This week, we discuss various types of firewalls, and how they work at a high level. For this assignment, answer each section that is parenthetically numbered in your assignment submission.
So far, we have discussed a lot about how packets work, and we looked at packets at the frame through segment level, and used utilities such as tcpdump to see how packets are routed and handled by firewalls and routers. We have learned about protocols such as TCP, UDP and ICMP, and the concept of ports to identify applications. Take a look at RFC 1700, which shows ports used for many services. (1) Are these port numbers standardized? Is a web server required to use port 80?
Use the ping command, and ping thinkinfo.net. (2) What is the IP address of this web server? Does ping (which uses ICMP) give you any interesting information about this web server?
Let’s see if we can find more interesting information about my web server:
You can complete most of this assignment by logging in to Astro to execute the commands.
For this project, it may be helpful to enable logging in PuTTY, so you will have a record of each step.
- On the left side, under Session, select “Logging”
- Change session logging to “All session output”. During the following exercises, you may need to read the output of commands in this log if the peer disconnects before you can read the output on the console.
- Choose a filename for your log (this is where you will review the output of these commands).
- Go back to the “Session” tab, and “Save” the connection.
When we use the ping command, it simply tells us that the server is alive, and responding to requests at that IP address. Let’s see what happens when we actually open a connection using TCP.
- While logged in to Astro, type telnet localhost 25 and follow the steps below. Then, try telnet thinkinfo.net 25. (If you cannot connect on port 25, try changing to port 26).
- At the prompt, type “HELO” (without the quotes).
- (3) Did the server answer?
- (4) What additional information was displayed?
- (5) Can you tell what program and version is using SMTP on that server?
- (6) Are there any clues that may help you determine what operating system is being used on this server? (If so, what OS do you think is running on this machine?)
- Type “QUIT” (this will disconnect the session).
- Find the log file, and save the output for later use.
- (7) When reviewing the log file, do you see any information that could help you determine what software is handling SMTP on this server? Can you determine what OS might be running on this server?
Next, let’s see what happens when we try using port 80:
- Open a web browser, and try accessing the page http://thinkinfo.net/tcp.html
- From Astro, type telnet thinkinfo.net 80
- Once connected, type the following WITHOUT any backspaces, additional characters, etc. If you make a mistake, disconnect, and try again ( [ENTER] means press the enter key on your keyboard):
GET /tcp.html HTTP/1.1 [ENTER]
Host: thinkinfo.net [ENTER] [ENTER]
- You should receive an error in HTML code. Earlier, you used ping to get the IP for the site; let’s use that instead:
- Reopen your telnet connection, but this time use the IP address for the host name, and be sure to set the port to 80, and that you have logging enabled. Once connected, type the following:
GET /~headbadg/ti/tcp.html HTTP/1.1 [ENTER]
Host: [enter the IP for this server] [ENTER] [ENTER]
- Check your session log… you should see only the single line of text from this web page (normally, you would see a lot of HTML code; I made this page very simple with no HTML markup so it would be easier to focus on the metadata provided by the web server.)
- (8) What can you tell about this web server? Are there any details in the header returned in the raw TCP socket?
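The telnet exchanges from the SMTP and HTTP steps above, reproduced in Python as an added example that is not part of the assignment: it builds the same two-line HTTP request you typed by hand, splits the reply into status line, headers and body, and pulls out the Server header (the metadata these steps ask about); the SMTP parser splits a reply such as the 220 greeting into its code and text. The sample banner and responses are constructed, not captured from thinkinfo.net or www.pages.drexel.edu, and fetch_raw is a hypothetical helper for sending the request over a TCP socket from Python instead of telnet.

```python
import socket
from typing import Dict, Optional, Tuple

# Constructed sample replies (not captured from thinkinfo.net or
# www.pages.drexel.edu); they only show the shape of what telnet prints.
SAMPLE_SMTP_BANNER = b"220 mail.example.invalid ESMTP Sendmail 8.14.4/8.14.4; Mon, 1 Jan 2024 00:00:00 -0500\r\n"
SAMPLE_HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Server: Apache/2.4.6 (CentOS) PHP/5.4.16\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 29\r\n"
    b"\r\n"
    b"This page has no HTML markup\n"
)
# A reply from a server that withholds the Server header (also constructed).
SAMPLE_QUIET_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nhello\n"


def build_http_request(path: str, host: str) -> bytes:
    """The request typed by hand in the exercise: request line, Host header,
    then the empty line ([ENTER] [ENTER]) that terminates the headers."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_smtp_reply(line: bytes) -> Tuple[int, str]:
    """Split one SMTP reply line such as the 220 greeting into (code, text).
    The text after the code is where mail servers usually announce their
    software name and version."""
    text = line.decode("ascii", errors="replace").strip()
    code, _, rest = text.partition(" ")
    return int(code), rest


def parse_http_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x reply into (status line, headers, body).
    Header names are lower-cased so lookups do not depend on the server's
    capitalisation."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def server_metadata(raw: bytes) -> Optional[str]:
    """Return the Server header, the metadata the exercise asks you to look
    for, or None when the server does not send one."""
    _, headers, _ = parse_http_response(raw)
    return headers.get("server")


def fetch_raw(host: str, port: int, request: bytes, timeout: float = 5.0) -> bytes:
    """Hypothetical helper (not on the assignment page): send request bytes
    over a plain TCP socket and collect the reply, the way the telnet steps
    do. Stops at EOF or when the server stays silent for `timeout` seconds
    (an HTTP/1.1 server may keep the connection open after answering)."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # Offline walk-through on the constructed samples.
    print(parse_smtp_reply(SAMPLE_SMTP_BANNER))
    status, headers, body = parse_http_response(SAMPLE_HTTP_RESPONSE)
    print(status, headers.get("server"), body)
    print(server_metadata(SAMPLE_QUIET_RESPONSE))
```

Running the file as-is only processes the constructed samples; to repeat a step from the exercise, pass the output of build_http_request to fetch_raw and hand the bytes it returns to server_metadata. server_metadata returning None is what a server that has been configured not to send a Server header looks like from the raw socket.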
Next, try this same technique to examine the metadata returned by the web server on www.pages.drexel.edu:
- Open PuTTY, and this time set the hostname to www.pages.drexel.edu, and the port to 80. Make sure session logging is enabled.
- Once connected, type the following:
GET /~bcg28 HTTP/1.1 [ENTER]
Host: www.pages.drexel.edu [ENTER] [ENTER]
- Examine the metadata returned in the raw TCP socket. (9) Do you see additional information describing the server? Why do you think one server provided less information?
Finally, let’s use NMAP to perform a port scan on my server:
- First, download and install NMAP.
- Once installed, open a command prompt, and type the following command:
nmap -v -A thinkinfo.net > log.log
- (Note: the > log.log redirects the output to a log file. You will not see any activity while nmap runs, but when it completes you can review the file for the results of the scan.)
- (10) What information do you see in the file? Does it tell you which web server my host is using? Can you tell what version of SMTP is running?
- Run the same command as above, but this time use www.pages.drexel.edu for the hostname
- Did this work? If not, why did it fail? It may appear to nmap that the server is offline: nmap first checks whether the host is up (host discovery) before it scans any ports, and the firewall for this server is set to not respond to ICMP echo, so that check gets no answer. The -Pn option tells nmap to skip host discovery and treat the host as online, so it goes straight to sending SYN packets to the ports and checking whether there is a response. To do this, use the following command:
nmap -v -A -Pn www.pages.drexel.edu > log.log
- Check your log file when this completes. (11) Can you now tell what version of Apache is running on that server?
Answer the following questions:
(12) After having completed this exercise, how do you think nmap determines what versions of server software are running on the target being scanned?
(13) What steps did the system administrators take on my web server to prevent nmap from displaying the apache version?
(14) How do you think the information obtained by nmap could be useful to nefarious individuals looking to attack a server?
(15) Review the recommendations on firewall behavior and requirements in RFC 2979. Does this RFC address ways for firewalls to handle HTTP and SMTP traffic that might mitigate some of the issues we discovered in this exercise?
(16) In this unit of the course, we discuss different types of firewalls. Read the whitepaper at http://www.sans.org/reading_room/whitepapers/bestprac/applied-principles-defense-in-depth-parents-perspective_1458, specifically the section on “defense in depth”. Briefly describe the various types of firewalls described in this unit. Would someone use more than one type of firewall in a network security architecture, and why or why not?