- Domain 3: Network Implementation
- What You Will Need
- Lab 1: Active Directory Structure and Permissions
- Lab 2: Services and nbtstat
- Lab 3: Wiring, Part II
- Lab 4: VPN and Authentication Re-visited
- Lab 5: Firewalls, Proxies, and Ports
- Lab 6: Anti-Virus Software
- Lab 7: Fault Tolerance
- Lab 8: Disaster Recovery
- Domain 3 Practice Questions
- Answers and Explanations
Lab 5: Firewalls, Proxies, and Ports
In this lab you will learn you how to do the following:
Use a firewall to protect your PC or your network.
Create an IP proxy.
Configure ports to your best advantage.
Work with a third-party free firewall.
Identify VLANs, intranets, and extranets.
Prepare for the Network+ subdomains 3.5–3.9.
When services are running, you have a security hole. It’s that simple. If a service is started, the corresponding port is opened. Hackers have a point of entry to your system or network. Firewalls were developed to shield your network, so that your network’s ports are considered closed or shielded, and so that your network’s or computer’s IP can’t be seen by public users on the Internet. The problem is that you may want to run services, but not lose the firewall. This is where a DMZ comes in; firewalls can normally handle incorporating a DMZ. Your firewall will normally act as an IP proxy as well. This means that the device only displays one public IP address to the Internet, but it allows the entire private LAN to access the Internet though it. So it acts as a go-between or mediator or...proxy. In this lab, you are going to learn a little more about your Linksys firewall, and install a free firewall known as ZoneAlarm. Plus, you will learn how to configure your very own IP proxy and ICS device as well as how to best configure your ports.
Revisit Your Linksys Firewall
You learned about port forwarding earlier. You can connect to the public IP address of the SOHO router with an application that uses a specific port—for example, PPTP, which uses 1723. The firewall forwards any packets sent on that port to whatever PC on your LAN you want. Take a look at Figure 3.36 for an example.
Figure 3.36 Forwarding applications via port number.
As you can see, you are running a POP3 mail server on 192.168.1.202, and a Quake III server on port 27960 as well as your VPN server on 1723. But for the client to access those servers, they must first get through the router, thus the need to forward those requests. The main thing here is to know which port is used by the application you want to serve. The big problem, though, is that you have just opened up those three ports to all of your computers! To combat this security breach, you can create a DMZ. When you do this on a SOHO router, however, all the ports become visible. You would then either have to get a second hardware firewall for those computers that you do not want visible from the Internet or load a software-based firewall on each of them. You also filter ports so that only certain ports are used, or so only certain ports are excluded. Most firewalls have this feature, normally referred to as port filtering.
If you are worried about specific applications not working because the outbound and inbound ports are different, you can use those outbound ports as a trigger to forward to the inbound ports for replies. For example, in Figure 3.37, we are using 6660–6670 as a trigger to forward to 113 for replies.
Figure 3.37 Port triggering.
Port triggering is mainly used for apps that send and receive on different ports. If you are using something like your Web browser, it is not an issue. But if you are using an IRC client or work with certain gaming servers, you may need to set this up on the SOHO router. In addition, port triggers work dynamically so that even if you have multiple PCs obtaining dynamic IPs through the router, port triggering will still work for them. Port triggering is not needed on software-based firewalls because the software interacts directly with the OS, therefore it knows what ports to keep open for applications that have varying inbound and outbound ports. Conversely, the hardware-based firewalls do not talk directly to your OS, so they don’t really know if there is going to be a difference in port numbers for the request and the reply.
You can set up Quality of Service (QoS) to allow certain devices to get higher priority (and therefore faster access) to the Internet. This is shown in Figure 3.38. You can also set the QoS by the physical port.
Figure 3.38 Quality of Service.
Try configuring on your router now for the following:
Install and test ZoneAlarm.
Go to http://www.zonelabs.com.
Click Download and Buy on the left side of the screen.
On the top of the screen, click ZoneAlarm.
Click the Free download link.
Click Download Free ZoneAlarm.
Click Save in the pop-up window that appears and save the program in your Downloads folder. The program is about 6.5MB, so the download shouldn't take long.
When the download is complete, click Run (or Open) to install it.
Go through the installation process, entering your e-mail address when prompted. Note that you don't really need the updates.
When the installation is finished, answer the user survey questions (see Figure 3.39). Then click Finish.
A pop-up window will tell you that the installation is complete. Click Yes to start ZoneAlarm.
In the Zone Labs Security Options window, select the standard ZoneAlarm and click Next.
