This chapter is dedicated to security solutions, as well as their installation and configuration. It will show you how to protect the lab environment from external attacks and unauthorized access, and how improve the lab complexity to practice advanced penetration testing and hacking techniques at the same time. We are going to divide security solutions and measures into two main groups: host-based (protecting hosts they are installed on) and network-based (protecting the whole lab network). Additionally, we want to have a closer look at a security information and event management solution that can be used to work together with the security mechanisms in order to identify network attacks and constantly monitor the security of a network.
This chapter covers the following topics:
- Network-based security measures
- Host-based security measures
- Security information and event management system
In this chapter, we are not trying to adhere to the levels of the standard ISO/OSI model, but we distinguish two main abstract security levels: network and host levels.
The host level is represented with host-based security solutions that are aimed towards protecting a certain host. However, network-based solutions are aimed towards protecting the whole network or its parts (or groups of hosts). We would like to start the chapter with network-based solutions.
In order to imitate a real network and to protect our lab from access from an external network, we need to implement access control measures between our various lab VLANs on the network level. The access control mechanism that we are going to use is called access control lists (ACLs) and can be implemented on the core router.
Generally speaking, ACL is a list of rules determining which traffic is allowed or disallowed and in which directions. We are also going to create several ACLs that will block or allow network traffic between various VLANs.
You may think that logically it should be done in Chapter 3, Configuring Networking Lab Components during the network device configuration and you would be right! But we decided to put the ACL subtopic in this chapter because it influences the security of the whole lab environment and not only devices, and it should be emphasized.
For the security of our lab, we need to isolate untrusted network segments as is required according to the communication rules described in Chapter 3, Configuring Networking Lab Components. Let's quickly recall them:
|
Source |
Allowed destination |
Purpose |
|---|---|---|
|
Admin workstation |
|
Network and system administration |
|
Servers |
|
Software installation and updates |
|
User workstations |
|
Internet access, access to the internal network services |
|
Trusted WLAN |
|
Internet access, access to the internal network services |
|
Guest WLAN |
|
Internet access |
First, we need to block all the incoming traffic from the external network and isolate the guest WLAN. Log in to the router console, start the configuration mode, and create an ACL for that purpose called wan with the following commands:
ip access-list extended wan remark deny access from wan deny ip 192.168.0.0 0.0.255.255 any log deny icmp 192.168.0.0 0.0.255.255 any exit ip access-list extended guest remark deny access to guest wlan deny ip any 192.168.0.0 0.0.255.255 deny icmp any 192.168.0.0 0.0.255.255
Let's quickly explain what we have just done:
- The first and the sixth lines create extended named ACLs with the names
wanandguestand enter the ACL configuration mode. - The second and seventh commands set the user-friendly comments for the new ACLs.
- The third and fourth lines deny all IP and ICMP traffic from the network 192.168.0.0/16 to any destination. We are using the keyword
logto write all denied packets to the log for a further analysis (it allows us to detect possible attacks on our lab). - The last two commands deny all IP and ICMP traffic from any source to the 192.168.0.0/16 network.
Now, we need to apply the ACL to the router subinterface, serving communications with an external network (in our case it is fa0/0.5). Exit the ACL configuration mode and get into the interface configuration mode (if you have defined sub-interfaces other than the ones we have done, just substitute fa0/0.5 with the one corresponding to your subinterface connected to a SOHO router):
interface fa0/0.5
Now, assign the ACL called wan to be applied on network traffic coming to the subinterface from outside:
access-group wan-in in
Next, assign the ACL called guest to be applied on network traffic coming to the subinterface from inside:
access-group guest-out out
The following ACL for the rest of the router subinterfaces can be created and applied in a similar manner. Therefore, we will put them in a table for convenience:
|
Name |
Subinterface |
Direction |
ACL |
Remark |
|---|---|---|---|---|
|
|
|
|
|
Access from trusted WLANs |
|
|
|
|
| |
|
|
|
|
|
Deny connections to users and trusted WLANs initiated by servers |
According to our lab idea, we want to have secure wireless access to the lab environment, a trusted WLAN.
As you remember from Chapter 1, Understanding Wireless Network Security and Risks, the best way to secure WLAN access is to implement WPA-Enterprise security based on the IEEE 802.1x standard. To be more exact, it should be based on EAP over LAN (EAPOL) and an AAA server.
