23 VPN and Extranet

The VPN Consortium defines three types of VPNs:

■ Trusted

A trusted VPN is one in which the service provider assures that no one else will be using the same circuit. Its own security team ensures that your network is not available to other people.

• ■ Secure

In a secure VPN, the data is encrypted and authenticated at each end. A secure trusted VPN can provide a higher level of assurance that data will reach the other end without being subject to snooping and tampering.

• ■ Hybrid

A hybrid VPN is both trusted and secure.

Snooping:

• Any person is accessing someone else’s data or data belonging to company in an unauthorized way, it is called snooping.
• Snooping includes observing someone’s computer screen when E-mail appears on that screen or inspecting what someone is typing.
• Snooping involves software programs that can monitor activity remotely either on a computer or network device.

Extranet:

Extranet can be created in two ways.

• An external website that requires some form of authentication.
• Create an external application server running Terminal Services (or similar software).

Fundamentals of Secure Network Design:

• To secure both the gateways into the extranet and the boundary between the extranet and the internal network.

Dual homed host:

• A dual-homed host is a term used to reference a type of firewall that uses two (or more) network interfaces.
• One connection is an internal network and the second connection is to the internet.
• A dual-homed host works as a simple firewall provided there is no direct IP traffic between the Internet and the inside network.

• A dual-homed host is a system that has at least two network interfaces.
• Expose the external interface directly to the external network.
• The external network could be the Internet, or it could be attached to any two networks with differing levels of trust.
• The host is hardened at system level to make it more resistant to intruders.
• The external interface may or may not be screened with a packet-filtering router or firewall.
• Systems that expose a VPN are typically dual-homed hosts by necessity.
• The dual-homed host exposes services by running those services directly, or by proxying the services, or by allowing users to log directly into the dual-homed host.
• If compromised, all servers in the extranet are now exposed directly to the external net-work.

Solution..

• severely restrict the services made available by it .
• – Do not allow users to log directly on to the dual-homed host .
• – System aggressively locked down in kiosk mode can sometimes be used to explore the internal network, and sometimes intruders can break the kiosk mode
• – Allow external users to log on remotely—external users do not require to install special software in most cases.
• When dealing with Internet-exposed systems or any system dual-homed between networks of differing trust levels – assume that the external system will be compromised at some point in the future.
• – Monitor the activity
• – Be ready for rebuilding
• – Hardened any system connected to DHH.

The dual-homed host:

• Acts as a Proxy for internal network users and / or external network users
• If acting as a router, it has packet filtering capabilities.

Drawback: All permissible communication is done through the bastion host. This introduces degradation in performance.

Screened Host:

• A screened host sits behind a firewall that exposes only that system to the external network.

Advantage :

The firewall might be able to provide more protection to the system than the system’s own network filters could.

Disadvantage :

The firewall can be configured (possibly intentionally) to allow access to other systems in the extranet to and from the external network.If the service that the screened host provides to the external network can be compromised , the attacker has access to the other extranet hosts.

Advantage of having firewall:

• Alert on unusual activity
• Impose restrictions on outbound traffic as much as possible.
• The damage is limited and the attacker’s work is at least slowed down, If an attacker has compromised a host behind a firewall but is unable to either upload new tools or to make the compromised host download new tools from the outside.

The packet filter:

• Filters IP traffic and permits only allowable traffic to pass between the screened host and the Internet.
• No direct traffic flow is allowed between internal hosts and the Internet.

• Screened subnet is variation of the dual-homed gateway and screened host firewall.
• Incorporates two firewalls – one firewall between externally exposed systems and the extranet hosts, and another firewall between the extranet hosts and the internal network.A perimeter network is formed between two packet filters  Compromising of the bastion host does not allow sniffing of internal communication because there is inner packet filter which gives extra protection. A publicly accessible server such as www-server can be hosted in the perimeter network. Where firewall should be placed?

Option 1 Bastion host

• The bastion host toplogy is well suited for relatively simple networks and for those that don’t offer any public Internet services.
• This is the only boundary. If anyone breaks the boundary, the protected network gets clear access to the protected network can be gained.
• Enough if firewall is used for filtering traffic of internet in corporate network. For hosting a Web site or deployment of e-mail server, this protection is not sufficient.