In the next window, click Finish.
Click Finish again in the next window unless you want to go through the tutorial.
Click Done in the Completion window.
Finally, Click OK to restart the computer.
When the tutorial comes back up, just exit out. You can read that at a later time if you wish. You should now be in the ZoneAlarm Overview screen.
Go to PC2.
Open the command prompt.
Type ping pc1. It shouldn't work. Instead of getting replies, you should get an "Unknown Host PC1" message.
Try browsing to the system. Again, you won't be able to get in.
Return to PC1.
Notice the ZoneAlarm icon in the system tray. Right-click it and choose Shutdown ZoneAlarm, as shown in Figure 3.40.
Click Yes in the pop-up window that appears.
Return to PC2 and try pinging PC1 again. You should get replies because the firewall is off. Leave ZoneAlarm off for now. If you need it in the future, you can click the Start button, choose Programs, select Zone Labs, and choose Zone Labs Security to turn it back on. There you have it. ZoneAlarm, free, and it works. It's not the most comprehensive firewall out there, but if you are on a strict budget, it'll do the job. It also may help out if you have a four-port firewall like our Linksys and want a little added security on the local computer, but don't want the added cost or the extra burden on resources like other firewalls may trigger.
Configure ports to your best advantage. Whenever a computer starts a service, it opens a port on the network connection that corresponds to that particular service. The more services that are running, the more ports that are openergo more security risks! Your Windows 2000 Professional machine is probably pretty safe because it is not meant to serve data, but rather access other computers' data. Your Windows 2000 Server, however, is just that: a server. It runs lots of services. The first line of defense for a good network administrator is to shut down any unnecessary services.
Go to PC1 (Windows 2000 Professional).
Open the command prompt, type netstat an, and press Enter. You should see a list of service ports that are open, but it will be pretty limited.
Go to PC2 (Windows 2000 Server).
Open the command prompt, type netstat an, and press Enter. You should see a much larger list of service ports that are open; it should look something like Figure 3.41, although the list goes well beyond what's shown in the figure. Windows 2000 Server is chock full of open ports! Security is an issue.
Notice that ports 25 (SMTP), 80 (HTTP), and 443 (HTTPS/SSL) are open. You are not using a mail server or a Web server so these services can be shut off. You may ask, "Why were they open in the first place?" This is because Microsoft sets IIS to run by default upon installation of Windows 2000 Server. When IIS runs, it starts the HTTP, SMTP, and HTTPS services. Although HTTPS is great for securing Web transmissions, it uses a port nonetheless, so it creates a separate security concern. Let's turn all three of those off now.
Right-click My Computer and select Manage to open the Computer Management window.
Click the Services and Applications entry in the left pane and then click the Services underneath.
Select the Simple Mail Transport Protocol entry in the right pane.
To stop the service, click the Stop button in the window's toolbar. This is circled in Figure 3.42. Alternatively, right-click the service and choose Stop from the menu that appears.
- If you look at the service again, you will notice that its startup type is Automatic. That means when you restart the computer, the service will begin again! To change this to manual (thereby disabling it), double-click the SMTP service.
In the SMTP Properties dialog box, change the Startup type setting to Manual, as shown in Figure 3.43. Now you don't have to worry about the service starting back up next time you restart the server.
Repeat the process of stopping the service and setting it to manual for the following services:
World Wide Web Publishing service
IIS Admin service
Run netstat an again. Ports 25, 80, and 443 should not come up. Great work! That is how you turn off services. This is very important. You should not rely on a firewall only. That is linear thinking. You must think three-dimensionally. Inside the network, outside the network, remote connections, intranets, and extranets must all be properly secured.
You learned how to check your local open service ports with netstat an, and how to check your firewall's ports with http://www.grc.com's Shields Up. Now it's time to take it to the next level. What you need is a real port scanner. For this exercise you will use Advanced Administrative Tools to scan the server's ports.
Go to PC1.
Turn the ZoneAlarm firewall on. If you cannot access the Internet, restart the computer. If you still cannot, uninstall the ZoneAlarm program and restart the computer. If your computer reacts very slowly with ZoneAlarm running, uninstall it.
Download and install an evaluation copy of WinZip if you have not already done so. You can get one from Download.com or from the following link: http://www.davidprowse.com/downloads/techtools/winzip70.exe.
Download the AAtools program to your Downloads folder. You can get it from here: http://mirror1.glocksoft.com/aatools.zip.
When the download is finished, click Open (or Run, depending on your OS). This will launch WinZip. Agree to the license for WinZip so that you can see the AAtools files.
