Exercise Manual for Course Defending the Perimeter From Cyber Attacks

Transcription

1 Exercise Manual for Course 2010 Defending the Perimeter From Cyber Attacks 2010/MA/B.2/410/B.1 by Adrian Bryan Technical Editor: Jay Hickman

2 LEARNING TREE INTERNATIONAL, INC. All rights reserved. All trademarked product and company names are the property of their respective trademark holders. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, or translated into any language, without the prior written permission of the publisher. Copying software used in this course is prohibited without the express permission of Learning Tree International, Inc. Making unauthorized copies of such software violates federal copyright law, which includes both civil and criminal penalties.

3 Exercise Manual Contents Legend for Course Icons...ii Hands-On Exercise 1.1: Exploring the Case Study... 1 Hands-On Exercise 2.1: Installing the Sophos UTM Firewall Hands-On Exercise 2.2: Content Filtering Hands-On Exercise 3.1: Supporting DNS Through a Firewall Hands-On Exercise 3.2: Supporting SMTP Mail Through a Firewall Hands-On Exercise 3.3: Protecting The DMZ With Cisco ACLs Hands-On Exercise 4.1: Using Snort IDS Hands-On Exercise 4.2: Using Intrusion Prevention Hands-On Exercise 5.1: Remote User VPN Using L2TP Over IPsec Hands-On Exercise 5.2: Using an SSL VPN Hands-On Exercise 6.1: IPsec Site-to-Site VPN Hands-On Exercise 6.2: Cisco GRE IPsec VPN Hands-On Exercise 7.1: Cisco IOS SYN Flood Defense Hands-On Exercise 7.2: Sophos UTM 9 DoS Defense MA-i

4 Legend for Course Icons Standard icons are used in the hands-on exercises to illustrate various phases of each exercise. Major step Warning 1. Action Hint Checkpoint Stop Question Congratulations Information Bonus 2010-MA-ii

5 Hands-On Exercise 1.1: Exploring the Case Study Objective In this exercise, you will explore the case study to see some of the security issues with your current configuration. We will be investigating ways to protect against each of these issues throughout the rest of the course MA-1

6 Hands-On Exercise 1.1: Exploring the Case Study Confirming your VMware network First, we will record the IP addresses of your team s PCs and then confirm that the current VMware configuration is correct. You should have 4 VMware PCs running: a. Windows Server 2008 b. Windows 7 Internal c. Windows 7 Router d. Windows 7 Attacker 1. Switch to the Windows 7 Internal VM by clicking on its tab. Open a command prompt window using the shortcut on your desktop and type ipconfig <Enter>. 2. Record the IP address for the Ethernet adapter Local Area Connection on your network diagram. The IP address will be of the form 10.1.X.50, where X is your team number. 3. Repeat steps 1 and 2 for the Windows Server 2008 and Windows 7 Attacker VMs. 4. Switch to Windows 7 Router VM. This VM will be running GNS3 with a virtual Cisco 2600 series router. This router is your organization s border router. You will first configure the router MA-2

7 Hands-On Exercise 1.1: Exploring the Case Study 5. Open the folder containing the router configuration files using the shortcut (Router Configs) on your desktop. Your router configuration file is called Router.cfg. 6. Open Router.cfg in Notepad by double-clicking it. The file currently has Xs in place of your team number. 7. Replace X with your team number in four locations. The four locations are hostname, IP address entry for interface FastEthernet0/0, IP address entry for interface FastEthernet0/1, and IP address entry for interface Loopback0/0. The entry for the IP address entry for interface FastEthernet0/0 is (200+team number), so if your team number is >9 you will have to replace the 0 and X. 8. Save the file. 9. Start GNS3 using the shortcut on your desktop. GNS3 will start and display a New Project window. 10. Click the Recent Files button and select the only entry shown. You will see a network diagram with two clouds connected by a router MA-3

8 Hands-On Exercise 1.1: Exploring the Case Study The router interfaces are green if the router is running and red if it is not. 11. Right-click the router symbol and select Start. After a few seconds, the router interfaces should turn green, indicating that the router is running. 12. Right-click the router symbol in GNS3 and select Console. When the router has finished booting, you should see a console window open with a prompt similar to RX#. If not, press <Enter>. The console window that you see is exactly the same as you would see if you had a terminal connected to the console port of a Cisco 2600 series router. 13. Switch to the new console window and type: show int f0/0 <Enter> 14. Record the Internet Address on your network diagram. The IP address will be of the form <200+X>, where X is your team number. This is the IP address of the outside of your border router the interface that connects you to the classroom network MA-4

9 Hands-On Exercise 1.1: Exploring the Case Study 15. In the command window, type show int f0/1 <Enter> 16. Record the Internet Address on your network diagram. The IP address will be of the form 10.1.X.254, where X is your team number. This is the IP address of the inside of your border router the interface that connects your internal network. 17. Switch to the Windows 7 Attacker VM, open a command prompt, and use ping to check that you can reach both interfaces of your border router and the two internal VMs. The ping should be successful to all of the recorded IP addresses. If not, bring this to the attention of your instructor. You may find that the first ping to each new address will time out. This is normal! Try pinging the addresses again and you will see that they are all successful MA-5