Option 2 Screened subnet

• The screened subnet ensures that organizations will offer services securely to all users of internet.
• Servers hosting public services got placed in the Demilitarized Zone(DMZ), which has boundary on both sides provided by firewall, one side the Internet and the other side trusted network.Split screened Subnets
• With a split screened subnet, the extranet hosts are dual-homed—A front-end network segment is usually very restricted, and A back-end segment is less restricted and can be used to administer the systems. The limits of the network created by bastion host with dual home forms two separate networks. This guards in depth:
• Proxy services can interpret application protocols, so dual-homed bastion host improves control on the communication links.
• There is an outer packet filter that provides protection to the bastion host from hosts on external network.
• There is an inner packet filter that provides protection to the bastion host from hosts in internal network.

Penetration Testing an Extranet

• Check how your extranet is configured.
• Test the packet filtering rules to see extra ports left open…
• Use ports scanning
• – Check the changes in what is being accessed by changing the source port
• – Look for open ports

Port scanning

• Port numbers use 16 bits and range from 0 to 65535.
• Port numbers below 1024 are reserved ports.
• All others are high or registered ports
• OS will give a port number from 1024 through 5000 when user asks for a port
• Port numbers above 5000 is infrequently used.
• netstat –a shows the state of all sockets
• netstat –n shows network addresses as numbers

Checkpoints:

• Failure to use least privilege
• Inadequate separation of different levels of asset
• High-level internal users on extranet systems
• High-level extranet accounts being used on systems you don’t control
• High-level accounts logging on to different segments of the extranet
• Systems dual-homed between the extranet and the internal network
• Lack of intrusion detection systems

Exploring the internal network

• ipconfig /all

nslookup:

• nslookup is a command line tool available to network administrator. This command is used for querying the Domain Name System(DNS) so that domain name or IP address is obtained.

ping:

• The command : for /l %d in (1,1,254) do ping –a –n 1 192.168.21.%d -a Resolve addresses to hostnames -n count Number of echo requests to send.
• C:\Users\laptop>ping -a -n 1 192.168.21.6Pinging 192.168.21.6 with 32 bytes of data: Reply from 192.168.22.1: Destination host unreachable.
• Ping statistics for 192.168.21.6: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),C:\Users\laptop>ping -a -n 1 192.168.21.7
• Pinging 192.168.21.7 with 32 bytes of data: Reply from 192.168.22.1: Destination host unreachable.
• Ping statistics for 192.168.21.7:Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

Take the inventory of the subnet:

——————————————————————————

ExtAdmin Domain Admins What users are in the Domain admins group?

• C:\>net group “domain admins” /domain The request will be processed at a domain controller for domain extranet.example.com Group name   Domain Admins  Comment  Designated administrators of the domain Members

• Net use command connects / disconnects the computer from a shared resource, or allow to view the information about current computer connections. This command also controls persistent network connections.
• Use net use command without any parameters to retrieve a list of network current connections. C:\>for /f %d in (passwords.txt) do net use \\127.0.0.1 /user:EXTRANET-TS1 \ExtAdmin %d Look for a share
• C:\>net view \\extranet-web1Shared resources at \\extranet-web1 Share name Type Used as Comment WebRoot   Disk The command completed successfully

you can view video on VPN and Extranet

Suggested Reading:

1. Cryptography and Network Security Principles and Practice by William Stallings, sixth Edition, PEARSON.
2. Security in Computing by Charles Pfleeger & Shari Lawrence Pfleeger, fourth Edition, PEARSON.
3. Network Security by Charlie Kaufman, Radia Perlman, Mike Speciner, second Edition, PHI.
4. The Complete Reference – Network Security by Roberta Bragg, Mark Rhodes-Ousley & Keith Strassberg, Tata McGraw Hill
5. Network Security Bible by Eric Cole, Ronald Krutz, James Conley, Wiley
6. Hacking 6 Exposed by Stuart McClure, Joel Scambray & George Kurtz , Tata McGraw Hill .
7. www.snort.org
8. https://nmap.org