Reading
Introduction to Network Security
Improving security on Cisco routers
Firewall overview
Tasks
This lab is focused on basic aspects of IT and network security. IT
security is a large and diverse domain with roots that can be traced
back to the problems that been faced for hundreds of years in
ensuring that messages are only able to be read by those for whom
they are intended (also called message confidentiality). This is one
of the basic problem of cryptography. The basic tools of
cryptology are codes and algorithms are used to obfuscate messages.
Alternatively, the basic problem of breaking codes is called
cryptanalysis, which is a very challenging field as well.
Modern crtypography and cryptanalysis are both largely based on
mathematical techniques that are beyond the scope of this lab. But,
all modern Internet commerce depends on these codes, so they are
certainly important!
Like other labs, our focus will be on the security tasks that are
typical in day to day IT operations. The distinction between "IT"
and "network" security, is that IT security broadly refers to all
computer and communications security, thus network security is a
subset. Other aspects of IT security include end host security, data
center security and creating policies and other mechanisms for
dealing with computer and communications systems and users that
ensure that systems and data are protected from unwanted access. A
variety of tools are used for IT security beyond the network,
e.g., anti-virus systems which are common on end hosts.
Network security is largely concerned with three distinct
activities. The first is deploying systems that actively block
unwanted traffic in an infrastructure. Common devices for active
packet blocking include firewalls and Network Intrusion
Prevention Systems. A firewall is a system which blocks traffic
based on simple rules that specify different features in network
packet headers. For example, a firewall rule might say "block all
traffic with desitination port 135". These simple rules end up being
quite useful and firewalls are widely used devices. An NIPS has the
ability to be much more discerning about which traffic is blocked.
This is done through the use of signatures which typically
specify a bit pattern in packet payloads. If a given packet matches
a one of the signature patterns, that packet is dropped by the NIPS -
which prevents the attack from being successful.
A second activity of network security is to monitor the infrastructure
for malicious activity. A basic tenet of security is that it is
essential to have as much information as possible about ones
environment in order to effectively protect it. One of the most
basic tools for monitoring a network infrastructure is a Network
Intrusion Detection System (NIDS). Like NIPS, NIDS are used to
monitor traffic streams to/from a network. They also use signatures
of known malicious activity to detection attacks. When a NIDS
identifies a packet that matches one of its signatures, it does not
drop the packet (then it would be a NIPS). Instead, it generates an
alert/alarm that warns the analyst that security has been
breeched.
A third activity of network security is to mitigate the effects of
successful attacks. One can never assume that one has sufficient
defenses to counter all attacks forever. Thus, when an NIDS or other
monitoring system indicates an attack took place, the security
analyst must assess the damage and do whatever is necessary to
recover from it.
In this lab, you will gain experience with the Snort NIDS, which is
widely used in networks throughout the Internet and has a very active
user community. You will run several different experiments that
exercise Snort in different ways. Of course, since Snort is a network
security tool, you will want to be able to generate different kinds of
traffic that trigger alerts. The tool for traffic generation for this
lab is Nessus, which is also widely used for penetration testing.
Details on both tools can be found in the readings. The basic
approach for this lab will be to construct a simple topology in
Schooner, load Snort on one node and Nessus on the other and then
generate traffic to exercise the NIDS.
Tools
This lab is focused on two tools: the Snort NIDS and the Nessus
security scanner. Information on both tools can be found in the
following:
Nessus Client Guide
(Optional) Nessus Advanced User Guide
What is Snort?
While Snort and Nessus are two widely-used tools, there are a number of
others of each type that are feely available. Another excellent NIDS is
called Bro.
Another well known scanning tool is called Nmap .
NOTE: Be very careful using the scanning tools. If this traffic is
detected beyond WAIL, you will most certainly get a seriously nasty note
from either the UW network administrators or other security administrators
beyond the campus whoes network was the target. These are serious tools
and should be used carefully. If you have any doubt or questions about
them, see Prof. Barford.
Topology
The topology for this lab should contain at least two workstations
connected to a LAN: 6 are shown below, but a 2 node network should be
fine.
Questions
Please enter the answers to these questions into your lab notebooks before you
start the lab.
1. Would it ever make sense to use more than one NIDS in a network
security infrastructure (explain)?
2. Would it ever make sense to use more than one Firewall in a
network security infrastructure (explain)?
3. What are some of the limitations in using a tool like Nessus to
test the security of a given network infrastructure?
4. Describe the some of the details/features of signature that are
used by Snort.
5. How do you think that signatures for Snort are generated and
what are some of their potential limitations?
|