Security Labs in OPNET IT Guru

Transcription

1 Security Labs in OPNET IT Guru Universitat Ramon Llull Barcelona 2004

2 Security Labs in OPNET IT Guru Authors: Cesc Canet Juan Agustín Zaballos Translation from Catalan: Cesc Canet -I-

3 Overview This project consists in practical networking scenarios to be done with OPNET IT Guru Academic Edition, with a particular interest in security issues. The first two parts are a short installation manual and an introduction to OPNET. After that there are 10 Labs that bring into practice different networking technologies. Every Lab consists in a theoretical introduction, a step-by-step construction of the scenario and finally Q&A referring to the issues exposed. Lab 1: ICMP Ping, we study Ping traces and link failures. Lab 2: Subnetting and OSI Model, we study tiers 1,2 and 3 of the OSI model, and the Packet Analyzer tool to observe TCP connections. Lab 3: Firewalls, we begin with proxies and firewalls. We will deny multimedia traffic with a proxy, and study the link usage performance. Lab 4: RIP explains the RIP routing protocol, and how to create timed link failures and recoveries. Lab 5: OSPF compares RIP. We study areas and Load Balancing. Lab 6: VPN studies secure non-local connections. A Hacker will try to access into a server that we will try to protect using virtual private networks. Lab 7: VLAN creates user logical groups with Virtual LANs. Studies One-Armed- Router interconnections. Lab 8: Dual Homed Router/Host, Lab 9: Screened Host/Subnet. DMZ and Lab 10: Collapsed DMZ explains the static routing tables, ACLs, proxies and internal vs. perimetric security. Lab 10 is 100% practical, we want you to create it on your own, a piece of cake if you did the other Labs!

4 Lab 3: Firewalls Firewalls are a network access control system that divides a network that we presume it s secure from a network that may be unsecure. Although it can control the ingoing and outgoing traffic, the most common usage of firewalls is to control the ingoing traffic. Note that Firewalls do not provide any security from internal attacks. Network Firewalls (packet filtering) Routers can control the IP packets that go across them by accepting/denying traffic according to policies affecting to protocol headers (IP, ICMP, UDP, TCP,..). We can analyze source/destination addresses and ports, protocol types, packet contents and size, etc. There are two general policies: a) accept all packets except for a finite set of cases, and b) deny all traffic except for a finite set of cases. Case b is more difficult to implement, but it is generally more recommendable. Each packet reaching the device will lookup the filtering rules and stop at the first match, and after that will decide the decision of either denying or accepting the traffic. A default policy is always set. Proxies (Application Gateways) They behave as Application-level retransmission devices. Network users establish a communication with the proxy, thus dividing the source-destination connection in two independent connections (source-firewall and firewall-destination). The proxy server manages the requested connections. This technology has a slower performance that network firewalling because it is working on the upmost OSI layer. It is usual to use both firewalls at the same time. Cache Proxies are a popular way to increase performance by storing the data the gateway transmits into the firewall, so it is not necessary to lookup in the Internet for the same data next time another computer requests it. -2-

5 Lab Description Lab3 Corporation has two departments, each one with its own network (LAN1 and LAN2), trying to access a database server where a database with customers information is stored, and an and HTTP server. At the same time, some company guys are using illegal multimedia downloading, and so slowing the Internet link performance. The company is requesting to set up a Firewall to avoid multimedia traffic in order to decrease the mean database access time to a 1 sec threshold. Creating the Scenario 1. Open OPNET IT Guru Academic Edition: (File New Project) using these parameters (use default values for the remainder): Project Name: <your_name>_ Firewall Scenario Name: NoFirewall Network Scale: Campus Size: 100x100 meters Press Next several times until we finish the Startup Wizard. 2. Network creation: We create the scenario of picture L3.1. The components that are used and the palette where they can be found in the Object Palette are summarized in table L3.2. L3.1 The scenario -3-

6 Qty Component Palette Description 1 ethernet16_switch internet_toolbox Switches 2 10BaseT_LAN internet_toolbox LAN network models 1 ethernet2_slip8_firewall internet_toolbox Routers 1 ip32_cloud internet_toolbox Internet model 2 ppp_server internet_toolbox AndWebServer DBServer 1 ppp_wkstn internet_toolbox MusicAndVideoServer 1 Application Config internet_toolbox 1 Profile Config internet_toolbox 3 10BaseT internet_toolbox Connects the Switch with the Firewalls and the two LANs 1 ppp_adv links_advanced Connects the Firewall to the Internet 3 T1 links Connects the 3 servers to the Internet L3.2 Components list L3.3 Application Config Attributes Right click on every node, click on Set Name and write the same names as seen in the picture. 3. Setting up the Application Config control: Select the Application Config control, and go to Edit Attributes. All we need to modify are the Application Definitions. Delete all the applications that may be defined (tip: set rows: 0), and create 4 applications as seen in the picture (set rows: 4 and edit the four applications as seen in the picture L3.3). First step is to change the Name: , HTTP, DB and MusicAndVideo. Change the application load afterwards: -4-

7 HTTP: Permits HTTP (Light Browsing). Permits (Low Load) These two applications can be configured automatically by double-clicking on the corresponding fields. To configure MusicAndVideo and DB, double-click on the fields of picture L3.3 marked with the (...) symbol: DB Database, MusicAndVideo Voice, and then set the values as in pictures L3.4 and L3.5. L3.4 and L3.5 Configuring the application traffic -5-

