NETWORK SECURITY WITH OPENSOURCE FIREWALL

Academic year: 2021

ABSTRACT: Information technology changes constantly, and it is very important to protect our systems and network infrastructure from compromise. The main purpose of this educational research is to test the weaknesses of a secured and an unsecured environment. The method used to test our environments is white-box testing with the help of BackTrack tools, and with the help of the pfSense firewall we analyse the logs to make our network infrastructure more secure.

INTRODUCTION

Aim: The aim of this research is to analyse the system logs that are generated in virtual environment 2 (which is secured with the pfSense firewall).

1. INTRODUCTION OF OUR LAB SCENARIOS

SCENARIO 1

LEVEL OF SECURITY: Low

ATTACKER SYSTEM: BackTrack 5 R3 (192.168.189.129)

HOST 1: Windows XP (192.168.189.128)

HOST 2: BackTrack 4 R2 (192.168.189.130)

Fig 1: SCENARIO 1 IMAGE

SCENARIO 2

LEVEL OF SECURITY: High

ATTACKER SYSTEM: BackTrack 5 R3 (192.168.75.10)

HOST: BackTrack 4 R2 (192.168.101.100)

FIREWALL: pfSense Firewall (192.168.75.1, 192.168.101.1)

Fig 2: SCENARIO 2 IMAGE

RESEARCH METHODS

The method used in this research is 'white-box testing'. White-box testing is a part of penetration testing.

Penetration Testing [1][4]

Penetration testing is a process used to conduct an audit of a network or of a particular system.

It can be of different types:
1. Black-box testing
2. White-box testing

Black-box Testing: In this testing the security expert is not aware of the network of the company or of the technologies used in the target company or organization.

White-box Testing: In this testing the security expert is aware of the network and the technologies used in the target company or organization.

BackTrack: To perform the testing we use BackTrack [2][3].

THE TOOLS & SCRIPTS USED IN THIS TESTING ARE:

1. Nmap (Network Mapper)

Description: It is a network mapper used to scan a remote machine through various Nmap scanning techniques such as the TCP connect scan (TCP), stealth scan (SYN), UDP scan, acknowledgement scan (ACK) and operating system scan (-O).

2. traceroute

Description: traceroute is used to find the firewall on the VLANs. Here we can analyse the output of the command in BackTrack 5 and also analyse the pfSense firewall log.

3. tcptraceroute

Description: While using traceroute we are unable to see behind the firewall, so we use tcptraceroute to see behind the firewall.

Vivek Kathayat, Dr Laxmi Ahuja, AIIT, Amity University, Noida

4. Nmap Firewalk Script

Description: It is a special feature of Nmap (a script) that is used to find the open ports behind the pfSense firewall.

5. XPROBE2

Description: It is an operating system fingerprinting tool. With this tool we can detect which OS the target host is running; it is purely an information gathering tool. While scanning we also analyse the pfSense firewall logs and see which packets are sent to the target to do OS fingerprinting.

6. ARMITAGE

Description: This tool is used for target exploitation; it is developed by Rapid7. Through this tool we exploit the target according to the weak hole or vulnerability found in the target machine, and also check what happens and the importance of the firewall.

FINDINGS AND ANALYSIS

After setting up the labs we start our experiment. The first step of the experiment is information gathering.

For information gathering we use Nmap to scan both scenarios.

INFORMATION GATHERING

We perform a scan through Nmap; with this scan we get information about the host system, which ports are open, etc.

WITH FIREWALL

When we do the same scan on scenario 2, it shows that ports 21 [ftp], 80 [http] and 443 [https] are closed and the rest of the ports are filtered.

BENEFIT OF FIREWALL: You can see that the firewall filtered all the ports, and the scanner reports them as closed.

Fig 2.1

PFSENSE FIREWALL LOG FOR TCP CONNECT SCAN

Now let us analyse the pfSense firewall log. Here you can see that the attack starts from the source address (192.168.75.10) to the destination (192.168.101.100), and you can also see the ports used in this scan.

The protocol shown in the log for the TCP connect scan is: TCP:S

Fig. 2.2

STEALTH SCAN (SYN SCAN)

It is also known as a half-open scan because it never forms a complete connection between the target and the scanner machine.

Now let us see the outcome of the stealth scan without a firewall (scenario 1) and with the pfSense firewall (scenario 2).

WITHOUT FIREWALL

Command: nmap -sS 192.168.189.130

The image below shows the output of the stealth scan.

Fig 3.1

WITH FIREWALL

Fig 3.2

Fig 3.3

4. UDP SCANNING

UDP scanning is used to check whether the remote target's ports are open, closed or open/filtered.

In this scan we use UDP packets: we send UDP packets to the target host, and the result is derived from the reply.

For example: when we send UDP packets to the target machine and an ICMP Unreachable reply comes back, it means that the port is closed.

If the UDP packet reaches the target machine and no reply comes back, it means the port is open/filtered.

And if a proper reply comes back, then it means the port is closed.

WITH FIREWALL

Now, in the firewall environment, when we do a UDP scan the output looks as shown below.

Fig. 4.1 shows that all 1000 scanned ports on 192.168.101.100 are open/filtered.

PFSENSE FIREWALL LOG FOR UDP SCAN

The log below was captured while we scanned the host behind the firewall.

In this log you can see that the proto column displays UDP, which means the attacker used the UDP scan technique. One more thing to analyse is that the ports are constantly changing.

Fig. 4.2

5. ACKNOWLEDGEMENT SCAN

It shows whether the target ports are filtered or unfiltered. It sends TCP ACK frames to the remote port, and if there is no response the port is considered filtered.

If the response is an RST (reset), then the port is unfiltered.

WITHOUT FIREWALL

Without a firewall, it normally shows that all 1000 ports are unfiltered.

Fig. 5.1

WITH FIREWALL

When we do an acknowledgement scan in scenario 2, it displays that the host is blocking the ping probes.

This is done by the pfSense firewall, which blocks the ping probes; that is why this type of response comes back.

See the below image for more details:

Fig. 5.2
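The SYN, UDP and acknowledgement scan results described above (scenario 1 answering every probe, scenario 2 dropping or rejecting them) can be modelled end to end. This is an added example, not the paper's code: the target host, the `Host`, `probe`, `nmap_state` and `scan` names and the reject/drop firewall policy are constructed, and the state rules follow Nmap's documented semantics for each scan type.

```python
"""How Nmap turns probe replies into port states, with and without a firewall
in the path (added example, not the paper's code). State rules follow Nmap's
documented SYN, ACK and UDP scan semantics; hosts and policies are constructed."""

class Host:
    """Target with listening TCP/UDP ports; any other port is closed."""
    def __init__(self, tcp_open, udp_open):
        self.tcp_open, self.udp_open = set(tcp_open), set(udp_open)

    def reply(self, kind, port):
        # An unprotected TCP/IP stack always answers something (scenario 1).
        if kind == "SYN":
            return "SYN/ACK" if port in self.tcp_open else "RST"
        if kind == "ACK":
            return "RST"                          # unsolicited ACK: RST, open or not
        if kind == "UDP":
            return "UDP" if port in self.udp_open else "ICMP-unreach"
        raise ValueError(kind)

def probe(host, kind, port, policy=None):
    """One probe. policy: port -> 'pass'|'reject'|'drop' (unlisted: drop); None = no firewall."""
    if policy is None:
        return host.reply(kind, port)
    action = policy.get(port, "drop")
    if action == "pass":
        return host.reply(kind, port)
    if action == "reject":                        # reject: TCP RST / ICMP unreachable
        return "RST" if kind in ("SYN", "ACK") else "ICMP-unreach"
    return None                                   # drop: silence, the scanner times out

def nmap_state(kind, reply):
    """Map a reply (None = no answer) to the state Nmap prints."""
    if kind == "SYN":
        return {"SYN/ACK": "open", "RST": "closed"}.get(reply, "filtered")
    if kind == "ACK":
        return "unfiltered" if reply == "RST" else "filtered"
    if kind == "UDP":
        return {"UDP": "open", "ICMP-unreach": "closed"}.get(reply, "open|filtered")
    raise ValueError(kind)

def scan(host, kind, ports, policy=None):
    """Return {port: state} for a scan of `ports` of the given kind."""
    return {p: nmap_state(kind, probe(host, kind, p, policy)) for p in ports}

if __name__ == "__main__":
    target = Host(tcp_open={22, 80}, udp_open={53})        # constructed target
    pfsense = {21: "reject", 80: "reject", 443: "reject"}  # everything else dropped
    ports = [21, 22, 53, 80, 443, 3306]
    print("scenario 2 SYN:", scan(target, "SYN", ports, pfsense))
    print("scenario 2 UDP:", scan(target, "UDP", ports, pfsense))
```

With the reject list above the SYN scan reports 21, 80 and 443 as closed and everything else as filtered, which is the pattern the paper reads off scenario 2.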

PFSENSE FIREWALL LOG FOR ACKNOWLEDGEMENT SCAN

Now when we analyse the firewall logs we can see that the acknowledgement scan is detected, with the source and destination IPv4 addresses.

See the below image for more details:

Fig. 5.3

WITH -Pn PARAMETER

Now if we use the -Pn parameter with our command, it displays that all 1000 scanned ports on 192.168.189.130 are filtered.

This type of scan helps the attacker to know which ports are filtered and unfiltered on the network.

See the below image for more details:

Fig 5.4

FIREWALL LOG

From the firewall log we can see that the attacker is trying to get information about the filtered and unfiltered ports in the network.
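The log analysis the paper performs by eye for the TCP connect, UDP and acknowledgement scans (one source, one destination, a proto column of TCP:S, UDP or TCP:A, and destination ports that keep changing) can be automated. This is an added example, not the paper's code and not pfSense's own log format: the sample lines are constructed to mirror the columns of the log view, and `parse_line`/`detect_scans` are hypothetical names.

```python
"""Scan detection over constructed pfSense-style firewall log lines (added
example, not the paper's code). Columns mimic the log view the paper reads:
action, interface, source, destination, proto."""
from collections import defaultdict

# Constructed sample: scenario 2 attacker 192.168.75.10 probing 192.168.101.100.
SAMPLE_LOG = """\
block em0 192.168.75.10:40001 192.168.101.100:21 TCP:S
block em0 192.168.75.10:40002 192.168.101.100:22 TCP:S
block em0 192.168.75.10:40003 192.168.101.100:80 TCP:S
block em0 192.168.75.10:40004 192.168.101.100:443 TCP:S
block em0 192.168.75.10:41000 192.168.101.100:53 UDP
block em0 192.168.75.10:41001 192.168.101.100:123 UDP
block em0 192.168.75.10:41002 192.168.101.100:161 UDP
block em0 192.168.75.10:42000 192.168.101.100:80 TCP:A
block em0 192.168.75.10:42001 192.168.101.100:443 TCP:A
block em0 192.168.75.10:42002 192.168.101.100:8080 TCP:A
pass em0 192.168.75.20:50000 192.168.101.100:80 TCP:S
"""

# How the paper reads the proto column: TCP:S = connect/SYN scan,
# TCP:A = ACK scan, plain UDP = UDP scan.
TECHNIQUE = {"TCP:S": "SYN/connect scan", "TCP:A": "ACK scan", "UDP": "UDP scan"}

def parse_line(line):
    """Return (action, src_ip, dst_ip, dst_port, proto), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    action, _iface, src, dst, proto = parts
    dst_ip, dst_port = dst.rsplit(":", 1)
    return action, src.rsplit(":", 1)[0], dst_ip, int(dst_port), proto

def detect_scans(log_text, min_ports=3):
    """Flag each (source, destination, proto) that hits >= min_ports distinct
    destination ports: the changing-port pattern the paper points out."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[0] != "block":
            continue                      # only blocked packets count as scan evidence
        _action, src_ip, dst_ip, dst_port, proto = rec
        ports[(src_ip, dst_ip, proto)].add(dst_port)
    return [{"src": s, "dst": d, "technique": TECHNIQUE.get(p, p), "ports": sorted(hit)}
            for (s, d, p), hit in sorted(ports.items()) if len(hit) >= min_ports]

if __name__ == "__main__":
    for finding in detect_scans(SAMPLE_LOG):
        print(finding)
```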

See the below image for more details:

Fig. 5.4

6. TRACEROUTE

It is a route analysis tool, which is used to trace the route to the target host.

WITH FIREWALL

Below you can see that in scenario 2, when we perform a traceroute command on the target IP address, it shows that packets are lost during transmission (the reason could be the firewall filtering). See the below image for more details:

Fig. 6.1

LOG FOR TRACEROUTE

Through the log analysis we can see that the UDP protocol is used, which means that traceroute uses UDP packets.

See the below image for more details:

Fig. 6.2

7. TCPTRACEROUTE (ROUTE ANALYSIS)

This is also used to detect the route to the target host; it uses TCP SYN packets. The biggest advantage of this tool is that if there is a firewall in between on the network, the packet is still able to reach the target.

WITH FIREWALL

In this tcptraceroute example, without any lost transmission, our packets successfully reached the target and it gives all the route information.

Fig 7.1

FIREWALL LOG FOR TCPTRACEROUTE

Fig. 7.2

8. NMAP FIREWALK SCRIPT

The Nmap firewalk script is the easiest method to test all the open, closed and filtered ports on the firewall, and if you also use the traceroute option it shows the route using port 80/tcp. See the below image for the output:

Fig. 8.1

FIREWALL LOG FOR NMAP SCRIPT

In the firewall log it detects the TCP SYN scanning method. See the log for more details:

Fig. 8.2

9. XPROBE2

Below are example images of running this tool in both scenarios.

Scenario 1

WITHOUT FIREWALL

Here you can see that it detects the running OS as Linux kernel 2.4, with 100% surety that it is a Linux kernel.

See the below image for more details:

Fig. 9.1

LOG GENERATED BY PFSENSE FIREWALL

Here you can see that the UDP protocol is used by this tool; to confirm this, check the firewall log.

Below, the firewall log shows that the protocol used is UDP. See the below image for more details:

Fig. 9.2

10. TARGET EXPLOITATION

In this step of target exploitation we use Armitage, a GUI-based tool that is used to find vulnerabilities in the target machine and exploit that target machine.

SCENARIO 1:

Using Armitage, we exploit the Windows netapi_67 vulnerability. The target is easily exploitable because there is no firewall or any other mechanism protecting the system.

The image below shows the successful exploitation of the Windows machine from BackTrack 5 R2 (attacker machine).

RESULT

The result shows the Windows command shell on the Linux machine. See the below image for more details:

Fig. 10.1

SCENARIO 2

When we try to attack the target machine we are unable to do so. We try various techniques through Armitage but all are unsuccessful because of the filtering device (firewall). See the below image for more details:

Fig 10.2

CONCLUSION

After the white-box testing, from the pfSense firewall logs we can understand the attacking pattern of a hacker or intruder. We can also understand the behaviour of the attack by analysing the protocols, the flags (such as ACK and FIN), the ports and the port numbers.

Even an administrator or security expert can study these attack patterns from the logs and secure his own network infrastructure, or after studying this type of virtual environment he can redefine his secure physical infrastructure.

In short, this whole research helps us to improve our network security with the help of an open-source firewall.

1. This research helps in the logical and practical implementation of firewall security to make network environments more secure.
2. This research helps administrators to understand the attack.
3. They can analyse and trace the attacker with the help of firewall logs.
4. It helps to make your system and network infrastructure more secure.
5. It helps students to understand how things actually work behind the scenes.
6. We can test different types of attacks in a virtual environment.
7. The log analysis helps the network administrator to understand what happens when an attack is done, like a DDoS attack, decoy attack etc., without breaking any cyber law.
8. Also we can analyse the log and see which TCP ports are used during the attacks, so that in future we can close those ports.

REFERENCES

[1] Lee Allen, Advanced Penetration Testing for Highly Secured Environments: The Ultimate Security Guide, Packt Publishing, www.packetpub.com
[2] www.wikipedia.org
[3] www.google.com
[4] Shakeel Ali, Tedi Hariyanto, BackTrack 4: Assuring Security by Penetration Testing, Packt Publishing
