Research on Network Attack-Defense Training Based on Virtual Machine

Transcription

1 Research on Network Attack-Defense Training Based on Virtual Machine 1 Zhang Hui, 2 Sun Yanwei *1, School of Computer Science and Technology, HuBei University of Education, [email protected] 2, College of Computer Science and Technology, ChongQing University of Posts and Telecommunications, [email protected] Abstract For modern information warfare, a bridle-wise team sophisticated in computer network attackdefense skills can be the key to the win or lose. Aiming at present military requirement for network attack-defense training and difficulties involved, a realistic and economical method for building network environment with virtual machine was put forward, which can construct a relative complicated network experiment environment with limited hardware condition. The related key technologies such as three kinds of network accessing pattern in VMware, the architecture of network attack-defense and the virtual network topology are also detailed. Finally, a simulation example was presented to prove the feasibility of the method. It can provide beneficial reference for building a network shooting range for attack-defense training, and soldiers can be versed in theories and skills of computer network attack-defense by training during short term. Keywords: Network Attack-Defense, Virtual Machine, Vmware, Network Address Translation, Virtual Simulation Network 1. Introduction Computer network war will be the leading pattern of operations on future information battlefield. It is an armchair strategist to keep initiative anytime and anywhere without a bridle-wise team sophisticated in computer network attack-defense skills. Researches of network information security and information secrecy are always attached much more importance. But the central point of the research emphasizes particularly on theory and soldiers can t get corresponding network attack-defense simulation training system to be used for training. So it is great important of developing network attack-defense simulation training system to build a network shooting range for attack-defense training, and soldiers can be versed in theories and skills of computer network attack-defense by training during short term. But in light of current reality of current network attack-defense areas, the biggest challenge is how to build a realistic simulation network environment and experimentation platform serving for training and researching in the limited condition of hardware and software. As the combination of hardware and software, virtual machine can create a running platform for Operation System and other software by using functions of existing Operation System and special hardware. The advent of virtual machine technology and its powerful virtual function, which make it possible to perform the experiment that is hampered by limited equipment before time. Accordingly, developing a network attack-defense training system based on virtual machine is brought forward. In this system, Red-Blue antagonizing mechanism is introduced to network security and Attack-Defense technologies are implemented. The large-scale network antagonizing drill can be put in practice by planning the scenario of both sides in the system. By observing the whole network attack and defense process, the trainer can get great skills and more experience. At the same time, the researcher can test research results of network Attack-Defense technologies. The system will provide scientific training means for network Attack-Defense drill of future information warfare, and it will also provide advantaged training support for improving network operational capability of digital troops. 2. Related works Works on network Attack-Defense training simulation based on virtual machine are seldom found in related research fields and approaches. But building test platform and performing Journal of Convergence Information Technology(JCIT) Volume 7, Number 21, Nov 2012 doi : /jcit.vol7.issue

2 network security experiment by using virtual machine have been gained great advancement in recent years and can provide beneficial reference. New progresses have been achieved in network Attack-Defense technology. The typical attacks against IP communications network security, such as different kinds of denial-of-service and attacks against RIP/OSPF/ISIS routing protocols are analyzed by Cheng Yanli [1]. Various network attacks and the security protection technologies including disclosure, counterfeiting, tampering, malicious attacks, vulnerabilities, denial of service, data stream encryption, access control, data stream filtering, intrusion detection and security scanning are detailed by Wei Junhua [2]. A kind of simulation platform model of network attack-defense was put forward by Wu Xianhong [3]. Within the platform model, every component is analyzed and its function is pointed out. In terms of the component of virtual network environment, the design of virtual network topology, the saving and parsing of virtual network topology and the creation of virtual network environment, the simulation environment of network attack-defense is designed and implemented in detail. A network confrontation training simulation system has been designed by Gan Gang [4], and its related subsystems including interactive confrontation training simulation system, support software system, evaluation system, and information database are discussed. Due to performance increase of computer hardware, research on virtual machine and its application has attracted more attention. According to the principle and the purpose of the network technology experiment platform, a plan using virtual machines was offered by Gong Tao [5]. The content and flow of building the network technology experiment platform were introduced. Basing on the virtual machine software named VMware Workstation, the plan and design solution scheme for virtual machine is chiefly discussed by Wang Taicheng [6], which can implement and finish complex network experiments including DHCP relay agent and VPN remote access. The benefits of using virtual machine and the prospects of application for the National Meteorological Information Center of China are discussed by Zhang Haitao [7]. He also established a high available test environment with two Suse Linux servers sharing storage, and it can replace the actual expensive hardware environment. An approach of applying VMware virtual machine technology to support windows soft route labs under stand-alone computer environment was presented by Ren Yingxue [8]. Through his approach, there is no need to construct real intranet or networked lab and the interconnected communication of different IP address fields could be achieved by using virtual network composed of virtual machines and router constructed by Windows 2000 routing & remote access service. Based on the research actualities mentioned above, it is easy to know that the existing research results mainly focused on single network attack-defense technology and application of virtual machine. But how to build an experiment platform applying to skill training for different network attack-defense technologies by virtual machine can t be found yet. So research on network attack-defense training simulation system based on virtual machine will gain important practical significance for improving training effect. 3. Virtual machine The virtual machine technology can simulate an absolute physical environment with virtual machine software, which can be CPU, hard disk, CD-ROM, USB interface, network adapter and sound adapter etc. The Operation System can be installed in the virtual physical environment and runs well. The computer with virtual machine software running is called host computer and the memory of host computer must be large enough when virtual machine is running. The large numbers of memory will be occupied and host computer speed will be slow down in running time. The virtual machine can be used in most different virtual network environment and its advantages are summed up as follow. 1) Several virtual machines can be with just one host computer and each virtual machine is a independence computer. Different kinds of operation systems will be simulated in the same host computer such as Windows, Linux and FreeBSD etc. Every machine can run independently or subsequently, they can communicate with other virtual machine and host computer including dialog, files sharing and etc. 229

