Firewall Testing Laboratory

Purpose of the Lab:
To learn and explore the security mechanism of a firewall. To investigate Linux firewall security behavior using Nmap (network scanning) and Wireshark (traffic monitoring). To configure a Linux host-based firewall and implement a packet filtering scheme for port forwarding/blocking and IP address filtering.

Materials:
Ubuntu Virtual Machine
Backtrack Virtual Machine
Nmap
Wireshark

Assignment:
Configure the Linux firewall and create rules in the IP table using the default host-based firewall tool UFW (Uncomplicated Firewall). Test and manipulate firewall rules using Nmap and Wireshark.

Turn in:
Responses to the questions in the lab handout.
A 2-page write-up answering the following questions:
o Describe in brief the purpose of a firewall. What are potential weaknesses of firewall security?
o Write a short description of Nmap.
o Compare and contrast stateful and stateless packet filtering.
o Explain the difference between a filtered and a closed port.
o Compare and contrast iptables and ufw in Linux.
o Write a UFW firewall rule to define an IP filter on the http port which blocks all incoming traffic from the IP address range 192.168.32.0 - 192.168.32.127. Assume that the UFW firewall is enabled in default-allow mode and accepts incoming traffic to the http port from anywhere.

ITEC 6322 - Firewall Testing Laboratory Page 1

Firewall:
A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or application configured to control network transmissions based upon a set of rules and defined criteria. The purpose of having a firewall in place is to prevent unauthorized or malicious data from entering the system and to prevent sensitive information from leaving it. Firewalls can be implemented in hardware, in software, or in a combination of both.
A hardware firewall can be a physical device or incorporated into a router and normally acts as a barrier protecting multiple computer systems at the same time. A software firewall is an application installed on the computer system you wish to protect. A firewall examines all traffic routed between the two networks to see if it meets certain criteria. If it does, it is routed between the networks; otherwise it is stopped. A firewall filters both inbound and outbound traffic. It can be used to log hostile attempts to enter the private network and to trigger alerts. In a large network, hundreds of computers administered by different individuals cannot each be secured individually. Using a firewall to protect the site's network at a single entrance by filtering communications is a much simpler way of securing it.

Linux Firewall:
Linux supports two types of firewalls, the packet filtering firewall and the proxy-based firewall. Packet filtering is part of the Linux firewall package by default and is used to implement the most fundamental level of network security. The Linux kernel uses the Netfilter framework to manipulate network traffic for packet filtering, based on the rules supplied to it from user space via iptables. Netfilter consults the rules in the IP table to accept or reject incoming or outgoing packets on a Linux system, so the IP table is all we need to manage to configure a Linux host-based firewall. UFW (Uncomplicated Firewall) is a simple front end to iptables designed to be an easier way to manage the Linux firewall from the command line. It was developed to ease iptables firewall configuration and provides a user-friendly way to create a host-based firewall. UFW is the default firewall configuration tool for Backtrack and comes partially set up with the Backtrack installation. This packet filtering firewall is disabled by default.
Packet Filtering Scheme:
The firewall analyzes incoming data to determine the IP address it is coming from and the content it contains, then checks whether this information complies with the rules you have configured. A packet filtering firewall can filter packets based on their source and destination addresses and port numbers. The packet filtering scheme inspects each packet passing through the network and accepts or rejects it based on user-defined rules: the firewall holds a list of security rules and analyzes packets against that set of filters to block traffic based on IP protocol, IP address and/or port number. Packets that make it through the filters are sent to the requesting system; all others are discarded. This scheme is fairly effective and transparent to users but is susceptible to IP spoofing, since a stateless filter trusts the source address written in the packet header.

Port Forwarding and Blocking:
Port blocking is the most fundamental level of firewall security and is used to block any ports that we do not wish to be open on the systems behind the firewall.

IP Address Filtering:
This screening method of the packet filtering scheme is used to block/discard packets arriving from suspicious IP addresses.

Lab Exercise
This lab exercise will expose you to the practical applications of a firewall. You will explore the security mechanism of the Linux UFW (Uncomplicated Firewall) by investigating its behavior using network scanning and monitoring tools (Nmap, Wireshark).
A. Set up the environment for the source/penetrator and target virtual machines.
B. Reach the target machine Backtrack from the Ubuntu virtual machine using VMware.
C. Configure the Backtrack host-based firewall (UFW) and create firewall rules in the IP table.
D. Test and manipulate firewall rules on Backtrack from Ubuntu and investigate firewall behavior using the Wireshark and Nmap tools.

A. Directions to set up the Environment:
1. Restart Windows 7 (base operating system) and log in with:
   User Name: '.\student'
   Password: 'T202!2011' (case sensitive)
2. Click the Ubuntu icon on the desktop. This will launch Ubuntu in VMware.
3. In the VMware Ubuntu window, click the 'Edit Virtual machine Settings' link. In the Virtual Machine Settings dialog box, set Network Adapter to Host-Only (if not set already) by clicking Network Adapter and selecting the 'Host-Only' radio button under Network Connection on the right. Click 'OK' to save the changes.
4. Click the 'Power on this Virtual Machine' link in the Ubuntu VMware window. This will launch Ubuntu GNU/Linux; log in to the Ubuntu VM using:
   User: 'Student'
   Password: 'T202!2011'
5. Next, click the Backtrack icon on the desktop.
6. In the VMware Backtrack window, click the 'Edit Virtual machine Settings' link. In the Virtual Machine Settings dialog box, set Network Adapter to Host-Only (if not set already).
7. Click the 'Power on this Virtual Machine' link in the VMware window. This will launch the Backtrack virtual machine in VMware. Log in to the Backtrack VM using:
   bt login: 'root'
   Password: 'toor'
8. Enter desktop mode in Backtrack by typing the command below after logging in:
   'startx'
Backtrack does not bring up networking by default and does not request a dynamically assigned IP address, so that it stays quiet on the network.
To connect Backtrack to the wired network interface and get an IP address assigned dynamically, follow the instructions below:
Click: K-Menu > Internet Menu > Wicd Network Manager
Click the 'Connect' button. Wait a few moments until the confirmation message "Connected to wired network (IP: xxx.xxx.xxx.xxx)" appears in the status bar at the bottom. Close the 'Wicd Network Manager' window. Backtrack is now connected to the network interface.

B. Reach Backtrack from Ubuntu:
9. Open a command line terminal in Ubuntu: click the Terminal icon at the top of the Ubuntu menu bar, OR navigate to: Applications Menu > Accessories > Terminal
10. Determine the Ubuntu IP: type the command below in the Ubuntu console terminal to determine its IP address:
   'ifconfig'
   [Ubuntu IP] : (inet addr: xxx.xxx.xxx.xxx)
11. Open a console terminal in Backtrack: switch to Backtrack and open a new console terminal by clicking the Konsole icon on the Backtrack task bar, OR by navigating to: K-Menu > System Menu > Konsole - Terminal Program
12. Determine the Backtrack IP: type the command below in the Backtrack console terminal to determine and note its IP address:
   'ifconfig'
   [Backtrack IP] : (inet addr: xxx.xxx.xxx.xxx)
13. Ping Backtrack from Ubuntu: on the Ubuntu console, enter:
   'ping [Backtrack IP]'
   ( [Backtrack IP] was determined in step 12 )
14. Stop the ping: press 'Ctrl+C' in the Ubuntu console terminal to stop the ping request. If the target host Backtrack replies to the ping request from the source machine Ubuntu (i.e. ICMP packets are transmitted and received back on Ubuntu), then Backtrack is reachable as a target and you can proceed to test the Backtrack host-based firewall from Ubuntu.

C. Create Rules in the IP Table to Configure the Backtrack Firewall:
15. Enable the firewall on Backtrack: the UFW firewall on Backtrack is disabled by default. The first step in configuring the firewall is to check its status.
Get the status by typing:
   'ufw status'
If the status is inactive (not loaded), it needs to be enabled before you can configure it and add rules. Activate the firewall by typing:
   'ufw enable'
This activates the UFW firewall on Backtrack with its default policy: deny all incoming traffic except what we list to allow in the IP table rules, and allow outgoing traffic.
16. List IP table rules: to view the existing firewall rules in the IP table, enter on the Backtrack console:
   'iptables -L'
You can notice that there are no user-defined rules under the chain 'ufw-user-input' in the IP table.

Linux Services & Ports:
Computer systems communicate through ports. There are 65536 ports (numbered 0-65535) for each of TCP and UDP, of which the first 1024 (ports 0-1023) are the well-known ports. Some commonly used services provided on these well-known ports are:
httpd (Web Server): Port 80
The httpd (Hyper Text Transfer Protocol Daemon) service works through port 80. The web server listens on this port to serve web page requests.
ssh (Secure Remote Login): Port 22
The ssh (Secure Shell) service allows users to remotely log in to the Linux system, using encryption to protect the login information passed over the network.
ftp (File Transfer): Port 21
The ftp (File Transfer Protocol) service uses port 21 and is used for exchanging files over the Internet. FTP is most commonly used to download a file from a server or to upload a file to a server.
The next step is to create rules to implement packet filtering (port blocking/forwarding and IP filtering) on the aforementioned ports using the command below:
   "ufw allow <port>/<optional: protocol>"
The command supports optional arguments to specify the in/out direction for incoming or outgoing traffic, and optionally a protocol (tcp/udp) may be given with the port field.
If the optional arguments are not given explicitly, the rule applies to the incoming direction of traffic and to both tcp and udp on the specified port by default.
17. Create rules to allow incoming traffic on Backtrack: the UFW firewall is currently active and filters all ports for incoming traffic on Backtrack. The next step is to allow incoming traffic to the ftp (21), ssh (22) and http (80) ports on Backtrack across the firewall. To unblock these three ports on Backtrack, add the following firewall rules by typing each command, one at a time, on the Backtrack console:
   i.   'ufw allow 21'
   ii.  'ufw allow 22'
   iii. 'ufw allow http'
18. List rules: to confirm that the rules were successfully added, enter:
   'ufw status verbose'
OR view these rules under the chain 'ufw-user-input' by typing:
   'iptables -L'
Once the rules have been added to the IP table rule set on Backtrack, you can proceed with testing them to investigate the firewall's behavior for the packet filtering scheme.

D. Test & Manipulate Firewall Rules:
Port Forwarding/Blocking:
This is the most fundamental level of firewall security, used to block ports and their respective services by filtering packets. Computer systems communicate through ports, since a port is where information goes into and out of a computer. The possible states for a port are:
Filtered Port: The port is blocked and not accessible. It cannot be determined whether the port is open or closed because packet filtering by the firewall prevents the probes from reaching the port.
Unfiltered Port: The port is unblocked and reachable. It can be either open or closed.
Open Port: A network service or application is actively listening on the port and accepting TCP connections or UDP datagrams. An open port on the target/host machine can be filtered or unfiltered for a specific source/client machine.
Closed Port: There is no application/network service listening on the port. A closed port on the target/host machine can be filtered or unfiltered for a specific source/client machine.

TCP 3-Way Handshake Protocol:
The Transmission Control Protocol (TCP) is connection-oriented. Connection-oriented means that, before any data can be transmitted, a reliable connection must be established and acknowledged. TCP connection establishment maintains specific control parameters with the help of the 3-way handshake process, also referred to as (SYN, SYN-ACK, ACK); data transmission and connection termination rely on the sequence and acknowledgement numbers negotiated during that handshake.
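The three port states above can be told apart without Nmap: a plain connect() attempt sees the same three possible answers to its SYN. The Python script below is an added example, not part of the lab handout, that classifies a port from the outcome of connect(): a completed handshake means open, an RST/ACK (reported by the kernel as ECONNREFUSED) means closed, and silence until the timeout means filtered, which is what a rule that drops the probe produces. The listener it starts on 127.0.0.1 for its own demonstration is a constructed stand-in for the Apache service of step 30.

```python
"""Classify TCP ports as open / closed / filtered from a connect() attempt.

Added example for this handout, not part of the original lab.  It mirrors
what Nmap's default scan infers from the target's answer to a SYN probe:

    SYN/ACK comes back  -> open     (connect() completes the 3-way handshake)
    RST/ACK comes back  -> closed   (connect() fails with ECONNREFUSED)
    nothing comes back  -> filtered (connect() times out: a DROP rule ate the SYN)

Assumption (not stated in the lab): the firewall *drops* filtered packets.
A REJECT rule would instead answer with RST (looks closed) or with an ICMP
unreachable/prohibited error, which Nmap also reports as filtered.
"""
import errno
import socket
from collections import Counter
from typing import Dict, Iterable, Tuple


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Return 'open', 'closed' or 'filtered' for one TCP port on host."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"                    # SYN -> SYN/ACK -> ACK completed
    except socket.timeout:
        return "filtered"                # no SYN/ACK and no RST: probe dropped
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            return "closed"              # kernel answered our SYN with RST/ACK
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"            # ICMP unreachable/prohibited from a filter
        raise                            # anything else is a local problem, not a port state
    finally:
        sock.close()


def scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Probe each port in turn; a real scanner would parallelise this."""
    return {port: probe_port(host, port, timeout) for port in ports}


def summarize(results: Dict[int, str]) -> Dict[str, int]:
    """Counts per state, the numbers step 22 asks for."""
    counts = Counter(results.values())
    return {state: counts.get(state, 0) for state in ("open", "closed", "filtered")}


def start_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Bind a throw-away service on an ephemeral port so one port is truly 'open'.

    Constructed for the self-demonstration below; stands in for Apache on port 80.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def pick_closed_port(host: str = "127.0.0.1") -> int:
    """Find a port nobody listens on: bind, read the number, release it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = pick_closed_port()
    try:
        results = scan("127.0.0.1", [open_port, closed_port])
        for port, state in results.items():
            print(f"{port}/tcp  {state}")
        print(summarize(results))
    finally:
        srv.close()
```

Run against the Backtrack VM of this lab with the firewall enabled and Apache stopped, probe_port would report 80 as closed (the RST/ACK you see in Wireshark in step 24) and an un-allowed port such as 443 as filtered; once Apache is started, 80 becomes open. The timeout is the only signal for the filtered state, so a scan of many filtered ports is slow, which is exactly why Nmap parallelises its probes.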
Some common control flags on TCP packets used to establish a connection-oriented transmission between two hosts are:
SYN: Synchronize sequence numbers
ACK: Acknowledgement
FIN: No more data from sender
RST: Reset the connection
A connection is established with the three-way handshake (an active open); termination is a separate FIN/ACK exchange in each direction (an active close), which normally takes four segments.
The next step is to test the firewall rules for port forwarding/blocking. You will scan the Backtrack ports using Nmap and request services on Backtrack from Ubuntu.

Nmap:
Nmap (Network Mapper) is an open source tool for network exploration and security auditing. It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, which operating systems they are running, what type of packet filters/firewalls are in use, and other characteristics. By default it scans the 1,000 most commonly used TCP ports on the host/target. The output from Nmap is a list of scanned targets with supplemental information; the item of interest in our case is the Ports Table, which lists the port number and protocol, service name, and port state.
Proceed with the following steps to test the firewall rules by scanning the Backtrack ports using Nmap:
19. Launch Wireshark: open another console terminal in Backtrack desktop mode by repeating step 11 and type the command below on the console terminal:
   'wireshark'
20. Start Wireshark capture: click the 'List available capture interfaces' button on the Wireshark screen. It will list the available interfaces for network traffic capture, including the interface eth(x) with the Backtrack IP determined in step 12. Click the Start button next to the Backtrack interface and IP address to begin capturing the live network traffic between Backtrack and Ubuntu for the Nmap scan in the next step.
21. Scan Backtrack using Nmap: switch over to the Ubuntu window in VMware and enter the command below on the Ubuntu console terminal to execute a port scan of Backtrack:
   'nmap [Backtrack IP]'
   ( [Backtrack IP] was determined in step 12 )
Wait a few moments to allow the nmap scan to complete. Proceed with the next step after Nmap reports the scan summary.
22. Inspect the Nmap scan report/port table. How many ports on Backtrack are:
   1. Filtered   2. Unfiltered   3. Open   4. Closed ?
Record Response: _____________________________________________________________
23. Stop Wireshark capture: switch over to Wireshark on Backtrack and click the Stop Capture button to stop capturing traffic.
24. Monitor the traffic in the Wireshark window. Do you see red packets under the grey packets for ftp, http, and ssh? Why is each red packet with [RST, ACK] flags preceded by a TCP [SYN] packet for these three ports? What do the [RST, ACK] flags indicate?
Record Response: ______________________________________________________________
We have unblocked the http port on Backtrack for incoming traffic. However, there is no web service actively listening for http traffic on port 80 yet. Now proceed to test the firewall rules by requesting the web service on the unblocked http port (80):
25. Start Wireshark capture: start the Wireshark capture on Backtrack by repeating step 20 to record network traffic.
26. Switch the Ubuntu user to root: type in the Ubuntu console terminal:
   'sudo su'
sudo (superuser do) runs the given command with root privileges, and su (switch user) switches to the root account when no other user is specified. You will be prompted for the password:
   Password: '!ilt2010'
27. Request the web service from Ubuntu: switch over to the Ubuntu console terminal. To request the default web page (index.html) on the Backtrack web server using the Firefox browser, type the command below on the Ubuntu console:
   'firefox http://[Backtrack IP]/index.html'
   ( [Backtrack IP] was determined in step 12 )
Notice the browser's response to the page request. Clear the Ubuntu Firefox browser cache by navigating to the path below, then close the browser:
   Tools Menu > Clear Recent History menu item > Clear Now
28. Stop Wireshark capture: switch to Backtrack and click the Stop Capture button to stop capturing traffic in Wireshark.
29. Observe the Wireshark traffic: observe the traffic in the Wireshark window. You can again see red TCP [RST, ACK] packets from Backtrack in response to TCP [SYN] packets from Ubuntu, indicating an unsuccessful TCP handshake for the http connection on port 80. How would you classify the current status of the http port (Filtered, or Unfiltered/Open, or Unfiltered/Closed)?
Record Response: ______________________________________________________________

Start the Web Server on Backtrack:
Proceed with the following steps to start the Apache web server for http traffic on Backtrack port 80:
30. Start the Apache web server on Backtrack: to start the Apache2 web server on Backtrack, navigate to:
   K-Menu > Backtrack Menu > Services Menu > HTTPD Menu > apache start
A confirmation screen will flash with the message "Starting Web Server Apache2 [OK]". Now a web service is actively listening on the unblocked http port (80). Request the default web page (index.html) on the Backtrack web server from Ubuntu:
31. Start Wireshark capture: switch over to the Wireshark window in Backtrack and start the capture (repeating step 20) to record traffic.
32. Request the web service from Ubuntu: send the http page request to the Apache2 web server on Backtrack from Ubuntu by repeating step 27.
33. Observe the browser response: what is the response to the web page request in the Ubuntu Firefox browser?
Record Response: _______________________________________________________________
34. Stop Wireshark capture: click the Stop Capture button to stop capturing traffic in Wireshark.
35. Monitor the network traffic: observe the traffic in the Wireshark window. You can observe that this time there are no red packets captured.
How does Backtrack respond to the very first TCP [SYN] packet from Ubuntu for the http connection? Did the TCP handshake successfully establish the http connection this time?
Record Response: ______________________________________________________________

Address Filtering:
This screening method of the packet filtering scheme is used to block/discard packets arriving from undesirable or suspicious IP addresses. The next section will guide you in exploring the address filtering mechanism of the UFW firewall by creating an address filter on Backtrack for the Ubuntu IP.
36. Define a rule to filter the Ubuntu IP: to filter the Ubuntu IP address and restrict its access to the http port (80) for the web service on Backtrack, add another rule to the IP table by typing the command below on the Backtrack console terminal:
   'ufw deny from [Ubuntu IP] to any port http'
   ( [Ubuntu IP] was determined in step 10 )
37. List rules: to verify that the rule has been added to the IP table rule set, enter:
   'ufw status'
Notice the ordinal position of the deny rule (IP filter) in the ordered list. The position of a rule in the list is important, since rules are processed/examined in that very order. The web service is still listening for http requests on Backtrack port 80, but a rule has just been added to filter the Ubuntu IP for the http port (80). Proceed with the following steps to request the default web page on Backtrack again:
38. Request the web service from Ubuntu: send the http page request to the Backtrack web server from Ubuntu by repeating step 27. Notice the response to the page request in the Ubuntu Firefox browser and compare it to the previous browser response in step 33.
39. Scan Backtrack using Nmap: switch over to Ubuntu and enter the command below on the console terminal to execute a port scan of Backtrack:
   'nmap [Backtrack IP]'
   ( [Backtrack IP] was determined in step 12 )
Wait a few moments to allow the nmap scan to complete. Proceed with the next step after Nmap reports the scan summary.
40. Inspect the Nmap scan report: what is the current status of the http port reported by the Nmap scan (filtered, open or closed)? __________
Does the rule to filter the Ubuntu IP on the http port (80) work to block the Backtrack web service for Ubuntu? Draw a conclusion based on the browser response and the Nmap scan report:
Record Response: _____________________________________________________________

Order in the IP Table Rule Set:
Rules are added to the IP table in the order they are defined/created. If rule A is defined before rule B, then rule A occupies a higher (earlier) ordinal position in the IP table rule set. Order is important in the IP table rule set because it defines how the rules are processed: firewall rules in the IP table are evaluated from top to bottom (first to last) as an ordered list, and the first rule that matches a packet decides its fate. If a service has been denied by a rule at a higher ordinal position, you cannot expect to gain access to it with a more permissive rule defined later, lower down the list: the incoming packet is examined against the deny rule first and is rejected/discarded. When defining multiple rules for the same service/port, always add the more restrictive (less privileged) rule at the higher ordinal position in the IP table rule set; otherwise suspicious traffic will slip through the firewall, taking advantage of an allow rule processed before the deny filter. From a security standpoint, where multiple rules are required for the same service/port it is always better to keep the less privileged one at the higher ordinal position in the IP table's ordered list.
41. List rules: to find the ordinal position of the deny rule (filtering the Ubuntu IP) in the rule set, enter:
   'ufw status numbered'
You can notice that the 'allow http' rule for port 80, the more privileged one, occupies a higher ordinal position in the ordered list than the IP filter ('deny') rule.
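The effect of that ordering can be reproduced without the VMs. The Python model below is an added example, not part of the lab handout, of first-match evaluation in an ordered chain such as ufw-user-input: it replays the lab's ufw commands (the three allows of step 17, the deny of step 36, the delete and insert of steps 42 and 43) against constructed addresses, 192.168.56.101 standing in for [Ubuntu IP] and 192.168.56.50 for some other host on the host-only network, and shows the deny rule never being reached at #4 but deciding the packet once it sits at #1.

```python
"""First-match walk of an ordered packet-filter chain, as ufw builds it.

Added example, not part of the lab handout.  Models the ufw-user-input chain:
rules are consulted top to bottom, the FIRST rule whose fields fit the packet
decides, later rules are never reached, and a packet matching no rule gets the
chain's default policy ('ufw enable' defaults to deny for incoming).  The
IP addresses below are constructed stand-ins for [Ubuntu IP] and a second host.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str            # source IPv4 address
    dport: int          # destination port
    proto: str = "tcp"  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    dport: Optional[int] = None  # None: any destination port
    proto: Optional[str] = None  # None: tcp and udp, as a bare 'ufw allow 80'
    src: str = "0.0.0.0/0"       # 'from anywhere' unless narrowed to a host or CIDR

    def matches(self, pkt: Packet) -> bool:
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        return ip_address(pkt.src) in ip_network(self.src, strict=False)

    def __str__(self) -> str:
        port = "Anywhere" if self.dport is None else str(self.dport)
        if self.proto:
            port += "/" + self.proto
        return f"{port:<12}{self.action.upper():<8}IN    {self.src}"


class RuleSet:
    """Ordered chain plus default policy; mirrors the ufw commands used in the lab."""

    def __init__(self, default: str = "deny") -> None:
        self.default = default
        self.rules: List[Rule] = []

    def add(self, rule: Rule) -> None:                    # ufw allow/deny ...  (appends)
        self.rules.append(rule)

    def insert(self, position: int, rule: Rule) -> None:  # ufw insert N ...  (1-based)
        self.rules.insert(position - 1, rule)

    def delete(self, rule: Rule) -> None:                 # ufw delete <rule spec>
        self.rules.remove(rule)

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """(decision, number of the deciding rule); None means the default policy fired."""
        for number, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                return rule.action, number
        return self.default, None

    def numbered(self) -> str:                            # ufw status numbered
        return "\n".join(f"[{n:>2}] {r}" for n, r in enumerate(self.rules, start=1))


UBUNTU_IP = "192.168.56.101"  # constructed: the [Ubuntu IP] of step 10
OTHER_IP = "192.168.56.50"    # constructed: some other host on the host-only network
DENY_UBUNTU_HTTP = Rule("deny", dport=80, src=UBUNTU_IP)  # 'ufw deny from <ip> to any port http'


def build_lab_chain() -> RuleSet:
    """Steps 15-17 and 36: default-deny incoming, three allows, the deny appended at #4."""
    chain = RuleSet(default="deny")
    chain.add(Rule("allow", dport=21))   # ufw allow 21
    chain.add(Rule("allow", dport=22))   # ufw allow 22
    chain.add(Rule("allow", dport=80))   # ufw allow http
    chain.add(DENY_UBUNTU_HTTP)          # appended last, so it sits below 'allow 80'
    return chain


def reorder_deny_first(chain: RuleSet) -> RuleSet:
    """Steps 42-43: drop the deny and re-insert it at position 1."""
    chain.delete(DENY_UBUNTU_HTTP)
    chain.insert(1, DENY_UBUNTU_HTTP)
    return chain


def lab_outcomes() -> dict:
    """Decisions for HTTP from Ubuntu and from another host, before and after the reorder."""
    from_ubuntu, from_other = Packet(UBUNTU_IP, 80), Packet(OTHER_IP, 80)
    chain = build_lab_chain()
    before = (chain.evaluate(from_ubuntu), chain.evaluate(from_other))
    reorder_deny_first(chain)
    after = (chain.evaluate(from_ubuntu), chain.evaluate(from_other))
    return {"before": before, "after": after}


if __name__ == "__main__":
    chain = build_lab_chain()
    print("after step 36:\n" + chain.numbered())
    print("http from Ubuntu ->", chain.evaluate(Packet(UBUNTU_IP, 80)))
    reorder_deny_first(chain)
    print("\nafter step 43:\n" + chain.numbered())
    print("http from Ubuntu ->", chain.evaluate(Packet(UBUNTU_IP, 80)))
```

Before the reorder the Ubuntu packet is accepted by rule 3 and rule 4 is never consulted, which is the browser result of step 38; afterwards the same packet is denied by rule 1 while the other host is still allowed by what is now rule 4. The model handles the case the lab leaves implicit as well: a packet for a port with no matching rule at all (say 443) falls through to the default deny of 'ufw enable'.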
Now promote the IP filter (deny) rule (at #4) to a higher position so that it appears before the 'allow http' rule (at #3) when the IP table rule set is processed in top-down order. To do so, first delete the 'deny http' rule and then insert the same rule at position #1 to achieve the desired order:
42. Delete the 'deny http' rule: to delete the 'deny http' rule from the IP table, type on the Backtrack console:
   'ufw delete deny from [Ubuntu IP] to any port http'
   ( [Ubuntu IP] was determined in step 10 )
43. Insert the 'deny http' rule at position #1: to insert the 'deny http' rule at the higher ordinal position (#1) in the IP table this time, use the command:
   'ufw insert 1 deny from [Ubuntu IP] to any port http'
44. List rules to verify the order: to verify that the http IP filter (deny) rule now appears at a higher position (#1) than the 'allow http' rule (now at #4) in the IP table, type:
   'ufw status numbered'
The web service is still listening for http requests on Backtrack port 80. The rule filtering the Ubuntu IP for the web service, now at the higher position, will be processed before the one that allows incoming web traffic from anywhere. Proceed with the following steps to test the IP filter rule under this new arrangement of the http rules in the IP table:
45. Request the web service from Ubuntu: again send a web page request to the Backtrack web server from Ubuntu by repeating step 27.
46. Scan Backtrack using Nmap: open a new console terminal on Ubuntu and execute a port scan of Backtrack:
   'nmap [Backtrack IP]'
   ( [Backtrack IP] was determined in step 12 )
Wait a few moments to allow the nmap scan to complete.
47. Inspect the Nmap report and browser response: carefully inspect the Nmap scan report summary on the Ubuntu console terminal (step 46).
48. Observe the browser response: what response did you get for the http request in the Ubuntu Firefox browser (step 45)? Why is the response to the web request different this time?
Record Response: _____________________________________________________________
Now delete all firewall rules and disable the firewall.
49. Reset the firewall to delete the rules: to delete all firewall rules and disable the firewall, execute the reset command on the Backtrack console:
   'ufw reset'
50. Verify the reset: to confirm that all rules have been deleted and the firewall is disabled, enter:
   'ufw status'
You will see: "Status: inactive"
51. Stop the Apache web server on Backtrack: to stop the Apache2 web server on Backtrack, navigate to:
   K-Menu > Backtrack Menu > Services Menu > HTTPD Menu > apache stop
A confirmation screen will flash with the message "Stopping Web Server Apache2 [OK]".
Now scan Backtrack using Nmap with the firewall disabled:
52. Scan Backtrack using Nmap: switch over to the Ubuntu console terminal to execute a port scan of Backtrack:
   'nmap [Backtrack IP]'
   ( [Backtrack IP] was determined in step 12 )
Wait a few moments to allow the nmap scan to complete on the Ubuntu console. You can observe that now, in the absence of a firewall, Nmap can determine the status of all 1000 scanned ports as either open or closed, since all Backtrack ports are unfiltered.
53. Close all applications and shut down the virtual machines:
   I.   Close all programs on Ubuntu.
   II.  Shut down the Ubuntu VM by clicking the icon at the top-right of the Ubuntu menu bar and choosing 'Shutdown' from the drop-down list.
   III. Close all programs on the Backtrack VM.
   IV.  Log out of the Backtrack VM by clicking: K-Menu > Leave > End Session > Logout
   V.   Then shut down the Backtrack VM by typing on the console: 'shutdown -h now'
   VI.  Close the VMware window.
   VII. Log off Windows 7.
This note was uploaded on 10/21/2011 for the course CIS 3351 taught by Professor Conklin during the Spring '11 term at University of Houston.