We decided to choose FreeRADIUS as a suitable solution for an AAA server. FreeRADIUS is a software package containing a RADIUS server software and several auxiliary libraries and modules. Currently, we are interested only in the RADIUS server, which is enough to fulfill our tasks.
FreeRADIUS is a very popular solution with a modular architecture. It works really fast and distributes the important services for a lab, free of charge.
Before we start implementing the solution, we would like to list our next steps to give you a clearer overview of the whole process:
- Preparing a VM with FreeRADIUS.
- Creating certificates.
- Configuring a RADIUS server.
- Configuring an access point.
- Configuring a WLAN client.
We are going to install FreeRADIUS on a Debian-based virtual Linux server and put it into the server subnet on IP address 10.0.0.6. The installation process is very similar to the Ubuntu Server installation process:
- Create a VM with 1024 MB RAM.
- Download a Debian Linux 8 (Jessie) image from the official website.
- Install Debian Linux using guided installation and don't forget to set strong passwords for the root and non-root users during the installation, as this server will provide lab's security and we don't want it to be vulnerable.
- After the installation, start the VM and log in under the root account.
- Make sure that the VM can access the Internet. Use NAT if is not connected to the lab network or configure IP settings if it is.
- Check whether the
/etc/apt/sources.listfile contains the following line:deb http://ftp.debian.org/debian jessie main - If not, add this line to the file.
- Update the packages list.
- Install FreeRADIUS using the following commands:
apt-get update apt-get install freeradius
Note
Alternatively, you can download the newest version of FreeRADIUS from the official FTP server and compile it (change the package version number to the current one and make sure that the gcc compiler is installed):
wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.9.tar.gz tar zxfv freeradius-server-3.0.9.tar.gz cd freeradius-server-3.0.9 ./configure make make install
Every authorized user in our lab will have a personal certificate for the trusted WLAN connections, and it is logical to prepare certificates before we start to put their paths into the server's configuration.
You can use the lab certificate authority installed in Chapter 4, Designing Application Lab Components, to create all the necessary certificates. We already have a CA certificate created, so we only need to create server and client certificates and sign them with the CA:
- Create a server key and a certificate request:
openssl genrsa -out radius.key 2048 openssl req -key radius.key -new -our radius.csr
- Create a
lab_ca.srlfile with a two-digit serial number in it, for example, 01. - Sign the server certificate request using the CA (you will need to provide a path to the CA certificate and key files if they are not in the current directory) and create a server certificate:
openssl x509 -req -in radius.csr -CA rootCA.crt -CAKey rootCA.key -out radius.pem - Create a client key and certificate request:
openssl genrsa -out attacker1.key 2048 openssl req -new -key attacker1.key -out attacker1.csr
- Here, you should fill the certificate's field Common name with the identity of the user that will hold the certificate, for example,
attacker1oralex. - Sign the client certificate using the certificate authority:
openssl x509 -req -in attacker1.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out attacker1.crt -days 365 - Export the client certificate in the PKCS#12 format for a Windows client:
openssl pkcs12 -export -in attacker1.crt -inkey attacker1.key -out attacker1.p12 -clcerts
You can create multiple client certificates for as many users as you would like to allow access to your lab via the trusted WLAN. Copy the server and CA certificates into the /etc/freeradius/certs/lab directory on the FreeRADIUS server.
Now, it is time to configure FreeRADIUS for our needs. The configuration files can be found in the /etc/freeradius directory.
We are interested in the following configuration files now:
We need to add the following lines to the file to set the connection parameters for the authenticator:
client 172.16.1.2 {
secret = YourSecret
shortname = TrustedWLAN
}The secret parameter contains a password used by an AP to connect to the RADIUS server, so you might want to use a strong combination of symbols to raise the security of your lab.
Here, we set all the necessary parameters for the EAP-TLS authentication:
default_eap_type = tls
tls {
certdir = ${confdir}/certs/lab
cadir = ${confdir}/certs/lab
private_key_password = YourServerKeyPassword
private_key_file = ${certdir}/radius.key
certificate_file = ${certdir}/radius.pem
CA_file = ${cadir}/rootCA.crt
dh_file = ${certdir}/../dh
random_file = /dev/urandom
}The certdir and cadir parameters set the directory where FreeRADIUS will search for server and CA certificates. In our case, they are both in /etc/freeradius/certs/lab.
The private_key_password parameter is the password that you typed when creating the server's private key.