10 Hands-On Exercise 1.1: Exploring the Case Study Scanning and attacking your internal machines We will now mimic some of the simple attack methods used by hackers to profile a potential target. 18. Start Zenmap using the shortcut on your desktop. Zenmap is a Windows GUI implementation of the popular Nmap scanning tool. It is widely used to scan machines across a network. 19. In the Target field, type 10.1.X.0/24 where X is replaced with your team number. Select Ping scan from the Profile drop-down. 20. Click the Scan button. Zenmap is pinging the IP address range that you entered, looking for addresses that respond. It will take around 20 seconds. 21. Enter the IP addresses of the responding hosts below: IP address 1: IP address 2: IP address 3: This should correspond to the addresses that you recorded earlier in the exercise MA-6

11 Hands-On Exercise 1.1: Exploring the Case Study 22. Configure Zenmap as follows: Target: <IP address 1 from step 21> Profile: Intense scan 23. Click the Scan button. When the scan has finished, record some of the findings below: OS best guess: List the open ports: Would any of this information be useful to an attacker? Yes No 24. Change Zenmap as follows: Target: <IP address 2 from step 21> Profile: Intense Scan 2010-MA-7

12 Hands-On Exercise 1.1: Exploring the Case Study 25. Click the Scan button. When the scan has finished, record some of the findings below: OS best guess: List the open ports: Would any of this information be useful to an attacker? Yes No 26. Change Zenmap as follows: Target: <IP address 3 from step 21> 27. Click the Scan button. When the scan has finished, record some of the findings below: OS best guess: List the open ports: Would any of this information be useful to an attacker? Yes No 28. Close Zenmap MA-8

13 Hands-On Exercise 1.1: Exploring the Case Study Attacking a host One of the open ports on your Windows Server 2008 PC is TCP port 139. This port is the Windows NetBIOS session port. We will now attack it and investigate the impact. 29. Start SynGUI using the SynGUI.bat shortcut on your desktop. This is a simple DoS tool that opens multiple TCP connections to a target IP address and port number. 30. In the SynGUI tool, enter the following (replacing X with your team number): IP or Hostname: 10.1.X.100 Port number: 139 and click SYN Flood. In the command window that appeared when you started the tool, you should see Sent, followed by how many packets the tool has sent. Despite its name, this is not a true SYN flood tool, as the TCP connection is completed. You will learn more about SYN food attacks (and how to defend against them) in Chapter MA-9

14 Hands-On Exercise 1.1: Exploring the Case Study 31. After a few minutes, switch to your Windows Server 2008 VM, open a command prompt and type netstat <Enter> You will see a list of all of the TCP connections to this PC, together with local and remote IP addresses and port numbers local first, then remote. To what local port number are most of the connections? What impact might this number of open connections have? 32. Switch back to the Windows 7 Attacker VM. Stop the attack by closing the command window. Congratulations! You have completed the exercise MA-10

15 Hands-On Exercise 1.1: Exploring the Case Study If you have more time 33. On the Windows 7 Attacker VM, select Start All Programs Winfingerprint Winfingerprint. 34. In Input Options, select Single Host and enter the address of your Windows 7 Internal VM (10.1.X.50). 35. In Scan Options, select RPC Bindings and leave all other options at the default. 36. Click Scan. 37. When that scan has completed, examine the output. Would any of this information be of use to an attacker? Yes No Congratulations! You have completed the bonus exercise MA-11

16 2010-MA-12

17 Hands-On Exercise 2.1: Installing the Sophos UTM Firewall Objective In this exercise, you will reconfigure your border network into a typical DMZ-style firewall. You will then install and configure a (virtual) firewall appliance between the DMZ and your internal network. You will then test the new configuration MA-13

18 Hands-On Exercise 2.1: Installing the Sophos UTM Firewall Reconfiguring your border network You will now reconfigure your border network within VMware. You should have four VMware PCs running: a. Windows Server 2008 b. Windows 7 Internal c. Windows 7 Router d. Windows 7 Attacker 1. In VMware Workstation, right-click the Windows 7 Internal tab and select Settings. 2. In the left pane, click Network Adapter. The network adapter is currently connected to the DMZ network. You will now move it to the Internal network. 3. In the Network connection section, select Internal from the LAN segment drop-down. 4. Click OK. You will now change the IP address to an appropriate one for the new network. 5. In the Windows 7 Internal VM, right-click the network symbol at the right of the task bar at the bottom of the VM window, and select Open Network and Sharing Center MA-14

19 Hands-On Exercise 2.1: Installing the Sophos UTM Firewall 6. Click Change adapter settings. 7. Right-click Local Area Connection and select Properties. 8. Click Internet Protocol Version 4 (TCP/IPv4) and click the Properties button. 9. Change the settings to: IP address: Default gateway: Preferred DNS Server: Leave all other settings at their default value. 10. Click OK and close all open windows. You have now configured the internal host. These settings are temporary to allow you to connect to the bastion for initial configuration. Next, you will install and configure the firewall bastion MA-15

20 Hands-On Exercise 2.1: Installing the Sophos UTM Firewall Installing and configuring Sophos UTM firewall 11. In VMware Workstation, select the UTM_9.003_vmware_x64_smp VM and click Power on this virtual machine. The Sophos UTM firewall runs on a pre-hardened Linux OS. 12. When you see the login prompt, switch to the Windows 7 Internal VM. You will need to hit <Ctrl><Alt> to regain control of your mouse. All configuration of the firewall is carried out via a browser. The configuration server is listening on port Open Internet Explorer and enter the following URL: You will see a page telling you that there is a problem with the website s security certificate. 14. Click Continue to this web site (not recommended). You will see the Sophos UTM page. Notice that the location bar is red, reminding you that there is a problem with the website s certificate. The certificate error is due to IE not trusting the issuer of the certificate. You will configure IE to trust the certificate later MA-16

