This chapter is dedicated to security solutions, as well as their installation and configuration. It will show you how to protect the lab environment from external attacks and unauthorized access, and how improve the lab complexity to practice advanced penetration testing and hacking techniques at the same time. We are going to divide security solutions and measures into two main groups: host-based (protecting hosts they are installed on) and network-based (protecting the whole lab network). Additionally, we want to have a closer look at a security information and event management solution that can be used to work together with the security mechanisms in order to identify network attacks and constantly monitor the security of a network.
This chapter covers the following topics:
In this chapter, we are not trying to adhere to the levels of the standard ISO/OSI model, but we distinguish two main abstract security levels: network and host levels.
The host level is represented with host-based security solutions that are aimed towards protecting a certain host. However, network-based solutions are aimed towards protecting the whole network or its parts (or groups of hosts). We would like to start the chapter with network-based solutions.
In order to imitate a real network and to protect our lab from access from an external network, we need to implement access control measures between our various lab VLANs on the network level. The access control mechanism that we are going to use is called access control lists (ACLs) and can be implemented on the core router.
Generally speaking, ACL is a list of rules determining which traffic is allowed or disallowed and in which directions. We are also going to create several ACLs that will block or allow network traffic between various VLANs.
You may think that logically it should be done in Chapter 3, Configuring Networking Lab Components during the network device configuration and you would be right! But we decided to put the ACL subtopic in this chapter because it influences the security of the whole lab environment and not only devices, and it should be emphasized.
For the security of our lab, we need to isolate untrusted network segments as is required according to the communication rules described in Chapter 3, Configuring Networking Lab Components. Let's quickly recall them:
Source |
Allowed destination |
Purpose |
---|---|---|
Admin workstation |
|
Network and system administration |
Servers |
|
Software installation and updates |
User workstations |
|
Internet access, access to the internal network services |
Trusted WLAN |
|
Internet access, access to the internal network services |
Guest WLAN |
|
Internet access |
First, we need to block all the incoming traffic from the external network and isolate the guest WLAN. Log in to the router console, start the configuration mode, and create an ACL for that purpose called wan
with the following commands:
ip access-list extended wan remark deny access from wan deny ip 192.168.0.0 0.0.255.255 any log deny icmp 192.168.0.0 0.0.255.255 any exit ip access-list extended guest remark deny access to guest wlan deny ip any 192.168.0.0 0.0.255.255 deny icmp any 192.168.0.0 0.0.255.255
Let's quickly explain what we have just done:
wan
and guest
and enter the ACL configuration mode.log
to write all denied packets to the log for a further analysis (it allows us to detect possible attacks on our lab).Now, we need to apply the ACL to the router subinterface, serving communications with an external network (in our case it is fa0/0.5
). Exit the ACL configuration mode and get into the interface configuration mode (if you have defined sub-interfaces other than the ones we have done, just substitute fa0/0.5
with the one corresponding to your subinterface connected to a SOHO router):
interface fa0/0.5
Now, assign the ACL called wan
to be applied on network traffic coming to the subinterface from outside:
access-group wan-in in
Next, assign the ACL called guest
to be applied on network traffic coming to the subinterface from inside:
access-group guest-out out
The following ACL for the rest of the router subinterfaces can be created and applied in a similar manner. Therefore, we will put them in a table for convenience:
Name |
Subinterface |
Direction |
ACL |
Remark |
---|---|---|---|---|
|
|
|
|
Access from trusted WLANs |
|
|
|
| |
|
|
|
|
Deny connections to users and trusted WLANs initiated by servers |
According to our lab idea, we want to have secure wireless access to the lab environment, a trusted WLAN.
As you remember from Chapter 1, Understanding Wireless Network Security and Risks, the best way to secure WLAN access is to implement WPA-Enterprise security based on the IEEE 802.1x standard. To be more exact, it should be based on EAP over LAN (EAPOL) and an AAA server.
We decided to choose FreeRADIUS as a suitable solution for an AAA server. FreeRADIUS is a software package containing a RADIUS server software and several auxiliary libraries and modules. Currently, we are interested only in the RADIUS server, which is enough to fulfill our tasks.
FreeRADIUS is a very popular solution with a modular architecture. It works really fast and distributes the important services for a lab, free of charge.
Before we start implementing the solution, we would like to list our next steps to give you a clearer overview of the whole process:
We are going to install FreeRADIUS on a Debian-based virtual Linux server and put it into the server subnet on IP address 10.0.0.6. The installation process is very similar to the Ubuntu Server installation process:
/etc/apt/sources.list
file contains the following line:deb http://ftp.debian.org/debian jessie main
apt-get update apt-get install freeradius
Alternatively, you can download the newest version of FreeRADIUS from the official FTP server and compile it (change the package version number to the current one and make sure that the gcc
compiler is installed):
wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.9.tar.gz tar zxfv freeradius-server-3.0.9.tar.gz cd freeradius-server-3.0.9 ./configure make make install
Every authorized user in our lab will have a personal certificate for the trusted WLAN connections, and it is logical to prepare certificates before we start to put their paths into the server's configuration.
