it_ab-upgrade II 2004_2005 by bestt571


									                                it@ab-upgrade II 2004/2005
                    Training Programme - “Business related IT Consultancy”


Experience with implementing, auditing and monitoring Information
Technology security using security evaluation tools has shown in recent
years that such evaluations are very expensive and time consuming, at least
from the point of view of IT technicians and engineers. Although security
functional testing is an important component of security evaluation, time
and cost considerations have pushed it to the back seat in the overall
security evaluation schemes. This is the main motive for this project.

Network Auditing and Monitoring with open source tools is a project
intended to offer an alternative for security evaluation at low cost and with
less time consumed. It brings live examples and studies that show the
importance of security in the IT field. It is meant to open the eyes of the
decision makers and network administrators, to show the misuse and/or
overload of devices and networks caused by a missing security component,
and, after all, to help Mozambique get a lot more out of IT as a
fundamental tool in this world of globalization.

In these first lines, it is important to define Information Technology
and Information Security as well as the role they play all over the world
nowadays. Then follows an overview of the author and the institution
behind this work. The second part will mainly consist of snapshots
showing exploits and countermeasures, while the last part will be
considerations, tips and recommendations for good network

According to the web encyclopedia Wikipedia, Information Technology
includes all matters concerned with the furtherance of computer science
and technology and with the design, development, installation, and
implementation of information systems and applications, while Information
Security deals with several different "trust" aspects of information. A
common term is information assurance. Information security is not
confined to computer systems, nor to information in an electronic or
machine-readable form. It applies to all aspects of safeguarding or
protecting information or data, in whatever form.

Due to the breadth of this topic, this project will deal with information
security within the IT field: the data processed by computers and, mainly,
the data transmitted over the network.

It is intended to outline the imminent risks to which computers and other
network devices are exposed, and to establish conditions for use and
requirements for appropriate security covering the University's computing
equipment and networks as well as its customers. Computing equipment
is defined to include desktops, laptops, servers and connected network
equipment. With these conditions, individuals and companies in particular
will be able to get a lot more from the network just by taking the
necessary security considerations into account.

Network Auditing and Monitoring with open source tools

Author:       Ricardo Mário Taca (
Coach:        Hans Peter Merkel (
Director:     Américo Muchanga (
Senior:       Francisco Mabila (

Name                  Taca
Firstname             Ricardo Mario
Date of birth         February 28th, 1977
Country               Mozambique
Education             BA in Education Sciences
Language Skills       Portuguese, English and French
                      Centre for Informatics of Eduardo Mondlane
                      2004 Computer Security Technician:
                      fighting viruses, spam, spyware and other
                      malicious products; working as CIUEM
                      workstation administrator.
                      2003/2004 Network administrator.
                      Responsibilities: taking part in the administration
                      team of AFS (Andrew File System) and Kerberos,
                      systems made for authentication and sharing
                      information and resources in a network at CIUEM.
                      2003 Computer hardware and software
                      troubleshooter at the Centre for Informatics of
                      Eduardo Mondlane University (CIUEM).
CIUEM                 The Informatics Centre of Eduardo Mondlane
                      University (CIUEM) is a technical unit within the
                      University, whose aim is to provide ICT related
                      services such as Internet service provision,
                      network design, hardware repair, etc. CIUEM
                      acts as an adviser to the University regarding
                      ICT policies and strategies.
Project title and     Network Auditing and Monitoring with open
                      source tools

                      In today's world, where all computing
                      revolves around the concept of networking, the
                      work of system administrators has become more
                      and more challenging. It is necessary to monitor
                      the availability of resources such as routers,
                      hubs, servers and every critical device in the

                      There are many reasons managers would like to
                      monitor network devices: bandwidth utilization,
                      operational state of links, bottlenecks, problems
                      with the cabling or routing information distributed
                      between its devices, etc.

                      The University network, in particular includes
                      expensive links to remote networks (WAN) and to
                      the Internet, whose costs are mainly based on
                      traffic volume. It's very important to maintain
                      statistics of traffic going through since bandwidth
                      is still a problem. This is a very common problem
                      in Mozambique and that is the reason why this
                      project started.

                      The project is designed to respond to the needs
                      of the University, Ministries and governmental
                      institutions as a good starting point for
                      discovering security problems and misbehaviours
                      within the networks.
                      The goal is to secure and increase the
                      performance of the networks so that the
                      information system is safely and effectively

Project scope and     The strategy is to build up a toolbox with Open
Deliverables          Source Software for Auditing and Monitoring
                      Networks. This involves selecting appropriate
                      tools, installation and testing, in order to:
                         •     get familiar with the tools
                         •     implement a prototype
                         •     deliver the necessary product
                         •     select functionalities that best fit the
                         •     define milestones

                      The scope consists of the product layers, the
                      documents and the knowledge to use the tools:
                      the Operating System layer, which is Debian Sarge;
                      the Database, allocated in MySQL; and the Tools
                      layer with OSS that will build the user interface
                      interacting with the Database. Concerning the
                      application layer, NTOP has proven to be the best
                      tool for network management according to the
                      functionalities to be implemented.
Project structure:    Ricardo Mario Taca: research, evaluation,
Roles an              testing, implementation, documentation and
                      presentation of the final product.
                      Hans-Peter Merkel: first line coach.
                      Markus Mayer: Program Manager; escalation
                      and communication to inWEnt.
                      Francisco Mabila: approvals concerning
                      changes and guidance to meet the University's
                      needs (CIUEM).

The need - Malware collector

„mwcollect is an easy solution to collect worms and other autonomous spreading
malware in a non-native environment like FreeBSD or Linux. The first versions were
used to collect binaries for botnet monitoring and bots are still what mwcollect is
mostly used for collecting“ -

Let's take the following scenario into consideration. It reflects the real
environment, though it is intended only for testing purposes.

      Ethernet                        Ethernet/DSL                 /-/ \
     ---------        ---------         -----------------------   /-/ \
   |Notebook|-------|Bridge |---------|IpCop - Gateway |---------| Inter-
     ---------        ---------         -----------------------   \ net-|
       ^            ^         ^        ^                     ^     \       /
        |           |          |        |                     |      \---/
       eth0        eth0 eth1          eth0                  eth0
        |           |          |        |                      |
                     \          /
                      \ -br0- /
      ^                   ^              ^                 ^
      |                   |              |                  |
     LAN             Black Box        Firewall                  Router

The notebook, running Debian, was the machine on which the collector
was installed and to which the traffic was redirected.

Mwcollect installation

1. Install the dependency libraries:
      apt-get install libpcre3-dev libcurl3-dev

2. Download the latest version of mwcollect from this site:

3. Untar and install the program:

      tar xjvf mwcollect2.1.1.tar.bz2
      cd mwcollect2.1.1

4. Still in the mwcollect directory, back up the mwcollect configuration
file and rename the remaining one:

      cp mwcollect.conf.dist /usr/local
      mv mwcollect.conf.dist mwcollect.conf

5. Create a folder for the logs:
      mkdir /var/mwcollect

6. Run mwcollect with this command to see the output on the screen:
      ./bin/mwcollectd -L spam -C -c mwcollectd.conf

or with this to run it as a daemon:
      ./bin/mwcollectd -c mwcollectd.conf -D

Note that it is necessary to invoke mwcollectd from the path where you
have unpacked it. If it gives errors such as "the user nobody is in use",
then create another user and enter it in the configuration file. It is
common to invoke the chown command to give the new user enough rights.
The user can be created by typing:
      adduser mwcollect
      chown -R mwcollect. /var/mwcollect

The next step is to open port 135 and redirect it to the collecting
      iptables -A INPUT -p tcp --dport 135 -j ACCEPT
      iptables -t nat -A PREROUTING -p tcp --dport 135 -j DNAT --

Now all traffic to port 135 will be redirected to the Notebook.
Surprisingly, every now and then, after a learning stage, a trojan will
pop up.

Another common scenario is having a UML in the gateway running an IDS
such as IPCop. For this kind of network there is a need to improve the
approach, since IPCop uses port 445 by default. This conflict can be
overcome. Log into the gateway or use ssh:

      ssh -p 222

Open the following file:

      vi /home/httpd/cgi-bin/portfw.cgi3

Search for "445" and replace it with any available port number.

Re-initialise the ipcopuml, or even reboot the machine.

The next step is to configure the port forwarding functionality of IPCop.
It's pretty easy through the admin interface: just a couple of clicks on the
port forwarding icon.

The collecting part is nothing more than sitting and watching the traffic
flowing in, but to see what those worms and trojans are capable of, a
Windows machine running XP, for example, would be great. It starts
broadcasting and looking for targets within the network as well as
establishing connections to the Internet.

Transparent Bridge

A transparent bridge or black box, is a device that connects two local-area
networks (LANs), or two segments of the same LAN that use the same
protocol, such as Ethernet or Token-Ring.

Transparent bridges are so named because their presence and operation
are transparent to network hosts. When transparent bridges are powered
on, they learn the workstation locations by analyzing the source address
of incoming frames from all attached networks.

The bridge uses its table as the basis for traffic forwarding. When a frame
is received on one of the bridge's interfaces, the bridge looks up the
frame's destination address in its internal table. If the table contains an
association between the destination address and any of the bridge's ports
aside from the one on which the frame was received, the frame is
forwarded out the indicated port. If no association is found, the frame is
flooded to all ports except the inbound port. Broadcasts and multicasts
also are flooded in this way.

Transparent bridges successfully isolate intrasegment traffic, thereby
reducing the traffic seen on each individual segment. This is called
filtering and occurs when the source and destination MAC addresses
reside on the same bridge interface. Filtering usually improves network
response times, as seen by the user. The extent to which traffic is reduced
and response times are improved depends on the volume of intersegment
traffic relative to the total traffic, as well as the volume of broadcast and
multicast traffic.

A bridge learns about the direction to send frames to reach a station by
building a bridge table. The bridge builds the table by observing the
source MAC address of each frame that it receives and associating that
address with the received port.
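The learning, forwarding, flooding and filtering behaviour described in the last few paragraphs is easy to misread until it is watched step by step. The following simulation is an added example (it is not code from the report or from bridge-utils): it keeps the bridge table as a MAC-to-port map, learns from each frame's source address, and returns the ports a frame is sent out of. The port names, MAC addresses and frame exchange are constructed sample values.

```python
"""Learning-bridge simulation (added example, not part of the original report).

Models the bridge table behaviour described in the text: learn the source MAC
on the inbound port, forward to a known port, flood unknown and group
destinations, and filter traffic whose source and destination share a port.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """True for multicast and broadcast MACs (I/G bit set in the first octet)."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass
class Frame:
    src: str
    dst: str
    in_port: str


@dataclass
class Bridge:
    ports: tuple
    table: dict = field(default_factory=dict)  # MAC address -> port it was last seen on

    def flood(self, in_port: str) -> list:
        """Send out every port except the one the frame arrived on."""
        return [p for p in self.ports if p != in_port]

    def handle(self, frame: Frame) -> list:
        """Return the list of ports the frame is forwarded to (empty = filtered)."""
        # Learning: the source address is reachable through the inbound port.
        self.table[frame.src.lower()] = frame.in_port
        dst = frame.dst.lower()
        # Broadcasts and multicasts are always flooded.
        if is_group_address(dst):
            return self.flood(frame.in_port)
        out_port = self.table.get(dst)
        if out_port is None:            # unknown destination: flood
            return self.flood(frame.in_port)
        if out_port == frame.in_port:   # same segment: filter, do not forward
            return []
        return [out_port]


def run_demo() -> list:
    """Replay a short constructed exchange and return the forwarding decisions."""
    br = Bridge(ports=("eth0", "eth1"))
    # Constructed sample MACs: A and C sit behind eth0, B behind eth1.
    host_a, host_b, host_c = "00:80:ad:00:00:0a", "00:c0:26:00:00:0b", "00:80:ad:00:00:0c"
    exchange = [
        Frame(host_a, host_b, "eth0"),     # A -> B, B unknown yet: flooded to eth1
        Frame(host_b, host_a, "eth1"),     # B -> A, A known on eth0: forwarded to eth0 only
        Frame(host_c, BROADCAST, "eth0"),  # C broadcasts (e.g. ARP): flooded to eth1
        Frame(host_a, host_c, "eth0"),     # A -> C, both on eth0: filtered
        Frame(host_b, host_c, "eth1"),     # B -> C, C known on eth0: forwarded to eth0
    ]
    return [br.handle(f) for f in exchange]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The fourth frame is the filtering case from the text: once the bridge has seen C's broadcast on eth0, a frame from A to C on the same port is dropped by the bridge rather than flooded, which is exactly the intrasegment traffic isolation the paragraph above describes.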

          1.1 The Utility of a Transparent Bridge

Due to the central and necessary role of firewalls in network security, there
is little about them that is not known. A firewall inspects and filters traffic
before making a decision on what to do with a packet. Normally it has two
interfaces, an internal and an external one. The external connection sits
downstream from a router connected to the Internet. The internal interface
usually leads to a local router or private network. Each interface, or
network card, has an IP address. An incoming packet from the Internet
would reach the external interface, where the firewall would handle the
packet according to its ruleset. Next the TTL would be decremented, the
packet modified accordingly (i.e. NAT) and routed to its destination or next
hop. It's easy to think of many firewalls as simple routers with
sophisticated filtering techniques. Conversely, routers have simple filtering
capabilities.

Why a transparent bridge?

Because the firewall approach described above, though suitable for
many situations, does have some drawbacks.

   1. It's not easy to simply 'add' a firewall to a network. The internal and
      external interfaces require IP addresses and create subnetting
      issues. The internal hosts need to be configured to see the firewall
      as the gateway. Additionally, surrounding routers need to recognize
      the firewall as a hop to the internal network.
      In short, the potential for several configuration problems or update
      requirements exists before the device is put in place.

   2. Overhead. There is a lot of processing required for each packet:
     inspection, modification, routing. This in turn either raises hardware
     costs or hurts performance.

   3. Everyone knows it's there. A firewall makes no effort to masquerade
     itself from the outside world. With a little investigation and the
     proper enumeration techniques, it's trivial to identify a device that is
     acting as a firewall. And even if the device itself is extremely secure,
     the mere fact that it exists and is reachable via the network makes
     it vulnerable. The software type and version might be revealed
     based on probing responses. Denial of service floods are very
     common since they are often the only possible attack against a
     secure device, such as a firewall. And there's the possibility of
     mapping the rule set using fire-walking and knowledge of the
     filtering device.

Such issues are not deal breakers, but they are headaches for administrators
and engineers. This makes a transparent bridge a better solution!

Benefits of bridging

   1. Zero configuration. From a networking standpoint, there are
      virtually no changes. The bridging firewall is plugged in-line with the
      network it is protecting. This means it can be between routers, or a
      router and a switch, or even put in front of a single machine. While
      it might be placed exactly where it would be if it were acting as a
      gateway or router, it's not one. Remember, it merely moves frames
      between interfaces after inspecting them. This means that there's no
      need to make any changes to your existing network. It is completely
      transparent. No subnetting headaches or configuration updates are
      required with this device.

   2. Performance. Because they are simpler devices, there's less
      processing overhead. This cost cutting either boosts the capabilities
      of the machines or allows for deeper examination of the data.

   3. Stealth. A key aspect of this device is the fact that it operates at
      layer 2 of the OSI model. This means the network interfaces have no
      IP addresses. Such a feature carries more weight than merely ease
      of configuration. Without an IP address, this device is unreachable
      and invisible to the outside world. If it cannot be reached, how can
      anyone attack it? No network probes, denial of service floods or
      firewalking on this machine. Your attackers won't even know it's in
      place, silently inspecting everything they send.

With the benefits and strengths of a bridging firewall in mind, let's
examine the situations such a device can excel in.

          1.2 Transparent firewalls

Since the fundamental task of a firewall is to filter packets, the weak point
in its traditional behaviour is the fact that it also must route packets after a
decision is made. A transparent bridge helps by stepping down a layer in the
OSI model. Instead of the device handling packets at layer 3 (network), it
can merely inspect frames and move them to the proper interface. This
device would continue to filter packets, but operate at layer 2 (data link),
like a bridge. Such a device is known by several names: a transparent, in-
line, shadow, stealth or bridging firewall.

Unlike a router, which makes packet decisions, a bridge merely moves
frames from one interface to the other. It's a much simpler networking
device. Data comes in one interface, goes right over to the other and vice
versa. So in between, the core task of a firewall, filtering, can be
performed.

          1.3 Using transparent firewalls

Bridging devices are most useful in complex environments that require a
rapid or new firewall deployment. Using a traditional firewall would require
dealing with the mandatory routing changes. As mentioned above,
configuration changes to hosts, neighbouring routers and the firewall itself
would be necessary. In a large or complex network like the university one,
this would be a difficult, time-consuming task. The use of a bridging
firewall reduces both the configuration and deployment time, a definite
plus for any business with limited IT resources.

A bridging firewall can be plugged in with zero deployment time at each
location. It's a great solution to the challenging task of securing bigger or
smaller corporate networks. Similarly, smaller companies without a
dedicated IT staff can use a consultant to assist in the design and
deployment of the firewall. The minimal configuration changes and
installation time keep costs down.

Bridging devices can also be used for additional applications. Since the
overhead is minimal, we can add an intrusion detection system (IDS) to
the machine. The combination of security and networking devices is a
relevant topic for the University. It's an obvious step, since the devices all
analyze the same packets. For this project, the IDS Snort will be run on the
bridging machine in addition to the firewall. So the box will be running, as a
single application, the processing (bridge or router), filtering (firewall) and
analyzing (IDS) of the packets.

After analysing the latest products emerging from many of the major
firewall and IDS vendors, it became clear that this is the direction such
tools are heading in.

Another application worth considering on a bridging device when monitoring
networks is a sniffer. It's often necessary to audit and examine the types of
packets flowing in and out of a network. An in-line, bridging device is a
great place for gathering such data, since it's an invisible gateway for the
network. The device can be deployed and removed for analysis with no
disruptions, and it becomes a fast and accurate window.


          1.5 Getting a Bridging Firewall

Having reviewed these devices and their potential applications, it
becomes necessary to include the documentation on installation and usage,
since this is the final product of the project.

There is an open source project for adding bridging software to Linux. The
first step is to have the desired OS installed, in this case Debian.

Configuring a Debian box to act as a bridge

The scenario below was built for testing purposes and for making this
project possible:

              Ethernet         Ethernet/Wireless         /-/ \
     ---------               ------------------------   /-/       |
  | Notebook|------------|Gateway Machine|-------- |----| Inter-
     ---------              -------------------------  \ net-|
        ^                 ^                         ^   \       /
         |                |                          |    \---/
       eth0             eth0                    WLAN0      ^
         |                |                          |      |

Local Network: There is a machine in this network
( The machine ip: play the role of a
gateway. It has two interfaces: eth0 and wlan0. The eth0 is connected to
the LAN ( and the wlan0 is connected to the router
with and is the Router.

For bridging, a new computer will be placed in between the Notebook
and the gateway. All the traffic flowing from and to the notebook will
go through the bridge for analysis. This new machine has two
network interfaces which, from the next step on, will be assigned to the
bridge interface.

Please install the package that will help in the configuration process:

      apt-get install bridge-utils

Now tell the Debian box that it should configure one virtual ethernet
bridge interface. This is to be executed on the bridge host, of course.

     brctl addbr br0

Second, deactivate the STP (Spanning Tree Protocol). There is one single
router, so a loop is highly improbable. The networking environment should
be less polluted.

     brctl stp br0 off

After these preparations, it's time to add the two physical ethernet
interfaces. That means attaching them to the logical (virtual) bridge
interface br0.

    brctl addif br0 eth0
    brctl addif br0 eth1

The physical ethernet interfaces are now each part of a logical bridge
port. They are still there and present, but since they need no IP
configuration any longer, it's time to release the IPs:

    ifconfig eth0 down
    ifconfig eth1 down
    ifconfig eth0 up
    ifconfig eth1 up

The new (logical) interface can now optionally be brought up and
associated with one single IP by:

         ifconfig br0 up

The bridge is up but the internet connection is down. The gateway needs
to be reconfigured.

      Ethernet                         Ethernet/Wireless            /-/ \

    ---------        ---------         -----------------------   /-/ \
  |Notebook|-------|Bridge |---------|Gateway Machine|---------| Inter-
    ---------        ---------         -----------------------   \ net-|
      ^            ^         ^        ^                      ^    \       /
       |           |          |        |                      |     \---/
      eth0        eth0 eth1          eth0                  wlan0     ^
       |           |          |        |                      |        |
                   \          /
                    \ -br0- /
      ^                 ^              ^                            ^
      |                 |              |                             |

     |                 |              |                             |
    LAN            Black Box        Router                        Jungle

The administrative power for monitoring lies in the machine marked
LAN; the gateway, or better, the router, is completely off-limits and so is
the Internet. That means that control of the traffic on the ethernet wire is
possible, and for better results, since security is the concern, a common
firewall will be integrated in the bridge. Now it is time for some iptables
rules on the bridge host:

    iptables -P FORWARD DROP
    iptables -F FORWARD
    iptables -I FORWARD -j ACCEPT
    iptables -I FORWARD -j LOG
    iptables -I FORWARD -j DROP
    iptables -A FORWARD -j DROP
    iptables -x -v --line-numbers -L FORWARD

As a result of the policy above, the last command gives us the following output:

num   pkts bytes target prot opt in  out source   destination
1        0     0 DROP   all  --  any any anywhere anywhere
2        0     0 LOG    all  --  any any anywhere anywhere
3        0     0 ACCEPT all  --  any any anywhere anywhere
4        0     0 DROP   all  --  any any anywhere anywhere

The LOG target logs every packet via syslogd. This is intended for testing
purposes only, just to see if the ruleset is working.

To test if the ruleset above is working, we try to reach the router with a

        ping -c 4

The result will be:
        ping: unknown host

This is because the default is to DROP everything: no response, no logged
packet. This netfilter setup is designed to DROP all packets, and it is
clearly visible that the rules set above are working. Now it is time to
set up rules that will work in the real environment.

1. Delete the rule above and enable forwarding in the Linux kernel.

        iptables -D FORWARD 1
        echo "1" > /proc/sys/net/ipv4/ip_forward

2. Assign a default route.

        route add default gw

The link to the Internet should now be active.

Now run:
      iptables -x -v --line-numbers -L FORWARD

      Chain FORWARD (policy DROP 0 packets, 0 bytes)
      num   pkts bytes target prot opt in  out source   destination
      2        0     0 LOG    all  --  any any anywhere anywhere
      3        0     0 ACCEPT all  --  any any anywhere anywhere
      4        0     0 DROP   all  --  any any anywhere anywhere

At this stage, any packet may pass through. This is tested by trying to
ping the router again:

      ping -c 4
      PING ( 56(84) bytes of data.
      64 bytes from icmp_seq=1 ttl=255 time=421 ms
      64 bytes from icmp_seq=2 ttl=255 time=318 ms
      64 bytes from icmp_seq=3 ttl=255 time=162 ms
      64 bytes from icmp_seq=4 ttl=255 time=101 ms

      --- ping statistics ---
      4 packets transmitted, 4 received, 0% packet loss, time 3003ms
      rtt min/avg/max/mdev = 101.091/250.822/421.884/126.566 ms

The router is alive, up and running. Now the bridge interface can be fired
up. It takes about 30 seconds or more until the bridge is fully operational.
This is due to the 30-second learning phase of the bridge interface. During
this phase, the bridge ports are learning which MAC addresses exist on
which port. During this phase, no packet will be forwarded. No ping be
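The two FORWARD listings above make a point that is easy to miss when reading iptables output: rules are evaluated top to bottom, a catch-all ACCEPT or DROP ends evaluation, so every rule below it can never match (the zero packet counters on the trailing DROP show this), while LOG is non-terminating and shadows nothing. The following checker is an added example, not code from the report or from the iptables project: it parses the `iptables -v --line-numbers -L FORWARD` listing format shown above and reports the first blocking rule, the rules shadowed by it, and a trailing catch-all that only repeats the chain policy. Both listings are constructed samples modelled on the report's before and after output.

```python
"""Shadowed-rule check for `iptables -v --line-numbers -L FORWARD` output.

Added example, not part of the original report. Parses the listing format used
above and flags rules that can never match because an earlier catch-all rule
with a terminating target (ACCEPT/DROP/REJECT) precedes them.
"""
import re

TERMINATING = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample: the ruleset as first loaded, with the DROP inserted at the top.
LISTING_BEFORE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target prot opt in  out source   destination
1        0     0 DROP   all  --  any any anywhere anywhere
2        0     0 LOG    all  --  any any anywhere anywhere
3        0     0 ACCEPT all  --  any any anywhere anywhere
4        0     0 DROP   all  --  any any anywhere anywhere
"""

# Constructed sample: after `iptables -D FORWARD 1` (iptables renumbers the rest).
LISTING_AFTER = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target prot opt in  out source   destination
1       12  1008 LOG    all  --  any any anywhere anywhere
2       12  1008 ACCEPT all  --  any any anywhere anywhere
3        0     0 DROP   all  --  any any anywhere anywhere
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")


def parse_listing(text: str) -> tuple:
    """Return (policy, rules); each rule is a dict with the listing's columns."""
    policy, rules = None, []
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            policy = m.group(2)
            continue
        parts = line.split()
        if len(parts) < 10 or not parts[0].isdigit():
            continue  # column header, blank line, or anything unexpected
        num, pkts, nbytes, target, prot, opt, in_if, out_if, src, dst = parts[:10]
        rules.append({
            "num": int(num), "pkts": int(pkts), "bytes": int(nbytes),
            "target": target, "prot": prot, "in": in_if, "out": out_if,
            "src": src, "dst": dst,
            "extra": parts[10:],  # trailing match options such as "tcp dpt:135"
        })
    return policy, rules


def is_catch_all(rule: dict) -> bool:
    """A rule with no match criteria at all matches every packet."""
    return (rule["prot"] == "all" and rule["in"] == "any" and rule["out"] == "any"
            and rule["src"] == "anywhere" and rule["dst"] == "anywhere"
            and not rule["extra"])


def analyse(text: str) -> dict:
    """Report the first blocking catch-all rule and every rule numbered after it."""
    policy, rules = parse_listing(text)
    blocking, shadowed = None, []
    for rule in rules:
        if blocking is not None:
            shadowed.append(rule["num"])
        elif rule["target"] in TERMINATING and is_catch_all(rule):
            blocking = rule["num"]
    # A trailing catch-all with the same target as the chain policy adds nothing.
    redundant = [r["num"] for r in rules[-1:]
                 if is_catch_all(r) and r["target"] == policy]
    return {"policy": policy, "blocking": blocking,
            "shadowed": shadowed, "redundant": redundant}


if __name__ == "__main__":
    for name, text in (("before", LISTING_BEFORE), ("after", LISTING_AFTER)):
        print(name, analyse(text))
```

Run against the first listing it reports rule 1 as blocking and rules 2 to 4 as shadowed, which is why the ping got no answer and nothing was logged; after the deletion only the final DROP is shadowed (by the catch-all ACCEPT) and it merely repeats the chain policy. A rule with match options such as `tcp dpt:135` is not catch-all and is left alone.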

           1.6 A look at the operational state

By running the ifconfig command, an output similar to this should be

    br0      Link encap:Ethernet HWaddr 00:80:AD:91:8E:C4
           inet addr: Bcast:
           RX packets:31343 errors:0 dropped:0 overruns:0 frame:0
           TX packets:19315 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:3886078 (3.7 MiB) TX bytes:5307848 (5.0 MiB)

    eth0     Link encap:Ethernet HWaddr 00:80:AD:91:8E:C4
           RX packets:7204 errors:0 dropped:0 overruns:0 frame:0
           TX packets:8561 errors:0 dropped:0 overruns:0 carrier:0
           collisions:9 txqueuelen:1000
           RX bytes:773326 (755.2 KiB) TX bytes:1551833 (1.4 MiB)
           Interrupt:10 Base address:0xdc00

    eth1     Link encap:Ethernet HWaddr 00:C0:26:F0:E4:E2
           RX packets:37783 errors:0 dropped:0 overruns:0 frame:0
           TX packets:30034 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:4398143 (4.1 MiB) TX bytes:6292398 (6.0 MiB)
           Interrupt:12 Base address:0x7000

     lo       Link encap:Local Loopback
              inet addr: Mask:
              UP LOOPBACK RUNNING MTU:16436 Metric:1
              RX packets:18 errors:0 dropped:0 overruns:0 frame:0
              TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:1410 (1.3 KiB) TX bytes:1410 (1.3 KiB)

               1.6.1 Routing configuration

The output of the route -n command should look similar to this. Both entries
use br0, not eth0 or eth1: the first (flag U) is the directly connected
network, the second (flags UG) the default route through the router pinged
above.

     route -n
     Kernel IP routing table
     Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                     U     0      0        0 br0
                                                     UG    0      0        0 br0

The bridge and the firewall are up and running. However, after a reboot of
the machine all of this configuration will be lost. Let us see how the
configuration and all the commands can be saved:

To do so, an sh-style init script is needed. It goes in the system boot-up
directory /etc/init.d/:
      touch /etc/init.d/bridge

Then a start link is created in the runlevel directory /etc/rc?.d/ (runlevel 2
is Debian's default multi-user runlevel; update-rc.d bridge defaults creates
the same links for you):
      cd /etc/rc2.d/

     ln -s /etc/init.d/bridge S10bridge

Open the file created and insert the content below:

     vi /etc/init.d/bridge


    #!/bin/sh
    # /etc/init.d/bridge - bring up the transparent bridge br0 over eth0 and eth1.
    # The address values were not preserved in the original listing: fill them in
    # only if br0 needs a management IP; leave them empty for a fully transparent box.
    BR_ADDR=""; BR_BCAST=""; BR_MASK=""; BR_GW=""

    cmd="$1"
    [ -z "$cmd" ] && cmd="start"

    case "$cmd" in
      start)
        brctl addbr br0
        brctl stp br0 on
        brctl addif br0 eth0
        brctl addif br0 eth1
        # bridge ports carry no IP configuration of their own
        ifdown eth0 >/dev/null 2>&1
        ifdown eth1 >/dev/null 2>&1
        ifconfig eth0 up
        ifconfig eth1 up
        if [ -n "$BR_ADDR" ]; then
          ifconfig br0 "$BR_ADDR" broadcast "$BR_BCAST" netmask "$BR_MASK" up
          [ -n "$BR_GW" ] && route add default gw "$BR_GW"
        else
          ifconfig br0 up
        fi
        # only needed if this box also routes between IP networks
        echo "1" > /proc/sys/net/ipv4/ip_forward
        ;;
      stop)
        ifconfig br0 down
        brctl delif br0 eth0
        brctl delif br0 eth1
        brctl delbr br0
        ;;
      restart)
        $0 stop
        sleep 2
        $0 start
        ;;
      *)
        echo "Usage: $0 {start|stop|restart}" >&2; exit 1 ;;
    esac

And finally, it should be made executable:

    chmod 700 /etc/init.d/bridge

The Monitoring tool - NTOP

NTOP is a tool that shows the network usage. It can be used interactively or
in web mode, and it runs on many operating systems: Linux, other Unix systems,
Windows, Apple (Mac OS X). ntop shows network usage in a way similar to what
top does for processes, so NTOP is Network TOP. It acts as a web server,
creating an HTML dump of the network status, and it can act as a
probe/collector for popular flow protocols such as Cisco NetFlow and sFlow.

It is important to see the installation process and how it works. This
document describes the use of ntop by network managers or operators under
Linux, Debian Sarge. NTOP is a simple, free and portable traffic measurement
and monitoring tool, initially conceived by Luca Deri and Stefano Suin for
tackling performance problems on the campus network of the University of
Pisa, Italy.

Similar to the Unix top tool that reports processes' CPU usage, the authors
needed a simple tool able to report the network's top users (hence the name
ntop) for quickly identifying the hosts currently using most of the available
network resources. ntop then evolved into a more flexible and powerful tool.
The current version of ntop features command line and web-based user
interfaces, and is available on both UNIX and Win32 platforms. It is
developed as open source software. NTOP focuses on:

   •     traffic measurement,
   •     traffic monitoring,
   •     network optimization and planning, and
   •     detection of network security violations

NTOP users can use a web browser (e.g. Mozilla) to navigate through the
traffic information served by ntop (which acts as a web server) and get a
dump of the network status. In this mode ntop can be seen as a simple
RMON-like agent with an embedded web interface. The use of:

   •   a web interface
   •   limited configuration and administration via the web interface

makes ntop easy to use and suitable for monitoring various kinds of
networks. It offers a wide range of services, as follows:

         •     Sort network traffic according to many protocols
         •     Display traffic statistics
         •     Store traffic statistics in RRD format
         •     Identify the source/destination IP and display the time
         •     Identify the host OS passively (without sending probe
         •     Show IP traffic distribution among the various protocols
         •     Display IP traffic subnet matrix (who's talking to whom?)
         •     Report IP protocol usage sorted by protocol type
         •     Act as a NetFlow/sFlow collector for flows generated by
         •     Produce RMON-like network traffic statistics

Installation and usage

Under Debian, the installation process is very simple. It is enough to point
apt at a mirror and run:
      apt-get install ntop

This option was not chosen here, since the Debian package stores its
configuration files in places that are not very familiar to the user. Instead
the installation is done the long and a bit more complicated way, building
from source. The trade-off is that a source build receives no Debian security
updates, so new ntop and libpcap releases must be tracked by hand. The
libpcap and ntop source tarballs are needed (libpcap-0.9.3.tar.gz and
ntop-3.1.tgz are used below); download them before continuing.

Before the installation, make sure the system has the following packages
installed. Otherwise, run:
      apt-get install gd gdb libgd-dev libgdbm-dev
      apt-get install libgdbm3 libgd-noxpm-dev

Now extract the libpcap tarball, configure it and install it:
      tar xzvf libpcap-0.9.3.tar.gz
      cd libpcap-0.9.3
      ./configure
      make && make install

Then install ntop (autogen.sh generates and runs configure):
      tar xzvf ntop-3.1.tgz
      cd ntop
      ./autogen.sh
      make && make install

Run the following command to set the admin user's password before starting
the daemon; ntop stores it in its gdbm database:
      ntop -A

This command will give a result similar to this:
Thu Jul 21 19:51:25 2005 Initializing gdbm databases
Thu Jul 21 19:51:25 2005 Now running as requested user '(null)' (0:0)

Please enter the password for the admin user:
Please enter the password again:

The source tree ships a sample configuration file. Find it this way:
      locate ntop.conf

Then copy it to /etc and rename it to ntop.conf:
      cp /usr/ntop/packages/RedHat/ntop.conf.sample /etc/
      cd /etc/
      mv ntop.conf.sample ntop.conf

ntop is then started with the options read from the configuration file,
capturing on the bridge interface, which sees the traffic of both sides:
      ntop @/etc/ntop.conf -i br0

It may fail to start, asking you to check the README file. To solve that
problem, give the user ntop runs as (nobody here) ownership of its data
directory; the "nobody." form of chown, with an empty group, also sets the
group to that user's login group:
        chown -R nobody. /usr/share/ntop

It can also fail because of the db-file-path. Check in /etc/ntop.conf that
the path matches the directory where the database files are kept, and that
the same user owns that directory.
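The following pre-flight check is an added example, not part of ntop, that reads the @-style /etc/ntop.conf and reports both failure causes before the daemon is started: a --db-file-path directory that does not exist, and one owned by a user other than the --user ntop switches to. It assumes the one-option-per-line format of ntop's @file with the value separated from the option by blanks, and that the options are spelled --db-file-path/-P and --user/-u; the configuration written in the test is constructed.

```sh
#!/bin/sh
# Added example, not part of ntop: pre-flight check of an @-style ntop.conf
# for the two start-up failures described above, a database directory
# (--db-file-path / -P) that does not exist and one that is not owned by the
# unprivileged user ntop switches to (--user / -u). ntop's @file holds one
# command-line option per line, value separated from the option by blanks;
# the "option=value" spelling is not handled here.

# Print the value of a long or short option from the file; empty if absent.
conf_value() {   # conf_value FILE LONGOPT SHORTOPT
    awk -v l="$2" -v s="$3" '
        /^[ \t]*#/ { next }
        $1 == l || $1 == s {
            sub(/^[^ \t]+[ \t]+/, "")   # drop the option name
            gsub(/^"|"$/, "")           # and any surrounding quotes
            print; exit
        }' "$1"
}

# Return 0 if the database directory exists and belongs to the ntop user,
# otherwise explain the problem on stderr and return 1.
check_ntop_conf() {   # check_ntop_conf /etc/ntop.conf
    conf=$1
    [ -r "$conf" ] || { echo "$conf: cannot read" >&2; return 1; }
    db=$(conf_value "$conf" --db-file-path -P)
    user=$(conf_value "$conf" --user -u)
    [ -n "$db" ]   || { echo "$conf: no --db-file-path set" >&2; return 1; }
    [ -n "$user" ] || { echo "$conf: no --user set" >&2; return 1; }
    [ -d "$db" ]   || { echo "$db: not a directory (mkdir -p it first)" >&2; return 1; }
    owner=$(ls -ld "$db" | awk '{ print $3 }')
    [ "$owner" = "$user" ] || {
        echo "$db is owned by $owner, not $user (fix: chown -R $user $db)" >&2
        return 1
    }
    return 0
}
```

Run check_ntop_conf /etc/ntop.conf from the ntop start-up script and abort the start when it returns 1; the message it prints names the chown or mkdir that is missing, which is quicker than reading the README hint the daemon gives.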

Now check your ports to see if there are new ones open and bound to
        nmap localhost

Starting nmap 3.81 ( ) at 2005-07-08 07:45 CEST
Interesting ports on localhost.localdomain (
(The 1644 ports scanned but not shown below are in state: closed)
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
68/tcp open dhcpclient
80/tcp open http
111/tcp open rpcbind
113/tcp open auth
139/tcp open netbios-ssn
143/tcp open imap
443/tcp open https
2000/tcp open callbook
3000/tcp open ppp

Nmap finished: 1 IP address (1 host up) scanned in 0.361 seconds
A new port is open, 3000/tcp: that is ntop's built-in web server, contacted
from a browser on port 3000 of the monitoring host (nmap labels it "ppp" only
because that is the name in its services table). Since this interface shows
the traffic picture of the whole network, access to 3000/tcp should be limited
to the administrator's hosts with iptables. An interface similar to this will
pop up:
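Spotting the new port by eye works for one host; the functions below, an added example that is not part of the original project or of nmap, do the same comparison against a saved baseline scan and print only the open ports that appeared since. The nmap listings embedded in them are constructed from the scan above (the baseline is that scan without 3000/tcp, the re-scan is the baseline with 3000/tcp added).

```sh
#!/bin/sh
# Added example, not part of the original project: compare an `nmap localhost`
# listing against a baseline scan taken before ntop was started and print every
# open port that was not there before.

# Print "port/proto" for every open port in normal nmap output, sorted.
open_ports() {   # open_ports < nmap_output
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1 }' | sort
}

# Print the ports open in SCAN_TEXT that are absent from BASELINE_TEXT.
new_open_ports() {   # new_open_ports "$(cat baseline.txt)" "$(nmap localhost)"
    {
        printf '%s\n' "$1" | open_ports | sed 's/^/B /'
        printf '%s\n' "$2" | open_ports | sed 's/^/S /'
    } | awk '$1 == "B" { base[$2] = 1; next } !($2 in base) { print $2 }'
}

# Constructed baseline: the scan shown above, before ntop was started.
BASELINE='Starting nmap 3.81 at 2005-07-08 07:40 CEST
Interesting ports on localhost.localdomain:
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
68/tcp   open  dhcpclient
80/tcp   open  http
111/tcp  open  rpcbind
113/tcp  open  auth
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
2000/tcp open  callbook

Nmap finished: 1 IP address (1 host up) scanned in 0.312 seconds'

# Constructed re-scan after ntop started: the same listing plus 3000/tcp, which
# nmap labels "ppp" from its services table although the listener is ntop.
SCAN=$(printf '%s\n' "$BASELINE" | awk '{ print } $1 == "2000/tcp" { print "3000/tcp open  ppp" }')
```

Run nmap localhost once before starting ntop and save the output as the baseline; after each change to the box, feed a fresh scan to new_open_ports and expect nothing but 3000/tcp. Anything else in the result deserves an explanation. ntop's web interface on that port is plain HTTP; restrict it with iptables to the administrator's hosts, or let ntop serve HTTPS instead (its -W option).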

The web interface shows many links where the configuration can be done and
where the graphical view of the traffic can be seen:

There are many tools we use as network and security professionals to build a
secure network. Routers, virtual private networks, intrusion detection
systems and vulnerability scanners are regularly employed for this
challenging task. Many would agree that the basis of such a defence is the
firewall. While the traditional implementation of a firewall as a router
works well in most situations, another form can strengthen existing
configurations or succeed where routing fails: a bridging or transparent
firewall that sits in-line with the network it protects. Because the protected
network keeps its addressing and routing, deploying it is quicker and cheaper.

The quickest, least time-consuming and most secure way is to set up a pure
black box: a bridge with no IP address at all, which the hosts can neither see
nor address, so nothing in the network needs to change. (The bridge interfaces
still have MAC addresses, as the ifconfig output showed, and with STP enabled
the box sends spanning-tree frames, but it needs no presence at the IP layer.)

This project chose the second way, a bridging firewall that also carries a
management address on br0, because the other components that matter to
network administrators, packet sniffing, an IDS and the ntop web interface,
must be reachable over the network.

Transparent/bridging firewalls are excellent security tools when used in the
right situation. Rapid deployment and minimal configuration changes make them
valuable alternatives to traditional routing firewalls. Such benefits,
combined with deep packet analysis and filtering possibilities, are why many
claim this is the future of the firewall.

Soon we will be managing in-line devices that handle the routing, filtering
and analysis of packets for very large networks, reducing the complexity,
deployment time and management headaches of the multiple machines required
today.

This project has shown the need for such technologies and, more than that,
has described how network administrators can build their own boxes and
manage the network with fewer headaches.

With this technology, which combines auditing, monitoring and firewalling in
one box, the changes needed in the network are small. Inserting the box as a
router instead would mean changing the default gateway route on every single
host in the network, and that is a real drawback: network administrators find
it tiresome to change more than five default routes on five different hosts
more than once, and it is time consuming too. The bridging setup leaves the
hosts' default gateway as it was; only the bridge host itself needs to be
configured.

Even so, this is the state of the art in handling networks when security is a
concern.