21 Hands-On Exercise 2.1: Installing the Sophos UTM Firewall 15. On the SOPHOS UTM 9 Basic system setup page, fill in the information as follows, replacing X with your team number: Hostname: Company or Organization Name: City: Country: admin account password: Repeat password: admin account address: bastion.ltreex.com TeamX <where you are> <where you are> adminpw adminpw admin@ltreex.com 16. Select the I accept the license agreement checkbox at the bottom of the page and click Perform Basic System Setup. There will be a pause of around 40 seconds, followed by the certificate error page, as before. 17. Click Continue to this web site (not recommended). 18. Enter the following: You will see the Login to WebAdmin page. Username: Password: admin adminpw and click Login. 19. Click Next. You will see the License Installation page MA-17

22 Hands-On Exercise 2.1: Installing the Sophos UTM Firewall Sophos UTM can be used without a license for 30 days. You can apply for a free license to continue to use the basic firewall! 20. Click Next. You will see the Internal (LAN) Network Settings page. Usually, these settings would be fine for our current network configuration. However, as we will be using a VPN to connect all our team networks together in a later exercise, we will give the internal networks a unique IP address. 21. Change the Internal (LAN) firewall IP: to X.1 (replacing X with your team number) and click Next. You will see the Internet Uplink (WAN) Settings page. 22. Ensure that this is shown as Eth1 and select Standard Ethernet interface with static IP address from the Internet uplink type drop-down. Enter the following information, replacing X with your team number: IP address: Netmask: Default gateway: DNS forwarder IP: 10.1.X.1 leave at default 10.1.X X.100 and click Next. You will see the Firewall Settings page MA-18

23 Hands-On Exercise 2.1: Installing the Sophos UTM Firewall 23. Select the Web (HTTP, HTTPS, FTP) checkbox. Leave all other settings at the default and click Next. We will leave the ping settings at the default for the moment so that we can test connectivity. It would normally be good practice to disable all pings. You will see the Intrusion Prevention Settings page. We ll leave IPS turned off for now. We will be configuring this in a later exercise. 24. Leave everything clear on the IPS page and click Next. 25. Accept the default by clicking Next. You will see the Application Control and Network Visibility Settings Page. 26. Click Next. You will see the Web Protection Settings page. We leave everything cleared for now. We will be configuring this in a later exercise. 27. Click Next. You will see the Protection Settings page MA-19

24 Hands-On Exercise 2.1: Installing the Sophos UTM Firewall We will leave everything cleared for now. We will be configuring this in a later exercise. 28. Click Next. 29. Click Finish. You will see the Summary page. As you have changed the IP address of the local bastion interface, IE will no longer be able to connect. You will now change the IP address of your internal VM so that it can communicate with the bastion. 30. In the Windows 7 Internal VM, right-click the network symbol at the right of the task bar and select Open Network and Sharing Center. 31. Click Change adapter settings. 32. Right-click Local Area Connection and select Properties. 33. Click Internet Protocol Version 4 (TCP/IPv4) and click the Properties button. 34. Change the settings to: IP address: X.50 Default gateway: X.1 Preferred DNS Server: Click OK and close all open windows except IE MA-20

25 Hands-On Exercise 2.1: Installing the Sophos UTM Firewall 36. Return to IE and connect to the following URL: Click Continue to this web site (not recommended). 38. Enter the following and click Login. Username: Password: admin adminpw You will see the Sophos UTM Dashboard. You will now configure IE to trust the bastion s SSL certificate. If you get a pop-up about helping to improve UTM, select No and Close. 39. From the left column, select Management WebAdmin Settings. 40. Click the HTTPS Certificate tab. 41. Click Import CA Certificate. 42. In the pop-up at the bottom of IE, select Open and then Open again. You will see a Certificate window. 43. Click Install Certificate. 44. Click Next MA-21

26 Hands-On Exercise 2.1: Installing the Sophos UTM Firewall 45. In the Certificate Store window, select the Place all certificates in the following store radio button. 46. Click Browse, select Trusted Root Certification Authorities, and click OK. 47. Click Next. 48. Click Finish. You will see a Security Warning telling you that you are about to install a CA certificate. 49. Click Yes. You will see a message that the import was successful. 50. Click OK and then OK again to close the Certificate window. 51. Close and then open IE and connect to the bastion, as before: You will receive a different warning. This warning is about the certificate being issued for a different website s name. This is being caused by the certificate being issued for a domain name and we are using an IP address. This will be resolved when you configure DNS later MA-22

27 Hands-On Exercise 2.1: Installing the Sophos UTM Firewall Testing the new network and firewall configuration 52. Switch to the Windows 7 Attacker VM. 53. Open a command prompt and use ping to check connectivity with the external address of your newly installed bastion host. Check your network diagram if you do not know this address. The ping should be successful. If not, troubleshoot the network using any tool at your disposal. 54. Switch to the Windows 7 Internal VM. Use ping to test connectivity to your bastion s internal address ( X.1). The ping should be successful. If not, troubleshoot the network using any tool at your disposal. The bastion currently has two rules: one allowing access from internal hosts to the external network for web traffic and one (which is added automatically) allowing DNS lookups. All other traffic is blocked. We will now test the web traffic rule MA-23

28 Hands-On Exercise 2.1: Installing the Sophos UTM Firewall 55. Try pinging the IP address of your Windows Server 2008 host (on your DMZ: 10.1.X.100). The ping should fail, saying, Request timed out. The bastion is silently blocking pings from internal hosts. 56. In IE, open a new tab and enter the URL (replacing X with your team number): If all is well, you will see your team s public web server home page. 57. Change the URL from the previous step to check connectivity with the classroom web server ( ) MA-24