You can use the lab certificate authority installed in Chapter 4, Designing Application Lab Components, to create all the necessary certificates. We already have a CA certificate created, so we only need to create server and client certificates and sign them with the CA:
openssl genrsa -out radius.key 2048 openssl req -key radius.key -new -our radius.csr
lab_ca.srl
file with a two-digit serial number in it, for example, 01.openssl x509 -req -in radius.csr -CA rootCA.crt -CAKey rootCA.key -out radius.pem
openssl genrsa -out attacker1.key 2048 openssl req -new -key attacker1.key -out attacker1.csr
attacker1
or alex
.openssl x509 -req -in attacker1.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out attacker1.crt -days 365
openssl pkcs12 -export -in attacker1.crt -inkey attacker1.key -out attacker1.p12 -clcerts
You can create multiple client certificates for as many users as you would like to allow access to your lab via the trusted WLAN. Copy the server and CA certificates into the /etc/freeradius/certs/lab
directory on the FreeRADIUS server.
Now, it is time to configure FreeRADIUS for our needs. The configuration files can be found in the /etc/freeradius
directory.
We are interested in the following configuration files now:
We need to add the following lines to the file to set the connection parameters for the authenticator:
client 172.16.1.2 { secret = YourSecret shortname = TrustedWLAN }
The secret
parameter contains a password used by an AP to connect to the RADIUS server, so you might want to use a strong combination of symbols to raise the security of your lab.
Here, we set all the necessary parameters for the EAP-TLS authentication:
default_eap_type = tls tls { certdir = ${confdir}/certs/lab cadir = ${confdir}/certs/lab private_key_password = YourServerKeyPassword private_key_file = ${certdir}/radius.key certificate_file = ${certdir}/radius.pem CA_file = ${cadir}/rootCA.crt dh_file = ${certdir}/../dh random_file = /dev/urandom }
The certdir
and cadir
parameters set the directory where FreeRADIUS will search for server and CA certificates. In our case, they are both in /etc/freeradius/certs/lab
.
The private_key_password
parameter is the password that you typed when creating the server's private key.
We have already configured the Ethernet interface of the access point in Chapter 3, Configuring Networking Lab Components, but we have omitted the wireless interface configuration because it is highly dependent on a RADIUS server which we didn't have before the current chapter. Now it is time to fill this gap:
enable
command and the password that you set during the initial AP configuration in Chapter 3, Configuring Networking Lab Components (the default password is Cisco
).configure terminal aaa group server radius rad_eap server 10.0.0.6 auth-port 1812 acct-port 1813 exit aaa new-model aaa authentication login eap_methods group rad_eap radius-server host 10.0.0.6 auth-port 1812 acct-port 1813 key YourSecret end write memory
YourSecret
to the value that you have set in clients.conf
during the FreeRADIUS configuration.dot11radio
:configure terminal interface dot11radio 0 encryption mode ciphers aes-ccm exit write memory
lab_private
is the SSID for our trusted WLAN and you can change it to anything you like.configure terminal dot11 ssid lab_private authentication open eap eap-tls authentication key-management wpa version 2 guest-mode end write memory
guest-mode
command to disable SSID broadcasting, making your WLAN slightly more secure (but not really raising the security level).configure terminal interface dot11radio 0 ssid lab_private no shutdown exit copy running-config startup-config
If you have chosen to set a software AP for the trusted WLAN, you can use the following tools:
hostapd
software on Linux (we will show how to install and configure it in Chapter 7, Preparing a Wireless Penetration Testing Platform)After installing and configuring the chosen software, you will need to add a link between a wireless network and the virtual lab infrastructure using the tool Cloud of the GNS3 system, as described earlier in Chapter 3, Configuring Networking Lab Components.
As a closing step, we need to test our newly created WLAN by connecting a client machine to it. Let's do it on a Windows 8.1 machine:
Now, you are connected to the trusted WLAN and can penetrate our vulnerable servers. So far, we have reliably secured our trusted WLAN and the whole lab network from an unauthorized network access. We have almost reached the main goal of the book: building a lab with wireless access protected from attacks from outside.
Now, let's see how we go ahead with installing the system in our network to detect any intrusion.
Cisco devices have a feature called Switched Port Analyzer (SPAN), which basically mirrors network traffic from selected source ports to a selected destination port. We need this feature to copy network traffic coming through the server VLAN to our network-based IDS for further analysis.
We are going to monitor the whole server traffic (ports fa0/7
-fa0/10
) on the fa0/11
port, so let's configure SPAN on our core switch with the following commands:
enable config t interface fa0/11 port monitor fa0/7 port monitor fa0/8 port monitor fa0/9 port monitor fa0/10 end copy running-config startup-config
Snort is a free, open source network Intrusion Detection System (IDS) capable of performing packet logging and real-time traffic analysis in IP-based networks.
