RMU VLabNet - Virtual Laboratory Information Security Exercises
Learning Focus Areas:
1. Computing and Learning Environment: Xen Linux Virtual Machines
   a. Directory structure and navigation, IPv6
   b. Ports and Sockets
   c. Tools, Learn about tools
      1. Arp, Ping, Netstat, Ifconfig, Telnet, Ssh, Ps
      2. Editing files
      3. Checking active processes
   d. Capturing and documenting results using tcpdump and tshark
2. Syslog, RSyslog, Logger
   a. RSyslog, Syslog
   b. Logger
3. Ports and Nmap, Mausezahn, Hping3, Ping -R, Netstat
   a. Checking Which Ports You Have Open Using Netstat
   b. Scanning
   c. OS Fingerprinting
   d. Scan Evasion
   e. Address Spoofing
4. Sensing and Snort, Oinkmaster
   a. Configuration
5. Iptables and Packet Filtering, Arptables, Firewall Configuration, Firewall Testing
   a. Iptables
   b. Arptables
   c. Firewall Testing using Mausezahn, Nmap, Ping.
6. Encapsulation Review and Introduction to Tunneling
   a. Review Encapsulation in the Protocol Stack: Message (Portion) in Segment in Packet in Frame
   b. Free IPv6 tunnels
   c. Implement and Verify a Tunnel Using Generic Routing Encapsulation (GRE)
Paper: http://isedj.org/isecon/2006/3722/ISECON.2006.Harvey.pdf
Modules
· 0. Setup Instructions: Finding, installing, and configuring PuTTY, including configuring authentication using your private key file.
· 1. Introduction: Fundamentals, Editing (vi, nano), Tools (tshark, tcpdump, ping), Capturing Evidence
· 2. Syslog – Logging, Central Audit, RSyslog, Logger
· 3. Learning Environment Architecture: Two Views of Architecture; Directory Overview, Central Audit Model, Generic Routing Encapsulation (GRE) Exercise Model
· 4. Nmap, Mausezahn, Hping3 – Port Scanning, Probing, OS Fingerprinting, Scan Evasion
· 5. Snort – Sensor Operation, Oinkmaster
· 6. Iptables – Firewall Configuration and Testing, Packet Filtering
· 6.1 Firewall Planning (traffic model, threats specification)
· 6.2 Iptables Details (commands, options)
· 6.3 Arptables Details (commands, options)
· 6.4 Firewall Testing (with nmap, ping, ping -R, hping3, mausezahn)
· 6.5 Firewall Testing (with ftester) – historical
· 7. Tunneling - Generic Routing Encapsulation (GRE)
· 8. Command Summary
· 9. Mausezahn
· 10. Student Scan Exercise Results
· Technology Note (below)
Schedule
Spring 2012
· Practice 1a. Thursday, March 8, 2012 –
  o Introduction to VLabNet;
  o Bit budget concepts: bitbdgt2.htm
  o Capture and analysis tools, tshark and tcpdump, ARP and ping; capturing and analyzing data units: i6230vlabnet3-1Protocol Exchanges.htm
  o Review of addresses and masks and CIDR addressing: VLabNetAddressing.htm; VLabNetAdMskFrg.htm
  o Review of the 5-layer hybrid protocol stack: i6230VLabNet1.htm
  o Classful addressing, special address classifications:
  o Encapsulation: Payload (information bits) vs. headers/trailers (overhead bits) in data units
  o Introduction to VLabNet
  o Ports and vulnerability: VLabNetPortList.htm
  o Syslog;
  o Configuring syslog or RSyslog;
  o Using logger;
· Practice 1b. Thursday, March 15, 2012 –
  o VLabNet architecture;
  o Protocol stack review;
  o Scanning
  o OS Fingerprinting
· Practice 1c. Thursday, March 22, 2012 –
  o Ports, Sensors, Snort, Configuration
Learn about ports and
vm-vjhst0:/# netstat -an | less
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:2601          0.0.0.0:*               LISTEN       [Open port]
tcp        0      0 127.0.0.1:2602          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2604            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0     52 x.y.z.124:22            71.240.49.117:50554     ESTABLISHED  [Active connection]
udp        0      0 0.0.0.0:514             0.0.0.0:*
udp        0      0 0.0.0.0:520             0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
raw        0      0 0.0.0.0:89              0.0.0.0:*
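The listing above is the raw material for "Checking Which Ports You Have Open Using Netstat". As an added example (not part of the VLabNet lab materials), the following Python parses a netstat -an listing and separates bound or listening sockets from established connections, grading each listener by exposure: a 0.0.0.0 bind is reachable on every interface, a 127.0.0.1 bind only from the host itself. The sample text is constructed from the listing above, with the page's masked x.y.z. prefix left as is.

```python
from collections import namedtuple

# Constructed sample input: the netstat -an listing from the lab notes,
# banner and header included, annotations removed.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:2601          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:2602          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2604            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0     52 x.y.z.124:22            71.240.49.117:50554     ESTABLISHED
udp        0      0 0.0.0.0:514             0.0.0.0:*
udp        0      0 0.0.0.0:520             0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
raw        0      0 0.0.0.0:89              0.0.0.0:*
"""

Socket = namedtuple("Socket", "proto recvq sendq local_addr local_port foreign state")

PROTOCOLS = ("tcp", "tcp6", "udp", "udp6", "raw", "raw6")


def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so IPv6 addresses survive intact.
    For raw sockets the number after the colon is the IP protocol number, not a port."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Turn the data rows of a netstat -an listing into Socket records, skipping banner and header."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in PROTOCOLS:
            continue
        proto, recvq, sendq, local, foreign = fields[:5]
        state = fields[5] if len(fields) > 5 else ""  # udp and raw rows carry no State column
        host, port = split_endpoint(local)
        sockets.append(Socket(proto, int(recvq), int(sendq), host, port, foreign, state))
    return sockets


def bound_exposure(host):
    """Who can reach a socket bound to this local address."""
    if host in ("0.0.0.0", "::", "*"):
        return "all"        # every interface, including the routable one
    if host.startswith("127.") or host == "::1":
        return "loopback"   # local processes only
    return "specific"       # one configured address


def summarize(sockets):
    """Group listeners by exposure and collect established connections for review."""
    summary = {"listening": {"all": [], "loopback": [], "specific": []}, "established": []}
    for s in sockets:
        # TCP listeners say LISTEN; UDP and raw sockets are simply bound, with a wildcard peer.
        is_bound = s.state == "LISTEN" or (
            s.proto.startswith(("udp", "raw")) and s.foreign.endswith(":*"))
        if is_bound:
            summary["listening"][bound_exposure(s.local_addr)].append((s.proto, s.local_port))
        elif s.state == "ESTABLISHED":
            summary["established"].append((s.proto, s.local_addr, s.local_port, s.foreign))
    return summary


if __name__ == "__main__":
    report = summarize(parse_netstat(SAMPLE_NETSTAT))
    for exposure in ("all", "loopback", "specific"):
        for proto, port in report["listening"][exposure]:
            print(f"{exposure:9} {proto:4} {port}")
    for proto, addr, port, peer in report["established"]:
        print(f"established {proto} {addr}:{port} <- {peer}")
```

Run against the sample, the "all" group is the list to reconcile with the services you intended to expose on the routable x.y.z. address (ssh on 22, smtp on 25, portmapper on 111, syslog on udp 514 and so on), while the two loopback listeners are only reachable from the VM itself; the established row is the student's own ssh session, which is the one you expect to see during the exercise.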
· Practice 1d. Thursday, March 29, 2012 –
  o Iptables, Firewall configuration
  o Firewall testing; mausezahn
  o Discussion of firewall configuration and testing strategies for experiments.
    1. What packet(s) do you want to filter? ICMP, ARP, BPDU, RTP, DNS, UDP,
    2. What will be the results? What do you expect from your mausezahn captures?
· Practice 1e. Thursday, April 5, 2012 –
  o Generic Routing Encapsulation (GRE), configuration, verification, and testing, ssh;
  o Tunnels and their uses;
  o Overview of encapsulation.
· Practice 1f. Thursday, April 12, 2012 –
· Practice 1e. Thursday, April 19, 2012 –
· Course Meeting. Thursday, April 26, 2012 –
  o Assessment/Exam and presentation activities as specified.
Technology Note (below)
a. Open two session instances at the same time so you can, for example, ping in one session and capture the results using tshark in the other session.
b. Teamwork: one member of team ping and the other capture using tshark; verify if routings exist in both directions between team’s hosts.
c. Round robin port scanning: xyzstn scans abcstm, system 101 scans system 102, etc., system 122 scans system 101
d. Use ping count parameter ping -c 1 to make capture easier.
a. Acknowledgement packets.
b. Checking owners of IP addresses – ARIN Whois database search: http://www.arin.net/whois/
Resources
Alder et al. (2004). Alder, Raven, Babbin, Jacob, Baker, Andrew R., Caswell, Brian, Poor, Mike, Doxtater, Adam, Forster, James C., Kohlenberg, Toby, and Rash, Michael, Snort 2.1 Intrusion Detection, 2nd ed. (Syngress, 2004).
Cox and Gerg (2004). Cox, Kerry & Gerg, Christopher, Managing Security with Snort and
Koziol (2003). Koziol, Jack, Intrusion Detection with Snort (SAMS, 2003).
Lockhart, Andrew (2004), Network Security Hacks (O’Reilly, 2004).
Lyon, G. F., NMAP Network Scanning (Insecure.com, 2008).
Markopolos, Harry, No One Would Listen: A True Financial Thriller (Wiley, 2010).
Orebaugh et al. (2005). Orebaugh, Angela D., Biles, Simon, and Babbin, Jacob, Snort Cookbook (O’Reilly, 2005).
Orebaugh and Pinkard (2008). Orebaugh, Angela D.; Pinkard, Becky, Nmap in the Enterprise: Your Guide to Network Scanning (Syngress, 2008).
Rehman (2003). Rehman, Rafeeq Ur, Intrusion Detection Systems with Snort: Advanced
Shinn, Michael (2004), Troubleshooting Linux(R) Firewalls (Addison Wesley Professional, 2004).
Suehring, Steve, and Ziegler, Robert L. (2006), Linux Firewalls, 3rd ed. (Novell/Pearson Education, 2006).
Turnbull, James (2005), Hardening Linux (Apress, 2005).
VLabNet InfoSec Laboratory Resources (Links)
Papers and Presentations:
Harvey, Johnson, and Turchek (2007). “Virtual Laboratory Intrusion Detection Experience for Information Systems Professionals,” Information Systems Education Journal, 5 (5). http://isedj.org/5/5/. ISSN: 1545-679X. (Online at http://isedj.org/5/5/; also appears in The Proceedings of ISECON 2006: §3722. ISSN: 1542-7382.)
Powell, Johnson, Turchek, Davis, Wu, Parker, “VLabNet: The Integrated Design of Hands-on Learning in Information Security and Networks.” Presentation, 2007 Information Security Curriculum Development Conference, Kennesaw State University (September 2007). See: portal.acm.org/citation.cfm?id=1409918
Powell, Johnson, Davis, Turchek, and Powell, “Designing Hands-on Network Instruction Using Virtualization,” IADIS/CELDA, Freiburg im Breisgau, Germany (October 2008). See: http://www.celda-conf.org/Final_Program_CELDA_2008.pdf
Acknowledgements:
Thanks to the members of RMU
Technology: Debian Xen, Quagga, Hewlett Packard
This RMU
Server: HP ML370G3 with a single 2.8 GHz CPU, two 36 GB SCSI disks in a hardware-based RAID-1 mirror, and 1 GB
Architecture: see VlabNet 3
Notes:
x.y.z. = first three octets of assigned routable network addresses for
n = student domain number {n ∈ ℕ | (n ≥ 201) ∧ (n ≤ 254)}
Valerie J. H. Powell, RMU C&IS; Sushma Mishra, RMU C&IS, Randall S. Johnson and Ian W. Parker, RMU IT Technical Services, Matthew Stewart, RMU IT Security
© 2008 by Robert Morris University
Update: 2012-05-05