NETWORK SECURITY WITH OPENSOURCE FIREWALL

Transcription

1 NETWORK SECURITY WITH OPENSOURCE FIREWALL Vivek Kathayat,Dr Laxmi Ahuja AIIT Amity University,Noida ATTACKER SYSTEM: Backtrack 5r3( ) HOST: Backtrack 4r2 ( ) FIREWALL: Pfsense Firewall ( , ) ABSTRACT-Information technology changes constantly and it is very important to protect our systems and network infrastructure from compromising. So the main purpose of this educational research is to test the weaknesses of the secure and unsecured environments.the methods used to test our environments is white box testing with the help of backtrack tools. And with the help of sense firewall we analyse the logs to make our network infrastructure more secure. Fig 2 : SCENARIO 2 IMAGE RESEARCH METHODS The method used in this research is Whitebox Testing. Whitebox testing is the part of the penetration testing INTRODUCTION Aim: The aim of this research is to analyse the system logs that are generated in the virtual environment 2 (Which is secure with pfsense firewall). 1. INTRODUCTION OF OUR LAB SCENARIOS SCENARIO 1 LEVEL OF SECURITY: Low ATTACKER SYSTEM: Backtrack 5r3 ( ) HOST 1: Windows XP ( ) HOST 2: Backtrack 4r2 ( ) The Fig 1 : SCENARIO 1 IMAGE SCENARIO 2 LEVEL OF SECURITY: High Penetration Testing [ 1 ][ 4 ] Penetration Testing is a process that is used to conduct audit of the network or particular system. It can be of different type - 2. Black-box Testing 3. White-box Testing Black-box Testing : In this testing a security expert is not aware of the network of a company or the technologies that are used in target company or organization. White-box Testing : In this testing,security expert is aware of the network and the technologies that are used in the target company or organization.. Backtrack : To perform testing we use backtrack [2][3]. THE TOOL & SCRIPT USED IN THIS TESTING ARE 1. Nmap (Network Mapper) Description It is a network mapper which is used to scan a remote machine through various nmap scanning techniques like TCP connect scan(tcp), Stealth scan (SYN), UDP Scan,Acknowledgement Scan (ACK), Operating System Scan (-O). 2. traceroute Description traceroute is used to find the firewall on the VLAN's. Here we can analyse the output of the command in backtrack 5 and also analyse the pfsense firewall log. 3. tcptraceroute Description While using traceroute we are unable to see behind the firewall, but now we use tcptraceroute to see behind the firewall. 4. Nmap Firewalk Script

2 Description It is the special feature in the nmap that is used to find the open ports behind the pfsense firewall. International Research Journal of Computers and Electronics Engineering (URJCEE) 5. XPROBE2 Description : It is the Operating System fingerprinting Tool. From this tool we can detect which OS target host is running. Tool is just a information gathering tool. While scanning we also analyse the pfsense firewall logs and see which packets are send to the target to do a OS fingerprinting. 6. ARMITAGE Description: This tool is used to do a target exploitation,this tool is developed by the rapd7. Through this tool we exploit the target according its weak hole or vulnerability in the target machine and also check the what happen and importance of the firewall. FINDING AND ANALYSIS After setting labs we, we start our experiment, Our first step of the experiment is Information Gathering. In this Information Gathering tool we use nmap to scan both the scenarios. Fig.2.2 STEALTH SCAN (SYN SCAN) It also known as half open scan because it never forms a complete connection between the target and the scanner machine. Now let see the outcome of the stealth scan without a firewall (scenario1) and with a pfsense firewall (scenario 2). WITHOUT FIREWALL Command : nmap -ss The below image shows the output of the Stealth scan. INFORMATION GATHERING We perform a scan through nmap(2),with this scan we get the information about the host system, what ports are opened etc. When we done same scanning on the scenario # 2, it shows all that port 21[ ftp ], 80[http],443 [ https ] are closed and rest of the ports are filtered. BENEFIT OF FIREWALL: You can see that, the firewall filtered all the ports and state as a close port. Fig3.1 Fig3.2 PFSENSE FIREWALL LOG FOR STEALTH SCAN Fig 2.1 PFSENSE FIREWALL LOG FOR TCP CONNECT SCAN Now lets analyse the pfsense firewall log, here you can see that the attack is start from the Source address ( ) to Destination ( ) and also see the ports used in this scanning. The Protocol used in TCP connect scan is: TCP:S In the log we can analyse the what type of protocol used, scanning done from Source to destination and type of interface and what time this scan is performed.

