Assignment-04-Solutions

SYSC 4810 — Module 4 Assignment Due Date: November 14, 2021 Part I Assignment Challenge 1 Introduction Imagine that you are a new network security administrator at a large technology firm firm called GlobalTech Solutions . Your direct supervisor has just assigned you to investigate firewall solutions for protecting the routers and internal networks and servers residing on premise at GlobalTech Solutions . You are responsible for making recommendations to address the needs of GlobalTech Solutions and the concerns of your supervisor by conducting some experiments and documenting your findings. The details of the assignment including your supervisor’s expectations are provided in the sections below. The different parts of this assignment are designed to guide your investigation to address the needs of GlobalTech Solutions and the concerns of your supervisor. At the end of the assignment, you will be required to summarize your findings and provide recommendations in a report to your supervisor addressing their concerns. 2 Context Your supervisor has sent you the following email explaining their needs and concerns: Hello, Welcome to the team! As you are aware, GlobalTech Solutions develops a wide range of technology solutions and services for clients worldwide. GlobalTech Solutions prides itself on providing high-quality solutions delivered on-time and on-budget. We have recently conducted an internal security audit that suggests we could improve our network security posture. One of the suggestions from the audit is to investigate firewall solutions to block potentially problematic applications and protocols (e.g., telnet). We also need a significant effort to explore solutions that can help to protect our routers and internal networks and servers. I am concerned that if we do not have a suitable solution, we will be susceptible to attacks (which have been on the rise). This could be a significant issue for our systems and data environments. Naturally, we want to avoid these issues and GlobalTech Solutions has pledged to invest in improved network security for the organization if we present a suitable proposal. For your first assignment, we need you to investigate firewall solutions to enhance the network security of GlobalTech Solutions. Talking with some other members of the team, our initial thought is to set up a packet filtering firewall or a stateful inspection firewall using iptables or a loadable kernel module, but we need to investigate these ideas further (I am not too familiar with all of this). It is essential that the firewall is configured correctly, so any rules will have to be checked to ensure they block only what is expected; no more, no less. I also want to know if there are possible ways to limit network traffic if we suspect something fishy is going on. I expect a report documenting your experiments and a summary of your findings so that I can bring it forward to upper-management to secure their investment in this project. Good luck, JJ Page 3 of 24

SYSC 4810 — Module 4 Assignment Due Date: November 14, 2021 All the containers will be running in the background. To run commands on a container, we need to get a shell on that container. We first need to use the docker ps command to find out the ID of the container, and then use docker exec to start a shell on that container. Aliases have been created for them in the .bashrc file in the provided VM image. $ dockps // Alias for: docker ps --format "{{.ID}} {{.Names}}" $ docksh <id> // Alias for: docker exec -it <id> /bin/bash // The following example shows how to get a shell inside hostC $ dockps b1004832e275 hostA-10.9.0.5 0af4ea7a3e2e hostB-10.9.0.6 9652715c8e0a hostC-10.9.0.7 $ docksh 96 root@9652715c8e0a:/# // Note: If a docker command requires a container ID, you do not need to // type the entire ID string. Typing the first few characters will // be sufficient, as long as they are unique among all the containers. If you encounter problems when setting up the environment, please read the “Common Problems” section of the DOCKER MANUAL for potential solutions. 2 User Accounts As a reminder, the virtual machine has two user accounts. The usernames and passwords are listed below: 1. User ID: root , Password: seedubuntu . • Ubuntu does not allow root to login directly from the login window. You have to login as a normal user, and then use the command su to login to the root account. 2. User ID: seed , Password: dees . • This account is already given the root privilege, but to use the privilege, you need to use the sudo command. *Important Note* It is essential that you set up the virtual machine environments as early as possible to ensure that you have time to address any technical difficulties that you may face. The instructor and the TA will not be able to provide adequate technical support close to the assignment due date. Page 6 of 24

