Design and Configuration of a Network Security and Forensics Lab

Transcription

1 Design and Configuration of a Network Security and Forensics Lab Billy Harris Billy-Harris@utc.edu Joseph Kizza Joseph-Kizza@utc.edu Mike Ward Mike-Ward@utc.edu ABSTRACT This paper describes the design and implementation of the security and forensic lab at UTC. The lab supports teaching and research in computer networks, network security, and information forensics. The lab uses a faculty-administered server to record Internet attacks as they occur, five student-administered network servers, and 20 client machines. Keywords Network forensics, graduate education 1. INTRODUCTION The at the University of Tennessee at Chattanooga has been offering a course in network security. The department is also adding a computer forensics course to its catalog and received funds to set up a security and forensics lab. While the lab as been tested and is running smoothly, it presents a security challenge of its own to the department. The lab must allow students to use a variety of methods to prevent, detect, and trace network attacks yet prevent the attacks from actually compromising any of the machines. Additionally, the lab was designed to expose students to a wide variety of operating systems. With these design goals, the resulting lab has 4 Macintosh machines, 6 Windows machines, 8 Linux machines, and 5 FreeBSD machines. It also has a Wireless Access Point, and 2 Windows laptop computers. To accurately detect and record attempted attacks, the lab lives outside of the campus firewall. This means that in addition to protecting the lab machines, student actions must be closely logged to prevent hostile actions originating from the lab. These goals, along with our desire to have as many network servers as possible to support hands-on training in network administration lead to the tree topology shown in Figure 1. Specifically, our lab provides for five machines to act as servers; each with assigned address space (we use various subnets in the range x.x), and the faculty server which correctly routes among the various subnets. This structure allows up to 5 machines to run network services such as DNS or DHCP. For example, Server1 can run its own Network Address Translation (NAT) system using the /16 subnet rather than use the assigned /8 subnet. Note that currently server5 does not have any client machines and thus is not using its assigned subnet.

2 2. MASTER SERVER The master server, or faculty server, acts as the firewall and main intranet router. It provides detailed logs of both intrusion attempts (hacks) and student/lab activity. It also acts as the main intra-lab router and serves as the DNS server (it can be configured to forward internal requests to the various student servers for named subdomains). Currently, the lab is configured into distinct subnets, allowing for student-administered networks. The master server (administered by computer science faculty) provides DHCP service for the 5 student servers as well as the printer, the wireless access point, and the wireless clients. It is also configured to use IP masquerading (NAT) to further protect the lab from attacks. Students do not have accounts on this machine. If a slightly different configuration is used, the master server would not delegate anything to the student servers, and the lab would then function as a generalpurpose lab with a slightly odd network topology. A PowerEdge 2600 machine was selected to act as the lab s main server. Currently, the machine runs the Debian version of Linux, using a customized version of the Linux kernel version Out to Internet T1 Line & router Printer x Server0 (faculty administered) Firewall, DNS, DHCP, NAT, logs, router Server1 (shown running its own DNS and NAT) net x Server x net3 Server3 WAP net4 Server4 Server5 Clients 5 to 8 Clients 13 to 16 Clients 9 to 12 net2 Wireless clients Clients 1 to 4 Figure 1: Network Topology for Network Forensics Lab