29 Hands-On Exercise 2.1: Installing the Sophos UTM Firewall Changing a firewall rule In your initial configuration of the bastion, you allowed it to be ping visible. This is usually disabled! 58. Change to the IE tab, which is connected to your bastion. The bastion s management interface has an inactivity timeout, so you will probably need to log in again. 59. In the left column of the Sophos UTM 9 configuration page, select Network Protection Firewall. 60. Click the ICMP tab. You will see the two rules referred to earlier. You will see that the only enabled ICMP functions are Gateway is Ping visible and Ping from Gateway. 61. Clear the two boxes in the Ping Settings section and click Apply (in the Ping Settings section). 62. Switch to the Windows 7 Attacker VM and try to ping the bastion s external address (10.1.X.1). The ping should fail. Congratulations! You have reconfigured your border network and installed and configured your bastion host MA-25

30 Hands-On Exercise 2.1: Installing the Sophos UTM Firewall Scanning the DMZ 63. Use Zenmap to scan your team s DMZ and compare the results with those found in Exercise If you have forgotten how to use Zenmap, refer back to Exercise Notice that Zenmap does not find your bastion host. ping. By default, Zenmap will only scan hosts that it can successfully 64. Use Zenmap to scan the external IP address of your bastion host using the Intense scan, no ping profile. How useful was the Nmap output? Congratulations! You have completed the bonus exercise MA-26

31 Hands-On Exercise 2.2: Content Filtering Objective In the previous exercise, you configured your firewall rules to allow internal hosts to access websites. This will allow all web traffic (and content), as long as the connection is made from an internal host to external HTTP, HTTPS, or FTP server. Unfortunately, all the allowed protocols allow potentially harmful content. You will now configure your firewall to block harmful content and other malware MA-27

32 Hands-On Exercise 2.2: Content Filtering Configuring Sophos UTM 9 Web Protection You should have all five VMware PCs running: a. Windows Server 2008 b. Windows 7 Internal c. Windows 7 Router d. Windows 7 Attacker e. UTM 1. Switch to the Windows 7 Internal VM. If necessary, start IE, connect to your bastion s web interface ( and log in, as before. 2. In the left column, click Web Protection. You will see the Web Protection options. 3. In the Web Protection section of the left column, click Web Filtering. Web filtering is disabled by default. 4. Click the Enable button (to the right of the page). The Internal Network is added to the Allowed networks by default. You can delete it and be more specific about which internal networks are allowed access to the web. The default is fine for our purposes MA-28

33 Hands-On Exercise 2.2: Content Filtering 5. Browse through the other tabs in the section to see some of the capabilities of the Web Filtering Sophos UTM 9 firewall. 6. Click the Antivirus/Malware tab. You will see settings for Antivirus scanning, File extension filter, MIME type filter, and Active Content Removal. 7. Select the Use Antivirus scanning checkbox. Leave the other settings at their defaults and click Apply. When antivirus scanning is enabled, the firewall uses a single scanning engine (Sophos s own) by default to keep performance at an acceptable level. You can specify a second scanning engine but this will decrease performance. Every scanning engine has suffered from false negatives (missing a piece of malware) at some time in its history. The chances of two separate scanning engines both having false negatives for the same malware is very low. 8. Move to the File extension filter section and browse through the list of blocked file extensions. This is the default list of file extensions blocked as soon as you enable web filtering. You can add/remove extensions from this list. 9. Open Firefox and connect to the classroom web server home page Click the Win a Fortune! link MA-29

34 Hands-On Exercise 2.2: Content Filtering This link will start downloading an executable file (.exe file extension) to your PC. What happened and why? 11. On the classroom web server page in Firefox, click the link to Free Money. What happened and why? JavaScript on the page your browser is trying to load has a loop that shows a JavaScript Alert. 12. Click OK in the Alert pop-up. An option will be displayed to prevent this page from creating additional dialogs. 13. Leave the checkbox clear and click OK a few more times to show that you are in an infinite loop. Select the checkbox and click OK to stop the loop. 14. Close Firefox. This will clear Firefox's cache MA-30

35 Hands-On Exercise 2.2: Content Filtering 15. Return to IE connected to your bastion s configuration page. If necessary, log in again and return to Web Protection Web Filtering Antivirus/Malware tab. 16. Scroll down to the Active Content Removal section. Select Disable Javascript and click Apply. 17. Start Firefox, and return to the classroom web server ( Click the link to Free Money. What happened and why? The JavaScript on the web page is being blocked by the firewall MA-31

36 Hands-On Exercise 2.2: Content Filtering Filtering encrypted web traffic 18. Using Firefox, return to the classroom web server using the URL: This will connect to the classroom web server using TLS/SSL. All traffic between the server and your web browser will be encrypted. 19. Click I understand the risks in the warning that appears. 20. Click the Add Exception button and click Confirm Security Exception. 21. Click the link to Free Money. What happened and why? 22. Close Firefox. This will prevent the page being displayed from Firefox s cache later in the exercise. 23. Return to IE connected to your bastion host. Navigate to Web Protection Web Filtering HTTPS CAs tab. In the Verification CAs section, you will see a list of CAs trusted by the bastion. This list is equivalent to those listed in your browser MA-32