SYSC 4810 — Module 4 Assignment Due Date: November 14, 2021 3.1 Loadable Kernel Modules LKM allows us to add a new module to the kernel at the runtime. This new module enables us to extend the functionalities of the kernel, without rebuilding the kernel or even rebooting the computer. The packet filtering part of a firewall can be implemented as an LKM . The following is a simple loadable kernel module. It prints out “ Hello World! ” when the module is loaded; when the module is removed from the kernel, it prints out “ Bye-bye World! ”. The messages are not printed out on the screen; they are actually printed into the /var/log/syslog file. You can use dmesg | tail -10 to read the last 10 lines of the message. #include <linux/module.h> #include <linux/kernel.h> int initialization( void ) { printk(KERN_INFO "Hello World!\n" ); return 0; } void cleanup( void ) { printk(KERN_INFO "Bye-bye World!.\n" ); } module_init(initialization); module_exit(cleanup); We now need to create a Makefile , which includes the following contents (the above program is named hello.c ). Then just type make , and the above program will be compiled into a loadable kernel module called hello.ko . obj-m += hello.o all: make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules clean: make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean Once the module is built by typing make , you can use the following commands to load the module, list all modules, remove the module, and show information about the module: $ sudo insmod mymod.ko // insert the module $ lsmod // list all modules $ sudo rmmod mymod.ko // remove the module $ modinfo mymod.ko // show information about the module 3.2 Netfilter Netfilter is designed to facilitate the manipulation of packets by authorized users. It achieves this goal by implementing a number of hooks in the Linux kernel. These hooks are inserted into various places, including the packet incoming and outgoing paths. If we want to manipulate the incoming packets, we simply need to connect our own programs (within LKM ) to the corresponding hooks. Once an incoming packet arrives, our program will be invoked. Our program can decide whether this packet should be blocked or not; moreover, we can also modify the packets in the program. Page 9 of 24

SYSC 4810 — Module 4 Assignment Due Date: November 14, 2021 If you need to get the headers for other protocols, you can use the following functions defined in various header files. The structure definition of these headers can be found inside the following folder: /lib/modules/5.4.0-54-generic/build/include/uapi/linux where the version number in the path is the resultof uname -r , so it may be different if the kernel version is different. struct iphdr *iph = ip_hdr(skb) // (need to include <linux/ip.h>) struct tcphdr *tcph = tcp_hdr(skb) // (need to include <linux/tcp.h>) struct udphdr *udph = udp_hdr(skb) // (need to include <linux/udp.h>) struct icmphdr *icmph = icmp_hdr(skb) // (need to include <linux/icmp.h>) 3.2.4 Blocking Packets We also provide a hook function example to show how to block a packet, if it satisfies the specified condition. The following example blocks the UDP packets if their destination IP is 8.8.8.8 and the destination port is 53 . This means blocking the DNS query to the nameserver 8.8.8.8 . In the code below, LINE 1 shows, inside the kernel, how to convert an IP address in the dotted decimal format (i.e., a string, such as 1.2.3.4 ) to a 32-bit binary ( 0x01020304 ), so it can be compared with the binary number stored inside packets. LINE 2 compares the destination IP address and port number with the values in our specified rule. If they match the rule, the NF_DROP ( LINE 3 ) will be returned to Netfilter , which will drop the packet. Otherwise, the NF_ACCEPT will be returned ( LINE 4 ), and Netfilter will let the packet continue its journey ( NF_ACCEPT only means that the packet is accepted by this hook function; it may still be dropped by other hook functions). unsigned int blockUDP( void *priv, struct sk_buff *skb, const struct nf_hook_state *state) { struct iphdr *iph; struct udphdr *udph; u32 ip_addr; char ip[16] = "8.8.8.8" ; // Convert the IPv4 address from dotted decimal to a 32-bit number in4_pton(ip, -1, (u8 *)&ip_addr, ’\0’ , NULL); // LINE 1 iph = ip_hdr(skb); if (iph->protocol == IPPROTO_UDP) { udph = udp_hdr(skb); if (iph->daddr == ip_addr && ntohs(udph->dest) == 53){ // LINE 2 printk(KERN_DEBUG "****Dropping %pI4 (UDP), port %d\n" , &(iph->daddr), port); return NF_DROP; // LINE 3 } } return NF_ACCEPT; // LINE 4 } 3.3 iptables The iptables firewall is designed not only to filter packets, but also to make changes to packets. To help manage these firewall rules for different purposes, iptables organizes all rules using a hierarchical structure: table, chain, and rules. There are several tables, each specifying the main purpose of the rules as shown in Table 1 . For example, rules for packet filtering should be placed in the filter table, while rules for making changes to packets should be placed in the nat or mangle tables. Page 12 of 24