Double-click aatools_setup.exe. The installation will begin; it is extremely simple. Just click Next until you get to the last screen. Then click the check box to launch the program and click Finish. Click Close for the Live Update. The application should come up on your screen and look like Figure 3.44.
Click the Port Scanner option button and click Start. The AAtools Port Scanner opens.
In the Hosts to scan field, type 192.168.1.200.
In the Port set field, click the drop-down menu and select Everything.
Click the Start button (it’s the green arrow toward the top of the window) to start the scan. (See Figure 3.45.) If you get a message from ZoneAlarm, just click Allow to let the Port Scanner program do its scan.
The first thing the application will do is ping the server. It sends ICMP echoes to verify that the IP address is valid. If it gets replies, it then scans all 65,536 ports. This may take a while, but after you get some results, you can click the red stop sign to abort the scan and view your results.
Notice that the program finds all open ports, but also gives you a description of them, as well as descriptions of possible attacks to those ports. This is the proper type of scanning program to use and you are using it in the proper way. When checking security vulnerabilities on a server, you want to scan it from another computer on the same LAN, and on the same IP network.
Notice that ports 1701 and 1723 are open. These are for L2TP and PPTP respectively. That is because you ran a VPN server previously. It secured your remote network connection by encrypting the data, either with PPTP or with IPSec (in the case of L2TP). Although this is an excellent way to protect your session to a VPN server, it does open up your VPN server to attack. Do you need that VPN server anymore? Not right now, so let's close those ports as well.
Go to PC2.
Access your RRAS console.
Right-click the server name PC2 and choose Disable Routing and Remote Access. When you do this, you should see a downward-pointing red arrow, indicating that the service is off.
Return to PC1.
Scan PC2 once again. Let the port scanner run for a while. (If you are wondering how to remove the data from the previous scan, just click one of the entries, press Ctrl+A to select all the entries, and press Del.
Let the scan run until you see that it has scanned past port 2000. You can watch this in real time at the very bottom of the window. Then stop the scan.
Look for 1701 and 1723. They should not be there since you stopped the service.
Close all windows. Great work.
Create an IP proxy. The type of IP proxy you will create will be based on Internet Connection Sharing (ICS). The whole idea of ICS is that you can use your computer to share the Internet connection instead of a four-port SOHO router like the Linksys you are using. You need two network connections on the computer, though. Luckily you have them! You have the LAN card and the Wireless LAN card. The basic premise here is to share the card that connects directly to the Internet. Then, connect the second card to a simple hub that offers connectivity for the rest of your systems. Sharing a card is a lot like sharing a folder or printer. It's just another resource.
Go to PC1.
Right-click My Network Places and select Properties.
Enable your wireless card (if it isn't already) by right-clicking it and selecting Enable. Tell ZoneAlarm to allow this setting.
Right-click the LAN card and select Properties.
In the Properties dialog box, you should notice a Sharing tab. This is not normally there, because most computers only have one NIC. Click the Sharing tab; it should look like Figure 3.46.
Click the Enable Internet Connection Sharing check box to select it.
Click OK. A pop-up window tells you that your IP will now be changed to 192.168.0.1. Click Yes. Other computers on the network will now look to this system for their dynamic IP addresses, which, through ICS, your computer is now ready to offer.
Open the command prompt and run an ipconfig/all command. Note that it is actually the wireless card that was changed to 192.168.0.1. That is because your LAN card would now connect directly to the Internet, and because of that would need to get a public IP address. The other card (wireless) is automatically changed over because it will be on your private network. All other machines will be given numbers like 192.168.0.2, 192.168.0.3, and so on. Those IPs will come directly from your little old Windows 2000 Professional! This is the power of ICS. It is illustrated in Figure 3.47.
Figure 3.39 ZoneAlarm user survey.
Figure 3.40 Shutting down ZoneAlarm.
Figure 3.41 Windows 2000 Server open ports.
Figure 3.42 Shutting off the SMTP service.
Figure 3.43 Setting the SMTP service to manual.
Figure 3.44 The main Advanced Administrative Tools screen.
Figure 3.45 The Port Scanner window.
Figure 3.46 The Sharing tab of your NIC Properties dialog box.
Figure 3.47 An illustration of ICS.
What you created is known as an IP proxy. A proxy is a go-between, a mediator of sorts. It allows all the computers on the LAN to access another network, usually the Internet. This way, many computers with many private IP addresses can access the Internet with just one WAN public IP address being displayed. To do this, the IP proxy must translate between the two NICs on the two different networks. It does this with Network Address Translation (NAT). Your SOHO router is an IP proxy because it displays only one address to the Internet, yet you can have many computers connected through that pipe.