37 Hands-On Exercise 2.2: Content Filtering We will be using certificates issued by our classroom CA. We will need to configure the bastion to trust certificates issued by this CA. You will learn more about CAs and certificates in Chapter In IE, open a new tab and connect to the classroom web server with the following URL: Click the link to the classroom CA. You will now download the classroom CA s certificate so that it can be uploaded to the bastion. 26. Click Download a CA certificate, certificate chain, or CRL. 27. In the Encoding method section, select Base 64 and click Download CA certificate. 28. Click the down arrow to the right of Save, select Save as, and save the file to your desktop. 29. Return to the IE tab connected to your bastion. 30. In the Verification CAs section, click the folder icon to the right of Upload local CA, click Browse, navigate to the file you just saved to your desktop (certnew.cer), and click Open. 31. Click Start Upload and then Upload. You will see the classroom CA listed in the Local Verification CAs section MA-33

38 Hands-On Exercise 2.2: Content Filtering 32. Select the Global tab. Select the Scan HTTPS (SSL) Traffic checkbox, and click the Apply button. Your bastion host will now intercept the TLS/SSL connection, allowing it to scan the contents. You will now configure the bastion to trust certificates issued by our classroom CA. 33. Using Firefox, return to the classroom web server using the URL: Click I understand the risks in the warning that appears. 35. Click the Add Exception button and click Confirm Security Exception. 36. Click the link to Free Money. What happened and why? The bastion is now intercepting and decrypting the traffic and is able to block the malicious code. 37. Close Firefox. Congratulations! You have completed the exercise MA-34

39 Hands-On Exercise 3.1: Supporting DNS Through a Firewall Objective In this exercise, you will configure dual (split) DNS. This will allow internal users to use DNS to look up addresses on both internal and external networks, while only allowing external users to look up your external addresses MA-35

40 Hands-On Exercise 3.1: Supporting DNS Through a Firewall Configuring dual DNS You should have all five VMware PCs running: a. Windows Server 2008 b. Windows 7 Internal c. Windows 7 Router d. Windows 7 Attacker e. UTM The Windows Server 2008 on your DMZ currently will provide DNS information for your external hosts. 1. Switch to the Windows Server 2008 VM. 2. Click Start Administrative Tools DNS. You will see the DNS Manager. 3. Expand your DNS server by clicking the + next to its name. 4. Right-click Forward Lookup Zones and Select New Zone... A forward lookup zone provides translations from DNS name to IP address. 5. Click Next. 6. Ensure Primary Zone is selected and click Next. 7. Enter a zone name of ltreex.com (replace X with your team number) and click Next MA-36

41 Hands-On Exercise 3.1: Supporting DNS Through a Firewall 8. Click Next. 9. Click Next. 10. Click Finish. You will see your new zone listed in the Forward Lookup Zones container. You will now add a new reverse lookup zone. A reverse lookup zone provides translations from IP address to DNS name. 11. Right-click Reverse Lookup Zones and select New Zone Click Next. 13. Ensure Primary Zone is selected and click Next. 14. Ensure IPv4 Reverse Lookup Zone is selected and click Next. 15. Enter a Network ID of 10.1.X (replace X with your team number) and click Next. 16. Click Next. 17. Click Next. 18. Click Finish. You will see your new zone listed in the Reverse Lookup Zones container MA-37

42 Hands-On Exercise 3.1: Supporting DNS Through a Firewall You will now add DNS entries for your external hosts. This will be just two entries: your web server and the bastion (which will act as your server). 19. If necessary, expand Forward Lookup Zones by clicking the + next to its name. 20. Right-click ltreex.com in the left pane and select New Host (A or AAAA) Enter information as follows: Name: IP Address: www 10.1.X.100 (replacing X with your team number) and click Add Host. Click OK in the confirmation. 22. Enter another host s information as follows: Name: IP Address: bastion 10.1.X.1 (replacing X with your team number) and click Add Host. Click OK in the confirmation. 23. Click Done. You will need to add an internal DNS server to allow internal hosts to use DNS to look up internal addresses. We will use BIND for Windows to add this functionality to your Windows 7 Internal VM. BIND is free software from ISC ( MA-38

43 Hands-On Exercise 3.1: Supporting DNS Through a Firewall 24. Switch to the Windows 7 Internal VM. 25. Use the shortcut (BIND config) on your desktop to open the folder containing the BIND configuration files. The master configuration file for BIND is called named.conf. You will need to modify it for your team s configuration. 26. Open named.conf in Notepad by double-clicking it. 27. Replace the X with your team number in the five places indicated in the file. Just before the lines that need changing, you will see *** change X to your team...*** in a comment field. 28. Save named.conf in its original location. 29. Open the file ltreex-int.com.db in Notepad by double-clicking it. 30. Replace the X with your team number in six places. 31. Save the file, then rename it to replace X in the filename with your team number. You will now start the DNS server. 32. Right-click the task bar of the Windows 7 Internal VM, select Start Task Manager, and click the Services tab MA-39

44 Hands-On Exercise 3.1: Supporting DNS Through a Firewall 33. Scroll down the list of services until you locate named. Named is the name of the BIND DNS nameserver. It s pronounced name d the nameserver daemon. Daemon is what services are called in the UNIX/Linux world. 34. Right-click named and select Start Service. If named is already running, select Stop Service then Start Service. After a few seconds, you should see the Status column change from Stopped to Running. If not, go back and check the changes you made to the configuration file. 35. Open a command prompt and type nslookup <Enter> Nslookup is a utility that allows you to query the nameserver directly. 36. Type the following (replacing the X with your team number) and record the responses from the nameserver: bastion.ltreex.com <Enter> <Enter> response: response: Your nameserver is forwarding the DNS query to the bastion so that it can forward it to the DNS server on your DMZ. This was set during the initial configuration of the bastion MA-40

