Setting Up The Environment Computer Science Essay


02 Nov 2017


I am setting up all the required machines as VMs, so that I can carry out further tests and then harden the environment.

Setting up DVL

My setup for DVL: I am running it in a VM.

Figure 1: (Above) Running DVL as a Live DVD from VMware Player

Setting up BT5r3

Using a VM to run BackTrack 5 R3.

Figure 2: (Above) Running Backtrack From VMware Player

Setting up Windows Platform

Using Windows 7 with the bridged network setting so that it can communicate with the VMs.

Figure 3: (Above) VMware Player's Settings

Performing Assessments

Scans with the Default Setting

Pinging Test

Connectivity check

Figure 4: (Above) Ping Test between Backtrack and DVL

Armitage

First I ran an Armitage scan (from BackTrack), which flagged the TCP and MySQL services as vulnerable.

Figure 5: (Above) Armitage set up on the BackTrack machine, with traffic tunnelled through the VMware adapter

Using Nmap

Then I performed a quick scan of the LAN using Nmap. Nmap (and its GUI front end, Zenmap) is the best enumeration tool, but sometimes the results are too large, so I first tried an nbtscan.

Figure 6: (Above) Nmap scan alongside an nbtscan, with results displayed on screen

Figure 7: (Above) Nmap scan of a single IP address

Figure 8: (Above) Full Nmap scan

Using Nessus

For further verification I used a program called Nessus in the Windows environment.

Scanning DVL using Nessus

Figure 9: (Above) Nessus Scanning Process in the Windows Environment

Figure 10: (Above) While Nessus runs on Windows, a continuous check confirms connectivity with DVL

Figure 11: (Above) Nessus external scan reported a Low-severity finding for the X11 server protocol

Figure 12: (Above) Detailed view of the detected vulnerability [X Server Detection]

Internal Scan of DVL

The internal scan found the same vulnerabilities as the external one. This is because everything is running on an internal network, so it does not matter whether the scan is labelled external or internal: it performs the same checks.

Figure 13: (Above) Nessus Results from quarterly external and internal vulnerability scans

Figure 14: (Above) Nessus results graded Critical/High/Medium/Low/Informational from the PCI-DSS scanning template

Figure 15: (Above) Nessus PCI-DSS: one of the critical vulnerabilities in detailed form

Figure 16: (Above) Nessus PCI-DSS scan results exported to .csv and opened with MS Excel

Figure 17: (Above) Nessus DVL web app vulnerability (the same for internal and external)

Using NexPose

The Nexpose program was used as well for further confirmation.

Figure 18: (Above) NexPose Scanning Templates for the DVL

Figure 19: (Above) NexPose vulnerability results

Scans with Services Enabled (HTTP, SSH, PHP)

Figure 20: (Above) Services Enabled on DVL

Nmap Scan:

Ran an Nmap scan with the services enabled and found two more ports open.

Figure 21: (Above) Nmap scan of DVL after the services were enabled

Nmap detailed scan

Figure 22: (Above) Detailed Nmap scan

Nmap further port scan

Figure 23: (Above) Detailed Nmap Port Scan

Armitage:

Performed an Armitage scan to see details of possible attacks and vulnerabilities.

Figure 24: (Above) Loading Armitage after services enabled to determine potential risks

List of possible attacks that can be performed against the services running on the machine.

Figure 25: (Above) A list of possible attacks from Armitage in DVL

As shown, Armitage lists a few attack categories: http, realserver, ssh, webapp, wyse.

Using Nessus:

Used Nessus to perform an external scan with the services enabled and found a good number of vulnerabilities (purple is Critical, red is High, orange is Medium and green is Low).

Figure 26: (Above) Nessus External Scan with all services enabled

Figure 27: (Above) List of vulnerabilities detected by Nessus in a detailed view

Created a CSV file from the results so we can have a brief look at it.

https://www.dropbox.com/s/khcfg5o5ndvsq5p/dvl_hnnxro.html.pdf?m

Performed an internal scan and found these vulnerabilities; PHP, Apache and SSH were again the most common.

Detailed report:

https://www.dropbox.com/s/vtfn72jwbopcqvo/dvl_internal_with_open_services_l.pdf?m

Performed the PCI DSS scan with the ports enabled and found 107 vulnerabilities, including some low ones.

Detailed report:

https://www.dropbox.com/s/3u7qzme0gvz3d5g/Dvl_PCI_DSS_with_open_services__h.pdf?m

The last scan performed was for web application testing:

https://www.dropbox.com/s/irmmt6q0ddsprdd/DVL_web_APP__nrfijo.html.pdf?m

Analysis of Assessments

Nessus Analysis

Nessus provides an overview of the vulnerabilities present on the open ports detected by Nmap and Nessus/NexPose; it grades them from Critical through High, Medium and Low to Informational. Most of these vulnerabilities were also detected in the NexPose scan.

NexPose Analysis

The vulnerabilities detected by NexPose matched those reported by Nessus, so the second scanner served as a cross-reference for the findings of the first. The NexPose scans show a higher level of detail about each vulnerability.

Nmap Analysis

Nmap is capable of detecting live hosts within a given IP range/network. It establishes an overview of the common ports and services running on each live host, and this basic enumeration is the starting point for further vulnerability assessment. These results provide the underlying layer for both the Nessus and NexPose scans.

Implications to Network

• Internally, the X11 protocol allows internal users to access data through a graphical interface. With MySQL database authentication, the various DB modules would be readily accessible to internal users. Externally, however, this machine requires X11, and X11 runs over an unencrypted protocol, so an attacker could easily eavesdrop on the traffic. Combined with the exploits associated with X11, MySQL and CUPS 2.2, this opens the machine to attacks from the external network.

• CUPS: a remote attacker may be able to leverage this issue to execute arbitrary code on the affected system.

• The MySQL vulnerability allows attackers to bypass password verification. If MySQL was built on such a system, the code that compares the cryptographic hash of a user-supplied password to the hash stored in the database for a particular account will sometimes allow authentication even if the supplied password is incorrect. An attacker can also crack the password hashes using dictionary attacks and maintain unauthorized access to the server even if this authentication-bypass vulnerability is later fixed. Furthermore, an attacker can easily find a way to perform SQL injection.

• With the IPP vulnerability, a remote attacker could exploit this flaw to execute arbitrary commands on the targeted system. Functional exploit code has been publicly released as part of the Metasploit Framework. An attacker could use this code as part of automated attacks to completely compromise the system.

• The SSH vulnerability can cause a buffer overflow condition in the code that determines the size of an array. This makes it possible to allocate an array of size zero, which returns a pointer into the program's own address space. An attacker could send a long, specially crafted packet which exploits this condition, thereby executing arbitrary code on the server.

• With the PHP and SQL vulnerabilities there are many possible attacks: SQL injection and directory traversal (this attack can occur anywhere user-supplied data (from a form field or uploaded filename, for example) is used in a filesystem operation. If a user specifies "../etc/passwd" as form data, and your script appends that to a directory name to obtain user-specific files, this string could lead to the inclusion of the password file contents instead of the intended file. More severe cases involve file operations such as moving and deleting, which allow an attacker to make arbitrary changes to your filesystem structure).

• Authentication issues: attackers can gain access to many different sites. How? They can easily obtain login details from cookies.

• PHP remote scripting, or what we can call cross-site scripting, can easily be performed against a vulnerable machine because of the Apache HTTP server vulnerability; it is simply a matter of targeting the security flaw. There is one more term, remote file inclusion: an attacker can run their own code on a web server by including code from a URL on a remote server. The more worrying part is that any attacker with basic knowledge of PHP and some bash can trash the web server.

• One more attack: an attacker can perform local file inclusion. This happens with MySQL: the attacker looks for a password or shadow file through MySQL and can then easily browse through the server. With that, the attacker can also perform Apache log poisoning.

• One of the critical vulnerabilities is the default password and username. An attacker may leverage this issue to gain total control of the affected system.

• The CUPS installed on the remote host is affected by an integer overflow. Using a specially crafted PNG file with overly long width and height fields, a remote attacker can leverage this issue to crash the affected service and may be able to execute arbitrary code.

Protecting DVL from potential threats

The system found to put the entire network at Dave at risk is, at the same time, critical to the functioning of the company. Hence the plan developed must cater to both of these needs together. Almost 60% of the vulnerabilities, such as those in PHP, CUPS and Apache, need an upgrade, which we are not allowed to do, so we implement measures that limit the impact on the whole network in the event of that machine being attacked.

Educate Employees

As we cannot update or install anything on the machine, we can instead educate the employees, because they are the first wall of defence against attacks and also the biggest security hole. We can teach them security measures such as not opening phishing emails and links, paying attention to the URL, and noticing other small things like spelling.

Private VLAN

The first method I am going to use to protect the machine from attackers is implementing private VLANs (PVLANs) and private VLAN edge.

What private VLANs (PVLANs) do is divide a broadcast domain into multiple isolated sub-domains. It is a simple concept: a VLAN within a VLAN. As we know, Ethernet VLANs are not allowed to communicate directly; they need an L3 device to forward packets between broadcast domains. The same concept applies to PVLANs: since the sub-domains are isolated at Layer 2, they need to communicate through an upper-level (L3 packet-forwarding) entity such as a router. However, there is a difference here. Regular VLANs usually correspond to a single IP subnet. When we split a VLAN using PVLANs, hosts in the various PVLANs still belong to the same IP subnet, but they need to use a router (or another L3 device) to talk to each other (for example, through local proxy ARP). In turn, the router can allow or forbid communication between sub-VLANs using access lists.

Why would anyone need private VLANs? Generally, this type of configuration arises in "shared" environments, say ISP co-location, where it is beneficial to have multiple clients in the same IP subnet while providing a high level of isolation between them.

For our example configuration, we take VLAN 10 and divide it into two PVLANs: sub-VLANs 10 and 30. Take the regular VLAN and call it the primary, then divide the ports assigned to this VLAN by their types:

• Promiscuous: a promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN.

• Isolated: an isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from an isolated port is forwarded only to promiscuous ports.

• Community: community ports communicate among themselves and with their promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.

With that we can put the DVL machine in a community, so it can only communicate with the promiscuous port. We are also going to enable PortFast and BPDU Guard on the isolated and community host ports to prevent STP loops due to misconfiguration and to speed up STP convergence.
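The PVLAN layout described above, written out as a Catalyst IOS configuration. This is an added example, not the essay's own configuration: it assumes VLAN 10 as the primary, community VLAN 30 for the DVL host, an isolated VLAN 20 for other workstations (my assumption; the essay names only 10 and 30), the router R on GigabitEthernet0/1 and DVL on GigabitEthernet0/2.

```cisco
! Assumed layout: VLAN 10 = primary, VLAN 30 = community (DVL),
! VLAN 20 = isolated (added assumption, not named in the essay)
! PVLANs require VTP transparent mode on older IOS (VTP v1/v2)
vtp mode transparent
!
vlan 20
 private-vlan isolated
vlan 30
 private-vlan community
vlan 10
 private-vlan primary
 private-vlan association 20,30
!
! Promiscuous port towards router R: the only path out of the sub-domains.
! Inter-sub-VLAN traffic goes via R, where an ACL can allow or deny it.
interface GigabitEthernet0/1
 description uplink to router R
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 10 20,30
!
! DVL host port in community 30: reaches R and other community members,
! but is cut off at Layer 2 from every isolated port
interface GigabitEthernet0/2
 description DVL
 switchport mode private-vlan host
 switchport private-vlan host-association 10 30
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Isolated host port (e.g. an employee workstation): talks to R only
interface GigabitEthernet0/3
 description isolated workstation
 switchport mode private-vlan host
 switchport private-vlan host-association 10 20
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verification: "show vlan private-vlan" lists primary/secondary pairs and ports
```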

Figure 28: (Above) DVL Protecting mechanism - Private VLAN setup

Where R denotes the router.

https://learningnetwork.cisco.com/docs/DOC-16110

http://blog.ine.com/2008/01/31/understanding-private-vlans/

VPN

As our machine needs to talk outside the network using the cloud, we are using a VPN to secure transmission across the internet. It uses encryption and tunnelling to permit organizations to establish secure, end-to-end connections over third-party networks. It also provides the security infrastructure.

Figure 29: (Above) VPN overview (image taken from the internet to make the point clearer)

Cisco Router Security: VPN

Using Cisco routers for further security when connecting to the outside network.

We are going to configure a VPN tunnel, tunnelling with an RSA secure key.

We can use any router to provide this security, but it should be above the 2600 model.

Implementing a Cisco ASA 5500 Series Switch Outside (IPS Solution)

Features and Capabilities

• Comprehensive, highly effective intrusion prevention system (IPS) with Cisco Global Correlation

• High-performance VPN and remote access

• Optional antivirus, antispam, antiphishing, URL blocking and filtering, and content control

• Manage risks with a broad and deep set of inspection capabilities:

• Defend against zero-day attacks with over 40 engines and 6500 stateful, vulnerability-based signatures that protect against tens of thousands of current exploits, and countless more to come.

• Inspect a wide variety of protocols to ensure RFC conformance and prevent hacks.

• Identify the source of and block denial of service (DoS), distributed denial of service (DDoS), SYN flood, and encrypted attacks with Cisco Global Correlation.

• Use patented anti-evasion technology to defend and monitor against worms, viruses, Trojans, reconnaissance attacks, spyware, botnets, phishing, peer-to-peer attacks, and malware, as well as numerous evasion techniques.

• Guard Cisco infrastructure with specific protections for Unified Communications, WLAN, routing, and switching.

• Utilize an identity-based firewall to provide granular and powerful policy definition.

By implementing this IDS/IPS outside DVL, it provides what is needed to detect unwanted access to DVL, thereby securing the environment to a higher level.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/data_sheet_c78_459036.pdf

http://www.router-switch.com/Price-cisco-firewalls-security-cisco-asa-5500-series_c26

Port Security:

As port security supports private VLANs, we can configure port security with static MAC addresses to restrict a port's access traffic by limiting the MAC addresses that are allowed to send traffic into the port. By assigning secure MAC addresses to a secure port, the port will not forward access traffic from source addresses outside the group of designated addresses. By limiting the number of secure MAC addresses to one and assigning a single secure MAC address, the device attached to that port gets the full bandwidth.

Most of the time a security violation occurs when the maximum number of secure MAC addresses on the secure port has been reached and the source of the ingress traffic is different from the designated source.
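The single-secure-MAC port-security setting described above, as an added IOS example (not the essay's own configuration). It assumes DVL sits on the PVLAN community host port GigabitEthernet0/2 from the earlier layout; the MAC address is a placeholder for DVL's real one.

```cisco
! Assumed: DVL on Gi0/2, already a PVLAN host port (primary 10, community 30)
interface GigabitEthernet0/2
 description DVL
 switchport mode private-vlan host
 switchport private-vlan host-association 10 30
 ! enable port security and allow exactly one secure MAC
 switchport port-security
 switchport port-security maximum 1
 ! static secure MAC: PLACEHOLDER, replace with DVL's real address
 switchport port-security mac-address 0000.0000.0001
 ! a frame from any other source MAC is a violation; "shutdown" puts the
 ! port into err-disabled state (alternatives: protect, restrict)
 switchport port-security violation shutdown
!
! Optional: auto-recover an err-disabled port after 5 minutes instead of
! requiring a manual "shutdown" / "no shutdown"
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification: "show port-security interface GigabitEthernet0/2" shows the
! secure MAC, the violation count and the current port status
```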

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.html#wp1080631

DHCP Snooping

ARP spoofing may allow an attacker to tamper with data frames and traffic, or to halt traffic to create a DoS attack or hijack a session. To counter this, we are going to configure DHCP snooping on the switch, a Layer 2 method that ensures IP integrity within the Layer 2 switch domain. It can:

• Track the physical location of hosts.

• Ensure that hosts only use the IP addresses assigned to them.

• Ensure that only authorized DHCP servers are accessible.
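The DHCP snooping setup for the three goals listed above, as an added IOS example (not the essay's own configuration). It assumes VLAN 10 from the PVLAN layout, the legitimate DHCP server reachable through the router uplink GigabitEthernet0/1, and hosts (DVL included) on GigabitEthernet0/2 to 0/24. It goes one step beyond the essay by adding Dynamic ARP Inspection, which uses the snooping binding table to drop the spoofed ARP replies the essay mentions.

```cisco
! Assumed: VLAN 10, DHCP server behind router R on Gi0/1, hosts on Gi0/2-24
ip dhcp snooping
ip dhcp snooping vlan 10
! Snooping on a PVLAN primary VLAN is propagated to its secondary VLANs.
! Do not insert option 82 unless the DHCP server/relay is known to accept it
no ip dhcp snooping information option
!
! Only the uplink may carry DHCP server replies (OFFER/ACK)
interface GigabitEthernet0/1
 description uplink to router R / DHCP server
 ip dhcp snooping trust
!
! Host ports stay untrusted: server replies are dropped there, and the
! rate limit blunts DHCP-starvation floods from a single host
interface range GigabitEthernet0/2 - 24
 ip dhcp snooping limit rate 10
!
! Beyond the essay: Dynamic ARP Inspection validates each ARP packet on
! untrusted ports against the IP-to-MAC bindings learned by snooping
ip arp inspection vlan 10
interface GigabitEthernet0/1
 ip arp inspection trust
!
! Verification: "show ip dhcp snooping binding" lists learned IP/MAC/port
! entries; "show ip arp inspection vlan 10" shows DAI status and counters
```

Hosts with static addresses (no DHCP lease) need a manual entry with ip source binding, otherwise DAI drops their ARP traffic.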

http://en.wikipedia.org/wiki/DHCP_snooping

Port Forwarding

Forwarding the X11 channel through an SSH tunnel encrypts the data being transferred over the network, protecting it from being eavesdropped on by an unauthorised attacker.

Figure 30: (Above) A Table designed from http://www.jfranken.de/homepages/johannes/vortraege/ssh2_inhalt.en.html

Insurance

No matter how hard you try to protect your machine, you will never defeat cyberattacks completely, so the last line of defence is to get an insurance policy against cybercrime and computer fraud losses. It may cost a couple of hundred dollars a year but can save far more than that.

Cost

Budget

Item/Hardware/Software | Quantity | Cost ($)
ASA5520-BUN-K9 (switch) | 1 | $3,598.00
Cisco 2901 Router CISCO2901-V/K9 | 1 | $1,808.00
Serial cable | 2 | $20
Console cable | 2 | $80
Crossover Cat 6A cable 2 | 6 | $30
Straight-through Cat 6 cable 10m | 4 | $50
Personnel (outsourced, see below)
Network Administrator (total hours required: 50) | 1 | $200/hr
Software Programmers (total hours required: 20) | 1 | $120/hr
System Technician (total hours required: 50) | 1 | $80/hr
Total Cost | | $

ASA5520-BUN-K9:

Description: ASA 5520 Security Appliance with SW, HA, 4GE+1FE, 3DES/AES, Cisco ASA 5500 Series Firewall Edition Bundles

As almost everyone's job depends on the DVL machine, it is worth buying an average switch.

Depending on how big the network is, we can put another switch in it.

Cisco 2901 Router CISCO2901-V/K9:

We need a router for this machine to go out and talk to the world, if they want it to.

Run Time

The entire process of the system implementation, running, testing and taking it live would range from 1 to 2 weeks on an average.

Delay

There could be subsequent delays due to manpower shortages and unexpected issues in the systems.

Personnel

The manpower required for this would include a network administrator, a system technician, one software programmer and the network expert himself. The cost of manpower for working overtime also needs to be accounted for.

Network Efficiency

Using Cat 6 cable throughout the whole network provides gigabit data flow; in addition, the Cisco ASA system is capable of handling full-duplex mode within the network.

Overall, implementing this network solution will mitigate the risk of an attacker exploiting the whole network.
