School of Computer and Information Science
CIS Research Placement Report
War Games: Building a Sandbox Network Environment to Capture and Analyse
Network Traffic
Wayne Gartner
Date: 7/06/2009
Supervisor: Head of Security Lab, Helen Ashman
Abstract
The teaching of how to defend against hacking can be done theoretically, but practical
experience of both defending and attacking is important in the teaching of security principles
(Ashman, 2008). This practical experience is achieved through “ethical hacking”. Ethical
hacking has two main parts, the first being the teaching of principles of hacking as well as
practice so that students can learn how hacking is done and better understand how to defend
against it, the second being learning how some hacking tools can be used to assess one's own
defences, i.e. "penetration testing". The purpose of this report is to specify the architecture for a
“war games” educational exercise, where students can ethically hack each other in a controlled
and non-harmful environment, with a network administrator overseeing the entire exercise. The
report declares the network administrator’s requirements, detailing network specifications,
protocol use and equipment configurations. We provide a platform for later analysis, where we
look into and analyse what students actually did during the war games exercise. This report
details the requirements document, network design and strategy for achieving an appropriate
technical environment for this exercise.
War Games: Building a Sandbox Network Environment to Capture and Analyse Network Traffic
Table of Contents
1. Introduction .......... 3
2. Requirements .......... 4
2.1. Computer Lab .......... 4
2.2. Computers .......... 4
2.3. Switch .......... 4
2.4. Router .......... 4
2.5. Straight-Through Cables .......... 4
3. Network Related Information .......... 5
3.1. What is SPAN Protocol .......... 5
3.2. SPAN and Securing the Sniffer .......... 5
3.3. Configuring SPAN .......... 5
3.4. Network Diagram – Physical Diagram .......... 6
3.5. Network Diagram – Logical Diagram .......... 7
3.6. Network Design – VLAN’s .......... 8
3.7. VLAN Design .......... 9
3.8. IP Addressing Scheme .......... 10
3.9. DHCP Pool Information .......... 12
3.10. Internet access using UniSA’s network .......... 13
3.11. Switch Configuration .......... 14
3.12. Router Configuration .......... 17
4. Network Analysing Information .......... 19
4.1. The Sniffer .......... 19
4.2. TCPDump .......... 19
4.3. Snort .......... 19
4.4. Wireshark .......... 19
5. Network Security .......... 21
6. Assignment Information .......... 22
7. Conclusion .......... 23
8. Bibliography .......... 24
Wayne Gartner
Page 2 of 24
1. Introduction
The purpose of this document is to detail how to build a sandbox environment to capture and analyse
network traffic. The report details the network requirements, network specifications, protocol use,
equipment configurations and some administrative information about the war games.
The report's focus is to detail how the war games environment will be built; a subsequent report, to be
written at a later date, will detail the results found from the exercise. This report will be used in the
building of the sandbox environment, to be used at UniSA for the offerings of INFT 3015 and INFT 5017
in Study Period 5.
The sandbox environment is designed to give students a safe environment in which to learn how to
ethically hack. By utilising this teaching in a practical sense, students can learn both how to defend
against hacking attempts, but also how to conduct attacks themselves. Normally, hacking activities are
illegal and/or against most organisations’ security policies, but in this controlled research and teaching
environment, the students are free to explore the consequences of such activities. The information they
learn will be useful for systems testing in their careers as IT professionals.
This report does not look at the ethics of ethical hacking, but rather how to prepare a safe environment
in which students can learn about ethical hacking in a practical context.
In the following sections we firstly discuss requirements in section 2, the network-related information in
section 3, followed by the network analysis details in section 4. Section 5 discusses network security,
while section 6 outlines the impact of this architecture on the coursework specifications and details and
notes what information the student needs. Section 7 concludes the report.
2. Requirements
2.1. Computer Lab
It may be stating the obvious a little, but to perform the war games exercise the course coordinator
needs a room to do it in. In previous presentations of the course it was done using virtual
machine software, but this was unsuccessful since students had to learn how to use the virtual machine
software before they could partake in the war games exercise. The recommended room is MLKF2-55 because it already has established network infrastructure.
2.2. Computers
The number of computers that will be required may vary. Based on the setup on F2-55 currently,
seventeen (17) computers would suffice. This would allow for sixteen (16) computers to be used on the
available desk space, and one for the network traffic to be captured.
2.3. Switch
The switch is a key component of the plan to build the network. It connects the computers so they
can communicate with each other, and it will also use SPAN (described later) to mirror network
traffic for capture and further analysis. The switch model used in the war games is the Cisco Catalyst 2950.
In a previous year of building the network architecture a hub was used rather than a switch. This posed
many problems, since a hub forwards every frame out of every port, whereas a switch only forwards a
frame out of the port where its destination is known.
2.4. Router
Ideally, a router is used to connect the separate VLANs (Virtual Local Area Networks) together.
The router uses only one Ethernet interface and routes packets between the separate VLANs; this is
commonly referred to as 'router on a stick'. The router model used in the war games is the Cisco 2621.
2.5. Straight-Through Cables
To connect the machines to the network, each computer needs a straight-through cable to the switch.
The number of straight-through cables is the number of computers multiplied by two (2) plus two (2), so
if, as suggested, seventeen (17) computers are used, a total of thirty-six (36) cables is required. This
number doesn't allow for extras, so spare cables should be kept on hand for emergencies.
3. Network Related Information
3.1. What is SPAN Protocol
SPAN (Switched Port Analyzer) is a feature introduced on Cisco switches that allows the switch to copy
packets to another port. The old way of looking at network traffic was to use a hub and listen on one of
its ports. This doesn't work if the network is built without a hub, which is why this feature was
designed.
If we were to put the Sniffer onto the switch as is, the sniffer would only receive:
a.) traffic destined for the Sniffer's computer
b.) broadcast traffic
c.) unknown traffic (frames whose destination is unknown to the switch)
With SPAN, we can tell the switch to mirror traffic to a particular port, selected by either port number
or VLAN. All traffic on the source (ingress, egress or both) is then copied and sent out of the mirroring
port. This allows the Sniffer to successfully view the network traffic even though a switch, and not a
hub, is in use.
3.2. SPAN and Securing the Sniffer
When SPAN has been configured, the switch port that the monitored traffic goes out on will show as
up/down. This signals that the port is not used for production traffic. It also means that packets
destined for the sniffer's IP address will be dropped, as the port is technically unavailable.
3.3. Configuring SPAN
The commands for configuring SPAN on the Cisco Catalyst 2950 switch (the switch in use) are included
below.
(config)#monitor session 1 source interface fastEthernet 0/1 - 22
(config)#monitor session 1 destination interface fastEthernet 0/23
3.4. Network Diagram – Physical Diagram
The diagram below shows the physical network with how everything connects. It details each cable in
use, its speed and what device it connects to.
Figure 1: Physical Network Diagram
UTP (Unshielded Twisted Pair) is the cable type in use and, as the pin-out in the diagram states, they
are all straight-through cables. The HCC is a horizontal cross connect, more commonly known as a patch
panel. Without getting too technical, it is a panel that terminates the wires on a connector.
3.5. Network Diagram – Logical Diagram
The logical diagram below shows the network in its logical form, providing details about network
addresses, and device names.
Figure 2: Logical Network Diagram
3.6. Network Design – VLAN’s
The design of the network is to have each group on their own VLAN, connecting to the same switch and
router. The router’s purpose would be to route the packets between the different VLAN’s.
GROUP      VLAN
Group 1    2
Group 2    3
Group 3    4
Group 4    5
Group 5    2
Group 6    3
Group 7    4
Group 8    5
Group 9    2
Group 10   3
Group 11   4
Group 12   5
Group 13   2
Group 14   3
Group 15   4
Group 16   5
The VLAN numbers start at 2 rather than 1 to prevent a mis-configuration leaving someone on VLAN 1.
The trunk and sniffer ports are not assigned to a VLAN, and would by default fall into VLAN 1.
3.7. VLAN Design
Figure 3: VLAN Design
The layout is based on the current design of the F2-55 room. The rectangles represent the desk spaces
within the room, and the colours show the VLAN that each machine will belong to. The reasons for
separating them in this manner are:
- If the router goes down for any reason during the exercise, the machines on the same VLAN can still
be accessed
- If the software can't operate between VLANs, there are still other machines on the same VLAN
3.8. IP Addressing Scheme
There are two possible ways to go with this: have DHCP automatically assign IP addresses, or use
static IP addresses. A third would be a hybrid of the two, where servers are static and hosts are
dynamic. Since the router will be acting as the DHCP server, DHCP will be used.
The main reason for choosing outright DHCP assignment is that there are no static servers within the
network, as the host machines will double as the servers, and the additional DNS (Domain Name Server)
information is required for the machines to access the internet. To prevent trouble with addresses
changing during the war games, the lease time for the addresses is set to infinite, so the addresses
should not change during the war games.
Device [VLAN] (switch port)    IP Address
Group 1 [2] (fa0/1):     Address Pool 192.168.0.2 – 30 /27, Subnet Mask 255.255.255.224, Gateway 192.168.0.1
Group 5 [2] (fa0/5):     Address Pool 192.168.0.2 – 30 /27, Subnet Mask 255.255.255.224, Gateway 192.168.0.1
Group 9 [2] (fa0/9):     Address Pool 192.168.0.2 – 30 /27, Subnet Mask 255.255.255.224, Gateway 192.168.0.1
Group 13 [2] (fa0/13):   Address Pool 192.168.0.2 – 30 /27, Subnet Mask 255.255.255.224, Gateway 192.168.0.1
Group 2 [3] (fa0/2):     Address Pool 192.168.0.34 – 62 /27, Subnet Mask 255.255.255.224, Gateway 192.168.0.33
Group 6 [3] (fa0/6):     Address Pool 192.168.0.34 – 62 /27, Subnet Mask 255.255.255.224, Gateway 192.168.0.33
Group 10 [3] (fa0/10):   Address Pool 192.168.0.34 – 62 /27, Subnet Mask 255.255.255.224, Gateway 192.168.0.33
Group 14 [3] (fa0/14):   Address Pool 192.168.0.34 – 62 /27, Subnet Mask 255.255.255.224, Gateway 192.168.0.33
Group 3 [4] (fa0/3):     Address Pool 192.168.0.66 – 94 /27, Subnet Mask 255.255.255.224, Gateway 192.168.0.65
Group 7 [4] (fa0/7):     Address Pool 192.168.0.66 – 94 /27, Subnet Mask 255.255.255.224, Gateway 192.168.0.65
Group 11 [4] (fa0/11):   Address Pool 192.168.0.66 – 94 /27, Subnet Mask 255.255.255.224, Gateway 192.168.0.65
Group 15 [4] (fa0/15):   Address Pool 192.168.0.66 – 94 /27, Subnet Mask 255.255.255.224, Gateway 192.168.0.65
Group 4 [5] (fa0/4):     Address Pool 192.168.0.98 – 126 /27, Subnet Mask 255.255.255.224, Gateway 192.168.0.97
Group 8 [5] (fa0/8):     Address Pool 192.168.0.98 – 126 /27, Subnet Mask 255.255.255.224, Gateway 192.168.0.97
Group 12 [5] (fa0/12):   Address Pool 192.168.0.98 – 126 /27, Subnet Mask 255.255.255.224, Gateway 192.168.0.97
Group 16 [5] (fa0/16):   Address Pool 192.168.0.98 – 126 /27, Subnet Mask 255.255.255.224, Gateway 192.168.0.97
Sniffer PC (fa0/23):     192.168.0.130 /30, Subnet Mask 255.255.255.224, Gateway 192.168.0.129
Router (fa0/24):         Sub Interface 0/0.1 192.168.0.129; Sub Interface 0/0.2 192.168.0.1; Sub Interface 0/0.3 192.168.0.33; Sub Interface 0/0.4 192.168.0.65; Sub Interface 0/0.5 192.168.0.97
3.9. DHCP Pool Information
The configuration for the DHCP pools is included below. The commands start by telling the pools that
they can't use the addresses used for the default gateways. Then each pool is configured with its
network address and subnet mask, the dns-server, default-router (its gateway), domain-name and lease
time.
(config)#ip dhcp excluded-address 192.168.0.1
(config)#ip dhcp excluded-address 192.168.0.33
(config)#ip dhcp excluded-address 192.168.0.65
(config)#ip dhcp excluded-address 192.168.0.97
(config)#ip dhcp excluded-address 192.168.0.129
(config)#ip dhcp pool vlan2
(dhcp-config)#network 192.168.0.0 255.255.255.224
(dhcp-config)#dns-server 130.220.64.243
(dhcp-config)#default-router 192.168.0.1
(dhcp-config)#domain-name vlan2
(dhcp-config)#lease infinite
(config)#ip dhcp pool vlan3
(dhcp-config)#network 192.168.0.32 255.255.255.224
(dhcp-config)#dns-server 130.220.64.243
(dhcp-config)#default-router 192.168.0.33
(dhcp-config)#domain-name vlan3
(dhcp-config)#lease infinite
(config)#ip dhcp pool vlan4
(dhcp-config)#network 192.168.0.64 255.255.255.224
(dhcp-config)#dns-server 130.220.64.243
(dhcp-config)#default-router 192.168.0.65
(dhcp-config)#domain-name vlan4
(dhcp-config)#lease infinite
(config)#ip dhcp pool vlan5
(dhcp-config)#network 192.168.0.96 255.255.255.224
(dhcp-config)#dns-server 130.220.64.243
(dhcp-config)#default-router 192.168.0.97
(dhcp-config)#domain-name vlan5
(dhcp-config)#lease infinite
3.10. Internet access using UniSA’s network
To provide the users on the network with internet access, the router has been configured to allow them
access to the UniSA network. The access will be the same as for any student machine within the university,
so the students can reach the university's internet proxy from within the controlled environment. During
the exercise this connection will remain active, but all traffic leaving will be monitored. Any rogue
traffic that leaves the network will be stopped by the university's firewalls. By rogue traffic we mean
attacks on computers; we are confident that if any such traffic leaves the controlled environment, it
will be blocked by the time it reaches the university's proxy server.
(config)#interface fa0/1
(config-if)#mac-address 0020.af67.ff21
(config-if)#ip address dhcp
(config-if)#ip nat outside
(config-if)#exit
The above commands tell the router that its MAC address is 0020.af67.ff21, which really belongs to a
broken network interface card found in F2-55. The router is then told to get its IP address from DHCP
(not from its own DHCP server, but from the next one it is connected to on fa0/1). Finally the interface
is configured as NAT outside, which translates all the internal addresses from the network to the
interface's IP address. This means that the source address will be changed from 192.168.0.X to one that
belongs to the university network.
The commands below tell the router which access list NAT operates on. The first states that inside
addresses matching list 101 are translated through interface fa0/1. The overload command tells the router
that it may translate many inside addresses to that one outside address. Then each network address and
its wildcard (inverse subnet) mask is entered into the access list; the any at the end specifies that any
destination address is permitted. The final commands tell all the sub-interfaces that they are NAT inside.
(config)#ip nat inside source list 101 int fa0/1 overload
(config)#access-list 101 permit ip 192.168.0.0 0.0.0.31 any
(config)#access-list 101 permit ip 192.168.0.32 0.0.0.31 any
(config)#access-list 101 permit ip 192.168.0.64 0.0.0.31 any
(config)#access-list 101 permit ip 192.168.0.96 0.0.0.31 any
(config)#access-list 101 permit ip 192.168.0.128 0.0.0.31 any
(config)#int range fa0/0.1 - fa0/0.5
(config-if-range)#ip nat inside
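The addressing scheme, DHCP pools and NAT access list in sections 3.8 to 3.10 are all derived from the same four /27 subnets, so the configuration can be generated and cross-checked rather than typed by hand. The following Python is an added example, not code from the report: it assumes the group-to-VLAN and group-to-port mapping of section 3.8, and uses the /30 wildcard (0.0.0.3) for the router-sniffer link where the report's access list uses 0.0.0.31.

```python
"""Derive the war-games addressing plan from the VLAN table (four /27 subnets of
192.168.0.0/24, one per VLAN 2..5, plus the /30 router-sniffer link) and emit the
matching IOS DHCP pool, sub-interface and NAT access-list lines.
Added example, not code from the report."""
from ipaddress import ip_network

LAB = ip_network("192.168.0.0/24")
SNIFFER_LINK = ip_network("192.168.0.128/30")   # sub-interface 0/0.1 in section 3.8
DNS_SERVER = "130.220.64.243"                   # UniSA DNS server from the DHCP pools
# Group-to-VLAN mapping from section 3.6; group N sits on switch port fa0/N (section 3.8)
VLAN_GROUPS = {2: (1, 5, 9, 13), 3: (2, 6, 10, 14), 4: (3, 7, 11, 15), 5: (4, 8, 12, 16)}


def plan(vlan):
    """Network, masks, gateway and DHCP range for one VLAN: VLAN 2 -> .0/27, VLAN 3 -> .32/27, ..."""
    net = list(LAB.subnets(new_prefix=27))[vlan - 2]
    hosts = list(net.hosts())                   # .1 .. .30 for the first /27
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "wildcard": str(net.hostmask),          # inverse mask used by the access-list
        "gateway": str(hosts[0]),               # first usable address, excluded from DHCP
        "first": str(hosts[1]),
        "last": str(hosts[-1]),
        "groups": VLAN_GROUPS[vlan],            # four groups share every pool
    }


def dhcp_config():
    """Excluded gateways first, then one pool per VLAN (section 3.9)."""
    lines = [f"ip dhcp excluded-address {plan(v)['gateway']}" for v in VLAN_GROUPS]
    lines.append(f"ip dhcp excluded-address {SNIFFER_LINK.network_address + 1}")
    for v in VLAN_GROUPS:
        p = plan(v)
        lines += [f"ip dhcp pool vlan{v}",
                  f" network {p['network']} {p['mask']}",
                  f" dns-server {DNS_SERVER}",
                  f" default-router {p['gateway']}",
                  f" domain-name vlan{v}",
                  " lease infinite"]
    return lines


def subinterfaces():
    """Router-on-a-stick sub-interfaces, one 802.1Q tag per VLAN (section 3.12)."""
    lines = []
    for v in VLAN_GROUPS:
        p = plan(v)
        lines += [f"interface FastEthernet0/0.{v}",
                  f" encapsulation dot1Q {v}",
                  f" ip address {p['gateway']} {p['mask']}",
                  " ip nat inside"]
    return lines


def nat_acl():
    """access-list 101: inside networks that NAT may translate (section 3.10).
    The link entry uses the /30's wildcard 0.0.0.3; the report's line uses 0.0.0.31."""
    lines = [f"access-list 101 permit ip {plan(v)['network']} {plan(v)['wildcard']} any"
             for v in VLAN_GROUPS]
    lines.append(f"access-list 101 permit ip {SNIFFER_LINK.network_address} "
                 f"{SNIFFER_LINK.hostmask} any")
    return lines


def address_table():
    """The per-group view of section 3.8: group -> (vlan, port, pool range, gateway)."""
    rows = {}
    for v, groups in VLAN_GROUPS.items():
        p = plan(v)
        for g in groups:
            rows[g] = (v, f"fa0/{g}", f"{p['first']} - {p['last']} /27", p["gateway"])
    return rows


if __name__ == "__main__":
    print("\n".join(dhcp_config() + subinterfaces() + nat_acl()))
    for g, row in sorted(address_table().items()):
        print(f"Group {g} [VLAN {row[0]}] ({row[1]}): pool {row[2]}, gateway {row[3]}")
```

Diffing its output against the running configuration in section 3.12 is a quick way to catch a mistyped network address or gateway before the exercise starts.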
3.11. Switch Configuration
Current configuration : 3523 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CIS-Security_Lab-S
!
enable secret 5 $1$2GKr$56DsGbe4q80iwCSQerQzY0
!
ip subnet-zero
no ip domain-lookup
vtp domain syd-ab1-dtb
vtp mode transparent
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
vlan 2
name Groups-1,5,9,13
!
vlan 3
name Groups-2,6,10,14
!
vlan 4
name Groups-3,7,11,15
!
vlan 5
name Groups-4,8,12,16
!
interface FastEthernet0/1
switchport access vlan 2
switchport mode access
no ip address
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 3
no ip address
spanning-tree portfast
!
interface FastEthernet0/3
switchport access vlan 4
no ip address
spanning-tree portfast
!
interface FastEthernet0/4
switchport access vlan 5
no ip address
spanning-tree portfast
!
interface FastEthernet0/5
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet0/6
switchport access vlan 3
no ip address
spanning-tree portfast
!
interface FastEthernet0/7
switchport access vlan 4
no ip address
spanning-tree portfast
!
interface FastEthernet0/8
switchport access vlan 5
no ip address
spanning-tree portfast
!
interface FastEthernet0/9
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet0/10
switchport access vlan 3
no ip address
spanning-tree portfast
!
interface FastEthernet0/11
switchport access vlan 4
no ip address
spanning-tree portfast
!
interface FastEthernet0/12
switchport access vlan 5
no ip address
spanning-tree portfast
!
interface FastEthernet0/13
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface FastEthernet0/14
switchport access vlan 3
no ip address
spanning-tree portfast
!
interface FastEthernet0/15
switchport access vlan 4
no ip address
spanning-tree portfast
!
interface FastEthernet0/16
switchport access vlan 5
no ip address
spanning-tree portfast
!
interface FastEthernet0/17
no ip address
shutdown
spanning-tree portfast
!
interface FastEthernet0/18
no ip address
shutdown
spanning-tree portfast
!
interface FastEthernet0/19
no ip address
shutdown
spanning-tree portfast
!
interface FastEthernet0/20
no ip address
shutdown
spanning-tree portfast
!
interface FastEthernet0/21
no ip address
shutdown
spanning-tree portfast
!
interface FastEthernet0/22
no ip address
shutdown
spanning-tree portfast
!
interface FastEthernet0/23
no ip address
spanning-tree portfast
!
interface FastEthernet0/24
switchport mode trunk
no ip address
!
interface FastEthernet0/25
no ip address
shutdown
spanning-tree portfast
!
interface FastEthernet0/26
no ip address
shutdown
spanning-tree portfast
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
ip http server
!
banner motd ^C
************************************************
Authorised Access Only
************************************************
This Switch has been configured for the use
during the War Games Exercise 2009
For permission to access this Switch, see Helen Ashman
Otherwise there should be no need to access
this switch during War Games
Unauthorised Access may result in loss of marks
Network Admin: Wayne Gartner (Security Lab)^C
!
line con 0
password seclab
login
line vty 0 4
password seclab
login
line vty 5 15
login
!
monitor session 1 source interface Fa0/1 - 22
monitor session 1 destination interface Fa0/23
end
3.12. Router Configuration
Current configuration : 2797 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CIS-Security_Lab-R
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$jCSF$IU5WSL8IXX394PiZqYACv/
!
no aaa new-model
ip subnet-zero
ip cef
!
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.33
ip dhcp excluded-address 192.168.0.65
ip dhcp excluded-address 192.168.0.97
ip dhcp excluded-address 192.168.0.129
!
ip dhcp pool vlan2
network 192.168.0.0 255.255.255.224
domain-name vlan2
dns-server 130.220.64.243
default-router 192.168.0.1
lease infinite
!
ip dhcp pool vlan3
network 192.168.0.32 255.255.255.224
domain-name vlan3
dns-server 130.220.64.243
default-router 192.168.0.33
lease infinite
!
ip dhcp pool vlan4
network 192.168.0.64 255.255.255.224
default-router 192.168.0.65
domain-name vlan4
dns-server 130.220.64.243
lease infinite
!
ip dhcp pool vlan5
network 192.168.0.96 255.255.255.224
default-router 192.168.0.97
domain-name vlan5
dns-server 130.220.64.243
lease infinite
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
description Trunk Connection for Sniffer PC
encapsulation dot1Q 1 native
ip address 192.168.0.129 255.255.255.252
ip nat inside
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 192.168.0.1 255.255.255.224
ip nat inside
!
interface FastEthernet0/0.3
encapsulation dot1Q 3
ip address 192.168.0.33 255.255.255.224
ip nat inside
!
interface FastEthernet0/0.4
encapsulation dot1Q 4
ip address 192.168.0.65 255.255.255.224
ip nat inside
!
interface FastEthernet0/0.5
encapsulation dot1Q 5
ip address 192.168.0.97 255.255.255.224
ip nat inside
!
interface FastEthernet0/1
mac-address 0020.af67.ff21
ip address dhcp
ip nat outside
duplex auto
speed auto
!
ip nat inside source list 101 interface FastEthernet0/1 overload
ip http server
ip classless
!
access-list 101 permit ip 192.168.0.0 0.0.0.31 any
access-list 101 permit ip 192.168.0.32 0.0.0.31 any
access-list 101 permit ip 192.168.0.64 0.0.0.31 any
access-list 101 permit ip 192.168.0.96 0.0.0.31 any
access-list 101 permit ip 192.168.0.128 0.0.0.31 any
!
gatekeeper
shutdown
!
banner motd ^C
************************************************
Authorised Access Only
************************************************
This Router has been configured for the use
during the War Games Exercise 2009
For permission to access this Router, see Helen Ashman
Otherwise there should be no need to access
this Router during War Games
Unauthorised Access may result in loss of marks
Network Admin: Wayne Gartner (Security Lab)^C
!
line con 0
password seclab
login
line aux 0
line vty 0 4
password seclab
login
!
!
end
4. Network Analysing Information
Having designed the network, we now turn to analysing the data that will be flowing over the network.
To analyse the network, we have a computer setup as a sniffer (explained below) to monitor the
network. The next section details how the network will be monitored, what sort of information will be
captured and what we will do with this information.
4.1. The Sniffer
The Sniffer is the PC running the network traffic sniffer (TCPDump). Its purpose is to capture a copy
of all network traffic and save it in log files for later analysis with Snort and Wireshark. This PC
connects to the switch's SPAN destination port and receives all network traffic without actually being
the intended recipient.
4.2. TCPDump
The first piece of software used is TCPDump for Windows. Using the Windows rather than the Linux version
is purely a personal preference, and there is no significant difference between the two operating
systems. The only difference of any significance is that the Windows version is called WinDump, not
TCPDump. The purpose of this software is to capture all the traffic on the network and save it to the
hard drive for later analysis. Because of compatibility issues, WinDump requires WinPcap version 4.
Commands required to run WinDump:
- windump -D
- windump -i [num] -w [filename]
The first command lists the interfaces and the number of each; the second dumps all traffic on the
specified interface and saves it to the file specified.
4.3. Snort
Snort is an intrusion detection system. It is used because it can analyse TCPDump (WinDump) files after
the fact, which allows for a more detailed report. Because of compatibility issues, Snort requires
WinPcap version 3. This conflicts with WinDump's version, but it is not difficult to uninstall one
version, and since Snort will be used on a different machine to the sniffer PC this won't be a
significant issue.
Command required to run Snort:
- snort -r [filename location]
4.4. Wireshark
Wireshark is a protocol analyser, which looks at packets in some detail. Working in partnership with
the other two programs, it allows the observer to get detailed information on some of the packets going
across the network. This detailed information can be analysed at a later time, so there is no time
constraint on when the traffic has to be looked at.
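Once the sniffer has written its dump file, the first analysis question is which VLAN each frame came from and went to, which the /27 scheme answers directly (to the VLAN, not the group, since four groups share each pool). The following Python is an added example, not code from the report or from the tools it names: it reads a classic pcap file as WinDump writes it, attributes frames to VLANs and lists Telnet sessions, which section 6 warns carry passwords in plain text; the three-frame capture is constructed inline.

```python
"""Post-capture analysis for the sniffer's WinDump/tcpdump file: attribute each
frame to a war-games VLAN via the /27 addressing scheme, count VLAN-to-VLAN
traffic and list clear-text Telnet sessions. Added example, not code from the
report; the capture bytes are constructed here, not a real recording."""
import socket
import struct
from collections import Counter
from ipaddress import ip_address, ip_network

LAB = ip_network("192.168.0.0/24")


def vlan_for(addr):
    """/27 index 0..3 -> VLAN 2..5; index 4 is the router/sniffer link
    (192.168.0.128/30); anything else (e.g. the university side) -> None."""
    a = ip_address(addr)
    if a not in LAB:
        return None
    idx = (int(a) - int(LAB.network_address)) // 32
    if idx < 4:
        return 2 + idx
    return "link" if idx == 4 else None


def parse_pcap(data):
    """Yield (ts_sec, frame) records from a classic pcap buffer (Ethernet link type)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("expected Ethernet (link type 1)")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def decode_frame(frame):
    """Return (src, dst, proto, dport) for an IPv4 frame, else None.
    An 802.1Q tag is skipped in case the SPAN copy carries the VLAN tag."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    off = 14
    if ethertype == 0x8100:
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        off = 18
    if ethertype != 0x0800:
        return None
    ihl = (frame[off] & 0x0F) * 4
    proto = frame[off + 9]
    src = socket.inet_ntoa(frame[off + 12:off + 16])
    dst = socket.inet_ntoa(frame[off + 16:off + 20])
    dport = None
    if proto in (6, 17):                       # TCP/UDP: destination port at L4 offset 2
        dport = struct.unpack_from("!H", frame, off + ihl + 2)[0]
    return src, dst, proto, dport


def summarise(data):
    """Count (source VLAN, destination VLAN) pairs and collect Telnet (tcp/23) sessions."""
    pairs = Counter()
    telnet = []
    for _ts, frame in parse_pcap(data):
        decoded = decode_frame(frame)
        if decoded is None:
            continue
        src, dst, proto, dport = decoded
        pairs[(vlan_for(src), vlan_for(dst))] += 1
        if proto == 6 and dport == 23:
            telnet.append((src, dst))
    return pairs, telnet


def ipv4_frame(src, dst, proto, sport, dport):
    """Minimal Ethernet/IPv4 frame with a 4-byte port stub as L4; checksums left 0."""
    l4 = struct.pack("!HH", sport, dport)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + ip + l4


def sample_capture():
    """Constructed three-frame capture standing in for the sniffer's dump file."""
    frames = [
        ipv4_frame("192.168.0.5", "192.168.0.40", 6, 40000, 23),       # VLAN 2 -> VLAN 3 Telnet
        ipv4_frame("192.168.0.70", "192.168.0.75", 17, 5353, 5353),    # within VLAN 4
        ipv4_frame("192.168.0.100", "130.220.64.243", 17, 50000, 53),  # VLAN 5 -> UniSA DNS
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # pcap global header
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1244332800 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    pairs, telnet = summarise(sample_capture())
    for (src_vlan, dst_vlan), n in sorted(pairs.items(), key=str):
        print(f"VLAN {src_vlan} -> VLAN {dst_vlan}: {n} frame(s)")
    for src, dst in telnet:
        print(f"Telnet session {src} -> {dst}: credentials would be visible in the capture")
```

Replace `sample_capture()` with the bytes of a WinDump `-w` file to run it over a real exercise capture; frames leaving for the university appear with a destination VLAN of None because the sniffer sees them before NAT.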
5. Network Security
Now that the network is built and can reach the university's network, a pressing issue is to make sure
that there are security measures protecting the university's network from the sandbox network.
On the sandbox side of the network, NAT translates internal network IP addresses to a
university-routable address, so the network cannot be accessed directly from outside the sandbox.
On the university side of the network there are multiple security measures in place already, which we
use simply by plugging into their network. The port that the router connects to is protected by the
university's firewall and intrusion detection system (IDS). The firewall will block any traffic that
should not be allowed, and the intrusion detection system will simply shut down the port if any traffic
matching its rules is discovered on the connection.
Other than NAT, though, there will be no additional security measures in place within the sandbox
environment. This includes the sniffer PC, which will not have any security measures to prevent it being
compromised during the exercise. To prevent the sniffer being compromised, no IP address will be set on
the computer, which prevents traffic to and from the sniffer. This will not stop its function as a
sniffer, since the traffic forwarded from the switch is independent of the IP addresses within the
network, so the captured traffic and data remain unaffected.
With these security measures in place, we are confident that there will be no damage done to the
university's network, nor to any network outside the sandbox environment.
6. Assignment Information
This portion of the report will look at the information that needs to be used when deriving the
assignment specifications and rules.
- Group IP Address Ranges
  o Each group is assigned a range of IP addresses to use, as per the above table. The
    students will need to know that these addresses are assigned dynamically, and there are
    four groups per pool.
  o The ports are all associated with the pools, and changing the port on the switch will
    change which pool they belong to.
- Network Hardware
  o The students will need to be warned that the networking equipment (the switch and
    the router) is not the target of the assignment, and therefore should not be the target of any
    of their attacks.
- Passwords
  o On the side of caution, the students should be warned not to use their usual UniSA
    passwords. State explicitly that there is someone watching the network traffic who can
    derive their passwords (especially if they use Telnet, in which passwords are transferred
    in plain text).
- Sniffer PC
  o Students should also be warned that there must not be attacks directed at the PC that is
    watching the network. There are no security measures installed on the machine, so it
    can receive all traffic, and it will damage the results if the PC goes down.
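As an added example (not code from the report), a Python post-capture audit of the kind section 4 describes: it reads a WinDump/tcpdump capture file after the exercise and checks it against the assignment rules above, flagging traffic aimed at the networking equipment and any Telnet session, whose password would have been visible to the observer. The equipment addresses and the sample flows are constructed placeholders, not values from the report.

```python
import struct
import ipaddress
EQUIPMENT = {ipaddress.ip_address("192.0.2.1"),   # constructed placeholder router address
             ipaddress.ip_address("192.0.2.2")}   # constructed placeholder switch address

def parse_pcap(data):
    """Yield (src, dst, proto, dport) for every IPv4 frame in a libpcap capture."""
    magic = struct.unpack_from("<I", data, 0)[0]
    e = "<" if magic == 0xA1B2C3D4 else ">"             # file byte order from the magic
    linktype = struct.unpack_from(e + "I", data, 20)[0]
    off = 24                                            # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(e + "I", data, off + 8)[0]
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if linktype != 1 or len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                                    # not an Ethernet/IPv4 frame
        ihl = (pkt[14] & 0x0F) * 4                      # IPv4 header length in bytes
        proto = pkt[23]
        src, dst = ipaddress.ip_address(pkt[26:30]), ipaddress.ip_address(pkt[30:34])
        dport = None
        if proto in (6, 17) and len(pkt) >= 18 + ihl:  # TCP/UDP: read destination port
            dport = struct.unpack_from("!H", pkt, 16 + ihl)[0]
        yield src, dst, proto, dport

def audit(data):
    """Return (equipment_hits, telnet_sessions) worth raising with the groups."""
    hits, telnet = [], set()
    for src, dst, proto, dport in parse_pcap(data):
        if dst in EQUIPMENT:                            # switch and router are off limits
            hits.append((str(src), str(dst), dport))
        if proto == 6 and dport == 23:                  # Telnet carries passwords in clear
            telnet.add((str(src), str(dst)))
    return hits, sorted(telnet)

def make_pcap(flows):
    """Build a constructed little-endian pcap of minimal Ethernet/IPv4/TCP SYN frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst, dport in flows:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
        tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
        frame = bytes(12) + b"\x08\x00" + ip + tcp      # zeroed MACs, ethertype IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

# Constructed sample capture: two group PCs talking, one Telnet login, one poke at the router.
SAMPLE = make_pcap([("10.10.1.5", "10.10.1.9", 80), ("10.10.1.5", "10.10.1.9", 23),
                    ("10.10.2.7", "192.0.2.1", 22)])
```

Pointing `audit` at the bytes of a real WinDump `-w` file gives the same two lists for the captured exercise.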
7. Conclusion
The purpose of this report was to detail the requirements, network design and strategies for building a
sandbox network environment for the war games exercise. The report elaborates on the construction of
the network, and the security measures taken to prevent damage to networking equipment other than
the targeted machines themselves.
This report will serve as the instructions for building the sandbox environment within the war games
exercise, which will be taught in INFT3015 and INFT5017 respectively. Some sections of this report will
also be used within a proposed conference paper, (Second International Workshop on Story-Telling and
Educational Games) to be co-written by Helen Ashman, Kirsten Wahlstrom and myself.
Thus the outcomes and contributions of this Research Placement are in two parts: firstly the design of
the architecture and preliminary testing of components; and secondly the significant contributions to a
research paper on the topic of the War Games exercise.