45 Hands-On Exercise 3.1: Supporting DNS Through a Firewall 37. Use IE to connect to your bastion using the URL: (replacing the X with your team number) and login. You should no longer see a warning about the certificate. 38. Navigate to Network Services DNS and click the Forwarders tab. 39. Hover the mouse over the DNS Forwarder entry. You will see the address of your DMZ nameserver (added by installation wizard). 40. Use nslookup, as before, to make the following queries: <Enter> response: <Enter> response: <Enter> response: (where ltreey is another team) All should resolve correctly MA-41

46 2010-MA-42

47 Hands-On Exercise 3.2: Supporting SMTP Mail Through a Firewall Objective In this exercise, you will configure your firewall to allow incoming and outgoing mail without exposing your mail server to external attack. You will also configure the firewall bastion to scan incoming mail for viruses and malware MA-43

48 Hands-On Exercise 3.2: Supporting SMTP Mail Through a Firewall Supporting Mail through your firewall Mail servers deliver mail to the recipient s server using SMTP. A DNS MX record is used by SMTP to look up the address that should be used to deliver all mail to your domain. 1. Switch to the Windows Server 2008 VM. 2. If not already open, start the DNS manager console (Start Administrative Tools DNS). 3. Highlight, then right-click the ltreex.com container in the left pane and select New Host (A or AAAA). 4. Enter: Name: IP address: smtp 10.1.X.1 (your bastion host s external address) and click Add Host, OK, and Done. 5. Right-click the ltreex.com container in the left pane and select New Mail Exchanger (MX). 6. Enter Fully qualified domain name (FQDN) of mail server : smtp.ltreex.com (replacing X with your team number) and click OK MA-44

49 Hands-On Exercise 3.2: Supporting SMTP Mail Through a Firewall 7. Switch to the Windows 7 Internal VM. Start nslookup (if necessary) and type: set type=mx <Enter> ltreex.com Response: (replace X with your team) You should see the external IP address of your bastion host listed as the mail exchanger for your domain. You will now configure the SMTP proxy on your bastion. 8. Use IE to connect to your bastion host and log in. Navigate to Protection SMTP. 9. Accept all other defaults, then click the Enable button (to the right of the page) and click Apply. 10. Click the Routing tab. Here, you will set the domain for which the SMTP proxy will accept mail and the address of your internal mail server(s). 11. In the Domains section, add an entry for your domain (ltreex.com). 12. In the Host list section, add an entry for your internal mail server by clicking the green + sign; in the Add network definition pop-up, enter SMTP for name, leave type as host, and use X.50 as the IPv4 Address. Click Save MA-45

50 Hands-On Exercise 3.2: Supporting SMTP Mail Through a Firewall 13. Click Apply. 14. Click the Advanced tab, scroll down to the Transparent mode section and select the Use transparent mode checkbox. In the Transparent mode section, click Apply. The bastion will now accept SMTP mail (on TCP port 25) and forward it to your internal mail server. Next, you will configure your internal mail server. 15. Click the Relaying tab. Scroll down to the Host-based relay section. Click the folder icon, and from the list that pops up on the left, drag the Internal (Network) icon to the Allowed hosts/network box. Click Apply. 16. In the Windows 7 Internal VM, click Start hmailserver hmailserver Administrator. Enter a password of adminpw and click OK. You will see the hmailserver Administrator. hmailserver is a free mail server for Windows. 17. In the left column, expand Domains, click ltreex.com and replace the X with your team number. 18. Click Save. 19. In the left column, expand Settings, Advanced, and Incoming relays MA-46

51 Hands-On Exercise 3.2: Supporting SMTP Mail Through a Firewall 20. Click proxy and replace the Lower IP and Upper IP with the internal IP address of your bastion ( X.1). 21. Click Save, then exit hmail Server. Your mail server is now configured. Next, you will configure your mail client. We will be using Thunderbird, which is a free mail client from Mozilla. 22. Start Thunderbird using the shortcut on your desktop. 23. In the right pane, click View settings for this account. 24. Make the following changes: Account Name: Address: Replace X with your team number Replace X with your team number 25. In the left column, click Server Settings. Make the following change: User Name: Replace X with your team number 26. In the left column, click Outgoing Server (SMTP). Click Edit and make the following change: User Name: Replace X with your team number and click OK to save Edits and then OK to save Account Settings. You are now ready to check your mail! 2010-MA-47

52 Hands-On Exercise 3.2: Supporting SMTP Mail Through a Firewall 27. Click Get Mail (upper left of the Thunderbird window). Enter a password of userpw and click OK. If all is well, you will see a new in your inbox from your instructor with a subject of Welcome to the world of ! 28. Click the from your instructor and send a reply. Check that your instructor receives the reply. If you have more time, investigate the protection options in your bastion. 29. Use IE to connect to your bastion and login. Navigate to Protection SMTP. 30. By clicking on the appropriate tabs, investigate the options available for Antivirus and AntiSpam. Congratulations! You have configured through a firewall MA-48

53 Hands-On Exercise 3.3: Protecting the DMZ With Cisco ACLs Objective Hosts on the DMZ currently have no network protection other than any that is built into the OS. In addition, as demonstrated in Exercise 1.1, any listening network services can be reached (and probed) from external sources. In this exercise, you will use Cisco stateless packet filters (ACLs) to limit external access to required IP address/port number combinations MA-49