We have already configured the Ethernet interface of the access point in Chapter 3, Configuring Networking Lab Components, but we have omitted the wireless interface configuration because it is highly dependent on a RADIUS server which we didn't have before the current chapter. Now it is time to fill this gap:
- Connect to the AP's console port and enter the privileged mode with the
enablecommand and the password that you set during the initial AP configuration in Chapter 3, Configuring Networking Lab Components (the default password isCisco). - Let's configure the authentication server (RADIUS) settings first:
configure terminal aaa group server radius rad_eap server 10.0.0.6 auth-port 1812 acct-port 1813 exit aaa new-model aaa authentication login eap_methods group rad_eap radius-server host 10.0.0.6 auth-port 1812 acct-port 1813 key YourSecret end write memory
- Change
YourSecretto the value that you have set inclients.confduring the FreeRADIUS configuration. - Now, we need to configure the radio interface called
dot11radio:configure terminal interface dot11radio 0 encryption mode ciphers aes-ccm exit write memory
lab_privateis the SSID for our trusted WLAN and you can change it to anything you like.- As the next step, we will configure the WLAN settings:
configure terminal dot11 ssid lab_private authentication open eap eap-tls authentication key-management wpa version 2 guest-mode end write memory
- You can omit the
guest-modecommand to disable SSID broadcasting, making your WLAN slightly more secure (but not really raising the security level). - After configuring the radio interface and the SSID, we can assign the SSID to the interface and turn the interface on:
configure terminal interface dot11radio 0 ssid lab_private no shutdown exit copy running-config startup-config
Note
If you have chosen to set a software AP for the trusted WLAN, you can use the following tools:
- Built-in tools or
hostapdsoftware on Linux (we will show how to install and configure it in Chapter 7, Preparing a Wireless Penetration Testing Platform) - Special software (for example, Connectify or ARPMiner) on Windows
After installing and configuring the chosen software, you will need to add a link between a wireless network and the virtual lab infrastructure using the tool Cloud of the GNS3 system, as described earlier in Chapter 3, Configuring Networking Lab Components.
As a closing step, we need to test our newly created WLAN by connecting a client machine to it. Let's do it on a Windows 8.1 machine:
- First, you need to copy the attacker's certificate in the PKCS#12 format to a client machine and install it.
- Then you need to click on the networking icon in the system tray to get a list of available wireless networks, as with WEP- or WPA-PSK-protected networks.
- Choose the lab_private option in the wireless network list and click on the Other ways to connect link:
- Then, click on Certificate, choose the lab certificate, and click on OK:
Now, you are connected to the trusted WLAN and can penetrate our vulnerable servers. So far, we have reliably secured our trusted WLAN and the whole lab network from an unauthorized network access. We have almost reached the main goal of the book: building a lab with wireless access protected from attacks from outside.
Now, let's see how we go ahead with installing the system in our network to detect any intrusion.
Cisco devices have a feature called Switched Port Analyzer (SPAN), which basically mirrors network traffic from selected source ports to a selected destination port. We need this feature to copy network traffic coming through the server VLAN to our network-based IDS for further analysis.
We are going to monitor the whole server traffic (ports fa0/7-fa0/10) on the fa0/11 port, so let's configure SPAN on our core switch with the following commands:
enable config t interface fa0/11 port monitor fa0/7 port monitor fa0/8 port monitor fa0/9 port monitor fa0/10 end copy running-config startup-config
Snort is a free, open source network Intrusion Detection System (IDS) capable of performing packet logging and real-time traffic analysis in IP-based networks.
This IDS identifies the following:
- Attacks on network protocols
- Scanning (ports and services)
- DoS attacks
- Attacks on services such as FTP, DNS, e-mail, and so on
- Attacks on databases
- Attacks on the Web
- Exploits and various malwares
Taking into account the following points, we have a system with powerful features for security monitoring:
- Ability to write their own rules
- Enhanced functionality by using the connectivity modules
- Flexible system of warning about the attacks (log files, output devices, or a database ID)
Snort can be executed on various operating systems: Windows and Unix-like. In our case, we are using Ubuntu Server 14 and we will consider the Linux distribution.
So, the installation process is pretty simple in Ubuntu Linux. We should just execute one command:
apt-get install snort
After a few minutes, installation will be complete and we can start the Snort service on our system using the following command:
service snort start
Next, let's update the Snort rules set. You can get the latest version of the rules from the official website at https://www.snort.org/downloads in the Rules section. We will use the Registered user release set, because it is the most up-to-date one. However, it needs registration. You can sign up at https://www.snort.org/users/sign_up.
