20199324 2019-2020-2 "Network Attack and Defense Practice" Week 6 Assignment

Assignment Description

This assignment belongs to the course: Course Link

Where this requirement sits in the assignment: the assignment requirements link

My goal in this course: to learn network attack and defense technologies and practices

Which aspects of this assignment helped me achieve that goal: learning network-security-related technologies

Assignment text

1. Practice content

Security models

  • Traditional security assessment and prevention methods: analyze the network's risks, develop an appropriate security policy, and then adopt one or more security technologies as protective measures. This approach mainly targets the threats and vulnerabilities of a fixed, static environment and ignores the dynamic nature of network security, which is its most important feature.
  • Dynamically adaptive network security models: based on closed-loop control theory; the typical model is the $PDR$ model, and the $P^2DR$ model was proposed on that basis.
    • $PDR$ security model: a dynamic, time-based security model. Its intrinsic basis is the classic network security inequality $P_t > D_t + R_t$ (the protection time must exceed the detection time plus the response time), and it put forward the view that security is quantifiable and computable.
    • $P^2DR$ security model: based on the $PDR$ model, with the security policy as its core; all protection, detection and response are carried out according to the security policy.

Network security technologies and systems

Firewall technology

  • Definition: a firewall is one of the most mature network defense technologies. It refers to a component or device placed between different network security domains that implements access control over the network traffic flowing between them.
  • The objects it checks are network access requests and network traffic.
  • Key technical characteristics:
    • It can only inspect and control the data that flows through it, so the firewall must be deployed on the single channel between different network security domains;
    • It cannot actively detect network attacks or distinguish attack data from legitimate data by itself, so security policy rules must be designed carefully according to the security needs;
    • It cannot protect the internal network from attacks originating inside it.
  • Function: implements network access control mechanisms at each layer of the network protocol stack, inspecting network traffic and controlling access. The most basic function is to control the data flows transmitted between network domains with different trust levels.
  • Security features offered to the network administrator:
    • Inspect and control traffic entering and leaving the network
    • Block vulnerable or insecure services and protocols
    • Prevent leakage of internal network information
    • Monitor and audit network access
    • Enforce the network security policy and integrate with other security defense mechanisms
  • Limitations:
    • Security threats it inherently cannot prevent include: threats from inside the network, attacks spread through illegal external links, and the spread of computer viruses.
    • Security threats it still cannot protect against because of technical bottlenecks include: network penetration attacks against client programs (Trojan horse or botnet communications), covert channels, and penetration attacks against security vulnerabilities of open services.
  • Technologies:
    • Packet filtering: extends the routing function; by examining network-layer and transport-layer header information and applying a user-defined security policy rule set, it decides whether to forward each packet, blocking packets that do not conform to the policy at the network boundary.
    • Stateful inspection packet filtering: also called dynamic packet filtering. It still matches a static rule set against the security policy, but in addition to checking each individual packet it tracks the context of network connections (the connection state) to decide whether to permit the communication. Compared with traditional static packet filtering it offers stronger security and simpler rules, while preserving packet filtering's transparency to users and effectively protecting the legitimacy of the data.
    • Proxy technology: lets clients connect to another network indirectly, through a proxy service; also called a "network proxy". The process: the client establishes a connection with the proxy server and issues a request for a resource; the proxy server then either connects to the target server (a file server or other resource) to make the request, or serves it from its cache, and returns the result to the client. Proxy techniques include application proxies (working at the application layer), circuit-level proxies (working at the transport layer), NAT proxies (working at the network layer), and the like.
  • Deployment methods:
    • Packet filtering router: a router with packet-filtering firewall functionality.
    • Dual-homed bastion host: an application proxy gateway acting as a dual-homed bastion host.
    • Screened host: combines a bastion host with packet filtering.
    • Screened subnet: adds a second packet filtering router to the screened host design.

Open-source Linux firewall: netfilter/iptables

  • Concept: netfilter/iptables is the firewall solution commonly used on the open-source Linux operating system. netfilter is the firewall functionality module implemented in the Linux kernel, and iptables is the user-space firewall management tool.
  • netfilter/iptables comprises three basic rule tables: the filter table for packet filtering, the nat table for network address translation, and the mangle table for special-purpose packet modification.
  • The iptables command syntax is iptables [-t table] command [match] [target]. "-t table" specifies which table the rule is configured in; the tables include filter (the default), nat, mangle, raw and so on. "command" tells iptables what to do, for example -A appends a rule to the end of a chain and -D deletes the matching rule from the chain. "match" is the rule's matching condition; packets that meet it are subjected to the rule's action. "target" is what to do once a rule matches, such as ACCEPT to let the packet through.
  • NAT mechanisms of netfilter/iptables: include IP masquerading, transparent proxying, port forwarding and other forms of network address translation.
    • IP masquerading: lets packets from private IP addresses in the internal network reach the external IP network through the firewall by masquerading the packet's source IP.
    • SNAT mechanism: SNAT rewrites the source IP according to user-defined rules and can change it to a variety of IPs flexibly; IP masquerading is one SNAT mechanism. Note that SNAT must be done in the POSTROUTING chain, so that routing and packet filtering are completed before the source IP is changed.
    • DNAT mechanism: DNAT is done in the PREROUTING chain and needs the -i option (the incoming interface).

Intrusion detection technology and systems

  • Intrusion detection technology: its core task is to analyze information and identify attacks within it.
  • Technology types: misuse detection (also known as signature detection) and anomaly detection (which detects statistical deviations from normal user behaviour). The two are usually combined to improve the overall detection performance of the intrusion detection system, and intrusion detection systems can be classified according to these two technologies.
  • Classification of intrusion detection systems:
    • Host-based intrusion detection system (HIDS): monitors information on the host;
    • Network-based intrusion detection system (NIDS): listens to network packets as the data source for its analysis.
  • Intrusion prevention system (IPS): also called an inline IPS; when it detects abnormal behaviour, or behaviour matching its signature database, it blocks the access directly by disconnecting it.
  • Open-source network intrusion detection system Snort:
    • Snort is a cross-platform, lightweight network intrusion detection tool that also provides packet sniffing, packet analysis and logging. It also supports inline mode, so it can be used as a network intrusion prevention system.
    • Snort functions: packet sniffing, packet analysis and logging, and intrusion detection.
    • Four main components of Snort:
      • Packet sniffer: puts the interface in promiscuous mode and uses libpcap functions to monitor and capture packets.
      • Preprocessors: make up for the detection engine's limitations; they include TCP/IP protocol stack simulation, application-layer protocol decoding, and anomaly detection.
      • Detection engine: the core module, including rule base parsing, multi-pattern matching, and rule plug-ins.
      • Output modules: various forms of alerting and logging.

Network security incident response technology

  • Computer forensics: the process of examining a computer system in detail when investigating a security incident, and of protecting, validating, archiving and extracting electronic evidence of computer crime.
  • Attack tracing and attribution: identifying the real source of a network attack and determining the true identity of the attacker.
  • Backup and recovery: rapidly restoring business operations after a network security incident.

2. Practice

Hands-on: firewall configuration

Practice task: configure iptables on the Linux operating system platform to implement the following functions, and test them:

Host      IP address
SEED      192.168.200.6
WinXP     192.168.200.2
time      192.168.200.3

1. Filter ICMP packets so that the host does not accept ping packets;

  • First ping the Kali host from SEED; in the normal state the ping goes through.
  • On the Kali host, view the rules with iptables -L; only the default rules are found.
  • Execute iptables -A INPUT -p icmp -j DROP so that the host does not accept ICMP packets. Here -A appends a new rule to the tail of the specified chain, INPUT is the chain for incoming packets, -p matches the protocol, and -j specifies how to handle the packet (the action). Viewing the rules again shows one more ICMP rule that refuses access from anywhere.
  • Ping the Kali host from SEED again, and I found the ping no longer got through.
  • Use iptables -F to delete the custom rules.

2. Allow only a specific IP address (such as the LAN Linux attacker machine 192.168.200.6) to access a network service on the host, while other IP addresses (such as the Windows attacker machine 192.168.200.2) cannot access it.

  • Open the telnet service on the Kali host.
  • Test whether the SEED and WinXP machines can telnet to it.
  • Next, use the iptables -P INPUT DROP command to reject all incoming packets (-P modifies the default policy of the chain); afterwards neither machine could telnet in.
  • Use the command iptables -A INPUT -p tcp -s 192.168.200.6 -j ACCEPT to open the Kali host's TCP services to 192.168.200.6, and view the rules with iptables -L.
  • SEED was then found to access the telnet service normally, while WinXP could not.
  • Finally execute iptables -F to delete the custom rules and iptables -P INPUT ACCEPT to stop dropping received packets, restoring the previous state.
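As an added illustration (not part of the original post), the following Python simulates how the INPUT chain evaluates the rules used in the two tasks above: rules are tried in order, the first match decides, and the policy set with -P applies when nothing matches. The host addresses are the ones from the post; the Rule and Chain names are my own.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:  # one iptables rule: the -j target plus optional -p / -s matches
    target: str                   # ACCEPT or DROP
    proto: Optional[str] = None   # -p; None matches any protocol
    src: Optional[str] = None     # -s; None matches any source address

    def matches(self, pkt: dict) -> bool:
        return ((self.proto is None or pkt["proto"] == self.proto)
                and (self.src is None or pkt["src"] == self.src))

@dataclass
class Chain:  # an INPUT chain: ordered rule list plus default policy (-P)
    policy: str = "ACCEPT"
    rules: list = field(default_factory=list)

    def append(self, rule: Rule) -> None:  # iptables -A: add at the tail
        self.rules.append(rule)

    def flush(self) -> None:               # iptables -F: remove custom rules
        self.rules.clear()

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:            # first matching rule decides
            if rule.matches(pkt):
                return rule.target
        return self.policy                 # no match: chain policy applies

def task1_icmp_drop(proto: str) -> str:
    """Task 1: iptables -A INPUT -p icmp -j DROP on the default ACCEPT chain."""
    chain = Chain()
    chain.append(Rule("DROP", proto="icmp"))
    return chain.verdict({"proto": proto, "src": "192.168.200.6"})

def task2_only_seed(src: str) -> str:
    """Task 2: -P INPUT DROP, then -A INPUT -p tcp -s 192.168.200.6 -j ACCEPT."""
    chain = Chain(policy="DROP")
    chain.append(Rule("ACCEPT", proto="tcp", src="192.168.200.6"))
    return chain.verdict({"proto": "tcp", "src": src})

def restore(src: str) -> str:
    """Cleanup: iptables -F, then iptables -P INPUT ACCEPT restores the start."""
    chain = Chain(policy="DROP")
    chain.append(Rule("ACCEPT", proto="tcp", src="192.168.200.6"))
    chain.flush()
    chain.policy = "ACCEPT"
    return chain.verdict({"proto": "tcp", "src": src})
```

Note that with the task 2 rules in place, WinXP's packets reach the end of the chain and fall to the DROP policy, which is why its telnet attempt fails while SEED's succeeds.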

Hands-on: Snort

Practice task: use Snort to perform intrusion detection on a given pcap file and explain the detected attack. Run Snort on the BT4 Linux attacker machine against the given pcap file and obtain the alert log.

  • The Snort command line is run as follows:
    • Read the network log data offline from the pcap source file;
    • Output plain-text alerts using the snort.conf configuration file;
    • Write the alert log to the specified log directory (or the default log directory /var/log/snort).

Practice

  • Use the listen.pcap file from the previous experiment.
  • First run snort -r /home/kali/listen.pcap -c /etc/snort/snort.conf -K ascii to perform intrusion detection on listen.pcap; -c selects the Snort configuration file, -r reads packets from a pcap-format file, and -K ascii specifies that the log files are written in ASCII.
  • The output then shows statistics on the detected packets; most of the data stream consists of TCP sessions.
  • Snort writes its log files in the default directory. Enter the alert log directory with cd /var/log/snort and view the log file with vim alert; it can be seen that this attack was initiated using nmap. The IP address of the attacking host is 172.31.4.178 and the target IP address of the network scan is 172.31.4.188.
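As an added example (not from the original post), the following Python parses records in Snort's full ASCII alert format, like the /var/log/snort/alert file viewed above, and reports the busiest source/destination pair, which is how the attacking host and the scan target are read off the log. The alert text is constructed for the example and only reuses the two addresses reported in the post.

```python
import re
from collections import Counter

# Constructed sample in Snort's full ASCII alert format (not a real capture);
# the addresses are the ones reported in the post.
SAMPLE_ALERT = """\
[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/20-10:33:51.104237 172.31.4.178 -> 172.31.4.188
ICMP TTL:37 TOS:0x0 ID:2348 IpLen:20 DgmLen:28

[**] [1:1418:11] SNMP request tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/20-10:34:02.550011 172.31.4.178:36589 -> 172.31.4.188:161
TCP TTL:54 TOS:0x0 ID:12834 IpLen:20 DgmLen:44

[**] [1:1418:11] SNMP request tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/20-10:34:02.550312 172.31.4.178:36589 -> 172.31.4.188:161
TCP TTL:54 TOS:0x0 ID:12835 IpLen:20 DgmLen:44
"""

# "[**] [gid:sid:rev] message [**]" header line of each alert block
HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
# "timestamp src[:port] -> dst[:port]" flow line
FLOW = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+)(?::\d+)? -> "
                  r"(\d+\.\d+\.\d+\.\d+)(?::\d+)?$")

def parse_alerts(text: str) -> list:
    """Split the alert file into blocks and return one dict per alert."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        head = HEADER.match(lines[0])
        flow = next((m for m in map(FLOW.match, lines) if m), None)
        if head is None or flow is None:
            continue  # not an alert block: skip it
        alerts.append({"sid": int(head.group(2)), "msg": head.group(4),
                       "src": flow.group(1), "dst": flow.group(2)})
    return alerts

def suspected_scan(alerts: list) -> tuple:
    """Return (attacker, target, alert count) for the busiest src -> dst pair."""
    pairs = Counter((a["src"], a["dst"]) for a in alerts)
    (src, dst), count = pairs.most_common(1)[0]
    return src, dst, count
```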

Practical assignment

Analyze the firewall and IDS/IPS configuration rules of the honeynet gateway in the attack and defense virtual network environment, and write an analysis report on how the honeynet gateway uses firewall and intrusion detection technology to meet its attack data capture and data control requirements.

Analysis as follows:

How does the script implement the honeynet gateway's data capture and data control mechanisms?

  • Data capture mechanism: iptables can capture network connection information in the form of logs, including source address, destination address, port, the protocol used for the connection, length, and so on; Snort detects attack packets by their characteristics and generates alert information at the ingress, identifying attacks present in the network stream.

  • View the firewall file with vim /etc/init.d/rc.firewall

  • We can see that the rules create blacklist and whitelist chains, and also create many chains of rules for handling protocol packets.

Get the actual list of iptables rules, and the actual execution parameters of Snort and Snort_inline.

  • Get the actual list of iptables rules: view the rule list with iptables -t filter -L. It can be seen that the default policies of the INPUT, FORWARD and OUTPUT chains have all been closed (nothing passes by default).

  • Get Snort's actual execution parameters: open the Snort script file with vim /etc/init.d/snortd; the options show these parameters: the default rules are snort.conf in the default directory, the default monitored interface is eth0, and the default log storage path is /var/log/snort.

  • Get Snort_inline's actual execution parameters: execute vim /etc/init.d/hw-snort_inline to open the snort_inline script file, where the actual execution parameters can be seen.

After the honeynet gateway boots, how are the firewall, NIDS and NIPS started?

  • Use the chkconfig --list command to query the services running on Linux. The NIDS is off at runlevels 0-6, which means it needs to be started manually, whereas the firewall and NIPS are not off at every runlevel, so they start together with the system.

How are the honeynet gateway's Snort rules upgraded automatically?

  • From the information gathered, Oinkmaster is a free tool widely used in the Snort community for updating rules. Searching for files turned up the oinkmaster.conf file.
  • Open the file with vim /etc/oinkmaster.conf; since it references the snort.conf file, it can be concluded that the Oinkmaster tool performs the automatic upgrade of the Snort rules.

3. Problems encountered in the study and their solutions

  • Problem 1: after running vim /etc/init.d/rc.firewall, the file showed no content.
  • Solution to problem 1: on the honeypot, first elevate privileges with su - and then view the rc.firewall file.
  • Problem 2: how to page up and down on the honeypot
  • Solution to problem 2: shift + page up / page down

4. Practice summary

This practice did not have too much content, and compared with previous practice sessions it took less time and effort. The final small experiment on how to analyze the script that implements the honeynet gateway's data control mechanism I did not understand well here; I basically referred to previous students' learning and blog analyses, and my understanding is not deep enough.

Reference material

Origin www.cnblogs.com/yangdd/p/12646400.html