists of rules that are evaluated in order, and when there are two conflicting rules, the first rule in the list that applies is used. For example, if line 3 of the definition says “don’t allow X for a certain condition,” but in line 22 you decide to “allow X for a certain condition,” the first rule that matches “a certain condition” is in line 3, so that is the rule that will always be followed.

The second consideration is whether the firewall is, by default, permissive or restrictive. That is to say whether everything is allowed by default (permissive) or not allowed by default (restrictive). In the first case (permissive), very few support calls are generated and users are usually happier because everything they wish to do is allowed by default as rules exist only for known security problems, which rarely interfere with what a user wants to do. However, this approach also leaves the door open for a wide variety of security risks. The restrictive approach says that, by default, everything is restricted unless it is specifically allowed. This approach is known as “default deny.” From a security standpoint, this is the preferred approach, though it requires more thoughtful configuration of the rules. The second approach, restrictive, is applied by the pfSense Firewall: every type of packet that is not explicitly allowed (or passed) is blocked by default. In other words, every packet that comes into the computer is evaluated by the firewall rules and is blocked by the firewall if it is not explicitly allowed. In the next steps, you will use the Firewall Rules worksheet to plan the configuration of the remote e-mail firewall. You will allow specific actions and block everything else. You will begin by deciding which actions to allow. You must recognize that any actions you allow may have security implications in and of themselves, but to be useful you have to allow the computer to do some actions and have some interactions with the network.
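The first-match ordering and default-deny behaviour described in this note (and in the matching note for the client firewall in Lab 3), together with the fields of the Firewall Rules worksheet, can be modelled directly. The following is an added example written for this page, not part of the lab or of pfSense: a toy first-match evaluator run over a constructed WAN rule set for the e-mail server, using the standard ports of the services the lab names; the admin subnet 172.30.0.0/24, the rule order, the test addresses and the trailing reject rule are assumptions for illustration.

```python
"""First-match firewall rule evaluator, added here to illustrate the pfSense
semantics the lab describes: rules are checked in order, the first rule that
matches wins, and anything no rule passes is blocked (default deny).
Example code written for this page; not part of the lab or of pfSense."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The RFC 1918 ranges covered by the wizard's "Block private networks" option.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str                  # column A: "pass", "block" or "reject"
    interface: str               # column C: "WAN" or "LAN"
    protocol: str                # column D: "TCP", "UDP", "TCP/UDP", "ICMP" or "any"
    src: str = "any"             # columns E-H: CIDR, "RFC1918", or "any"
    src_not: bool = False        # columns E-H: the NOT box inverts the source match
    dst_port: Optional[Tuple[int, int]] = None  # columns P-Q: inclusive range, None = any
    disabled: bool = False       # column B: rule stays in the list but is skipped
    description: str = ""        # column S


@dataclass
class Packet:
    interface: str
    protocol: str
    src_ip: str
    dst_port: Optional[int] = None


def source_matches(rule: Rule, pkt: Packet) -> bool:
    addr = ipaddress.ip_address(pkt.src_ip)
    if rule.src == "any":
        hit = True
    elif rule.src == "RFC1918":
        hit = any(addr in net for net in RFC1918)
    else:
        hit = addr in ipaddress.ip_network(rule.src)
    return not hit if rule.src_not else hit


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.disabled or rule.interface != pkt.interface:
        return False
    if rule.protocol == "TCP/UDP":
        if pkt.protocol not in ("TCP", "UDP"):
            return False
    elif rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    if not source_matches(rule, pkt):
        return False
    if rule.dst_port is not None:
        lo, hi = rule.dst_port
        if pkt.dst_port is None or not lo <= pkt.dst_port <= hi:
            return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the list in order; the first matching rule decides.
    'block' drops silently, 'reject' answers the sender; when nothing matches
    the packet is blocked, which is the default-deny behaviour the lab describes."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.description
    return "block", "default deny (no rule matched)"


# Constructed WAN rule set for the Lab 4 e-mail server, using the standard ports
# of the services the lab names (FTP 21, DNS 53, SMTP 25, POP3 110, SSH 22).
# The admin subnet, the rule order and the final reject rule are assumptions.
EMAIL_SERVER_RULES = [
    Rule("block", "WAN", "any", src="RFC1918", description="Block private networks"),
    Rule("pass", "WAN", "TCP", dst_port=(21, 21), disabled=True,
         description="Allow FTP (enable only while updating the server)"),
    Rule("pass", "WAN", "TCP/UDP", dst_port=(53, 53), description="Allow DNS"),
    Rule("pass", "WAN", "TCP", dst_port=(25, 25), description="Allow SMTP"),
    Rule("pass", "WAN", "TCP", dst_port=(110, 110), description="Allow POP3"),
    Rule("pass", "WAN", "TCP", src="172.30.0.0/24", dst_port=(22, 22),
         description="Allow SSH from the admin workstation subnet"),
    Rule("reject", "WAN", "TCP", dst_port=(22, 22),
         description="Reject SSH from anywhere else"),
]


def ssh_decision(rules: List[Rule], src_ip: str) -> str:
    """Description of the rule that decides an SSH connection from src_ip."""
    return evaluate(rules, Packet("WAN", "TCP", src_ip, 22))[1]


if __name__ == "__main__":
    # The ordering lesson from the note: an earlier block beats a later pass,
    # so SSH from the private admin subnet never reaches its pass rule ...
    print(ssh_decision(EMAIL_SERVER_RULES, "172.30.0.5"))
    # ... until that pass rule is moved ahead of "Block private networks".
    reordered = EMAIL_SERVER_RULES[5:6] + EMAIL_SERVER_RULES[:5] + EMAIL_SERVER_RULES[6:]
    print(ssh_decision(reordered, "172.30.0.5"))
    # A disabled rule is skipped, so FTP falls through to the default deny.
    print(evaluate(EMAIL_SERVER_RULES, Packet("WAN", "TCP", "203.0.113.10", 21)))
```

Running it shows the same SSH packet from 172.30.0.5 blocked by the earlier Block private networks rule and passed once the SSH rule is moved ahead of it, which is exactly the order dependency the note warns about.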

11. Click the Firewall Rules tab at the bottom of the pfSenseFirewallPlanner_EmailServer spreadsheet to open the Firewall Rules worksheet.

Figure 4 Firewall Rules worksheet

12. Compare the headings in the Firewall Rules worksheet with the following table. Each field in the worksheet is described in this table. You will need this information to complete the firewall rules configuration.

Column | Column Title | Description
A | Action | Action indicates the action you wish the pfSense Firewall to take when it encounters a certain type of network traffic. The choices are pass, block, or reject. The difference between block and reject is important and only works when the protocol is set to one of the Internet protocols: Transmission Control Protocol (TCP) or User Datagram Protocol (UDP), but not TCP/UDP. In the case of block, the questionable incoming packet is blocked and discarded (or logged, based upon the setting for that option). There is no indication to the sender that the packet has not reached the intended destination. If reject is chosen, a packet is returned to the sender indicating that the packet or packets they sent were not accepted. There are numerous cases of the rejected packets being used by malicious software and malicious individuals to verify that a computer exists at the designated IP address, and then to attempt additional infiltration. It is, therefore, recommended that traffic be rejected only in specific cases.
B | Disabled | Disabled allows a rule to be disabled but not deleted. This can be used for testing purposes or to temporarily allow a certain action.
C | Interface | Interface allows a firewall rule to be applied only to a specific interface (WAN or LAN) or type of tunnel within the interface (PPPoE, PPTP, or IPSec).
D | Protocol | Protocol allows rules to be applied only to certain types of packets that use a specific protocol.
E-H | Source IP Address | Source IP Address allows inverting the address comparison (if NOT is marked) as well as specification of the IPv4 address and CIDR (/n) indicator.
I-J | Source Port Range | Source Port Range allows the rule to be applied only to specific source port ranges or to any source port range. Because the source computer uses the ephemeral ports (usually port numbers from 49152 to 65535) as the source port and can use any available ephemeral port, this option is usually left blank or “Any”.
K | Source O/S | Source O/S allows for traffic to be allowed by a certain rule only from specific operating systems and only for Transmission Control Protocol (TCP) traffic.
L-O | Destination IP Address | Destination IP Address allows inverting the address comparison (if NOT is marked) as well as specification of the IPv4 address and CIDR (/n) indicator.
P-Q | Destination Port Range | Destination Port Range allows the rule to be applied only to specific destination port ranges or to any destination port range.
R | Log | Log indicates if the packets handled by this specific rule should be logged.
S | Description | Description allows a brief alphanumeric description of each rule to be entered.

13.

14. Note: In the next steps, you will use the Firewall Rules worksheet to plan the configuration of a local firewall for this virtual computer. You will allow specific actions and block everything else. You will begin by deciding which actions to allow. You must recognize that any actions you allow may have security implications in and of themselves, but to be useful you have to allow the computer to do some actions and have some interactions with the network. In this lab, you will allow the traffic displayed in this figure.

Figure 5 Firewall Rules allowable traffic

The pfSense Firewall requires a different rule for Secure Hypertext Transfer Protocol (HTTPS) traffic. At this time we will not specify a rule for HTTPS traffic. This means that when the browser encounters a Web site that utilizes the HTTPS protocol, traffic will be blocked by the firewall. Keep in mind that this is a good example for a lab exercise but not for practical implementation. In actual implementations there should also be a rule to pass, block, or reject HTTPS traffic.

15. In Column S of the Firewall Rules worksheet, type File Transfer Protocol. Don’t forget that we are going to configure the server, the device on the right-hand side of the diagram in Figure 5.

You will create a rule to allow file transfers to and from the Internet to facilitate the loading and updating of the software on the e-mail server, according to the following definition: Pass (Column A) all traffic on the LAN interface (Column C) using TCP protocol (Column D) from any type of address with any value with any subnet mask (Columns E-H) for the standard port range (Columns I-J) for any operating system (Column K) for any destination IP address (Columns L-O) for the FTP port range (Columns P-Q) and there is no need to log the traffic (Column R).

16. In Column A of the Firewall Rules worksheet, select Pass from the drop-down list to allow Internet traffic.

17. In Column C, type LAN.

18. In Column D, type TCP.

19. In Columns F and G, type Any.

20. In Columns I and J, type Any.

21. In Column K, type Any.

22. In Columns M and N, type Any.

23. In Columns P and Q, type FTP.

24. In Column R, type No.

25. Repeat steps 13-22 to create the following rule descriptions, making adjustments where necessary. Use the following table as a guide.

• Allow Domain Name Service (DNS) so that the e-mail software can resolve text URLs into numeric IP addresses instead of requiring them to be typed in as IP addresses. This is very useful for the e-mail server in functions varying from resolving destination addresses such as [email protected] to checking allowed and blacklisted e-mail servers so that Unsolicited Commercial Email (UCE/SPAM) can be detected and, potentially, blocked.

• Allow e-mail to be received to/from anyone using Simple Mail Transfer Protocol (SMTP).

• Allow Post Office Protocol, version 3 (POP3) so that users can retrieve e-mail from the server.

• Allow Secure Shell (SSH) so that the e-mail server can be remotely managed by a secure command-line interface. (SSH is quickly replacing Telnet for this purpose.)

Firewall Rule | Protocol | Destination Port Range
Allow DNS | TCP | Any-Any
Allow SMTP | TCP | Any-Any
Allow POP3 | TCP | Any-Any
Allow SSH | TCP | Any-Any

Note: Three very important protocols are not defined on the e-mail server in this lab: HTTP, DHCP, and ICMP. If you wish to use a browser for any reason on the e-mail server, either HTTP and/or its secure version, HTTPS, must be defined. In our case, the server will be managed remotely using an application that communicates with the e-mail server using the Secure Shell (SSH) protocol. The Dynamic Host Configuration Protocol is not used because the server will be statically configured with a non-changing IP address and other characteristics. In addition, Internet Control Message Protocol (ICMP) will not be allowed in this lab because it is not desirable for the e-mail server in this environment to respond to ICMP requests and be susceptible to the associated vulnerabilities. This is an individual decision of the organization that owns and/or administers the server and varies from environment to environment.
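The first-match, default-deny evaluation described at the start of this worksheet can be seen in a few lines of code. The following is an added example written for this edition of the lab, not pfSense code and not part of the original lab text: a toy evaluator whose rule fields mirror the worksheet columns, loaded with the five LAN rules planned above. Port numbers (21, 53, 25, 110, 22) are the standard assignments for FTP, DNS, SMTP, POP3 and SSH rather than values given in the lab, and the sample addresses are constructed from the 192.0.2.0/24 documentation range.

```python
"""Toy first-match firewall evaluator (added example; not pfSense code).

Rules form a flat list checked top to bottom; the first rule whose
conditions match decides the packet's fate, and a packet that matches no
rule is blocked (default deny), exactly as the lab describes.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]   # (low, high) or None for "Any"


@dataclass(frozen=True)
class Rule:
    action: str            # Column A: "pass", "block" or "reject"
    interface: str         # Column C: "LAN" or "WAN"
    protocol: str          # Column D: "TCP", "UDP" or "any"
    src_net: str           # Columns E-H: CIDR or "any"
    src_ports: PortRange   # Columns I-J
    dst_net: str           # Columns L-O: CIDR or "any"
    dst_ports: PortRange   # Columns P-Q
    description: str       # Column S
    disabled: bool = False # Column B
    log: bool = False      # Column R


@dataclass(frozen=True)
class Packet:
    interface: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _net_matches(net: str, ip: str) -> bool:
    return net.lower() == "any" or ip_address(ip) in ip_network(net, strict=False)


def _ports_match(rng: PortRange, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A disabled rule never matches; all other fields must agree."""
    if rule.disabled or rule.interface.lower() != pkt.interface.lower():
        return False
    if rule.protocol.lower() not in ("any", pkt.protocol.lower()):
        return False
    return (_net_matches(rule.src_net, pkt.src_ip)
            and _ports_match(rule.src_ports, pkt.src_port)
            and _net_matches(rule.dst_net, pkt.dst_ip)
            and _ports_match(rule.dst_ports, pkt.dst_port))


def evaluate(rules: List[Rule], pkt: Packet):
    """Return (action, matching rule). First match wins; no match means block."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule
    return "block", None


# The five LAN rules planned in Part 1: TCP, any source, any destination,
# matched on the destination port. Standard port numbers, not lab values.
LAB_RULES = [
    Rule("pass", "LAN", "TCP", "any", None, "any", (21, 21), "File Transfer Protocol"),
    Rule("pass", "LAN", "TCP", "any", None, "any", (53, 53), "Allow DNS"),
    Rule("pass", "LAN", "TCP", "any", None, "any", (25, 25), "Allow SMTP"),
    Rule("pass", "LAN", "TCP", "any", None, "any", (110, 110), "Allow POP3"),
    Rule("pass", "LAN", "TCP", "any", None, "any", (22, 22), "Allow SSH"),
]


def ordering_demo():
    """Same two SSH rules in two orders, plus the block rule disabled.

    Returns the resulting actions: the earlier rule always wins, and a
    disabled rule is skipped as if it were not there.
    """
    block_ssh = Rule("block", "LAN", "TCP", "any", None, "any", (22, 22), "no SSH")
    pass_ssh = LAB_RULES[4]
    ssh = Packet("LAN", "TCP", "192.0.2.10", 51515, "192.0.2.25", 22)  # constructed
    return (evaluate([block_ssh, pass_ssh], ssh)[0],
            evaluate([pass_ssh, block_ssh], ssh)[0],
            evaluate([replace(block_ssh, disabled=True), pass_ssh], ssh)[0])


if __name__ == "__main__":
    https = Packet("LAN", "TCP", "192.0.2.10", 51515, "198.51.100.7", 443)
    print("HTTPS from LAN:", evaluate(LAB_RULES, https)[0])   # blocked: no rule
    print("SSH rule order:", ordering_demo())
```

Note what the default deny catches without any explicit rule: HTTPS (no rule defined in this lab), DNS over UDP (the worksheet specifies TCP only), ICMP, and anything arriving on the WAN interface all fall through the list and are blocked.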

Part 2: Configuring the Firewall

1. Double-click the pfSense firewall icon on the virtual desktop to open the pfSense Firewall application within an Internet Explorer window.

Figure 6 pfSense Firewall splash screen

2. Click OK to accept the default username and password and open the application.

3. Maximize the application window, if necessary.

Figure 7 pfSense Firewall System Overview

4. Click System > General Setup from the pfSense menu.

5. Refer to the Physical Configuration worksheet from the pfSenseFirewallPlanner_EmailServer spreadsheet that you completed in Part 1 of this lab.

6. Use the entries in the Settings column of the Physical Configuration worksheet to complete the Hostname and Domain fields on the pfSense Firewall System: General Setup screen.

You will be configuring the firewall on the e-mail server, not the local virtual computer, so you will need to overwrite any existing information on the General Setup screen to properly configure the server.

Figure 8 pfSense System General Setup


7. Use the data from the System: General Setup screen to complete the Physical Configuration worksheet of the pfSenseFirewallPlanner_EmailServer spreadsheet and properly document the server firewall.

Note: Remember, the purpose of the pfSenseFirewallPlanner_EmailServer spreadsheet is to plan the firewall configuration in advance. However, as you learned earlier, even the most diligent planner can overlook something (the rule definition to block private networks, in this case). Recording any changes to the original plan makes the completed pfSenseFirewallPlanner_EmailServer spreadsheet an excellent starting point for replicating this configuration in the future.

8. Compare the data from the Physical Configuration worksheet of the pfSenseFirewallPlanner_EmailServer spreadsheet with the fields on the System: General Setup screen, and record any missing information in the spreadsheet.

9. Click Save at the bottom of the System: General Setup screen to continue.

The following message will appear at the top of the pfSense Firewall System: General Setup screen indicating that the configuration changes, if any, have been applied.

Figure 9 pfSense has saved the desired changes

10. On the pfSense Firewall menu, click Firewall > Rules to open the Firewall: Rules screen on the WAN tab.

Figure 10 pfSense Firewall WAN Rules table

11. Click the LAN tab to begin adding the new rules that you configured in Part 1 of this lab.

Figure 11 Firewall LAN Rules table

Notice that there is already a rule on the LAN tab: “Default LAN -> any.” This rule allows any traffic that originates on, or goes through, the local area network to which the computer is attached.

12. Double-click the Default LAN -> any row to open the Firewall: Rules: Edit screen.

13. Use the data in the Firewall: Rules: Edit fields to record the rule after the last entry in the Firewall Rules worksheet of the pfSenseFirewallPlanner_EmailServer spreadsheet.

14. Click Cancel to return to the Firewall Rules screen without making changes to the existing rule.

You will notice that there is an additional field in this screen (Theme). Do not make any changes to that field for the purposes of this lab.


15. Click the Plus button at the bottom right side of the Rules table on the pfSense Firewall application window to add a new rule.

Figure 12 Add new rule button

16. Use the entries in the Firewall Rules worksheet to create a rule for File Transfer Protocol.

Figure 13 New Firewall Rules: Edit screen

17. Click Save to return to the Firewall Rules screen.

18. Repeat steps 15-17 for the remaining rules on the Firewall Rules worksheet.

19. Compare your Rules table with the one in the following figure.

Figure 14 pfSense Firewall LAN Rules table

20. After any discrepancies in the rules have been corrected, click the Apply changes button above the Rules table to apply the rule changes that you have made to the firewall.

Figure 15 Apply changes button

After the settings have been applied, the red message bar will change to indicate that fact.

Figure 16 Confirmation message

Note: Up to this point, configuration of the firewall has been done using the Telnet protocol. However, it is more secure to use the Secure Shell (SSH) protocol, which makes it more difficult for hackers to reconfigure our e-mail server firewall remotely. In the next steps, you will change the remote configuration protocol to SSH.

21. From the pfSense Firewall menu, click System > Advanced.

22. Use the scrollbar on the pfSense Firewall as necessary to locate the Secure Shell portion of the System: Advanced functions screen.

23. Click the Enable Secure Shell checkbox to enable this option.

For this lab all of the remaining fields will be left at their defaults, though it is strongly advised to use authorized keys to authenticate users in an actual implementation.

Figure 17 System: Advanced functions screen

24. Click Save to complete the change.

Note: There is only one administrative step left: saving a copy of the configuration file so that this configuration may be easily restored if there is a problem. Problems that would require restoration of the configuration file could be unintentional, such as a complete hardware crash of the server, an unintentional modification of the configuration due to careless typing, or even memory modification due to a cause such as static electricity. Intentional problems could also warrant restoration of the configuration file. Malicious insiders could intentionally replace or modify the configuration file. Malicious outsiders or malware could do the same. The backup configuration file for this lab will be stored, and restored if needed, locally, but it is common practice for backup copies of configuration files to be stored on a separate, secure server and transferred either via FTP or, better yet, by an external USB memory stick.

25. From the pfSense Firewall menu, select Diagnostics > Backup/Restore.

Figure 18 Diagnostics: Backup/restore screen

26. Click the Download configuration button.

27. Click Save on the resulting File Download dialog box to open the Save As dialog box and click Downloads to save the file in the Downloads folder.

Figure 19 Save As dialog box

28. Accept the default options in this dialog box, and click Save.

Figure 20 Download complete dialog box

29. Make a screen capture showing the Download complete dialog box and paste it into your Lab Report file.

Note: At this point of the lab, you may click Close to close the dialog box and end this part of the lab; however, the configuration information in this backup/restore file is stored in a human- and machine-readable format called eXtensible Markup Language (XML), which is a couple of evolutionary steps up from Hypertext Markup Language (HTML) and some other markup languages used on the Internet. If you are interested in learning more about this topic, click Open to open the text file containing the XML code and inspect what is displayed. You will note that there are <tags> defined to contain all of the information in the firewall configuration and that they contain values that were either entered as a part of this lab or are default values provided by the pfSense Firewall application. It will probably also occur to you that humans with editor programs (such as this one) or other programs could read, and potentially modify, this file. It may also occur to you that you could bypass the clunky and cumbersome menu structure and go right to entering the XML in the configuration file, as many professionals do. You could also write code to generate different, custom configuration files to assure consistency and reduce typos. There is really no limit to what can be accomplished with this type of code.
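As an added illustration of the point just made (this is example code written for this edition, not pfSense code and not part of the original lab), the block below does both halves of what the note suggests: it generates <rule> elements from the planner table, and it audits a configuration document for pass rules that match any protocol, any source and any destination with no port, which is the shape of the "Default LAN -> any" rule you recorded in step 13. The element names (type, interface, ipprotocol, protocol, source, destination, port, descr, disabled, log) follow the layout of pfSense's exported config.xml as understood by the author of this example and are an assumption: compare them against the backup file you downloaded in step 27 before generating anything you intend to restore. The port numbers are the standard assignments, not lab values.

```python
"""Generate and audit pfSense-style firewall rule XML (added example).

Element names mirror the layout of pfSense's config.xml as the author of
this example understands it (assumption: verify against a real backup).
"""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Planner rows: (description, interface, protocol, destination port).
# protocol None means "any" and port None means "any", as pfSense expresses
# them by omitting the element. Standard port numbers, not lab values.
PlannerRow = Tuple[str, str, Optional[str], Optional[str]]
PLANNER_ROWS: List[PlannerRow] = [
    ("File Transfer Protocol", "lan", "tcp", "21"),
    ("Allow DNS", "lan", "tcp", "53"),
    ("Allow SMTP", "lan", "tcp", "25"),
    ("Allow POP3", "lan", "tcp", "110"),
    ("Allow SSH", "lan", "tcp", "22"),
]


def build_rule(descr: str, interface: str, protocol: Optional[str],
               dst_port: Optional[str], log: bool = False) -> ET.Element:
    """Build one pass rule: any source, any destination, optional port."""
    rule = ET.Element("rule")
    ET.SubElement(rule, "type").text = "pass"
    ET.SubElement(rule, "interface").text = interface
    ET.SubElement(rule, "ipprotocol").text = "inet"
    if protocol:                       # omitted element == any protocol
        ET.SubElement(rule, "protocol").text = protocol
    ET.SubElement(ET.SubElement(rule, "source"), "any")
    dst = ET.SubElement(rule, "destination")
    ET.SubElement(dst, "any")
    if dst_port is not None:           # omitted element == any port
        ET.SubElement(dst, "port").text = dst_port
    if log:                            # Column R of the worksheet
        ET.SubElement(rule, "log")
    ET.SubElement(rule, "descr").text = descr
    return rule


def build_config(rows: List[PlannerRow]) -> str:
    """Serialize a minimal <pfsense><filter> document from planner rows."""
    root = ET.Element("pfsense")
    filt = ET.SubElement(root, "filter")
    for descr, iface, proto, port in rows:
        filt.append(build_rule(descr, iface, proto, port))
    return ET.tostring(root, encoding="unicode")


def count_rules(xml_text: str) -> int:
    return sum(1 for _ in ET.fromstring(xml_text).iter("rule"))


def audit_config(xml_text: str) -> List[str]:
    """Descriptions of enabled pass rules that allow everything.

    'Everything' means: no protocol restriction, source any, destination
    any, and no destination port. Such a rule defeats default deny because
    every packet on that interface matches it before the specific rules.
    """
    findings = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        if rule.findtext("type") != "pass" or rule.find("disabled") is not None:
            continue
        proto_any = rule.findtext("protocol") in (None, "any")
        src_any = rule.find("source/any") is not None
        dst = rule.find("destination")
        dst_any = (dst is not None and dst.find("any") is not None
                   and dst.find("port") is None)
        if proto_any and src_any and dst_any:
            findings.append(rule.findtext("descr") or "<no description>")
    return findings


if __name__ == "__main__":
    planned = build_config(PLANNER_ROWS)
    print(planned)
    # Constructed: the same table with the default permit rule left in front.
    with_default = build_config([("Default LAN -> any", "lan", None, None)] + PLANNER_ROWS)
    print("overly broad rules:", audit_config(with_default))
```

Running the audit over the document you downloaded (after parsing it with ET.parse instead of the constructed string) gives the same check the later penetration-testing lab performs by hand when it removes the default permit rule.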

30. Save the completed spreadsheet as yourname_pfSenseFirewallPlanner_EmailServer.xls, replacing yourname with your own name and submit the file with your deliverables.


31. Close the virtual lab, or proceed with Part 3 to answer the challenge questions for this lab.

Lab #4 - Assessment Worksheet

Configuring a pfSense Firewall on the Server

Course Name and Number: _____________________________________________________

Student Name: ________________________________________________________________

Instructor Name: ______________________________________________________________

Lab Due Date: ________________________________________________________________

Overview

In this lab, you first planned a configuration of the pfSense Firewall using a spreadsheet, the pfSenseFirewallPlanner_EmailServer, to protect an e-mail server computer. The pfSense Firewall is a current-generation product with most of the functionality and options that are found in most firewall products, though the implementation may vary from firewall to firewall. In the second part of the lab, you configured the pfSense Firewall using the planning spreadsheet that you created in Part 1 of the lab.

Lab Assessment Questions & Answers

1. Most remote configuration and administration uses the _______ protocol?

2. SSH stands for?


3. The File Transfer Protocol (FTP) uses which transport protocol, TCP or UDP?

4. From a security standpoint, it is more desirable to use the numeric IP address of a static IP host, such as an e-mail server, than to allow the address to be looked up the Domain Name Service. True or False?

5. Because the e-mail server will not be required to run a browser, which protocol is not allowed by the firewall rules?

6. Because the e-mail server uses a fixed, static, predetermined IP address, which protocol is not used, and, therefore, not specifically allowed to pass through the firewall?

7. Hyper Text Transfer Protocol (HTTP) and Secure HTTP (HTTPS) are the same protocol from a standpoint of passing or blocking them with a firewall. True or False?

8. Which protocol is used for a variety of functions in the e-mail server, such as resolving the numeric address of [email protected], and which servers are blacklisted for being sources of Unsolicited Commercial Email (UCE)?


Toolwire Lab 5: Penetration Testing a pfSense Firewall

Introduction

Click the link below to view the network topology for this lab:

Topology

Penetration testing tests the strengths and weaknesses of the IT security, as well as the readiness of the facility and/or employees to respond to an attack. Pen testing, as it is often called, can be as much of an art as it is a science. It can be done by security professionals, either part of the organization being tested, or hired by that organization, to assure that the IT defenses are sound (at least as sound as reasonably possible) and consistent with policy, or it can be done by black-hat hackers, the bad guys, as a part of their targeting rituals. In many cases, pen testing is done by those clueless beginners known as script kiddies in their search for a great story to tell.

In any case, effective penetration testing consists of five main steps: reconnaissance, scanning, vulnerability analysis (enumeration), exploitation (the actual attack), and post-attack activities, including remediation of the vulnerabilities. Before attacking a system, the pen tester first utilizes an automated tool or tools, at least initially, to scan for and identify the various vulnerabilities which can be exploited. It is important to realize that not all automated tools are the same. Some tools work against a variety of target environments (any device with an IP address on the network) while other tools work against only a subset of possible targets (e.g.: 802.11 Wi-Fi network, ERP system, email server, etc.). Often, pen testers will use more than one tool to help identify vulnerabilities from a number of sources: in fact it is beneficial to run more than one vulnerability scan because different vulnerability scanners may get different results. Regardless of their effectiveness against specific targets, all share the characteristic that they replace the laborious, time-consuming job of typing commands out the old-fashioned way. Many times the automated tools can be used to complete the entire task of identifying vulnerabilities, but many times the automated tools are used only for targeting with humans typing specialized commands for specialized circumstances.

In this lab, you will use a popular automated tool, OpenVAS, to expedite the beginning of the hacking process, and identify the logic and strategy behind the attack or attacks. Though you will stop short of actually attacking the system, you will gain a better understanding of the capabilities of this and other widely-available vulnerability assessment tools.

This lab has three parts which should be completed in the order specified.


1. In the first part of the lab, you will validate the existing pfSense Firewall rules in preparation for completing a penetration test.

2. In the second part of the lab, you will use OpenVAS to check for vulnerabilities on a virtual Windows server, and then reconfigure the firewall to eliminate those vulnerabilities.

3. Finally, if assigned by your instructor, you will explore the virtual environment on your own to answer a set of challenge questions that allow you to use the skills you learned in the lab to conduct independent, unguided work, similar to what you will encounter in a real-world situation.

Learning Objectives

Upon completing this lab, you will be able to:

1. Describe the steps of a penetration test.

2. Perform a penetration test against a system protected by a pfSense firewall.

3. Discuss measures that can be taken to harden a target against attacks while balancing system access and usability needs.

Tools and Software

The following software and/or utilities are required to complete this lab. Students are encouraged to explore the Internet to learn more about the products and tools used in this lab.

• pfSense Firewall

• OpenVAS

Deliverables

Upon completion of this lab, you are required to provide the following deliverables to your instructor:

1. Lab Report file including:
   a. screen captures of the following steps: Part 2, Steps 6, 9, 16, and 23;
   b. DCE Services Enumeration research from Part 2, Step 11;

2. Lab Assessments file;

3. Optional: Challenge Questions file, if assigned by your instructor.

Evaluation Criteria and Rubrics


The following are the evaluation criteria for this lab that students must perform:

1. Describe the steps of a Penetration Test. - [30%]

2. Perform a Penetration Test against a system which is behind a pfSense firewall. - [50%]

3. Discuss measures that can be taken to harden a target against attacks while balancing system access and usability needs. - [20%]

Hands-On Steps

Note: This lab contains detailed lab procedures which you should follow as written. Frequently performed tasks are explained in the Common Lab Tasks document on the vWorkstation desktop. You should review these tasks before starting the lab.

1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the file in Adobe Reader.

If desired, use the File Transfer button to transfer the file to your local computer and print a copy for your reference. Instructions for transferring the file can be found in the file itself.

Figure 1 "Student Landing" workstation

2. On your local computer, create the lab deliverable files.

3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to these questions as you proceed through the lab steps.

Part 1: Configuring a pfSense Server Firewall

Note: White-hat hackers, whether employees of the target company or hired for the specific purpose, generally know the security configuration of the IT system they are trying to penetrate. There are many possible security postures of any network and its constituent parts (the workstations, servers, firewalls, load balancers and the like), from highly secure to not secure at all. Knowing information about the configuration including its IP addresses, software and versions, and the logical and physical configurations of a network can be very useful in terms of understanding what defenses must be built and how to check the vulnerabilities of a system, but is also very unrealistic because actual attackers are unlikely to know as much about your environment and may devise attacks which are outside your ability to easily predict. This lab begins by validating a pfSense firewall for a basic network which will be pen tested in Part 2.


1. Double-click the pfSense Firewall icon to open the firewall configuration in an Internet Explorer window.

2. Click OK to accept the default credentials and open the pfSense Firewall application.

Figure 2 pfSense firewall overview

3. Select Firewall > Rules from the pfSense toolbar.

4. Click the LAN tab to validate that the existing firewall rules meet the following criteria.

o Allow File Transfer Protocol (FTP) so that users can send files back and forth

o Allow Domain Name Service (DNS) so that users can type URLs, instead of requiring them to know specific IP addresses of any Web sites they wish to visit

o Allow email to be received to/from anyone; specify the port range as that used by the Simple Mail Transfer Protocol (SMTP)

o Allow Post Office Protocol, version 3 (POP3) so that users can retrieve email from the server

o Allow Secure Shell (SSH) so that the email server can be remotely managed by a secure command line interface (SSH is quickly replacing TELNET for this purpose).

o Allow Internet browsing using the HTTP protocol

o Allow secure Internet browsing using the HTTPS protocol

o Allow Internet Control Message Protocol (ICMP) messages, such as the PING diagnostic message

Figure 3 pfSense firewall rules

5. Minimize the pfSense Firewall window.

Note: As you just verified, the pfSense Firewall has been configured as shown in the following figure. Remember that this information is available to you because you are the defender of the information system you are testing. If you were an actual attacker, you would not have access to this information and you would have to use some alternate means (reconnaissance) to gain access to it.

Figure 4 Lab configuration

Part 2: Penetration Testing

Note: Every penetration tester, from script kiddies to the most serious professional hackers, has their own set of steps but they all fall into the same rough categories: network scanning, port scanning, vulnerability analysis, and exploitation. For defenders, there is also a remediation step during which vulnerabilities are fixed and then the steps are repeated to ensure the attack can't occur again. For attackers, the last step is often an attempt to cover their tracks by destroying or modifying log files or other bits of forensic information that will prove that they were there.


The security industry is adopting what it calls the attacker kill chain to describe the process of attack. Reconnaissance can use a combination of technical and social engineering approaches and leads to the weaponization of specific tools, such as spear-phishing emails or mobile apps. The delivery phase, often left to specialists, is where the malicious software is delivered to the intended victim or victims. Often a pen test is a precursor to delivery. Next is the exploitation phase, in which the attack is unleashed. Most modern attacks have a C2, or command and control, component during which, at minimum, the results of exploitation are reported, but which can also include additional targeting and tasks. Certain disruptive software does not have a C2 phase, such as malware intended to operate without reporting results or requesting additional direction from an outside source. During the final phase, extraction, logs may be modified, malicious software may "self-destruct" to avoid detection, or other steps may be taken. In a strange egomaniacal twist, it has also become common practice for attackers to leave some sort of indication that they were present, often as a dare to defenders and/or law enforcement but often in an attempt to redirect blame to other parties.

Figure 5 Attacker kill chain

Automated tools, such as OpenVAS or the Retina Network Security Scanner, can be used to perform the vulnerability assessment portion of a penetration test. In the next step you will use OpenVAS to check for any vulnerabilities in the virtual environment and then craft a plan to reduce or eliminate those vulnerabilities, hopefully without creating new ones.

1. Double-click the OpenVAS Web icon to start the OpenVAS application. The Greenbone Security Assistant will open in a new Internet Explorer tab.

The OpenVAS server takes several minutes to initialize. Do not click any other buttons; you will be prompted for a password when the server is ready.

2. When prompted, type the following credentials and click Login to open the Greenbone Security Assistant window.

o Username: openvasadmin

o Password: pass

Figure 6 Greenbone Security Assistant

3. In the IP address or hostname box under the Quick Start section of the page, type 192.168.16.15 (the IP address for the Windows 2008 Server on Network 2) and press Start Scan.

When the scan is completed, you will see a blue Done button in the Status column of the table. The scan can take several minutes to complete. You can manually refresh the page during this time, or set the page to automatically refresh.

Figure 7 Scan 192.168.16.15


4. In the Tasks header, select Refresh every 10 Sec from the first drop-down menu and click the Set Button (green refresh arrows button) to its right.

Figure 8 Refresh the screen

5. When the scan completes, click today's date in the Reports table on the main screen, which corresponds to the scan you just ran, to open the Reports Summary.

Note: At this point of your review, the Report Summary simply tells you that the tool has identified medium- and low-ranked vulnerabilities. You will explore these findings later in this lab. Security analysts use this type of report to compare the findings of several scans over time.

6. Make a screen capture showing the number of Medium and Low security issues found on the Reports Summary and paste it into your Lab Report file.

7. Use the scrollbar to locate the Results Filtering portion of the report.

Note: The results can be filtered a number of different ways. This is less important for this lab, where you are scanning one IP address with a minimum of ports and there are only a minimum of results, but it can be a significant time saver when a specific vulnerability is being searched for.

Figure 9 Result Filtering for scan of 192.168.16.15

8. Use the scrollbar to locate the Filtered Results portion of the report.

Note: In the Results Filtering portion of the report, the findings are sorted by port and then threat in ascending order. Notice that the port summary above the first vulnerability in the report includes port 135 indicating that the first vulnerability, or set of vulnerabilities, is related to Windows Client Server communication. The detailed summary information that follows this summary table provides a plain-English high-level description of the problem as well as a hint at the solution (which in this case is to filter port 135).

Figure 10 First detailed security issue

9. Make a screen capture showing the security issues reported for 192.168.16.15 and paste it into your Lab Report file. You may need to make multiple images to capture the entire summary.

Note: Because the virtual Workstation has no direct Internet connection, in the next steps, you will explore the threats identified by OpenVAS using your own computer's Internet connection.

10. On your local computer, open a new Internet browser session.


11. From your favorite search engine, search for DCE Services Enumeration (the first security issue identified by OpenVAS) to determine why port 135 should be filtered and document this information in your Lab Report file.

12. On the vWorkstation, click the firewall.local tab in the Internet Explorer window.

Recall that the first pfSense firewall rule in the existing configuration is a default permit (allow any) rule.

Figure 11 Default permit rule

13. Click the Default LAN -> any checkbox and click the Delete button to remove that firewall rule.

Figure 12 Delete Default permit rule

14. When prompted, click OK to confirm the change.

15. Click the Apply changes button.

Figure 13 Apply changes

16. Make a screen capture showing the modified firewall rules and paste it into your Lab Report file.

17. Click the Greenbone Security Assistant (OpenVAS) tab in the Internet Explorer window.

18. Click the Greenbone Security Assistant logo at the top of the page to return to the home page.

19. In the OpenVAS Tasks table, click the start icon (green arrow) to re-start the scan of 192.168.16.15.

Figure 14 Re-start the scan

20. Repeat step 4 to automatically refresh the screen.

Note: Pen testing is an excellent security control, but you should always rescan a system or network to validate changes. It is also important to rerun a vulnerability scan after patching programs or closing vulnerabilities because in closing some you may have opened others.

When the scan is complete, note that the Trend arrow points down, indicating that fewer vulnerabilities were found in this scan than in the last scan.

Figure 15 Trend indicator

21. When the scan completes, click today's date in the Reports table on the main screen, which corresponds to the scan you just ran, to open the Reports Summary.

22. In the Reports Summary, note the number of Medium and Low security issues found.


23. Make a screen capture showing the number of Medium and Low security issues found on the Reports Summary and paste it into your Lab Report file.

24. Use the scrollbar to locate the Filtered Results portion of the report.

Notice that the threat on port 135 is no longer an issue because of the changes you've made to the firewall rules.

25. Close the virtual lab, or proceed with Part 3 to answer the challenge questions for this lab.
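Steps 19 through 24 validate the firewall change by rescanning and comparing the new report with the baseline. The script below is an added example (not part of the Toolwire lab materials or of OpenVAS) showing how a defender can make that comparison repeatable instead of eyeballing the Trend arrow: it diffs two result sets finding by finding, recomputes the Medium/Low counts, derives the trend, and checks that nothing is still reported on a port the new rule was supposed to close. It assumes the scanner's findings have been exported as rows of host, port, protocol, finding name and threat level; the rows used here are constructed sample data, not real scan output.

```python
"""Validate a firewall change by diffing two vulnerability scan results.

Added example for this lab; it is not part of the Toolwire materials or of
OpenVAS. It assumes the scanner's findings have been exported as rows of
host, port, protocol, finding name and threat level. The rows below are
constructed sample data, not real scan output.
"""
from collections import Counter
from dataclasses import dataclass

# Weight per threat level, used to decide which way the trend arrow points.
THREAT_WEIGHT = {"High": 3, "Medium": 2, "Low": 1, "Log": 0}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    proto: str
    name: str
    threat: str

    def key(self):
        # A finding is "the same" across scans when host, port, protocol
        # and finding name match; the threat level may have been re-rated.
        return (self.host, self.port, self.proto, self.name)


# Constructed baseline: scan taken while the default "LAN -> any" rule was in place.
BEFORE = [
    Finding("192.168.16.15", 135, "tcp", "DCE Services Enumeration", "Medium"),
    Finding("192.168.16.15", 135, "tcp", "Constructed finding: endpoint mapper reachable", "Low"),
    Finding("192.168.16.15", 445, "tcp", "Constructed finding: SMB signing not required", "Medium"),
    Finding("192.168.16.15", 80, "tcp", "Constructed finding: server banner disclosure", "Low"),
]

# Constructed rescan: same host after the default permit rule was deleted.
AFTER = [
    Finding("192.168.16.15", 445, "tcp", "Constructed finding: SMB signing not required", "Medium"),
    Finding("192.168.16.15", 80, "tcp", "Constructed finding: server banner disclosure", "Low"),
]


def diff_scans(before, after):
    """Return which findings were fixed, which are new, and which persist."""
    before_keys = {f.key(): f for f in before}
    after_keys = {f.key(): f for f in after}
    fixed = sorted(k for k in before_keys if k not in after_keys)
    new = sorted(k for k in after_keys if k not in before_keys)
    persisting = sorted(k for k in before_keys if k in after_keys)
    return {"fixed": fixed, "new": new, "persisting": persisting}


def threat_counts(findings):
    """Count findings per threat level, like the Reports Summary does."""
    return Counter(f.threat for f in findings)


def weighted_score(findings):
    return sum(THREAT_WEIGHT.get(f.threat, 0) for f in findings)


def trend(before, after):
    """'down' means the rescan is better than the baseline (the Trend arrow points down)."""
    b, a = weighted_score(before), weighted_score(after)
    if a < b:
        return "down"
    if a > b:
        return "up"
    return "flat"


def still_exposed(findings, blocked_ports):
    """Findings on ports the firewall change was supposed to close.

    A non-empty result means the rule change did not take effect (or was not
    applied) and the rescan must not be accepted as validation of the change.
    """
    return [f for f in findings if f.port in blocked_ports]


if __name__ == "__main__":
    delta = diff_scans(BEFORE, AFTER)
    print("fixed:", delta["fixed"])
    print("new:", delta["new"])
    print("before:", dict(threat_counts(BEFORE)), "after:", dict(threat_counts(AFTER)))
    print("trend:", trend(BEFORE, AFTER))
    print("still exposed on 135:", still_exposed(AFTER, {135}))
```

The `new` list matters as much as `fixed`: the lab's note that closing one vulnerability may open another is exactly the case this list surfaces, and the `still_exposed` check catches the common mistake of deleting a rule without clicking Apply changes.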

Lab #5 - Assessment Worksheet

Penetration Testing a pfSense Firewall

Course Name and Number: _____________________________________________________

Student Name: ________________________________________________________________

Instructor Name: ______________________________________________________________

Lab Due Date: ________________________________________________________________

Overview

In this lab you began by configuring a pfSense firewall. You then analyzed the vulnerabilities and potential attack strategies against the firewall and against a server on Network 2, beyond the firewall from your attack position. If assigned by your instructor, you performed an additional vulnerability scan and researched the details and possible threats of the vulnerabilities.

Lab Assessment Questions & Answers

1. What does an effective penetration test consist of?

2. Which is not part of the Attacker Kill Chain?

a. Reconnaissance
b. Exploitation
c. Weaponization
d. System Hardening

3. Time and dollar budgets permitting, it is beneficial to run more than one vulnerability scan because different vulnerability scanners may get different results. True or False?

4. It is important to rerun a vulnerability scan after patching programs or closing vulnerabilities because in closing some you may have opened others. True or False?

5. Domain Name Service runs on port ___.

6. Network 1, including the host connection for the firewall, is a part of the _________ Class C or CIDR /24 subnetwork.


Toolwire Lab 6: Using Social Engineering Techniques to Plan an Attack

Introduction

Click the link below to view the network topology for this lab:

Topology

It is often said within the security community that to be the best defender one must be the best attacker. It is very common during security exercises to have the Red Team and Blue Team change places and allow the attackers to become the defenders and the defenders to become the attackers. Very often, the best security professionals will go "outside the wall" and look back in with the intention of getting an attacker's-eye view and use that experience to see their own defenses in a different light. This lab will demonstrate the thinking process an attacker might use when attacking a firewall-protected site using primarily social engineering and reverse social engineering. Take note that these same concepts and methods can be applied to any other attack/defend situation.

There are two major categories of attacks: the bulk, non-targeted attacks and the highly targeted attack. Targeted attacks may be an attack against a class of targets, such as hospitals or networks protected by XYZ Company firewalls, or Windows 2008 servers for instance. An attacker may also target a single, specific target. Generally, non-specific attacks are termed "attacks of convenience" and the targeted variety are called "targeted attacks".

Very often, attackers will use a wide-sweeping attack of convenience to gather information for an attack, for instance, to uncover a certain vulnerability, before targeting a specific subject or subjects (perhaps those in a particular industry, such as finance or healthcare).

This lab will concentrate on the targeted attack. Targeted attacks are growing in popularity as defenders improve their defenses against the historically successful attacks of convenience and attackers narrow their objectives to get bigger and bigger pay-offs from a smaller list of targets, often coupling real-world crime or terrorism with cybercrime and cyberterrorism.

This lab has three parts which should be completed in the order specified.


1. The first part of the lab will focus on social engineering. By following the sample attack, you will learn many of the ways in which information can be gathered from a subject, or subjects, and combined for either real-world or cybercrimes.

2. The second part of the lab will concentrate on reverse social engineering. By following the example provided, you will learn the importance of open source intelligence in designing a reverse social engineering attack.

3. Finally, if assigned by your instructor, you will do further research on the technical aspects of the attack plan and develop a social engineering campaign against a target.

This lab is a paper-based lab and requires the use of the Virtual Security Cloud Lab (VSCL) only to access the relevant documents.

Learning Objectives

Upon completing this lab, you will be able to:

1. Recognize some of the key characteristics of a social engineering attack.

2. Identify some of the key signs of a reverse social engineering attack.

3. Describe the differences and similarities of an attack of convenience and a targeted attack.

4. Implement countermeasures to social and reverse social engineering attacks.

Tools and Software

The following software and/or utilities are required to complete this lab. Students are encouraged to explore the Internet to learn more about the products and tools used in this lab.

• None

Deliverables

Upon completion of this lab, you are required to provide the following deliverables to your instructor:

1. Lab Report file including screen captures of the following steps: Part 1, Steps 7, 12, 15, 18, and 22;

2. Lab Assessments file;

3. Optional: Challenge Questions answers and a sample open source intelligence plan if assigned by your instructor.


Evaluation Criteria and Rubrics

The following are the evaluation criteria for this lab that students must perform:

1. Recognize some of the key characteristics of a social engineering attack. - [20%]

2. Identify some of the key signs of a reverse social engineering attack. - [20%]

3. Describe the differences and similarities of an attack of convenience and a targeted attack. - [10%]

4. Implement countermeasures to social and reverse social engineering attacks. - [50%]

Hands-On Steps

Note: This lab contains detailed lab procedures which you should follow as written. Frequently performed tasks are explained in the Common Lab Tasks document on the vWorkstation desktop. You should review these tasks before starting the lab.

1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the file in Adobe Reader.

If desired, use the File Transfer button to transfer the file to your local computer and print a copy for your reference. Instructions for transferring the file can be found in the file itself.

Figure 1 “Student Landing” workstation

2. On your local computer, create the lab deliverable files.

3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to these questions as you proceed through the lab steps.

Part 1: Targeted Social Engineering Attack

Note: Many attacks are achieved either by purely technical means (such as determining IP address ranges and performing port and vulnerability scans) or by purely social engineering methods. Increasingly, however, attacks blend social engineering with technical means in complicated, sophisticated, and mature targeted attacks. Very often senior criminals or terrorist leaders will coordinate the efforts of specialists, paying each for their services, to bring about the most effective attacks. In this way, among others, cyber criminality is beginning to resemble traditional criminal enterprises: in the non-cyber world there are specialists for picking locks, cracking safes, and driving get-away cars. The same sort of specialization is happening in cyberspace.

In Part 1 of this lab, you will be shadowing a cybercriminal specializing in social engineering techniques. You will follow the steps in the lab to discover just how he gathers the information he needs to develop an attack on the targeted company. The documents required for this lab are located on the vWorkstation desktop. To get the most out of the lab, it is imperative that you not read ahead and that you stop and execute the various steps of the lab as instructed. Each section will show a series of vignettes which may be successful in and of themselves or may be woven together with other social and reverse social engineering methods, and possibly technical hacking, to represent an entire campaign against the target. While the scenario in this lab targets a fictitious company and simulates the information gathering phase of the hacking process, the steps described are typical of the real world.

Your cybercriminal mentor has informed you that the targeted company for this attack is an organization called Global Enterprises, Inc., located in Dalton, Georgia. You have been hired to collect enough information to enable an attack on their email system. Though you anticipate that the email server will be protected by a firewall, you don't know which firewall or what type of email server. The first step in this reconnaissance mission is to conduct a simple Internet search to find the correct target company. The easiest things are frequently overlooked by highly technical hackers: most enterprises try to get a URL that is some variation of their name. Your mentor knows better and types www.globalenterprises.com into his browser.

1. Double-click the website.pdf icon on the vWorkstation desktop to see the result of the browser search.

Figure 2 Global Enterprises home page (Photo copyright MIXA next/Thinkstock)

Note: Remember, the only things we know about the target are its name and location. The home page of this Web site confirms that the name of the company is the same as the targeted company's, but doesn't provide the location. Further research is required. Your mentor informs you that most companies list addresses and phone numbers on the Contact Us page, so that's the next step.

2. Close the website.pdf file.

3. Double-click the contact.pdf icon to open the Contact Us page.

Figure 3 Global Enterprises Contact Us page

Note: Because of the relatively small size of Dalton, Georgia, and the reassurance you gained from the fact that the company's name appears in the URL, you can be fairly confident that this is the correct Global Enterprises, but it may be wise to double-check with the client.


You might be tempted to take time to guess at what the client might want to accomplish with an attack on the email system of an engineered flooring company based in north Georgia: Are they a competitor who wishes to get inside information? Do they want to exfiltrate intellectual property such as manufacturing methods, customer lists, or information to support, or derail, an upcoming merger? Is there a financial or personal motive? In the end, as a professional hacker, you don't really care: you are being hired to provide information which can be used by others to mount the attack, so the "why" is interesting but not important. What is important, then, is to learn as much about the target as possible.

4. Close the contact.pdf file.

Note: A general Internet search using Google, Bing, or some other search engine returns thousands of references, most of which refer to some other Global Enterprises and not to the target, so you must keep looking. Perhaps you could find information about employees of the company. Start by checking the email address format for the target company, Global Enterprises. The Contact Us page on the company's Web site lists an email link at the globalenterprises.com domain rather than some other variant. This is as you would expect from inspecting the site's URL but, as usual, it is good to verify the information and avoid a waste of time and effort.

You might think that you could just type "@globalenterprises.com" into your search engine as a starting point for your search, but you can't: no major search engine searches email addresses, so you must take another approach. One thing to consider, but which is beyond the scope of this exercise, is the hacking of Google itself, or purchasing lists that are the result of hacking Google or of other email collection efforts, known as harvesting. Hacking Google itself is very risky and could lead to jail time faster than hacking other sites due to Google's investment in security and legal action. However, purchasing bulk mailing lists from organizations that sell such things openly on the Internet and searching the doc or txt files that you have purchased may yield the results for which you are looking at a very low price.

Another common source of information is a domain name registration service, such as whois.net. These sites, and there are dozens of them, have provided a lot of useful information in the past, so that's the next step. The newer registrations protect employee privacy, but older registrations can yield technical and administrative contact names, addresses, phone numbers, and a host of other details that can be very useful in putting together a very effective social engineering campaign.
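The note above makes the defender's point in passing: an older, unprotected registration hands a social engineer the names, phone numbers and email addresses of the very people who run IT. The script below is an added example (not part of the Toolwire lab materials or of whois.net) of the check an organization can run against its own domains before an attacker does. It parses the "Key: Value" text that registrars and whois lookup sites return, flags registrant/admin/tech contact fields that are not masked by a privacy service, and pulls out the name servers, which the lab notes remain visible even when the contacts are hidden. Both records are constructed samples for a fictitious `.example` domain, not real lookups.

```python
"""Audit a whois record for exposed contact details.

Added example for this lab; it is not part of the Toolwire materials or of
any whois service. The two records below are constructed samples for a
fictitious domain, not real lookups.
"""
import re

# Field names whose values identify a person; the role prefixes whois uses.
CONTACT_FIELDS = ("Name", "Street", "City", "Phone", "Email")
CONTACT_ROLES = ("Registrant", "Admin", "Tech")

# Value patterns that mean the registrar or a privacy service is masking the field.
REDACTION_MARKERS = re.compile(
    r"redacted|privacy|proxy|rdds|data protected|not disclosed", re.I
)

# Constructed: an older registration with full contact details exposed.
OLD_RECORD = """\
Domain Name: globalenterprises.example
Registrant Name: Example Admin Person
Registrant Organization: Global Enterprises, Inc.
Registrant Street: 100 Example Way
Registrant City: Dalton
Registrant Phone: +1.7065550100
Registrant Email: admin-person@globalenterprises.example
Tech Name: Example Tech Person
Tech Phone: +1.7065550101
Tech Email: it-person@globalenterprises.example
Name Server: NS1.GLOBALENTERPRISES.EXAMPLE
Name Server: NS2.GLOBALENTERPRISES.EXAMPLE
"""

# Constructed: the same domain re-registered behind a privacy service.
NEW_RECORD = """\
Domain Name: globalenterprises.example
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy service provider
Registrant Phone: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar
Tech Name: REDACTED FOR PRIVACY
Name Server: NS1.GLOBALENTERPRISES.EXAMPLE
Name Server: NS2.GLOBALENTERPRISES.EXAMPLE
"""


def parse_whois(text):
    """Turn 'Key: Value' lines into a dict of key -> list of values."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key and value:
            record.setdefault(key, []).append(value)
    return record


def exposed_contacts(record):
    """Return (field, value) pairs that reveal a real contact, i.e. are not masked."""
    exposed = []
    for key, values in record.items():
        role, _, field = key.partition(" ")
        if role not in CONTACT_ROLES or field not in CONTACT_FIELDS:
            continue
        for value in values:
            if not REDACTION_MARKERS.search(value):
                exposed.append((key, value))
    return exposed


def name_servers(record):
    """Authoritative name servers; whois shows these even for protected records."""
    return [ns.lower() for ns in record.get("Name Server", [])]


def audit(text):
    """Summarize what a reader of this whois record could learn."""
    record = parse_whois(text)
    return {
        "domain": record.get("Domain Name", [""])[0],
        "exposed": exposed_contacts(record),
        "name_servers": name_servers(record),
    }


if __name__ == "__main__":
    for label, rec in (("old", OLD_RECORD), ("new", NEW_RECORD)):
        result = audit(rec)
        print(label, result["domain"], "exposed fields:", len(result["exposed"]))
        for field, value in result["exposed"]:
            print("   ", field, "=", value)
        print("    name servers:", result["name_servers"])
```

Run it against a real whois dump of your own domain (saved to a file) and every line it prints under "exposed fields" is a detail a caller can quote back to your help desk; the fix is to enable the registrar's privacy service or point the contacts at role mailboxes and a switchboard number rather than individuals.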

5. Double-click the whois.pdf icon to see the whois.net results for Global Enterprises.


Figure 4 Whois information for Global Enterprises

6. Make a screen capture showing the whois information for Global Enterprises and paste it into your Lab Report file.

Note: The whois information for Global Enterprises reveals very little useful information, largely because the useful information is hidden from view. The most useful information, according to your mentor, is the names of the name servers, which could be used to launch some sort of DNS poisoning or similar DNS attack. Keep this information on hand in case it is needed at a later date, but for now this is a dead end. In many cases, however, whois returns some very useful information. In a real situation, you would try several different whois sites to see if any reveal more, or different, information than the others.

7. Close the whois.pdf file.

Note: Having reached a dead end with the whois tools, your mentor wants to use a variety of social engineering and open source intelligence tools to collect information about the site, the company, or their servers or services. For publicly traded companies, one excellent open source intelligence approach would be to download the company's Securities and Exchange Commission 10-K report and Annual Report to Stockholders. Either as an intelligence-gathering exercise of its own, or as a precursor to further research, these are invaluable documents because they generally list officers of the company, the company's financial state, any legal settlements affecting the company, and short- and long-term development plans. Since this information is not available for Global Enterprises from their Web site, you must continue to look elsewhere for the information your client is paying you to find.

Because you are currently searching for people who work at a business, as opposed to school children, artists, model ship hobbyists, or some other specific, non-business group, you might want to consider using a business contact or networking site, such as LinkedIn.com. For this lab, you will use a similar, though not real, site called GetConnected.com. You will search for employees of Global Enterprises who are located in Georgia.

8. Double-click the getconnected.pdf icon to open the results of a search for Global Enterprises in the fictitious business networking site, GetConnected.com.

Figure 5 GetConnected search results (Silhouette copyright John Takai/iStock/Thinkstock; Headshot copyright Comstock Images/Stockbyte/Thinkstock)

Note: Take a look at the search results generated by GetConnected.com. The networking site found five people who are currently employed at a company called Global Enterprises, and one employee who worked there previous to his current position. The search criteria you entered eliminated anyone who works for any Global Enterprises located anywhere other than Dalton or North Georgia, even if they are working at a different location of the same target company. For this hacking assignment, you would not consider them good candidates for an attack if they are located elsewhere. Your mentor helps you determine which of the employees in the search results might be good candidates for further research. Remember the information you are looking for: anything about the firewall or email server that Global Enterprises is using.

Anne Lawrence: Because she is in HR recruiting, she might know the information you need, and because her job involves talking to people, she might be open about revealing the information if you approach her in the right manner. She is your number one candidate right now.

Steve Burns: Steve is a project manager and PMP (Project Management Professional) who previously worked at Rich's Department Stores, which means that he is probably more of a physical project manager, not an IT person, so he does not move to the top of your list.

Ravi Purim: Mr. Purim is not a current employee, and he was a high-level executive when he did work at Global Enterprises. Best not to include him in your list; he will not easily give up the information you need.

Heath Andreeson: As Assistant Director of Systems Development, he makes a great candidate. He probably knows what we want to know, and there are a number of ways you might be able to approach him to obtain the information with or without his knowledge; however, he was formerly with the Los Angeles Police Department. Without knowing what his role was in the police department, you will need to investigate further. If he was ever a law enforcement officer, as opposed to a civilian support person, he might be trained in detecting deception, even on the telephone or via email, and has a high chance of uncovering our true intentions. Keep him on the list, but continue seeking a better candidate.

LouAnne Garfinkle: She is Director of Global IT, and Global Enterprises is small enough that she probably knows what we need to know. Because this job is a promotion from her previous position at Rugs-R-Us as Assistant Director, you can assume that was her goal in leaving Rugs-R-Us. In addition, her name is relatively unique, so it will be easier to find her in subsequent Internet searches. She has just moved to number one in your list of possible candidates.

Bryan Smythe: As a director of business development, he is further removed from the information you need, and with a common name, he is added to the bottom of your list.

So now you know that the best option for your social engineering attack on Global Enterprises is LouAnne Garfinkle, with Anne Lawrence a close second. You need to find out a little more about LouAnne, so you decide to view her GetConnected profile.


9. Close the getconnected.pdf file.

10. Double-click the profile.pdf icon to review LouAnne Garfinkle's GetConnected profile.

Figure 6 GetConnected profile (Headshot copyright Comstock Images/Stockbyte/Thinkstock)

11. Make a screen capture showing LouAnne's profile and paste it into your Lab Report file.

Note: You've hit the jackpot with this profile: LouAnne writes a blog, IT Insights, so it may not even be necessary to contact her directly to gain a great deal of information about Global Enterprises. Even if she is security conscious and does not post the name of her employer on her blog, you can be fairly confident that anything posted since 2009, her date of employment at Global Enterprises, is likely to be relevant to your open source intelligence gathering goals. A simple Internet search for LouAnne's name and the name of her blog should lead you to the blog. From there, it is a matter of searching her blog for information about Global Enterprises' firewall and email server. Your search turns up two promising blog entries.

12. Close the profile.pdf file.

13. Double-click the blog1.pdf icon to open the first important blog entry.

Figure 7 IT Insights blog header (Headshot copyright Comstock Images/Stockbyte/Thinkstock)

14. Make a screen capture showing the entire blog entry and paste it into your Lab Report file.

15. Close the blog1.pdf file.

16. Double-click the blog2.pdf icon to open the next important blog entry.

17. Make a screen capture showing the entire blog entry and paste it into your Lab Report file.

18. Close the blog2.pdf file.

Note: It is very likely that you now know which email server Global Enterprises is using and the type of firewall and version that LouAnne has installed, though it is possible that she may have upgraded if there is a later version of the firewall software.

19. On your local computer, open an Internet browser session for your favorite search engine.

20. Perform an Internet search to find the current version of the firewall software used by Global Enterprises.

21. Make a screen capture showing the current version number and paste it into your Lab Report file.

22. Minimize the local browser session.


Note: What else can LouAnne's blog tell us? The rest of LouAnne's blog is a treasure trove of open source intelligence. Other blog entries reveal additional technical details and specific problems she has had with the software and how most of those problems were fixed. She even lists user group meetings and conferences she will be attending, and, best of all, those at which she will be speaking! Even people who should know better are not always aware of the trail they leave behind. They leave traces of information in a variety of places, never thinking that someone else might be trying to connect the pieces together. Information gathering is often as simple as following the breadcrumbs.

Sometimes a simple Internet search is the best approach. In this case, you could search for "LouAnne Garfinkle and Global Enterprises", or variants of her possible email address, such as "lgarfinkle" or "lagarfinkle". The search would likely return a large number of unrelated results, but could provide some open source intelligence hits, especially for someone you already know has a Web presence via her own blog and speaking engagements. Be especially aware of hits related to technical support Web sites, since the questions and answers she might have posted on those sites might be very revealing. Another approach is to concentrate on personal details, such as hobbies, family, and other personal interests revealed in a blog, that might become very useful in building a targeted social engineering campaign, spear phishing emails, or even direct contact via telephone or in person.

Depending upon your client's budget, the sky is the limit for data mining, and LouAnne Garfinkle is only one of several Global Enterprises employees who may be good targets for gathering intelligence about the company. No matter which approach you follow, you certainly know a lot more than you did before, with no intrusive hacking and no likelihood that you will be detected in any way. In the worst case scenario, your browser history will give you away, but a quick scrub of the browser's cache will alleviate that problem. Secure storage and ultimate destruction of your screen captures will erase any forensic evidence.

Part 2: Targeted Reverse Social Engineering Attack

Note: At the most basic level, social engineering is a fancy term for a con job. The goal of the social engineer is to create, in some way, a set of "facts" so believable to the subject, often called the target or mark, that they take some action that reveals information of importance to you. In many cases, such as those where the information is compartmentalized (that is to say, no one person or source knows all the facts), a single person is only part of the overall puzzle, a puzzle whose pieces must be collected, vetted for misinformation, and properly assembled. In true social engineering, the social engineer approaches the subject and attempts to extract information or to get the subject to take some action that will cause the desired information to be revealed. However, there is a subset of social engineering called reverse social engineering in which a set of circumstances is set up that causes the subject to approach the social engineer and reveal the desired information.

In Part 2 of this lab, you will see how your hacking mentor used a common reverse social engineering technique to obtain more information from LouAnne Garfinkle. After studying LouAnne's GetConnected profile, your mentor made an educated guess that LouAnne might have left her old job (Assistant Director of IT) for her new job (Director of Global IT) for a promotion. He has also guessed that visibility and responsibility were more important to her than salary, as long as the salary was similar. Based on this very simple psychological profile, and knowing that LouAnne has already been in her current job since 2009, your mentor thinks LouAnne might be in the market for another promotion. He places an ad in several newspapers near Dalton, Georgia, to see if LouAnne Garfinkle will respond.

Figure 8 Ad used to lure LouAnne Garfinkle

1. Double-click the ad.pdf icon on the vWorkstation desktop to view the details of the job ad.

2. Close the ad.pdf file.

Note: So, did this ruse work? Like a charm. LouAnne not only responded to the ad, but she submitted her resume via email as requested and went through what seemed to be a normal hiring process. LouAnne participated in a number of phone interviews with the "VP of Global IT" for the hiring company, the person whom she would replace if she was the successful candidate. During these interviews LouAnne unwittingly revealed a great deal of very specific information about the technology in place at Global Enterprises, information that would have been very difficult to get any other way. The final interview was held at a downtown hotel with a "corporate recruiter" because, as LouAnne was told, the prospective employer did not want to reveal its identity for reasons of confidentiality, but LouAnne was assured that any job offers would come directly from the company. Three days later LouAnne was contacted by the "recruiter" and was let down easily. She was told that the individual whom she was to replace had decided to put off retirement for another year, but that she had impressed everyone throughout the interview process and could expect a call within the year.

LouAnne didn't realize it, but all phone interviews were conducted by your hacking mentor using burner cell phones that were discarded after the desired information was obtained. The email address she submitted her resume to was an anonymous account, which she was told was being directed to the recruiter's private account because the hiring company wanted confidentiality until the final candidate was offered a job.

How can an organization guard against social engineering and reverse social engineering? The answer is awareness training and constant vigilance, but that does not come without a price. An organization must be very careful that the awareness training initiatives, including the use of formal classes, posters, rewards for leads on intellectual property leaks, and occasional internal news stories of how social engineering could happen even within the company, do not curtail or destroy the cooperation and team-building that the organization strives so hard to build. It is a tough balance, but one that organizations can achieve with a strong program that defines clearly what is acceptable and what is not, does so in writing, and asks the employee to acknowledge in writing, at time of hire and annually thereafter, that they have read, understand, and will abide by the rules. It is also important for an organization to be prepared to enforce the policy by terminating employees, contractors, and subcontractors who do not abide by the policy.

3. Close the virtual lab, or proceed with Part 3 to answer the challenge questions for this lab.

Lab #6 - Assessment Worksheet

Using Social Engineering Techniques to Plan an Attack

Course Name and Number: _____________________________________________________

Student Name: ________________________________________________________________

Instructor Name: ______________________________________________________________

Lab Due Date: ________________________________________________________________

Overview

In this lab, you followed a social engineering scenario. You acted as a cybercriminal and used social engineering techniques to gather enough information to develop an attack on a targeted company. You learned the importance of open source intelligence in designing a reverse social engineering attack.

Lab Assessment Questions


1. What firewall does Global Enterprises use?

2. What version of firewall did Global Enterprises install?

3. What is the current version number of the firewall software used by Global Enterprises?

4. What email server does Global Enterprises use?

5. What are Global Enterprises' Domain Name Servers?

6. Which Global Enterprises employee used to work for the Los Angeles Police Department?

7. Where did LouAnne Garfinkle work before coming to Global Enterprises?

8. Job applicants often feel as if the job description were written especially for them, in LouAnne’s case that was true. Briefly describe what elements of the job ad from Part 2 of the lab might appeal specifically to LouAnne Garfinkle.

9. What is the difference between social engineering and reverse social engineering?

a. Social engineering is used in the real world. Reverse social engineering is used in the cyber world.
b. Social engineering is used on most people. Reverse social engineering is used on people with specialized law enforcement training.
c. In social engineering the con artist goes to the target; in reverse social engineering the con artist gets the target to come to them.
d. In social engineering email is taken from the subject; in reverse social engineering the subject is sent email or SPAM.
e. Only script kiddies do social engineering. Reverse social engineering is done by professional cyber criminals.


10. What is the top objective of an anti-social engineering campaign within an organization?

a. Penalties
b. Awareness
c. Spying on co-workers
d. Spying on bosses
e. Spying on subordinates
f. All of c-e above


Toolwire Lab 7: Configuring a Virtual Private Network Server

Introduction

Click the link below to view the network topology for this lab:

Topology

A Virtual Private Network (VPN) is a private network that enables remote users (for example, employees, suppliers, partners, and customers) to leverage the inherently insecure public Internet to connect to an enterprise's private network resources in a secure manner. To do this, companies create a secure tunnel from the client to the server and use encryption to keep unauthorized parties from viewing or intercepting the data in transit.

A VPN is typically built using keys and certificates which must also be kept secure. But that method is not infallible. It is widely felt, for instance, that massive security breaches perpetrated by Edward Snowden against the allegedly most secure organization in the world, the National Security Administration (NSA), involved, at least in part, compromising keys and certificates and creating and using false credentials.

Another way in which VPN security can be compromised is through hairpinning. Hairpinning involves an unauthorized access of a computer connected to a VPN, usually by malicious software, but sometimes by active hacking. For example, malicious software can be surreptitiously loaded on a computer connected to a VPN which allows the malware to enter the VPN tunnel as valid traffic. In this way, the malware enters the tunnel, without having to break the encryption or deal with any of the protective mechanisms. In other words, it gains access to the network at the other side of the VPN tunnel completely unchallenged.

Unfortunately, VPNs are often established and administered by network operations or system administrators with little or no security training. To make matters worse, advances in attack sophistication have rendered the protection tools of the 1990s ineffective, yet not all organizations regularly update their VPN configurations and associated policies. Other organizations are quick to adopt the "latest and greatest" approaches and leave themselves vulnerable to attacks which are as yet unknown within the community of defenders but which are exploited routinely within the attacker community.

In light of advances in both attacks and defenses the configuration of an organization's VPN should be reviewed periodically, some might argue as often as once per month, but in no case less often than annually. In addition, the VPN infrastructure should routinely be subjected to a penetration test to ascertain the likelihood and impact of a potential breach. Any changes to the configuration should be applied uniformly to all VPN connections within the organization.

In this lab, you will configure the server side of the Linux Debian Openswan VPN. Only someone with security knowledge and an understanding of the organization's operating environment can properly protect the network's resources. Once the server side of the VPN is configured, the systems operational personnel can apply the configuration to the client devices, reboot both machines, and test the VPN connection. You will configure the other side of the VPN in the Configuring the Linux Debian Openswan VPN: Client Side lab later in this lab manual.

This lab has two parts which you should complete in order.

1. In the first part of the lab, you will configure the server side of a Linux Debian Openswan VPN.

2. Finally, if assigned by your instructor, you will explore the virtual environment on your own in the Challenge Questions section of the lab and use the skills you learned in the lab to practice a basic, but important, skill required of systems operators and security analysts and engineers alike.

Learning Objectives

Upon completing this lab, you will be able to:

1. Configure the server side of a Linux Debian Openswan VPN.
2. Describe the advantages and disadvantages of different VPN configuration options.
3. Discuss how to prevent attacks against data in transit using a properly configured VPN.

Tools and Software

The following software and/or utilities are required to complete this lab. Students are encouraged to explore the Internet to learn more about the products and tools used in this lab.

• PuTTY
• Openswan VPN

Deliverables

Upon completion of this lab, you are required to provide the following deliverables to your instructor:


1. Lab Report file including screen captures of the following steps: Part 1, Step 49;
2. A completed Openswan Host-Host Configuration your name.xlsx file;
3. Lab Assessments file;
4. Optional: Challenge Questions file, if assigned by your instructor.

Evaluation Criteria and Rubrics

The following are the evaluation criteria for this lab that students must perform:

1. Configure the server side of a Linux Debian Openswan VPN. - [10%]
2. Describe the advantages and disadvantages of different VPN configuration options. - [70%]
3. Discuss how to prevent attacks against data in transit using a properly configured VPN. - [20%]

Hands-On Steps

Note: This lab contains detailed lab procedures which you should follow as written. Frequently performed tasks are explained in the Common Lab Tasks document on the vWorkstation desktop. You should review these tasks before starting the lab.

1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the file in Adobe Reader.

If desired, use the File Transfer button to transfer the file to your local computer and print a copy for your reference. Instructions for transferring the file can be found in the file itself.

Figure 1 "Student Landing" workstation

2. On your local computer, create the lab deliverable files.
3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to these questions as you proceed through the lab steps.

Part 1: Configuring the VPN: Server Side

Note: In the virtual lab environment, you have access to the vWorkstation (shown on the left in the following diagram) and a Linux Debian server (shown on the right), on which you will later configure the Openswan VPN. In the next steps, you will use PuTTY, a terminal emulator, to connect to the remote server. The PuTTY application is being used in this lab, but any terminal emulator will yield the same results. It is also possible to log onto the VPN server directly.

Figure 2 Virtual lab configuration

1. Double-click the putty.exe icon on the vWorkstation desktop to open the application window.

2. In the Host Name box, type 172.30.0.100 (the IP address of the Linux Debian Openswan VPN server).

Figure 3 PuTTY Configuration dialog box

3. If necessary, click the SSH radio button to use a Secure Shell (SSH) connection.
4. Click Open to complete the connection.
5. Log in to the server using the following credentials.

o Login: student and press Enter.
o password: type ISS316Security and press Enter.

You are now logged into Debian Linux in the student account. In order to configure the Openswan VPN, you must have super user (su) privileges.

6. Log in to the server using the super user credentials.
7. At the prompt, type su and press Enter.
8. When prompted for a password, type toor and press Enter.

You are now logged into the Linux Debian machine with super user access.

Note: The Openswan software has already been installed on the server by the system administrator. In the next steps, you will use the ipsec verify command to assure that the ipsec is properly installed and working, use the ipsec whack command to check for any existing VPN tunnels, and then update the ipsec configuration file.

9. At the prompt, type ipsec verify and press Enter.

A cursory glance will indicate that the results for the ipsec verify command include mostly OKs and no FAILURES, which is good. The IPsec Verify sidebar will explain each check in detail.

Figure 4 Results of ipsec verify command

IPsec Verify

The ipsec verify command is used to confirm that the ipsec is active and communicating properly. The following table describes each of the checks that the command performs.


Check performed: Version check and ipsec on-path
Description of results: The version of IPsec is correct (or at least consistent with the rest of the installed modules), and the IPsec software components are where they are supposed to be.

Check performed: Linux Openswan U2.6.37-g955aaafb-dirty/K3.2.0-4-amd64 (netkey)
Description of results: Openswan is installed with the NETKEY IPsec protocol stack. This check will return one of two choices: the native NETKEY protocol stack or the new alternative KLIPS. Each choice has its own advantages and disadvantages, but because the virtual lab uses IPv4, NETKEY has been chosen.

Check performed: Checking for IPsec support in kernel
Description of results: IPsec was successfully installed in the operating system.

Check performed: SAref kernel support
Description of results: Support for Security Association reference (SAref) is not applicable for this installation.

Check performed: NETKEY: Testing XFRM related proc values
Description of results: The XFRM (transform) procedures which provide additional policy management and enforcement for establishing and operating Security Associations (SAs) are working properly.

Check performed: Checking that pluto is running
Description of results: The daemon that performs the Internet Key Exchange (IKE) functions configured with the build is called pluto, and it is running.

Check performed: Pluto listening for IKE on udp 500
Description of results: Pluto is listening for IKE requests on port 500 and is using the User Datagram Protocol (UDP).

Check performed: Pluto listening for NAT-T on udp 4500
Description of results: Pluto is listening for Network Address Translation Traversal (NAT-T) on port 4500 using UDP.

Check performed: Checking for 'ip' command
Description of results: The ip command is operational.

Check performed: Checking /bin/sh is not /bin/dash
Description of results: The sh shell is required to assure support consistency in Openswan. This check assures that the shell is sh, and not dash.

Check performed: Checking for 'iptables' command
Description of results: This check assures that the iptables command is operational. The iptables command allows configuration of certain options and rules for IPv4. The ip6tables command is required for similar functionality for the IPv6 protocol.

Check performed: Opportunistic Encryption Support
Description of results: Opportunistic Encryption (OE) begins the connection negotiation process with encrypted messages, but if the encrypted messages are not responded to, or not responded to properly, the fallback is unencrypted support. In the case of this configuration, OE is disabled, therefore the systems must use encrypted messages to negotiate connection establishment.

Note: Next we will use the ipsec whack --status command to display the status of the IPsec installation and verify the status of any existing tunnels prior to configuring a VPN tunnel. Tunnel set-up can be done manually or automatically. Automatic configuration is done by accepting the software's default configuration. Contrary to common practice, in most cases a manual configuration is easier, less error prone, and gives the security engineer more control. Within Openswan, however, the automatic approach is usually preferred, so that is the approach you will use in this lab.


Prior to beginning the configuration process, there is one more very serious security consideration. What if you inadvertently make a configuration change, select a configuration option improperly, or properly select an option but improperly document it? Any of these actions could cause the two systems to stop communicating with each other. This would be the IT equivalent of locking your keys in the house. If you left the back door unlocked or hid a key under the mat, you would be able to access your house. You could do the same thing in an IT situation, if you don't mind the system being less secure. In most cases, however, systems are most secure if either two people with administrative rights are each physically sitting at the local and remote keyboards, or if both systems are physically brought to the same place so that one person, with admin rights, has access to both systems. Either option is valid, but the second approach is the most secure.

10. At the prompt, type ipsec whack --status and press Enter.
11. Use the scrollbar to scroll back to the top of the results.

The first part of the ipsec whack --status results confirms that NETKEY is used as the protocol stack and explains how the interfaces are configured. The results also indicate that debug mode is turned off.

Figure 5 Result of ipsec whack --status command (Part 1)

The second part of the ipsec whack --status results delineates which virtual private networks are allowed and which are disallowed. The warning message here points out that no virtual private subnets are disallowed. Pay close attention to the list of allowed virtual private networks. fd00::/8 and fe80::/10 are allowed. These are IPv6 addresses, whereas the others are IPv4 with Classless Inter-Domain Routing (CIDR) designations.

Figure 6 Result of ipsec whack --status command (Part 2)

The third part of the ipsec whack --status results specifies the configuration of all possible Encapsulating Security Payload (ESP) values and ESP authorization (auth) attributes (attr). The ESP encryption configurations include the name, Initialization Vector Length (ivlen), minimum and maximum key sizes (keysizemin and keysizemax) allowed, and also includes the name of the algorithm. The last algorithm, id=251, is a null authentication with a minimum and maximum key size of zero, which indicates no key at all.

Figure 7 Result of ipsec whack --status command (Part 3)

The final part of the results shows the configuration of the allowable Internet Key Exchange (IKE) types. First, you will see the encryption algorithm, the block size and key length. Next, the results display the hashing algorithms and hash size. The Diffie-Hellman group and bit length follow, and finally, database statistics are shown.


Figure 8 Result of ipsec whack --status command (Part 4)

Note: There is no perfect way to configure a VPN. The correct configuration depends on the needs of the organization and the environment. In this lab, you will establish what is generally called a Host-to-Host VPN or Host-to-Host Tunnel. To begin, review the following diagram of the virtual lab environment. In contrast to the diagram in Figure 2, this diagram follows the convention of placing the VPN server on the left, and the vWorkstation on the right. The left side of the diagram is usually reserved for the local machine (the one you are currently working on), and the right side is usually the remote machine. This makes it easy to remember because the first letter of both left and local is L, and the first letter of both right and remote is R. It is important to remember that these machines can have any name (Tom/Jerry, East/West, or Black/White), but the convention of left and right is used in this diagram.

Figure 9 VPN configuration diagram

Now that the machines have been identified, the next step is to create the configuration file (ipsec.conf). As is the case with most VPN software packages, the configuration file for Openswan is configured by entering a series of configuration statements using a general purpose text editor, such as the vi editor which ships with Debian7. Other software packages use menus and other graphical user interface (GUI) devices to make the job easier for less knowledgeable users, but the command line approach can actually be faster and easier. It is common practice for experienced security engineers to sit down and enter commands from memory or scraps of paper. These security engineers start from the existing configuration file and edit it to create a new file, but this is a bad practice that can often lead to lengthy troubleshooting and sometimes to errors that can go undetected but can leave a system vulnerable to certain kinds of attacks. For this reason, it is a strongly recommended best practice to begin fresh and create a new configuration file each time. In this lab, you will use the Openswan Host-to-Host Configuration worksheet to generate a set of commands you will need to create a new configuration file.

12. Double-click the Openswan Host-Host Configuration icon on the vWorkstation desktop to open the spreadsheet in OpenOffice. If necessary, move or minimize the PuTTY window; do not close the window.

This spreadsheet will generate the correct spacing and syntax required to create the new ipsec configuration file, ipsec.conf. Review the instructions at the top of the worksheet before proceeding.

Figure 10 Openswan Host-to-Host Configuration worksheet


Note: While this spreadsheet does not include all possible configuration options, it does include more options than you will need for this lab. The Options column includes the configuration options for the commands generated by the worksheet. For any cell in the Options column, click the arrow to display a drop-down menu of available options.

13. In cell C2 of the spreadsheet, type your own name, replacing the text already in that cell.
14. In cell D20, type 2 to identify the specification version that the file conforms to.

This statement is required in configuration files after version 1.

15. In cell D23, type %defaultroute to allow Debian to fill in the relevant IP addresses when the configuration file is run.

If you were configuring a specific route, you would type the IP address for that route in this cell.

16. In cell F24, type Y to exclude the klipsdebug configuration statement.

Unless asked to do so by a developer or security analyst, this command should not be enabled.

17. In cell F25, type Y to exclude the plutodebug configuration statement.

Unless asked to do so by a developer or security analyst, this command should not be enabled.

18. In cell D26, type /var/run/pluto to specify the dump directory.

Though not required, it is good practice to include a dumpdir statement.

19. Leave cell F27 blank to include the NAT traversal statement.

The statement is not required in the virtual lab because there is no Network Address Translation gateway in the configuration, let alone one to be traversed. It is included in the spreadsheet because it is common in most VPN configurations. This statement tells Openswan to properly handle the unencrypted header information prepended to encrypted IPSec packets that must traverse NAT gateways.

20. In cell D28, select auto to allow the protocol stack to be selected dynamically.

The NETKEY or KLIPS protocol stacks may be specified, or the protocol stack may be selected dynamically. The default is NETKEY if no protostack= statement exists, if both ends have protostack=auto, or if there is a conflict.


21. In cell C30, type %default to add the section title that begins the group of commands that configures the Security Associations (SA), and their related tunnels for negotiating key administration.

The second conn section, beginning in cell C42, creates the section title that begins the group of commands that configures the actual tunnel between the Local/Left and Remote/Right machines that is used to securely carry the user's information.

22. In cell C31, select ignore, the default auto configuration statement.
23. In cell C32, review the options in the cell's drop-down menu. The default authentication method is RSA signatures (rsasig). Leave cell F32 blank to include the default statement.

Another option is to use Pre-Shared Keys (PSK) or a more sophisticated approach, such as Rivest-Shamir-Adleman (RSA). Very often, PSK is chosen because it appears to be easier to set up; however, a passphrase, or even a string of random keyboard characters, used as a pre-shared key, can be cracked fairly easily with modern techniques and hardware. On the other hand, RSA creates the keys using an algorithm that intentionally creates keys that are much harder to crack. There are ways to make PSK more secure, but in this lab, you will use RSA.

24. In cell C33, select 3des from the cell's drop-down menu to establish the desired IKE ciphers. Leave cell F33 blank to include the command.

It is noteworthy that with Openswan's automatic configuration mode the Internet Key Exchange (IKE) protocol is used to automate certain aspects of the set-up. The IKE statement in cell A33 will include the options selected in the next two rows of the spreadsheet, so selections made in those rows will change the statement in cell A33.

25. In cell C34, select md5 from the cell's drop-down menu to specify the IKE hash in cell A33. In cell F34, the Y excludes a separate IKE hashes statement.

26. In cell C35, select modp1024 from the cell's drop-down menu to specify the IKE pfsgroup in cell A33. In cell F35, the Y excludes a separate IKE pfsgroups statement.

27. In cell F36, type Y to exclude the Phase 2 algorithm statement.
28. In cell C37, review the options in the cell's drop-down menu. In cell F37, type Y to accept any Phase 2 combinations and exclude a separate Phase 2 ciphers statement.

The Phase 2 statement will include the options selected in the next two rows of the spreadsheet; however, in this lab, you will exclude these statements and accept any default Phase 2 combinations.

29. In cell C38, review the options in the cell's drop-down menu. In cell F38, the Y excludes a separate Phase 2 hashes statement.

30. In cell C39, review the options in the cell's drop-down menu. In cell F39, the Y excludes a separate Phase 2 pfsgroups statement.

31. In cell F40, type Y to exclude the IKE key statement.


32. In cell C43, select 0.0.0.0 from the cell's drop-down menu to allow any address on that side of the VPN to work with the VPN.

There are several options for handling the left IP address, as one can see by selecting the drop-down menu in the Options column. If you wanted to enter a specific IP address, select [ip address] from the drop-down menu in the Options column and type the IP address in cell D43.

33. In cell D44, type 172.30.0.0/24, the subnet address for the Local machine, specified in Classless Inter-Domain Routing (CIDR) notation.

34. In cell D45, type 172.30.0.2, the IP address of the Remote machine in Figure 9.
35. In cell D46, type 172.30.0.0/24, the subnet address for the Remote machine, specified in Classless Inter-Domain Routing (CIDR) notation.
36. In cell C47, select tunnel from the cell's drop-down menu to establish a VPN tunnel as the connection type. Leave cell F47 blank to include the command.
37. There is no Left RSA signature authentication key for this lab. In cell C48, select %none from the cell's drop-down menu. Leave cell F48 blank to include the command.
38. There is no Right RSA signature authentication key for this lab. In cell C49, select %none from the cell's drop-down menu. Leave cell F49 blank to include the command.
39. Select File > Save As from the OpenOffice menu. If necessary, click the Desktop icon, select Microsoft Excel 97/2000/XP (.xls)(*.xls) from the Save as type drop-down menu, type Openswan Host-Host Configuration your name in the File name box, and click Save. When prompted, click Keep Current Format to close the popup message.

Replace your name with your own name.

Note: In the previous steps, the options you selected in the Openswan Host-to-Host Configuration worksheet created a set of command lines in column A with the correct spacing and syntax required to create an ipsec configuration file. The # signs indicate comments and are not executed. The blank lines and white space are required and are properly set-up. This approach is far more consistent and less error-prone than typing in commands and then troubleshooting the results. Every organization should have some procedures in place, whether an Excel spreadsheet, a word processing document or a formal program that provides consistent guidance in the creation of the ipsec.conf file as well as other important configuration files. In the next steps, you will use the command lines you created in this worksheet to create the ipsec.conf file. This file is found in the /etc/ directory.
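As an added example (not part of the lab or of Openswan itself), here is the ipsec.conf that the worksheet values from steps 14 through 38 produce, reconstructed as a constructed sample, followed by a small Python audit that parses the file and flags the choices a reviewer would question: the 3des/md5/modp1024 IKE proposal, the missing Phase 2 statement, and the %none signature keys. The hardened algorithm names and the key strings are assumptions and placeholders; confirm the syntax against man ipsec.conf on your build.

```python
"""Audit an Openswan ipsec.conf for settings a reviewer would question."""
import re

# Constructed sample: the server-side file the lab worksheet generates from
# the values chosen in steps 14-38 (not a file shipped with the lab).
LAB_IPSEC_CONF = """\
# /etc/ipsec.conf - Openswan IPsec configuration file
version 2.0

config setup
    interfaces=%defaultroute
    dumpdir=/var/run/pluto
    nat_traversal=yes
    protostack=auto

conn %default
    auto=ignore
    authby=rsasig
    ike=3des-md5-modp1024

conn host-host
    left=0.0.0.0
    leftsubnet=172.30.0.0/24
    right=172.30.0.2
    rightsubnet=172.30.0.0/24
    type=tunnel
    leftrsasigkey=%none
    rightrsasigkey=%none
"""

# The same file with the weak choices replaced. The algorithm names are
# assumed for this Openswan build and the key strings are placeholders.
HARDENED_IPSEC_CONF = (
    LAB_IPSEC_CONF
    .replace("ike=3des-md5-modp1024",
             "ike=aes256-sha2_256;modp2048\n    phase2alg=aes256-sha2_256;modp2048")
    .replace("leftrsasigkey=%none", "leftrsasigkey=0sAQ...LEFT_KEY_PLACEHOLDER")
    .replace("rightrsasigkey=%none", "rightrsasigkey=0sAQ...RIGHT_KEY_PLACEHOLDER")
)

# Algorithm tokens no longer acceptable in an ike= or phase2alg= proposal.
WEAK_TOKENS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536", "null"}


def parse_ipsec_conf(text):
    """Return {section: {key: value}} for 'config setup' and each 'conn NAME'.
    A section header starts in column 0; its parameters are the indented
    key=value lines below it. Comments and blank lines are skipped, and the
    'version' line is kept under the pseudo-section 'version'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            words = line.split()
            if words[0] == "version":
                sections["version"] = {"version": words[1]}
                current = None
            else:
                current = " ".join(words)
                sections[current] = {}
            continue
        if current is None:
            raise ValueError("parameter outside any section: %r" % raw)
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def audit_ipsec_conf(text):
    """Return [(section, finding), ...]; an empty list means nothing flagged."""
    sections = parse_ipsec_conf(text)
    findings = []
    for dbg in ("klipsdebug", "plutodebug"):
        if sections.get("config setup", {}).get(dbg, "none") != "none":
            findings.append(("config setup", dbg + " is enabled"))
    default = sections.get("conn %default", {})  # every conn inherits this
    for name, params in sections.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        eff = dict(default)
        eff.update(params)
        for alg_key in ("ike", "phase2alg", "esp"):
            weak = sorted(set(re.split(r"[-;,!]", eff.get(alg_key, "").lower())) & WEAK_TOKENS)
            if weak:
                findings.append((name, "%s uses weak algorithm(s): %s" % (alg_key, ", ".join(weak))))
        if "phase2alg" not in eff and "esp" not in eff:
            findings.append((name, "no phase2alg/esp statement: any default ESP proposal is accepted"))
        if eff.get("authby", "rsasig") == "rsasig":
            for side in ("leftrsasigkey", "rightrsasigkey"):
                if eff.get(side) == "%none":
                    findings.append((name, side + "=%none: no key for RSA signature authentication"))
        elif eff.get("authby") == "secret":
            findings.append((name, "authby=secret: strength rests entirely on the pre-shared key"))
    return findings
```

Running audit_ipsec_conf(LAB_IPSEC_CONF) reports four findings against conn host-host, all inherited from or missing in conn %default; the hardened copy reports none.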

40. Select cells A19 through A50 of the worksheet, right-click within the highlighted cells, and select Copy from the context menu to copy the text to the system clipboard.

Figure 11 Highlighted command lines in the configuration worksheet

41. Minimize the OpenOffice window.


Note: In the next steps, you will save a copy of the existing ipsec.conf file before editing it using the vi editor, a standard text editor that ships with Debian7. Other text editors will work as well, but you will use the vi editor in this virtual environment. You may get additional help with the configuration at any time by using the command man ipsec.conf at the command line in the PuTTY window. A cheat sheet of vi commands is also available on the virtual desktop. If necessary, type :q! and press Enter at the vi command prompt to exit the editor without saving your changes and return to the command prompt.

42. Click anywhere in the PuTTY window to activate it.
43. At the prompt, type cp /etc/ipsec.conf /etc/ipsec_conf.old and press Enter to save a copy of the existing configuration file.

It is good practice to save a copy of the existing file before you begin editing in case you need to restore the original. In this virtual lab, this step is added only as a reminder.

44. At the prompt, type vi /etc/ipsec.conf and press Enter to open the existing configuration file in the vi editor.

45. At the prompt, type A to enter the append mode and move the cursor to the end of the current line.

46. Right-click to paste the copied text from the configuration worksheet.

Figure 12 Text copied from configuration worksheet

47. Press Ctrl+C twice to leave the append mode and return to the vi command prompt.
48. Expand the PuTTY window as necessary to see the entire contents of the configuration file.
49. Make a screen capture showing the entire contents of the configuration file and paste it into your Lab Report file.
50. Type :x and press Enter to save your changes, exit the editor, and return to the Linux command prompt.
51. In the PuTTY window, type exit and press Enter to exit superuser root access, and type exit and press Enter again to close the terminal emulator.

Note: The server side of the VPN tunnel is now configured. In order to test the connection the other end of the VPN connection must be configured and Openswan must be restarted on both machines in order for the configuration changes to take effect. The other end of the connection will be configured in a separate lab, Configuring a VPN Client for Secure File Transfers.

52. Maximize the OpenOffice window and close the application.
53. Click Save when prompted to save your changes.
54. Click the File Transfer button on the vWorkstation desktop to transfer the Openswan Host-Host Configuration your name file from the virtual desktop to your local computer for your own future use.


Note: Refer to the Preface of this lab manual for more detailed instructions on the File Transfer process.

55. If desired, click the File Transfer button on the vWorkstation desktop to transfer the VI Cheat Sheet file from the virtual desktop to your local computer for your own future use.

56. Close the virtual lab, or proceed with Part 2 to answer the challenge questions for this lab.

Lab #7 - Assessment Worksheet

Configuring a Virtual Private Network Server

Course Name and Number: _____________________________________________________

Student Name: ________________________________________________________________

Instructor Name: ______________________________________________________________

Lab Due Date: ________________________________________________________________

Overview

In this lab, you learned that a Virtual Private Network (VPN) is a private network that enables remote users (for example, employees, suppliers, partners, and customers) to leverage the inherently insecure public Internet to connect to an enterprise's private network resources in a secure manner. To do this, companies create a secure tunnel from the client to the server and use encryption to keep unauthorized parties from viewing or intercepting the data in transit. You used a worksheet to guide your configuration decisions and created a new ipsec.conf file to configure the server side of a Linux Debian Openswan VPN.

Lab Assessment Questions & Answers

1. The traditional IPsec protocol stack that is installed with Openswan is ________. The new alternative is ________.


2. Which command displays the status of the IPsec installation?

3. Tunnels may either be established using manual mode or automatic mode. Which mode is preferred?

4. The convention when drawing configuration diagrams of the VPN connection is to place the VPN server on the left or right (circle one), and the vWorkstation on the left or right (circle one). In this way, the left side of the diagram is usually reserved for the ________ machine, and the right side is usually the ________ machine.

5. Which of the following commands can be used to place a section break between sections when creating the ipsec.conf file?

a. A # character
b. A blank line
c. section=%break
d. SECTION-%break
e. None of the above

6. The klipsdebug and/or plutodebug should only be __________.

a. loaded in Openswan versions greater than 2.5.
b. enabled if specifically requested.
c. generated on systems with aggregate bandwidth greater than 100 Mbps.
d. used by Government Intelligence Agencies.

7. What is the name of the ipsec configuration file? In which directory is it stored?

8. Which of the following are valid options for the tunnel= command?

a. ESP, AH, null
b. Diffie-Hellman, OAKLEY, IKE
c. IKE and TINA
d. Tunnel, transport and passthrough
e. Tunnel, transport, *null*

Lab #7 - Completed Configuration Worksheet and IPsec.conf File

Host-to-Host Configuration Worksheet

Figure 13 Completed Host-to-Host Configuration worksheet

IPsec.conf file

Figure 14 Content of the new ipsec.conf file


Toolwire Lab 8: Configuring a VPN Client for Secure File Transfers

Introduction

Click the link below to view the network topology for this lab:

Topology

Virtual Private Networks (VPNs) enable the secure (virtually private, in fact) transmission of data across a network that may inherently not have security built-in, for example, the Internet. There are actually three major types of Virtual Private Network (VPN) connections, which can be implemented as a dedicated form or as some combination of all three depending upon the security needs of the given environment.

• A tunnel VPN, the most common type, encrypts and sends the content using a secure path, or tunnel, between two points across an unencrypted network. Tunnel mode encrypts the entire data packet including the headers and the payload.

• A transport VPN encrypts the transported content, the data payload, but leaves the header information, including IP addresses unencrypted. Transport mode is generally used when both end points are known, for example in remote desktop services or terminal emulators.

• A passthrough VPN, used primarily by small and home offices (SOHOs), enables the VPN traffic to pass through the router. The traffic on a passthrough VPN is not interpreted, decoded or encoded in any way.

A tunnel VPN establishes a secure information tunnel, rather than a physical tunnel, using a sophisticated combination of encryption and authentication, most often via the IPsec protocol. Although most VPN tunnels employ some encryption, they do not have to. One example of a VPN tunnel that logically separates connections without using encryption is a Multiprotocol Label Switching (MPLS) VPN, in which labels identify the contents of a packet and allow the packet to use any transport protocol.

Another versatile feature of VPNs is that they may be implemented between endpoints which do not share the same operating system or even the same VPN application software, as long as they use the same VPN protocol. This is analogous to the way browsers communicate with web servers: the browsers and web servers may be mismatched in a variety of ways, but as long as both ends interpret HTML the same way, they will work just fine.

This lab, potentially, has three parts which should be completed in the order specified.


1. In the first part of this lab, you will configure the vWorkstation, a Windows Server 2008 machine, as a VPN client to connect to a Linux Debian Openswan VPN.

2. In the second part of this lab, you will use the Wireshark protocol analyzer to look at the tunneled VPN traffic using the IPsec protocol, and compare it with the non-tunneled traffic. You will look at the detailed packet interactions of the File Transfer Protocol (FTP) and Secure Shell (SSH) protocol.

3. If assigned by your instructor, you will get some additional hands-on experience in a less structured environment in the Challenge Questions section of the lab.

Learning Objectives

Upon completing this lab, you will be able to:

1. Recognize and explain the differences between secure and non-secure file transfers.
2. Determine the password and content of non-secure file transfers.
3. Configure a Windows Server 2008 VPN client to work with a Linux Debian Openswan VPN.
4. Describe the differences between non-tunneled and tunneled connections.
5. Discuss the roles and functions of encryption, authentication and different elements of the IPsec protocol, such as ESP and AH.
6. Explain different phases and modes of operation of the IPsec protocol.

Tools and Software

The following software and/or utilities are required to complete this lab. Students are encouraged to explore the Internet to learn more about the products and tools used in this lab.

• Openswan VPN
• PuTTY
• Windows Server
• Wireshark

Deliverables

Upon completion of this lab, you are required to provide the following deliverables to your instructor:

1. Lab Report file including screen captures of the following steps: Part 1, Steps 39 and 55, and Part 2, Steps 12, 38, 43, 53, and 62;

2. Lab Assessments file;


3. Optional: Challenge Questions file, if assigned by your instructor.

Evaluation Criteria and Rubrics

The following are the evaluation criteria for this lab that students must perform:

1. Recognize and explain the differences between secure and non-secure file transfers. - [10%]
2. Determine the password and content of non-secure file transfers. - [5%]
3. Configure a Windows Server 2008 VPN client to work with a Linux Debian Openswan VPN. - [30%]
4. Describe the differences between non-tunneled and tunneled connections. - [15%]
5. Discuss the roles and functions of encryption, authentication and different elements of the IPsec protocol, such as ESP and AH. - [30%]
6. Explain different phases and modes of operation of the IPsec protocol. - [10%]

Hands-On Steps

Note: This lab contains detailed lab procedures which you should follow as written. Frequently performed tasks are explained in the Common Lab Tasks document on the vWorkstation desktop. You should review these tasks before starting the lab.

1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the file in Adobe Reader.

If desired, use the File Transfer button to transfer the file to your local computer and print a copy for your reference. Instructions for transferring the file can be found in the file itself.

Figure 1 "Student Landing" workstation

2. On your local computer, create the lab deliverable files.

3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to these questions as you proceed through the lab steps.

Part 1: Configuring a Windows VPN Client to work with a Linux VPN Server


Note: In this part of the lab, you will use an IPsec configuration file to configure a VPN tunnel between a Windows Server 2008 client machine and a Linux Debian Openswan VPN server.

Figure 2 VPN configuration diagram

The IPsec configuration file establishes all of the options used to configure the VPN tunnel on the VPN server. It is considered a best practice in many organizations to document the configuration of VPN connections, firewalls, and load balancers using a configuration spreadsheet, a manual checklist, or some other form of documentation, such as a printed copy of the configuration file. In this lab, you will work from a copy of the IPsec configuration file (ipsec.conf) provided by the security analyst or sysadmin of the Linux Debian VPN server to configure the VPN client. Following additional best practice, the documentation copy of the configuration file has been named ipsec-debian-vpn.conf to better describe its contents. Many organizations also include a version number and an implementation date in the file names.

1. Right-click the ipsec-debian-vpn.conf icon on the vWorkstation desktop to select it.

2. Click Open on the context menu.

3. When prompted, click the Select a program from a list of installed programs option and click OK.

4. Click the Wordpad icon in the resulting window to select that program.

Note: Any text editor, such as Windows NotePad, or a word processing program can be used to view *.conf files. Wordpad is used here simply because it is available on the vWorkstation desktop.

5. Resize the Wordpad window to display the entire contents of the file and move the application to the far right of the desktop as shown in the following figure.

Note: You will refer to this file throughout this part of the lab. Resizing the Wordpad window keeps it in view as you proceed with the lab steps.

Figure 3 ipsec-debian-vpn.conf file displayed in Wordpad

6. Double-click the Network icon on the vWorkstation desktop.

Figure 4 Windows Network Window

7. Click the Network and Sharing Center link beneath the menu bar at the top of the window.

Figure 5 Network and Sharing Center

8. Click the Set up a new connection or network link at the bottom of the window.


Figure 6 Set Up a Connection or Network window

9. Double-click the Connect to a workplace icon.

Figure 7 Connect to a Workplace window

10. Click the Use my Internet connection (VPN) option to establish a VPN connection.

11. In the Internet address box, type 172.30.0.100, the IPv4 address of the VPN server as specified in the ipsec-debian-vpn.conf file.

12. In the Destination name box, type Debian-VPN.

Note: The name for the VPN, which must be unique in your Network and Sharing Center, may be dictated by your organization's naming conventions. If not, the choice of the VPN connection name should be immediately identifiable. In this case, the name matches the configuration file name: ipsec-debian-vpn.conf.

13. Click the Don't connect now, just set it up so I can connect later checkbox.

Figure 8 Connect to a Workplace window (Part 2)

14. Click Next to continue.

15. In the User name box, type student.

16. Click the Show characters checkbox to view the password in clear text as you type.

17. Click the Remember this password checkbox.

18. In the Password box, type ISS316Security.

Figure 9 Connect to a Workplace window (Part 3)

19. Click Create to continue.

Figure 10 Connect to a Workplace window (Part 4)

20. Click Close to close the Connect to a Workplace window and return to the Network and Sharing Center.

21. Click the Change adapter settings link at the top left of the Network and Sharing Center to view the Debian-VPN connection icon.

Figure 11 Debian-VPN connection

22. Double-click the Debian-VPN icon in the Network Connections window to open the Connect Debian-VPN dialog box.

23. Click Properties to open the Debian-VPN Properties dialog box.

Figure 12 Connect Debian-VPN dialog box

24. Click the Networking tab.


25. Double-click Internet Protocol Version 4 to open the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box.

26. Click the Advanced button to open the Advanced TCP/IP Settings dialog box.

27. Click the Use default gateway on remote system checkbox to remove the checkmark.

Note: The Debian-VPN connection will not use a gateway on the destination machine or network. The nat_traversal=yes statement in the configuration file indicates that the VPN connection will not traverse a Network Address Translation gateway. Though not detailed, the VPN configuration diagram in Figure 2 confirms this lack of a gateway requirement.

Figure 13 Advanced TCP/IP Settings dialog box

28. Click OK to close the Advanced TCP/IP Settings dialog box.

29. Click OK to close the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box.

30. Click the Security tab in the Debian-VPN Properties dialog box.

31. Click the Advanced settings button.

Note: In the ipsec-debian-vpn.conf file, the statement also=L2TP-PSK-noNat indicates that this connection uses the Layer 2 Tunneling Protocol with Pre-Shared Keys.

32. In the L2TP tab, click the Use preshared key for authentication radio button.

Note: A preshared key is a passphrase that is shared by the security analyst or systems administrator with anyone authorized to use the VPN. Often, these keys are a complex series of upper- and lowercase letters, numbers and symbols, making them difficult for a hacker to guess. It is a best practice to copy and paste the pre-shared key to ensure that no keyboarding errors are made in establishing the VPN client connection. In this case, the preshared key is a simple phrase: this is the life.

33. In the Key box, type this is the life, the preshared key for this VPN connection.

Figure 14 L2TP Advanced Properties dialog box

34. Click OK to close the Advanced Properties dialog box.

Note: In the ipsec-debian-vpn.conf file, the statement pfs=no indicates that Perfect Forward Secrecy is not required by the encryption methodology. The encryption methodology in this case will be negotiated at time of connection and does not need to be specified.

35. Select Optional encryption (connect even if no encryption) from the Data encryption drop-down menu on the Security tab of the Debian-VPN Properties dialog box.

Figure 15 Select a data encryption method


36. Click OK to close the Debian-VPN Properties dialog box.

37. Click Connect in the Connect Debian-VPN dialog box to open a connection to the VPN server.

When the Connecting to Debian-VPN window disappears from the screen, the connection has been fully established.

Figure 16 Connecting to Debian-VPN window

38. Double-click the Debian-VPN icon in the Network Connections window to open the Debian-VPN Status dialog box and view the connection details.

39. Make a screen capture showing the Debian-VPN Status window and paste it into the Lab Report file.

40. Click Close to close the Debian-VPN Status dialog box without disconnecting the VPN connection.

Note: In the next steps, you will use PuTTY to connect to the Linux Debian VPN server and verify that the IPsec is running correctly.

41. Minimize the Network Connections window.

42. Double-click the putty.exe icon on the vWorkstation desktop to open the application window.

43. In the Host Name (or IP address) box, type 172.30.0.100 (the IP address of the Linux Debian Openswan VPN server).

Figure 17 PuTTY Configuration dialog box

44. If necessary, click the SSH radio button to use a Secure Shell (SSH) connection.

45. Click Open to complete the connection.

46. Log in to the server using the following credentials.

o Login: type student and press Enter.
o [email protected]'s password: type ISS316Security and press Enter.

You are now logged into Debian Linux in the student account. In order to configure the Openswan VPN, you must have super user (su) privileges.

47. Log in to the server using the super user credentials.

48. At the prompt, type su and press Enter.

49. When prompted for a password, type toor and press Enter.

You are now logged into the Linux Debian machine with super user access. Note that the prompt has changed to [email protected]:/home/students#.

50. At the prompt, type ipsec verify and press Enter.


A cursory glance will indicate that the results of the ipsec verify command include mostly OKs and no FAILUREs, which is good.

Figure 18 Results of ipsec verify command

Note: This PuTTY connection was made across the VPN and a command (ipsec verify) has been executed and verified on the Debian Openswan VPN server.

51. In the PuTTY window, type exit and press Enter to exit the superuser account and return to the student prompt.

52. In the PuTTY window, type exit and press Enter to close the terminal emulator.

53. Maximize the Network Connections window.

54. Right-click the Debian-VPN icon and select Status from the context menu to open the Debian-VPN Status dialog box.

55. Make a screen capture showing the Debian-VPN Status window and paste it into the Lab Report file.

Compare the bytes sent and received with those same fields from step 38. This data reflects the activity that took place during the PuTTY connection.

56. Click Disconnect to close the VPN connection.

57. Close the Network Connections window.

58. Close the Wordpad window.
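Part 1 read three statements out of the documented ipsec.conf (nat_traversal=yes, also=L2TP-PSK-noNat, pfs=no) by eye. The script below, added here as an example and not part of the lab manual or of Openswan, parses a file in that format, resolves the also= include so that each conn is seen with its effective settings, and reports the settings a reviewer of the documented copy would want called out. The configuration text is constructed to mirror what the lab points at; the remaining keys are standard Openswan L2TP/IPsec parameters and the addresses come from the lab topology. The rule that a conn's own values win over values pulled in through also= is an assumption made for this linter.

```python
"""Parse an Openswan-style ipsec.conf and flag settings worth a second look.

Added example for Part 1 of this lab; not the lab's file and not Openswan code.
"""

# Constructed stand-in for ipsec-debian-vpn.conf. Sections start at column 0
# ("config setup", "conn <name>"), parameters are indented, a blank line
# separates sections and "#" starts a comment.
SAMPLE_IPSEC_CONF = """\
# Constructed example, not the lab's actual file
config setup
    nat_traversal=yes
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNat

conn L2TP-PSK-noNat
    authby=secret
    pfs=no
    auto=add
    type=transport
    left=172.30.0.100
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
"""


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' is stored under 'setup'."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            current = None                      # blank line closes the section
            continue
        line = raw.split("#", 1)[0].rstrip()    # strip comments
        if not line.strip():
            continue                            # comment-only line
        if not raw[0].isspace():                # unindented: section header
            kind, _, name = line.partition(" ")
            if kind not in ("config", "conn") or not name.strip():
                raise ValueError(f"unexpected section header: {line!r}")
            current = name.strip()
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"parameter outside a section: {line!r}")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed parameter: {line!r}")
        sections[current][key.strip()] = value.strip()
    return sections


def effective_conn(sections, name, _seen=None):
    """Merge also= includes; the including conn's own values win (assumption)."""
    _seen = set() if _seen is None else _seen
    if name in _seen:
        raise ValueError(f"also= loop at conn {name}")
    if name not in sections:
        raise ValueError(f"also= refers to missing conn {name}")
    _seen.add(name)
    own = dict(sections[name])
    target = own.pop("also", None)
    merged = effective_conn(sections, target, _seen) if target else {}
    merged.update(own)
    return merged


def audit(sections):
    """Settings a reviewer of the documented configuration would flag."""
    findings = []
    if sections.get("setup", {}).get("nat_traversal") == "yes":
        findings.append("setup: nat_traversal=yes enables NAT traversal (NAT-T) support")
    for name in sections:
        if name == "setup":
            continue
        eff = effective_conn(sections, name)
        if eff.get("pfs", "yes") == "no":       # Openswan defaults pfs to yes
            findings.append(f"conn {name}: pfs=no, Perfect Forward Secrecy disabled; "
                            "a later key compromise exposes recorded sessions")
        if eff.get("authby") == "secret":
            findings.append(f"conn {name}: authby=secret, pre-shared key authentication; "
                            "the key in ipsec.secrets must be long and random")
        if eff.get("right") == "%any":
            findings.append(f"conn {name}: right=%any accepts any peer address, "
                            "so only the PSK gates access")
    return findings


if __name__ == "__main__":
    for line in audit(parse_ipsec_conf(SAMPLE_IPSEC_CONF)):
        print(line)
```

Run against a documented copy, the output is a checklist to attach to the configuration worksheet; note that the PSK itself never appears in ipsec.conf, so its strength has to be reviewed separately.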

Part 2: Comparing Secure and Non-secure File Transfers in Wireshark

Note: In this part of the lab, you will use Wireshark to review several file transfers, beginning with non-secure file transfers using the File Transfer Protocol (FTP). Later, you will review more secure file transfers using SSH. In this lab, you will use a set of pre-captured files to ensure that the frame numbers and content exactly match the lab contents.

1. Double-click the Wireshark icon to open the Wireshark application.

Figure 19 Wireshark interface

2. Select File > Open from the Wireshark menu and click the Desktop icon to view the files on the vWorkstation desktop.

3. Double-click the ftp-capture.pcapng file to open the file in Wireshark.

4. If necessary, maximize the Wireshark window.


The Wireshark window opens with the detailed information about the first packet captured, Frame 1, displayed in the middle pane. Use your mouse to drag the borders of any pane up or down to change its size.

o The top pane of the Wireshark window contains all of the packets that Wireshark has captured, in time order and provides a summary of the contents of the packet in a format close to English. Keep in mind that the content will be different depending upon where you capture packets in the network. Also remember that the "source" and "destination" is relative to where a packet is captured. This area of the Wireshark window will be referred to as the frame summary.

o The middle pane of the Wireshark window is used to display the packet structure and contents of fields within the packet. This area of the Wireshark window will be referred to as the frame details.

o The bottom pane of the Wireshark window displays the byte data. All of the information in the packet is displayed in hexadecimal on the left and in decimal, in characters when possible, on the right. This can be a very useful feature, especially if passwords for which you are looking are unencrypted. This area of the Wireshark window will be referred to as the byte data.

Figure 20 Wireshark application window

5. In the Filter box below the Wireshark menu, type ftp to create a filter isolating only the FTP packets.

Figure 21 Wireshark's Filter toolbar

Note: Clicking the Expression button on the Filter toolbar will open a dialog box that allows you to build a filter by selecting options from a list. To create a filter isolating only the FTP packets using this method, select FTP - File Transfer Protocol (FTP) from the Field name options and click "is present" in the Relation box, then click OK to load the expression in the Filter box.

As you proceed through the next steps, take time to explore the frame details and byte data panes for each frame discussed. As you will see, one of the big security drawbacks of FTP is that all information is sent in clear text and easily deciphered with common analysis tools like Wireshark. When managing multiple servers in an organization, it is easy to become overwhelmed by the number of file transfers and servers. It is a good practice, though not necessary in this lab, to build a filter that isolates the IP addresses you are analyzing as part of an investigation.

6. Click Apply to complete the filter process.

With the filter applied, the frame summary pane now displays only those packets that relate to an FTP file transfer.


Figure 22 Filtered FTP frames 12-17

7. Click frame 12.

Frame 12 indicates that the FTP server is ready for a new user and that the server is a Debian server. You will also see that the communication is from 172.30.0.100 (the source IP address) and to 172.30.0.2 (the destination IP address).

8. Click frame 13.

Frame 13 indicates that 172.30.0.2 is attempting to logon as an anonymous user.

9. Click frame 15.

Frame 15 indicates that the user was passed some kind of message that a password is required for anonymous.

Note: The exact messages, windows, or prompts displayed to the user will vary based on the application being used. The information in frame 15 does not indicate whether or not the user received the message, or that the message was delivered correctly.

10. Click frame 16.

Frame 16 shows that the user attempted to use the password [email protected]

11. Click frame 17.

Frame 17 indicates that the [email protected] password was rejected.

Note: It is a very common practice to allow outbound file transfers for large files without a password, via anonymous FTP. It is best practice for files which are to be distributed in a non-secure fashion, such as general white papers or other documentation. It is less common, though still not rare, to allow inbound anonymous FTP, for instance, students using FTP to send papers to an instructor. It is more common, however, to have folders for each user and a password to assure some level of integrity and tracking. Most FTP servers also have log files to track senders/receivers and their data. It is possible to track individual contributions with anonymous FTP, but much simpler with individual FTP accounts.

12. Make a screen capture showing the Frame Summary for frames 12-17, including the source and destination IP addresses, and paste it into your Lab Report file.

13. Click frame 30.

Frame 30 shows that the FTP server is once again ready to accept a new user.

Figure 23 Filtered FTP frames 30-36


14. Click frame 31.

Frame 31 indicates that a user is attempting to sign in with a username of student.

15. Click frame 33.

Frame 33 indicates that a password is required for the user student.

16. Click frame 34.

Frame 34 indicates that the password ISS366Security was attempted for the user account.

17. Click frame 36.

Frame 36 indicates that the attempted password was rejected as incorrect.

Note: Notice that there is no specific error code that indicates whether or not the user account information or password is correct, which makes it a bit more difficult to hack the account, but keep in mind that hackers often obtain account information by other means before ever attempting to crack the password.

18. Click frame 49.

Frame 49 shows that the FTP server is once again ready to accept a new user.

Figure 24 Filtered FTP frames 49-55

19. Click frame 50.

Frame 50 indicates that someone is attempting to sign in with the username student.

20. Click frame 52.

Frame 52 indicates that a password is required for the user account student.

21. Click frame 53.

Frame 53 displays the password attempted: ISS316Security.

22. Click frame 55.

Frame 55 indicates that the login was accepted and user student is logged in.
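Steps 7 through 22 reconstruct three login attempts by clicking through frames one at a time. The script below does the same reconstruction from the control-channel text a defender would export from a capture, and reports what matters from the monitoring side: which credentials crossed the wire in clear text, and whether a successful login followed failed attempts. It is an added example, not part of the lab manual; the (source, destination, payload) tuples are constructed to mirror the lab's frame sequence, with placeholder passwords rather than the lab's, and the reply codes (220, 331, 530, 230, 213, 150, 226) are the standard FTP codes.

```python
"""Reconstruct FTP logins and transfers from control-channel lines.

Added example for the FTP walkthrough in this lab; not part of the lab manual.
"""
import re

SERVER = "172.30.0.100"   # FTP server in the lab topology
CLIENT = "172.30.0.2"     # vWorkstation

# Constructed (src, dst, payload) tuples; passwords are placeholders, not the lab's.
SAMPLE_CAPTURE = [
    (SERVER, CLIENT, "220 Debian FTP server ready"),
    (CLIENT, SERVER, "USER anonymous"),
    (SERVER, CLIENT, "331 Please specify the password."),
    (CLIENT, SERVER, "PASS guest@example.invalid"),
    (SERVER, CLIENT, "530 Login incorrect."),
    (SERVER, CLIENT, "220 Debian FTP server ready"),
    (CLIENT, SERVER, "USER student"),
    (SERVER, CLIENT, "331 Please specify the password."),
    (CLIENT, SERVER, "PASS not-the-real-one"),
    (SERVER, CLIENT, "530 Login incorrect."),
    (SERVER, CLIENT, "220 Debian FTP server ready"),
    (CLIENT, SERVER, "USER student"),
    (SERVER, CLIENT, "331 Please specify the password."),
    (CLIENT, SERVER, "PASS example-secret"),
    (SERVER, CLIENT, "230 Login successful."),
    (CLIENT, SERVER, "SIZE /home/student/ipsec.conf"),
    (SERVER, CLIENT, "213 2075"),
    (CLIENT, SERVER, "RETR /home/student/ipsec.conf"),
    (SERVER, CLIENT, "150 Opening BINARY mode data connection"),
    (SERVER, CLIENT, "226 Transfer complete."),
]


def reconstruct_ftp_session(lines):
    """Walk the control channel once; return the logins and transfers it shows."""
    logins, transfers, sizes = [], [], {}
    current = None        # login attempt still waiting for the server's verdict
    pending_size = None   # path named by the most recent SIZE command
    for src, _dst, payload in lines:
        verb, _, arg = payload.strip().partition(" ")
        if src == CLIENT:                        # client command
            cmd = verb.upper()
            if cmd == "USER":
                current = {"user": arg, "password": None, "result": "pending"}
                logins.append(current)
            elif cmd == "PASS" and current is not None:
                current["password"] = arg        # clear text on the wire
            elif cmd == "SIZE":
                pending_size = arg
            elif cmd == "RETR":
                transfers.append({"path": arg, "size": sizes.get(arg)})
        elif re.fullmatch(r"\d{3}", verb):       # server reply code
            code = int(verb)
            if code == 230 and current is not None:      # logged in
                current["result"] = "success"
                current = None
            elif code == 530 and current is not None:    # not logged in
                current["result"] = "failure"
                current = None
            elif code == 213 and pending_size is not None:   # file status
                sizes[pending_size] = int(arg)
                pending_size = None
    return {"logins": logins, "transfers": transfers}


def credential_findings(session):
    """Monitoring view: exposed credentials and failures preceding a success."""
    findings, failures = [], {}
    for attempt in session["logins"]:
        user = attempt["user"]
        if attempt["password"] is not None:
            findings.append(f"cleartext password for '{user}' observed ({attempt['result']})")
        if attempt["result"] == "failure":
            failures[user] = failures.get(user, 0) + 1
        elif attempt["result"] == "success" and failures.get(user):
            findings.append(f"'{user}' logged in after {failures[user]} failed attempt(s)")
    return findings


if __name__ == "__main__":
    session = reconstruct_ftp_session(SAMPLE_CAPTURE)
    for item in credential_findings(session):
        print(item)
    for tr in session["transfers"]:
        print(f"retrieved {tr['path']} ({tr['size']} octets)")
```

The same state machine applies to the frames in steps 23 through 28: the SIZE reply (213) is paired with the RETR that follows it, which is how the script knows the retrieved file was 2,075 octets without ever seeing the data channel.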

Note: In the next steps, you will analyze how a file transferred using FTP appears within Wireshark.


23. Click frame 61.

24. In the frame detail pane, click the plus sign at the beginning of the File Transfer Protocol (FTP) line to expand the fields.

25. If necessary, click the plus sign at the beginning of the SIZE line to see which file is being retrieved: ipsec.conf.

Figure 25 Frame 61 detail

Note: Notice the file path displayed in the Request arg portion of the frame detail. This information is captured whether it was passed using a Windows Graphical User Interface (GUI) application or by manually typing the command /home/student/ipsec.conf\r\n.

26. Click frame 62.

Frame 62 is a file status message in response to the request in frame 61. It indicates that the transferred file was 2,075 octets (8 bit bytes) in length.

Figure 26 Frame 62 detail

27. Click frame 63.

Frame 63 is a retrieve request (RETR) for the /home/student/ipsec.conf file.

Figure 27 Frame 63 detail

28. Click frame 67.

Frame 67 is a response to frame 63 and indicates that a binary mode data connection has been opened.

Figure 28 Frame 67 detail

29. Click frame 73.

30. Click the plus sign at the beginning of the Transmission Control Protocol line to expand the fields.

31. Click the plus sign at the beginning of the [SEQ/ACK analysis] line. Use the scrollbar as necessary to locate this line.

32. Click the plus sign at the beginning of the TCP Analysis Flags line.

Figure 29 Frame 73 detail

Note: The frame detail indicates that Wireshark's expert mode suspects that frame 73 is a retransmission. A retransmission could be the result of an intentional packet injection or a false retransmission intended to cause some problem or further some exploit. Take a moment to expand more fields in the frame detail to learn more about this packet.


33. Click frame 76.

34. Click the minus sign at the beginning of the Transmission Control Protocol line to collapse these fields.

Figure 30 Frame 76 detail

Note: Frame 76 indicates that the requested file transfer has completed. But, where is the file itself? And, if the contents of the file are in clear text, why can't we see them? In many cases it is enough just to know which file was transferred, how it was transferred, when the transfer took place, the size of the file and other information that can be determined from what we already have. The actual transfer of the information is done by a sub-set of FTP called ftp-data. In the next steps, you will re-filter the Wireshark packets and review how this information is displayed in Wireshark.

35. In the Filter box, type ftp-data and click Apply to create a new filter.

Figure 31 Wireshark's Filter toolbar

Figure 32 Frame Summary for the ftp-data filter

36. Click frame 68.

37. Resize the borders of each pane to approximate the following figure.

Figure 33 Frame 68 detail

Note: The last line of the Frame Detail pane, FTP Data, displays the transferred file name (/etc/ipsec.conf) and the first part of that file's contents. The Byte Data pane displays the complete contents of the file in clear text on the right side of the pane and the corresponding hexadecimal (base 16) code on the left side.

38. Make a screen capture showing the Frame Summary and Byte Data for Frame 68 and paste it into your Lab Report file.

39. Click frame 69.

The FTP Data line of the Frame Details for frame 69 displays the last part of the transferred file's content. This file is short and is only broken into two pieces for transmission by FTP. Shorter files could be transmitted as a single unit; longer files would be broken into more pieces.

Note: One way that FTP can be used in a more secure manner is to encrypt the file before transferring it. The file contents would still be visible as a part of a file transfer analysis using Wireshark, or any similar packet analysis program, but it would not be readable and could not even be deciphered unless we had the key. It is also noteworthy that certain secure protocols allow us to enter the proper key in Wireshark so that Wireshark can decrypt the contents of a file and display it even though non-authorized persons, who do not possess the decryption key, could not read the file contents. In the next steps, you will analyze the Wireshark packets of an encrypted transfer of a new file, ipsec2.conf, using the Secure Shell (SSH) protocol. The ipsec2.conf file is larger than the ipsec.conf file transferred using the FTP protocol.

40. Click File > Open and double-click the ssh-capture.pcapng file to open the file in Wireshark. Use the scrollbar as necessary to locate the file.

The Wireshark Frame Summary will display no frames when the file is loaded because the ftp-data filter is still applied. You could click the Clear button in the Filter toolbar to display all of the packets, or apply a new filter.

41. In the Filter box, type ssh and click Apply to create a new filter that will display only those packets related to the SSH file transfer.

42. Resize the borders of each pane to display frames 12-49 in the Frame Summary pane.

Figure 34 Frame Summary for the ssh filter

Note: The Secure Shell (SSH) protocol replaces the older, insecure Telnet protocol for keyboard mode, or as it is sometimes still called, command line interface, for the interaction between systems, such as configuration of servers, routers and switches. Telnet is still used in many cases even though it suffers from many of the same shortcomings as FTP: it operates in clear text mode and is easy to hack. In the next steps, you will see how SSH can be used to securely transfer files. Notice that this file transfer, which uses SSHv2 rather than FTP, is also between 172.30.0.2 and 172.30.0.100 so all other things about the environment are the same. Explore the Frame Details and Byte Data for each step that follows to see how this exchange differs from the FTP file transfer.

43. Make a screen capture showing the Frame Summary for Frames 12-49 and paste it into your Lab Report file.

44. Click frame 12.

Frame 12 identifies the destination machine of this file transfer as 172.30.0.2, a Debian implementation of SSHv2.

45. Click frame 13.

Frame 13 identifies the destination machine of this file transfer as 172.30.0.100, a Windows implementation of SSHv2.

46. Click frame 15.


Frames 15 and 18 are the Key Exchange initialization between the two systems. If you look at the detail of Frame 15 you will see that the server (172.30.0.100) proposes the use of aes128-ctr (AES in counter mode, which turns the underlying block cipher into a stream cipher) as the encryption method, with hmac-md5 as the authentication mechanism and no compression. Initialization strings are also proposed. In Frame 18, the proposals of the server are accepted by the client (172.30.0.2).
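The two KEXINIT frames each carry comma-separated name-lists, one per algorithm category, and the capture only shows the outcome. The script below, an added example and not part of the lab manual, replays that negotiation from constructed name-lists shaped like frames 15 and 18 and flags the result where a reviewer should object; only aes128-ctr, hmac-md5 and the "none" compression entry come from the lab text, the other algorithm names are real SSH identifiers chosen for the example. It goes one step beyond the lab: it applies the rule from RFC 4253 section 7.1 that the negotiated algorithm is the first entry in the client's list that the server also offers, so it also handles proposals where the two sides' lists differ in order or content.

```python
"""Replay an SSH KEXINIT negotiation and flag weak outcomes.

Added example for the key-exchange frames in this lab; not part of the lab manual.
"""

# Algorithms a reviewer would flag if negotiated (names are real SSH identifiers).
WEAK = {
    "hmac-md5": "MD5-based MAC, deprecated",
    "hmac-sha1-96": "truncated SHA-1 MAC",
    "arcfour": "RC4 stream cipher, broken",
    "3des-cbc": "64-bit block cipher",
    "diffie-hellman-group1-sha1": "1024-bit DH group with SHA-1",
}


def negotiate(client_list, server_list):
    """RFC 4253 7.1: first name in the client's list that the server also lists."""
    offered = set(server_list.split(","))
    for name in client_list.split(","):
        if name in offered:
            return name
    return None            # no common algorithm; the connection would fail


def audit_kexinit(client, server):
    """client/server map category -> name-list. Return (chosen, findings)."""
    chosen, findings = {}, []
    for category, client_list in client.items():
        alg = negotiate(client_list, server.get(category, ""))
        chosen[category] = alg
        if alg is None:
            findings.append(f"{category}: no common algorithm")
        elif alg in WEAK:
            findings.append(f"{category}: negotiated {alg} ({WEAK[alg]})")
    return chosen, findings


# Constructed proposals shaped like the lab's frames 15 (server) and 18 (client).
SERVER_KEXINIT = {
    "kex": "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
    "enc_c2s": "aes128-ctr,aes256-ctr,3des-cbc",
    "mac_c2s": "hmac-md5,hmac-sha1",
    "comp_c2s": "none",
}
CLIENT_KEXINIT = {
    "kex": "diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256",
    "enc_c2s": "aes128-ctr,aes256-ctr",
    "mac_c2s": "hmac-md5,hmac-sha1",
    "comp_c2s": "none,zlib",
}

if __name__ == "__main__":
    chosen, findings = audit_kexinit(CLIENT_KEXINIT, SERVER_KEXINIT)
    for category, alg in chosen.items():
        print(f"{category}: {alg}")
    for item in findings:
        print("flag:", item)
```

Because the client's order decides, the fix for a weak MAC in a capture like this one is on the client side: list hmac-sha2-256 ahead of hmac-md5, or drop hmac-md5 from both ends.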

47. Click frame 20.

Frames 20 and 21 are the Diffie-Hellman Key Exchange initialization.

Figure 35 The SEQ/ACK analysis for frame 21

48. Click frame 22.

Frames 22 and 24 are the initial exchange in which the Client requests new keys.

49. Click frame 28.

Frames 28-49 are the transfer of the ipsec2.conf file. The contents are encrypted and are unreadable except by authorized persons who have the appropriate keys or unauthorized persons who have obtained the keys in some other way.

Figure 36 SSH file transfer in frame 28

Note: Though SSH encrypts files during the file transfer process, the content can be decrypted if the SSH encryption keys are compromised. However, if a file is encrypted prior to transfer, outside of the FTP utility, an additional measure of security is provided. Even if the SSH encryption keys are compromised, the attacker will still end up with unreadable content. In the next steps, you will analyze Wireshark packets related to a VPN file transfer of the ipsec.conf file. For each step, review the Frame Details and Byte Data for each frame.

50. Click File > Open and double-click the ipsec-capture.pcapng file to open the new file in Wireshark.

The Wireshark Frame Summary will display the SSH filtered results of the capture file.

51. Click Clear in the Filter toolbar to view the entire contents of the capture file.

52. Resize the pane borders to view the Frame Summary for frames 1-21.

Figure 37 Frame Summary for frames 1-21

53. Make a screen capture showing the Frame Summary for frames 1-21 and paste it into your Lab Report file.


54. Click frame 1.

Frames 1-6 establish the communication between the Windows machine (172.30.0.2) and the VPN server (172.30.0.100) you configured in Part 1 of this lab. Frames 1-6 use the Internet Security Association and Key Management Protocol (ISAKMP) to perform the first step in setting up the IPsec tunnel between the two systems.

Note: The first step in establishing an administrative tunnel, the ISAKMP, for the exchange of information such as the keys and other initialization data that will be used to set up a secondary tunnel for the actual information exchange, is called Identity Protection. The Information column of the Frame Summary refers to this first step as Main Mode, but Identity Protection is preferable because this step and the second step, Quick Mode, are not really modes at all, but rather two sequential phases of the same transfer. It is not a matter of choosing a mode; rather, it is a matter of performing the main mode phase and then the quick mode phase. ISAKMP is a protocol used to establish Security Associations (or tunnels) and cryptographic keys in an Internet environment. Review the Request for Comments related to the ISAKMP protocol (RFC 2408) at http://www.ietf.org/rfc/rfc2408.txt.

55. Click frame 7.

The Quick Mode, the second phase of setting up the IPsec virtual private network, is displayed in frames 7-9.

56. Click frame 10.

Once the ISAKMP exchange is completed and the administrative tunnel is established, the actual information exchange occurs in frames 10-21 using the Encapsulating Security Payload (ESP) protocol. The alternative to ESP is the Authentication Header (AH).

Note: Frame 16 is an unencrypted NetBios Name Service (NBNS) name query, and is outside of the IPsec tunnel.

Figure 38 Frame Summary for frames 10-21

57. Click frame 47.

Frames 47-67 continue the secure IPsec exchange between 172.30.0.2 and 172.30.0.100 using the occasional Internet Group Management Protocol v3 (in frames 48, 49, 51, 64 and 66), Link Local Multicast Name Resolution (in frames 53, 58, and 63) and Address Resolution Protocol (in frame 67).

Figure 39 Frame Summary for frames 47-67

58. Click frame 252.


Frames 252-272 represent a Secure Shell (SSH) transfer between 172.30.0.2 and 172.30.0.100.

Figure 40 SSH file transfer in frames 252-272

59. To see the SSH packets in more detail, type ssh in the Filter box and click Apply to create a new filter that will display only those packets related to the SSH file transfer.

60. Click frame 271.

Frame 271 is the beginning of the file transfer.

61. Click the last frame in the SSH file transfer.

Use what you have learned in the lab to identify the end of the file transfer packets.

62. Make a screen capture showing the last frame in the SSH file transfer and paste it into your Lab Report file.

Note: One noteworthy thing about this capture file is that the SSH transfer occurs outside of the IPsec tunnel; otherwise it would not be possible to see the details of the SSH interaction between the two machines, because the SSH protocol transactions would be encrypted within the ESP frames. The ESP frames between these two machines were carrying traffic other than SSH. What traffic? Without the keys or access to the machines (such as screen shots, key loggers or possibly log entries) it would be impossible to say, but there are other types of analysis, such as traffic analysis, that could reveal more about the exchange.
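The two notes above (the ISAKMP phases, and ESP traffic that cannot be read without the keys) can be reproduced on a small scale with the following Python script. It is an added example, not part of the lab or of Wireshark: it decodes the ISAKMP fixed header from RFC 2408 and the ESP SPI and sequence number from constructed packets between 172.30.0.2 and 172.30.0.100, prints an Info-column style line for each, counts packets per security association without decrypting anything, and lists frames between the two peers that travel outside the tunnel, such as the cleartext SSH session.

```python
"""Classify IPsec frames as Wireshark's Info column does, using constructed packets.
Minimal IPv4, no Ethernet header.  UDP/500 carries ISAKMP (RFC 2408); IP protocol 50
is ESP.  ESP is never decrypted: SPI and sequence number are all a passive observer
sees, so traffic analysis means counting packets and bytes per security association."""
import struct

# Exchange types 1-5 are from RFC 2408 section 3.1; 32 (Quick Mode) and 33 are from
# the IPsec DOI.  Wireshark shows type 2 as 'Identity Protection (Main Mode)'.
EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection (Main Mode)", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational", 32: "Quick Mode", 33: "New Group Mode"}
# 28-byte fixed header: cookies, next payload, version, exchange type, flags, msg ID, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ESP_HDR = struct.Struct("!II")  # SPI, sequence number; everything after is ciphertext
ISAKMP_FLAG_ENCRYPT = 0x01      # E bit: payloads after the header are encrypted

def parse_ipv4(pkt):
    """Return (protocol, src, dst, payload) from a minimal IPv4 header."""
    dotted = lambda raw: ".".join(str(b) for b in raw)
    return pkt[9], dotted(pkt[12:16]), dotted(pkt[16:20]), pkt[(pkt[0] & 0x0F) * 4:]

def parse_isakmp(data):
    """Decode the ISAKMP fixed header into the fields Wireshark lists for each frame."""
    icookie, rcookie, _next, ver, xchg, flags, msg_id, length = ISAKMP_HDR.unpack_from(data)
    return {"initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
            "version": f"{ver >> 4}.{ver & 0x0F}",
            "exchange": EXCHANGE_TYPES.get(xchg, f"Unknown ({xchg})"),
            "encrypted": bool(flags & ISAKMP_FLAG_ENCRYPT),
            "message_id": msg_id, "length": length}

def parse_esp(data):
    """Decode the cleartext part of an ESP packet: SPI, sequence number, ciphertext size."""
    spi, seq = ESP_HDR.unpack_from(data)
    return {"spi": spi, "seq": seq, "ciphertext_len": len(data) - ESP_HDR.size}

def summarize(pkt):
    """One Info-column style line for a packet."""
    proto, src, dst, payload = parse_ipv4(pkt)
    if proto == 50:
        e = parse_esp(payload)
        return f"{src} -> {dst} ESP SPI=0x{e['spi']:08x} Seq={e['seq']}"
    if proto in (6, 17):  # TCP and UDP both begin with source and destination ports
        sport, dport = struct.unpack_from("!HH", payload)
        if proto == 17 and 500 in (sport, dport):
            h = parse_isakmp(payload[8:])  # skip the 8-byte UDP header
            enc = " [encrypted]" if h["encrypted"] else ""
            return f"{src} -> {dst} ISAKMP {h['exchange']}{enc}"
        return f"{src} -> {dst} {'TCP' if proto == 6 else 'UDP'} {sport} -> {dport}"
    return f"{src} -> {dst} IP protocol {proto}"

def esp_sa_stats(pkts):
    """Traffic analysis without keys: (packets, ciphertext bytes) per (src, dst, SPI)."""
    stats = {}
    for pkt in pkts:
        proto, src, dst, payload = parse_ipv4(pkt)
        if proto == 50:
            e = parse_esp(payload)
            n, b = stats.get((src, dst, e["spi"]), (0, 0))
            stats[(src, dst, e["spi"])] = (n + 1, b + e["ciphertext_len"])
    return stats

def cleartext_between_peers(pkts, peer_a, peer_b):
    """Frames between two IPsec peers that bypass the tunnel (neither ESP nor ISAKMP)."""
    leaks = []
    for pkt in pkts:
        proto, src, dst, _ = parse_ipv4(pkt)
        if {src, dst} == {peer_a, peer_b} and proto != 50:
            line = summarize(pkt)
            if "ISAKMP" not in line:
                leaks.append(line)
    return leaks

# --- constructed sample packets, not a real capture --------------------------------
def ipv4(proto, src, dst, payload):
    """Minimal IPv4 packet; header checksum is left at zero in this sample data."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       addr(src), addr(dst)) + payload

def udp(sport, dport, body):
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body

def isakmp(xchg, flags, msg_id, body=b""):
    return ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, 1, 0x10, xchg, flags, msg_id,
                           ISAKMP_HDR.size + len(body)) + body

A, B = "172.30.0.2", "172.30.0.100"
SAMPLE = [
    ipv4(17, A, B, udp(500, 500, isakmp(2, 0, 0))),                # phase 1: Main Mode
    ipv4(17, B, A, udp(500, 500, isakmp(2, 0, 0))),
    ipv4(17, A, B, udp(500, 500, isakmp(32, ISAKMP_FLAG_ENCRYPT, 0xABCD, b"\0" * 64))),  # phase 2
    ipv4(50, A, B, ESP_HDR.pack(0x0A1B2C3D, 1) + b"\0" * 96),      # tunneled data, one SA each way
    ipv4(50, A, B, ESP_HDR.pack(0x0A1B2C3D, 2) + b"\0" * 96),
    ipv4(50, B, A, ESP_HDR.pack(0x5E6F7081, 1) + b"\0" * 40),
    ipv4(6, A, B, struct.pack("!HH", 52000, 22) + b"\0" * 16),     # SSH outside the tunnel
]

if __name__ == "__main__":
    print("\n".join(summarize(p) for p in SAMPLE), esp_sa_stats(SAMPLE),
          cleartext_between_peers(SAMPLE, A, B), sep="\n")
```

Real captures would be read with a pcap library and the Ethernet header stripped first; the parsing logic above is unchanged.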

63. To see the ESP exchanges over the IPsec VPN tunnel, type esp in the Filter box and click Apply.

64. Click File > Quit from the Wireshark menu to close Wireshark.

65. Close the virtual lab, or proceed with Part 3 to answer the challenge questions for this lab.

Lab #8 - Assessment Worksheet

Configuring a VPN Client for Secure File Transfers

Course Name and Number: _____________________________________________________

Student Name: ________________________________________________________________

Instructor Name: ______________________________________________________________

Lab Due Date: ________________________________________________________________

Overview

In this lab you configured the vWorkstation, a Windows Server 2008 machine, as a VPN client to connect to a Linux Debian Openswan VPN. You also used the Wireshark protocol analyzer to look at VPN traffic tunneled using the IPsec protocol and compared it with non-tunneled traffic. You reviewed detailed packet interactions of the File Transfer Protocol (FTP) and the Secure Shell (SSH) protocol.

Lab Assessment Questions & Answers

1. The alternative to Encapsulating Security Payload (ESP) is __________________.

2. One of the main drawbacks of the File Transfer Protocol (FTP) is that ________________.

a. It was the first file transfer protocol invented in the IP suite
b. It does not encrypt content.
c. It does not encrypt passwords.
d. It is widely used by web sites.
e. Both b and c

3. An IPsec tunnel is set up in two stages. In the Information column of the Frame Summary, these steps are called _________.

4. The first phase of setting up an IPsec tunnel is called _______ _______.

5. The second phase of setting up an IPsec tunnel is called ________ _______.

6. SA stands for Security Association. An equivalent word would be _________.

7. The protocol used for setting up the "administrative" tunnel in IPsec is __________.

8. ISAKMP stands for ________.

a. Internet Security Association and Key Management Protocol
b. Internet Secure Admission Key Management Protocol
c. Internet Security Association and Key Maintenance Protocol
d. Internet Secure Admission Key Maintenance Protocol
e. Internet Security Association and Key Management Provisioning

Toolwire Lab 9: Attacking a Virtual Private Network

Introduction

Click the link below to view the network topology for this lab:

Topology

Social Engineering is when an attacker attempts to take advantage of a weakness in a human being (vs. a network, device or application). Social engineering is often looked upon by "real" security professionals as child's play because it isn't "technical", but social engineering can be an important part of most sophisticated attacks or, in and of itself, social engineering can be every bit as effective as a traditional technical attack. Many a hacker, cybercriminal, or cyberterrorist has saved time and very often achieved what they could not otherwise by simply asking. One of the most extreme documented examples is from page 22 of Betty Medsger's book, The Burglary: The Discovery of J. Edgar Hoover's Secret FBI:

As burglars, they used some unusual techniques, ones Davidon enjoyed recalling years later, such as what some of them did in 1970 at a draft board office in Delaware. During their casing, they had noticed that the interior door that opened to the draft board office was always locked. There was no padlock to replace, as they had done at a draft board raid in Philadelphia a few months earlier, and no one in the group was able to pick the lock. The break-in technique they settled on at that office must be unique in the annals of burglary. Several hours before the burglary was to take place, one of them wrote a note and tacked it to the door they wanted to enter: "Please don't lock this door tonight." Sure enough, when the burglars arrived that night, someone had obediently left the door unlocked. The burglars entered the office with ease, stole the Selective Service records, and left. They were so pleased with themselves that one of them proposed leaving a thank-you note on the door. More cautious minds prevailed. Miss Manners be damned, they did not leave a note.

In this lab, you will learn how to use social engineering techniques to unlock the secrets of a targeted individual or organization by attacking their Virtual Private Network. While there are a number of possible technical exploits, this lab focuses on the damage that can be done using social engineering.

This lab has two parts which should be completed in the order specified:

1. The first part of the lab will focus on social engineering and reverse social engineering. By following the sample attack, you will learn many of the ways in which information can be gathered from a subject or subjects and combined for either real-world or cybercrimes.

2. In the second part of the lab, you will research email scams and use social engineering to create a believable spam email to solicit funds for a fictitious fund-raising opportunity.

3. Finally, if assigned by your instructor, you will use the skills you learned in the lab to design social and reverse social engineering attacks against several targets. Even if not assigned, you are encouraged to explore these real-world situations.

This lab is a paper-based lab and requires the use of the Virtual Security Cloud Lab (VSCL) only to access the relevant documents.

Learning Objectives

Upon completing this lab, you will be able to:

1. Recognize some of the key characteristics of a social engineering attack.

2. Identify some of the key signs of a reverse social engineering attack.

3. Implement countermeasures to social and reverse social engineering attacks.

Tools and Software

The following software and/or utilities are required to complete this lab. Students are encouraged to explore the Internet to learn more about the products and tools used in this lab.

• None

Deliverables

Upon completion of this lab, you are required to provide the following deliverables to your instructor:

1. Lab Report file including screen captures of the following steps: Part 1, Steps 8 and 14, and Part 2, Step 4.

2. Lab Assessments file;

3. Optional: Challenge Questions file, if assigned by your instructor.

Evaluation Criteria and Rubrics

The following are the evaluation criteria for this lab that students must perform:

1. Recognize some of the key characteristics of a social engineering attack. - [25%]

2. Identify some of the key signs of a reverse social engineering attack. - [25%]

3. Implement countermeasures to social and reverse social engineering attacks. - [50%]

Hands-On Steps

Note: This lab contains detailed lab procedures which you should follow as written. Frequently performed tasks are explained in the Common Lab Tasks document on the vWorkstation desktop. You should review these tasks before starting the lab.

1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the file in Adobe Reader.

If desired, use the File Transfer button to transfer the file to your local computer and print a copy for your reference. Instructions for transferring the file can be found in the file itself.

Figure 1 “Student Landing” workstation

2. On your local computer, create the lab deliverable files.

3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to these questions as you proceed through the lab steps.

Part 1: Social Engineering / Reverse Social Engineering Attack

Note: A properly configured Virtual Private Network which uses IPsec and adheres very closely to best practices, such as strong authentication, network segmentation, device validation, posture assessment, etc., is very formidable and protects all types of information while it is in transit from one location to the other. Actually “breaking” into a VPN tunnel requires a level of technical prowess such that it may take the resources of the NSA or a nation-state intelligence apparatus to do routinely. However, VPN security is broken every day by less technically savvy cybercriminals, hackers and others. How do they do it? One way is to exploit the weaknesses of improperly configured VPNs—still a technical challenge—but fairly common. Another way is by using social engineering and reverse social engineering to gain access by pretending to be a legitimate user. While the scenario in this lab targets a fictitious company, the social engineering steps described are typical of the real world. In this scenario, you are the owner of a local cupcake bakery. Your biggest competitor, Marina and Rita’s Cupcakes, only came into the market about 18 months ago, but they are taking the stand-alone cupcake bakery market by storm. Since they opened a store in your neighborhood, your market presence has dwindled and their growth has crippled your franchise expansion plans. You have read all of the fine print on their website only to find that the product and franchise terms are not very different from your own.

1. Double-click the mandrwebsite.pdf icon on the vWorkstation desktop to see the Marina and Rita’s Cupcakes web site.

Figure 2 Marina and Rita’s Cupcakes’ Web site Photo credits: Profile © Yuri Arcurs/ShutterStock, Inc.; Cupcakes © luminaimages/ShutterStock, Inc.

2. Close the mandrwebsite.pdf file.

Note: You have interviewed past and present Marina and Rita’s Cupcakes employees and have purchased all of the market intelligence that you can locate from legitimate sources. You have Googled until you can’t Google anymore, but you need more information and you are willing to do anything to get it. You are desperate now and willing to do anything that it takes to stop the continuing loss of business. Anything… As part of your research you stumbled across something called the “darknet”. It is, apparently, a hidden part of the Internet where one can buy just about any product or service one might want, pay in a currency called “bitcoins”, and transact business anonymously—away from the prying eyes of law enforcement and without tracking cookies and geo-location concerns. This sounds like the place to go. But how to get there? Just days later, you find yourself at a social gathering at a local watering hole known as “The Club”. You fall into the most interesting conversation with a fellow club member with whom you have never had much in common. The conversation soon turns to bitcoins and the demise of something called Silk Road, a web site that was a black market for drugs, weapons, and killers for hire. It turns out that your club-mate was familiar with the FBI shutdown of Silk Road, but tells you that he knows it has been replaced by Silk Road v2. Wanting to share your own recent knowledge, you quip, “Sounds like the darknet”. “It is,” he replies. After another half an hour of hushed conversation, your new darknet mentor gives you a number: 179.37.7.79:4096. He explains that it is an IP address that should be typed into your browser in place of a website name, after https://. He further tells you that this is not the actual IP address. You should subtract 7 from each of the first four numbers when you type it in. To protect the darknet, he tells you that you can write down the number he gave you, but you must remember to subtract 7. You head to the library first thing the next morning and access the site.

3. Double-click the darknetwebsite.pdf icon on the vWorkstation desktop to see the Hackers R Us web page.

Figure 3 Hackers R Us DarkNet home page Photo © iStockphoto/Thinkstock

Note: After some emails back and forth with a mysterious person known to you only as Kitty Kat (KK), you have made a deal. Hackers R Us will provide you with remote access to Marina and Rita’s Cupcake’s internal network via their Virtual Private Network in exchange for a rather large sum of money, payable in bitcoin. You’ve already set up a Bitcoin account and made an initial payment of 50%, with the balance due as soon as you access Marina and Rita’s VPN for the first time. All you have to do is sit back and wait for KK to perform her magic.

4. Close the darknetwebsite.pdf file.

Note: KK begins her work with a quick Google search to view the company’s Web site, locate biography information about the sisters, including their birthdates, and find any news she can about the company and its owners that will help her reach her goal of accessing the company’s VPN. She finds a recent article about the company in the local business journal.

5. Double-click the newspaper.pdf icon to read the article from the business section of the Cincinnati Journal.

Figure 4 Article from business section of Cincinnati Journal

6. Close the newspaper.pdf file.

Note: From this article, KK learns that the top sales team as well as the founders, Marina and Rita, will be flying to Hawaii in time for their February 16th meeting. Her next step is to get the actual travel itinerary. Presumably the entire HQ and East US group will travel together, so KK calls Marina and Rita’s headquarters in Lakewood, Ohio, and claims to be a new hire in the US West division and that her boss, Lisa Lipscombe, asked her to make travel arrangements to Lakewood, but she has lost the name and number of the travel consultant. The helpful operator at Marina and Rita’s headquarters tells her that the travel consultant is David Spivey at Air, Land and Sea Travel. The operator also provides a direct number to assure that KK gets better service.

KK calls David Spivey, identifies herself as a temp at Marina and Rita’s Cupcakes and asks that Marina’s and Rita’s travel itinerary for the Hawaii Presidents’ Club trip be faxed to a Lakewood, Ohio phone number. David is not suspicious because it is a normal request and the phone number appears correct. He does not realize that the number is for a fax drop box that allows the fax to be retrieved from anywhere on the Internet.

7. Double-click the travel.pdf icon to see the travel itinerary for Marina and Rita Sugarton.

Figure 5 Marina and Rita Sugarton’s travel itinerary

8. Make a screen capture showing the entire travel itinerary for Marina and Rita and paste it into your Lab Report file.

9. Close the travel.pdf file.

Note: KK now has the travel itinerary, and she knows what Marina and Rita look like from the pictures on their Web site, so KK can start to assemble an attack plan. She plans to enlist the aid of a couple of accomplices to steal a tablet or smartphone from one of the Marina and Rita team on their way to Hawaii. Knowing how vulnerable these devices will be in the airport, KK will intercept the group at the airport and, along with two accomplices, will steal the device as the individual goes through the security checkpoint. KK’s team has tried this successfully before, so successfully in fact that some travel agencies are issuing warnings to their clients. The good news for KK, and for you as her client, is that most travelers ignore these warnings.

10. On your local computer, open an Internet browser session.

11. In the address box of the browser, type http://www.corporatetravelsafety.com/safety-tips/category/airport-safety/tip/thefts-at-airport-screening-stations and press Enter to read the travel warning that describes how this type of theft works.

12. Minimize the local browser session.

Note: On the day of the flight, KK uses the Paradise Flyer Priority number from the travel itinerary and Marina Sugarton’s birthdate found during an initial Google search to confirm, via a quick telephone call to Paradise Airlines, that Marina and Rita checked in via Internet and will be checking two pieces of luggage. KK and her accomplices arrive at the airport early and position themselves to watch for the Sugarton sisters’ arrival. Right on time, a sleek black limousine arrives and delivers the two Sugarton sisters, VP North American Franchise Sales, Sara Collier, and six large bags. The baggage porter loads a cart curbside and transports the checked luggage inside. The group is tailed by KK to the security checkpoint where KK quickly goes through the security checkpoint and waits patiently on the other side. Her accomplices position themselves in order to delay Marina, Rita, and Sara at the metal detectors long enough for one of the accomplices to grab whatever electronic devices are placed in the bowl before they go on the conveyor belt.

The thieves grab Marina Sugarton’s smartphone and surreptitiously pass the device to KK, who is able to pass back through security to the safety of the airport terminal. Marina, Rita, and Sara collect their belongings and rush to catch their flight to Atlanta without noticing the missing phone. Unless their domestic flight from Cleveland to Atlanta has onboard telephones, Marina will not be able to report the loss or theft of her device until she arrives in Atlanta. This gives the criminals at least a two-hour window. KK contacts her client, you, and agrees that for an extra fee KK will exploit this vulnerability window and download any information that she can.

Figure 6 Marina’s smartphone Photo © Anatolii Babii/123RF

Note: As with many busy people, Marina has neglected to set a screen lock on her smartphone, which means that anyone, including KK, can gain immediate access to her contacts and other private information. The graphic icon-based interface makes it very easy to find the access point for the Marina and Rita’s Cupcakes Virtual Private Network and, subsequently, her email. KK is able to access the Marina and Rita’s Cupcakes email via the VPN, which is set up for Marina’s convenience to use a pre-stored password for the VPN and automatic sign-in for the email. Even though it is likely that the smartphone is fairly new, KK is quickly and easily able to determine that Marina and Rita’s email uses the IMAP protocol and, therefore, copies of all emails are stored on the server. KK is able to download a malicious piece of code which copies all email, with attachments, to KK’s server. In addition, KK is able to determine all of the characteristics required for sign-in to the Marina and Rita’s Cupcakes VPN except for the encrypted password. She might be able to use the encrypted password in a replay attack, but she would be far better off if she actually knew the password. In order to cover her tracks, KK deletes the malicious code and pays a teenager $20 to take the device and a copy of the itinerary to the Paradise Airlines counter and tell the airline representative that he “found this near the baggage check-in.” The Paradise Airlines agent sends a message to the gate agent in Atlanta who informs Marina that her lost device has been found and assures her that the airline will deliver it to the hotel in Maui tomorrow. Marina was unaware that her phone had ever been “lost”, but is glad that it will be returned, safe and sound. And she is unaware that all of her emails, with attachments, for the last several years, including the 18 months since her retail stores had begun popping up, are now in the hands of a competitor.

You deposit the balance of KK’s “professional services fee” into her bitcoin account. In many cases this would be the end of the story, but you are still not satisfied. You’ve analyzed the emails and are tantalized by the gaps in the information. Gaps that could be filled in if only you had access to the archived emails from other key people in the company. You again contact KK for advice and KK suggests a way to get those key people to change their VPN passwords so that you can attack them in the same way that Marina was attacked: download all of their emails without their knowledge. Arrangements are made for a second set of payments via the bitcoin account and KK gets to work. KK knows that the most efficient way to get the most information is to find a way to open the VPN while Marina and Rita are still in Hawaii. With the VPN tunnel open, she can download anything she wants. She decides to send an email from Marina Sugarton’s email account to several employees at the company. The email asks everyone to reset their VPN passwords.

13. Double-click the email.pdf icon to view the email sent by KK to employees of Marina and Rita’s Cupcakes.

Figure 7 Fake email sent from Marina Sugarton’s email account Photo © luminaimages/ShutterStock, Inc.

14. Make a screen capture showing Marina’s email and paste it into your Lab Report file.

15. Close the email.pdf file.

Note: All of the employees complied with the email request since they were asked to do so by one of the co-presidents. No one noticed that none of the Top Achievers who were with Marina in Hawaii (and who might have mentioned the email to Marina herself) were included in the email distribution list. With the VPN now open, KK is able to collect all of the emails from all of these email accounts. This new batch of data included information about markets, strategies, franchising and related business issues, and recipes, as well as personal information such as travel itineraries, receipts for web purchases, relationships, and gossip, that you, as KK’s client and Marina Sugarton’s competitor, will be able to exploit. In other words, a treasure trove of information about all aspects of Marina and Rita’s Cupcakes.

What can be done to strengthen access procedures and make a VPN more secure? The first thing is to be sure that all parameters for the VPN, such as algorithms, Perfect Forward Secrecy, key length, and frequency of key changes, are proper for the type of information being protected and are applied uniformly. All configuration procedures should be reviewed periodically and updated as needed according to current best practices. It is also possible to increase security by allowing VPN connections only from specific MAC addresses or MAC/IP address pairs. Security can also be increased by using devices that generate one-time use passwords or parts of passwords, such as RSA SecurID. Other forms of multi-factor authentication such as biometrics are possible, again, considering the value of the information being protected and other factors. For more information on VPN security, review the publication at http://www.infosec.gov.hk/english/technical/files/vpn.pdf

Part 2: Creating Spam Emails

Note: There are many types of spam emails, each used for a different purpose. A good spam email writer can expect roughly the same number of click-throughs as a legitimate marketing campaign. The email must take into account the relationship and amount of trust, if any, between the sender and receiver and what the email is asking the receiver to do. A spam email can be part of a larger campaign of deception, or it can be the entire campaign. A term often used for spam emails that attempt to get the recipient to perform some action is phishing emails. Phishing emails that are targeted to a specific individual, or group of individuals, are called spear phishing emails. Both types are highly effective, but spear phishing is even more effective than a general phishing email because it uses social engineering techniques to appeal to its target. Spear phishing emails are routinely used either to get credentials that make breaking into or using a VPN easier, or to ask users to do things like send money, disclose VPN credentials, or change passwords, as was done in Part 1 of this lab.

1. Maximize the browser on your local computer.

2. In the address box of the browser, type http://netforbeginners.about.com/od/scamsandidentitytheft/ig/Phishing-Scams-and-Email-Cons/index.01.htm and press Enter to learn more about phishing scams.

3. Read at least three sample scam emails.

4. Make a screen capture showing your favorite scam email or a representative of a scam email that you have received in the past and paste it into your Lab Report file.

5. Minimize the browser.

Note: In the next steps, you will create your own spear phishing email following the example in this lab. Actually sending the emails is beyond the scope of this lab. It is possible to use free/hobbyist, hacker, and commercial email senders or web-based services. Some sellers of email lists also have services that allow you to manage an email campaign. Some allow anonymous sending of email. Sending of emails for malicious or deceptive purposes is an entire branch of social engineering and reverse social engineering worthy of time and effort to learn about in order to have a well-rounded background in the tools of the hacker.

6. In your Lab Report file, insert a page break to place your email text on a new page.

7. In your Lab Report file, insert a 2x4 cell table and add email labels (To:, From:, Date:, and Subject:) similar to the one in the following figure.

Figure 8 Table layout for email sample

8. In the To content cell, type Charlie Roberts <[email protected]>.

Note: Every email campaign has a specific addressee on whom it is expected to work. This may be a single person or a list of people. Lists may be purchased, from legitimate or illegal sources, or harvested by you. It is best practice for spammers to send emails to only one person at a time, even if they intend to target a large group of individuals, unless the particular group of people being targeted might be more likely to believe the email when they see the other recipients. In this case, Charlie Roberts is being specifically targeted.

9. In the From content cell, type Susan Dougherty <[email protected]>.

Note: The sender’s identity is just as important. It has to be a person or entity with which the recipient has, or can develop, a trust relationship. This is why so many spammers compromise personal email lists from sources such as Gmail and Yahoo Mail. In many cases, malicious emails use an actual sender email address, but more often the emails use a temporary email address created by the spammer for the specific email campaign. The decision to use a real or false sender address depends on whether or not the spammer wishes the recipient to respond to the sender. In this case, Susan Dougherty is a known contact of the target, Charlie Roberts, and that increases the odds that the email will be believable. When the sender is a known contact of the target, using their actual email address increases the appearance that the email is proper.

10. In the Date content cell, type today’s date.

Note: The date and time of an email are usually automatically generated by the email sending software but, often, sending can be delayed until a specific date and time, or otherwise spoofed.

11. In the Subject content cell, type A favor?.

Note: Many professional spear phishers rely on a catchy subject line to increase the chance of a curious recipient opening an email. How many real emails do you receive from friends or business associates with the subject line save money or big sale? In this case, since you are using real sender and recipient names, it would be best to use a more casual subject.

Figure 9 Completed table layout for email sample

Note: The body of the email is arguably the most important part, and depends entirely on the goals of the spammer. If the intent is as simple as wanting to verify that the email account is active, the recipient only has to open the email and the content is of lesser importance. If the intent is to encourage the recipient to do something, then the content becomes more important. In this case, the spammer’s intent is to gather funds and collect credit card credentials that are exploited later to steal the victim’s identity. To accomplish this goal, the spammer would need to have a Web site set up to collect this information. The spammer secures an address, https://www.NotCFSCDS.com, or simply an IP address, such as https://172.30.0.99, which is even harder to trace. The spammer researched Susan Dougherty, the apparent sender of this email, online prior to selecting her as an identity for this email campaign and learned that Charlie Roberts works for Susan, and that she is associated with the Cure Strange Childhood Diseases Society. This non-profit organization is an excellent front for the spammer’s goals, so he copies the look and feel of the real Cure Strange Childhood Diseases Society’s donation page and redirects the form to forward any money received into his own foreign bank account, and stores the credit card information for later use or sale.

12. On the vWorkstation desktop, double-click the NotCSCDSwebsite.pdf icon to see the false donation processing page.

Figure 10 False donation processing page

13. Close the NotCSCDSwebsite.pdf file.

Note: Now that there is a place for Charlie Roberts to send his money, you are ready to create the body of your spear phishing email.

14. Below the email header table in your Lab Report file, type a message to Charlie from Susan that might encourage him to make a donation to the Cure Strange Childhood Diseases Society. Include the words click here to send Charlie to the fake donation Web site.

15. In your email text, highlight the words click here.

16. Use your word processing software to add a hyperlink that links the words click here to the donation form on the fake Web site at https://172.30.0.99.

Note: Refer to the Help menu on your word processing software for more details on creating a hyperlink.
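From the defender's side, the email built in these steps has two tells that a mail gateway or a careful reader can check mechanically: the visible link text does not match where the link goes, and the destination is a bare IP address such as https://172.30.0.99 rather than the society's domain. The following Python checker is an added example, not part of the lab; the HTML body and the domain cscds.example (standing in for the real society's site) are constructed placeholders.

```python
"""Flag the deceptive hyperlinks a phishing email relies on (constructed sample below).
Two checks: link text that names a different domain than the href, and hrefs that
point at a bare IP address instead of a registered domain.  An optional list of
expected domains also catches look-alike hosts such as the NotCFSCDS one in the lab."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def host_of(url):
    """Hostname of a URL, lower-cased; '' when the string has no scheme and host."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""

def is_ip_host(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def registrable(host):
    """Last two labels of a hostname: a crude stand-in for a public-suffix lookup."""
    return ".".join(host.split(".")[-2:])

def audit_links(html, expected_domains=()):
    """Return (reason, link text, href) findings for an HTML email body."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        host = host_of(href)
        if is_ip_host(host):
            findings.append(("bare IP address destination", text, href))
        elif expected_domains and registrable(host) not in expected_domains:
            findings.append(("destination outside expected domains", text, href))
        # Link text may itself be a URL or a bare domain; compare it with the href's domain
        looks_like_domain = re.fullmatch(r"[\w.-]+\.[a-z]{2,}", text, re.I) is not None
        text_host = host_of(text) or (text.lower() if looks_like_domain else "")
        if text_host and registrable(text_host) != registrable(host):
            findings.append(("link text names a different domain", text, href))
    return findings

# Constructed sample modelled on the lab's Susan-to-Charlie email; cscds.example is a
# made-up placeholder for the real society's domain.
SAMPLE_EMAIL = """<p>Charlie, could you do me a favor and support the Cure Strange Childhood
Diseases Society this month? Please <a href="https://172.30.0.99/donate">click here</a> to give.
Our real site is <a href="https://www.NotCFSCDS.com/donate">www.cscds.example</a>.
More about the society: <a href="https://cscds.example/about">About the Society</a>.</p>"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL, expected_domains=("cscds.example",)):
        print(finding)
```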

Figure 11 Deceptive email sample

17. Maximize the browser on your local computer.

18. In the address box of the browser, type http://www.verizonenterprise.com/DBIR/2013/ and press Enter. Download the 2014 Data Breach Investigations Report. Read the report to learn more about phishing scams.

19. Close the browser.

20. Close the virtual lab, or proceed with Part 3 to answer the challenge questions for this lab.

Lab #9 - Assessment Worksheet

Attacking a Virtual Private Network

Course Name and Number: _____________________________________________________

Student Name: ________________________________________________________________

Instructor Name: ______________________________________________________________

Lab Due Date: ________________________________________________________________

Overview

A properly configured Virtual Private Network which uses IPsec and adheres very closely to best practices, such as strong authentication, network segmentation, device validation, posture assessment, etc., is very formidable and protects all types of information while it is in transit from one location to the other. In this lab, you learned how to use social engineering techniques to unlock the secrets of a targeted individual or organization by attacking their Virtual Private Network. You also researched email scams and used social engineering to create a believable spam email to solicit funds for a fictitious fund-raising opportunity.

Lab Assessment Questions & Answers

1. What is the darknet?

a. An Internet for non-English speaking people
b. The criminal side of the Internet
c. An Internet just for law enforcement
d. The old, IPv4 Internet that is being retired as IPv6 takes over
e. None of the above

2. What email protocol does Marina and Rita's Cupcakes use and why is it important?

3. Text in an email must match the URL to which it links. True or false?

4. Instead of relying just on a user ID and password systems, VPN access can be protected by tokens like SecurID and other ____________ methods.


5. In many instances an IP address is used to access a server rather than a URL because a URL is more difficult to set up and easier to track. True or false?

6. A well designed malicious email campaign can expect ____________ number of responses, or click-throughs, as a legitimate commercial email campaign.

a. fewer
b. more
c. about the same

7. Were Charlie Roberts and Susan Dougherty known to each other, and did they have a trust relationship that could be exploited?

8. Which of the following steps can make VPN access more secure?

a. Assure Perfect Forward Secrecy during IKE key exchange
b. Allow access only from specific MAC addresses
c. Allow access only from specific MAC/IP address pairs
d. Use foreign words as passwords
e. Change password letters to numbers, such as all Ls to 7s and all Os to 0s.


Toolwire Lab 10: Investigating and Responding to Security Incidents

Introduction

Click the link below to view the network topology for this lab:

Topology

Even with security measures such as firewalls, properly configured virtual private networks, and secure network procedures, security incidents can arise from a number of sources. Sometimes, an incident is caused by human error or mistakes. Other times, a security incident can occur as a result of deliberate actions intended to cause loss or harm to the organization. To reduce the impact of security incidents and minimize the costs to the organization, actions must be taken to prevent, detect, respond to, control, and document security incidents. This five-step formula serves as the basis for incident response processes and procedures.

System administrators and incident response teams use a variety of automated tools to investigate and respond to security incidents. These tools range from basic system utilities that report on the performance and configuration of a single workstation or server to enterprise-wide tools capable of finding, identifying, scanning, and reconfiguring information systems.

• System information tools, e.g. Windows Computer Management and Windows Task Manager, provide information about the current operating state of a computer system. Windows Task Manager provides information about currently running tasks, use of system resources, and system performance. Windows Computer Management provides more detailed information about the system including: lists of services (applications and operating system components) and their current state, computer hardware configuration, security and system events, and scheduled tasks.

• System configuration tools are used to scan an operating system and key software applications for security issues. Microsoft Baseline Security Analyzer (MBSA) is a system scanning tool that scans workstations and servers running Microsoft Windows operating systems. MBSA will check for system administration and misconfiguration problems, application software issues including missing patches and updates, and missing or partially installed system security updates. MBSA can be configured to check for missing updates and recommended security settings for Internet Explorer, Internet Information Server (IIS), Microsoft Office, and SQL Server. MBSA is more powerful than Windows Update since it checks system and software settings in the registry in addition to checking for required software updates. After the scan completes, MBSA will generate a report which identifies security issues and provides recommendations for system configuration changes required to mitigate or remove the vulnerabilities associated with those issues.

This lab has three parts which you should complete in order.

1. In the first part of the lab, you will remotely connect to a Windows 2008 server to gather information about system performance and running tasks including memory and bandwidth usage. This type of information supplements information gathered by automated tools.

2. In the second part of the lab, you will run a security scan on the Windows 2008 server using Microsoft Baseline Security Analyzer (MBSA).

3. Finally, if assigned by your instructor, you will explore the virtual environment on your own in the third part of the lab to answer a set of challenge questions that allow you to use the skills you learned in the lab to conduct independent, unguided work, similar to what you will encounter in a real-world situation.

Learning Objectives

Upon completing this lab, you will be able to:

• Use system administration tools to gather information.
• Scan a computer system for vulnerabilities using automated tools.
• Explain the use of automated tools to gather information as part of an incident response process.

Tools and Software

The following software and/or utilities are required to complete this lab. Students are encouraged to explore the Internet to learn more about the products and tools used in this lab.

• Windows Task Manager
• Windows Computer Management
• Microsoft Baseline Security Analyzer

Deliverables

Upon completion of this lab, you are required to provide the following deliverables to your instructor:


1. Lab Report file including screen captures of the following steps: Part 1, Steps 9, 11, 15, 20, and 24. Part 2, Steps 6 and 9;

2. Lab Assessments file;

3. Optional: Challenge Questions file, if assigned by your instructor.

Evaluation Criteria and Rubrics

The following are the evaluation criteria for this lab that students must perform:

1. Use system administration tools to gather information. - [40%]

2. Scan a computer system for vulnerabilities using automated tools. - [40%]

3. Explain the use of automated tools to gather information as part of an incident response process. - [20%]

Hands-On Steps

Note: This lab contains detailed lab procedures which you should follow as written. Frequently performed tasks are explained in the Common Lab Tasks document on the vWorkstation desktop. You should review these tasks before starting the lab.

1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the file in Adobe Reader.

If desired, use the File Transfer button to transfer the file to your local computer and print a copy for your reference. Instructions for transferring the file can be found in the file itself.

Figure 1 "Student Landing" workstation

2. On your local computer, create the lab deliverable files.

3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to these questions as you proceed through the lab steps.

Part 1: Gather System Performance Information


Note: System performance information supplements information gathered by automated tools. Some IT Help Desks will ask an end user to perform these tasks while on the phone with a Level 1 support technician. In this part of the lab, you will also look at the running processes to see if remote desktop services are available. In an enterprise environment, the support technician may walk a user through this verification and, if necessary, provide instruction on how to enable remote desktop services so that the technician can log into the workstation to gather additional information and run tests. Remote desktop services are a double-edged sword. Remote desktop services can save an organization significant amounts of time and money by eliminating the need for many desk-side support visits by IT Help Desk technicians. But, those same remote login services can become a vulnerability that is exploited by both internal and external threat agents.

1. Double-click the RDP folder on the vWorkstation desktop to open the folder.

2. Double-click the Targetw2k8a icon in the RDP folder to open the Remote Desktop Connection dialog box. If prompted, click Yes to dismiss the pop-up window.

Figure 2 Open a remote desktop connection

3. Click Connect to accept the default IP address, 172.30.0.15.

4. If you are prompted for a password, type ISS316Security and click OK to logon.

If you are not prompted for a password, the remote desktop and its icons will replace the vWorkstation desktop immediately with the IP address displayed in the title bar.

Figure 3 TargetWindows01 title bar

Note: Refer to the Common Lab Tasks.pdf file for more detailed instructions on opening and working with remote connections.

5. Right-click the taskbar at the bottom of the remote desktop to bring up the context menu. Select Start Task Manager from the menu.

Figure 4 Windows taskbar context menu

6. Click the Services tab.

7. Click the Name column to sort the list of services alphabetically.

8. Scroll through the list of services until you find processes associated with Remote Desktop Services.

9. Repeat step 7 on the Description column to sort the description of services alphabetically.

The words Remote Desktop Services may appear in either the Name or Description columns.

Figure 5 Windows Task Manager: Services tab


10. Make a screen capture showing all the processes associated with Remote Desktop Services and paste it into your Lab Report file.

11. Click the Performance tab and wait 45-60 seconds for the history graphs to display data on 50% or more of the graph.

Figure 6 Windows Task Manager: Performance tab

12. Make a screen capture showing the current system performance and paste it into your Lab Report file.

13. Close the Windows Task Manager.

Use the scrollbars as necessary to view the Windows Start button.

14. Click the Windows Start button and navigate to Administrative Tools > Computer Management to open the Windows Computer Management tool.

Resize the Computer Management window so that the entire window is visible.

Figure 7 Computer Management application window

15. Navigate to System Tools > Event Viewer > Windows Logs > Application by clicking on the plus signs to open the sub menus.

The Windows Application Log records information about events. It will record successful operations, system warnings, error messages about failed operations, as well as information about both successful and unsuccessful logon attempts.

Figure 8 Windows Application Log

16. Make a screen capture showing the Application Log and paste it into your Lab Report file.

17. Click Filter Current Log from the Actions pane on the right-hand side of the window.

18. In the Event level portion of the filter form, click each of the following checkboxes to select those event levels:

o Critical
o Warning
o Error

Verify that the Verbose and Information checkboxes are unchecked.

Figure 9 Filter Current Log form

19. Click OK to filter the log entries.

20. Scroll down to find the first Error event entry in the log file and click the Error line item to display the log entry. Review the Log Entry.


Figure 10 Filtered Application Log

21. Make a screen capture showing the current log entry and paste it into your Lab Report file.

Note: Many log files contain thousands of entries, making them difficult to scan by eye when looking for evidence. Using a filter can help an analyst quickly find events of interest, especially when other information is available about the type of attack or when the attack occurred. The drawback to using filtering to reduce the number of entries is that the filter may exclude events that would have been of interest if the analyst had seen them.

22. In the left navigation pane, click Security to open the Security Log and compare the information displayed in this log with that displayed in the Application Log.

23. In the left navigation pane, click System to open the System Log and compare the information displayed in this log with that displayed in the other logs.

24. Click the plus sign in front of Services and Applications at the bottom of the left navigation pane and click Services.

25. Click the Standard tab at the bottom of the Computer Management window to change the view.

26. Scroll through the list of services to find the group of services that manage the Remote Desktop.

Figure 11 List of windows services that manage the Remote Desktop Services

27. Make a screen capture showing the run status and startup type for the Windows services that manage Remote Desktop Services and paste it into your Lab Report file.

28. Close the Windows Computer Management window.
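The evidence Part 1 has you collect by hand can also be gathered from a script, which is what a help desk or incident responder would do across many hosts. The following PowerShell is an added example, not part of the lab manual: it records the state of the Remote Desktop services, a single CPU and memory sample, and the Application log filtered to Critical/Error/Warning exactly as in steps 17 to 19. It sticks to PowerShell 2.0 features so it runs on Windows Server 2008; the report path and time window are assumed defaults.

```powershell
# Added example, not part of the lab manual. Run in an elevated PowerShell prompt
# on the target server. $ReportPath and $Hours are assumed defaults, not lab values.
param(
    [string]$ReportPath = "$env:USERPROFILE\Desktop\ir-evidence.txt",
    [int]$Hours = 24
)

$report = @()
$report += "Host: $env:COMPUTERNAME   Collected: $(Get-Date -Format o)"

# --- Services behind "Remote Desktop Services" (Task Manager > Services, steps 6-10) ---
# Service names are stable across Windows versions even where the display names differ.
$report += ''
$report += '== Remote Desktop services: state and startup type =='
foreach ($name in 'TermService', 'UmRdpService', 'SessionEnv') {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) { $report += ('{0,-14} not installed' -f $name); continue }
    $report += ('{0,-14} {1,-8} startup={2,-6} account={3}' -f $svc.Name, $svc.State, $svc.StartMode, $svc.StartName)
}
# A listener on TCP 3389 tells you whether remote login is possible right now.
$report += (netstat -ano | Select-String ':3389\s+\S+\s+LISTENING' | ForEach-Object { 'listening: ' + $_.Line.Trim() })

# --- Resource use (Performance tab, step 11): one sample each of CPU load and memory ---
$os  = Get-WmiObject -Class Win32_OperatingSystem
$cpu = Get-WmiObject -Class Win32_Processor | Measure-Object -Property LoadPercentage -Average
$report += ''
$report += ('== Resources: CPU {0}%  free RAM {1} MB of {2} MB ==' -f [int]$cpu.Average,
            [int]($os.FreePhysicalMemory / 1KB), [int]($os.TotalVisibleMemorySize / 1KB))

# --- Application log filtered as in steps 17-19 ---
# Level 1 = Critical, 2 = Error, 3 = Warning; 4 (Information) and 5 (Verbose) stay out.
# The total record count is kept so the reader can see how much the filter hides.
$total  = (Get-WinEvent -ListLog Application).RecordCount
$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Application'
    Level     = 1, 2, 3
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue)

$report += ''
$report += ('== Application log: {0} Critical/Error/Warning entries in the last {1} h (log holds {2} records) ==' -f $events.Count, $Hours, $total)
foreach ($e in $events) {
    # First line of the message only; the full text remains in the log itself.
    $msg = if ($e.Message) { ($e.Message -split "`r?`n")[0] } else { '<no message>' }
    $report += ('{0:u} {1,-8} {2,-28} id={3,-5} {4}' -f $e.TimeCreated, $e.LevelDisplayName, $e.ProviderName, $e.Id, $msg)
}

# A burst of errors from a single source is usually the first lead worth following.
$report += ''
$report += '== Filtered entries by provider =='
foreach ($g in ($events | Group-Object -Property ProviderName | Sort-Object -Property Count -Descending)) {
    $report += ('{0,5}  {1}' -f $g.Count, $g.Name)
}

$report | Set-Content -Path $ReportPath -Encoding UTF8
Write-Host "Evidence written to $ReportPath"
```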

Part 2: Scan a Windows 2008 Server for Vulnerabilities


1. Double-click the Microsoft Baseline Security Analyzer 2.2 icon on the remote desktop to launch the application.

Resize the Computer Management window so that the entire window is visible.

Figure 12 Microsoft Baseline Security Analyzer


2. Click Scan a computer to begin the security scan.

3. Click the Check for security updates checkbox to remove the check.

The computers in the virtual lab environment do not have direct Internet access, which is required to perform this check for updates. (If you were running this scan on a computer with Internet access, you would leave this option selected.)

Figure 13 Setting scan options

4. Click the Start Scan button.

5. Review the Report Details for VLABS scan results.

Figure 14 Report Details for VLABS scan results

6. Make a screen capture showing the first page, including the header and the Administrative Vulnerabilities report and paste it into your Lab Report file.

You may need to use the scrollbars and take multiple screen captures to view the entire report.

7. Scroll to the Additional System Information section of the report and find the entry for Shares.

Figure 15 Additional System Information report

8. Click Result Details to display the results.

Figure 16 Result details of the Shares information

9. Make a screen capture showing the result details for the Shares entry and paste it into your Lab Report file.

10. Close the Results Details window.

11. Close the Microsoft Baseline Security Analyzer window.

12. Close the Remote Desktop Connection.

Note: Refer to the Common Lab Tasks.pdf file for more detailed instructions on closing remote connections.

13. Close the virtual lab, or proceed with Part 3 to answer the challenge questions for this lab.
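The Shares entry you examined in steps 7 to 9 lists each share and its permissions. The PowerShell below is an added example, not part of the lab manual or of MBSA, that approximates that check from the command line: it enumerates every share through WMI (so it works on Windows Server 2008, where Get-SmbShare is not available), decodes the share-level DACL, and warns when a non-administrative share is writable by Everyone, Users or Authenticated Users. Running it locally in an elevated prompt is assumed.

```powershell
# Added example, not part of the lab manual. Approximates the MBSA "Shares" report entry
# using WMI only. Assumed: run locally in an elevated PowerShell prompt.

# Share ACE access masks as Windows sets them for the three share permission levels.
$FULL_CONTROL = 0x1F01FF
$CHANGE       = 0x1301BF
$READ         = 0x1200A9

function Get-ShareAccess($shareName) {
    # Win32_LogicalShareSecuritySetting exposes the share DACL; IPC$ and print shares have none.
    $sec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$shareName'"
    if ($null -eq $sec) { return @() }
    $dacl = $sec.GetSecurityDescriptor().Descriptor.DACL
    $result = @()
    foreach ($ace in @($dacl)) {
        if ($null -eq $ace) { continue }
        $who = $ace.Trustee.Name
        if ($ace.Trustee.Domain) { $who = $ace.Trustee.Domain + '\' + $who }
        $right = switch ($ace.AccessMask) {
            $FULL_CONTROL { 'Full' }
            $CHANGE       { 'Change' }
            $READ         { 'Read' }
            default       { '0x{0:X}' -f $_ }
        }
        # AceType 0 = access allowed, 1 = access denied
        $result += New-Object PSObject -Property @{
            Trustee = $who; Right = $right; Allowed = ($ace.AceType -eq 0)
        }
    }
    return $result
}

Write-Host ('Shares on {0}' -f $env:COMPUTERNAME)
foreach ($share in Get-WmiObject -Class Win32_Share) {
    # The high bit of Type marks the hidden administrative shares (ADMIN$, C$, IPC$).
    $admin = if (($share.Type -band 0x80000000) -ne 0) { ' (administrative)' } else { '' }
    Write-Host ''
    Write-Host ('{0,-12} -> {1}{2}' -f $share.Name, $share.Path, $admin)
    $aces = Get-ShareAccess $share.Name
    foreach ($a in $aces) {
        $kind = if ($a.Allowed) { 'allow' } else { 'deny ' }
        Write-Host ('    {0} {1,-7} {2}' -f $kind, $a.Right, $a.Trustee)
    }
    # The usual weak-permission finding is Everyone or Users holding Change or Full
    # on a non-administrative share, which lets any account plant or alter files.
    $weak = $aces | Where-Object {
        $_.Allowed -and ('Full', 'Change') -contains $_.Right -and
        $_.Trustee -match '(^|\\)(Everyone|Users|Authenticated Users)$'
    }
    if ($weak -and -not $admin) {
        Write-Host '    ** WARNING: writable by broad groups; tighten the share permission or remove the share.'
    }
}
```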


Lab #10 - Assessment Worksheet Investigating and Responding to Security Incidents

Course Name and Number: _____________________________________________________

Student Name: ________________________________________________________________

Instructor Name: ______________________________________________________________

Lab Due Date: ________________________________________________________________

Overview

In this lab, you gathered information about system performance and running tasks including memory and bandwidth usage, and looked for remote desktop services. You also ran a security scan on the Windows 2008 server using Microsoft Baseline Security Analyzer (MBSA) to identify any missing software updates or updates which were not completely installed, and detect changes to system configuration parameters which could have occurred as the result of an intrusion or the actions of a malicious insider.

Lab Assessment Questions & Answers

1. List five types of system information that can be obtained from the Windows Task Manager. How can you use this information to confirm the presence of malware on a system? (Hint: Look at the bandwidth and CPU utilization.)

2. Windows Task Manager and Windows Computer Manager both provide information about system services. Compare and contrast the types of information (about system services) that can be obtained from these tools.


3. Explain how you could use one or more of the Windows log files to investigate a potential malware infection on a system. What types of information are available to you in your chosen log file?

4. Should you filter log files during an investigation into a security incident? Why or why not?

5. Should remote desktop services be enabled on employee workstations for use by IT Help Desk personnel? Why or why not?

6. How does Microsoft Baseline Security Analyzer (MBSA) differ from Windows Update? Why are Shares a source of system vulnerabilities?
