Networking Basics – OSI Model

I would like to write some posts on Networking Basics. One of the first things someone should try to understand is the OSI model. It is used to reference different technologies in security and in networking, you might have heard someone saying “It’s a layer 3 issue” or “That is at layer 2” what they are referring to is the OSI model and its different layers. The OSI model has a total of 7 layers as shown below.

92938

Different protocols and networking devices work at a certain layer within the OSI model, for example, a router would be a layer 3 device while the TCP protocol is found at the transport layer which is at layer 4. The OSI model was developed so that a network device from vendor A would work with vendors B device there would be no interoperability issues as there would be if they went off and used their own protocols and rules.

Let us start of layer 7 the Application layer and work our way down the OSI model. Going down the OSI layers is known as encapsulation, each layer is encapsulated by the next layer and that layers header is added as it is passed down each layer, the opposite happens when data is being received and the data is then decapsulated as it is passed up the layers, note you can’t skip any of the layers all 7 are used.

Application Layer (7)

The application layer is made up of different applications like HTTP, DNS, SSH, FTP etc the application isn’t the browser itself it is the layer 7 protocol that is used with the browser, for example, HTTP and HTTPS.

Presentation Layer (6)

The presentation layer is used to make sure that the data that is being presented up to the application layer is in the correct format for it to be able to read the data correctly. It also handles encryption and data compression.

Session Layer (5)

The session layer keeps track of all the different sessions, think of a web server and all the clients that are accessing that resource the web server has to keep track of each session and who it belongs to.

Transport Layer (4)

The transport layer is used to transport traffic between two devices, there are two main protocols used at the transport layer TCP and UDP. TCP is the Transmission Control Protocol and is used to deliver traffic reliably if a packet is lost along the way it will be retransmitted so no parts of the packet are missing. UDP is the User Datagram Protocol and is unreliable it is used a lot with real-time applications such as Voice services or Streaming video if a packet is lost in the transmission that is ok it can be tolerated.

Network Layer (3)

The network layer is where IP addressing lives which includes IPv4 and IPv6 versions. A router is called a layer 3 device and its job is to route packets between different networks, it does this by using routing protocols such as RIP, OSPF, BGP, or you can add static routes which is fine in very small networks but in large networks it doesn’t scale well at all and this is when routing protocols are used mostly.

Data Link Layer (2)

The data link layer is used to deliver frames to the correct device on a network. Each device in an Ethernet network will have a unique MAC address and it is used to deliver frames to the correct device. A switch is a layer 2 device and is used to connect 100s of PCs, laptops, printers etc to a network and its job is to manage all those connections and deliver the traffic to the end device, it does this by building a MAC address table which maps MAC addresses to a physical port to which the end device is attached to.

Physical Layer (1)

The physical layer used to put the traffic from the upper layers onto the wire i.e cable towards its destination.

If we take an example of this process from start to finish were a client (PC) requests a webpage from a web server.

The user on the PC opens up a web browser and types in their favourite web URL in the browser such as http://www.cybersecuritylabs.net and hits enter. The web browser will use the HTTP protocol at layer 7 to request this page from the web server.
The presentation layer will make sure that the request is in the correct format.
The session layer will keep this session from the client separate from others.
At the transport layer depending on the application in use either TCP or UDP will be used. In my case, it will be TCP as you want a reliable connection between the client and the server to make sure all data is delivered correctly and nothing is missing otherwise the web page could have pieces of data missing which would make the requested webpage look odd and hard to understand. It is the application in use that tells the transport layer which protocol to use either TCP or UDP.
This is where IP packets are built. At the network layer, my IP address will be the source address of the request and the destination address will be the web servers address, to get the destination address of the website DNS is used to look up the URL http://www.cybersercuritylabs.net and from that it gets the IP address. DNS makes it easier for us humans to navigate the web, trying to remember IP addresses would be much harder than remembering web addresses.
At the data link layer, Ethernet is used in most networks today and each device in an Ethernet network has a unique MAC address. A layer 2 Frame is built here with my MAC address as the source and the servers MAC address of the destinations.
Finally, the data from the upper layers are converted to bits and placed on the wire to be delivered to its destination.