SYSC 4810 — Module 4 Assignment Due Date: November 14, 2021 4 Problems and Tasks Problem 1 [20 points] Implementing a Simple Firewall: In this problem, you need to use LKM and Netfilter to implement a simple packet filtering type of firewall, which inspects each incoming and outgoing packet, and enforces the firewall policies set by the administrator. This module will fetch the firewall policies from a data structure, and use the policies to decide whether packets should be blocked or not. Details of using LKM and Netfilter were provided in Section 3.1 and Section 3.2 . The complete Netfiler sample code is included in the assignment resources on Brightspace in a file called filter.c in the Setup/code/packet_filter directory. An accompanying Makefile is also provided. (a) [5 points] Compile the sample code using the provided Makefile . Load it into the kernel, and demonstrate that the firewall is working as expected. You can use the following command to generate UDP packets to 8.8.8.8 , which is Google’s DNS server. dig @8.8.8.8 www.example.com If your firewall works, your request will be blocked; otherwise, you will get a response. Do not forget to explain how you compile the developed kernel module, including your Makefile, and how the compiled kernel module is inserted it into the Linux kernel. HINT : Use dmesg | tail -10 to read the last 10 lines of the messages that are printed. Solution: Award 1 point for an adequate description of how the kernel module was compiled using a Makefile. Award 1 point for an adequate description of how the kernel module was loaded in to the Linux kernel. Award 3 points for demonstrating that the packet filter is working as expected with appropriate screenshots. Students should provide screenshots demonstrating that the packet filter has been compiled and loaded and works as expected by showing outputs from the /var/log/syslog file using dmesg | tail -10 . (b) [15 points] Implement two hooks in filter.c to achieve the following: 1. Preventing other computers to ping the VM (i.e., block ICMP packets) 2. Preventing other computers to telnet into the VM (i.e., block TCP packets) Please implement two different hook functions, but register them to the same Netfilter hook. You should decide what hook to use (see Section 3.2.1 ). The default port for telnet is TCP port 23 . To test it, you can start the containers, go to 10.9.0.5 , and run the following commands ( 10.9.0.1 is the IP address assigned to the VM; for the sake of simplicity, you can hardcode this IP address in your firewall rules): ping 10.9.0.1 telnet 10.9.0.1 You should also demonstrate that traffic to other IP address is not affected. Solution: For each hook function: Award 1 point for registering the hook; award 1 point for unregistering the hook; and award 3 points for a blockICMP / blockTCP with an appropriate rule (5 points per hook function; 10 points total). Award 3 points for demonstrating that the packet filter is working as expected with appropriate screenshots using ping 10.9.0.1 and telnet 10.9.0.1 . Award 2 points demonstrating that the packet filter is working as expected with appropriate screenshots using ping and telnet with other IP addresses. Students should modify the provided filter.c included in the Setup files. The added code is very similar to the provided sample code. The two new hooks are added to the same LOCAL_IN hooks, so they will both be invoked when a packet comes into the machine. Page 15 of 24

SYSC 4810 — Module 4 Assignment Due Date: November 14, 2021 Another way to restore the states of all the tables is to restart the container. You can do it using the following command (you need to find the container’s ID first): $ docker restart <Container ID> Problem 3 [10 points] Protecting the Internal Network: In this problem, you need to set up firewall rules on the router to protect the internal network 192.168.60.0/24 . You can use the FORWARD chain for this purpose. The directions of packets in the INPUT and OUTPUT chains are clear: packets are either coming into (for INPUT ) or going out (for OUTPUT ). This is not true for the FORWARD chain, because it is bi-directional: packets going into the internal network or going out to the external network all go through this chain. To specify the direction, we can add the interface options using -i xyz (coming in from the xyz interface) and/or -o xyz (going out from the xyz interface). The interfaces for the internal and external networks are different. You can find out the interface names via the ip addr command (you should do this on the router). In this problem, you want to implement a firewall to protect the internal network. More specifically, we need to enforce the following restrictions on the ICMP traffic: 1. External hosts cannot ping internal hosts. 2. External hosts can ping the router. 3. Internal hosts can ping external hosts. 4. All other packets between the internal and external networks should be blocked. You will need to use the -p icmp option to specify the match options related to the ICMP protocol. You can run iptables -p icmp -h to find out all the ICMP match options. The following example drops the ICMP echo request. iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP In your assignment report, please include your rules and screenshots to demonstrate that your firewall works as expected. When you are done with this problem, please remember to clean the table or restart the container before moving on to the next problem. Solution: Award 1 point for each firewall rule to achieve the desired behaviour (4 points total). Award 6 points for demonstrating that the firewall is working as expected with appropriate screenshots. Students should have sufficient information to demonstrate each rule is working as expected. The following rules assume a setup where eth0 is the interface connecting to the external network and eth1 is the interface connecting to the internal network. Students need to double-check this in their own setup. iptables -A FORWARD -i eth0 -p icmp --icmp-type echo-request -j DROP iptables -A FORWARD -i eth1 -p icmp --icmp-type echo-request -j ACCEPT iptables -A FORWARD -p icmp --icmp-type echo-reply -j ACCEPT iptables -P FORWARD DROP Since we add these rules to the FORWARD chain, only the packets passing through the router will be affected. Packets going inside the router or those created by the router will not be affected. Students should provide screenshots demonstrating that the firewall works as expected. Before setting these rules, students should be able to ping the router and internal hosts from 10.9.0.5 . After setting the rules, students should still be able to ping the router, but not the internal hosts. From the internal hosts, students should be able to ping 10.9.0.5 . Page 18 of 24

