IT Guru
Security labs
Authors:
Cesc Canet
Juan Agustín Zaballos
Translation from Catalan:
Cesc Canet
Overview
This project consists of practical networking scenarios to be built with OPNET IT Guru
Academic Edition, with particular attention to security issues.
The first two parts are a short installation manual and an introduction to OPNET. After
that there are 10 Labs that put different networking technologies into practice. Every
Lab consists of a theoretical introduction, a step-by-step construction of the scenario
and, finally, a Q&A on the issues discussed.
Lab 1: ICMP Ping, we study Ping traces and link failures.
Lab 2: Subnetting and OSI Model, we study layers 1, 2 and 3 of the OSI model, and
the Packet Analyzer tool to observe TCP connections.
Lab 3: Firewalls, we begin with proxies and firewalls. We will deny multimedia traffic
with a proxy, and study the link usage performance.
Lab 4: RIP explains the RIP routing protocol, and how to create timed link failures
and recoveries.
Lab 5: OSPF compares OSPF with RIP. We study areas and Load Balancing.
Lab 6: VPN studies secure non-local connections. A Hacker will try to get into a
server that we will try to protect using virtual private networks.
Lab 7: VLAN creates logical user groups with Virtual LANs. It also studies One-Armed Router interconnections.
Lab 8: Dual Homed Router/Host, Lab 9: Screened Host/Subnet. DMZ and Lab
10: Collapsed DMZ explain static routing tables, ACLs, proxies and internal vs.
perimeter security. Lab 10 is 100% practical: we want you to create it on your own, a
piece of cake if you did the other Labs!
Lab 6: VPN
Point-to-Point Tunneling Protocol (PPTP) is a set of communication rules that allows an
organization to extend its corporate network using private tunnels through a public
network such as the Internet. As a result, users have the same impression as if they were
working on a WAN of their own, and they don't need to rent a privately owned wide
area communication line. Nevertheless, security is guaranteed in a non-secure
environment such as the Internet. This kind of connection is a Virtual Private Network
(VPN).
PPTP is an extension of PPP (Point-to-Point Protocol). Users can use an
ISP to connect to a server of their organization over the Internet.
VPNs use IP tunnels (tunneling): point-to-point virtual links between any two stations.
The virtual link is created at the input router when the destination IP address is given.
When the input router wants to transmit an IP packet over the virtual link, it
encapsulates the packet inside an IP datagram. The source and destination addresses of
that outer IP datagram are those of the two routers in between that perform the encapsulation and
decapsulation.
A PPP client user establishes a call with an ISP (Internet Service Provider), the Front
End Processor (FEP). The security of this connection is guaranteed. The FEP and the PPP
client negotiate a VPN tunnel with a remote PPTP Server (Remote Access Server,
RAS). The two peers are the Tunnel Source and the Tunnel Destination. The Tunnel
Destination is always a remote PPTP Server.
There are two modes of VPN networks:
Figure L6.1
Figure L6.2
In either case, the tunneled data travels encapsulated inside the datagram sent to the destination. The
example in the picture shows the communication using the first scheme. We can see
how the PPP messages the client sends to the FEP are encapsulated when they arrive at the FEP.
During the whole process, the client believes it has a PPP connection with the PPTP
Server at the other side.
In the second scheme, the encapsulation is done at the PPTP Client.
Lab Description
A company with offices in several European cities uses VPNs to secure its
communication with the central site, while using the
Internet infrastructure in order to lower costs. This communication
scheme has the Tunnel Source at the FEP.
Go through the Startup Wizard with the Next button until the end. A new
Project Editor will pop up with a blank grid.
button to have a
Qty  Component                           Palette             Label
4    ethernet4_slip8_gtwy                internet_toolbox    Router 2...4, Network Server
1    ethernet2_slip8_firewall            internet_toolbox    Firewall
1    ip32_cloud                          internet_toolbox    Internet
1    Application Config                  internet_toolbox    Application Config
1    Profile Config                      internet_toolbox    Profile Config
1    IP Attribute Config                 internet_toolbox    IP Attribute Config
2    ethernet_server                     internet_toolbox    Google, DB Server
7    100BaseT                            links
11   PPP_DS1                             links
6    ppp_wkstn                           internet_toolbox    Station 1..6
1    eth_coax                            ethcoax             Coaxial Wire (buses)
2    ethcoax_wkstn                       ethcoax             Station 10 and 11
1    ethcoax_server                      ethcoax             Multiservice Server
4    eth_tap                             ethcoax
1    ethcoax_slip8_gtwy_adv              routers_advanced    Router 1 (coax)
3    Sm_Int_wkstn                        Sm_Int_Model_List   Station 7..9
1    3C_SSII_1100_3300_4s_ae52_e48_ge3   3 Com               Switch 1
1    IP VPN Config                       utilities           IP VPN Config
Right click on the Application Config control and click on Edit Attributes. Select
Application Definitions: Default. This will create new
Edit the Profile Config attributes and select Sample Profiles in the Profile
Configuration field. This will create 5 example profiles. We want six, so set
Profile Configuration rows = 6. Unfold the new row, row 6, and call it
Profile Name: DB Access Profile. Set the value Profile Configuration row 5
Applications rows: 1 and select the Database Access (Heavy) application in the
Name field of the new row. Click OK after.
Destination Node: Station 7, Station 7, Station 7, Google, Google, Google.
To create a Ping, open the Object Palette and select the ip_ping_traffic
tool in the internet_toolbox palette, and set the source and destination nodes
of each ping.
Analyze the ping traces: select all the ping demands (purple arrows) and edit
their Attributes with Ping Pattern: Record Route. Check Apply Changes
to Selected Objects so the change applies to every selected component, and
press OK after.
Server and Edit Attributes. Click on Application: Supported Services and select Edit.
In the new dialog all the applications besides database access will be supported,
using Rows: 10 and inserting a different application in each row. We need to
use all of them except Database Access (Heavy) and Database Access (Light).
Do the same for DB Server, but now we want to support the
remaining applications: Database Access (Light) and Database Access
(Heavy).
Defining the profiles of the Stations. Assign the following profiles to the
Servers:
Nodes                 Profile
                      DB Access Profile
Remaining stations    Engineer
Program the Firewall Proxy to deny the Database application traffic. Edit
the Attributes of the Firewall, unfold the Proxy Server Information
row 1 (for this application) and set Proxy Server
Deployed: No. The remaining applications can go across the device, so we
will set Proxy Server Deployed: Yes for the rest. The only one
whose default value is Proxy Server Deployed: No is Remote Login.
Change it and press OK after.
, and use
Edit the Attributes of the IP VPN Config control. Create two new rows in
the VPN Configuration branch, one for each VPN, with these values:
2. Creating the scenario with Virtual Private Networks (VPNs) using mode:
Voluntary
Edit the Attributes of the IP VPN control, and for each of the two rows
that define the VPNs, change the field of Operation Mode to Voluntary.
Questions
Q1 Open the Simulation Log of the 3 scenarios and, using the error messages, try to
find out in which cases we do have access to the database:
Scenario        Station 5   Station 10
NoVPN
VPNCompulsory
VPNVoluntary
Q2 Compare the traces of all the pings for all the scenarios. For pings starting at
Station 1 and ending at Google, are the ICMP packet paths equal in the three
scenarios? What would happen if the source had been Station 4? And if it had been
Station 10?
Q3 Besides security, which one of the modes is faster? Why?
Q4 Explain the influence of the presence of a VPN on the ping delay. Write down the
Response Time for all the pings.
Q5 Why does the Station 1 to Station 7 trace in VPNCompulsory not show the packet
crossing the Firewall router, when naturally that is the only possible way?
Answers
Q1 When we open the Simulation Log and look at the error messages, we see that the
traffic from some stations has not reached its destination (the Database service). From the
error messages of the 3 scenarios we can build a table like this:
Scenario        Station 5   Station 10
NoVPN
VPNCompulsory
VPNVoluntary
by the Firewall (packets won't be
encapsulated). Even the traffic from Station 5 with Tunnel Destination set to the
Firewall cannot pass, because the traffic is encapsulated only up to the entry interface and
decapsulated inside.
With Operation Mode: Voluntary, traffic is not encapsulated, just the same as
with NoVPN.
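The encapsulation described in the introduction, together with the point made in the Q1 answer that a device only sees the inner traffic once the tunnel ends at it, modelled in Python as an added example (not part of the original lab): the addresses, the TCP port standing in for the Database application and the proxy rule are all constructed assumptions, not the scenario's values.

```python
import struct
IPPROTO_IPIP, IPPROTO_TCP = 4, 6   # IP-in-IP (RFC 2003) and TCP protocol numbers
DB_PORT = 1521                     # assumed TCP port standing in for the Database application

def ip2b(a): return bytes(int(x) for x in a.split("."))
def b2ip(b): return ".".join(str(x) for x in b)

def ipv4_checksum(hdr):
    """One's-complement checksum over a 16-bit-aligned header; 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_packet(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options, TTL 64) with a valid checksum, then payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64,
                      proto, 0, ip2b(src), ip2b(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def tcp_stub(sport, dport):  # only the port fields matter here; rest of the TCP header zeroed
    return struct.pack("!HH", sport, dport) + bytes(16)

def encapsulate(inner, tun_src, tun_dst):  # Tunnel Source: outer addresses = tunnel endpoints
    return ipv4_packet(tun_src, tun_dst, IPPROTO_IPIP, inner)

def decapsulate(outer):
    """Tunnel Destination validates and strips the outer header, then forwards the inner packet."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[9] != IPPROTO_IPIP or ipv4_checksum(outer[:ihl]) != 0:
        raise ValueError("not a valid IP-in-IP datagram")
    return outer[ihl:]

def outer_header(pkt):
    return {"src": b2ip(pkt[12:16]), "dst": b2ip(pkt[16:20]), "proto": pkt[9]}

def proxy_allows(pkt):
    """'Deny the Database application', checked on the OUTERMOST header only, which is
    all a transit device that is not the tunnel endpoint can see."""
    if pkt[9] != IPPROTO_TCP:
        return True   # proto 4 (tunnelled): inner ports are hidden, the rule cannot match
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] != DB_PORT

# Constructed sample (documentation addresses, not the lab's): a DB request, then the
# same packet tunnelled from an access router (FEP) to the PPTP server.
INNER = ipv4_packet("192.0.2.10", "198.51.100.20", IPPROTO_TCP, tcp_stub(40000, DB_PORT))
TUNNELLED = encapsulate(INNER, "192.0.2.1", "198.51.100.1")

def verdicts():  # (plain packet, tunnelled packet at a transit firewall, after decapsulation)
    return proxy_allows(INNER), proxy_allows(TUNNELLED), proxy_allows(decapsulate(TUNNELLED))
```

A firewall in transit sees only protocol 4 between the tunnel endpoints, so an application rule like the lab's proxy can only take effect on the device where the tunnel terminates.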
Q2 Ping traces for each scenario (NoVPN, VPNCompulsory, VPNVoluntary), source (Station 1,
Station 4, Station 10) and destination (Google, Station 7), listing for every hop the node,
its interface IP address and the per-hop delay in seconds (the VPNCompulsory traces
additionally show tunnel hops marked [label=0] [exp=0]).
Q3 If we don't care about security, the path with the fewest hops can never
be the VPNCompulsory one, because traffic must go through the Tunnel Destination and then take
a longer way back. For this reason, the shortest and fastest path will always
be the one without VPNs.
Q4 When using VPNs, a short extra delay appears due to the encryption and decryption
lag. This would never have happened without VPNs. As we can see, the
Response Time is not affected by the VPN mode (Compulsory/Voluntary):
Source       Destination   No VPN            Compulsory        Voluntary
Station 1    Google        0,02390 seconds   0,06933 seconds   0,02390 seconds
Station 1    Station 7     0,03146 seconds   0,04919 seconds   0,03146 seconds
Station 4    Google        0,02301 seconds   0,03798 seconds   0,02301 seconds
Station 4    Station 7     0,03057 seconds   0,03099 seconds   0,03057 seconds
Station 10   Google        0,01807 seconds   0,01807 seconds   0,01807 seconds
Station 10   Station 7     0,02562 seconds   0,02562 seconds   0,02562 seconds