Any questions please leave a comment.

Upgraded my NGFW

Since my last blog post I’ve upgraded by Palo Alto NGFW to the latest PAN-OS release which is 9.0 I also got an evaluation license from them to test the advanced features of the firewall. The license also allows me to see all the log entries as well, which is great for troubleshooting any issues I have with the firewall when enabling the different features.

I have the firewall setup to allow traffic from the 10.1.1.0/24 network (inside-zone) to the internet (outside-zone), the 10.1.1.0 network is also NAT’d to my local LAN address of 192.168.1.0/24 otherwise traffic wouldn’t flow as the 10 network is a private address range, I know the 192.168.0.0 network is also a private address range but my home router is setup to also NAT that range to the public IP address I get from my ISP.

One of the first features I am going to add to my security policy is URL filtering. Company policy is to block all web email for example http://www.gmail.com and http://www.outlook.com

URL FILTERING

I am going to add URL Filtering to the security policy that will block web email sites I’m also going to enable Response Pages so when an end user tries to get to a web email site they will get a message saying that it’s against company policy.

I’m first going to go to http://www.gmail.com and show that I can successfully browse to that site, and as you can see below I can. I am doing this from the PC on the inside network with an IP address of 10.1.1.15.

gmail

The first thing I am going to do is enable the response page. To do that go to Device>>Response Pages.

ResponsePages

Once under Device and Response Pages click on the Application Block Page which is currently set to Disable and then tick the box to Enable Application Block Page and click on OK.

Now end users will get a page displaying the reason they were blocked from connecting to sites that I mark as blocked under URL Filtering. So lets set up some URL Filtering now. To do that go to Objects>>URL Filtering.

URLFiltering

There is a default policy already configured which I can edit but I am going to create my own one and name it No Web Email. I’ll first tick the box beside the default policy and clone it. This will create a new policy called default-1 click on it to edit it.

urlwebfiltering

Under my new policy I have named it No Web Email and then I did a search to find we-based-email, here you need to change the Site Access from allow to block and also do the same under User Credential Submission and change that to block. Click on Ok.

Now its time to update the security policy and add the URL Filtering profile I just created. So under Policies>>Security I just clicked on the security policy called ‘inside to out’.

updatesecpolicy

Click on the Action tab and under ‘Profile Setting’ select Profiles as the Profile Type and under URL Filtering select the newly created profile called No Web Email and click on ok. All I have to do now is commit the configuration changes and test to see if this works !

webemailblock

It is working, I’m unable to get to the different web based email services. You can also check this under Monitor>>URL Filtering.

urlfilteringlogs

As you can see mail.google.com has been blocked as well as outlook.com

Any questions leave a comment below.

Unable to connect to the PA GUI

Something strange happened to my VM setup on my laptop yesterday. I was unable to connect to the PA GUI all of a sudden. The VM booted up fine and I could log on via the CLI and checking the management interface I had the correct IP address which was still set to 192.168.1.222 to check this use the following command on the CLI.

#show interface management

Thinking that something became corrupt with the VM I started to check all the settings and everything checked out ok there, nothing obvious had changed. Since it was a lab environment I decided to fully remove my Palo Alto VM from VM Workstation and to start over again.

Well that didn’t help I had the same issue, VM boots fine, I can log into the CLI fine, this time I got a different IP address as by default the management interface is set to DHCP and I was given the IP address of 192.168.1.17 but when trying to connect to it via https it would timeout. mmmm what gives?

I then tried to ping it from the windows command line and got back ‘Destination Host Unreachable’, time to check the windows route table to see if the IP address was in the routing table. It wasn’t ! This is a problem.

To check the routing table on Windows use the following command from the command line.

#route PRINT -4

It will show all the IPv4 addresses in the routing table. No IP address 192.168.1.17 so I added it into the routing table using:

#route ADD 192.168.1.17 255.255.255.0 192.168.1.1

BINGO I am able to connect via the GUI again. When on the GUI I changed the management interface IP back to 192.168.1.222 and committed the change. I then added in the 192.168.1.222 address into the Windows routing table this time using the -p option which stands for Persistent so when I reboot my laptop that route will remain in the routing table!