8 L3.6 Configuring Profile Config Select the control Profile Config and use the right button to click on Edit Attributes and create 4 profiles: WebBrowser, to admit HTTP application Profile, to admit application MusicAndVideoProfile, to admit MusicAndVideo application BDProfile, to admit DB application. -6-

9 We have to do the same steps as before: Set 0 rows to erase all rows we may have, and then set 4 rows to program the four applications, and deploy each row and set the values as seen on pictures. The hierarchies that are not deployed on pictures use default values. Applications can be appended to profiles adding new rows to the Applications field, and setting the field Name on every row 0 of the Applications branch. We can also modify the Start Time of all Applications and Profiles (packet reception distribution), the Operation Mode, and the Repetition Pattern. 4. Setting up the Firewall: This first scenario permits the voice traffic. Picture L3.7 shows the main options to be configured in the router. The attributes to modify are the following: Address and Subnet Mask: AutoAddressed on all rows of IP Routing Parameters Interface Information and IP Routing Parameters Loopback Interfaces. We need to set up the routing protocol OSPF: OSPF Parameters Interface Information row 0 and row 1 (the unique router interfaces) Type: Broadcast. Set Point to Point to the remainder (rows 2 9). Proxy Server Information row 6 (corresponds to Application Remote Login, necessary for Database access) Proxy Server Deployed: Yes, this ensures that database traffic has the right to pass. -7-

10 L3.7 Configuring the Firewall 5. Setting up MusicAndVideoServer: Right click on the MusicAndVideoServer and click on Edit Attributes. We have to modify the Application: Supported Services, by setting the parameters as seen in the picture below (we need to set rows: 1 to accept MusicAndVideo). Leave the remainder options with default values. -8-

11 L3.8 MusicAndVideoServer supported Services 6. Setting up the DBServer and WebAnd Server: This server Supported Services have to be set as seen in the picture below: Server Supported Services DBServer DB WebAnd Server HTTP L3.9 Supported Services 7. Configuring LANs: Select LAN 1 by clicking on it, and then right button Edit Attributes. Use the values from picture L3.10 (non-deployed branches use default parameters). This configuration will use 250 workstations for each and every LAN (Number of Workstations), 5 of them will be doing web browsing, 5 will be using , 50 attempting to connect to the database and 9 using MusicAndVideoServers illegally (Application: Supported Profiles). When finished, click on OK. L3.10 Assigning profiles to workstations at LAN 1 LAN 2 will be configured with the same values. Use Copy & Paste to duplicate the LAN and change the name afterwards. -9-

12 8. Internet-Firewall link configuration: Right-click on the link and Edit Attributes. Set Data Rate: T1. 9. Configuring the simulation statistics: The performance and throughput statistic parameters can give interesting information, as well as the DB Query delay: Right click on the Internet-Firewall link Choose Individual Statistics and mark the checkboxes as in picture L3.11. Click OK. L3.11 Internet-Firewall link statistics In order to choose the DB Query simulation statistics, right click anywhere else in the grid except of a node, select Choose Individual Statistics and check the fields as in picture L3.12. Click OK. L3.12 Global statistics -10-

13 To check all the son statistics of a parent node, click on the parent node and then all the son nodes will be check marked. 10. Configuring the simulation: From the Project Editor, click on configure/run simulation Duration: 1 hour(s). Don t start the simulation yet., set Creating the second scenario The second scenario is a duplicate of the first, but with some router rules avoiding particular packets from and to music and data services. Later on we will see how this decreases the internet link throughput and database access time fair enough below the 1 second limit. From the Project Editor, Scenarios Duplicate Scenario... Rename the new scenario: WithFirewall, and right click on Firewall and Edit Attributes. Leave all the values as they are, except the Proxy Server Information row 8 (Application Voice data), using Proxy Server Deployed:No. Results Analysis Run all the simulations of the scenarios, and take a look at the graphics: 1. At the Project Editor, Scenarios Manage Scenarios... and configure the simulation parameters as seen in the picture, setting <collect> on the Results row on both scenarios (use <recollect> if this is not the first time you run the simulation). Click OK. L3.13 Manage Scenarios -11-

14 2. Compare the DB Query Response Time by right-clicking on the Grid on any scenario and Compare Results. Now we can browse in all the general statistics we programmed before in the left side tree. Check out that Overlaid Statistics, All Scenarios and average options are marked. L3.14 Compare Results Questions Q1 Compare the DB Query Response time (sec). Can you see a significant improvement when the firewall is implemented at the proxy? Do we respect the 1 sec threshold? Q2 Compare the point-to-point throughput (packets/sec) in any direction of the Firewall-Internet link. How is the non-illegal applications effective bandwidth affected by the proxy? Q3 Compare the utilization of the same link. What changes do you appreciate? -12-

15 Answers Q1 The DB Query Response time was in a giddy high of 2.5 seconds, and it decreased to 0.5 seconds when the proxy is on because of a effective bandwidth net gain, significantly below the 1 second threshold. L3.15 Average DB Query Response Time Q2 It is remarkable the big amount of packets per second there were when the multimedia traffic was permitted (around 4,500), and the way this decreases to a residual value when the traffic is banned. The bandwidth was absolutely saturated. L3.16 Average point-to-point throughput of the link Q3 The main part of the network traffic was voice traffic, but what we didn t know is that this was saturating the Internet link capacity. When the proxy is on, the utilization reaches almost 0%. -13-

16 L3.17 Average utilization of the link -14-