
CNA 430 - Firewall and Penetration Testing Final Project

Submitted by Farouk Samu Kevin Schreiber

4/30/13

Abstract
The purpose of this project was to design a network and its rules as specified by an organization. The organization gave us a few specifics to use as a baseline for our design. We started by drawing out a visual representation of the network architecture so that we could see what we were working with, as well as giving us an easy way to document things like IP addresses visually. Next we created a list of rules to use in restricting network traffic. Then we implemented the network on hardware and created the access control lists. Finally, we did some testing and some small revisions to ensure the network was working.

Introduction
Being approached by an organization to set up a network can be a daunting task, especially ensuring it's secure from any type of risk or threat. The network topology requested uses a Cisco ASA firewall to protect four servers: a web and a DNS server inside a DMZ, and a database and a mail server inside the internal network. Also included in the network is an internal client network. Configuring this type of network and setting it up physically is only a small task, though. Providing policies and rules for the company's network is the key to making any network as secure as possible. Given that the company has a web and a DNS server, it can be assumed that it's a small business of some importance. Keeping unwanted threats from reaching this network while also allowing the necessary traffic out is our primary goal within the implementation. To accomplish this task, any and all types of risk need to be accounted for, both physical to the network and theoretical. Such risks may include hardware theft, hardware failure, compromised data integrity, malicious network penetration, and many more that will be covered in our actual design and implementation of policies. While these policies are easily the fundamentals behind providing a secure network, it's also important to think of the actual policies implemented within the physical network. When talking about policies, normally written-down rules and guidelines come to mind. When setting up a physical network, these apply in a very similar yet more technical manner. To implement policies physically within the network, the use of a firewall is one of the most proficient ways. Adding policies to a firewall sets the guidelines for both internal and external network traffic. Clearly designing these rules will direct traffic to appropriate destinations as well as keep unwanted traffic from reaching areas of the network.
Within this set of rules, there are access-control lists to help direct the network traffic. Access-control lists are the heart of the rules set on the firewall, and each list is bound to an interface with an access-group. The purpose of access-groups is to apply a list's rules to the desired traffic. For example, incoming traffic rules may be bound to an access list named ACL_IN, outgoing traffic to ACL_OUT, and in our case DMZ traffic to ACL_DMZ. However, the network can't function correctly simply by setting up firewall rules; other components need to be set up as well.

Most, if not all, networks require something more than just a firewall to direct traffic. For our company's purpose, two switches and a router are necessary. Switches are very basic yet fundamental elements in a network topology. Implementing a switch in the DMZ allows multiple servers to run within it while remaining under the configured access-control list rules. Another key feature of switches is the ability to create VLANs. VLANs are essential to splitting a network, allowing for a larger network implementation. It is essential to include these in our network to be able to create a client-side network that's set apart from the internal servers. Essentially, a VLAN associates a range of IPs with a specified list of ports on the switch. Configuring the switch allows specific interface rules, such as access to a configured VLAN. But not only are switches important when it comes to designing a proposed network such as ours; routers are also an important element when it comes to implementation. The purpose of a router is almost as simple as the name of the device itself. The router directs traffic to its desired destination based on the network's setup. Routers and switches go hand in hand and are handy when dealing with multiple VLANs on a configured switch. Routers can be configured to direct traffic specifically to a desired VLAN, preventing unwanted traffic from accessing other areas of the network. Static routes to locations can be made within the router and/or firewall configuration, depending on the complexity of the network.

Actual Design
There were many stages when it came to the actual design and implementation of this network. The first stage was to get a visual plan set out for the network so we could be certain everyone was on the same page. Next we had to set out a list of goals we would be aiming for in the design of our rules. Then we had to design the rules themselves. Finally we had to implement all of this and do testing to ensure it was all working properly.

Visual Representation of the Network
The first thing we did when it came to actually designing this network was to draw up a visual map of the architecture. We used the initial design request by the organization as our starting point. They wanted a network containing a DMZ with a web server and a DNS server, as well as an internal network with hosts and a database server and mail server secured behind a Cisco ASA firewall.

Figure 1 - Network Design

The design is rather simple: the first hop between the outside and anything in our network is the Cisco ASA firewall. This is the safest location, as it allows us to control traffic going into and out of the network. The firewall splits off into a DMZ, which houses our web and DNS servers, and an internal network containing two LANs, one for the organization's hosts and one for the database and mail servers. The firewall has three ports: one going outside (199.199.199.1/24), one going to the DMZ (192.168.2.1/24), and one going to the internal network (192.168.1.1/24). The next area to cover is the DMZ. The DMZ consists of a switch directly connected to the firewall and two servers connected to the switch. Inside the DMZ is the web server, given the IP address 192.168.2.2/24, and the DNS server, given the IP address 192.168.2.3/24. The third area of our network is the internal network. The first hop into the internal network is our router. The router has an external IP address of 192.168.1.2/24 and on the internal side has a trunk port with one sub-interface addressed 10.1.1.1/24 and another sub-interface addressed 10.1.2.1/24. This trunk port connects to our internal switch, which then splits it into two VLANs. The first VLAN contains the 10.1.1.0 - 10.1.1.255 IP range and is used for the organization's host computers. The second VLAN contains the 10.1.2.0 - 10.1.2.255 IP range and holds the database server (10.1.2.2/24) and the mail server (10.1.2.3/24).

Rule Planning
The next stage in our design was to set a list of goals we would be aiming for in the design of our rules. The point of the rules is to make the network as safe as we possibly can while not being so restrictive that the network is essentially unusable.

Rule Design
After designing the organization's network, we implemented the following policies on the firewall.
- Outside interface
  - Allow incoming traffic to the web server
  - Allow incoming traffic to the DNS server (TCP/UDP)
  - Deny all other incoming traffic
- DMZ interface
  - Allow traffic initiation from the DNS server to OUTSIDE (any)
  - Deny all other traffic initiation from the DMZ
- Local interface
  - For servers
    - Deny traffic initiation from the database server to any interface
    - Deny traffic initiation from the mail server to any interface
  - For LAN users
    - Allow traffic from the LAN range to any interface
    - Deny all other traffic initiation from INSIDE

Implementation
Following are the configurations we applied on each device, according to the policies, to implement the network.

Firewall
First we created three VLANs for INSIDE, OUTSIDE and DMZ and assigned a security level and an IP address to each VLAN.
interface Vlan2
 nameif outside
 security-level 0
 ip address 199.199.199.1 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan4
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

We got an error when we tried to configure the third VLAN interface, due to a license restriction on the firewall. Therefore we used the no forward interface command [1] to overcome the restriction. The no forward interface command will block access from the DMZ to INSIDE. After that we assigned ports to each VLAN.
interface Ethernet0/0
 switchport access vlan 4
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 3

Then we set up static and dynamic NAT for the servers and the users in the LAN.
- Static NAT from OUTSIDE to the servers in the DMZ
static (dmz,outside) 199.199.199.2 192.168.2.2 netmask 255.255.255.255
static (dmz,outside) 199.199.199.3 192.168.2.3 netmask 255.255.255.255

- No NAT between INSIDE and DMZ


static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

- Dynamic NAT for users in the LAN (the NO_NAT access list referenced here is defined in the full firewall configuration at the end of this report; it exempts traffic from 10.1.1.0/24 and 10.1.2.0/24 to the DMZ network from translation)

global (outside) 1 199.199.199.10
nat (inside) 0 access-list NO_NAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0

After that we configured access control lists for each interface.
- Firewall OUTSIDE interface
access-list ACL_IN extended permit tcp any host 199.199.199.2 eq www
access-list ACL_IN extended permit udp any host 199.199.199.3 eq domain
access-list ACL_IN extended permit tcp any host 199.199.199.3 eq domain
access-list ACL_IN extended deny ip any any

- Firewall DMZ interface


access-list ACL_DMZ extended deny ip host 192.168.2.2 any
access-list ACL_DMZ extended deny ip host 192.168.2.3 10.1.1.0 255.255.255.0
access-list ACL_DMZ extended deny ip host 192.168.2.3 10.1.2.0 255.255.255.0
access-list ACL_DMZ extended permit ip host 192.168.2.3 any
access-list ACL_DMZ extended deny ip any any

- Firewall INSIDE interface


access-list ACL_OUT extended deny ip host 10.1.2.2 any
access-list ACL_OUT extended permit ip 10.1.1.0 255.255.255.0 any
access-list ACL_OUT extended deny ip host 10.1.2.3 any
access-list ACL_OUT extended deny ip any any

Then we bound each access list to its interface with an access-group.

access-group ACL_OUT in interface inside
access-group ACL_IN in interface outside
access-group ACL_DMZ in interface dmz
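The Rule Design policy and the three access lists that implement it can be checked mechanically rather than only by connecting from test PCs. The Python below is an added example written for this page; it is not part of the report and not a Cisco tool. It parses the report's ACL lines (only the any / host A / NETWORK MASK address forms and the destination "eq PORT" form that appear in them), evaluates a flow against a list with the ASA's first-match and implicit-deny semantics, checks the flows the Rule Design section requires, and reports any entry that an earlier entry shadows completely, which is how a deny silently stops working after a reorder. The outside addresses 203.0.113.9 and 198.51.100.7 are constructed documentation addresses, PORT_NAMES is a hand-written subset of the ASA port-name table, and ACL_IN is checked against the static-NAT addresses because that is what the outside interface sees. Note that the "no forward interface" statement in the configuration names Vlan1, which is shut down; what keeps the DMZ hosts away from 10.1.1.0/24 and 10.1.2.0/24 is ACL_DMZ, and that is what the DMZ rows below exercise.

```python
"""Added example (not from the report): parse the ASA extended ACLs, evaluate
flows with first-match semantics, check the Rule Design policy, find dead ACEs."""
import ipaddress

# The three access lists exactly as configured on the firewall in the report.
ASA_ACLS = """
access-list ACL_IN extended permit tcp any host 199.199.199.2 eq www
access-list ACL_IN extended permit udp any host 199.199.199.3 eq domain
access-list ACL_IN extended permit tcp any host 199.199.199.3 eq domain
access-list ACL_IN extended deny ip any any
access-list ACL_DMZ extended deny ip host 192.168.2.2 any
access-list ACL_DMZ extended deny ip host 192.168.2.3 10.1.1.0 255.255.255.0
access-list ACL_DMZ extended deny ip host 192.168.2.3 10.1.2.0 255.255.255.0
access-list ACL_DMZ extended permit ip host 192.168.2.3 any
access-list ACL_DMZ extended deny ip any any
access-list ACL_OUT extended deny ip host 10.1.2.2 any
access-list ACL_OUT extended permit ip 10.1.1.0 255.255.255.0 any
access-list ACL_OUT extended deny ip host 10.1.2.3 any
access-list ACL_OUT extended deny ip any any
"""

PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25, "ssh": 22}  # subset, hand-written


def _addr(tokens, i):
    """Parse one ASA address spec (any | host A | NETWORK MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acls(text):
    """Return {name: [(action, proto, src_net, dst_net, dst_port or None), ...]}.
    Assumption: only the destination 'eq PORT' form used in the report occurs."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        src, i = _addr(t, 5)
        dst, i = _addr(t, i)
        port = None
        if i + 1 < len(t) and t[i] == "eq":
            port = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
        acls.setdefault(t[1], []).append((t[3], t[4], src, dst, port))
    return acls


def evaluate(acl, proto, src, dst, dport=None):
    """First matching ACE decides; the ASA ends every ACL with an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in acl:
        if ((rproto == "ip" or rproto == proto) and src in rsrc and dst in rdst
                and (rport is None or rport == dport)):
            return action
    return "deny"


def shadowed(acl):
    """Indexes of ACEs that can never match because an earlier ACE covers them."""
    dead = []
    for j, (_, pj, sj, dj, portj) in enumerate(acl):
        for _, pi, si, di, porti in acl[:j]:
            if ((pi == "ip" or pi == pj) and sj.subnet_of(si) and dj.subnet_of(di)
                    and (porti is None or porti == portj)):
                dead.append(j)
                break
    return dead


# Flows the Rule Design section requires. Outside hosts are constructed
# documentation addresses; ACL_IN is matched on the static-NAT addresses.
POLICY = [
    ("ACL_IN", "tcp", "203.0.113.9", "199.199.199.2", 80, "permit"),   # web in
    ("ACL_IN", "udp", "203.0.113.9", "199.199.199.3", 53, "permit"),   # DNS in
    ("ACL_IN", "tcp", "203.0.113.9", "199.199.199.2", 22, "deny"),     # all else
    ("ACL_DMZ", "udp", "192.168.2.3", "198.51.100.7", 53, "permit"),   # DNS out
    ("ACL_DMZ", "tcp", "192.168.2.3", "10.1.2.3", 25, "deny"),         # DMZ to inside
    ("ACL_DMZ", "tcp", "192.168.2.2", "198.51.100.7", 80, "deny"),     # web initiates
    ("ACL_OUT", "tcp", "10.1.1.4", "198.51.100.7", 443, "permit"),     # LAN users
    ("ACL_OUT", "tcp", "10.1.2.2", "198.51.100.7", 443, "deny"),       # DB server
    ("ACL_OUT", "tcp", "10.1.2.3", "198.51.100.7", 25, "deny"),        # mail server
]


def check_policy(acls, policy=POLICY):
    """Return the policy rows whose expected verdict the configured ACLs violate."""
    return [row for row in policy if evaluate(acls[row[0]], *row[1:5]) != row[5]]


if __name__ == "__main__":
    acls = parse_acls(ASA_ACLS)
    print("policy violations:", check_policy(acls))
    for name, acl in acls.items():
        print(name, "shadowed ACEs:", shadowed(acl))
```

With the report's lists, check_policy() returns an empty list and no ACE is shadowed. Moving the "permit ip host 192.168.2.3 any" entry of ACL_DMZ to the top makes shadowed() report the two deny entries behind it, which is the ordering mistake this check is meant to catch before the configuration is pushed.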

We added two routes to the firewall so that packets for the inside hosts are forwarded to the router.
route inside 10.1.1.0 255.255.255.0 192.168.1.2 1
route inside 10.1.2.0 255.255.255.0 192.168.1.2 1

Switch in DMZ
We configured the IP address of the firewall's DMZ interface as the default gateway of the switch.
ip default-gateway 192.168.2.1
ip classless
ip http server

Router in LAN
First we assigned IP addresses to each interface. We thought we could increase security between the servers and the clients' PCs by dividing them into two segments. Therefore we created two sub-interfaces on one interface of the router and enabled VLAN trunking.
interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1.3
 encapsulation dot1Q 3
 ip address 10.1.2.1 255.255.255.0

We added the two routing entries below for the DMZ and the outside network.

ip route 192.168.2.0 255.255.255.0 192.168.1.1
ip route 199.199.199.0 255.255.255.0 192.168.1.1

Switch in LAN
First we created two VLANs in the switch and assigned ports to them.
interface Vlan2
 no ip address
!
interface Vlan3
 no ip address

interface FastEthernet0/2
 switchport access vlan 3
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 3
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 2
 switchport mode access

Then we created the trunk port that carries the VLANs to the router.

interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk

Testing
To test connectivity to the services on the servers, we used the telnet command [2] and nmap [3]. Telnet is a communication method that uses TCP, but it is now obsolete because telnet transmits data in clear text. Telnet can only be used to check TCP ports. We should get the messages below depending on the connectivity. If it's not successful:
[root@bt]$ telnet server xx
Trying server...
telnet: connect to address server: Connection refused

If it's successful:
[root@bt]$ telnet server xx
Trying server...
Connected to server.
Escape character is '^]'

Nmap is a powerful tool that we can use to check open ports. We used the following command to check open UDP ports.
nmap -p [port] -sU -P0 [ip address]

-p  - port
-sU - UDP scan
-P0 - No ping
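Both checks above can be scripted so that the same battery of probes is repeated after every rule change. The Python below is an added example, not from the report: tcp_probe() does what the telnet test does and additionally separates "Connection refused" (a RST came back, so the port is closed) from a timeout (nothing answered, which is what a firewall silently dropping the SYN looks like), and udp_dns_probe() does what "nmap -sU -p 53" does for the DNS server by sending a real DNS query and classifying the reply, since UDP has no handshake to observe. The loopback listeners serve_tcp_once(), serve_dns_once() and free_port() are constructed fixtures so the script runs offline; in the lab the probes would be pointed at the report's addresses, for example 199.199.199.3 port 53 from the outside PC.

```python
"""Added example (not from the report): scripted telnet / nmap -sU style checks,
with loopback fixtures so the whole thing runs offline."""
import random
import socket
import struct
import threading


def tcp_probe(host, port, timeout=2.0):
    """'open' = handshake completed (telnet: "Connected to ..."),
    'closed' = RST received (telnet: "Connection refused"),
    'filtered' = nothing answered before the timeout (silent drop)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout, unreachable network, blocked: nothing answered
        return "filtered"


def build_dns_query(name, txid):
    """Minimal RFC 1035 A query: 12-byte header, QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def udp_dns_probe(host, port=53, name="example.com", timeout=2.0):
    """'open' = a DNS response carrying our transaction ID came back,
    'closed' = ICMP port unreachable (ConnectionRefusedError on a connected
    UDP socket), 'filtered' = silence until the timeout."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))  # connected: the kernel reports ICMP errors to us
            s.send(build_dns_query(name, txid))
            data = s.recv(512)
        except ConnectionRefusedError:
            return "closed"
        except OSError:
            return "filtered"
    if len(data) >= 12 and struct.unpack("!H", data[:2])[0] == txid and data[2] & 0x80:
        return "open"
    return "unexpected"  # something answered, but not a DNS response to our query


# --- loopback fixtures, constructed for this example --------------------------

def serve_tcp_once():
    """Listen on an ephemeral loopback port, accept one connection, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def serve_dns_once():
    """Answer one UDP query with a minimal response (same ID, QR bit set)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def run():
        query, peer = srv.recvfrom(512)
        srv.sendto(query[:2] + struct.pack("!H", 0x8180) + query[4:], peer)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def free_port(kind):
    """Bind-and-release to find a loopback port with nothing listening on it."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Run the four probes against the loopback fixtures; return the verdicts."""
    return {
        "tcp_open": tcp_probe("127.0.0.1", serve_tcp_once()),
        "tcp_closed": tcp_probe("127.0.0.1", free_port(socket.SOCK_STREAM)),
        "udp_open": udp_dns_probe("127.0.0.1", serve_dns_once()),
        "udp_closed": udp_dns_probe("127.0.0.1", free_port(socket.SOCK_DGRAM)),
    }


if __name__ == "__main__":
    for check, verdict in demo().items():
        print(f"{check}: {verdict}")
```

The useful distinction for firewall testing is between "closed" and "filtered": a closed port proves the packet reached the host and the service is simply not listening (the netstat checks in the next section), while a filtered result means the packet never got an answer, which points at the access list or the NAT rather than at the server.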

Status of Services
We used three BackTrack machines and a Windows Server 2008 machine to build the database, web, mail and DNS servers, and we used the netstat command to check whether the services were listening for connections.

Database server

Figure 2 - Netstat output of Database Server

Mail server

Figure 3 - Netstat output of Mail Server

Web server

Figure 4 - Netstat output of Web Server

DNS server

Figure 5 - Netstat output of DNS Server (TCP)

Figure 6 - Netstat output of DNS Server (UDP)

Connectivity from Outside
We set up a PC in our outside network with the IP address 199.199.199.5/24 to check connectivity to the servers from outside.

Figure 7 - IP address of Outside PC

To web server

Figure 8 - Successful connection to Web Server

To DNS server

Figure 9 - Successful connection to DNS Server(TCP)

Figure 10 - Successful connection to DNS Server (UDP)

Connectivity from Inside
We set up a PC in our inside network with the IP address 10.1.1.4/24 to check connectivity to the servers from inside.

Figure 11 - IP address of Inside PC

To mail server

Figure 12 - Successful connection to Mail Server

To Database server

Figure 13 - Successful connection to Database Server

To web server

Figure 14 - Successful connection to Web Server

To DNS server

Figure 15 - Successful connection to DNS Server (TCP)

Figure 16 - Successful connection to DNS server (UDP)

Conclusion
The goal of this project was to design a network as well as the accompanying rules used to secure the network's traffic. We took a very straightforward approach to this, giving the organization what they asked for. We could have gone in many different directions, but the one we chose made it easy to secure the network while maintaining the desired functionality. There were a few hiccups in the process, but they were all sorted out and we ended up with a good product. In the end everything worked flawlessly.

References
[1] "Cisco ASA5500 Series Configuration Guide using the CLI, 8.2", http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1125063.
[2] Griffiths, J. "Test TCP and UDP connections in Linux for firewalls", http://blog.jgriffiths.org/?p=196, 7 February 2010.
[3] "How to test UDP Connectivity", http://techgurulive.com/2008/09/16/how-to-test-udp-connectivity/.

Configuration Files

CISCO ASA 5505

ciscoasa(config)# show run
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 4
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 199.199.199.1 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan4
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
access-list NO_NAT extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NO_NAT extended permit ip 10.1.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list ACL_IN extended permit tcp any host 199.199.199.2 eq www
access-list ACL_IN extended permit udp any host 199.199.199.3 eq domain
access-list ACL_IN extended permit tcp any host 199.199.199.3 eq domain
access-list ACL_IN extended deny ip any any
access-list ACL_OUT extended deny ip host 10.1.2.2 any
access-list ACL_OUT extended permit ip 10.1.1.0 255.255.255.0 any
access-list ACL_OUT extended deny ip host 10.1.2.3 any
access-list ACL_OUT extended deny ip any any
access-list ACL_DMZ extended deny ip host 192.168.2.2 any
access-list ACL_DMZ extended deny ip host 192.168.2.3 10.1.1.0 255.255.255.0
access-list ACL_DMZ extended deny ip host 192.168.2.3 10.1.2.0 255.255.255.0
access-list ACL_DMZ extended permit ip host 192.168.2.3 any
access-list ACL_DMZ extended deny ip any any
pager lines 24
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 199.199.199.10
nat (inside) 0 access-list NO_NAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 199.199.199.2 192.168.2.2 netmask 255.255.255.255
static (dmz,outside) 199.199.199.3 192.168.2.3 netmask 255.255.255.255
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
access-group ACL_OUT in interface inside
access-group ACL_IN in interface outside
access-group ACL_DMZ in interface dmz
route inside 10.1.1.0 255.255.255.0 192.168.1.2 1
route inside 10.1.2.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
ciscoasa(config)#

DMZ Switch

Switch#show run
1w6d: %SYS-5-CONFIG_I: Configured from console by console
Building configuration...

Current configuration : 1256 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
!
ip default-gateway 192.168.2.1
ip classless
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
end
Switch#

Inside Router

R2D2#show running-config
Building configuration...

Current configuration : 1319 bytes
!
! Last configuration change at 23:27:14 UTC Wed Apr 24 2013
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2D2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2901/K9 sn FTX1548822Q
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1.3
 encapsulation dot1Q 3
 ip address 10.1.2.1 255.255.255.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 192.168.2.0 255.255.255.0 192.168.1.1
ip route 199.199.199.0 255.255.255.0 192.168.1.1
!
!
control-plane
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 login
 transport input all
!
scheduler allocate 20000 1000
end
R2D2#

Inside Switch

SW1#show run
*Apr 29 05:42:00.265: %SYS-5-CONFIG_I: Configured from console by console
Building configuration...

Current configuration : 3231 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
!
!
crypto pki trustpoint TP-self-signed-469389056
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-469389056
 revocation-check none
 rsakeypair TP-self-signed-469389056
!
!
crypto pki certificate chain TP-self-signed-469389056
 certificate self-signed 01
  3082023A 308201A3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  quit
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/2
 switchport access vlan 3
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 3
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/5
 switchport mode access
!
interface FastEthernet0/6
 switchport mode access
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
!
interface Vlan2
 no ip address
!
interface Vlan3
 no ip address
!
ip classless
ip http server
ip http secure-server
!
ip sla enable reaction-alerts
!
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
end
SW1#