This IDS identifies the following:
Taking into account the following points, we have a system with powerful features for security monitoring:
Snort can be executed on various operating systems: Windows and Unix-like. In our case, we are using Ubuntu Server 14 and we will consider the Linux distribution.
So, the installation process is pretty simple in Ubuntu Linux. We should just execute one command:
apt-get install snort
After a few minutes, installation will be complete and we can start the Snort service on our system using the following command:
service snort start
Next, let's update the Snort rules set. You can get the latest version of the rules from the official website at https://www.snort.org/downloads in the Rules section. We will use the Registered user release set, because it is the most up-to-date one. However, it needs registration. You can sign up at https://www.snort.org/users/sign_up.
After downloading, let's unpack the downloaded archive file and copy the rules directories so_rules
and preproc_rules
in /etc/snort
:
cp -R ./rules/ /etc/snort/ cp -R ./so_rules/ /etc/snort/ cp -R ./preproc_rules/ /etc/snort/
After that, we need to restart Snort:
service snort restart
After all these manipulations, we have a working instance of the IDS Snort system. Next, let's configure our intrusion detection system in more detail.
The main configuration of Snort is located in the snort.conf
file in the /etc/snort/
directory. Initially, this file is based on the example configuration. It is big but very well commented, so it should not make you seriously confused. The configuration file consists of nine sections:
Let's start with basic variables that will describe our infrastructure:
Type |
Variable |
Value |
Description |
---|---|---|---|
|
|
[10.0.0.0/24,10.1.0.0/24] |
Home network, from which attacks are possible. It is a host or a list of hosts whose traffic will analyze Snort. |
|
|
[172.16.0.0/24,192.168.0.0/24,172.16.2.0/24] |
The network from which the attack could begin. |
|
|
10.0.0.2 |
It is a list of DNS servers. |
|
|
10.0.0.3,10.0.0.5 |
It is a list of web servers. |
|
|
10.0.0.3 |
It is a list of SQL servers. |
|
|
80,443 |
It is a list of web ports. |
|
|
10.0.0.4 |
It is a list of SIP servers. |
We leave the default values for the other settings in this file. Of course, you can configure Snort to work in the way that best suits your needs. Since this is a learning laboratory, settings in a particular case may be quite different.
In order for the changes to take effect, we need to restart the Snort daemon:
service snort restart
Now, we can try to run Snort:
snort -D -dev -c /etc/snort.conf
After starting the daemon, we will check the network interface that Snort is listening to:
ifconfig -a
If the interface is in promisc mode, everything is fine.
Writing your own rules is not difficult but is often necessary, because vulnerabilities are found every day, and in the case of a test laboratory, infrastructure is changing for the needs of tests.
The structure of the rules corresponds to the following scheme:
<Action> <Protocol> <Port> <Direction> <Port> ([metadata] [content of the package] [Data] [Action after detection])
Actions are divided into the following parts:
Action |
Description |
---|---|
|
Create an alert using the selected method, and pass the information to the system log. |
|
Use the system log to record information about the package. |
|
Ignore the package. |
|
Use another dynamic rule. |
|
After you have made the active rule, a rule is activated with the procedure logging. |
|
Discard packet using a firewall, and pass information to the system log. It works only in the inline mode. |
|
Discard the packet using software firewall and do not use the system log. It works only in the inline mode. |
|
Using firewall, discard the packet if the protocol is TCP, or record a message in the log file: ICMP port is not available if the package comes over UDP. It works only in the inline mode. |
Next, follow the protocol. This parameter can take the following values: TCP, UDP, IP, and ICMP.
The next three parameters determine the source and destination IP addresses and port numbers for the rule to be applied to. They can be set as a certain value, a range, or any value. A range of IP addresses can be set with a CIRD block mask starting with /
, for example: /24
. A range of ports can be set with the start and end port numbers separated with a colon, for example: 25 : 445
.
It also important to specify the traffic direction in which the rule should be applied with the symbols ->
for the direction from source to destination or <>
for a bidirectional traffic flow.
After specifying all the parameters of a rule, you can also set several options that follow the rule header in brackets and should be separated from each other with a semicolon. The option keywords should be separated from their values with a colon.
All options can be divided into four categories:
Category |
Description |
---|---|
|
These options are not specified for a data validation package. It contains information about the type of attack, the possible vulnerability of the materials, links, and so on. |
|
Parameters of this category contain information about the data itself, which contains a package. |
|
This category contains official information about the packet (header). |
|
It specifies the tasks to be carried out after finding the information in the package. |
For effective monitoring of activities, you should learn the language rules of Snort. Unfortunately, the full description of all rules is beyond the scope of this book, but you can find more information on the Internet.
For now, we have a working network intrusion detection system and we can develop it for specific needs.
3.147.85.183