SYSC 4810 — Module 4 Assignment Due Date: November 14, 2021 Solution: Award 1 point for describing the commands used to conduct the experiment. Award 3 points for describing the observations and indicating the time the TCP connection state is to be kept. Students are expected to describe their experiment and explain the output of the connection track entry. The explanations should follow similarly to what is provided in Section 3.4 . Students may have different responses depending on the output of the connection tracking entry. Problem 6 [10 points] Setting Up a Stateful Firewall: Now you are ready to set up firewall rules based on connections. In the following example, the -m conntrack option indicates that we are using the conntrack module, which is a very important module for iptables ; it tracks connections, and iptables replies on the tracking information to build stateful firewalls. The –ctsate ESTABLISHED,RELATED indicates whether a packet belongs to an ESTABLISHED or RELATED connection. The rule allows TCP packets belonging to an existing connection to pass through. iptables -A FORWARD -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT The rule above does not cover the SYN packets, which do not belong to any established connection. Without it, you will not be able to create a connection in the first place. Therefore, you need to add a rule to accept incoming SYN packet: iptables -A FORWARD -p tcp -i eth0 --dport 8080 --syn -m conntrack \ --ctstate NEW -j ACCEPT Finally, you need to set the default policy on FORWARD to drop everything. This way, if a packet is not accepted by the two rules above, they will be dropped. iptables -P FORWARD DROP Please rewrite the firewall rules in Problem 4, but this time, add a rule allowing internal hosts to visit any external server (this was not allowed in Problem 4). After you write the rules using the connection tracking mechanism, think about how to do it without using the connection tracking mechanism (you do not need to actually implement them). Based on these two sets of rules, compare these two different approaches, and explain the advantage and disadvantage of each approach. When you are done with this problem, please remember to clean the table or restart the container before moving on to the next problem. Solution: Award 1 point for each firewall rule to achieve the desired behaviour (4 points total). Award 3 points for demonstrating that the firewall is working as expected with appropriate screenshots. Students should have sufficient information to demonstrate each rule is working as expected. Award 3 points for a comparison of the two different approaches, explaining the advantages and disadvantages of each. The following rules assume a setup where eth0 is the interface connecting to the external network and eth1 is the interface connecting to the internal network. Students need to double-check this in their own setup. iptables -A FORWARD -i eth0 -d 192.168.60.5 -p tcp --dport 23 --syn -j ACCEPT iptables -A FORWARD -i eth1 -p tcp --syn -j ACCEPT iptables -A FORWARD -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -p tcp -j DROP iptables -P FORWARD ACCEPT Page 21 of 24

