CS640 Assignment 2: Security Lab

Due: December 15, 2011, In class

Description

Network security is largely concerned with three distinct activities. The first is deploying systems that actively block unwanted traffic in an infrastructure. Common devices for active packet blocking include firewalls and Network Intrusion Prevention Systems. A firewall is a system which blocks traffic based on simple rules that specify different features in network packet headers. For example, a firewall rule might say "block all traffic with destination port 135". These simple rules end up being quite useful and firewalls are widely used devices. An NIPS has the ability to be much more discerning about which traffic is blocked. This is done through the use of signatures which typically specify a bit pattern in packet payloads. If a given packet matches a one of the signature patterns, that packet is dropped by the NIPS - which prevents the attack from being successful.

A second activity of network security is to monitor the infrastructure for malicious activity. A basic tenet of security is that it is essential to have as much information as possible about ones environment in order to effectively protect it. One of the most basic tools for monitoring a network infrastructure is a Network Intrusion Detection System (NIDS). Like NIPS, NIDS are used to monitor traffic streams to/from a network. They also use signatures of known malicious activity to detection attacks. When a NIDS identifies a packet that matches one of its signatures, it does not drop the packet (then it would be a NIPS). Instead, it generates an alert/alarm that warns the analyst that security has been breeched.

A third activity of network security is to mitigate the effects of successful attacks. One can never assume that one has sufficient defenses to counter all attacks forever. Thus, when an NIDS or other monitoring system indicates an attack took place, the security analyst must assess the damage and do whatever is necessary to recover from it.

The purpose of this laboratory experiment is to familiarize you with the first and second activity mentioned above using some security tools: Snort, Nessus, and firewall routers. We will use the Junosphere virtual networks and routers for this lab.

Reading Material

The following reading material are suggested before you start working on the lab assignment to get you familiar with the topics:

This lab description from previous years introduces the concepts that will be covered in this lab.
This Web site provides an introduction to network security.
This wiki article on firewalls is helpful.
Refer to the Juniper technical documentation for information on how to change the firewall policies.
Here you can find some examples of how to change the firewall policies in the firewall router.
This document is going to be very helpful when you play with the firewall router configuration. Specifically, pay attention to Part 1.
Take some time looking through "Junos as a second language", if you have not already done so, which is available here. You need to register, but it is free. This is very useful to get you ready to work through the labs.
In addition, here is a list of sources that may be useful for learning more about JunOS. The material includes free self-study courses, pdf downloads etc.

Lab Description

Here is the lab setup. The lab consists of the following sections:

Pre-lab questions
Snort and Nessus experiment
Firewall experiment
Post-lab questions

Pre-lab Questions

Please enter the answers to the questions below in your lab report:

1. Would it ever make sense to use more than one NIDS in a network security infrastructure (explain)?
2. Would it ever make sense to use more than one Firewall in a network security infrastructure (explain)?
3. What are some of the limitations in using a tool like Nessus to test the security of a given network infrastructure?
4. Describe the some of the details/features of signatures that are used by Snort.
5. How do you think that signatures for Snort are generated and what are some of their potential limitations?

Snort and Nessus Experiments

Snort and Nessus are already installed for your experiment on the lab testbed. Please do not change the installation settings. Snort is installed on the PublicIDS machine and Nessus is installed on the PublicPC4.

Note that for the purposes of this assignment you should use the IP addresses that you get by running the "ifconfig" command on these 2 machines; and not the IP addresses shown in the lab setup.

Sharing the PCs

Once you login into any of the machines create a folder /root/<your color in CAPS> (ex. /root/RED) for your group's use.

Running Nessus

Nessus is installed on the PublicPC4 machine. You need to do the following:

Once per group: Run /opt/nessus//sbin/nessus-adduser to add a user. Give this user 'admin' privileges.
Once per Nessus installation: you need to get an activation code from here and run the following command: /opt/nessus/bin/nessus-fetch --register <Your activation code>
This command will be sent to your E-mail address once you apply for an activation code.
You can start nessus by typing /sbin/service nessusd start
If you are asked for a paranoia level, choose 3.
Run "/opt/nessus/bin/nessus -q -T txt localhost 1241 <Your user name > <Your password> targetsfile resultfile" to start the scan.
Include in the targets file the IP address of the PublicIDS machine that you got by running the ifconfig command on that machine.