3 3. STUDENT SERVERS Server1 currently runs Microsoft Windows XP. The remaining student servers run the Debian distribution of Linux using kernel version Each server has an assigned subnet range and provides DHCP service to machines in the subnet. Server5 currently has no clients, but it can be used as a web server and/or a secondary DNS server. The Wireless Access Point (WAP) allows for the designated wireless clients to use the network. They use the DHCP service provided by the faculty server (server0). To satisfy UTC s security concerns and avoid interfering with the campus wireless network, the WAP has several security-related configuration options including: Using minimum possible power Communicating only with clients possessing the proper SSID. Routing only packets from designated MAC addresses; specifically it will only respond to wireless clients assigned to this lab. The faculty closely supervise any student access to the WAP configuration options. 4. CLIENT COMPUTERS The lab includes four Windows client computers, one for each subnet. These run Windows XP. The lab also includes two notebook computers running Windows XP; these act as wireless clients. There are also four Linux client computers, one for each subnet. These run the Debian distribution of Linux, under kernel There are 5 Unix client computers; two for the net2 subnet and one for each of the other subnets. These clients run FreeBSD version The clients have less software installed on them than do the Linux or Windows computers; they are running a text-mode interface. Finally, the lab includes 3 Macintosh clients running MacOS 10.3, and will soon have an IMac which will act as a wireless client. All clients have been kept up-to-date with the latest patches needed for the corresponding operating system. 5. PASSWORD POLICY The lab poses interesting problems in forming a password policy. In order for students to administer the network services discussed, they must have administrator (root) access to the server they are using. But this introduces the possibility of plagiarizing or sabotaging other student projects. Worse, a malicious student could pose as an innocent party while wreaking havoc. And there are not enough subnets to assign one per student.

4 We decided to give all clients a common root password, which is also used for the printer configuration menu. Each server (and also the WAP) has a unique password, which allows each group to work on their subnet free of interference from others. And, as mentioned, the faculty server will have a separate root password not shared with any student. 6. INSTITUTIONAL INVOLVEMENT The Networking department of the University of Tennessee at Chattanooga (UTC) has been working with the Computer Science department in the design and implementation of the network security laboratory. As would be expected, there were a number of concerns with having a lab dedicated to information forensics and penetration testing available to students on campus. The major concern of the Networking department was to protect UTC s network. A decision was made to separate the networking security laboratory from the rest of the campus network, placing it beyond UTC s firewall and other protective measures. This effectively made UTC an Internet Service Provider (ISP) for the networking security laboratory. The Networking staff was able to provide a router and a range of real class C Internet numbers for use in the lab. Once the router was properly configured and the Internet numbers assigned, the networking security laboratory was no different than any other potentially hostile component of the Internet. Though the networking security laboratory is acting as a separate entity from UTC s network, the potential effects to other hosts on the Internet from actions performed within the laboratory can still be traced back to UTC. The responsibility of monitoring and preventing hostile actions towards other Internet hosts falls upon the students, Computer Science faculty, and Networking staff. Part of the curriculum for any class that uses the networking security laboratory will be student instruction in proper computer security ethics and the potential penalties from abusing the resources of the laboratory. One of the most important duties of the master server (described below) is to monitor network traffic flow into and out of the lab via a packet sniffer. The server maintains a log for each network transaction including a time stamp along with the source and destination hosts involved in the transaction. This system log is parsed daily using automated scripts and a summary is mailed to faculty overseers. The log is also archived at the end of each semester onto a CDROM. The logs will also include attacks directed from other hosts on the Internet into the lab. This provides an authentic data source and compelling examples to use in the network forensics class. As with any other host or subnet at UTC, the Networking staff is authorized to disconnect any host or subnet found to be abusing its network privileges. 7. CONCLUSIONS We have designed and configured a computer lab suitable for use in a networking or network forensics class. The lab has a faculty-administered machine to log network attacks (including possible

5 outgoing attacks), five student-run network servers with assigned subnets to use, a wireless access point, and numerous client computers running a variety of operating systems. The lab allows for students to gain hands-on experience configuring DNS, DHCP, and other network servers; it also captures attack packets for analysis by various forensic tools. Various configurations of the master server will selectively act as a full NAT or just a firewall; allow for studentrun subdomains or act like a general-purpose lab; log genuine attack packets as they come in while shielding possibly insecure machines from the actual attack. It will also log network activity to provide accountability for any mischievous students. 8. REFERENCES [1] Craig Hunt. TCP/IP Network Administration, 3 rd Edition. O'Reilly & Associates, Inc [2] William Cheswick, et al. Firewalls and Internet Security: Repelling the Wily Hacker, 2 nd Edition. Addison-Wesley [3] The Networking CD Bookshelf, version 2.0. O'Reilly & Associates