54 Hands-On Exercise 3.3: Protecting the DMZ With Cisco ACLs Configuring Cisco ACLs You should have five VMware PCs running: a. Windows Server 2008 b. Windows 7 Internal c. Windows 7 Router d. Windows 7 Attacker e. UTM The Windows 7 Router VM is running a virtualized Cisco router. This is configured in the same way as a real Cisco router. 1. Switch to the Windows 7 Router VM. You will see GNS3 with a network diagram of two clouds (Internet and DMZ) with a router connecting them. 2. Right-click the router symbol in GNS3 and select Stop. You will see the interface on the router change to red. Cisco routers load their settings from a configuration file. With a physical router, this file can be edited from the router console or uploaded to the router using TFTP. As we are using a virtual router, we can edit the file locally. 3. Open the folder containing the router configurations using the Router Configs shortcut on your desktop MA-50

55 Hands-On Exercise 3.3: Protecting the DMZ With Cisco ACLs You will see some configuration files (.cfg) and a file called acls.txt. Your router is currently using the router.cfg file to load its startup config. The acls.txt file is a template for the Cisco ACLs that you will need for your configuration. You will first backup the original config file to router.orig. 4. Open the file router.cfg in Notepad by double-clicking it. 5. In Notepad, select File Save As. Change the filename to router.orig and change Save as type to All Files (*.*). 6. Close Notepad. 7. Open the file acls.txt in Notepad by double-clicking it. 8. In Notepad, select Edit Replace. 9. In the Replace pop-up, enter: Find what: Replace with: X <your team number> Then select the Match case checkbox and click Replace All. 10. Click Cancel to close the Replace pop-up. 11. In Notepad, select Edit Select All. 12. In Notepad, select Edit Copy MA-51

56 Hands-On Exercise 3.3: Protecting the DMZ With Cisco ACLs 13. Close Notepad, selecting Don't Save when prompted. 14. Open the file router.cfg in Notepad by double-clicking it, and browse through the file. This file contains the configuration for your border router. Lines preceded with! are comments. 15. Locate the line! Replace this line with the ACLs, select the entire line, and select Edit Paste. 16. Locate the section that starts interface FastEthernet0/0 and remove the! from the beginning of the two lines indicated. 17. Locate the section that starts interface FastEthernet0/1 and remove the! from the beginning of the two lines indicated. 18. Save the file by clicking File Save and close Notepad. You will now restart the router. 19. Return to the GNS3 window, right-click the router, and click Start. After a few seconds, you should see the router interfaces change to green, indicating that the router is running. If not, check the router configuration file that you have just edited for any obvious syntax errors. You will now check that internal users can access external websites and that external access is still allowed to your DMZ web server MA-52

57 Hands-On Exercise 3.3: Protecting the DMZ With Cisco ACLs 20. Change to the Windows 7 Internal VM, open IE, and enter the URL of the classroom web server: You should see the classroom web server home page. 21. Change to the Windows 7 Attacker VM, open IE, and enter the URL of your DMZ web server: (replace X with your team number). You should see your team s home page. 22. If all is well, proceed to the next section. If not, troubleshoot your configuration. Scanning the DMZ servers with Zenmap 23. On the Windows 7 Attacker VM, start Zenmap. Then enter: Target: Profile: 10.1.X.100 (replacing X with your team number) Intense scan, no ping and click Scan. Ping is blocked by the ACLs in your border router MA-53

58 Hands-On Exercise 3.3: Protecting the DMZ With Cisco ACLs 24. When the scan is complete, answer the following: a. How many open ports did Zenmap find? b. Which port(s) is/are open? c. How does this compare with the scan from Exercise 1.1? Adding stateless packet filtering at the border router has significantly enhanced the protection of the DMZ servers. However, we will now remove the filtering to allow us to test other defensive techniques to build defense-in-depth. 25. Change to the Windows 7 Router VM. In the GNS3 window stop the router, as before. 26. Locate the router configuration file (router.cfg) and rename it router.acl 27. Rename router.orig to router.cfg and start the router in GNS3. After a few seconds, you should see the router interfaces change to green, indicating that the router is running MA-54

59 Hands-On Exercise 3.3: Protecting the DMZ With Cisco ACLs 28. Switch to the Windows 7 Attacker VM and check that you can ping the DMZ web server (10.1.X.100). Congratulations! You have protected the DMZ servers using Cisco ACLs. If you have more time How could the DMZ web server be further protected? 29. Switch to the Windows 7 Internal VM and use IE to connect to the bastion. Investigate the Webserver Protection section. a. What features does Sophos UTM 9 have for protecting web servers? 2010-MA-55

60 Hands-On Exercise 3.3: Protecting the DMZ With Cisco ACLs b. What changes would have to be made to our network topology to utilize these features? Congratulations! You have completed the bonus exercise MA-56

61 Hands-On Exercise 4.1: Using Snort IDS Objective Snort is a widely deployed, open source intrusion detection system. In this exercise, you will configure it to monitor traffic on your team s DMZ network and analyze some Snort alerts MA-57

62 Hands-On Exercise 4.1: Using Snort IDS Configuring Snort IDS 1. In VMware Workstation, suspend the Windows 7 Internal VM. 2. In VMware Workstation, in the left pane, select the Ubuntu VM and select Power On this VM. 3. When Ubuntu has finished booting, it will present you with a login screen. Click Other and log in with: Username: Password: root rootpw You will be logged in. 4. Select Applications Accessories Terminal to open a terminal window. Now you will configure Snort. Snort is controlled via the file snort.conf, which points to individual rules files, each with the extension of.rules. 5. Switch to the Snort installation directory by typing the following in the Terminal window (remember that UNIX commands are casesensitive and spaces matter). cd /etc/snort <Enter> 6. List all Snort rules files by typing: ls l /etc/snort/rules <Enter> 2010-MA-58