VLANs are the way of the present and the future. Short for virtual local area networks, VLANs can limit broadcasts and collisions, increase security, organize your network, and bring up performance. It is an alternative way of connecting or segmenting your network without the need for routers.
A scenario that could use VLANs would be the following: A school with three computer classrooms (20 computers each) and 10 computers for the office staff scattered around the building plus a library. You really wouldn’t want the students from each classroom to be able to see each other, nor would you want any of the students to have access to the office network. The library should be kept separate as well. You could do this by creating VLANs.
The foundation of the VLAN rests on one device. It might be a switch, a Cisco PIX, a multi-homed server, or other device. Regardless of what you use, this device must have multiple network connections—in this scenario, five. What you could do is install a VLAN-ready switch and assign a different network number to each port. For example, port 1 would be 192.168.1.0, port 2 would be 192.168.2.0, and so on.
Then you connect a separate hub (or switch) to each of those ports. This will create a hierarchical star topology. Cables must be connected to their corresponding hub and room. For instance, the cable connections coming from classroom 1 will connect to the classroom 1 hub, which will then be connected to the 192.168.1.0 port on the VLAN switch. You get the idea.
In this way you can have total separation of your network without the use of a router! The ultimate beauty of this is that there may be staff connections all over the building that all lead to the same section of the VLAN. For example, admins have connections in a technical room, instructors need connections from every classroom, and other staff may be scattered around the office. The cables that come into the server room for each of these staff connections can be connected to the staff hub, which in turn connects to the staff port on the VLAN switch. This is known as a port-based VLAN and is illustrated further in Figure 3.48. Keep in mind that you can assign a VLAN to any port on the VLAN switch, but you should plan it first and make it organized!
Figure 3.48 A port-based VLAN.
There are three main types of VLANs:
Protocol-based VLANs. In this case, you would have a different protocol running on the various computers and/or ports that you wanted to separate. It could be that you have a server with two NICs, each of which runs a different protocol.
Port-based VLANs. These are as explained previously, and are the most common. If a computer needs to be moved to another area of the office, then you would have to re-patch that system in the server room to keep it on the same VLAN. This is not that time consuming and is the default option for most administrators.
MAC address–based VLANs. In this case, a switch will keep track of all the MAC addresses on the entire network and you would have to specify which belonged to each portion of the VLAN. This is time consuming but a benefit is that a computer can be moved anywhere in the office without requiring anything to be reconfigured and the system will still be on the same VLAN.
Intranets and Extranets
Intranets are networks that are privately owned by an organization or corporation. They use all the inherent technologies and offer all the inherent capabilities of the Internet, but are restricted to employee use. For example, you may have a set of Web servers in your company’s office that are accessed by the URL http://myintranet.mycompany.com or perhaps just http://myintranet, but only employees will be allowed to get in. Usually there will be a firewall used to deny access to unwanted visitors. However, the website will look the same, mail functions will work the same as normal, and so on. As I mentioned, it looks like the Internet but it is private. The intranet is normally kept "behind" the firewall, meaning that it is not really an external presence on the Web, but rather an internal presence for your company.
Extranets are also networks that are privately owned and use all of the inherent technologies of the Internet. Unlike intranets, however, extranets are opened up to some extent to outsiders. These outsiders could be members of the company, worldwide employees, or sometimes even other companies that you do business with. Extranets go beyond the firewall in your company. Because of this, you will most likely need a user name and password to get into these websites and extranet resources. In some respects, your login to your bank or credit union could be considered an entryway to that company’s extranet, but normally an extranet is associated with employees of a company or sister company.
One of the big ideas behind intranets and extranets is that they enable users to connect using technologies they know and love—primarily, the Web browser. Everything is going Web browser–based because everyone has one, and almost everyone knows how to use one. You don’t even need to be on your regular computer. This, of course, opens security concerns, but the pros have so far outweighed the cons.
What Did I Just Learn?
In this power-packed lab you learned how to install a free firewall, how to work with some advanced functions of a SOHO firewall, how to scan ports, and how to create an IP proxy. In particular, you learned how to do the following:
Install the ZoneAlarm firewall.
Create an ICS device.
Scan with netstat –an and Advanced Administrative Tools.
Shut down services, including IIS, VPN, SMTP, and HTTP://WWW.
Configure application forwarding and port triggering.
Prepare for the Network+ subdomains 3.5–3.9.