LAB-3 (FIREWALL ATTACK/DEFENCE):
The Firewall Simulator is a tool for students to learn how to configure a firewall using Cisco-like commands. The process for using the simulator is:
Open the simulator web page in your web browser. If it asks you to trust the applet, respond positively.
When you first start, you must enter your name to identify yourself to other participants. Names must be less than 17 characters in length.
Configure your firewall to allow needed services while preventing attacks. A separate frame holds the firewall configuration commands. Type in the access-list commands and press the large button at the top marked “Update Configuration”.
Once the actions are enabled by the administrator, you can take actions against other players.
If you receive messages that other players are successfully attacking your network, reconfigure your firewall to correct problems.
New tasks will appear that may require you to reconfigure your firewall. Shortly after a new task appears, you are vulnerable to related attacks by other players. You may also attack other players.
Initial Configuration
When you first start the simulation, you should configure your firewall to allow the following services to run. Actions against these services are possible as soon as the administrator enables the action button.
Access by the public to your web site
Email from other email servers using SMTP
Domain Name Server access
The general format for a Cisco-like firewall configuration command is:
access-list number {permit | deny} [protocol] {any | ipaddr mask | host ipaddr} {any | ipaddr mask | host ipaddr} [operator port | established] [log]
access-list – All firewall configuration commands start with this keyword.
number - A number between 0-199 or 2000-2999 (Think of it as the name of the list.)
permit or deny - Whether to permit or deny this packet of information if conditions match
protocol (optional) - Type of protocol for this packet: IP, ICMP, SNMP, UDP or TCP. If omitted, then this command pertains to all network traffic regardless of protocol.
Source Address - The Internet address of the sender of the packet. This can be:
any – This access command applies to packets from any source.
host ipaddr – This command applies to one particular computer. The IP address of the computer is given in the usual dotted-decimal format (e.g. 152.8.1.2).
ipaddr mask – The IP address of the packet’s source is specified in the usual dotted-decimal format. This is followed by a mask, also specified in the usual dotted-decimal format. When comparing the packet’s source address, any address bit whose mask bit is one is ignored. Thus 152.8.12.47 0.0.255.255 represents all IP addresses whose first 16 bits match.
Destination Address - The Internet address of the network packet’s destination. This can be specified in the same three formats as the source address.
Operator (optional) - This applies to TCP or UDP ports only. This indicates how the port number in the packet should be compared. If omitted, then this command applies for all ports.
| Operator | Meaning |
| --- | --- |
| eq | equal |
| lt | less than |
| gt | greater than |
| neq | not equal |
| range | a range of ports; you must specify two different port numbers |
| est | established connections: this allows packets to pass through the firewall from the Internet if they are the response to a connection established from within the intranet |
Port (optional) - TCP/UDP destination port number. If omitted, then this command applies for all port numbers. The port number must be specified if an operator is given.
Log (optional) - Whether to log this entry to the console (not used in the simulation).
Commands are case insensitive. Note that all access-list commands must fit on one line. Comments can be included in the configuration. Comments start with an exclamation point ( ! ).
Examples:
access-list 111 permit tcp any host 152.8.1.1 eq 80
This permits any computer on the Internet to connect to the computer whose IP address is 152.8.1.1 using the TCP protocol and port 80.
access-list 123 deny any 178.22.8.9 0.0.255.255
This will prohibit any computer from accessing any computer whose address starts with 178.22, using any protocol.
Access-list command order is important
When a packet arrives at your firewall, it will be compared with each access-list statement in the order they appear.
The first statement that applies to that packet determines if it is permitted or denied.
For incoming traffic, there is an implicit deny everything at the end of the access-lists.
For outgoing traffic, there is an implicit permit everything at the end of the access-lists.
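The following evaluator is an added example, not code from the simulator or the lab. It implements the access-list syntax and matching rules described above in Python: the three address forms with wildcard masks, the port operators and est, comments and case-insensitivity, first-match order, and the implicit deny for incoming traffic and implicit permit for outgoing traffic. It assumes the intranet is 152.8.0.0/16 (the Addresses section says traffic whose source starts with 152.8 is outgoing), takes the web server 152.8.1.1 from the handout's example, and uses assumed addresses for the mail and DNS servers; the packets and the "reply" flag that stands in for an established TCP connection are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumption from the handout's Addresses section: the simulated intranet is 152.8.0.0/16,
# so a packet whose source starts with 152.8 is outgoing and anything else is incoming.
INTRANET = ipaddress.ip_network("152.8.0.0/16")
PROTOCOLS = ("ip", "icmp", "snmp", "udp", "tcp")
OPERATORS = {                                   # port operators from the handout's table
    "eq": lambda p, a: p == a,
    "lt": lambda p, a: p < a,
    "gt": lambda p, a: p > a,
    "neq": lambda p, a: p != a,
    "range": lambda p, a, b: a <= p <= b,
}

@dataclass
class Rule:
    number: int
    action: str            # "permit" or "deny"
    protocol: str          # "ip" means the keyword was omitted: any protocol
    src: tuple             # (address bits, care mask): bits under the care mask must match
    dst: tuple
    operator: str = ""
    ports: tuple = ()
    established: bool = False

def parse_addr(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' at position i; return (matcher, next i)."""
    if tok[i] == "any":
        return (0, 0), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0xFFFFFFFF), i + 2
    addr = int(ipaddress.IPv4Address(tok[i]))
    wildcard = int(ipaddress.IPv4Address(tok[i + 1]))   # wildcard bits set to 1 are ignored
    return (addr, 0xFFFFFFFF ^ wildcard), i + 2

def parse_rule(line):
    """Parse one access-list line; return a Rule, or None for a blank or comment-only line."""
    line = line.split("!", 1)[0].strip().lower()        # '!' starts a comment; case-insensitive
    if not line:
        return None
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"unknown command: {line}")
    number = int(tok[1])
    if not (0 <= number <= 199 or 2000 <= number <= 2999):
        raise ValueError(f"list number out of range: {number}")
    action = tok[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"expected permit or deny: {line}")
    i, protocol = 3, "ip"
    if tok[i] in PROTOCOLS:
        protocol, i = tok[i], i + 1
    src, i = parse_addr(tok, i)
    dst, i = parse_addr(tok, i)
    operator, ports, established = "", (), False
    if i < len(tok) and tok[i] == "est":
        established, i = True, i + 1
    elif i < len(tok) and tok[i] in OPERATORS:
        operator = tok[i]
        n = 2 if operator == "range" else 1             # range needs two port numbers
        ports = tuple(int(p) for p in tok[i + 1:i + 1 + n])
        if len(ports) != n:
            raise ValueError(f"operator {operator} needs {n} port number(s): {line}")
        i += 1 + n
    if i < len(tok) and tok[i] == "log":
        i += 1
    if i != len(tok):
        raise ValueError(f"trailing tokens: {line}")
    return Rule(number, action, protocol, src, dst, operator, ports, established)

def addr_matches(matcher, ip):
    bits, care = matcher
    return (int(ipaddress.IPv4Address(ip)) & care) == (bits & care)

def rule_matches(rule, pkt):
    if rule.protocol != "ip" and rule.protocol != pkt["proto"]:
        return False
    if not (addr_matches(rule.src, pkt["src"]) and addr_matches(rule.dst, pkt["dst"])):
        return False
    if rule.established:        # only TCP replies to connections opened from inside
        return pkt["proto"] == "tcp" and pkt.get("reply", False)
    if rule.operator:           # operators apply to TCP/UDP destination ports only
        return pkt["proto"] in ("tcp", "udp") and OPERATORS[rule.operator](pkt["dport"], *rule.ports)
    return True

def evaluate(rules, pkt):
    """First matching statement decides; otherwise incoming is denied and outgoing permitted."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "permit" if ipaddress.ip_address(pkt["src"]) in INTRANET else "deny"

def decisions(config, packets):
    rules = [r for r in map(parse_rule, config.splitlines()) if r]
    return [evaluate(rules, p) for p in packets]

# Constructed initial configuration: 152.8.1.1 is the handout's web server; the mail
# server (152.8.1.2) and DNS server (152.8.1.3) addresses are assumptions.
INITIAL_CONFIG = """
! public web site, incoming mail and DNS, plus replies to connections opened from inside
access-list 111 permit tcp any host 152.8.1.1 eq 80
access-list 111 permit tcp any host 152.8.1.2 eq 25
access-list 111 permit udp any host 152.8.1.3 eq 53
ACCESS-LIST 111 PERMIT TCP ANY ANY EST
"""
# The handout's deny example followed by a constructed permit: because the first matching
# statement wins, the broad deny shadows the narrower permit placed after it.
SHADOWED_CONFIG = """
access-list 123 deny any 178.22.8.9 0.0.255.255
access-list 123 permit tcp any host 178.22.1.1 eq 80
"""
SAMPLE_PACKETS = [  # constructed traffic (203.0.113.5 and 198.51.100.4 are Internet hosts)
    dict(src="203.0.113.5", dst="152.8.1.1", proto="tcp", dport=80),     # web: permit
    dict(src="203.0.113.5", dst="152.8.1.1", proto="tcp", dport=23),     # telnet: implicit deny
    dict(src="203.0.113.5", dst="152.8.1.3", proto="tcp", dport=53),     # DNS over TCP: deny
    dict(src="152.8.1.9", dst="198.51.100.4", proto="tcp", dport=443),   # outgoing: implicit permit
    dict(src="198.51.100.4", dst="152.8.1.9", proto="tcp", dport=50000, reply=True),  # est: permit
    dict(src="198.51.100.4", dst="152.8.1.9", proto="tcp", dport=50000), # unsolicited: deny
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, decisions(INITIAL_CONFIG, SAMPLE_PACKETS)):
        print(verdict, pkt)
    web = dict(src="152.8.1.9", dst="178.22.1.1", proto="tcp", dport=80)
    print("shadowed permit:", decisions(SHADOWED_CONFIG, [web]))
```

Swapping the two lines of SHADOWED_CONFIG turns the verdict for the web packet from deny to permit, which is the order dependence the section describes; the DNS-over-TCP packet shows why the protocol keyword matters when a service uses both TCP and UDP.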
Some interesting port numbers
| port | service |
| --- | --- |
| 21 | FTP |
| 23 | Telnet |
| 25 | Simple Mail Transport Protocol |
| 53 | Domain Name Servers |
| 69 | Trivial FTP |
| 80 | HTTP |
| 110 | POP3 client email |
| 123 | Network Time Protocol |
| 137-139 | Microsoft NETBIOS |
| 143 | IMAP4 client email |
| 161 | Simple Network Management Protocol |
| 443 | HTTPS |
| 445 | Windows File Sharing |
| 1863 | MSN Instant messaging |
| 1214 | Kazaa |
| 3389 | Windows Remote Desktop Protocol |
| 5190 | AOL instant messenger |
| 28800-29100 | MSN Gaming Zone |
| 49876 | Firewall Simulation |
Addresses
The access-list commands specify source and destination addresses. If the source address starts with 152.8, then the traffic is going out from your network to the Internet. If the source is any other address, then the traffic is coming into your network. A description of your simulated network is shown below.
