									                                it@ab-upgrade II 2004/2005
                    Training Programme - “Business related IT Consultancy”



Introduction

Experience with Information Technology security implementation, auditing
and monitoring using security evaluation tools has shown in recent years
that such evaluations are very expensive and time consuming, at least from
the point of view of IT technicians and engineers. Although security
functional testing is an important component of security evaluation, time
and cost considerations have pushed it into the back seat of most security
evaluation schemes. This is the main motive for this project.


Network Auditing and Monitoring with open source tools is a project
intended to offer an alternative for security evaluation at low cost and in
less time. It brings live examples and case studies that show the
importance of security in the IT field. It is meant to open the eyes of
decision makers and network administrators, and to show the misuse and/or
overload of devices and networks that results from a missing security
component. It is, after all, meant to help Mozambique get a lot more out of
IT as a fundamental tool in this world of globalization.


In these first lines, it is important to define Information Technology
and Information Security as well as the role they play all over the world
nowadays. Then follows an overview of the author and the institution
behind this work. The second part will mainly consist of snapshots
showing exploits and countermeasures, while the last part will give
considerations, tips and recommendations for good network
administration.








According to the web encyclopedia Wikipedia, Information Technology
includes all matters concerned with the furtherance of computer science
and technology and with the design, development, installation, and
implementation of information systems and applications, while Information
Security deals with several different "trust" aspects of information. A
common term is information assurance. Information security is not
confined to computer systems, nor to information in an electronic or
machine-readable form. It applies to all aspects of safeguarding or
protecting information or data, in whatever form.


Due to the breadth of this topic, this project will deal with information
security within the IT field: the data processed by computers and, mainly,
the data transmitted over the network.


It is intended to outline the imminent risk to which computers and other
network devices are exposed, and to establish conditions for use and
requirements for appropriate security covering the University's computing
equipment and networks as well as its customers. Computing equipment
is defined to include desktops, laptops, servers and connected network
equipment. With these conditions, individuals and companies in particular
will be able to get a lot more from the network just by taking the
necessary security considerations into account.






Network Auditing and Monitoring with open source tools


Author:       Ricardo Mário Taca (taca@zebra.uem.mz)
Coach:        Hans Peter Merkel (hpm@hpmerkel.com)
Director:     Américo Muchanga (americo@uem.mz)
Senior:       Francisco Mabila (mabila@uem.mz)

Name                  Taca
First name            Ricardo Mario
Date of birth         February 28th, 1977
Country               Mozambique
Education             BA in Education Sciences
Language skills       Portuguese, English and French
Institution           Centre for Informatics of Eduardo Mondlane University

Professional experience

  2004        Computer Security Technician
              Responsibilities: fighting viruses, spam, spyware and other
              malicious products; working as CIUEM workstation administrator.
  2003/2004   Network administrator
              Responsibilities: taking part in the administration team of
              AFS (Andrew File System) and Kerberos, systems used for
              authentication and for sharing information and resources in
              the network at CIUEM.
  2003        Computer hardware and software troubleshooter at the Centre
              for Informatics of Eduardo Mondlane University (CIUEM).

CIUEM                 The Informatics Centre of Eduardo Mondlane University
                      (CIUEM) is a technical unit within the University,
                      whose aim is to provide ICT related services such as
                      Internet service provision, network design, hardware
                      repair, etc. CIUEM acts as an adviser to the University
                      regarding ICT policies and strategies.
Project title and     Network Auditing and Monitoring with open source tools
description
                      In today's world, where all computing revolves around
                      the concept of networking, the work of system
                      administrators has become more and more challenging.
                      It is necessary to monitor the availability of
                      resources such as routers, hubs, servers and every
                      critical device in the network.

                      There are many reasons managers would like to monitor
                      network devices: bandwidth utilization, operational
                      state of links, bottlenecks, problems with the cabling,
                      or routing information distributed between devices, etc.

                      The University network in particular includes expensive
                      links to remote networks (WAN) and to the Internet,
                      whose costs are mainly based on traffic volume. It is
                      very important to maintain statistics of the traffic
                      going through, since bandwidth is still a problem. This
                      is a very common problem in Mozambique and that is the
                      reason why this project started.

                      The project is designed to respond to the needs of the
                      University, Ministries and governmental institutions as
                      a good starting point for discovering security problems
                      and misbehaviour within the networks. The goal is to
                      secure the networks and increase their performance so
                      that information flows safely and effectively.


Project scope and     The strategy is to build up a toolbox of Open Source
deliverables          Software for auditing and monitoring networks. This
                      involves selecting appropriate tools, installation and
                      testing, in order to:
                         •  get familiar with the tools
                         •  implement a prototype
                         •  deliver the necessary product documentation
                         •  select the functionalities that best fit the needs
                         •  define milestones

                      The scope consists of the product layers, the documents
                      and the knowledge to use the tools: the operating system
                      layer, which is Debian Sarge; the database, held in
                      MySQL; and the tools layer, built with OSS, which
                      provides the user interface interacting with the
                      database. Concerning the application layer, NTOP has
                      proven to be the best tool for network management
                      according to the functionalities to be implemented.
Project structure:    Ricardo Mario Taca:   Research, evaluation, testing,
roles and             implementation, documentation and presentation of the
responsibilities      final product.
                      Hans-Peter Merkel:    First line coach.
                      Markus Mayer:         Programme manager; escalation and
                      communication to inWEnt.
                      Francisco Mabila:     Approvals concerning changes and
                      guidance to meet the University's needs (CIUEM).






The need - Malware collector


"mwcollect is an easy solution to collect worms and other autonomous spreading
malware in a non-native environment like FreeBSD or Linux. The first versions were
used to collect binaries for botnet monitoring and bots are still what mwcollect is
mostly used for collecting" - http://www.mwcollect.org/

Let's take the following scenario into consideration. It reflects the real
environment, though it is intended only for testing purposes.


      Ethernet                        Ethernet/DSL                 /-/ \
     ---------        ---------         -----------------------   /-/ \
   |Notebook|-------|Bridge |---------|IpCop - Gateway |---------| Inter-
     ---------        ---------         -----------------------   \ net-|
       ^            ^         ^        ^                     ^     \       /
        |           |          |        |                     |      \---/
       eth0        eth0 eth1          eth0                  eth0
        |           |          |        |                      |
192.168.0.114      192.168.0.10 192.168.0.2          192.168.0.1
                     \          /
                      \ -br0- /
      ^                   ^              ^                 ^
      |                   |              |                  |
     LAN             Black Box        Firewall                  Router


The notebook, running Debian, was the machine on which the collector
was installed and to which the traffic was redirected.

Mwcollect installation


1. Install the dependency libraries:
      apt-get install libpcre3-dev libcurl3-dev


2. Download the latest version of mwcollect from this site:
      www.mwcollect.org


3. Untar and install the program:





      tar xjvf mwcollect2.1.1.tar.bz2
      cd mwcollect2.1.1
      make


4. Still in the mwcollect directory, back up the mwcollect configuration file
and rename the remaining one:


      cp mwcollect.conf.dist /usr/local
      mv mwcollect.conf.dist mwcollect.conf


5. Create a folder for the logs:
      mkdir /var/mwcollect


6. Run mwcollect with this command to see the output on the screen:
      ./bin/mwcollectd -L spam -C -c mwcollectd.conf


or with this one to run it as a daemon:
      ./bin/mwcollectd -c mwcollectd.conf -D


Note that it is necessary to invoke mwcollectd from the path where you
have unpacked it. If it gives errors such as "the user nobody is in use",
then create another user and enter it in the configuration file. It is
common that the chown command is invoked to give the new user enough
rights. The user can be created by typing:
      adduser mwcollect
      chown -R mwcollect:mwcollect /var/mwcollect



The next step is to open port 135 and redirect it to the collecting
machine:
      iptables -A INPUT -p tcp --dport 135 -j ACCEPT
      iptables -t nat -A PREROUTING -p tcp --dport 135 -j DNAT \
            --to-destination 192.168.0.114:1025


Now all traffic to port 135 will be redirected to the notebook.
Surprisingly, every now and then, after a learning stage, a trojan will
pop up.


Another common scenario is having a UML (User Mode Linux) in the gateway
running an IDS such as IPCop. For this kind of network the approach needs
improving, since IPCop uses port 445 by default. This conflict can be
overcome. Log in to the gateway, or use ssh:

      ssh 192.168.0.1 -p 222

Open the following file:

      vi /home/httpd/cgi-bin/portfw.cgi3

Search for "445" and replace it with any available port number.

Re-initialise the ipcopuml, or even reboot the machine.

The next step is to configure the port forwarding functionality from IPCop.
It's pretty easy through the admin interface: just a couple of clicks on
the port forwarding icon.

The collecting part is nothing more than sitting and watching the traffic
flow in, but to see what those worms and trojans are capable of, a
Windows machine running XP, for example, would be great. It starts
broadcasting and looking for targets within the network, as well as
establishing connections to the Internet.






Transparent Bridge


A transparent bridge, or black box, is a device that connects two local-area
networks (LANs), or two segments of the same LAN that use the same
protocol, such as Ethernet or Token Ring.


Transparent bridges are so named because their presence and operation
are transparent to network hosts. When transparent bridges are powered
on, they learn the workstation locations by analyzing the source address
of incoming frames from all attached networks.


The bridge uses its table as the basis for traffic forwarding. When a frame
is received on one of the bridge's interfaces, the bridge looks up the
frame's destination address in its internal table. If the table contains an
association between the destination address and any of the bridge's ports
aside from the one on which the frame was received, the frame is
forwarded out the indicated port. If no association is found, the frame is
flooded to all ports except the inbound port. Broadcasts and multicasts
also are flooded in this way.




Transparent bridges successfully isolate intrasegment traffic, thereby
reducing the traffic seen on each individual segment. This is called
filtering and occurs when the source and destination MAC addresses
reside on the same bridge interface. Filtering usually improves network
response times, as seen by the user. The extent to which traffic is reduced
and response times are improved depends on the volume of intersegment
traffic relative to the total traffic, as well as the volume of broadcast and
multicast traffic.








A bridge learns about the direction to send frames to reach a station by
building a bridge table. The bridge builds the table by observing the
source MAC address of each frame that it receives and associating that
address with the received port.
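
As an added example (not part of the original document), the following
Python simulation implements the learning, forwarding, flooding and
filtering behaviour described above. It generalizes the two-port bridge of
this project to any number of ports; the port names and MAC addresses are
constructed for the demonstration.

```python
"""Simulation of a transparent (learning) bridge: added example,
not code from the original document. Port names and MAC addresses
are constructed for the demonstration."""
from collections import defaultdict


class LearningBridge:
    """Learns MAC -> port from frame source addresses, then forwards,
    floods or filters each frame exactly as the text describes."""

    BROADCAST = "ff:ff:ff:ff:ff:ff"

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}                 # bridge table: MAC address -> port
        self.stats = defaultdict(int)   # counts of forwarded/flooded/filtered

    @staticmethod
    def is_group_address(mac):
        """Broadcast and multicast MACs have the I/G bit (low bit of the
        first octet) set; such frames are always flooded."""
        return int(mac.split(":")[0], 16) & 1 == 1

    def receive(self, in_port, src, dst):
        """Process one frame arriving on in_port.
        Returns the list of ports the frame is sent out of."""
        if in_port not in self.ports:
            raise ValueError("unknown port %s" % in_port)
        # Learning: associate the source address with the inbound port.
        self.table[src] = in_port
        if self.is_group_address(dst) or dst not in self.table:
            # Unknown unicast, broadcast or multicast: flood to every
            # port except the one the frame came in on.
            self.stats["flooded"] += 1
            return [p for p in self.ports if p != in_port]
        out_port = self.table[dst]
        if out_port == in_port:
            # Source and destination sit on the same segment: filter the
            # frame, so the other segments never see this traffic.
            self.stats["filtered"] += 1
            return []
        # Known destination on another port: forward only there.
        self.stats["forwarded"] += 1
        return [out_port]


def demo():
    """Replay a few frames through a three-port bridge and return
    (bridge, list of output-port lists), one entry per frame."""
    bridge = LearningBridge(["eth0", "eth1", "eth2"])
    notebook = "00:11:22:33:44:01"   # constructed, hangs off eth0
    gateway = "00:11:22:33:44:02"    # constructed, hangs off eth1
    neighbour = "00:11:22:33:44:03"  # constructed, also on the eth0 segment
    outputs = [
        # 1: gateway not yet learned -> flooded to eth1 and eth2
        bridge.receive("eth0", notebook, gateway),
        # 2: reply; notebook is known on eth0 -> forwarded only to eth0
        bridge.receive("eth1", gateway, notebook),
        # 3: neighbour talks to notebook on the same segment -> filtered
        bridge.receive("eth0", neighbour, notebook),
        # 4: broadcast (e.g. an ARP request) -> always flooded
        bridge.receive("eth0", notebook, bridge.BROADCAST),
    ]
    return bridge, outputs


if __name__ == "__main__":
    b, outs = demo()
    for i, ports in enumerate(outs, 1):
        print("frame %d sent out of: %s" % (i, ports or "nowhere (filtered)"))
    print("bridge table:", b.table)
    print("stats:", dict(b.stats))
```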


          1.1 The Utility of a Transparent Bridge

Due to the central and necessary role of firewalls in network security,
there is little about them that is not known. A firewall inspects and
filters traffic before making a decision on what to do with a packet.
Normally it has two interfaces, an internal and an external one. The
external connection sits downstream from a router connected to the
Internet. The internal interface usually leads to a local router or private
network. Each interface, or network card, has an IP address. An incoming
packet from the Internet reaches the external interface, where the firewall
handles the packet according to its ruleset. Next the TTL is decremented,
the packet modified accordingly (e.g. NAT) and routed to its destination or
next hop. It's easy to think of many firewalls as simple routers with
sophisticated filtering techniques. Conversely, routers have simple
filtering capabilities.




Why a transparent bridge?!

Because the firewall approach described above, though suitable for
many situations, does have some drawbacks.

   1. It's not easy to simply 'add' a firewall to a network. The internal and
      external interfaces require IP addresses and create subnetting
      issues. The internal hosts need to be configured to see the firewall
      as the gateway. Additionally, surrounding routers need to recognize
      the firewall as a hop to the internal network.
      In short, the potential for several configuration problems or update
      requirements exists before the device is put in place.


   2. Overhead. There is a lot of processing required for each packet:
     inspection, modification, routing. This in turn either raises hardware
     costs or hurts performance.


   3. Everyone knows it's there. A firewall makes no effort to masquerade
      itself from the outside world. With a little investigation and the
      proper enumeration techniques, it's trivial to identify a device that is
      acting as a firewall. And even if the device itself is extremely secure,
      the mere fact that it exists and is reachable via the network makes
      it vulnerable. The software type and version might be revealed
      based on probing responses. Denial of service floods are very
      common since they are often the only possible attack against a
      secure device, such as a firewall. And there's the possibility of
      mapping the rule set using firewalking and knowledge of the
      filtering device.




Such issues are not deal breakers, but headaches for administrators and
engineers. This makes a transparent bridge a better solution!

Benefits of bridging

   1. Zero configuration. From a networking standpoint, there are
      virtually no changes. The bridging firewall is plugged in-line with the
      network it is protecting. This means it can be between routers, or a
      router and a switch, or even in front of a single machine. While
      it might be placed exactly where it would be if it were acting as a
      gateway or router, it's not one. Remember, it merely moves frames
      between interfaces after inspecting them. This means that there's no
      need to make any changes to your existing network. It is completely
      transparent. No subnetting headaches or configuration updates are
      required with this device.


   2. Performance. Because they are simpler devices, there's less
      processing overhead. This cost cutting either boosts the capabilities
      of the machines or allows for deeper examination of the data.


   3. Stealth. A key aspect of this device is the fact that it operates at
      layer 2 of the OSI model. This means the network interfaces have no
      IP addresses. Such a feature carries more weight than merely ease
      of configuration. Without an IP address, this device is unreachable
      and invisible to the outside world. If it cannot be reached, how can
      anyone attack it? No network probes, denial of service floods or
      firewalking on this machine. Your attackers won't even know it's in
      place, silently inspecting everything they send.

With the benefits and strengths of a bridging firewall in mind, let's
examine the situations such a device can excel in.

          1.2 Transparent firewalls

Since the fundamental task of a firewall is to filter packets, the weak point
in its traditional behavior is the fact that it also must route packets after a
decision is made. A transparent bridge steps down a layer in the OSI
model. Instead of the device handling packets at layer 3 (network), it
can merely inspect frames and move them to the proper interface. This
device would continue to filter packets, but operate at layer 2 (data link),
like a bridge. Such a device is known by several names: a transparent,
in-line, shadow, stealth or bridging firewall.

Unlike a router, which makes packet decisions, a bridge merely moves
frames from one interface to the other. It's a much simpler networking
device. Data comes in one interface, goes right over to the other and vice
versa. So, in between, the core task of a firewall, filtering, can be
performed.




          1.3 Using transparent firewalls

Bridging devices are most useful in complex environments that require a
rapid or new firewall deployment. Using a traditional firewall would require
dealing with the mandatory routing changes. As mentioned above,
configuration changes to hosts, neighboring routers and the firewall itself
would be necessary. In a large or complex network like the University's,
this would be a difficult, time-consuming task. The use of a bridging
firewall reduces both the configuration and deployment time, a definite
plus for any business with limited IT resources.




A bridging firewall can be plugged in with zero deployment time at each
location. It's a great solution to the challenging task of securing bigger or
smaller corporate networks. Similarly, smaller companies without
dedicated IT staff can use a consultant to assist in the design and
deployment of the firewall. The minimal configuration changes and
installation time keep costs down.

Bridging devices can also be used for additional applications. Since the
overhead is minimal, we can add an intrusion detection system (IDS) to
the machine. The combination of security and networking devices is a
relevant topic for the University. It's an obvious step, since the devices all
analyze the same packets. For this project, an IDS (Snort) will be run on the
bridging machine in addition to the firewall. So the box will be a single
machine processing (bridging or routing), filtering (firewall) and
analyzing (IDS) the packets.




After analysing the latest products emerging from many of the major
firewall and IDS vendors, it became clear that this is the direction such
tools are heading in.




Another application worth considering on a bridging device when
monitoring networks is a sniffer. It's often necessary to audit and examine
the types of packets flowing in and out of a network. An in-line bridging
device is a great place for gathering such data, since it's an invisible
gateway for the network. The device can be deployed and removed for
analysis with no disruption, and it becomes a fast and accurate window
onto the traffic.


          1.5 Getting a Bridging Firewall

Having reviewed these devices and their potential applications, it
becomes necessary to include the documentation on installation and usage,
since this is the final product of the project.

There is an open source project for adding bridging software to Linux. The
first step is to have the desired OS installed, in this case Debian.







Configuring a Debian box to act as a bridge



The scenario below was built up for testing purposes and for making this
project possible:



              Ethernet         Ethernet/Wireless         /-/ \
     ---------               ------------------------   /-/       |
  | Notebook|------------|Gateway Machine|-------- |----| Inter-
     ---------              -------------------------  \ net-|
        ^                 ^                         ^   \       /
         |                |                          |    \---/
       eth0             eth0                    WLAN0      ^
         |                |                          |      |
 192.168.0.114 192.168.0.120 192.168.2.105 192.168.2.1


Local network: 192.168.0.0/24. There is a machine in this network
(192.168.0.114). The machine with IP 192.168.0.120 plays the role of
gateway. It has two interfaces: eth0 and wlan0. The eth0 is connected to
the LAN (192.168.0.0/24) and the wlan0, with 192.168.2.105, is connected
to the router, which is 192.168.2.1.

For bridging, a new computer will be placed in between the notebook
and the gateway. All the traffic flowing from and to the notebook will
go through the bridge for analysis. This new machine has two
network interfaces which, from the next step on, will be assigned to the
bridge interface.


Please install the package that will help in the configuration process
first:

      apt-get install bridge-utils



Now tell the Debian box that it should configure one virtual Ethernet
(bridge) interface. This is to be executed on the bridge host, of course.






     brctl addbr br0


Second, deactivate the STP (Spanning Tree Protocol). There is one single
router, so a loop is highly improbable. The networking environment should
be less polluted.

     brctl stp br0 off


After these preparations, it's time to add the two physical Ethernet
interfaces. That means attaching them to the logical (virtual) bridge
interface br0.

    brctl addif br0 eth0
    brctl addif br0 eth1


The physical Ethernet interfaces are now each a port of the logical bridge.
They are still present, but since they need no IP configuration any longer,
it's time to release their IPs:

    ifconfig   eth0   down
    ifconfig   eth1   down
    ifconfig   eth0   0.0.0.0 up
    ifconfig   eth1   0.0.0.0 up


The new (logical) interface can now be brought up (and, optionally, be
associated with one single IP address of its own):

         ifconfig br0 up






The bridge is up but the internet connection is down. The gateway needs
to be reconfigured.



      Ethernet                         Ethernet/Wireless            /-/ \

    ---------        ---------         -----------------------   /-/ \
  |Notebook|-------|Bridge |---------|Gateway Machine|---------| Inter-
    ---------        ---------         -----------------------   \ net-|
      ^            ^         ^        ^                      ^    \       /
       |           |          |        |                      |     \---/
      eth0        eth0 eth1          eth0                  wlan0     ^
       |           |          |        |                      |        |
192.168.0.114    192.168.0.220 192.168.0.120 192.168.2.105 192.168.2.1
                   \          /
                    \ -br0- /
      ^                 ^              ^                            ^
      |                 |              |                             |

     |                 |              |                             |
    LAN            Black Box        Router                        Jungle



The administrative power for monitoring lies in the machine marked LAN;
the gateway, or rather router, is completely off-limits, and so is the
Internet. That means control of the traffic on the Ethernet wire is
possible, and for better results, since security is the concern, a common
firewall will be integrated into the bridge. Now it is time for some iptables
rules on the bridge host:

    iptables -P FORWARD DROP
    iptables -F FORWARD
    iptables -I FORWARD -j ACCEPT
    iptables -I FORWARD -j LOG
    iptables -I FORWARD -j DROP
    iptables -A FORWARD -j DROP
    iptables -x -v --line-numbers -L FORWARD






As a result of the policy above, the last line gives us the following output:

num   pkts   bytes  target   prot opt in    out   source     destination
1        0       0  DROP     all  --  any   any   anywhere   anywhere
2        0       0  LOG      all  --  any   any   anywhere   anywhere
3        0       0  ACCEPT   all  --  any   any   anywhere   anywhere
4        0       0  DROP     all  --  any   any   anywhere   anywhere



The LOG target logs every packet via syslogd. This is intended for testing
purposes only, just to see if the ruleset is working.
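
As an added example (not from the original document), the following Python
code reads the syslog lines that the LOG rule on the bridge produces, in the
kernel's standard KEY=VALUE netfilter LOG format, and summarises what was
forwarded, counting separately the TCP packets aimed at port 135, the port
redirected to the malware collector earlier. The sample lines are constructed
and assume no --log-prefix on the LOG rule.

```python
"""Summarise netfilter LOG lines from syslog: added example, not code
from the original document. The lines below are constructed samples in
the kernel's standard KEY=VALUE LOG format, as written by the LOG rule
on the bridge (no --log-prefix in use)."""
import re
from collections import Counter

SAMPLE_SYSLOG = """\
Mar  3 10:01:12 bridge kernel: IN=eth0 OUT=eth1 SRC=192.168.0.114 DST=192.168.2.1 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0
Mar  3 10:01:13 bridge kernel: IN=eth1 OUT=eth0 SRC=192.168.2.1 DST=192.168.0.114 LEN=84 TTL=255 PROTO=ICMP TYPE=0 CODE=0
Mar  3 10:02:40 bridge kernel: IN=eth1 OUT=eth0 SRC=192.168.0.77 DST=192.168.0.114 LEN=48 TTL=128 PROTO=TCP SPT=1034 DPT=135 SYN
Mar  3 10:02:41 bridge kernel: IN=eth1 OUT=eth0 SRC=192.168.0.77 DST=192.168.0.114 LEN=48 TTL=128 PROTO=TCP SPT=1035 DPT=135 SYN
Mar  3 10:02:42 bridge kernel: IN=eth1 OUT=eth0 SRC=192.168.0.77 DST=192.168.0.114 LEN=48 TTL=128 PROTO=TCP SPT=1036 DPT=445 SYN
Mar  3 10:03:05 bridge kernel: IN=eth0 OUT=eth1 SRC=192.168.0.114 DST=192.168.0.120 LEN=60 TTL=64 PROTO=TCP SPT=40211 DPT=80 SYN
Mar  3 10:03:06 bridge sshd[412]: Accepted publickey for admin from 192.168.0.114
"""

# One KEY=VALUE token; values never contain whitespace in this format.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Port redirected to the malware collector earlier in this document.
WORM_PORTS = (135,)


def parse_log_line(line):
    """Return the KEY=VALUE fields of one netfilter LOG line as a dict,
    or None when the line is some other syslog message."""
    if "kernel:" not in line or "IN=" not in line or "PROTO=" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def summarise(syslog_text, worm_ports=WORM_PORTS):
    """Count forwarded packets per (PROTO, DPT) and, separately,
    TCP packets per source aimed at the worm ports."""
    per_service = Counter()
    worm_probes = Counter()
    for line in syslog_text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        proto = fields["PROTO"]
        dport = fields.get("DPT", "-")       # ICMP lines carry no DPT
        per_service[(proto, dport)] += 1
        if proto == "TCP" and dport != "-" and int(dport) in worm_ports:
            worm_probes[(fields["SRC"], int(dport))] += 1
    return per_service, worm_probes


if __name__ == "__main__":
    services, probes = summarise(SAMPLE_SYSLOG)
    for (proto, dport), n in sorted(services.items()):
        print("%-5s dport %-5s %d packets" % (proto, dport, n))
    for (src, dport), n in sorted(probes.items()):
        print("worm-port probe: %s -> tcp/%d x%d" % (src, dport, n))
```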

To test if the ruleset above is working, we try to reach the router with a
ping:

        ping -c 4 192.168.2.1

The result will be:
        ping: unknown host 192.168.2.1.



This is because the default is to DROP everything: no response, no logged
packet. This netfilter setup is designed to DROP all packets and it is
clearly visible that the rules set above are working. Now it is time to
set up rules that will work in the real environment.


1. Delete the first rule above (the DROP) and enable forwarding in the Linux kernel.

        iptables -D FORWARD 1
        echo "1" > /proc/sys/net/ipv4/ip_forward

2. Assigning a default route.

        route add default gw 192.168.0.120

The link to the Internet should now be active.




Now run:
      iptables -x -v --line-numbers -L FORWARD

      Chain FORWARD (policy DROP 0 packets, 0 bytes)
      num  pkts  bytes  target  prot opt in   out  source    destination
      2    0     0      LOG     all  --  any  any  anywhere  anywhere
      3    0     0      ACCEPT  all  --  any  any  anywhere  anywhere
      4    0     0      DROP    all  --  any  any  anywhere  anywhere
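The two listings above differ only in the order of the catch-all rules, and that order decides everything: `-I` inserts at the top, `-A` appends at the bottom, and the first terminal rule wins. The following added example (not the report's own code) parses the output of `iptables -x -v --line-numbers -L FORWARD`, walks the chain the way netfilter does for a packet that matches every rule, and reports which rule decides the verdict and which later rules can never be reached. The two listings inside the block are constructed to mirror the states before and after `iptables -D FORWARD 1` (iptables renumbers after a deletion, so the second one starts at 1); real output also carries trailing options such as "LOG flags 0 level 4", which the parser tolerates.

```python
"""Audit the rule order of an iptables FORWARD chain listing.

Added example for this text, not the report's own code. The two listings
below are constructed to mirror the states shown in the text, before and
after `iptables -D FORWARD 1`.
"""
import re

BEFORE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts  bytes target  prot opt in   out  source    destination
1     0     0     DROP    all  --  any  any  anywhere  anywhere
2     0     0     LOG     all  --  any  any  anywhere  anywhere  LOG flags 0 level 4
3     0     0     ACCEPT  all  --  any  any  anywhere  anywhere
4     0     0     DROP    all  --  any  any  anywhere  anywhere
"""

AFTER = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts  bytes target  prot opt in   out  source    destination
1     4     336   LOG     all  --  any  any  anywhere  anywhere  LOG flags 0 level 4
2     4     336   ACCEPT  all  --  any  any  anywhere  anywhere
3     0     0     DROP    all  --  any  any  anywhere  anywhere
"""

HEADER_RE = re.compile(r"^\s*Chain (\S+) \(policy (\S+)")
# num pkts bytes target prot opt in out source destination [extra options]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
TERMINAL = ("ACCEPT", "DROP", "REJECT")


def parse_chain(text):
    """Return (policy, [rule dicts]) from `iptables -x -v --line-numbers -L` output."""
    policy, rules = None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            policy = m.group(2)
            continue
        m = RULE_RE.match(line)
        if m:
            num, pkts, nbytes, target, proto, opt, in_if, out_if, src, dst, extra = m.groups()
            rules.append({"num": int(num), "pkts": int(pkts), "bytes": int(nbytes),
                          "target": target, "proto": proto, "in": in_if, "out": out_if,
                          "src": src, "dst": dst, "extra": extra or ""})
    return policy, rules


def is_catch_all(rule):
    """True when the rule matches every packet, like `iptables -A FORWARD -j X`."""
    return (rule["proto"] == "all" and rule["in"] == "any" and rule["out"] == "any"
            and rule["src"] == "anywhere" and rule["dst"] == "anywhere")


def audit(text):
    """Walk the chain as netfilter does for an arbitrary packet.

    LOG is non-terminal, so the walk continues past it; the first catch-all
    ACCEPT/DROP/REJECT decides the verdict and every rule after it is
    shadowed (it can never match). With no terminal catch-all rule the
    chain policy applies."""
    policy, rules = parse_chain(text)
    verdict, by_rule, shadowed = policy, None, []
    for rule in rules:
        if by_rule is not None:
            shadowed.append(rule["num"])
        elif is_catch_all(rule) and rule["target"] in TERMINAL:
            verdict, by_rule = rule["target"], rule["num"]
    return {"policy": policy, "verdict": verdict, "rule": by_rule, "shadowed": shadowed}


if __name__ == "__main__":
    for name, listing in (("before -D FORWARD 1", BEFORE), ("after -D FORWARD 1", AFTER)):
        print(name, audit(listing))
```

Run against the first state the audit reports that rule 1 (DROP) decides every packet and rules 2 to 4 are shadowed, which is exactly why the ping got no answer and nothing was logged; in the second state the ACCEPT decides and the trailing DROP is dead. A shadowed DROP at the end of a chain is harmless, but a shadowed ACCEPT or a shadowed specific rule usually means the ruleset does not do what its author believes.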




At this stage, any packet may pass through. This is tested by trying to
ping the router again:

      ping -c 4 192.168.2.1
      PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
      64 bytes from 192.168.2.1: icmp_seq=1 ttl=255 time=421 ms
      64 bytes from 192.168.2.1: icmp_seq=2 ttl=255 time=318 ms
      64 bytes from 192.168.2.1: icmp_seq=3 ttl=255 time=162 ms
      64 bytes from 192.168.2.1: icmp_seq=4 ttl=255 time=101 ms


      --- 192.168.2.1 ping statistics ---
      4 packets transmitted, 4 received, 0% packet loss, time 3003ms
      rtt min/avg/max/mdev = 101.091/250.822/421.884/126.566 ms




The router is alive, up and running. Now the bridge interface can be fired
up. It takes about 30 seconds or more until the bridge is fully operational.
This is due to the 30-second learning phase of the bridge interface. During
this phase, the bridge ports learn which MAC addresses exist on which port,
and no packet will be forwarded, so no ping will be answered.





1.6 A look at the operational state

By running the ifconfig command, an output similar to this should be
seen:

    ifconfig
    br0      Link encap:Ethernet HWaddr 00:80:AD:91:8E:C4
             inet addr:192.168.0.220 Bcast:192.168.0.255 Mask:255.255.255.0
             UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
             RX packets:31343 errors:0 dropped:0 overruns:0 frame:0
             TX packets:19315 errors:0 dropped:0 overruns:0 carrier:0
             collisions:0 txqueuelen:0
             RX bytes:3886078 (3.7 MiB) TX bytes:5307848 (5.0 MiB)


    eth0     Link encap:Ethernet HWaddr 00:80:AD:91:8E:C4
           UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
           RX packets:7204 errors:0 dropped:0 overruns:0 frame:0
           TX packets:8561 errors:0 dropped:0 overruns:0 carrier:0
           collisions:9 txqueuelen:1000
           RX bytes:773326 (755.2 KiB) TX bytes:1551833 (1.4 MiB)
           Interrupt:10 Base address:0xdc00


    eth1     Link encap:Ethernet HWaddr 00:C0:26:F0:E4:E2
           UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
           RX packets:37783 errors:0 dropped:0 overruns:0 frame:0
           TX packets:30034 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:4398143 (4.1 MiB) TX bytes:6292398 (6.0 MiB)
           Interrupt:12 Base address:0x7000








     lo       Link encap:Local Loopback
              inet addr:127.0.0.1 Mask:255.0.0.0
              UP LOOPBACK RUNNING MTU:16436 Metric:1
              RX packets:18 errors:0 dropped:0 overruns:0 frame:0
              TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:1410 (1.3 KiB) TX bytes:1410 (1.3 KiB)



               1.6.1 Routing configuration


The output of the route command should look similar to this:

     route -n
     Kernel IP routing table
     Destination   Gateway        Genmask         Flags Metric Ref  Use Iface
     192.168.0.0   0.0.0.0        255.255.255.0   U     0      0    0   br0
     0.0.0.0       192.168.0.120  0.0.0.0         UG    0      0    0   br0


The bridge and the firewall are up and running. However, on a reboot of
the machine all the configuration will be lost. Let's see how the
configuration and all the commands can be saved:


To do so, an sh-style script is needed. It should be put in the
appropriate system boot-up directory, /etc/init.d/:
      touch /etc/init.d/bridge




Then, links in your runlevel directory should be created: /etc/rc?.d/
      cd /etc/rc2.d/
      ln -s /etc/init.d/bridge S10bridge







Open the file created and insert the content below:

     vi /etc/init.d/bridge

    #!/bin/bash

    # /bin and /usr/bin are needed for sleep and echo when the script runs
    # from the boot environment
    PATH="/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/sbin";
    slaveIfs="1 2 4 6 7 8 9 10";   # list of slave ports, not referenced by the commands below
    cmd="$1";
    [ -z "$cmd" ] && cmd="start";
    case "$cmd" in
      start)
        brctl addbr br0;
        brctl stp br0 on;
        brctl addif br0 eth0;
        brctl addif br0 eth1;
        (ifdown eth0 1>/dev/null 2>&1;);
        (ifdown eth1 1>/dev/null 2>&1;);
        ifconfig eth0 0.0.0.0 up;
        ifconfig eth1 0.0.0.0 up;
        # Comment out the next line for a fully transparent bridge without an IP.
        # The address must lie on the subnet of the default gateway below
        # (the ifconfig output in section 1.6 shows br0 as 192.168.0.220).
        ifconfig br0 192.168.2.220 broadcast 192.168.2.255 netmask 255.255.255.0 up;
        route add default gw 192.168.0.120;
        echo "1" > /proc/sys/net/ipv4/ip_forward;
        ;;
      stop)
        # needed by restart: stop forwarding, take the bridge down and remove it
        echo "0" > /proc/sys/net/ipv4/ip_forward;
        ifconfig br0 down;
        brctl delif br0 eth0;
        brctl delif br0 eth1;
        brctl delbr br0;
        ;;
      restart|reload)
        # case patterns are separated by "|", not ","; $0 is this script
        $0 stop;
        sleep 2;
        $0 start;
        ;;
    esac;

And finally, it should be made executable:

    chmod 700 /etc/init.d/bridge






The Monitoring tool - NTOP


NTOP is a tool that shows the network usage. It can be used interactively
or in web mode, and it runs on most operating systems: Linux, Unix,
Windows, Apple ... ntop shows network usage in a way similar to what top
does for processes, so NTOP is "Network TOP". It acts as a web server,
creating an HTML dump of the network status. It can also act as a
probe/collector for popular protocols such as Cisco NetFlow and sFlow.


It is important to see the installation process and how it works. This
document provides information on the use of ntop by network managers or
operators under Linux (Debian Sarge). NTOP is a simple, free and portable
traffic measurement and monitoring tool, initially conceived by Luca Deri
and Stefano Suin for tackling performance problems on the campus network
of the University of Pisa, Italy.

Similar to the Unix top tool that reports the CPU usage of processes, the
authors needed a simple tool able to report the network top users (hence
the term ntop) for quickly identifying those hosts that were currently
using most of the available network resources. ntop then evolved into a
more flexible and powerful tool. The current version of ntop features
command line and web-based user interfaces, and is available on both UNIX
and Win32 platforms. It is developed as open source software. NTOP
focuses on:

   •     traffic measurement,
   •     traffic monitoring,
   •     network optimization and planning, and
   •     detection of network security violations






NTOP users can use a web browser (e.g. Mozilla) to navigate through the
traffic information of ntop (which acts as a web server) and get a dump of
the network status. In the latter case, ntop can be seen as a simple
RMON-like agent with an embedded web interface. The use of:

   •   a web interface
   •   limited configuration and administration via the web interface

makes ntop easy to use and suitable for monitoring various kinds of
networks. It offers a wide range of services, as follows:


         •     Sort network traffic according to many protocols
         •     Display traffic statistics
         •     Store traffic statistics in RRD format
         •     Identify the source/destination IP and display the time stamp
         •     Identify the host OS passively (without sending probe packets)
         •     Show IP traffic distribution among the various protocols
         •     Display IP Traffic Subnet matrix (who's talking to whom?)
         •     Report IP protocol usage sorted by protocol type
         •     Act as a NetFlow/sFlow collector for flows generated by routers
         •     Produce RMON-like network traffic statistics






Installation and usage


Under Debian, the installation process is very simple. It is enough to point
to a mirror and run an apt-get:
      apt-get install ntop


Unfortunately, this option seems not to be the best, since the configuration
files are stored in places that are not very familiar to the user. This time,
the installation will be done the long and a bit more complicated way, but
better and more efficient. For that, the following tarballs are needed.
Download them:

      libpcap-0.9.3.tar.gz from http://www.tcpdump.org/
      ntop-3.1.tgz from http://sourceforge.net/projects/ntop/


Before the installation, make sure the system has the following packages
installed. Otherwise, run:
      apt-get install gd gdb libgd-dev libgdbm-dev
      apt-get install libgdbm3 libgd-noxpm-dev


Now, extract the libpcap tarball and do the installation:
      tar xzvf libpcap-0.9.3.tar.gz
      cd libpcap-0.9.3
      ./configure
      make && make install








Then, install ntop:
      tar xzvf ntop-3.1.tgz
      cd ntop
      ./configure
      make && make install


Run the following command in order to configure the application before
starting the daemon:
      ntop -A


This command will give a result similar to this:
      Thu Jul 21 19:51:25 2005 Initializing gdbm databases
      Thu Jul 21 19:51:25 2005 Now running as requested user '(null)' (0:0)

      Please enter the password for the admin user:
      Please enter the password again:


Find the sample configuration file of ntop this way:
      updatedb
      locate ntop.conf


Then copy it to /etc/ and rename it to ntop.conf:
      cp /usr/ntop/packages/RedHat/ntop.conf.sample /etc/
      cd /etc/
      mv ntop.conf.sample ntop.conf


Now ntop can be started with that configuration file, listening on the
bridge interface:
      ntop @/etc/ntop.conf -i br0






It may fail to start, asking you to check the README file. To solve that
problem, run:
        chown -R nobody. /usr/share/ntop

It can also fail because of the db-file-path setting. Check in
/etc/ntop.conf whether that path matches the directory where the database
files are kept.




Now check your ports to see if there are new ones open and bound to
ntop:
        nmap localhost


Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-08 07:45 CEST
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1644 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
68/tcp open dhcpclient
80/tcp open http
111/tcp open rpcbind
113/tcp open auth
139/tcp open netbios-ssn
143/tcp open imap
443/tcp open https
2000/tcp open callbook
3000/tcp open ppp


Nmap finished: 1 IP address (1 host up) scanned in 0.361 seconds
There is a new open port, 3000/tcp. That is the port used to contact ntop
from the web:
      http://192.168.0.220:3000/
An interface similar to this will pop up (screenshot not reproduced here).
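Spotting the new port in the scan above was done by eye. The following added example (not part of the original report) compares two nmap listings, reports the ports that opened between them, and flags any that were not expected from the installation, which is the check worth repeating every time software is added to the bridge. Both scans inside the block are constructed to mirror the listing above: one before ntop was started, one after.

```python
"""Diff two nmap listings and flag unexpected new open ports.

Added example for this text, not part of the original report. Both scans
are constructed to mirror the listing above: SCAN_BEFORE is the host
before ntop was started, SCAN_AFTER the host afterwards.
"""
import re

SCAN_BEFORE = """\
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-08 07:40 CEST
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1645 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
68/tcp   open  dhcpclient
80/tcp   open  http
111/tcp  open  rpcbind
113/tcp  open  auth
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
2000/tcp open  callbook

Nmap finished: 1 IP address (1 host up) scanned in 0.352 seconds
"""

# Same host after ntop was started: one more open port (constructed).
SCAN_AFTER = SCAN_BEFORE.replace(
    "2000/tcp open  callbook\n",
    "2000/tcp open  callbook\n3000/tcp open  ppp\n").replace("1645 ports", "1644 ports")

# "<port>/<proto>  <state>  <service>" lines of nmap's normal output
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)


def open_ports(scan_text):
    """Map (port, proto) -> service name for every port reported open."""
    return {(int(port), proto): service
            for port, proto, state, service in PORT_RE.findall(scan_text)
            if state == "open"}


def new_open_ports(baseline, current):
    """Ports open now that were not open in the baseline scan."""
    before, after = open_ports(baseline), open_ports(current)
    return {k: v for k, v in after.items() if k not in before}


def unexpected_ports(baseline, current, expected):
    """New open ports not in `expected`, e.g. anything other than ntop's
    web port after installing ntop. These deserve a look before the box
    goes into service."""
    return {k: v for k, v in new_open_ports(baseline, current).items()
            if k not in expected}


if __name__ == "__main__":
    print("new:", new_open_ports(SCAN_BEFORE, SCAN_AFTER))
    print("unexpected:", unexpected_ports(SCAN_BEFORE, SCAN_AFTER, {(3000, "tcp")}))
```

The service name in the last column comes from nmap's services table, not from the process, which is why 3000/tcp is labelled "ppp" although ntop is listening there; the port number, not the label, is what to compare against the expectation. Since ntop's interface on 3000/tcp is plain HTTP and protected by the password set with `ntop -A`, it should be reachable only from the administrator's network.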






The web interface shows many links where the configuration can be done
and the graphical view of the traffic can be seen (screenshots of the main
page, the "More" menu and the "Protocols" view are not reproduced here).




Conclusion


There are many tools we use as network and security professionals to
build a secure network. Routers, virtual private networks, intrusion
detection systems and vulnerability scanners are regularly employed to
handle this challenging task. Many would agree that the basis of such a
defense is the firewall. While the traditional implementation of a firewall
as a router works well in most situations, another version can strengthen
existing configurations or succeed where it fails. With the concept of a
bridging or transparent firewall, which sits in-line with the network it
protects, performance and security become less time consuming and cheaper.



One way, the quickest, least time-consuming and secure, is to set up just
a black box and benefit from the advantage of having a machine that is
completely transparent, with no IP and no MAC, so no changes at all in the
network.


Therefore, the project has opted for the second way, a bridging firewall,
because of other components like sniffing and IDS that are important to
network administrators.


Transparent/bridging firewalls are excellent security tools when used in
the right situation. The rapid deployment capabilities and minimal
configuration changes make them valuable alternatives to traditional
routing firewalls. Such benefits, combined with deep packet analysis and
filtering possibilities, are why many claim this is the future of the firewall
industry.






Soon, we will be managing in-line devices that handle the routing, filtering
and analysis of packets for very large networks, reducing the complexity,
deployment time and management headaches of the multiple machines
required today.




This project has shown the necessity of such technologies and, more than
that, it has described how network administrators can build their own
boxes and manage the network with less headaches.




With this technology that includes auditing, monitoring and firewalling at
once, changes in the network become necessary. There is a need to add the
default gateway route on every single host in your network, and this is a
drawback. Network administrators find it tedious to change more than 5
default routes on 5 different hosts more than once. This is somewhat time
consuming too!


Still, this is state of the art in handling networks when security is a
concern.






Bibliography


http://en.wikipedia.org/
http://www.securityfocus.com
www.ntop.org/
www.cisco.com
www.mwcollect.org
http://www.simpleweb.org/tutorials
http://nixdoc.net/Linux-Howtos
http://www.die.net/doc/linux/HOWTO/mini/Bridge+Firewall-3.html#ss3.5



