Category Archives: Learning Activities

Student L13A1

Do you wanna build an IDS?

If you didn’t read that in the voice of Anna from Frozen, you need to go watch more Disney.  But maybe later.

Anyway.

Hopefully you learned all about what an IDS (Intrusion Detection System) is from the slides, but in case you weren’t pay…err, in case you were … sick … let’s review.

What’s an IDS?

An intrusion detection system sits at the perimeter of your network and … detects … intrusions …

Ok well obviously it’s a little more complex than that.  How does it do that?  Well it looks for anomalous behaviors.  OOoooooOooOoo big word, ey? It’s kinda like your network’s bouncer – anything that looks like it doesn’t belong, it takes note of it, giving you the option to deal with the activity how you see fit (block it, allow it through, flex your definitely-not-steroid-induced-muscles, etc.).  For example, say you’ve got a lovely web server.  Remember that web traffic goes over port 80?  Well maybe you’ve also got SSH and FTP running over 22 and 21, and maybe a few other random services.  Your IDS expects these types of connections, so when 20 people connect to your server over port 80, it’s not really anything worth noting.  But what about when someone tries to connect over port 79? Well .. I mean, eh.  Whatever.  But now they’ve tried to connect over 79, 80, 81, 82, 83, 84, … you get it. Something strange is going on.  Maybe they’re port scanning you! AHHH!!! Run!!! PANIC!!! … ok don’t, but you get the idea – this behavior is strange, and therefore needs to be attended to.
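To make the “79, 80, 81, 82 …” idea concrete, here is a small added example (written for this page, not code from Snort or pfSense) that runs the bouncer logic over a constructed connection log: any source that touches several distinct destination ports within a short window gets flagged, while the twenty-visitors-on-port-80 case does not. The log format and addresses are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (not real pfSense/Snort output):
# "<timestamp> <src_ip> <dst_ip> <dst_port> <action>". Normal visitors hit
# port 80; one host walks ports 79, 80, 81, ... exactly like the text describes.
SAMPLE_LOG = """\
2024-03-01T10:00:01 198.51.100.10 203.0.113.5 80 pass
2024-03-01T10:00:02 198.51.100.11 203.0.113.5 80 pass
2024-03-01T10:00:03 198.51.100.12 203.0.113.5 80 pass
2024-03-01T10:00:04 198.51.100.10 203.0.113.5 22 pass
2024-03-01T10:00:05 192.0.2.77 203.0.113.5 79 block
2024-03-01T10:00:05 192.0.2.77 203.0.113.5 80 pass
2024-03-01T10:00:06 192.0.2.77 203.0.113.5 81 block
2024-03-01T10:00:06 192.0.2.77 203.0.113.5 82 block
2024-03-01T10:00:07 192.0.2.77 203.0.113.5 83 block
2024-03-01T10:00:07 192.0.2.77 203.0.113.5 84 block
2024-03-01T10:00:09 198.51.100.13 203.0.113.5 21 pass
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\w+)$")

def parse_events(log_text):
    """Group (timestamp, dst_port) pairs by source address; skip junk lines."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, _dst, port, _action = m.groups()
        events[src].append((datetime.fromisoformat(ts), int(port)))
    return events

def detect_port_scans(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag any source that touches >= `threshold` distinct destination ports
    within `window`. Returns {src: sorted list of all ports it touched}."""
    suspects = {}
    for src, evs in parse_events(log_text).items():
        evs.sort()
        start = 0
        for end in range(len(evs)):          # sliding window over this source
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if len({p for _, p in evs[start:end + 1]}) >= threshold:
                suspects[src] = sorted({p for _, p in evs})
                break
    return suspects
```

Real Snort does this with its preprocessor and rule sets rather than a hand-rolled window, but the shape of the decision is the same: normal services are expected, a sweep across neighbouring ports is not.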

IDSs to the rescue!!

The IDS I’m choosing for you to choose to use (hehe) is Snort.  “Why should I?!?!” you ask indignantly?  Well, pfSense has a built in plugin for Snort that makes it really easy to use and set up.  And we’re computer people – let’s be honest: we’re lazy.

Pull up the webconfigurator page for your pfSense firewall.  Hopefully you’ve got this all set up properly.  If not you’re skipping steps.  Shame on you.  Go here and fix it.  I’ll wait.

Just kidding, we aren’t waiting for them – let’s go!  Go to the “System” menu option and select “Available Packages” to find and install the “Snort” package.

Now you can go to “Services” -> “Snort” to get to the Snort GUI for set-up.

[Image: LaunchSnortGUI]

Click on the “Global Settings” tab to get to the good stuff.  Unless you feel like paying for things, which, I’m broke, so I’ll assume you are too, and therefore don’t want to pay for things, then the only list you want to check is the “Snort VRT Free Registered”.  And yes, you’ll have to go get a FREE OinkCode (wut?) but if you’re too lazy to do that, you don’t deserve this IDS!!! It’s easy.  Really.

Once you get your free … OinkCode … (that’s just silly), copy and paste it into the text box.

[Image: EnableSnortRulesDownloads]

After that, you can select the ETOpen check box if you want, but to be honest, I’ve found it more trouble than it’s worth.  It tends to throw a lot of false positives, which can get irritating, but if you’ve got the time to sift through all the rules and see which ones are causing issues, I suppose you could enable it.  It’s a lot more intense.  But if you’re brave, go for it!

Another setting to point out would be the “Rules Update Setting” – the defaults are probably ok, but considering that you’re likely doing a CDC, your timeframe is considerably shrunk, so you can set this to more frequently if you’d like.

You can manually update your rules, though, using the update tab (big surprise, hmm?)

But as of now, your Snort install has no idea what to do.  It’s a bit of a lost puppy.  And that’s sad.  Let’s fix that, shall we?

Click over to the “Snort Interfaces” tab to add an interface so Snort knows where to do its thang.

[Image: SnortAddInterface]

Then add in your WAN interface.

[Image: SnortInterfaceSettings]

Here you can send alerts to your pfSense logs (recommended), automatically block hosts that Snort feels are doing bad things (slightly less recommended, but up to you I guess), etc.  After clicking save, it’ll return you back to the Interfaces page.  But OH NO!!! You have an error!! It’s fine.  Chill.

Note the warning icons in the image below showing no rules have been selected for the new Snort interface. Those rules will be configured next. Click the “e” icon (shown highlighted with a red box in the image below) to edit the new Snort interface again.

Click on the “WAN Categories”, and make sure the “Resolve Flowbits” option is checked.  Also, check the “Use IPS Policy” checkbox.  You can choose any one of the options in the box below, but you really can’t go wrong.

[Image: SnortChooseIPSPolicy]

If you select the “Use IPS Policy” under “Snort IPS Policy Selection”, you won’t have to manually go through all the rules and select which ones to use.  It’ll use the policy you selected earlier (connectivity, balanced, security) to select the appropriate rules.

Then click save! Yay!

Lastly, click the Snort Interfaces tab to display the configured Snort interfaces. Click the “service stopped” icon to start Snort on an interface.

At any point, you can see what your IDS has blocked by going to the Blocked tab.

[Image: SnortBlockedHosts]

The alerts tab is also quite helpful – these aren’t necessarily hosts being blocked, but are events that have triggered alerts by your Snort install.  From here, you can suppress alerts so that you don’t see them anymore using the “+” button.  You can also use the “x” button to remove a block for that host.  So if you find a false positive has triggered a block on a legitimate host, you can easily unblock them from here.

Student L10A2

Let’s look into compartmentalization a little bit as it relates to security.  A quick summary – we can use compartmentalization in our network or organization to get rid of unnecessary information flow.  Lemme explain.  Here’s an example shamelessly copied straight from Wikipedia.

An example of compartmentalization was the Manhattan Project. Personnel at Oak Ridge constructed and operated centrifuges to isolate Uranium-235 from naturally occurring uranium, but most did not know what, exactly, they were doing. Those that did know, did not know why they were doing it. Parts of the weapon were separately designed by teams who did not know how the parts interacted.

If there was no NEED for certain sections of the organization to know about various other aspects, they were shut out from that portion.  To use the example – if I’m an engineer of the specialized pointed tip that goes on a rocket (I’ve seen the cartoons, it definitely has to be pointy), I may be asked to engineer that piece for the Manhattan Project.  But do they need to tell me about their target location? Or even the payload of the rocket? Nah.  They don’t.  Compartmentalization, baby.

MMmmmmkay so what.  Well c’mon, be creative!  How can we use this for our network?

Got anything yet?

I’ll give you some time while I explain a TOTALLY different (*cough*) security issue called pivoting.  Say I want to get to SUPERSECRETSERVER:A.  But it’s all the way on the “inside” of a network, protected by … security things … and … moats … or something.  But let’s say KINDASUPERSECRETSERVER:B sits in between me and ..:A.  W311, a5 an 3xtr4 1337H4X0R, I may not be able to get to ..:A, but I can get to …:B.  Then from …:B, I can use that as a pivot point to get to A.  Meaning B likely has more permissions than I had simply sitting outside the network, so I can use it as a stepping stone to get to my goal.

But what if …:A and …:B have no reason to talk to each other? One deals with the pointy end of rockets, the other with the target location of the bombs.  What happens when I block off communication from …:A –> …:B? I stop that option! Y4y m3!

Back to real life.  Let’s apply this to our CDC network.  Think about your network – we’ve previously blocked out unnecessary communication from the outside (eyyy firewall), but what about internally?

Activities:

  1. Create a hierarchical diagram of your network (give ample space between servers).
  2. Where your servers have a need to communicate with each other, draw a connection between the two servers.
    1. Does the connection need to be two-way?
    2. Write along the line which services/ports are needed.
  3. Are you surprised by how much/little communication is needed within your network? Do you see the security benefits of partitioning your network off like this?
  4. Go into your pfSense WebConfigurator and implement your newly created rules for your LAN network.  (HINT: you already added rules on the external network [WAN], do the same, only select the “LAN”)
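As an added example (written for this page, not part of the activity or of pfSense), here is a small Python model of the LAN policy the steps above ask you to draw: the one-way flows between the scenario’s servers with their ports, a default-deny check, the set of hosts an intruder on each server could pivot to, and the same policy rendered in pf syntax. The addresses and the assumed web-to-FTP need on port 21 are made up for the example.

```python
from dataclasses import dataclass

# Constructed addresses for the scenario's servers (assumed, not from the page).
HOSTS = {"web": "10.0.0.10", "ftp": "10.0.0.20", "help": "10.0.0.30", "admin": "10.0.0.100"}

@dataclass(frozen=True)
class Rule:
    src: str        # host name from HOSTS
    dst: str
    port: int       # destination TCP port

# The connections drawn on the diagram: each is one-way and names its port.
# Everything not listed is denied. The needs themselves are assumptions.
ALLOWED = [
    Rule("web", "ftp", 21),      # web portal pulls case files from the FTP server
    Rule("admin", "web", 22),    # administrator SSH only from the admin box
    Rule("admin", "ftp", 22),
    Rule("admin", "help", 22),
]

def is_allowed(src, dst, port, rules=ALLOWED):
    """Default deny: a LAN flow passes only if a rule matches it in that direction."""
    return any(r.src == src and r.dst == dst and r.port == port for r in rules)

def reachable_from(start, rules=ALLOWED):
    """Hosts someone sitting on `start` could pivot to by following allowed
    one-way flows transitively, i.e. the blast radius of losing `start`."""
    seen, stack = set(), [start]
    while stack:
        cur = stack.pop()
        for r in rules:
            if r.src == cur and r.dst != start and r.dst not in seen:
                seen.add(r.dst)
                stack.append(r.dst)
    return seen

def render_pf(rules=ALLOWED, iface="lan"):
    """Render the policy in pf syntax (the packet filter under pfSense); this is
    illustrative only, the real rules are entered in the WebConfigurator."""
    lines = [f"pass in quick on {iface} proto tcp from {HOSTS[r.src]} "
             f"to {HOSTS[r.dst]} port {r.port}" for r in rules]
    lines.append(f"block in on {iface} all")   # catch-all deny for everything else
    return lines
```

With this policy a compromised FTP or help-desk box can reach nothing else on the LAN, which is exactly the pivot path the text wants cut off.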

Student L10A1

In the following activity, an organization will be described.  Try to imagine what the potential risks could be in such an organization.  To begin, simply read over the following organization (adapted from a previous CDC) carefully.

Welcome!

I am Robert Commit of Cache, Daemon, & Commit, Attorneys at Law. We are pleased to welcome you to the Information Technology division of one of the premier law firms of Iowa since 1912. You will be a valuable addition to the long line of dedicated men and women who have helped thousands of people with legal affairs over the past century.

You are joining the company in our new information technology team to provide the services that our lawyers and clients need to be productive and efficient. Your duties will include maintaining our existing servers and adding desired capabilities. We have a long tradition in providing the very best and hope you will take our value of excellence to heart.

An integral part of our company is protecting and safeguarding our clients’ privacy. We have many cases that are not known publicly and we must protect client confidentiality. At the same time, we must maintain excellent records for auditing purposes. These two goals drive our need for safe, secure, and comprehensive systems.

Below I have attached a list of our servers and systems and what services they must provide. It includes your duties as a member of the Information Technology team of Cache, Daemon, & Commit. Make sure to read it carefully and understand everything that you need to provide.  One key thing to note will be that Cache Daemon Commit has funds for up to three new servers, one of which will be the new RDP server. There is a strict 6 server limit, however.

We hope you enjoy your time at Cache, Daemon, & Commit!

Robert Commit

Partner, Cache, Daemon & Commit, Attorneys at Law

By entering into employment at Cache, Daemon, & Commit you hereby release and discharge forever Cache, Daemon, & Commit, its clients, partners and employees from all liability including but not limited to loss of life, bankruptcy, defamation of character, destruction or damage of property, and psychological harm.

Corporate Webserver (www.teamN.isucdc.com)

Default Username: root
Default Password: cdc

Our CentOS webserver hosts our corporate website. The website was created with a front-end of Angular JS and a back-end of PHP and MySQL. There are three main features of the website. The first is the company and lawyer profiles which are open to the public. Lawyers and other company employees have access to the second section which is the cases list. The last section is the information about each case including a portal to upload and download files. The files will be stored on the file server located at ftp.teamN.isucdc.com. Each lawyer should only be able to view the files relating to the cases on which he is working (listed above). Unfortunately, we do not have the resources to rebuild the server from scratch and have no desire to leave CentOS.

Required Access

  • All employees should be able to upload and download files

Required Services

  • Website on port 80
  • SSH on port 22 for administrator

FTP Server (ftp.teamN.isucdc.com)

Default Username: root
Default Password: cdc

We have an FTP file server that employees can use to upload and download case-related files. Each case will have a separate folder. Inside each case folder, there will be a folder labelled “evidence”. All files in this folder must be available through the web-based interface on http://www.teamN.isucdc.com. Our sensitive case files must be accessible through the web-based interface and FTP to the lawyers working on the case. We are very happy with our current server and do not have the resources to rebuild it from scratch.

Required Services

  • FTP access over port 21 (or other port with permission)
  • SSH on port 22 for administrator
  • Must be available via web interface on corporate web site

Help Desk Server (help.teamN.isucdc.com)

We have hired a reputable tech company to make a chat server. This chat server will be used by our employees and clients for tech support with our services. This chat server is available at https://download.iseage.org/chat-bundle.tar.gz. You are free to use this chat server or create your own but you must provide a real-time chat service for our employees and clients. It can be hosted on any server but must be accessible to the public at help.teamN.isucdc.com. If you use the provided chat bundle, nginx and Java are required.

Required Services

  • Chat over port 80

Questions to Discuss:

  1. What jumps out to you as an obvious place for an attacker to start if their goal is to compromise your confidential information?
  2. How could an attacker use the Help Desk Server to obtain sensitive information?
  3. You are inheriting these servers “as-is” from employees that worked here previously, and do not have the funding to start from scratch.  What issues can you imagine coming out of this?
  4. Multiple ports will need to be open running various services including port 21 (FTP), port 22 (SSH), and port 80 (HTTP).  What are some ways you can secure these services while still allowing them to function properly?