"Network attack and defense practice" 7.0

20199110 2019-2020-2 "Network Attack and Defense Practice" week 6 assignment

1. Practice content

Chapter 6 covers network security defense technology, in four areas: security models, network security defense technology and systems, network detection technology and systems, and network security incident response technology.

Security Model

Dynamic adaptive network security models are based on closed-loop control theory. Typical models are:

  • The PDR (Protection, Detection, Response) model, a time-based dynamic security model: the system is considered secure as long as the time the protection measures hold out (Pt) exceeds the time needed to detect an attack plus the time needed to respond to it (Dt + Rt);

  • The PPDR (Policy, Protection, Detection, Response) model and its variants, in which the security policy is the core of the model.

The protection mechanism uses every available means to protect the confidentiality, integrity, availability, authenticity and non-repudiation of the information system. The detection mechanism is the basis for dynamic response and for strengthening protection; it is the tool that enforces the security policy.

Network security technology and systems

Firewall technology is one of the most mature network defense technologies. A firewall can enforce network access control at every layer of the network protocol stack, inspecting network traffic and controlling access.

According to the layer of the network protocol stack at which the firewall works, firewall technology can be divided into:

  • Packet filtering

  • Circuit-level gateway

  • Proxy technology (by the protocol-stack layer at which it works: application-layer proxy, circuit-level proxy and NAT proxy)

Firewall technology generally provides the following functions for network administrators:

  • Inspect and control traffic entering and leaving the network

  • Block vulnerable or insecure services and protocols

  • Prevent leakage of information about the internal network

  • Monitor and audit network access and activity

Because of the nature of firewalls or because of technical bottlenecks, a number of security threats cannot be prevented by a firewall. Specifically:

  • Threats a firewall inherently cannot protect against

    • Threats that originate inside the network

    • Attacks through unauthorized external connections that bypass the firewall

    • The spread of computer viruses

  • Threats a firewall cannot prevent because of technical bottlenecks

    • Penetration attacks against vulnerabilities in the open services it has to let through

    • Penetration attacks against network client programs

    • Network communication of Trojan horses or bots over covert channels

Firewall products can be divided into packet-filtering routers, firewall software products built on a general-purpose operating system, firewalls built on a hardened operating system, and hardware firewall appliances. Firewall deployment methods include the packet-filtering router, the dual-homed bastion host, the screened host and the screened subnet. Besides firewalls, the network security industry offers other defense technologies, including VPNs, network security management, secure content management and unified threat management (UTM).

The open-source Linux firewall is netfilter/iptables: netfilter is the firewall module implemented in the Linux kernel, and iptables is the user-space management tool for it.

Network detection technology and systems

Detection is the precondition for response; detection techniques include vulnerability assessment, intrusion detection and so on. Intrusion detection means detecting and discovering intrusions, and it complements the firewall. Two important parameters for evaluating an intrusion detection system are the detection rate (the true-positive rate: the share of real intrusions that raise an alert) and the false-alarm rate (the false-positive rate: the share of normal activity that wrongly raises an alert).

Intrusion detection systems can be classified by several criteria:

  • By the source of the data they inspect, into HIDS (host-based intrusion detection systems) and NIDS (network-based intrusion detection systems);

  • By the analysis method they use, into misuse detection (signature-based detection) and anomaly detection;

  • By their architecture, into centralized, hierarchical and collaborative systems.

Snort is a very well-known open-source network intrusion detection system. Snort consists of four parts:

  • Packet sniffer/decoder (Sniffer)

  • Preprocessor plugins (Preprocessor)

  • Detection engine plugins (Detection Engine)

  • Output plugins (Output Modules)

Network Security Incident Response Technology

A network security incident is a malicious act that affects the security of computer systems and networks. Organizations that respond to network security incidents include CSIRTs (Computer Security Incident Response Teams), CCERT (the China Education and Research Network Emergency Response Team) and so on. The PDCERF methodology divides security incident response into six stages: Preparation, Detection, Containment, Eradication, Recovery and Follow-up.

The key technologies involved in the network security incident response process include computer forensics, attack source tracing and attribution, and backup, recovery and disaster recovery.

  • Computer forensics

The process of protecting, confirming, extracting and archiving electronic evidence of computer crime through detailed examination of a computer system while investigating a security incident.

  • Attack source tracing and attribution

Identifying the real source from which a network attack was carried out and determining the true identity of the attacker.

  • Backup and recovery

Techniques for restoring critical business operations quickly and at acceptable cost after a network security incident.

2. Practice

Task 1

Configure iptables on a Linux platform (or a personal firewall on a Windows platform) to perform the following functions, and test them:
(1) filter ICMP packets so that the host does not accept ping packets;
(2) allow only a specific IP address (e.g. the LAN Linux attacker 192.168.200.3) to access a network service on the host (e.g. FTP, HTTP, SMB), while other IP addresses (e.g. the Windows attacker 192.168.200.4) cannot access it.

Practical operation

Here Kali (A) is the trusted host, SEEDUbuntu (B) is the server and Metasploitable2 (C) is the untrusted host, with IP(A) = 192.168.200.5, IP(B) = 192.168.200.6 and IP(C) = 192.168.200.2.

For (1):

(I) On B, first run iptables -L to view the current rules, then run iptables -A INPUT -p icmp -j DROP (-A appends a rule, INPUT is the chain for packets addressed to this host, -p is the protocol to match, -j is the target to jump to) so that the host no longer accepts icmp packets.

(II) Ping B from A: the ping fails. Back on B, iptables -L now shows one extra icmp rule, DROP icmp from anywhere to anywhere.

(III) Finally, on B, iptables -F flushes the rules that were added, after which pinging B from A succeeds again.

For (2):

(I) On both A and C, telnet to IP(B) and log in with the account and password.

(II) On B, run iptables -P INPUT DROP to drop all incoming packets; after that neither A nor C can type commands in the telnet session (no screenshot here; picture it). Then run iptables -A INPUT -p tcp -s IP(A) -j ACCEPT to open B's TCP services to IP(A), and check with iptables -L. A should now be able to telnet to B normally, while C still cannot. Note that this rule admits A to every TCP port on B, not only to the FTP, HTTP and SMB services; adding --dport restricts it to the intended service.

(III) Finally, on B, iptables -F and iptables -P INPUT ACCEPT restore the original state.
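As an added example (not code from the original post), the task-1 rule set for host B as a small POSIX shell script, written with the two caveats a practitioner would add to the commands above: it keeps loopback and already-established connections open before switching the INPUT policy to DROP, so an administrator's own remote session is not cut off, and it admits the trusted host only to the FTP, HTTP and SMB ports rather than to every TCP port. The address 192.168.200.5 for A and the port list 21, 80, 139, 445 are assumptions taken from the setup above; setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not part of the original post: iptables rule set for task 1 on host B.
# Assumptions: B runs netfilter/iptables with the conntrack match available, the trusted
# host A is 192.168.200.5, and the services to expose are FTP (21), HTTP (80) and
# SMB (139, 445). Run as root; IPT=echo prints the rules instead of applying them.
IPT="${IPT:-iptables}"
TRUSTED="${TRUSTED:-192.168.200.5}"
SERVICE_PORTS="${SERVICE_PORTS:-21 80 139 445}"

# Part (1): stop B answering ping. Only echo-request is dropped, so ICMP error
# messages (destination unreachable, fragmentation needed) keep working.
block_ping() {
    $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
}

# Part (2): default-deny INPUT, with the trusted host admitted to the service ports only.
restrict_services() {
    # Loopback and replies to connections B already accepted stay open, including the
    # administrator's own SSH/telnet session, which -P INPUT DROP alone would cut off.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Admit new TCP connections from A to the listed ports only; C (or any other
    # source) falls through to the DROP policy.
    for port in $SERVICE_PORTS; do
        $IPT -A INPUT -p tcp -s "$TRUSTED" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Set the policy last, after the ACCEPT rules exist.
    $IPT -P INPUT DROP
}

# Undo both parts: restore the ACCEPT policy first, then flush the INPUT chain,
# so that an open session survives the flush.
reset_rules() {
    $IPT -P INPUT ACCEPT
    $IPT -F INPUT
}

# Show the resulting rule set with line numbers and packet counters for verification.
show_rules() {
    $IPT -L INPUT -n -v --line-numbers
}

case "${1:-}" in
    ping)     block_ping ;;
    restrict) restrict_services ;;
    reset)    reset_rules ;;
    show)     show_rules ;;
esac
```

Run it as `sh fw.sh ping`, `sh fw.sh restrict`, `sh fw.sh show` and `sh fw.sh reset` on B; the packet counters in `show` confirm which rule C's connection attempts hit (none: they are counted against the policy) and which rule A's hit.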

Task 2

Use Snort to perform intrusion detection on a given pcap file (any pcap file from the network scanning decoding exercise in chapter 4) and describe the attacks detected. Run Snort on the BT4 Linux attacker or the Windows attacker against the given pcap file and obtain the alert log. The Snort command line should:
(1) read the network data offline from the pcap file as the source;
(2) output the alert log as plain text, as configured in snort.conf;
(3) write the alert log to the specified log directory (or the default log directory /var/log/snort).

Practical operation

The following operations are carried out on A.
(I) On A, run snort -r listen.pcap -c /etc/snort/snort.conf -K ascii to perform intrusion detection on listen.pcap. The -K ascii option selects the ASCII logging mode for the packet logs (the default is binary pcap). From the statistics printed at the end we can see that most of the packets processed are TCP packets.

(II) Opening the alert file with vim /var/log/snort/alert shows that an nmap scan was detected, along with plenty of other information for each alert: source address, destination address and so on.
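As an added example (not part of the original post), a small shell script that summarises the plaintext alert file from step (II) by rule, source host and destination host, so the detected scan can be described by counts instead of by paging through the file. The sample records are constructed for this example in Snort's full alert text format; the SIDs 469 ("ICMP PING NMAP") and 1228 ("SCAN nmap XMAS") are the stock rule IDs for those messages, but the revision numbers, timestamps and packet fields are illustrative and are not taken from the listen.pcap run above.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise a Snort plaintext alert file
# (the /var/log/snort/alert written in the full alert format). The sample below is
# constructed; only the rule messages and SIDs correspond to stock Snort rules.

write_sample_alerts() {
    cat > "$1" <<'EOF'
[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/25-10:39:28.123456 192.168.200.5 -> 192.168.200.6
ICMP TTL:48 TOS:0x0 ID:47921 IpLen:20 DgmLen:28

[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/25-10:39:29.001122 192.168.200.5 -> 192.168.200.6
ICMP TTL:48 TOS:0x0 ID:47922 IpLen:20 DgmLen:28

[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/25-10:39:30.445566 192.168.200.5 -> 192.168.200.6
ICMP TTL:48 TOS:0x0 ID:47923 IpLen:20 DgmLen:28

[**] [1:1228:7] SCAN nmap XMAS [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/25-10:40:01.778899 192.168.200.5:52000 -> 192.168.200.6:21
TCP TTL:49 TOS:0x0 ID:10001 IpLen:20 DgmLen:40

[**] [1:1228:7] SCAN nmap XMAS [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/25-10:40:01.778900 192.168.200.5:52000 -> 192.168.200.6:80
TCP TTL:49 TOS:0x0 ID:10002 IpLen:20 DgmLen:40

[**] [1:1228:7] SCAN nmap XMAS [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/25-10:41:15.000001 192.168.200.2:40000 -> 192.168.200.6:80
TCP TTL:64 TOS:0x0 ID:20001 IpLen:20 DgmLen:40
EOF
}

# One line per (rule, source host, destination host) with the alert count, most frequent
# first. Ports are stripped so a port scan against one host collapses to a single line.
summarize_alerts() {
    TAB=$(printf '\t')
    awk '
        # Header line: "[**] [gid:sid:rev] message [**]"
        /^\[\*\*\] \[/ {
            sid = $2; gsub(/[][]/, "", sid)
            msg = $0
            sub(/^\[\*\*\] \[[^]]*\] /, "", msg)
            sub(/ \[\*\*\][ \t]*$/, "", msg)
            next
        }
        # Timestamp line: "MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]"
        /^[0-9][0-9]\/[0-9][0-9]-[0-9][0-9]:/ && sid != "" {
            src = $2; dst = $4
            sub(/:[0-9]+$/, "", src); sub(/:[0-9]+$/, "", dst)
            count[sid "\t" msg "\t" src " -> " dst]++
            sid = ""
        }
        END { for (k in count) print count[k] "\t" k }
    ' "$1" | sort -t "$TAB" -k1,1nr -k2,2
}

# Alerts per source host, to tell the scanning host apart from background noise.
top_sources() {
    awk '
        /^[0-9][0-9]\/[0-9][0-9]-[0-9][0-9]:/ {
            src = $2; sub(/:[0-9]+$/, "", src); n[src]++
        }
        END { for (s in n) print n[s] "\t" s }
    ' "$1" | sort -k1,1nr
}

case "${1:-}" in
    sample)  write_sample_alerts "${2:-/tmp/alert.sample}" ;;
    summary) summarize_alerts "${2:-/var/log/snort/alert}" ;;
    sources) top_sources "${2:-/var/log/snort/alert}" ;;
esac
```

`sh alerts.sh summary /var/log/snort/alert` prints tab-separated lines of the form count, gid:sid:rev, message, src -> dst; `sh alerts.sh sources` lists the hosts that triggered the most alerts, which for a scan pcap points straight at the scanner.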

Task 3

Analyze the firewall and IDS/IPS configuration rules of the Honeywall in the attack and defense virtual network environment, and write an analysis report on how the Honeynet gateway uses firewall and intrusion detection technology to meet its requirements for attack data capture and data control. Specifically, analyze the following boot scripts and rule files:
(1) firewall (netfilter + IPTables): /etc/init.d/rc.firewall;
(2) intrusion detection system (Snort): /etc/init.d/hflow-snort and /etc/snort/snort.conf;
(3) intrusion prevention system (Snort_inline): /etc/init.d/hflow-snort_inline and /etc/snort_inline/snort_inline.conf.
Analyze the following:
(1) How do the scripts above implement the Honeywall's data capture and data control mechanisms?
(2) Obtain the actual IPTables rule list and the actual execution parameters of Snort and Snort_inline.
(3) After the Honeywall boots, how are the firewall, NIDS and NIPS started?
(4) Bonus: how are the Honeywall's Snort rules upgraded automatically?

Practical operation

The following operations are carried out on the honeywall.

For (1):

Firewall data control consists mainly of connection control by the firewall plus limiting of abnormal data by the IPS (snort_inline). First run su - to gain root, then open vim /etc/init.d/rc.firewall and look at the three lists it builds chains for: the blacklist, the whitelist and the fence list (FenceList).

Their functions are:

  • For a host on the blacklist, the firewall discards every packet whose source or destination address is that host.
  • For a host on the whitelist, traffic is accepted and not logged.
  • For a host on the fence list, access to it from the honeypots is blocked; these are hosts that must not be reachable from inside.
For (2):

(I) Actual IPTables rule list: data capture consists of the firewall's logging plus Snort's network flow records. List the rules with iptables -t filter -L. It is easy to see that the built-in OUTPUT, INPUT and FORWARD chains have been closed off and their work taken over by a set of custom rules (some of the parameters set when configuring roo are reflected in this rule table as well).
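As an added example (not the Honeywall's own rc.firewall, which should be read in the honeywall itself), a minimal iptables rule set that implements the three lists from (1) and the logging and rate-limiting of the honeypot's outbound connections on which the data capture and data control in (2)(I) rest. It assumes a honeywall that bridges the honeypot segment, with br_netfilter passing bridged frames through the FORWARD chain; every address and the limit of 15 outbound TCP connections per hour are assumptions for illustration, not values read from the Honeywall's files. Setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the Honeywall's rc.firewall: a minimal data-control rule set in the
# style described above, for a honeywall that bridges the honeypot segment and sees the
# honeypot's traffic in the FORWARD chain (br_netfilter assumed). All values below are
# assumptions; IPT=echo prints the rules instead of applying them.
IPT="${IPT:-iptables}"
HONEYPOT="${HONEYPOT:-192.168.200.6}"     # honeypot behind the wall (assumed)
BLACKLIST="${BLACKLIST:-10.0.0.66}"       # never allowed through, either direction (assumed)
WHITELIST="${WHITELIST:-192.168.200.5}"   # management host: allowed and not logged (assumed)
FENCELIST="${FENCELIST:-192.168.200.9}"   # host the honeypot must never reach (assumed)
TCP_LIMIT="${TCP_LIMIT:-15}"              # outbound TCP connections per hour (assumed value)

# The three lists as dedicated chains, consulted before any other FORWARD rule.
setup_lists() {
    for chain in BlackList WhiteList FenceList; do
        $IPT -N "$chain"
    done
    # Packets whose source or destination is on the blacklist are dropped
    $IPT -A FORWARD -s "$BLACKLIST" -j BlackList
    $IPT -A FORWARD -d "$BLACKLIST" -j BlackList
    $IPT -A BlackList -j DROP
    # Whitelisted hosts are accepted without being logged or limited
    $IPT -A FORWARD -s "$WHITELIST" -j WhiteList
    $IPT -A FORWARD -d "$WHITELIST" -j WhiteList
    $IPT -A WhiteList -j ACCEPT
    # The honeypot is fenced off from protected hosts
    $IPT -A FORWARD -s "$HONEYPOT" -d "$FENCELIST" -j FenceList
    $IPT -A FenceList -j DROP
}

# Data capture and data control for the honeypot's outbound traffic: every new TCP
# connection attempt is logged (capture) and only TCP_LIMIT per hour are let through
# (control), so a compromised honeypot is a poor launch point for further attacks.
# Other outbound protocols fall to the DROP policy; extend the same pattern for UDP/ICMP.
limit_outbound() {
    $IPT -N HoneyOut
    $IPT -A FORWARD -s "$HONEYPOT" -p tcp --syn -j HoneyOut
    $IPT -A HoneyOut -j LOG --log-prefix "HONEYPOT OUT "
    $IPT -A HoneyOut -m limit --limit "${TCP_LIMIT}/hour" --limit-burst "$TCP_LIMIT" -j ACCEPT
    $IPT -A HoneyOut -j DROP
}

# Inbound attacks must reach the honeypot unhindered, and replies must flow back.
allow_inbound() {
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -d "$HONEYPOT" -j ACCEPT
}

case "${1:-}" in
    start) setup_lists; limit_outbound; allow_inbound; $IPT -P FORWARD DROP ;;
    show)  $IPT -t filter -L -n -v ;;
esac
```

Compared with the rule table read off the Honeywall with iptables -t filter -L, the shape is the same: a closed-off built-in chain whose traffic is dispatched into named custom chains, with LOG targets providing the firewall half of data capture.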

(II) Actual Snort execution parameters: open the Snort startup script with vim /etc/init.d/snortd. The first screenshot shows the options available at startup and the second the parameters actually used at run time. Once the network interface is specified, if no other parameters are given Snort runs with its defaults: no alert mode (-A) set, /etc/snort/snort.conf as the configuration file, eth0 as the interface, and log files saved in binary mode.

(III) Actual Snort_inline execution parameters: open the Snort_inline startup script with vim /etc/init.d/hw-snort_inline; the actual run-time parameters can be read off there, with the individual parameters defined earlier in the script.

For (3):

Query whether a service is enabled with chkconfig --list | grep [service]; chkconfig is used to check and set the startup configuration of the system's services. We found that the firewall and the NIPS (snort_inline) start with the system: they are started automatically at boot and simply configured by the script files above. The NIDS is started manually.

For (4):

Open the honeywall configuration file with vim /etc/honeywall.conf. It contains much of what was configured before installing roo: the IP address, the locations of the whitelist and blacklist, where the Snort rule updates come from, and so on. The word Oinkmaster appears; looking it up confirms that it is the software used for automatic rule updates. Looking further, automatic updates are turned off by default. For usage, refer to the Oinkmaster documentation.

Then open oinkmaster.conf in the current directory; the file carries fairly detailed comments.

3. The problems and solutions encountered in the study

  • Question 1: In task 1 (2), during the actual operation, the connection dropped the first time, and at first I thought that was the experimental result.

  • Solution to question 1: After investigating, I found it was only because I had not logged in in time; the actual test result should be that commands cannot be typed, i.e. access is lost.

  • Question 2: When operating the honeypot at the command line, I found I could not page up and down. This problem also appeared with Metasploitable2 in the last assignment.

  • Solution to question 2: After a Baidu search, the paging keys are shift+PgUp/PgDn.

4. practice summary

This practice is mostly file analysis, supplemented by network operations. When reading the configuration files, the fairly detailed comments help in understanding the code. Overall, with the reference to earlier blog posts, this practice went quite smoothly. In the practice, the bridging problems from before did not appear, which is rather frustrating.

One Schrödinger problem remains: when installing third-party libraries on kali, it sometimes works and sometimes does not; the connection just drops.


Origin: www.cnblogs.com/y1150182239/p/12618752.html