
Security Labs in OPNET IT Guru

Enginyeria i Arquitectura La Salle

Universitat Ramon Llull

Barcelona 2004
Security labs Enginyeria i Arquitectura La Salle

Security Labs in OPNET IT Guru

Authors:

Cesc Canet

Juan Agustín Zaballos

Translation from Catalan:

Cesc Canet

Overview

This project consists of practical networking scenarios to be carried out with OPNET IT Guru
Academic Edition, with a particular interest in security issues.

The first two parts are a short installation manual and an introduction to OPNET. After
that there are 10 Labs that put different networking technologies into practice. Every
Lab consists of a theoretical introduction, a step-by-step construction of the scenario
and finally Q&A on the issues covered.

Lab 1: ICMP Ping studies Ping traces and link failures.

Lab 2: Subnetting and OSI Model studies layers 1, 2 and 3 of the OSI model, and
uses the Packet Analyzer tool to observe TCP connections.

Lab 3: Firewalls begins with proxies and firewalls. We will deny multimedia traffic
with a proxy, and study the link usage performance.

Lab 4: RIP explains the RIP routing protocol, and how to create timed link failures
and recoveries.

Lab 5: OSPF compares OSPF with RIP. We study areas and Load Balancing.

Lab 6: VPN studies secure non-local connections. A Hacker will try to gain access to a
server that we will try to protect using virtual private networks.

Lab 7: VLAN creates logical user groups with Virtual LANs, and studies
One-Armed-Router interconnections.

Lab 8: Dual Homed Router/Host, Lab 9: Screened Host/Subnet. DMZ and Lab
10: Collapsed DMZ explain static routing tables, ACLs, proxies and internal vs.
perimeter security. Lab 10 is 100% practical: we want you to create it on your own, a
piece of cake if you did the other Labs!

Lab 3: Firewalls
A firewall is a network access control system that separates a network we presume
to be secure from a network that may be insecure. Although it can control both incoming
and outgoing traffic, the most common use of firewalls is to control incoming
traffic. Note that firewalls do not provide any protection against internal attacks.

Network Firewalls (packet filtering)

Routers can control the IP packets that pass through them by accepting or denying traffic
according to policies that examine the protocol headers (IP, ICMP, UDP, TCP, ...). We can
analyze source/destination addresses and ports, protocol types, packet contents and
size, etc. There are two general policies: a) accept all packets except for a finite set of
cases, and b) deny all traffic except for a finite set of cases. Case b is more difficult to
implement, but it is generally the recommended one.
Each packet reaching the device is checked against the filtering rules in order, stopping
at the first match, which decides whether the traffic is denied or accepted.
A default policy is always set.
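
The first-match evaluation and the two default policies described above, as an added Python example (not part of the original lab, and not how OPNET implements its firewall model). The addresses, ports and the names Rule, filter_packet and verdicts are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str                      # "accept" or "deny"
    proto: str = "any"               # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"           # source network, CIDR
    dst: str = "0.0.0.0/0"           # destination network, CIDR
    dports: range = range(0, 65536)  # destination port range

    def matches(self, pkt):
        return (self.proto in ("any", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and pkt.get("dport", 0) in self.dports)

def filter_packet(rules, default, pkt):
    """First match wins; returns (action, rule index or None if the default applied)."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return default, None

# Constructed addressing (not from the lab): LANs in 10.0.0.0/16, servers in
# RFC 5737 documentation ranges, illustrative ports.
DB, WEB, MEDIA = "203.0.113.10", "203.0.113.20", "198.51.100.20"
LANS = "10.0.0.0/16"

# Policy a) accept everything except listed cases.
DENY_LIST = ([Rule("deny", "udp", LANS, MEDIA + "/32")], "accept")
# Policy b) deny everything except listed cases.
ALLOW_LIST = ([Rule("accept", "tcp", LANS, DB + "/32", range(1521, 1522)),
               Rule("accept", "tcp", LANS, WEB + "/32", range(80, 81)),
               Rule("accept", "tcp", LANS, WEB + "/32", range(25, 26))], "deny")

PACKETS = {  # constructed sample packets
    "db_query":    {"proto": "tcp", "src": "10.0.1.7", "dst": DB, "dport": 1521},
    "known_media": {"proto": "udp", "src": "10.0.2.9", "dst": MEDIA, "dport": 5004},
    "new_media":   {"proto": "udp", "src": "10.0.2.9", "dst": "198.51.100.99", "dport": 5004},
}

def verdicts(policy):
    rules, default = policy
    return {name: filter_packet(rules, default, p) for name, p in PACKETS.items()}

if __name__ == "__main__":
    for label, policy in (("a) default accept", DENY_LIST), ("b) default deny", ALLOW_LIST)):
        print(label, verdicts(policy))
```

Under policy a) the media server that nobody listed passes on the default rule, while policy b) drops it without needing a rule for it.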

Proxies (Application Gateways)

They behave as application-level relay devices. Network users establish a
communication with the proxy, thus dividing the source-destination connection into two
independent connections (source-firewall and firewall-destination). The proxy server
manages the requested connections.
This technology performs more slowly than network firewalling because it
works at the uppermost OSI layer. It is usual to use both kinds of firewall at the same time.

Cache Proxies are a popular way to increase performance by storing the data the
gateway transmits in the firewall, so that it is not necessary to fetch the same data
from the Internet the next time another computer requests it.


Lab Description

Lab3 Corporation has two departments, each one with its own network (LAN1 and
LAN2), which access a database server where a database with customer
information is stored, and an e-mail and HTTP server. At the same time, some
employees are illegally downloading multimedia, slowing down the Internet
link. The company asks us to set up a Firewall that blocks multimedia
traffic in order to bring the mean database access time down to a 1 sec threshold.

Creating the Scenario

1. Open OPNET IT Guru Academic Edition (File → New Project) using these
parameters (use default values for the remainder):

Project Name: <your_name>_Firewall
Scenario Name: NoFirewall
Network Scale: Campus
Size: 100x100 meters

Press Next several times until the Startup Wizard finishes.

2. Network creation:
Create the scenario shown in picture L3.1. The components used, and the
palette of the Object Palette in which each can be found, are summarized in
table L3.2.

L3.1 The scenario


Qty  Component                 Palette           Description
1    ethernet16_switch         internet_toolbox  Switches
2    10BaseT_LAN               internet_toolbox  LAN network models
1    ethernet2_slip8_firewall  internet_toolbox  Routers
1    ip32_cloud                internet_toolbox  Internet model
2    ppp_server                internet_toolbox  EmailAndWebServer, DBServer
1    ppp_wkstn                 internet_toolbox  MusicAndVideoServer
1    Application Config        internet_toolbox
1    Profile Config            internet_toolbox
3    10BaseT                   internet_toolbox  Connects the Switch with the Firewalls and the two LANs
1    ppp_adv                   links_advanced    Connects the Firewall to the Internet
3    T1                        links             Connects the 3 servers to the Internet

L3.2 Components list

L3.3 Application Config Attributes

Right click on every node, click on Set Name and write the same names as
seen in the picture.

3. Setting up the Application Config control:
Select the Application Config control, and go to Edit Attributes. All we need to
modify are the Application Definitions. Delete all the applications that may be
defined (tip: set rows: 0), and create 4 applications as seen in picture L3.3 (set
rows: 4 and edit the four applications). The first step is
to change the Name: Email, HTTP, DB and MusicAndVideo. Then change the
application load:


HTTP: Permits HTTP (Light Browsing).
Email: Permits Email (Low Load).

These two applications can be configured automatically by double-clicking on
the corresponding fields. To configure MusicAndVideo and DB, double-click
on the fields of picture L3.3 marked with the (...) symbol: DB → Database,
MusicAndVideo → Voice, and then set the values as in pictures L3.4 and L3.5.

L3.4 and L3.5 Configuring the application traffic


L3.6 Configuring Profile Config

Select the Profile Config control, right-click on it, choose Edit
Attributes and create 4 profiles:

WebBrowser, to admit HTTP application
EMailProfile, to admit Email application
MusicAndVideoProfile, to admit MusicAndVideo application
BDProfile, to admit DB application.


We have to do the same steps as before: set 0 rows to erase any rows we may
have, then set 4 rows to configure the four applications, expand each
row and set the values as seen in the pictures. Branches that are not
expanded in the pictures use default values. Applications can be appended to
profiles by adding new rows to the Applications field and setting the Name field
on every row 0 of the Applications branch. We can also modify the Start Time
of all Applications and Profiles (packet reception distribution), the Operation
Mode, and the Repetition Pattern.

4. Setting up the Firewall:
This first scenario permits the voice traffic. Picture L3.7 shows the main options
to be configured in the router. The attributes to modify are the following:

Address and Subnet Mask: AutoAddressed on all rows of IP Routing
Parameters → Interface Information and IP Routing Parameters → Loopback Interfaces.
We need to set up the routing protocol OSPF: OSPF Parameters → Interface
Information → row 0 and row 1 (the unique router interfaces) → Type: Broadcast.
Set Point to Point on the remainder (rows 2-9).
Proxy Server Information → row 6 (corresponds to Application Remote
Login, necessary for Database access) → Proxy Server Deployed: Yes;
this ensures that database traffic is allowed to pass.


L3.7 Configuring the Firewall

5. Setting up MusicAndVideoServer:
Right click on the MusicAndVideoServer and click on Edit Attributes.
We have to modify Application: Supported Services, setting the
parameters as seen in the picture below (we need to set rows: 1 to accept
MusicAndVideo). Leave the remaining options with default values.


L3.8 MusicAndVideoServer supported Services

6. Setting up the DBServer and WebAndEmailServer:
The Supported Services of these servers have to be set as seen below:

Server             Supported Services
DBServer           DB
WebAndEmailServer  HTTP, Email
L3.9 Supported Services

7. Configuring LANs:
Select LAN 1 by clicking on it, then right-click → Edit Attributes.
Use the values from picture L3.10 (branches that are not expanded use default
parameters). This configuration uses 250 workstations in each
LAN (Number of Workstations): 5 of them will be doing web browsing, 5 will
be using email, 50 attempting to connect to the database and 9 using
MusicAndVideoServers illegally (Application: Supported Profiles). When
finished, click on OK.

L3.10 Assigning profiles to workstations at LAN 1

LAN 2 will be configured with the same values. Use Copy & Paste to duplicate
the LAN and change the name afterwards.


8. Internet-Firewall link configuration:
Right-click on the link and Edit Attributes. Set Data Rate: T1.

9. Configuring the simulation statistics:
The performance and throughput statistics can give interesting
information, as can the DB Query delay:

Right click on the Internet-Firewall link → Choose Individual Statistics
and mark the checkboxes as in picture L3.11. Click OK.

L3.11 Internet-Firewall link statistics

In order to choose the DB Query simulation statistics, right click anywhere
on the grid except on a node, select Choose Individual Statistics and
check the fields as in picture L3.12. Click OK.

L3.12 Global statistics


To check all the child statistics of a parent node, click on the parent node and
all its child nodes will be check marked.

10. Configuring the simulation:
From the Project Editor, click on configure/run simulation and set
Duration: 1 hour(s). Don't start the simulation yet.

Creating the second scenario

The second scenario is a duplicate of the first, but with some router rules blocking
particular packets from and to music and data services. Later on we will see how this
decreases the Internet link throughput and brings the database access time well below
the 1 second limit.
From the Project Editor, choose Scenarios → Duplicate Scenario... Rename the new
scenario: WithFirewall, then right click on Firewall and Edit Attributes. Leave all
the values as they are, except Proxy Server Information → row 8
(Application Voice data), where we set Proxy Server Deployed: No.

Results Analysis

Run the simulations of all the scenarios, and take a look at the graphs:

1. In the Project Editor, choose Scenarios → Manage Scenarios... and configure the
simulation parameters as seen in the picture, setting <collect> on the
Results row of both scenarios (use <recollect> if this is not the first time
you run the simulation). Click OK.

L3.13 Manage Scenarios


2. Compare the DB Query Response Time by right-clicking on the Grid in any
scenario and choosing Compare Results. Now we can browse all the general
statistics we selected before in the tree on the left side. Make sure that the Overlaid
Statistics, All Scenarios and average options are selected.

L3.14 Compare Results

Questions

Q1 Compare the DB Query Response time (sec). Can you see a significant
improvement when the firewall is implemented at the proxy? Do we respect the 1 sec
threshold?

Q2 Compare the point-to-point throughput (packets/sec) in any direction of the
Firewall-Internet link. How is the effective bandwidth of the non-illegal applications
affected by the proxy?

Q3 Compare the utilization of the same link. What changes do you notice?


Answers

Q1 The DB Query Response time was at a giddy high of 2.5 seconds, and it decreased
to 0.5 seconds when the proxy is on because of an effective bandwidth net gain,
significantly below the 1 second threshold.

L3.15 Average DB Query Response Time

Q2 The large number of packets per second when the multimedia traffic was
permitted (around 4,500) is remarkable, as is the way this decreases to a
residual value when the traffic is banned. The bandwidth was absolutely saturated.

L3.16 Average point-to-point throughput of the link

Q3 The main part of the network traffic was voice traffic, but what we didn't know is
that this was saturating the Internet link capacity. When the proxy is on, the
utilization reaches almost 0%.


L3.17 Average utilization of the link
