Security Labs in OPNET IT Guru




Universitat Ramon Llull, Barcelona, 2004

Authors: Cesc Canet Juan Agustín Zaballos
Translation from Catalan: Cesc Canet

Overview

This project consists of practical networking scenarios to be carried out with OPNET IT Guru Academic Edition, with a particular interest in security issues. The first two parts are a short installation manual and an introduction to OPNET. After that come 10 Labs that put different networking technologies into practice. Every Lab consists of a theoretical introduction, a step-by-step construction of the scenario and, finally, Q&A on the issues raised.

Lab 1: ICMP Ping. We study Ping traces and link failures.
Lab 2: Subnetting and OSI Model. We study layers 1, 2 and 3 of the OSI model, and use the Packet Analyzer tool to observe TCP connections.
Lab 3: Firewalls. We begin with proxies and firewalls. We will deny multimedia traffic with a proxy, and study the link usage performance.
Lab 4: RIP. Explains the RIP routing protocol, and how to create timed link failures and recoveries.
Lab 5: OSPF. Compares OSPF with RIP. We study areas and Load Balancing.
Lab 6: VPN. Studies secure non-local connections. A Hacker will try to gain access to a server that we will try to protect using virtual private networks.
Lab 7: VLAN. Creates logical user groups with Virtual LANs. Studies One-Armed-Router interconnections.
Lab 8: Dual Homed Router/Host, Lab 9: Screened Host/Subnet. DMZ and Lab 10: Collapsed DMZ. These explain static routing tables, ACLs, proxies and internal vs. perimeter security.

Lab 10 is 100% practical: we want you to create it on your own, a piece of cake if you did the other Labs!

Lab 3: Firewalls

Firewalls are a network access control system that separates a network that we presume to be secure from a network that may be insecure. Although a firewall can control both incoming and outgoing traffic, its most common use is to control incoming traffic. Note that Firewalls do not provide any security from internal attacks.

Network Firewalls (packet filtering)

Routers can control the IP packets that cross them by accepting or denying traffic according to policies that apply to protocol headers (IP, ICMP, UDP, TCP, ...). We can analyze source/destination addresses and ports, protocol types, packet contents and size, etc. There are two general policies: a) accept all packets except for a finite set of cases, and b) deny all traffic except for a finite set of cases. Case b is more difficult to implement, but it is generally the more advisable. Each packet reaching the device is checked against the filtering rules; the lookup stops at the first match, and that rule decides whether the traffic is denied or accepted. A default policy is always set.

Proxies (Application Gateways)

They behave as application-level retransmission devices. Network users establish a communication with the proxy, thus dividing the source-destination connection into two independent connections (source-firewall and firewall-destination). The proxy server manages the requested connections. This technology performs more slowly than network firewalling because it works at the uppermost OSI layer. It is usual to use both kinds of firewall at the same time.

Cache Proxies are a popular way to increase performance by storing the data the gateway transmits in the firewall, so that it is not necessary to look up the same data on the Internet again the next time another computer requests it.
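The first-match lookup and default policy described under Network Firewalls above, as an added example that is not part of the original lab or of OPNET. It goes one step beyond the text by also flagging rules that can never fire because an earlier rule covers them; the names Rule, decide and shadowed, and all addresses and ports, are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network as net
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                     # "accept" or "deny"
    proto: Optional[str] = None     # None = any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: Optional[range] = None  # None = any destination port

    def matches(self, pkt):
        port = pkt.get("dport")
        return (self.proto in (None, pkt["proto"])
                and ip_address(pkt["src"]) in net(self.src)
                and ip_address(pkt["dst"]) in net(self.dst)
                # a rule that names ports cannot match a packet without one (ICMP)
                and (self.dports is None or (port is not None and port in self.dports)))

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        p, q = self.dports, other.dports
        ports_ok = p is None or (bool(q) and q[0] in p and q[-1] in p)
        return (self.proto in (None, other.proto) and ports_ok
                and net(other.src).subnet_of(net(self.src))
                and net(other.dst).subnet_of(net(self.dst)))

def decide(rules, default, pkt):
    """First match wins; the default policy applies when no rule matches."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return default, None

def shadowed(rules):
    """Indices of rules that can never fire: an earlier rule covers them."""
    return [j for j, r in enumerate(rules) if any(e.covers(r) for e in rules[:j])]

# Constructed addresses and ports for the lab's hosts (assumptions).
LANS, DB, WEB, MUSIC = "10.0.0.0/8", "192.0.2.10/32", "192.0.2.20/32", "198.51.100.5/32"
POLICY_A = ([Rule("deny", "udp", LANS, MUSIC)], "accept")         # a) accept all except
POLICY_B = ([Rule("accept", "tcp", LANS, DB, range(5432, 5433)),  # b) deny all except
             Rule("accept", "tcp", LANS, WEB, range(80, 81)),
             Rule("accept", "tcp", LANS, WEB, range(25, 26))], "deny")
MISORDERED = [Rule("accept", None, LANS), Rule("deny", "udp", LANS, MUSIC)]
SAMPLES = {  # constructed packets
    "db": {"proto": "tcp", "src": "10.1.0.7", "dst": "192.0.2.10", "dport": 5432},
    "music": {"proto": "udp", "src": "10.2.0.9", "dst": "198.51.100.5", "dport": 20000},
    "other": {"proto": "udp", "src": "10.1.0.7", "dst": "203.0.113.9", "dport": 9999}}

for name, pkt in SAMPLES.items():
    print(name, "a:", decide(*POLICY_A, pkt), "b:", decide(*POLICY_B, pkt))
print("shadowed rules in MISORDERED:", shadowed(MISORDERED))
```

The "other" packet is the case that separates the two policies: nobody wrote a rule for it, so policy a) lets it through and policy b) drops it.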

Lab Description

Lab3 Corporation has two departments, each one with its own network (LAN1 and LAN2), trying to access a database server where a database with customer information is stored, and an e-mail and HTTP server. At the same time, some company guys are downloading multimedia illegally, and so slowing down the Internet link. The company asks us to set up a Firewall that blocks multimedia traffic in order to bring the mean database access time down to a 1 sec threshold.

Creating the Scenario

1. Open OPNET IT Guru Academic Edition and create a new project (File > New Project) using these parameters (use default values for the remainder):

   Project Name: <your_name>_Firewall
   Scenario Name: NoFirewall
   Network Scale: Campus
   Size: 100x100 meters

   Press Next several times until the Startup Wizard finishes.

2. Network creation: We create the scenario of picture L3.1. The components used, and the palette of the Object Palette where each can be found, are summarized in table L3.2.

   Picture L3.1: The scenario

   Qty  Component                 Palette           Description
   1    ethernet16_switch         internet_toolbox  Switches
   2    10BaseT_LAN               internet_toolbox  LAN network models
   1    ethernet2_slip8_firewall  internet_toolbox  Routers
   1    ip32_cloud                internet_toolbox  Internet model
   2    ppp_server                internet_toolbox  EmailAndWebServer, DBServer
   1    ppp_wkstn                 internet_toolbox  MusicAndVideoServer
   1    Application Config        internet_toolbox
   1    Profile Config            internet_toolbox
   3    10BaseT                   internet_toolbox  Connects the Switch with the Firewall and the two LANs
   1    ppp_adv                   links_advanced    Connects the Firewall to the Internet
   3    T1                        links             Connects the 3 servers to the Internet

   Table L3.2: Components list

   Right-click on every node, click on Set Name and enter the same names as seen in the picture.

3. Setting up the Application Config control: Select the Application Config control, and go to Edit Attributes. All we need to modify are the Application Definitions. Delete all the applications that may be defined (tip: set rows: 0), and create 4 applications (set rows: 4 and edit the four applications as seen in picture L3.3). The first step is to change the Name: Email, HTTP, DB and MusicAndVideo. Change the application load afterwards:

   Picture L3.3: Application Config Attributes

   HTTP: Permits HTTP (Light Browsing).
   Email: Permits Email (Low Load).

   These two applications can be configured automatically by double-clicking on the corresponding fields. To configure MusicAndVideo and DB, double-click on the fields of picture L3.3 marked with the (...) symbol (DB > Database, MusicAndVideo > Voice), and then set the values as in pictures L3.4 and L3.5.

   Pictures L3.4 and L3.5: Configuring the application traffic

   Select the Profile Config control, right-click on it, choose Edit Attributes and create 4 profiles:

   - WebBrowser, to admit the HTTP application
   - EMailProfile, to admit the Email application
   - MusicAndVideoProfile, to admit the MusicAndVideo application
   - BDProfile, to admit the DB application

   Picture L3.6: Configuring Profile Config

   We have to follow the same steps as before: set 0 rows to erase any rows we may have, then set 4 rows to program the four applications, expand each row and set the values as seen in the pictures. The branches that are not expanded in the pictures use default values. Applications can be appended to profiles by adding new rows to the Applications field and setting the Name field on every row 0 of the Applications branch. We can also modify the Start Time of all Applications and Profiles (packet reception distribution), the Operation Mode, and the Repetition Pattern.

4. Setting up the Firewall: This first scenario permits the voice traffic. Picture L3.7 shows the main options to be configured in the router. The attributes to modify are the following:

   - Address and Subnet Mask: AutoAddressed on all rows of IP Routing Parameters > Interface Information and IP Routing Parameters > Loopback Interfaces.
   - We need to set up the routing protocol OSPF: OSPF Parameters > Interface Information > row 0 and row 1 (the unique router interfaces) > Type: Broadcast. Set Point to Point on the remainder (rows 2-9).
   - Proxy Server Information > row 6 (corresponds to Application Remote Login, necessary for Database access) > Proxy Server Deployed: Yes. This ensures that database traffic has the right to pass.

   Picture L3.7: Configuring the Firewall

5. Setting up MusicAndVideoServer: Right-click on the MusicAndVideoServer and click on Edit Attributes. We have to modify Application: Supported Services, setting the parameters as seen in the picture below (we need to set rows: 1 to accept MusicAndVideo). Leave the remaining options at their default values.

   Picture L3.8: MusicAndVideoServer Supported Services

6. Setting up the DBServer and WebAndEmailServer: The Supported Services of these servers have to be set as seen below:

   Server             Supported Services
   DBServer           DB
   WebAndEmailServer  HTTP, Email

   L3.9: Supported Services

7. Configuring LANs: Select LAN 1 by clicking on it, then right-click > Edit Attributes. Use the values from picture L3.10 (branches that are not expanded use default parameters). This configuration will use 250 workstations for each and every LAN (Number of Workstations): 5 of them will be doing web browsing, 5 will be using email, 50 attempting to connect to the database and 9 using MusicAndVideoServers illegally (Application: Supported Profiles). When finished, click on OK.

   Picture L3.10: Assigning profiles to workstations at LAN 1

   LAN 2 will be configured with the same values. Use Copy & Paste to duplicate the LAN and change the name afterwards.

8. Internet-Firewall link configuration: Right-click on the link and choose Edit Attributes. Set Data Rate: T1.

9. Configuring the simulation statistics: The performance and throughput statistics can give interesting information, as can the DB Query delay. Right-click on the Internet-Firewall link > Choose Individual Statistics and mark the checkboxes as in picture L3.11. Click OK.

   Picture L3.11: Internet-Firewall link statistics

   To choose the DB Query simulation statistics, right-click anywhere in the grid except on a node, select Choose Individual Statistics and check the fields as in picture L3.12. Click OK.

   Picture L3.12: Global statistics

   To check all the child statistics of a parent node, click on the parent node; all its child nodes will then be check-marked.

10. Configuring the simulation: From the Project Editor, click on configure/run simulation and set Duration: 1 hour(s). Don't start the simulation yet.

Creating the second scenario

The second scenario is a duplicate of the first, but with some router rules blocking particular packets to and from music and data services. Later on we will see how this decreases the Internet link throughput and the database access time, the latter well below the 1 second limit.

From the Project Editor, choose Scenarios > Duplicate Scenario... Rename the new scenario WithFirewall, then right-click on Firewall and choose Edit Attributes. Leave all the values as they are, except Proxy Server Information > row 8 (Application Voice data), where we set Proxy Server Deployed: No.

Results Analysis

Run the simulations of all the scenarios, and take a look at the graphs:

1. In the Project Editor, choose Scenarios > Manage Scenarios... and configure the simulation parameters as seen in the picture, setting <collect> on the Results row of both scenarios (use <recollect> if this is not the first time you run the simulation). Click OK.

   Picture L3.13: Manage Scenarios

2. Compare the DB Query Response Time by right-clicking on the grid in any scenario and choosing Compare Results. Now we can browse all the general statistics we selected before in the tree on the left side. Check that the Overlaid Statistics, All Scenarios and average options are selected.

   Picture L3.14: Compare Results

Questions

Q1 Compare the DB Query Response time (sec). Can you see a significant improvement when the firewall is implemented at the proxy? Do we respect the 1 sec threshold?

Q2 Compare the point-to-point throughput (packets/sec) in any direction of the Firewall-Internet link. How is the effective bandwidth of the legal applications affected by the proxy?

Q3 Compare the utilization of the same link. What changes do you notice?

Answers

Q1 The DB Query Response time was at a dizzying high of 2.5 seconds, and it decreased to 0.5 seconds, significantly below the 1 second threshold, when the proxy is on, because of a net gain in effective bandwidth.

   Picture L3.15: Average DB Query Response Time

Q2 The number of packets per second was remarkably large when the multimedia traffic was permitted (around 4,500), and it decreases to a residual value when the traffic is banned. The bandwidth was absolutely saturated.

   Picture L3.16: Average point-to-point throughput of the link

Q3 The main part of the network traffic was voice traffic, but what we didn't know is that this was saturating the Internet link capacity. When the proxy is on, the utilization reaches almost 0%.

   Picture L3.17: Average utilization of the link