After downloading, let's unpack the downloaded archive file and copy the rules directories so_rules and preproc_rules in /etc/snort:
cp -R ./rules/ /etc/snort/ cp -R ./so_rules/ /etc/snort/ cp -R ./preproc_rules/ /etc/snort/
After that, we need to restart Snort:
service snort restart
After all these manipulations, we have a working instance of the IDS Snort system. Next, let's configure our intrusion detection system in more detail.
The main configuration of Snort is located in the snort.conf file in the /etc/snort/ directory. Initially, this file is based on the example configuration. It is big but very well commented, so it should not make you seriously confused. The configuration file consists of nine sections:
- Network variables
- Configuration of the decoder
- Configuration of the base detection engine
- Configuration of dynamic loaded libraries
- Configuration of preprocessors
- Configuration of output plugins
- Customization of your rule set
- Customization of preprocessor and decoder rule set
- Customization of shared object rule set
Let's start with basic variables that will describe our infrastructure:
|
Type |
Variable |
Value |
Description |
|---|---|---|---|
|
|
|
[10.0.0.0/24,10.1.0.0/24] |
Home network, from which attacks are possible. It is a host or a list of hosts whose traffic will analyze Snort. |
|
|
|
[172.16.0.0/24,192.168.0.0/24,172.16.2.0/24] |
The network from which the attack could begin. |
|
|
|
10.0.0.2 |
It is a list of DNS servers. |
|
|
|
10.0.0.3,10.0.0.5 |
It is a list of web servers. |
|
|
|
10.0.0.3 |
It is a list of SQL servers. |
|
|
|
80,443 |
It is a list of web ports. |
|
|
|
10.0.0.4 |
It is a list of SIP servers. |
We leave the default values for the other settings in this file. Of course, you can configure Snort to work in the way that best suits your needs. Since this is a learning laboratory, settings in a particular case may be quite different.
In order for the changes to take effect, we need to restart the Snort daemon:
service snort restart
Now, we can try to run Snort:
snort -D -dev -c /etc/snort.conf
After starting the daemon, we will check the network interface that Snort is listening to:
ifconfig -a
If the interface is in promisc mode, everything is fine.
Writing your own rules is not difficult but is often necessary, because vulnerabilities are found every day, and in the case of a test laboratory, infrastructure is changing for the needs of tests.
The structure of the rules corresponds to the following scheme:
<Action> <Protocol> <Port> <Direction> <Port> ([metadata] [content of the package] [Data] [Action after detection])
Actions are divided into the following parts:
|
Action |
Description |
|---|---|
|
|
Create an alert using the selected method, and pass the information to the system log. |
|
|
Use the system log to record information about the package. |
|
|
Ignore the package. |
|
|
Use another dynamic rule. |
|
|
After you have made the active rule, a rule is activated with the procedure logging. |
|
|
Discard packet using a firewall, and pass information to the system log. It works only in the inline mode. |
|
|
Discard the packet using software firewall and do not use the system log. It works only in the inline mode. |
|
|
Using firewall, discard the packet if the protocol is TCP, or record a message in the log file: ICMP port is not available if the package comes over UDP. It works only in the inline mode. |
Next, follow the protocol. This parameter can take the following values: TCP, UDP, IP, and ICMP.
The next three parameters determine the source and destination IP addresses and port numbers for the rule to be applied to. They can be set as a certain value, a range, or any value. A range of IP addresses can be set with a CIRD block mask starting with /, for example: /24. A range of ports can be set with the start and end port numbers separated with a colon, for example: 25 : 445.
It also important to specify the traffic direction in which the rule should be applied with the symbols -> for the direction from source to destination or <> for a bidirectional traffic flow.
After specifying all the parameters of a rule, you can also set several options that follow the rule header in brackets and should be separated from each other with a semicolon. The option keywords should be separated from their values with a colon.
All options can be divided into four categories:
|
Category |
Description |
|---|---|
|
|
These options are not specified for a data validation package. It contains information about the type of attack, the possible vulnerability of the materials, links, and so on. |
|
|
Parameters of this category contain information about the data itself, which contains a package. |
|
|
This category contains official information about the packet (header). |
|
|
It specifies the tasks to be carried out after finding the information in the package. |
For effective monitoring of activities, you should learn the language rules of Snort. Unfortunately, the full description of all rules is beyond the scope of this book, but you can find more information on the Internet.
For now, we have a working network intrusion detection system and we can develop it for specific needs.