20199310 2019-2020-2 "Network Attack and Defense Practice" Week 6 Assignment

Course: https://edu.cnblogs.com/campus/besti/19attackdefense
Assignment requirements: https://edu.cnblogs.com/campus/besti/19attackdefense/homework/10589
Course objective: study Chapter 6 of "Network Attack and Defense Technology and Practice" and complete the assignment
Assignment objective: learn network security technology

Assignment content:

1 Knowledge summary

1.1 Information Security

Golden triangle of information security: confidentiality, integrity and availability.
Traditional static security technologies and methods: firewalls, encryption, authentication.
Detection mechanism: a dynamic supplement that strengthens the basic protections; it is the means by which security policy is enforced. Through continuous testing and monitoring of networks and systems, new threats and vulnerabilities are discovered, and a feedback loop allows a timely and effective response.
Detection technologies: intrusion detection and vulnerability assessment.
Response measures include: emergency response, backup and recovery, and disaster recovery.

2 Experimental content

2.1 Firewall Technology

Firewall: a component or device placed between networks of different security levels that enforces access control over network traffic in accordance with specific security requirements and policy settings. Technically, a firewall is an access control mechanism on the network: it sets up a security control point between different network security domains, inspects the data passing through it, and decides whether each network access is allowed to pass, so as to protect a specific network against unauthorized access and damage.
By the layer of the network protocol stack at which they operate, firewall technologies are divided into packet filtering (network layer), circuit-level gateways (transport layer) and application-layer proxies (application layer).
Basic function: implementing network security access control between network domains of different trust levels on a computer network.

Security functions provided by a firewall:

  • 1) checking and controlling the network traffic entering and leaving the network;
  • 2) blocking vulnerable or unsafe protocols and services;
  • 3) preventing leakage of internal network information;
  • 4) monitoring and auditing network access and resource access;
  • 5) enforcing the security policy and integrating with other security defenses.

Firewall deficiencies (what a firewall cannot protect against):

  • 1) security threats originating inside the network;
  • 2) attacks that bypass the firewall through unauthorized external connections;
  • 3) the spread of computer viruses.

Technical bottlenecks:

  • 1) penetration attacks against security vulnerabilities in open services;
  • 2) penetration attacks against network client programs;
  • 3) covert channels carrying Trojan or botnet traffic.

2.2 Firewall deployment methods:

Packet filtering router: a router with packet filtering capability serves as the only connection point between the internal and external networks. While performing its basic routing and forwarding functions, the router filters packets according to the access control list configured by the network administrator.

  • Advantages: low cost, easy to use, and so on.
  • Disadvantages: a misconfigured router may be attacked; once the packet filtering router is compromised, every system on the internal network is completely exposed to the attacker; and the hosts and services that the filtering router permits can still be attacked through the allowed packets.

Dual-homed bastion host: very similar to the packet filtering router mode, except that an application proxy gateway acting as a dual-homed bastion host replaces the packet filtering router. The bastion host has two network interfaces, one with a public IP address connected to the external network and one with a private IP address connected to the internal network. There is no routing between the two interfaces; application traffic passes only through proxy server programs for specific applications.

  • Advantages: the dual-homed bastion host shields internal network information from the outside, and the access control implemented by the application proxy server provides user-level authentication and auditing of behaviour, as well as a thorough inspection of data content, which is a powerful security feature.
  • Inadequacies: on the one hand, the control of access between the internal and external networks is too restrictive, since only application protocols supported by a proxy can pass, so it is generally used only by enterprise customers with very high security requirements; on the other hand, the dual-homed bastion host usually runs on a general-purpose operating system whose own security maintenance is relatively complex, and once the bastion host is compromised by the attacker, the internal network is fully exposed.

Screened host: an integrated deployment of packet filtering and application proxy firewall technology, using both a screening router and a dual-homed bastion host. All data entering and leaving the internal network must pass through the bastion host and the packet filtering firewall; the packet filtering firewall performs access control at the network layer and the bastion host performs security control at the application layer, giving two layers of protection.

  • Advantages: this is a very reliable design; an attacker must penetrate both the firewall and the bastion host to reach the internal network. Besides giving the internal network Internet access, if services such as web services are to be offered to the external Internet, they can be placed behind the packet filtering firewall on the same network segment as the application proxy server.
  • Inadequacy: if the externally exposed server is compromised, the internal network is also exposed to the attacker.

Screened subnet: an improved deployment mode built on the screened host mode. The difference is that the screened subnet mode uses both an internal and an external packet filter, with the application proxy server between them: a second packet filter is installed between the application proxy server and the external network, and the segment in between is also called the DMZ (demilitarized zone). In this deployment mode, the internal packet filtering firewall can still provide security for the internal network after the application proxy server has been compromised.


2.3 Linux open source firewall: netfilter/iptables

netfilter: the module in the Linux kernel that implements the firewall function. It provides static packet filtering and stateful packet inspection (dynamic packet filtering), supports additional features such as NAT (network address translation), and offers a flexible and extensible framework for further extensions.
iptables: the user-space management tool for the netfilter framework. It applies stateful inspection and NAT rules and provides a multi-layer API to support third-party extensions.

Three basic rule tables: the filter table for packet filtering, the nat table for network address translation, and the special-purpose mangle table for modifying packets.

Default rule tables and chains of netfilter/iptables:

filter table:
INPUT: filters packets destined for the local host;
OUTPUT: filters packets sent by the local host;
FORWARD: filters packets routed and forwarded through the host;
nat table:
PREROUTING: translates the destination IP address and port of packets before routing;
POSTROUTING: translates the source IP address and port of packets after routing;
OUTPUT: translates the destination IP address and port of locally generated packets;
mangle table:
modifies packet header information in special ways, such as setting the TOS value or marking packets, for purposes such as policy routing and network traffic shaping.

The five rule chains and their hook points:

  • PREROUTING chain: its checkpoint is NF_IP_PRE_ROUTING, which sees every packet entering the host; typically used for destination NAT processing;
  • INPUT chain: its checkpoint is NF_IP_LOCAL_IN, which inspects packets delivered by the local protocol stack to local processes; typically used to filter connections to local network services;
  • FORWARD chain: its checkpoint is NF_IP_FORWARD, which inspects packets routed and forwarded through the host; when the machine acts as a router this filters network connections, and this hook is the most important position for implementing a packet filtering firewall;
  • POSTROUTING chain: its checkpoint is NF_IP_POST_ROUTING, which inspects packets sent by the local protocol stack and packets forwarded via routing; commonly used for source NAT;
  • OUTPUT chain: its checkpoint is NF_IP_LOCAL_OUT, which inspects packets emitted by local processes through the local TCP/IP stack; used to configure restrictions on local outbound access and destination NAT for outbound packets.

Main syntax: iptables [-t table] command [match] [target]
where -t specifies the table in which the rule is configured (the default tables are filter, nat, mangle and raw), and the command section tells iptables what to do.
Commands:
-A, --append: append a rule to the end of the chain;
-D, --delete: delete the rule matching the specification, or the rule at the given position number, from the chain;
-P, --policy: set the default target (policy) of the chain; any packet that matches none of the rules in the chain is handled by this policy;
-N, --new-chain: create a new user-defined chain with the given name;
-F, --flush: if a chain is specified, delete all rules in that chain; if no chain name is given, delete all rules in all chains. This parameter is used for quick cleanup;
-L, --list: list all rules of the specified chain.
Targets:
ACCEPT: when a packet exactly matches a rule whose target is ACCEPT, the packet is accepted (allowed to reach its destination) and stops traversing the chain. This target is specified as -j ACCEPT.
DROP: when a packet exactly matches a rule whose target is DROP, the packet is blocked and not processed further. This target is specified as -j DROP.
REJECT: works like DROP, but unlike DROP it does not leave dead sockets on the server and client, and it sends an error message back to the sender of the packet. This target is specified as -j REJECT.
RETURN: a rule with the RETURN target makes a matching packet stop traversing the chain that contains the rule. If that chain is a built-in chain such as INPUT, the chain's default policy is applied. It is specified as -j RETURN (--jump RETURN).

Detection technology: divided into vulnerability assessment and intrusion detection

  • Host-based intrusion detection system (HIDS): generally used to monitor host information; its data sources typically include operating system audit records, system call sequences and application audit information.
  • Network-based intrusion detection system (NIDS): monitors network packets and analyzes them as its data source.
  • Distributed intrusion detection system (DIDS): combines both as components and uses centralized, hierarchical or fully distributed analysis and fusion to improve the coverage and effectiveness of the detection system.

Hands-on: Snort

Task: use Snort to perform intrusion detection on the given pcap file (the network scanning pcap file decoded in Chapter 4, or any other pcap file) and explain the detected attacks. Run Snort on the BT4 Linux attacker or the Windows attacker against the given pcap file and obtain the alert log.
The Snort command options used are as follows:
read network log data offline from the source pcap file (-r);
configure plaintext alert output in the snort.conf file (-c);
**specify the alert log directory (-l; the default log directory is /var/log/snort)**
Run the command; -K ascii specifies that the output log file is encoded as ASCII (the default is binary):

The capture consists mostly of TCP packets, with a small number of ARP packets:


10 alert packets, all of them logged, with a verdict of allow for every packet:

Flow statistics:

In the default log directory /var/log/snort, vim can be used to read the generated alert file, which records the 10 intrusion detection alerts:
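Reading the alert file by hand works for 10 alerts; for larger captures a small parser saves time. The following Python is an added example (not from the course or the page): it parses Snort's full-format ASCII alert file, as written under the log directory with -K ascii, and summarises which signatures fired, from which sources and against which ports. The alert text is constructed for the example, with local rule SIDs, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in Snort's full alert format (the "alert" file under the
# log directory when running with -K ascii); not the page's actual output.
SAMPLE_ALERT = """\
[**] [1:1000001:1] LOCAL SCAN nmap TCP probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/06-10:15:01.123456 192.168.200.5:45012 -> 192.168.200.10:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:44

[**] [1:1000001:1] LOCAL SCAN nmap TCP probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/06-10:15:01.223456 192.168.200.5:45013 -> 192.168.200.10:22
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:44

[**] [1:1000002:1] LOCAL ICMP ping sweep [**]
[Classification: Misc activity] [Priority: 3]
03/06-10:15:00.900000 192.168.200.5 -> 192.168.200.10
ICMP TTL:64 TOS:0x0 ID:3 IpLen:20 DgmLen:28
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]")
PACKET = re.compile(r"^(\S+) (\S+) -> (\S+)$")

def _split_endpoint(ep):
    """'ip:port' -> (ip, port); ICMP packet lines carry no port."""
    if ":" in ep:
        ip, port = ep.rsplit(":", 1)
        return ip, int(port)
    return ep, None

def parse_alerts(text):
    """Parse a full-format Snort alert file into a list of dicts, one per alert."""
    alerts, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:                                  # "[**] [gid:sid:rev] msg [**]" starts an alert
            cur = {"gid": int(m.group(1)), "sid": int(m.group(2)),
                   "rev": int(m.group(3)), "msg": m.group(4)}
            alerts.append(cur)
            continue
        if cur is None:
            continue
        m = CLASS.match(line)
        if m:                                  # classification and priority line
            cur["class"], cur["priority"] = m.group(1), int(m.group(2))
            continue
        m = PACKET.match(line)
        if m:                                  # "timestamp src -> dst" line
            cur["time"] = m.group(1)
            cur["src"], cur["sport"] = _split_endpoint(m.group(2))
            cur["dst"], cur["dport"] = _split_endpoint(m.group(3))
    return alerts

def summarize(alerts):
    """The counts an analyst looks at first: signatures, sources, targeted ports."""
    return {"by_msg": Counter(a["msg"] for a in alerts),
            "by_src": Counter(a["src"] for a in alerts),
            "dports": Counter(a["dport"] for a in alerts if a.get("dport") is not None)}
```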

Hands-on: firewall configuration

Practice: configure iptables on a Linux platform, or a personal firewall on a Windows platform, to implement the following functions and test them:
Filter ICMP packets so that the host does not receive ping packets:
First ping the target machine to confirm connectivity:

Then execute the command iptables -A INPUT -p icmp -j DROP, which adds a rule to the INPUT chain that discards the ICMP packets generated by ping; now pinging the target fails:


Remove the filtering rule just added:

Ping again; the connection is restored:

Allow only a specific IP address (such as the LAN Linux attacker 192.168.200.7) to access the host's network services (such as FTP, HTTP, SMB), while other IP addresses (such as the Windows attacker 192.168.200.5) cannot. The telnet protocol uses the TCP three-way handshake to establish a connection, so blocking the handshake cancels the TCP connection:
Use the telnet command to connect to the target machine 192.168.200.5 from source IP addresses 192.168.200.7 and 192.168.200.10:


Then execute iptables -A INPUT -p icmp -j DROP to discard datagrams matching the rule; the telnet connection now fails:



Then run iptables -A INPUT -p tcp -s 192.168.200.7 -j ACCEPT to open the TCP services on the target machine to source IP 192.168.200.7; iptables -L can be used to view the rules:

192.168.200.7 can telnet to the target IP, but the connection from 192.168.200.10 fails:
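The behaviour behind the commands in section 2.3 and in this hands-on, modelled in Python as an added example (not the course's or the page's code; the Rule and Chain classes and the demo functions are hypothetical names): a chain is traversed top-down, the first matching rule decides, and the chain policy applies when nothing matches. It also shows why an ACCEPT rule appended (-A) behind an existing DROP rule for the same protocol is never reached, whereas inserting it (-I) at the head of the chain works.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    """One filter rule; None in a field means 'match anything' (hypothetical model)."""
    proto: Optional[str] = None     # -p tcp/udp/icmp
    src: Optional[str] = None       # -s <source IP>
    dport: Optional[int] = None     # --dport <port>
    target: str = "ACCEPT"          # -j ACCEPT / DROP / REJECT

    def matches(self, pkt: dict) -> bool:
        return ((self.proto is None or pkt["proto"] == self.proto)
                and (self.src is None or pkt["src"] == self.src)
                and (self.dport is None or pkt.get("dport") == self.dport))

@dataclass
class Chain:
    """A built-in chain such as INPUT: first matching rule wins, else the policy."""
    policy: str = "ACCEPT"          # set with iptables -P CHAIN <policy>
    rules: list = field(default_factory=list)

    def append(self, rule: Rule) -> None:                 # iptables -A CHAIN ...
        self.rules.append(rule)

    def insert(self, rule: Rule, pos: int = 1) -> None:   # iptables -I CHAIN [pos] ...
        self.rules.insert(pos - 1, rule)

    def delete(self, num: int) -> None:                   # iptables -D CHAIN <num>
        del self.rules[num - 1]

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:                           # top-down traversal
            if rule.matches(pkt):
                return rule.target                        # ACCEPT/DROP ends traversal
        return self.policy                                # nothing matched

def icmp_filter_demo() -> tuple:
    """Step 1 above: add, then remove, a DROP rule for ICMP on INPUT."""
    inp = Chain()
    ping = {"proto": "icmp", "src": "192.168.200.5"}
    before = inp.verdict(ping)
    inp.append(Rule(proto="icmp", target="DROP"))   # iptables -A INPUT -p icmp -j DROP
    during = inp.verdict(ping)
    inp.delete(1)                                   # iptables -D INPUT 1
    return before, during, inp.verdict(ping)        # ("ACCEPT", "DROP", "ACCEPT")

def whitelist_demo(how: str) -> tuple:
    """Step 2 above: only 192.168.200.7 may reach TCP services; rule order matters."""
    inp = Chain()
    inp.append(Rule(proto="tcp", target="DROP"))    # iptables -A INPUT -p tcp -j DROP
    allow = Rule(proto="tcp", src="192.168.200.7", target="ACCEPT")
    if how == "append":
        inp.append(allow)   # -A lands behind the DROP rule: never reached
    else:
        inp.insert(allow)   # -I puts it at the head: checked first
    telnet = lambda src: {"proto": "tcp", "src": src, "dport": 23}
    return inp.verdict(telnet("192.168.200.7")), inp.verdict(telnet("192.168.200.10"))
```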

3. Practice assignment

Analyze the firewall and IDS/IPS configuration rules of the honeypot network gateway (Honeywall) in the virtual attack and defense environment, and report on how the honeypot gateway uses firewall and intrusion detection technology to meet its requirements for attack data capture and data control.
The specific rules and configuration file entries to analyze include:
firewall (netfilter + IPTables): /etc/init.d/rc.firewall
intrusion detection system (Snort): /etc/init.d/hflow-snort and /etc/snort/snort.conf (the first file was not found)
intrusion prevention system (snort_inline): /etc/init.d/hflow-snort_inline and /etc/snort_inline/snort_inline.conf (the first file is actually hw-snort_inline)

Content analysis:
How do the above scripts implement Honeywall's data capture and data control mechanisms?
Snort mainly raises alerts on packets across the whole network and is focused on data capture; of course, querying the snort_inline and firewall logs can also provide some data capture information.
iptables uses modprobe ipt_LOG and chains such as iptables -N FenceLogDrop to store captured log data. The corresponding Snort code was not found, but snort_inline can be run with snort -c [absolute path of snort.conf] -l [log path] -K ascii to write the log file.

The iptables firewall is mainly responsible for defining and enforcing accept, reject, drop and other rules, which are used for data control.
Analysis of the key code in the script: in the firewall file rc.firewall, the function create_chains() creates the chains, namely the blacklist, whitelist, fence list and fence log-drop chains. -N creates a new chain with the user-specified name. The blacklist blocks certain user network addresses and hosts from entering the network; the whitelist is the set of network users and addresses that the user considers trusted; the fence list is the IPS protection list; and the fence log-drop chain is a log table for recording and dropping packets that bounce off the fence.

create_chains() {
   if [ -n "${HwFWBLACK}" ] && [ -e "${HwFWBLACK}" ] &&
      [ "${HwBWLIST_ENABLE}" == "yes" ]; then
      # blacklist chain
      iptables -N BlackList
   fi
   if [ -n "${HwFWWHITE}" ] && [ -e "${HwFWWHITE}" ] &&
      [ "${HwBWLIST_ENABLE}" == "yes" ]; then
      # whitelist chain
      iptables -N WhiteList
   fi
   if [ -n "${HwFWFENCE}" ] && [ -e "${HwFWFENCE}" ] &&
      [ "${HwFENCELIST_ENABLE}" == "yes" ]; then
      # fence (protection) list chain
      iptables -N FenceList
      # fence log-and-drop chain
      iptables -N FenceLogDrop
   fi
   # The rate variables are quoted: an unquoted empty variable makes
   # "[ -n ]" true and "[ -gt 0 ]" a syntax error.
   if [ -n "${HwTCPRATE}" ] && [ "${HwTCPRATE}" -gt 0 ]; then
      # create the TCP handling chain
      iptables -N tcpHandler
   fi
   if [ -n "${HwUDPRATE}" ] && [ "${HwUDPRATE}" -gt 0 ]; then
      # create the UDP handling chain
      iptables -N udpHandler
   fi
   if [ -n "${HwICMPRATE}" ] && [ "${HwICMPRATE}" -gt 0 ]; then
      # create the ICMP handling chain
      iptables -N icmpHandler
   fi
   if [ -n "${HwOTHERRATE}" ] && [ "${HwOTHERRATE}" -gt 0 ]; then
      # create the handling chain for other protocols
      iptables -N otherHandler
   fi
}

snort_inline: a network intrusion prevention system that mainly controls abnormal data and can work in linkage with iptables.

How to obtain the actual IPTables rule list and the actual execution parameters of Snort and Snort_inline?
Obtaining the actual IPTables rule list:
use the command iptables -t filter -L to view the rules:

Obtaining the actual execution parameters of Snort:
snort --h, or open the snort startup file with vim /etc/rc.d/init.d/snortd


Obtaining the actual execution parameters of Snort_inline:

-D runs in daemon mode, -c specifies the configuration file to read, -Q indicates QUEUE mode (packets are read from the iptables queue), -l specifies the output directory for the log file, and -t changes the root directory (chroot) used for program execution.
After Honeywall boots, how are the firewall, NIDS and NIPS started?

chkconfig --list | grep [service] queries whether a service is enabled in each runlevel: 1 is single-user mode, 2 is multi-user command line without networking, 3 is multi-user command line with networking, 4 is unused, 5 is multi-user mode with a graphical interface, and 6 is reboot. It can be seen that iptables and snort_inline (NIPS) are started automatically with the system, while snort (NIDS) needs to be started manually:
Bonus: how does Honeywall automatically update its Snort rules?
From vim /etc/honeywall.conf it can be seen whether the snort rules are updated automatically; by default they are not:

4. Problems encountered in learning and their solutions

  • Problem 1: the relationship between snort, snort_inline and iptables was not well understood.
    Solution to problem 1: searched online; articles on the linkage between snort_inline and iptables offer more introduction and practical content.

  • Problem 2: basic iptables operations.
    Solution to problem 2: searched online for tutorial 1 and tutorial 2.

  • Problem 3: querying log files in the seed virtual machine was inconvenient.
    Solution to problem 3: log in with the local IP and the MobaXterm account; the interactive interface is better.

5. Learning impressions and reflections

The main learning content was network security technology. I feel that the iptables command and the snort tool have not been mastered adequately; only a few commonly used command parameters were used during the experiment, and the analysis of the script source code relied mainly on the Internet and the English comments. This needs to be strengthened.

Reference material


Source: www.cnblogs.com/louhao-20199310/p/12623254.html