3 2) All hardware simulated by virtual machine are standard hardware. But all hardware simulated by host computer are on the same and can be copied between different physical hosts without considering the difference among these hardware. So virtual operation system will be reverted and resumed quickly when different kinds of problems appeared. 3) The virtual hard disk used by virtual machine is one or multi files, so it made the virtual machine can be renewed fleetly. Virtual machine can save and revert system state with the function mentioned above. All configuration parameters of virtual machine can be backed up by function named with snapshot. Both virtual machine and host computer have characteristic of isolation and operations in virtual machine will have no influences with the hard disk partition and its data of physical host. Now VMware has been the most commonly used virtual machine software and it can provide three kinds of network accessing pattern for user, which has been named as bridged pattern, Network Address Translation (NAT) pattern and host pattern. The principle diagram of these patterns can be shown as Fig. 1 to Fig 3. It can help connecting the virtual machine to network according the actual network environment after the virtual machine was created. As it is shown in three figures, the dashed framework is built by VMware software. Bridged Pattern. In this pattern, virtual machine and physical host are all connected to one same virtual Ethernet switch named VMnet0. The switch is equal to concatenating to the physical network switch of upper layer. At this time, the virtual machine and the other computer in actual local area network are all at the same local network. It is shown in Figure 1. Figure 1. The principle diagram of bridge pattern Network Address Translation (NAT) Pattern. In this pattern, virtual machine is connected to virtual switch VMnet8 and VMware simulated DHCP server and NAT device all together. It can provide both DHCP service and NAT service, which help itself to acquire network configuration parameters automatically and connect to outside physical network. Two VMware network adapters (VMnet1 and VMnet8) will be created in physical host when the virtual machine software (VMware) is installed. It is shown in Figure

4 Figure 2. The principle diagram of NAT pattern Host Pattern. In this pattern, virtual machine is connected to virtual Ethernet switch VMnet1 and DHCP Server is provided by VMware. The virtual network adapter in physical host is connected to VMnet1 of virtual switch, and physical host can communicate with the other virtual machine connected to this virtual switch by this virtual network adapter. If it is disabled, physical host may not communicate with other virtual machines, but it has no effect on the communication among these virtual machines. It is shown in Figure Network attack-defense training Figure 3. The principle diagram of host pattern The network attack-defense simulation training has characteristic of complicated architecture, too many software tools involved, higher requirement of training fidelity and complicated harmonizing of relationship. Above-mentioned are the greatest difficulty of system realization and the key approach of solving them is confirming the training subject in reason. According to architecture and base process of network attack-defense, it can be described with different sub-technology which is shown in Figure

5 Network Attack-Defense Technology Network Attack Network Defense Scanning Net Topology Detection OS Fingerprint Recognizing Port Scanning Leak Scanning Sniffer ARP Deceiving Wiretap Recognizing Redirection Hack Password OS Password Application Password Document Password Secret Key Exploit OS Exploit Database Exploit Application Exploit Social Engineering Network Fishing Network Deceiving Network Pretending Trojan Horse Keyboard Record Remote Control Network Ferry Integrative Function Security Policy Encryption Data Encryption Identification Authentication Honey Pot Firewall Soft Firewall Hardware Firewall Virtual Private Network Network Proxy Server Intrusion Detection SQL Injection Backdoor Figure 4. The architecture of network attack-defense A whole network attack-defense flow includes information collection of target system, bug analyzing, attacking/defense, result studying and deploying solving project. So typical training subject and software tools are arranged in every necessary step, such as net topology detection for scanning with tools named Trace Router, ARP deceiving for sniffer with tools named Sniffer Pro, OS exploit for exploit attach with tools named Winnt Auto Attack, etc. Trained soldiers can grasp comprehensive and integrative network attack-defense theories and skills by training with the software tools mentioned above. Simulation of virtual computer network is crucial sup-port for attack-defense training and integrative drilling. The whole virtual simulation network environment is composed of gray net, yellow net, green net and black net. The topology of virtual simulation network is shown in Figure

