NETWORK SECURITY WITH OPENSOURCE FIREWALL




Vivek Kathayat, Dr Laxmi Ahuja
AIIT, Amity University, Noida
vivekkathayat@gmail.com, lahuja@amity.edu
International Research Journal of Computers and Electronics Engineering (URJCEE)

ABSTRACT

Information technology changes constantly, and it is very important to protect our systems and network infrastructure from compromise. The main purpose of this educational research is to test the weaknesses of secure and unsecured environments. The method used to test our environments is white-box testing with the help of Backtrack tools. With the help of the pfSense firewall we analyse the logs to make our network infrastructure more secure.

INTRODUCTION

Aim: The aim of this research is to analyse the system logs that are generated in virtual environment 2 (which is secured with the pfSense firewall).

1. INTRODUCTION OF OUR LAB SCENARIOS

SCENARIO 1
LEVEL OF SECURITY: Low
ATTACKER SYSTEM: Backtrack 5r3 (192.168.189.129)
HOST 1: Windows XP (192.168.189.128)
HOST 2: Backtrack 4r2 (192.168.189.130)

Fig 1 : SCENARIO 1 IMAGE

SCENARIO 2
LEVEL OF SECURITY: High
ATTACKER SYSTEM: Backtrack 5r3 (192.168.75.10)
HOST: Backtrack 4r2 (192.168.101.100)
FIREWALL: pfSense Firewall (192.168.75.1, 192.168.101.1)

Fig 2 : SCENARIO 2 IMAGE

RESEARCH METHODS

The method used in this research is white-box testing. White-box testing is a part of penetration testing.

PENETRATION TESTING [1][4]

Penetration testing is a process used to conduct an audit of a network or a particular system. It can be of different types: black-box testing and white-box testing.

Black-box Testing: In this testing the security expert is not aware of the network of the company or of the technologies that are used in the target company or organization.

White-box Testing: In this testing the security expert is aware of the network and the technologies that are used in the target company or organization.

Backtrack: To perform the testing we use Backtrack [2][3].

THE TOOLS AND SCRIPTS USED IN THIS TESTING ARE

1. Nmap (Network Mapper)
Description: It is a network mapper which is used to scan a remote machine through various nmap scanning techniques such as TCP connect scan (TCP), stealth scan (SYN), UDP scan, acknowledgement scan (ACK) and operating system scan (-O).

2. traceroute
Description: traceroute is used to find the firewall on the VLANs. Here we can analyse the output of the command in Backtrack 5 and also analyse the pfSense firewall log.

3. tcptraceroute
Description: While using traceroute we are unable to see behind the firewall, so we now use tcptraceroute to see behind the firewall.

4. Nmap Firewalk Script
Description: It is a special feature of nmap that is used to find the open ports behind the pfSense firewall.

5. XPROBE2
Description: It is an operating system fingerprinting tool. With this tool we can detect which OS the target host is running. The tool is just an information gathering tool. While scanning we also analyse the pfSense firewall logs and see which packets are sent to the target to do the OS fingerprinting.

6. ARMITAGE
Description: This tool is used for target exploitation; it is developed by Rapid7. Through this tool we exploit the target according to the weak hole or vulnerability in the target machine, and also check what happens and the importance of the firewall.

FINDING AND ANALYSIS

After setting up the labs, we start our experiment. The first step of the experiment is Information Gathering. In this Information Gathering step we use nmap to scan both scenarios.

INFORMATION GATHERING

We perform a scan through nmap (2). With this scan we get information about the host system, which ports are open, etc. When we ran the same scan on scenario 2, it showed that ports 21 [ftp], 80 [http] and 443 [https] are closed and the rest of the ports are filtered.

BENEFIT OF FIREWALL: You can see that the firewall filtered all the ports and states them as closed ports.

Fig.2.2

STEALTH SCAN (SYN SCAN)

It is also known as a half-open scan because it never forms a complete connection between the target and the scanner machine. Now let us see the outcome of the stealth scan without a firewall (scenario 1) and with a pfSense firewall (scenario 2).

WITHOUT FIREWALL
Command: nmap -sS 192.168.189.130
The image below shows the output of the stealth scan.
Fig3.1
Fig3.2

PFSENSE FIREWALL LOG FOR STEALTH SCAN

Fig 2.1

PFSENSE FIREWALL LOG FOR TCP CONNECT SCAN

Now let's analyse the pfSense firewall log. Here you can see that the attack starts from the source address (192.168.75.10) to the destination (192.168.101.100), and you can also see the ports used in this scan. The protocol used in the TCP connect scan is TCP:S. In the log we can analyse what type of protocol is used, that the scan is done from source to destination, the type of interface, and at what time the scan is performed.
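The fields read from the log here (time, interface, source, destination, and protocol with flags such as TCP:S) are enough to label scan traffic automatically. The following is an added example, not code from the paper or from pfSense: it flags any source that touches several ports on one target, covering the SYN, ACK and UDP patterns the paper analyses. The record layout, the interface name WAN, the host 192.168.75.20 and the threshold MIN_PORTS are assumptions; raw pfSense log lines use a different format.

```python
from collections import defaultdict

# Constructed sample records, not raw pfSense output. Columns follow what the
# paper reads from the log: time, interface, source, destination, proto[:flags].
SAMPLE_LOG = """\
Mar 10 10:01:01 WAN 192.168.75.10:43211 192.168.101.100:21 TCP:S
Mar 10 10:01:01 WAN 192.168.75.10:43211 192.168.101.100:80 TCP:S
Mar 10 10:01:02 WAN 192.168.75.10:43211 192.168.101.100:443 TCP:S
Mar 10 10:03:40 WAN 192.168.75.20:50112 192.168.101.100:80 TCP:S
Mar 10 10:05:10 WAN 192.168.75.10:51000 192.168.101.100:22 TCP:A
Mar 10 10:05:10 WAN 192.168.75.10:51000 192.168.101.100:25 TCP:A
Mar 10 10:05:11 WAN 192.168.75.10:51000 192.168.101.100:110 TCP:A
Mar 10 10:09:30 WAN 192.168.75.10:40001 192.168.101.100:53 UDP
Mar 10 10:09:30 WAN 192.168.75.10:40002 192.168.101.100:161 UDP
Mar 10 10:09:31 WAN 192.168.75.10:40003 192.168.101.100:500 UDP
"""

# At the firewall a blocked connect scan and a stealth scan both appear as SYNs.
LABELS = {"TCP:S": "TCP SYN scan (connect or stealth)",
          "TCP:A": "TCP ACK scan", "UDP": "UDP scan"}
MIN_PORTS = 3  # assumed threshold: distinct destination ports before flagging


def parse_line(line):
    """Return (time, iface, src_ip, dst_ip, dst_port, proto), or None if malformed."""
    fields = line.split()
    if len(fields) < 5:
        return None
    *when, iface, src, dst, proto = fields
    src_ip = src.rpartition(":")[0]
    dst_ip, _, dst_port = dst.rpartition(":")
    if not src_ip or not dst_ip or not dst_port.isdigit():
        return None
    return " ".join(when), iface, src_ip, dst_ip, int(dst_port), proto


def detect_scans(log_text, min_ports=MIN_PORTS):
    """Group records by (source, target, protocol/flags) and report every
    source that touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[5] not in LABELS:
            continue
        _when, _iface, src, dst, port, proto = rec
        ports[(src, dst, LABELS[proto])].add(port)
    return [{"source": s, "target": d, "type": kind, "ports": sorted(p)}
            for (s, d, kind), p in ports.items() if len(p) >= min_ports]


if __name__ == "__main__":
    for finding in detect_scans(SAMPLE_LOG):
        print(finding)
```

The single connection from 192.168.75.20 to port 80 stays below the threshold and is not reported, which is the distinction between ordinary traffic and a port sweep.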

Fig 3.3

4. UDP SCANNING

UDP scanning is used to check whether the remote target is open, closed or open/filtered. In this scan we send UDP packets to the target host, and the result depends on the reply. For example: when we send UDP packets to the target machine and an ICMP Unreachable reply comes back, it means that the ports are closed. If the UDP packet reaches the target machine and no reply comes back, it means the port is open but filtered. And if a proper reply comes back, then it means the port is closed.

Now in the firewall environment, when we perform a UDP scan the output looks as shown below.

Fig.4.1 shows that all the 1000 scanned ports on 192.168.101.100 are open/filtered.

PFSENSE FIREWALL LOG FOR UDP SCAN

Below is the log captured while we scan the host which is behind the firewall. In this log you can see that the proto section displays the UDP ports, which means the attacker used the UDP scan technique. One more thing to analyse is that the ports are constantly changing.

Fig.4.2

4. ACKNOWLEDGEMENT SCAN

It shows whether the target ports are filtered or unfiltered. It sends TCP ACK frames to the remote port, and if there is no response, then the port is considered to be filtered. If the response comes back as RST (RESET), then it means the port is unfiltered.

WITHOUT FIREWALL
Without a firewall, it normally shows that all the 1000 ports are unfiltered.

Fig.5.1

When we perform an acknowledgement scan in scenario 2, it displays that the host is blocking the ping probes. This is done by the pfSense firewall, which blocks the ping probes; that is why this type of response comes back.

Fig.5.2

PFSENSE FIREWALL LOG FOR ACKNOWLEDGEMENT SCAN

Now when we analyse the firewall logs we can see that the acknowledgement scan is detected, with the source and destination IPv4 addresses.

Fig.5.3

WITH -PN PARAMETERS
Now if we use the -Pn parameter with our command, it displays that all 1000 scanned ports on 192.168.189.130 are filtered. This type of scanning helps the attacker to know which ports are filtered and unfiltered on the network.

Fig 5.4

FIREWALL LOG: In this firewall log you will see that the acknowledgement packets are detected, and it is very easy for the administrator to understand that the attacker is trying to get information about the filtered and unfiltered ports in the network.

Fig.5.4

6. TRACEROUTE

It is a route analysis tool, which is used to trace the route to the target host. Below you can see that in scenario 2, when we run the traceroute command against the target IP address, it shows that packets are lost during transmission (the reason could be the firewall filtering).

Fig.6.1

LOG FOR TRACEROUTE

Through the log analysis, we can see that the UDP protocol is used. It means that traceroute uses UDP packets.

Fig.6.2

7. TCPTRACEROUTE (ROUTE ANALYSIS)

This is also used to detect the route to the target host; it uses TCP SYN to send out the packets. The biggest advantage of using this tool is that if there is a firewall in between the network, the packet is able to reach the target. In this tcptraceroute example, without a lost transmission, our packets successfully reached the target and give all the route information.

Fig 7.1

FIREWALL LOG FOR TCPTRACEROUTE

Fig.7.2

8. NMAP FIREWALK SCRIPT

The nmap firewalk script is the easiest method to test all the open, closed and filtered ports on the firewall, and if you use the traceroute option then it shows the route using port 80/tcp. See the image below for the output.

Fig.8.1

FIREWALL LOG FOR NMAP SCRIPT

In the firewall log, it detects the TCP SYN scanning method. See the log for more details.

Fig.8.2

9. XPROBE2

It is used to detect the operating system running on the target machine on the basis of signature-based guessing of the OS.

Below are example images of running this tool on both scenarios.

SCENARIO 1 (WITHOUT FIREWALL)
Here you can see that it detects the running OS as Linux kernel 2.4, with a surety of 100% that it is a Linux kernel.

Fig.9.1

LOG GENERATED BY PFSENSE FIREWALL

Here you can see that the UDP protocol is used by this tool; to confirm that, check the firewall log. Below, the firewall shows that the protocol used is UDP.

Fig.9.2

10. TARGET EXPLOITATION

In this step of target exploitation we use Armitage. It is a GUI-based tool that is used to find the vulnerability in the target machine and exploit that target machine.

SCENARIO 1: Using Armitage, we exploit the windows netapi_67 vulnerability. The target is easily vulnerable because there is no firewall or any other mechanism which protects the systems. The image below shows the successful exploitation of the Windows machine through Backtrack 5r2 (attacker machine).

Fig.10.1

RESULT
The result shows the Windows command shell on the Linux machine.

SCENARIO 2: When we try to attack the target machine, we are unable to attack that machine. We try various techniques through Armitage, but all are unsuccessful because of the filter device or firewall.

Fig 10.2

CONCLUSION

After the white-box testing, from the pfSense firewall logs we can understand the attacking pattern of a hacker or intruder. We can also understand the behaviour of the attack by analysing the protocols, flags, ACK, FIN, ports and port numbers. An administrator or security expert can study these attacking patterns from the logs and secure his own network infrastructure, or, after studying this type of virtual environment, he can redefine his secure physical infrastructure. In short, this whole research helps us to improve our network security with the help of an open source firewall.

FUTURE RESEARCH

1. This research helps in the logical and practical implementation of firewall security to make network environments more secure.
2. This research helps the administrator to understand the attack.
3. He can analyse and trace the attacker with the help of firewall logs.
4. It helps to make your system and network infrastructure more secure.
5. It helps students to understand how things actually work behind the scenes.
6. We can test different types of attacks in a virtual environment.
7. The log analysis helps the network administrator to understand what happens when an attack is done, such as a DDoS attack, decoy attack, etc., without breaking any cyber law.
8. We can also analyse the log and see which TCP ports are used during the attacks, so that in future we can close those ports.

REFERENCES

[1] Lee Allen, Advanced Penetration Testing for Highly Secured Environments: The Ultimate Security Guide, Packt Publishing, www.packetpub.com
[2] www.wikipedia.org
[3] www.google.com
[4] Shakeel Ali, Tedi Hariyanto, Backtrack 4: Assuring Security by Penetration Testing, Packt Publishing, www.packetpub.com