The first IEEE 802 bridge is the transparent bridge, also called a spanning tree bridge. The primary concern of those who backed this design was complete transparency. From their point of view, an organisation with multiple LANs should be able to buy bridges conforming to the IEEE standard, plug in the connectors, and have all its problems solved: no hardware or software changes, no address switches to set, no parameters to configure and no routing tables to load. In short, doing nothing but inserting the cable, and without disturbing the operation of the existing LANs in any way. Incredibly, they succeeded.
it@ab-upgrade II 2004/2005 Training Programme - “Business related IT Consultancy”

Introduction

Experience with Information Technology security implementation, auditing and monitoring using security evaluation tools in recent years has shown that such evaluations are very expensive and time consuming, at least from the point of view of IT technicians and engineers. Although security functional testing is an important component of security evaluation, time and cost considerations have pushed it into the background of the overall security evaluation schemes. This is the main motive for this project. Network Auditing and Monitoring with open source tools is a project intended to offer an alternative for security evaluation at low cost and in less time. It brings live examples and studies that show the importance of security in the IT field. It is meant to open the eyes of decision makers and network administrators, and to show the misuse and/or overload of devices and networks that results from a missing security component. It is, after all, to help Mozambique get a lot more out of IT as a fundamental tool in this world of globalization. In these first lines, it becomes important to define Information Technology and Information Security as well as the role they play all over the world nowadays. Then follows an overview of the author and the institution behind this work. The second part will mainly consist of snapshots showing exploits and countermeasures, while the last part will contain considerations, tips and recommendations for good network administration.
According to the web encyclopedia (Wikipedia), Information Technology includes all matters concerned with the furtherance of computer science and technology and with the design, development, installation, and implementation of information systems and applications, while Information Security deals with several different "trust" aspects of information. A common term is information assurance. Information security is not confined to computer systems, nor to information in an electronic or machine-readable form. It applies to all aspects of safeguarding or protecting information or data, in whatever form. Due to the breadth of this topic, this project will deal with information security within the IT field: the data processed by computers and, mainly, the data transmitted over the network. It is intended to outline the imminent risks to which computers and other network devices are exposed, and to establish conditions for use and requirements for appropriate security covering the University computing equipment and networks as well as its customers. Computing equipment is defined to include desktops, laptops, servers and connected network equipment. With these conditions, individuals and companies in particular will be able to get a lot more from the network just by taking the necessary security considerations into account.
Network Auditing and Monitoring with open source tools

Author: Ricardo Mário Taca (email@example.com)
Coach: Hans Peter Merkel (firstname.lastname@example.org)
Director: Américo Muchanga (email@example.com)
Senior: Francisco Mabila (firstname.lastname@example.org)

Name: Taca
Firstname: Ricardo Mario
Date of birth: February 28th, 1977
Country: Mozambique
Education: BA in Education Sciences
Language Skills: Portuguese, English and French
Institution: Centre for Informatics of Eduardo Mondlane University

Professional Responsibilities:
2004: Computer Security Technician. Fighting viruses, spam, spyware and other malicious products. Working as CIUEM workstation administrator.
2003/2004: Network administrator. Taking part in the administration team of AFS (Andrew File System) and Kerberos, systems made for authentication and for sharing information and resources in a network at CIUEM.
2003: Computer hardware and software troubleshooter at the Center for Informatics of Eduardo Mondlane University (CIUEM).

CIUEM

The Informatics Centre of Eduardo Mondlane University (CIUEM) is a technical unit within the University, whose aim is to provide ICT related services such as Internet service provision, network design, hardware repair, etc. CIUEM acts as an adviser for the University regarding ICT policies and strategies.

Project title and description

Network Auditing and Monitoring with open source tools. In today's world, where all computing revolves around the concept of networking, the work of system administrators has become more and more challenging. It is necessary to monitor the availability of resources such as routers, hubs, servers and every critical device in the network.
There are many reasons managers would like to monitor network devices: bandwidth utilization, operational state of links, bottlenecks, problems with the cabling or with the routing information distributed between its devices, etc. The University network in particular includes expensive links to remote networks (WAN) and to the Internet, whose costs are mainly based on traffic volume. It is very important to maintain statistics of the traffic going through, since bandwidth is still a problem. This is a very common problem in Mozambique and that is the reason why this project started. The project is designed to respond to the needs of the University, Ministries and governmental institutions as a good starting point for discovering security problems and misbehaviours within the networks. The goal is to secure and increase the performance of the networks so that the information system is safely and effectively flowing.

Project scope and Deliverables

The strategy is to build up a toolbox with Open Source Software for Auditing and Monitoring Networks. This involves selecting appropriate tools, installation and testing, in order to:
• get familiar with the tools
• implement a prototype
• deliver the necessary product documentation
• select the functionalities that best fit the needs
• define milestones
The scope consists of the product layers, the documents and the knowledge to use the tools. The layers are: the Operating System layer, which is Debian Sarge; the Database layer, allocated in MySQL; and the Tools layer, OSS that builds the user interface interacting with the database. Concerning the application layer, NTOP has proven to be the best tool for network management according to the functionalities to be implemented.

Project structure: Roles and Responsibilities

Ricardo Mario Taca: Research, evaluation, testing, implementation, documentation and presentation of the final product.
Hans-Peter Merkel: First line coach.
Markus Mayer: Program Manager. Escalation and communication to inWEnt.
Francisco Mabila: Approvals concerning changes and guidance to meet the University's needs (CIUEM).

The need - Malware collector

„mwcollect is an easy solution to collect worms and other autonomous spreading malware in a non-native environment like FreeBSD or Linux. The first versions were used to collect binaries for botnet monitoring and bots are still what mwcollect is mostly used for collecting“ - http://www.mwcollect.org/

Let us take the following scenario into consideration. It reflects the real environment, though this one is intended only for testing purposes.

   Ethernet                                        Ethernet/DSL
   ----------      --------      -----------------        /----------\
   |Notebook|------|Bridge|------|IpCop - Gateway|--------| Internet |
   ----------      --------      -----------------        \----------/
       ^           ^      ^       ^                ^
      eth0       eth0    eth1    eth0             eth0
   192.168.0.114   \-br0-/     192.168.0.2      192.168.0.1
                192.168.0.10
      LAN        Black Box       Firewall         Router

The notebook, running Debian, was the machine on which the collector was installed and to which the traffic was redirected.

Mwcollect installation

1. Install the dependency libraries:
   apt-get install libpcre3-dev libcurl3-dev
2. Download the latest version of mwcollect from this site: www.mwcollect.org
3. Untar and install the program:
   tar xjvf mwcollect2.1.1.tar.bz2
   cd mwcollect2.1.1
   make
4. Still in the mwcollect directory, back up the mwcollect configuration file and rename the remaining one:
   cp mwcollect.conf.dist /usr/local
   mv mwcollect.conf.dist mwcollect.conf
5. Create a folder for the logs:
   mkdir /var/mwcollect
6. Run mwcollect with this command to see the output on the screen:
   ./bin/mwcollectd -L spam -C -c mwcollectd.conf
   or with this one to run it as a daemon:
   ./bin/mwcollectd -c mwcollectd.conf -D

Note that it is necessary to invoke mwcollectd from the path where you have unpacked it. If it gives errors like "the user nobody is in use", then create another user and enter it in the configuration file. It is common that the chown command is invoked to give the new user enough rights. The user can be created by typing:
   adduser mwcollect
   chown -R mwcollect. /var/mwcollect
The next step is to open port 135 on the gateway and redirect it to the collecting machine:
   iptables -A INPUT -p tcp --dport 135 -j ACCEPT
   iptables -t nat -A PREROUTING -p tcp --dport 135 -j DNAT --to-destination 192.168.0.114:1025
Now all traffic to port 135 will be redirected to the notebook. Surprisingly, every now and then, after a learning stage, a trojan will pop up.

Another common scenario is having a UML (User-Mode Linux) instance on the gateway running an IDS such as IPCop. For this kind of network the approach needs improving, since IPCop uses port 445 by default. This conflict can be overcome. Log in to the gateway, or use ssh:
   ssh 192.168.0.1 -p 222
Open the following file:
   vi /home/httpd/cgi-bin/portfw.cgi
Search for "445" and replace it with any available port number. Re-initialise the ipcopuml or even reboot the machine. The next step is to configure the forwarding functionality from IPCop. It is pretty easy through the admin interface, just a couple of clicks on the port forwarding icon.

The collecting part is nothing more than sitting and watching the traffic flowing in, but to see what those worms and trojans are capable of, a Windows machine running XP, for example, would be great. It starts broadcasting and looking for targets within the network as well as establishing connections to the Internet.
Transparent Bridge

A transparent bridge, or black box, is a device that connects two local-area networks (LANs), or two segments of the same LAN that use the same protocol, such as Ethernet or Token Ring. Transparent bridges are so named because their presence and operation are transparent to network hosts. When transparent bridges are powered on, they learn the workstation locations by analysing the source address of incoming frames from all attached networks. The bridge uses its table as the basis for traffic forwarding. When a frame is received on one of the bridge's interfaces, the bridge looks up the frame's destination address in its internal table. If the table contains an association between the destination address and any of the bridge's ports aside from the one on which the frame was received, the frame is forwarded out the indicated port. If no association is found, the frame is flooded to all ports except the inbound port. Broadcasts and multicasts are also flooded in this way. Transparent bridges successfully isolate intrasegment traffic, thereby reducing the traffic seen on each individual segment. This is called filtering and occurs when the source and destination MAC addresses reside on the same bridge interface. Filtering usually improves network response times, as seen by the user. The extent to which traffic is reduced and response times are improved depends on the volume of intersegment traffic relative to the total traffic, as well as on the volume of broadcast and multicast traffic. A bridge learns about the direction to send frames to reach a station by building a bridge table. The bridge builds the table by observing the source MAC address of each frame that it receives and associating that address with the receiving port.
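The learning, forwarding, flooding and filtering rules just described, as an added simulation (not code from the report); the port names eth0/eth1 and the MAC addresses are constructed for illustration:

```python
# Added example (not code from the report): a simulation of the learning
# bridge behaviour described above. Port names and MAC addresses are
# constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the I/G bit (bit 0 of the first
    octet) set; a bridge floods these instead of looking them up."""
    return bool(int(mac.split(":")[0], 16) & 0x01)


@dataclass
class LearningBridge:
    ports: List[str]
    # bridge table: MAC address -> port on which that station was last seen
    table: Dict[str, str] = field(default_factory=dict)
    stats: Dict[str, int] = field(
        default_factory=lambda: {"forwarded": 0, "flooded": 0, "filtered": 0})

    def receive(self, in_port: str, src: str, dst: str) -> List[str]:
        """Handle one frame arriving on in_port; return the ports it leaves on."""
        if in_port not in self.ports:
            raise ValueError("frame received on unknown port %r" % in_port)
        src, dst = src.lower(), dst.lower()
        # Learning: the source station is reachable through the inbound port.
        # Re-learning on every frame also tracks stations that move segments.
        self.table[src] = in_port
        if is_group_address(dst):
            self.stats["flooded"] += 1
            return self._flood(in_port)
        out_port = self.table.get(dst)
        if out_port is None:
            # Unknown unicast destination: flood to every port but the inbound one.
            self.stats["flooded"] += 1
            return self._flood(in_port)
        if out_port == in_port:
            # Filtering: source and destination share a segment, so the frame
            # never crosses the bridge and the other segments never see it.
            self.stats["filtered"] += 1
            return []
        self.stats["forwarded"] += 1
        return [out_port]

    def _flood(self, in_port: str) -> List[str]:
        return [p for p in self.ports if p != in_port]


def demo() -> Dict[str, int]:
    """Replay the notebook/gateway layout used in the report: the notebook
    sits behind eth0, the gateway behind eth1 (MACs are constructed)."""
    notebook = "00:11:22:aa:bb:01"
    gateway = "00:11:22:aa:bb:02"
    neighbour = "00:11:22:aa:bb:03"   # a second station on the notebook's segment
    br = LearningBridge(["eth0", "eth1"])
    br.receive("eth0", notebook, gateway)    # gateway not learned yet: flooded out eth1
    br.receive("eth1", gateway, notebook)    # notebook known: forwarded out eth0
    br.receive("eth0", neighbour, notebook)  # same segment as notebook: filtered
    br.receive("eth0", notebook, "ff:ff:ff:ff:ff:ff")  # broadcast: flooded
    return dict(br.stats)


if __name__ == "__main__":
    print(demo())
```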
1.1 The Utility of a Transparent Bridge

Due to the main and necessary role of firewalls in network security, there is little about them that is not known. A firewall inspects and filters traffic before making a decision on what to do with a packet. Normally it has two interfaces, an internal and an external one. The external connection sits downstream from a router connected to the Internet. The internal interface usually leads to a local router or private network. Each interface, or network card, has an IP address. An incoming packet from the Internet would reach the external interface, where the firewall would handle the packet according to its ruleset. Next the TTL would be decremented, the packet modified accordingly (i.e. NAT) and routed to its destination or next hop. It is easy to think of many firewalls as simple routers with sophisticated filtering techniques. Conversely, routers have simple filtering capabilities.

Why a transparent bridge?! Because the firewall approach described above, though suitable for many situations, does have some drawbacks.
1. It is not easy to simply 'add' a firewall to a network. The internal and external interfaces require IP addresses and create subnetting issues. The internal hosts need to be configured to see the firewall as the gateway. Additionally, surrounding routers need to recognize the firewall as a hop to the internal network. In short, the potential for several configuration problems or update requirements exists before the device is put in place.
2. Overhead. There is a lot of processing required for each packet: inspection, modification, routing. This in turn either raises hardware costs or hurts performance.
3. Everyone knows it is there. A firewall makes no effort to masquerade itself from the outside world. With a little investigation and the proper enumeration techniques, it is trivial to identify a device that is acting as a firewall.
And even if the device itself is extremely secure, the mere fact that it exists and is reachable via the network makes it vulnerable. The software type and version might be revealed based on probing responses. Denial of service floods are very common since they are often the only possible attack against a secure device such as a firewall. And there is the possibility of mapping the rule set using firewalking and knowledge of the filtering device. Such issues are not deal breakers, but headaches for administrators and engineers. This makes a transparent bridge a better solution!

Benefits of bridging
1. Zero configuration. From a networking standpoint, there are virtually no changes. The bridging firewall is plugged in-line with the network it is protecting. This means it can sit between routers, or between a router and a switch, or even in front of a single machine. While it might be placed exactly where it would be if it were acting as a gateway or router, it is not one. Remember, it merely moves frames between interfaces after inspecting them. This means that there is no need to make any changes to your existing network. It is completely transparent. No subnetting headaches or configuration updates are required with this device.
2. Performance. Because they are simpler devices, there is less processing overhead. This cost cutting either boosts the capabilities of the machines or allows for deeper examination of the data.
3. Stealth. A key aspect of this device is the fact that it operates at layer 2 of the OSI model. This means the network interfaces have no IP addresses. Such a feature carries more weight than mere ease of configuration. Without an IP address, this device is unreachable and invisible to the outside world. If it cannot be reached, how can anyone attack it? No network probes, denial of service floods or firewalking on this machine.
Your attackers will not even know it is in place, silently inspecting everything they send. With the benefits and strengths of a bridging firewall in mind, let us examine the situations in which such a device can excel.

1.2 Transparent firewalls

Since the fundamental task of a firewall is to filter packets, the weak point in its traditional behaviour is the fact that it must also route packets after a decision is made. A transparent bridge helps by stepping down a layer in the OSI model. Instead of the device handling packets at layer 3 (network), it can merely inspect frames and move them to the proper interface. This device would continue to filter packets, but operate at layer 2 (data link), like a bridge. Such a device is known by several names: a transparent, in-line, shadow, stealth or bridging firewall. Unlike a router, which makes packet decisions, a bridge merely moves frames from one interface to the other. It is a much simpler networking device. Data comes in one interface, goes right over to the other and vice versa. So in between, the core task of a firewall, filtering, can be performed.

1.3 Using transparent firewalls

Bridging devices are most useful in complex environments that require a rapid or new firewall deployment. Using a traditional firewall would require dealing with the mandatory routing changes. As mentioned above, configuration changes to hosts, neighbouring routers and the firewall itself would be necessary. In a large or complex network like the University's, this would be a difficult, time-consuming task. The use of a bridging firewall reduces both the configuration and the deployment time, a definite plus for any business with limited IT resources. A bridging firewall can be plugged in with zero deployment time at each location. It is a great solution to the challenging task of securing bigger or smaller corporate networks.
Similarly, smaller companies without a dedicated IT staff can use a consultant to assist in the design and deployment of the firewall. The minimal configuration changes and installation time keep costs down. Bridging devices can also be used for additional applications. Since the overhead is minimal, we can add an intrusion detection system (IDS) to the machine. The combination of security and networking devices is a relevant topic for the University. It is an obvious step, since the devices all analyse the same packets. For this project, the Snort IDS will be run on the bridging machine in addition to the firewall. So the box will be running a single application processing (bridge or router), filtering (firewall) and analysing (IDS) the packets. After analysing the latest products emerging from many of the major firewall and IDS vendors, it became clear that this is the direction such tools are heading in. Another application to consider using on a bridging device, and an important one when monitoring networks, is a sniffer. It is often necessary to audit and examine the types of packets flowing in and out of a network. An in-line bridging device is a great place for gathering such data, since it is an invisible gateway for the network. The device can be deployed and removed for analysis with no disruptions, and it becomes a fast and accurate window.

1.5 Getting a Bridging Firewall

Having reviewed these devices and their potential applications, it becomes necessary to include the documentation on installation and usage, since this is the final product of the project. There is an open source project for adding bridging software to Linux. The first step is to have the desired OS installed, in this case Debian.
Configuring a Debian box to act as a bridge

The scenario below was built up for testing purposes and for making this project possible:

   Ethernet                              Ethernet/Wireless
   ----------           -----------------                     /----------\
   |Notebook|-----------|Gateway Machine|--------------------| Internet |
   ----------           -----------------                     \----------/
       ^                 ^           ^                ^
      eth0              eth0        wlan0             |
   192.168.0.114   192.168.0.120   192.168.2.105   192.168.2.1

Local Network: 192.168.0.0/24. There is a machine in this network (192.168.0.114). The machine with IP 192.168.0.120 plays the role of a gateway. It has two interfaces: eth0 and wlan0. The eth0 is connected to the LAN (192.168.0.0/24) and the wlan0 (192.168.2.105) is connected to the router, 192.168.2.1. For bridging, a new computer will be placed in between the notebook and the gateway. All the traffic flowing from and to the notebook will go through the bridge for analysis. This new machine has two network interfaces which, from the next step on, will be assigned to the bridge interface.

First, install the package that will help in the configuration process:
   apt-get install bridge-utils
Now tell the Debian box that it should configure one virtual ethernet (bridge) interface. This is to be executed on the bridge host, of course:
   brctl addbr br0
Second, deactivate STP (Spanning Tree Protocol). There is one single router, so a loop is highly improbable, and the networking environment should be less polluted:
   brctl stp br0 off
After these preparations, it is time to add the two physical ethernet interfaces. That means attaching them to the logical (virtual) bridge interface br0:
   brctl addif br0 eth0
   brctl addif br0 eth1
The physical ethernet interfaces are now each a port of the logical bridge.
Though they are still there and present, since they need no IP configuration any longer, it is time to release their IPs:
   ifconfig eth0 down
   ifconfig eth1 down
   ifconfig eth0 0.0.0.0 up
   ifconfig eth1 0.0.0.0 up
The new (logical) interface can now be brought up and, optionally, associated with one single IP:
   ifconfig br0 up
Note that giving br0 an IP address makes the bridge itself reachable from the network again, which gives up the stealth property described in 1.1; it is a convenience for remote administration and for the monitoring tool only.

The bridge is up but the Internet connection is down. The gateway needs to be reconfigured.

   Ethernet                                            Ethernet/Wireless
   ----------      --------      -----------------                     /----------\
   |Notebook|------|Bridge|------|Gateway Machine|--------------------| Internet |
   ----------      --------      -----------------                     \----------/
       ^           ^      ^       ^           ^                ^
      eth0       eth0    eth1    eth0        wlan0             |
   192.168.0.114   \-br0-/   192.168.0.120  192.168.2.105  192.168.2.1
                192.168.0.220
      LAN        Black Box                  Router          Jungle

The administrative power in monitoring lies in the machine marked LAN; the gateway, or better, the router, is completely off-limits, and so is the Internet. That means control of the traffic on the ethernet wire is possible, and for better results, since security is the concern, a common firewall (packet filter) will be integrated in the bridge. Now it is time for some iptables rules on the bridge host:
   iptables -P FORWARD DROP
   iptables -F FORWARD
   iptables -I FORWARD -j ACCEPT
   iptables -I FORWARD -j LOG
   iptables -I FORWARD -j DROP
   iptables -A FORWARD -j DROP
   iptables -x -v --line-numbers -L FORWARD
As a result of the policy above, the last line gives us the following output:
   num   pkts   bytes   target   prot opt in    out   source     destination
   1     0      0       DROP     all  --  any   any   anywhere   anywhere
   2     0      0       LOG      all  --  any   any   anywhere   anywhere
   3     0      0       ACCEPT   all  --  any   any   anywhere   anywhere
   4     0      0       DROP     all  --  any   any   anywhere   anywhere
The LOG target logs every packet via syslogd.
This is intended for testing purposes only, just to see if the ruleset is working. To test whether the ruleset above is working, we try to reach the router with a ping:
   ping -c 4 192.168.2.1
The result will be: ping: unknown host 192.168.2.1. This is because the default is to DROP everything. No response, no logged packet. This netfilter setup is designed to DROP all packets, and it is clearly visible that the rules set above are working. Now it is time to set up rules that are to work in the real environment.
1. Delete the first rule above and enable forwarding in the Linux kernel:
   iptables -D FORWARD 1
   echo "1" > /proc/sys/net/ipv4/ip_forward
2. Assign a default route:
   route add default gw 192.168.0.120
The link to the Internet should now be active. Now run:
   iptables -x -v --line-numbers -L FORWARD
   Chain FORWARD (policy DROP 0 packets, 0 bytes)
   num   pkts   bytes   target   prot opt in    out   source     destination
   2     0      0       LOG      all  --  any   any   anywhere   anywhere
   3     0      0       ACCEPT   all  --  any   any   anywhere   anywhere
   4     0      0       DROP     all  --  any   any   anywhere   anywhere
At this stage, any packet may pass through. This is tested by trying to ping the router again:
   ping -c 4 192.168.2.1
   PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
   64 bytes from 192.168.2.1: icmp_seq=1 ttl=255 time=421 ms
   64 bytes from 192.168.2.1: icmp_seq=2 ttl=255 time=318 ms
   64 bytes from 192.168.2.1: icmp_seq=3 ttl=255 time=162 ms
   64 bytes from 192.168.2.1: icmp_seq=4 ttl=255 time=101 ms
   --- 192.168.2.1 ping statistics ---
   4 packets transmitted, 4 received, 0% packet loss, time 3003ms
   rtt min/avg/max/mdev = 101.091/250.822/421.884/126.566 ms
The router is alive, up and running. Now the bridge interface can be fired up. It takes about 30 seconds or more until the bridge is fully operational. This is due to the 30-second learning phase of the bridge interface. During this phase, the bridge ports are learning which MAC addresses exist on which port.
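The two FORWARD chain listings above can be checked without sending pings, as in this added example (not code from the report): it parses the output of `iptables -x -v --line-numbers -L FORWARD` and walks the chain the way netfilter does, so the "everything dropped" test state and the "LOG then ACCEPT" working state are told apart. The listings embedded below are constructed from the ones shown in the text; only the columns the listing prints are matched (port matches such as dpt: are not evaluated).

```python
# Added example (not code from the report): evaluate an iptables FORWARD
# chain listing the way netfilter would, for a given packet description.
import re
from typing import Dict, List, Tuple

# Constructed from the listings shown in the text: the test state (rule 1
# drops everything) and the live state after `iptables -D FORWARD 1`.
TEST_STATE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target prot opt in  out source   destination
1     0    0     DROP   all  --  any any anywhere anywhere
2     0    0     LOG    all  --  any any anywhere anywhere
3     0    0     ACCEPT all  --  any any anywhere anywhere
4     0    0     DROP   all  --  any any anywhere anywhere
"""

LIVE_STATE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target prot opt in  out source   destination
2     0    0     LOG    all  --  any any anywhere anywhere
3     0    0     ACCEPT all  --  any any anywhere anywhere
4     0    0     DROP   all  --  any any anywhere anywhere
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
FIELDS = ("num", "pkts", "bytes", "target", "prot", "opt", "in", "out",
          "source", "destination")
TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # LOG is non-terminating
WILDCARDS = {"all", "any", "anywhere"}


def parse_chain(listing: str) -> Tuple[str, List[Dict[str, str]]]:
    """Return (default policy, rules in listing order)."""
    policy = None
    rules: List[Dict[str, str]] = []
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            policy = m.group(2)
            continue
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(dict(zip(FIELDS, m.groups())))
    if policy is None:
        raise ValueError("no 'Chain ... (policy ...)' header found")
    return policy, rules


def rule_matches(rule: Dict[str, str], packet: Dict[str, str]) -> bool:
    """'all', 'any' and 'anywhere' are wildcards; any other value in the
    prot/in/out/source/destination columns must equal the packet's field."""
    for col in ("prot", "in", "out", "source", "destination"):
        if rule[col] not in WILDCARDS and rule[col] != packet.get(col):
            return False
    return True


def verdict(listing: str, packet: Dict[str, str]) -> Tuple[str, bool]:
    """Walk the chain: the first matching terminating target decides, LOG
    only records that the packet was logged, and the chain policy applies
    when no terminating rule matches. Returns (verdict, logged)."""
    policy, rules = parse_chain(listing)
    logged = False
    for rule in rules:
        if not rule_matches(rule, packet):
            continue
        if rule["target"] == "LOG":
            logged = True
        elif rule["target"] in TERMINATING:
            return rule["target"], logged
    return policy, logged


if __name__ == "__main__":
    # The ping from the notebook to the router used in the text.
    ping = {"prot": "icmp", "in": "eth0", "out": "eth1",
            "source": "192.168.0.114", "destination": "192.168.2.1"}
    print("test state:", verdict(TEST_STATE, ping))   # ('DROP', False)
    print("live state:", verdict(LIVE_STATE, ping))   # ('ACCEPT', True)
```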
During this phase, no packet will be forwarded and no ping will be answered.

1.6 A look on the operational state

By running the ifconfig command, output similar to this should be seen:
   ifconfig
   br0       Link encap:Ethernet  HWaddr 00:80:AD:91:8E:C4
             inet addr:192.168.0.220  Bcast:192.168.0.255  Mask:255.255.255.0
             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
             RX packets:31343 errors:0 dropped:0 overruns:0 frame:0
             TX packets:19315 errors:0 dropped:0 overruns:0 carrier:0
             collisions:0 txqueuelen:0
             RX bytes:3886078 (3.7 MiB)  TX bytes:5307848 (5.0 MiB)

   eth0      Link encap:Ethernet  HWaddr 00:80:AD:91:8E:C4
             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
             RX packets:7204 errors:0 dropped:0 overruns:0 frame:0
             TX packets:8561 errors:0 dropped:0 overruns:0 carrier:0
             collisions:9 txqueuelen:1000
             RX bytes:773326 (755.2 KiB)  TX bytes:1551833 (1.4 MiB)
             Interrupt:10 Base address:0xdc00

   eth1      Link encap:Ethernet  HWaddr 00:C0:26:F0:E4:E2
             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
             RX packets:37783 errors:0 dropped:0 overruns:0 frame:0
             TX packets:30034 errors:0 dropped:0 overruns:0 carrier:0
             collisions:0 txqueuelen:1000
             RX bytes:4398143 (4.1 MiB)  TX bytes:6292398 (6.0 MiB)
             Interrupt:12 Base address:0x7000

   lo        Link encap:Local Loopback
             inet addr:127.0.0.1  Mask:255.0.0.0
             UP LOOPBACK RUNNING  MTU:16436  Metric:1
             RX packets:18 errors:0 dropped:0 overruns:0 frame:0
             TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
             collisions:0 txqueuelen:0
             RX bytes:1410 (1.3 KiB)  TX bytes:1410 (1.3 KiB)

1.6.1 Routing configuration

The output of the route command should look similar to this:
   route -n
   Kernel IP routing table
   Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
   192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
   0.0.0.0         192.168.0.120   0.0.0.0         UG    0      0        0 br0
The bridge and the firewall are up and running.
Though, on reboot of the machine, all the configuration will be lost. Let us see how the configuration and all the commands can be saved. To do so, an sh-style script is needed. It should be put in the appropriate system boot-up directory, /etc/init.d/:
   touch /etc/init.d/bridge
Then links in your runlevel directory, /etc/rc?.d/, should be created:
   cd /etc/rc2.d/
   ln -s /etc/init.d/bridge S10bridge
Open the file created and insert the content below:
   vi /etc/init.d/bridge

   #!/bin/bash
   # /etc/init.d/bridge - bring the transparent bridge br0 up or down.
   # /bin and /usr/bin are on the PATH so that sleep is found on restart.
   PATH="/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin"
   cmd="$1"
   [ -z "$cmd" ] && cmd="start"
   case "$cmd" in
     start)
       brctl addbr br0
       # STP is deactivated, as in the manual steps above (single router, no loop)
       brctl stp br0 off
       brctl addif br0 eth0
       brctl addif br0 eth1
       # release the IP configuration of the physical interfaces
       (ifdown eth0 1>/dev/null 2>&1)
       (ifdown eth1 1>/dev/null 2>&1)
       ifconfig eth0 0.0.0.0 up
       ifconfig eth1 0.0.0.0 up
       # Comment out the next line if you do not want to assign an IP to the bridge
       ifconfig br0 192.168.0.220 broadcast 192.168.0.255 netmask 255.255.255.0 up
       route add default gw 192.168.0.120
       echo "1" > /proc/sys/net/ipv4/ip_forward
       ;;
     stop)
       ifconfig br0 down
       brctl delif br0 eth0
       brctl delif br0 eth1
       brctl delbr br0
       ;;
     restart|reload)
       $0 stop
       sleep 2
       $0 start
       ;;
     *)
       echo "Usage: $0 {start|stop|restart|reload}"
       exit 1
       ;;
   esac

And finally, it should be made executable:
   chmod 700 /etc/init.d/bridge

The Monitoring tool - NTOP

NTOP is a tool that shows the network usage. It can be used interactively, or in web mode. It runs on all or most operating systems: Linux, Unix, Windows, Apple ... ntop shows network usage in a way similar to what top does for processes, so NTOP is Network TOP. It acts as a web server, creating an HTML dump of the network status. It can act as a probe/collector for popular protocols such as Cisco NetFlow and sFlow. It is important to see the installation process and how it works. This document is to provide information on the use of ntop by network managers or operators under Linux – Debian Sarge.
NTOP is a simple, free and portable traffic measurement and monitoring tool, initially conceived by Luca Deri and Stefano Suin for tackling performance problems on the campus network of the University of Pisa, Italy. Similar to the Unix top tool that reports processes' CPU usage, the authors needed a simple tool able to report the network top users (hence the term ntop) for quickly identifying those hosts that were currently using most of the available network resources. ntop then evolved into a more flexible and powerful tool. The current version of ntop features command line and web-based user interfaces, and is available on both UNIX and Win32 platforms. It is currently developed using the concept of open source software. NTOP focuses on:
• traffic measurement,
• traffic monitoring,
• network optimization and planning, and
• detection of network security violations.
NTOP users can use a web browser (e.g. Mozilla) to navigate through the traffic information of ntop (which acts as a web server) and get a dump of the network status. In the latter case, ntop can be seen as a simple RMON-like agent with an embedded web interface. The use of:
• a web interface
• limited configuration and administration via the web interface
makes ntop easy to use and suitable for monitoring various kinds of networks. It offers a wide range of services, as follows:
• Sort network traffic according to many protocols
• Display traffic statistics
• Store traffic statistics in RRD format
• Identify the source/destination IP and display the time stamp
• Identify the host OS passively (without sending probe packets)
• Show IP traffic distribution among the various protocols
• Display IP Traffic Subnet matrix (who's talking to whom?)
• Report IP protocol usage sorted by protocol type
• Act as a NetFlow/sFlow collector for flows generated by routers
• Produce RMON-like network traffic statistics

Installation and usage

Under Debian, the installation process is very simple. It is enough to point to a mirror and run apt-get:

    apt-get install ntop

Unfortunately, this option does not seem to be the best, since the configuration files end up in places that are not familiar to the user. This time the installation will be done the long and slightly more complicated way, which is better and more efficient. Keep in mind that a source build is outside the Debian security update process: new ntop and libpcap releases have to be tracked and rebuilt by hand. For that, the following tarballs are needed. Download them:

    http://www.tcpdump.org/                  libpcap-0.9.3.tar.gz
    http://sourceforge.net/projects/ntop/    ntop-3.1.tgz

Before the installation, make sure the system has the following packages installed. Otherwise, run:

    apt-get install gd gdb libgd-dev libgdbm-dev
    apt-get install libgdbm3 libgd-noxpm-dev

Now extract the libpcap tarball and do the installation:

    tar xzvf libpcap-0.9.3.tar.gz
    cd libpcap-0.9.3
    ./configure
    make && make install

Then install ntop:

    tar xzvf ntop-3.1.tgz
    cd ntop
    ./configure
    make && make install

Run the following command in order to configure the application before starting the daemon; it initializes the gdbm databases and sets the password of the admin user of the web interface:

    ntop -A

This command will give a result similar to this:

    Thu Jul 21 19:51:25 2005 Initializing gdbm databases
    Thu Jul 21 19:51:25 2005 Now running as requested user '(null)' (0:0)
    Please enter the password for the admin user:
    Please enter the password again:

Note the "(0:0)": ntop is running as root here. For daily operation it should be started as an unprivileged user with the -u option (nobody is used below), which is also why the ownership of its data directory is changed further on. Find the configuration file of ntop.
Find it this way:

    updatedb
    locate ntop.conf

Then copy it to the /etc directory and rename it to ntop.conf:

    cp /usr/ntop/packages/RedHat/ntop.conf.sample /etc/
    cd /etc/
    mv ntop.conf.sample ntop.conf

Here is a basic command to start ntop with that configuration file, listening on the bridge interface:

    ntop @/etc/ntop.conf -i br0

It may fail to start and ask you to check the README file. To solve that problem, run:

    chown -R nobody. /usr/share/ntop

It can also fail because of the db-file-path. Check in /etc/ntop.conf that the path matches the directory where the databases are.

Now check your ports to see if there are new ones open and bound to ntop:

    nmap localhost

    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-08 07:45 CEST
    Interesting ports on localhost.localdomain (127.0.0.1):
    (The 1644 ports scanned but not shown below are in state: closed)
    PORT     STATE SERVICE
    21/tcp   open  ftp
    22/tcp   open  ssh
    25/tcp   open  smtp
    68/tcp   open  dhcpclient
    80/tcp   open  http
    111/tcp  open  rpcbind
    113/tcp  open  auth
    139/tcp  open  netbios-ssn
    143/tcp  open  imap
    443/tcp  open  https
    2000/tcp open  callbook
    3000/tcp open  ppp

    Nmap finished: 1 IP address (1 host up) scanned in 0.361 seconds

There is a new open port, 3000/tcp. (nmap labels it "ppp" only because that is the name listed for port 3000 in its services table; the SERVICE column is a lookup, not a fingerprint of the listening process.) That is the port used to contact ntop from the web:

    http://192.168.0.220:3000/

Bear in mind that this is plain HTTP and that the admin password set with ntop -A is its only protection, so access to port 3000 should be restricted to the administrators' hosts with the bridge's own firewall rules rather than left open to the whole bridged network. An interface similar to this will pop up:

    [Figure: the ntop web interface]

The web interface shows many links where the configuration can be done and where the graphical view of the traffic can be seen:

    [Figures: ntop traffic graphs and the Protocols view]

Conclusion

There are many tools we use as network and security professionals to build a secure network.
Routers, virtual private networks, intrusion detection systems and vulnerability scanners are regularly employed to handle this challenging task. Many would agree that the basis of such a defence is the firewall. While the traditional implementation of a firewall as a router works well in most situations, another version can strengthen existing configurations or succeed where it fails: the bridging or transparent firewall, which sits in-line with the network it protects and makes performance and security cheaper and less time-consuming to achieve. One way, the quickest and least time-consuming, is to set up a pure black box and benefit from a machine that is completely transparent: no IP address of its own, no MAC address that the hosts need to know, and so no changes at all in the network. The project has instead opted for the second way, a bridging firewall that also carries a management address, because of the other components that are important to network administrators, sniffing and IDS, which have to be reached over the network. Transparent/bridging firewalls are excellent security tools when used in the right situation. Their rapid deployment and minimal configuration changes make them valuable alternatives to traditional routing firewalls. Such benefits, combined with deep packet analysis and filtering possibilities, are why many claim this is the future of the firewall industry.

Soon we will be managing in-line devices that handle the routing, filtering and analysis of packets for very large networks, reducing the complexity, deployment time and management headaches of the multiple machines required today. This project has shown the necessity of such technologies and, more than that, it has described how network administrators can build their own boxes and manage the network with fewer headaches. With this technology, which includes auditing, monitoring and firewalling at once, changes in the network become necessary.
There is a need to add the default gateway route on every single host in the network, and this is a drawback. Network administrators find it tiresome to change more than five default routes on five different hosts more than once, and it is time-consuming too. Even so, this is the state of the art in handling networks when security is a concern.