6 Red Training Subnet Blue Training Subnet Gray Network Yellow Network Green Network Black Network Virtual Simulation Network Environment Figure 5. The topology of virtual simulation network (1) Gray net is an attack-net. Soldiers trained in this net owned the control right of all terminal. And each computer can simulate running many different operation systems synchronously by utilizing virtual machine technology. So the soldier can be trained to start attacking in various operation systems, gains the skill of network attack on different system platform and thinks about the corresponding defense measures. (2) Yellow net is a target-net to be attacked. It includes two components. One is network group composed of workstations and servers installed by all kinds of operation system, the other is network environment equipped with router, switch and firewall. As the attacking target of the gray net, its function is convenient for training the skill of deploying and setting up security project, evaluating the equipment s ability and bugs correctly. The control right of this net is not granted to the soldiers in gray net. So they must scan the yellow net at first in order to collect the bug information. (3) Green net is a net connecting with military education and training net. It provides real attackdefense drilling platform for training soldiers. The real experiences can be got with actual combat and carrying out grand drilling. (4) Black net is a study-net. It can be used for studying theory and tactics of computer network war. And the commander can be trained to ready for commanding the future net-war effectively. For the gray net, the yellow net and black net, they can be simulated by the virtual machine technology and its network simulation configuration can be shown as Figure 6. Figure 6. The network simulation configuration diagram 233

7 5. Conclusion and future works Prototype of system is development mainly with Visual C++, Oracle, prti and other attack-defense tools based on the plug-ins soft framework [9]. The simulation example of remote control is shown in Figure 7. Figure 7. The software interface of remote control training with Remote-Anything This system is realistic, controllable, repeatability and economical, which can act as a training tool. Trainer can learn about attack-defense skills with it. The user of the system can act as a commander of the net-war who conducts the soldiers to perform tactical attack-defense actions. The trainer can build a virtual simulation networks with several kinds of subnet. The networks can answer the changes of users operation. The system is running smoothly in real-time. The simulation examples prove that the development method is feasible and valid. As a future possibility, we are working on building broader, including more attack-defense tools, optimizing the simulation algorithm, and updating the system to DIS to support the training off-site [10]. 6. Acknowledgement Part of this work has been funded by the Research Project of Hubei Provincial Department of Education under Grant No. B , the Research Project of Hubei Provincial Department of Education under Grant No. B and the School of Computer Science and Technology Hubei University of Education under Grant No. 2008A007. We thank them for providing better experimentation environment and condition. 7. References [1] CHENG Yan-li, ZHANG You-chun, Attack and Protection of IP Communication Network Security, Information Security and Communication Secrecy, Vol.4, pp Apr [2] Wei Junhua, Analysis of the Offense-defense Method and Technology of the Computer Network Security, Technology Square, Vol. 1, pp Jan

8 [3] Wu xianhong, Design and Implementation of Simulation Environment of Network Attacking and Defense, Master thesis of Xidian University, Xian. Jan [4] GAN Gang, CHEN Yun, LI Fei, Design and Implementation of Network Confrontation Training Simulation System, Journal of University of Electronic Science and Techonolgy of China, Vol. 36, No. 3, pp Jun [5] GONG Tao, WAN Gang, Building Network Technology Experiment Platform Based on the Virtual Machine Technology, Computer Knowledge and Technology, Vol. 5, No. 6, pp Feb [6] WANG Tai-cheng, CAI Yong, Using Virtual Machine Technology to Perform Complex Network Experiment, Computer Technology and Development, Vol. 19, No. 4, pp Apr [7] Zhang Haitao, Zhang Junfeng, Using VMware to Simulate HA Environment and Application Prospects, Meteorological Science and Technology, Vol. 34, Nol Suppl, pp , Sep [8] LIU Wen-tao, Research of Network Security System Based on SOA, Journal of Gansu Lianhe university(natural Sciences), Vol. 24, No. 2, pp.74-77, Mar [9] Zhang Yu, Computer Network Attack Detection Based on Quantum Pso And Relevance Vector Machine, Advances in Information Sciences and Service Sciences (AISS), Vol. 4, No. 5, pp , Mar [10] Shangqin Zhong, Guosheng Xu, Yu Yang, Wenbin Yao, Yixian Yang, Algorithm of Generating Host-based Attack Graph for Overall Network, Advances in Information Sciences and Service Sciences (AISS), Vol. 3, No. 8, pp , Sep