SYSC 4810 — Module 4 Assignment Due Date: November 14, 2021 The first rule allows the SYN packet to 192.168.60.5 ’s telnet server. The second rule allows the SYN packet from the internal network to the external network. The third rule allows all the TCP packets that belong to an existing connection. The fourth and fifth rules depend on the solution to Problem 4 and either block all other traffic from both directions or only block TCP traffic. Students should provide screenshots demonstrating that the firewall works as expected. Comparing the two sets of firewall rules (from Problem 4 and here), it seems that they are similar, but the third rule in the stateless firewall allows more traffic than the one in the stateful firewall: it allows all TCP traffic, while in the stateful firewall, only the TCP traffic that belongs to an existing connection is allowed. This is just one of the advantages. The disadvantage of the stateful firewall is the resource consumption. Maintaining state information requires more time and more memory. Students may have different responses for the advantages and disadvantages and points should be awarded for any reasonable response. Problem 7 [10 points] Limiting Network Traffic: In addition to blocking packets, you can also limit the number of packets that can pass through the firewall. This can be done using the limit module of iptables . In this problem, you will use this module to limit how many packets from 10.9.0.5 are allowed to get into the internal network. You can use iptables -m limit -h to see the manual. $ iptables -m limit -h limit match options: --limit avg max average match rate: default 3/hour [Packets per second unless followed by /sec /minute /hour /day postfixes] --limit-burst number number to match in a burst, default 5 (a) [5 points] Run the following commands on the router, and then ping 192.168.60.5 from 10.9.0.5 . Please explain how you conducted your experiment, and describe and explain your observations. iptables -A FORWARD -s 10.9.0.5 -m limit --limit 10/minute \ --limit-burst 6 -j ACCEPT iptables -A FORWARD -s 10.9.0.5 -j DROP Solution: Award 1 point for describing the experiment setup. Award 1 point for provide the results of the ping . Award 3 points for an adequate discussion of the results. Students are expected to follow the problem description and set the provided rules. Student should describe their observations. For example, from the following results, we can see that the first 6 ICMP packets all passed the firewall, and then after that, the rate is reduced to 1 in every 6 seconds, which is equivalent to 10 per minute. This can be seen in the icmp_seq . // From ping from 10.9.0.5 # ping 192.168.60.5 PING 192.168.60.5 (192.168.60.5) 56(84) bytes of data. 64 bytes from 192.168.60.5: icmp_seq=1 ttl=63 time=0.069 ms 64 bytes from 192.168.60.5: icmp_seq=2 ttl=63 time=0.058 ms 64 bytes from 192.168.60.5: icmp_seq=3 ttl=63 time=0.058 ms 64 bytes from 192.168.60.5: icmp_seq=4 ttl=63 time=0.116 ms 64 bytes from 192.168.60.5: icmp_seq=5 ttl=63 time=0.059 ms 64 bytes from 192.168.60.5: icmp_seq=6 ttl=63 time=0.061 ms Page 22 of 24

SYSC 4810 — Module 4 Assignment Due Date: November 14, 2021 64 bytes from 192.168.60.5: icmp_seq=7 ttl=63 time=0.060 ms 64 bytes from 192.168.60.5: icmp_seq=13 ttl=63 time=0.058 ms 64 bytes from 192.168.60.5: icmp_seq=19 ttl=63 time=0.064 ms 64 bytes from 192.168.60.5: icmp_seq=25 ttl=63 time=0.104 ms 64 bytes from 192.168.60.5: icmp_seq=31 ttl=63 time=0.072 ms 64 bytes from 192.168.60.5: icmp_seq=37 ttl=63 time=0.083 ms (b) [5 points] Please conduct the experiment from Part (a) without the second rule. Please explain how you conducted your experiment, and describe and explain your observations. Explain whether the second rule is needed or not, and why. Solution: Award 1 point for describing the experiment setup. Award 1 point for providing the results of the ping . Award 3 points for an adequate discussion of the results. The second rule is important. The packets not accepted by the first rule will not be dropped, they will just continue their journey. If nobody drops them, then they will eventually be accepted as well (we will notice this in the icmp_seq ). This is why we need to add the second rule to drop everything that is selected. Page 23 of 24

SYSC 4810 — Module 4 Assignment Due Date: November 14, 2021 Part IV Summary of Findings 1 Reminder: Obligations You are required to deliver the following information and outcomes to your supervisor: 1. Provide a detailed report documenting each of your experiments and findings. This is necessary to enable your supervisor to make important decisions about how best to proceed with the project proposal and to demonstrate that you have been thorough in your investigation. 2. Provide a summary of your findings including a discussion of alternative choices and potential challenges, issues and opportunties addressing each of the concerns mentioned in the email from your supervisor. Include any necessary recommendations based on your findings. 2 Problems and Tasks Problem 8 [10 points] Recommendations: Write a summary of your findings and recommendations. Write this summary as if you are going to submit it to your supervisor at GlobalTech Solutions . This means that it should be clear and concise. It should address all of the needs and concerns of your supervisor outlined in the email message and the obligations above. HINT: You may want to refer to specific observations from your experiments obtained in the rest of the problems in this assignment to justify your recommendations. Solution: Award 5 points for each suitable summary of the findings. Award 3 points for a discussion of alternative choices and potential challenges, issues and opportunties. Award 2 points for suitable recommendations. Students may have many different answers. Points should be awarded for reasonable summary of their findings that are supported by experimental results and that are justified. END OF ASSIGNMENT Page 24 of 24