Based on the results file answer the following questions:

Question: What kind of vulnerabilities does Nessus investigate?

Question: What kind of vulnerabilities does Nessus find?

Running Snort

We use snort as a "sniffer" in this experiment. This means that it captures all the packets that passes through it and logs them for future investigation.

You run snort as follows:

snort -l <log folder>

The snort log files will be stored in the specified log folder. Generate 2 logs:

1) Let snort run for a while and then stop it.
2) Let snort run, and then run the Nessus scanner. Once the scanner is done, stop Snort.

Snort provides an output summary of the kind of packets that it captured and also logs the packets. The log can be opened with the Wireshark application installed on CS lab machines and also available online.

Investigate the Snort output and the log files:

Copy the Snort output in both cases to your report.

Question: What kind of packets does Nessus send to do the scanning?

Provide a screenshot of the logs opened by Wireshark in both cases.

Question: In what ways are these logs different?

Question: Does the packet coloring have any interpretation? Explain your thoughts.

Question: Once you click on each packet, 4 categories of information (ex. Transmision Control Protocol) is displayed for that packet. Briefly explain what kind of information each category captures.

Setup a Firewall

You have a firewall router in your lab setup. You should use the IPs and interfaces specified in this setup for this section. Here you can find some examples of how to change the firewall policies in the firewall router.

Your task is to modify the firewall router's configuration so that:

Network 1 internal rules:
1) TELENT is never allowed
2) ssh is allowed

Public to/from Network 1:
1) FTP connections are not allowed
2) All other packets are allowed

Network 2 internal rules (suppose this is a Web server):
1) TELNET is never allowed
2) SSH always allowed

Public to/from Network 2:
1) SSH always allowed in or out
2) All outgoing TCP connections are allowed (i.e. serving content)
3) All other packets are discarded

Between Network 1 and Network 2:
1) TCP connections between Network 1 and PC3 (web server) allowed
2) All SSH connections allowed
3) Other IP packets discarded

Include a copy of your configuration in your lab report. Explain clearly what each of the filters and/or terms inside the filter accomplishes.

Sharing the Firewall router

Create a folder /root/<your color in CAPS> Each time that you work with the router configuration, save your configuration in a file and move it to your group's folder.
To save your configuration run in the edit mode:

Save <filename>

If you want to take a copy off of the router, in command mode, type:

Start shell

This will then place you into the directory where the configuration file was saved to. You can now ‘sftp’ or ‘scp’ the file out to a remote host just as you did in lab1.

Each time before you start working with the configuration and after you are done run the following to restore the router to its original state:

load override /config/juniper.conf.vmm

commit

You can also load back your configurations with the above commands. Just override the current configuration with "your" configuration file.

Post-Lab Questions

Please enter the answers to the questions below in your lab report:

1. Intrusion detection and anti-virus systems come with signature sets installed. Why is it important to keep signatures updated?
2. False alarms occur when an IDS indicates an attack has taken place when it really hasn't (false positive) or when a real attack takes place for which no alarm is raised. Which is worst (explain)?
3. Firewalls can be set to be inclusive or exclusive. Describe and compare both modes.
4. If you were an adversary and wanted to avoid being detected by an IDS, what might you do?
5. If you were a security analyst and knew that your adversaries were trying to avoid being detected, what might you do?

Accessing the Network

Send the course TA an E-mail with your group members' names to get access to the network. You can find the schedule here.

Assessment Criteria

Your hard copy report, to be submitted at the start of the class on the due date, should include:

Answers to all questions in the lab.
All results or snapshots that are asked for.

Grading

This assignment will be graded from a total of 50 points. Here is the grading criteria:

You turned in your report with some results in it. 10 points
Your report is clear and easy to read. 5 points
Firewall set up and explanation. 15 points
Snort and Nessus Experiment. 10 points
I will choose a set of questions from the Pre-Lab and Post-Lab to grade. Each will recieve the same number of points from 10 points.