63 Hands-On Exercise 4.1: Using Snort IDS You will customize the main Snort configuration file to monitor your DMZ network. 7. Type the following to open the Snort configuration file: gedit snort.conf <Enter> The gedit text editor window should come up, displaying contents of the snort.conf file. There are six steps to customize Snort. You will only do steps 1 and 6, accepting the other defaults. 8. Scroll down in Step 1 and locate the following lines that do not begin with the # comment character: var HOME_NET any var EXTERNAL_NET any HOME_NET defines IP addresses of the targets that Snort will monitor, while EXTERNAL_NET defines the IP addresses of the source of the attack. By default, both are set to any (or /0) meaning they will match any IP addresses in packet. We want to force Snort to monitor attacks targeted to our DMZ network 10.1.X.0. We will change the EXTERNAL_NET to all other networks. 9. Modify the word any in the indicated line to the following IP address/mask, to result in: var HOME_NET 10.1.X.0/ MA-59

64 Hands-On Exercise 4.1: Using Snort IDS We want Snort to detect attacks coming only from other networks, so we replace the second line with: var EXTERNAL_NET!10.1.X.0/24. The character! says that anything not on the specified network will match. 10. Modify the word any in the indicated line to the following IP address/mask, to result in: var EXTERNAL_NET!10.1.X.0/24 We will disable NetBIOS rules, to minimize false positives. 11. Scroll down until near the end of the file, and read what you have to do in Step Insert the # comment sign in front of the following include statement: include $RULE_PATH/netbios.rules We will enable additional rules, to minimize false negatives. 13. Delete the # comment sign and blank space in front of the include statements so that they look like: include $RULE_PATH/web-attacks.rules include $RULE_PATH/icmp-info.rules 14. Save your changes by selecting File Save and close the text editor by selecting File Quit. You will now examine the Snort log directory MA-60

65 Hands-On Exercise 4.1: Using Snort IDS 15. Go into the Snort log directory with the following command: cd /var/log/snort <Enter> 16. Verify that Snort log directory is devoid of any files and folders, so that new Snort logs are not merged with any previous results. ls <Enter> The log directory can be emptied with the following steps: a. Ensure you are in the directory /var/log/snort by typing: pwd b. Clean up the Snort log directory by typing: rm rf * c. Ensure the log directory is clean by typing: ls The -r descends into subdirectories recursively, while the f suppresses prompting a dangerous command. As is typical of UNIX, return of a prompt signifies the successful completion of a command. Now you can start Snort. 17. In the terminal window, type: cd /usr/sbin <Enter> 18. Type the following to view the contents of a script file to start Snort. cat snort.sh <Enter> 2010-MA-61

66 Hands-On Exercise 4.1: Using Snort IDS The command to start Snort is: /usr/sbin/snort -m 027 -D d -l /var/log/snort -u snort -g snort c /etc/snort/snort -i eth0 19. Type the following to start detecting intrusions with Snort: sh snort.sh <Enter> While Snort is running, you will monitor its log. 20. Switch to the Snort log directory and monitor alerts with the following commands: cd /var/log/snort <Enter> tail f alert <Enter> Snort is now running and detecting intrusions. Since you did not yet send any attacks, no alerts should be generated. The -f flag (follow) keeps displaying new data as it is appended to the alert file MA-62

67 Hands-On Exercise 4.1: Using Snort IDS Generating Snort alerts First, you will check that Snort is running correctly. 21. Switch to the Windows 7 Attacker VM, open a command prompt, and ping the Windows Server 2008 on your DMZ (10.1.X.100). The ping should be successful. 22. Switch to the Ubuntu VM. You should see a message about ICMP PING. a. What is the Snort classification of the alert? b. What is the Snort priority of the alert? c. What are the source and destination IP addresses of the packet that caused the alert? You will now trigger a more serious Snort alert MA-63

68 Hands-On Exercise 4.1: Using Snort IDS 23. Switch back to the Windows 7 Attacker VM. Use Zenmap to carry out an Intense scan of your Windows Server 2008 on the DMZ (10.1.X.100). 24. While the scan is running, switch back to the Ubuntu VM. You will see multiple alerts being generated. 25. Switch to the Windows 7 Attacker VM and wait for the scan to complete. When it has completed, switch back to the Ubuntu VM. Scroll through the alerts and answer the following: a. Did Snort identify that a scan was taking place? Yes No b. What tool did Snort identify as the source of the scan? c. What was the highest-priority alert during the scan? The highest-priority alert is identified with the lowest number MA-64

69 Hands-On Exercise 4.1: Using Snort IDS 26. Switch to the Windows 7 Attacker VM. 27. Open a command prompt and type: cd \cygwin\tools <Enter> You will be using hping2 to send packets to the web server on your DMZ. Like many tools, hping2 was developed for Linux. You will be using a Windows version, developed to run in cygwin, which is a virtual Linux (POSIX) environment for Windows. 28. In the Command Prompt window, type: hping X.100 -p 80 -a 10.1.X.100 Replace X with your team number. The command is casesensitive! This command will launch a flood attack against 10.1.X.100 TCP port 80, from a spoofed source address of 10.1.X.100 with the TCP SYN flag set. Note that the source and destination addresses of the packet are identical. 29. Allow the command to run for approximately 10 seconds, and then stop it by pressing <Ctrl><C>. 30. Switch to the Ubuntu VM MA-65