3 It shows weather the target ports are filtered or unfiltered.it sends TCP ACK frames to remote port and if there is no response, then it is considered to be filtered. And if the response come in RST (RESET) then it means it is unfiltered. WITHOUT FIREWALL Without a firewall, it normally shows all the 1000 ports are unfiltered. Fig UDP SCANNING UDP scanning is used to check the remote target is open closed or open/filtered. In this scanning we used the UDP packets, we send the UDP packets to the target host and according to the reply it can give the result. For example : when we send the udp packets to the target machine a ICMP : Unreachable reply will come, it means that the ports are closed. If UDP packet reached to the target machine and no reply will come back it means, port is open but filtered. And if the proper reply is come back then it means the port is closed. Now in the firewall environment, when we done a UDP scan the output will look as shown below Fig.5.1 When we done a acknowledgement scan in scenario 2, it display that host is block the ping probes. Basically this is done by the pfsense firewall that blocks the ping probes, that's why this type of response will come. Fig.5.2 PFSENSE FIREWALL LOG FOR ACKNOWLEDGEMENT SCAN Now when we analyse the firewall logs we can see that the acknowledgement scan is detected with the source and destination ipv4 addresses. Fig.4.1 Shows that all the 1000 scanned ports on are open/filtered. PFSENSE FIREWALL LOG FOR UDP SCAN Below the log is captured while we scan the host which is behind the firewall. In this log you can see that in the proto section it display the UDP ports, It means the attacker used the UDP scan technique. One more thing to analyse is the ports are constantly changing. Fig.5.3 WITH -PN PARAMETERS Now if we use a -Pn parameter with the our command, it displayed that All 1000 scanned ports on are filtered. This type of scanning helps the attacker to know which ports are filtered and unfiltered on the network. Fig ACKNOWLEDGEMENT SCAN Fig 5.4 FIREWALL LOG : In this firewall log you will see the Acknowledgement packets are detected and it very easy for the administrator to understand

4 that the attacker is trying to get information about the filtered and unfiltered ports in the network. In this tcptraceroute example, without a lost transmission, our packets successfully reached the target and gives all the route information. Fig TRACEROUTE It is a route analysis tool. which is used to trace the route of the target host. Below you can see that in the scenario 2 when we perform a traceroute command on target ip address,it shows packets are lost during transmission ( reasoned could be the firewall filtering ). Fig 7.1 FIREWALL LOG FOR TCPTRACEROUTE Fig NMAP FIREWALK SCRIPT nmap firewalker script is the easiest method to test all the open,closed and filtered ports on the firewall and also if you use a traceroute option then it show the route using port 80/tcp. See the below image for the output - Fig.6.1 LOG FOR TRACEROUTE Through the log analysis, we can see that the UDP protocol are used.it means the the traceroute is used UDP packets. Fig.8.1 FIREWALL LOG FOR NMAP SCRIPT In the firewall log, it detects the TCP: Syn scanning method. See the log for more details - Fig TCPTRACEROUTE (ROUTE ANALYSIS) This is also used to detect the route of the target host, it uses TCP SYN to send out the packets. The biggest advantage of using this tool is if there is a firewall in between the network, the packet is able to reach the target. Fig XPROBE2 It is used to detect the Operating System running on the target machine on the basis of the signatures based guessing of the OS.

5 Below it shows the example images of performing this tool on both the scenarios. Scenario 1 WITHOUT FIREWALL Here you can see that it detect the running OS as Linux kernel 2.4 which has a surety of 100% that it is a Linux Kernel. International Research Journal of Computers and Electronics Engineering (URJCEE) Fig.10.1 SCENARIO 2 When we trying to attack the target machine we are unable to attack that machine. We try various techniques through Armitage but all are unsuccessful because of filter device or firewall. Fig.9.1 LOG GENERATED AFTER BY PFSENSE FIREWALL Here you can see that the UDP protocol are used by this tool., to confirm that check the firewall log. Below the firewall shows the protocol used is UDP. Fig.9.2 Fig TARGET EXPLOITATION In this step of target exploitation we use armitage, its a GUI based tool that is used to find the vulnerability in the target machine and exploit that target machine. SCENARIO 1 : Using Armitage, we exploit the windows netapi_67 vulnerability. Target is easily vulnerable because there is no firewall or any other mechanism which protect the systems. Below image shows the successful exploitation on the windows machine through Backtrack 5r2 (attacker machine). RESULT Result shows the windows command shell on the linux machine. CONCLUSION After the white box testing, from the pfsense firewall logs we can understand that attacking pattern of a hacker or intruder. Also we can understand the behaviour of attack. How, by analysing those protocols, flags, ack, fin, ports and the ports number. Even administrator, security expert can study these attacking pattern from the logs and he can secure its own network infrastructure or after studying this type of virtual environments, he can redefine his secure physical infrastucture. In short this whole research helps us to improve our network security with the help of open source firewall. FUTURE RESEARCH

6 1. This research helps in the logical and practical implementation of the firewall security to make network environments more secure. 2. This research helps administrator to understand the attack. 3. He can analyse and trace attacker with the help of firewall logs. 4. It helps to make your system more secure and network infrastructure more secure. 5. It helps students to understand how things are actually going behind the scenes. 6. We can test different types of attacks on virtual environment. 7. The logs analysis helps network administrator to understand what happen when an attack is done. Like Ddos attack, Decoy attack etc. Without breaking any cyber law. 8. Also we can analyse the log and see which Tcp ports are used during the attacks so that in future we can close that ports. REFERENCES [1] Lee Allen, Advanced Penetration Testing for Highly Secured Environments: The Ultimate Security Guide,Packt Publishing, [2] [3] [4]Shakeel Ali,Tedi Hariyanto, Backtrack 4 : Assuring Security by Penetration Testing, Packt Publishing