#route ADD 192.168.1.222 255.255.255.0 192.168.1.1 -p

This is a quick fix for now and allows me to continue to use the Palo Alto NGFW in my lab setup however I’m not sure how this issue came about, it is something I will look into further.

If anybody else has come across this issue and what caused it please let me know in the comments !

NAT – Network Address Translation

With IPv4 networks NAT is fundamental for it to work without it not a whole lot of devices would be able to surf the internet. For example your broadband connection uses NAT. You are assigned a public IPv4 address from your ISP on your WAN interface of your modem which allows you to surf the internet, within your LAN (home) all the devices you have attached to your WiFi network are assigned an address most likely from the 192.168.1.0/24 range which is from the private class C subnet range. These private IP addresses are not allowed out on the public internet and if you tried to use an address from a private IP address range your ISP will have an ACL blocking its use.

The job of NAT is to translate your private IP address that has been assigned by your modem at home to your PC for example and change the IP address to its public IP address before it leaves your modem.

If we take the following example:

41381

Your PC as been given the IP address of 192.168.1.7 and you want to surf the Internet. Before you can do that NAT has to step in and change your private IP address to its public IP address using NAT or more specific PAT which is a form of NAT which stands for Port Address Translation which allows all the private IP addresses on your LAN to be translated to the single public IP address using port numbers to keep track of the different sessions from the devices in your LAN.

So NAT will translate the source IP address in the packet from 192.168.1.7 to 159.17.5.1 before sending the packet out its WAN interface towards its destination on the Internet. It will keep track of this translation in its NAT table:

192.168.1.7:80 = 159.17.5.1:8000

This mapping allows the return traffic to go back to the PC that started the session. If a second PC on the LAN went out to the internet and had an IP address of 192.168.1.10 it will also be tracked in the NAT table:

192.168.1.7:80 = 159.17.5.1:8000
192.168.1.10:80 = 159.17.5.1:8001

The second entry has a different port number assigned to it and this is how NAT/PAT keeps track of which traffic belongs to which IP address on the LAN.

Configuring NAT on the PA-NGFW

Here I will configure NAT/PAT on the NGFW to demonstrate how it is done.

NAT is configured under the Policies Tab on the left hand side panel select NAT and then click the Add button at the bottom to get started.

Step1_NAT

A new window will pop up asking for General information, give it a meaningful name and description then click the Original Packet tab.

Step2_NAT

Under Original Packet I’ve added the following:

Step3_NAT

Under Source Zone I’ve added the Internal zone, Destination Zone will be the Internet zone and I’ve selected the Destination Interface as the Interface that I configured as the Internet interface which as an IP address 192.168.1.250. Ok so 192.168.1.250 isn’t a public IP address but in my lab environment my modem is also doing NAT to a real public IP address before any traffic is sent. So for this lab I am pretending that 192.168.1.250 is a public IP address and it will translate IP address in the 10.1.1.0/24 network to 192.168.1.250 and my home modem will then translate the 192.168.1.250 again to a real public IP address. Hope that is clear enough. Ok back to the configuration under Source Address I selected the Object I created in an earlier lab called ‘Internal 10.1.1.0 subnet’. The Destination Address will be left to ‘Any’.

Next is the Translation piece so click on Translate Packet.

Step4_NAT

I have selected the Dynamic IP and Port as the translation type as I am using PAT. The Address Type is ‘Interface Address’ and I have selected the ethernet1/1 interface which is the Internet interface and the only IP address that is associated with that interface is 192.168.1.250. Next thing to do is click Ok and that is NAT/PAT configured. Don’t forget to commit the configuration for it to take affect.

To check that it is working I have started up the Windows 10 Virtual Machine I have as part of the lab. It is configured with the IP address of 10.1.1.25. I went to http://www.paloaltonetworks.com as you can see below it was successful.

windows10

This verifies a few things that I have done in the past blog posts. It verifies that traffic from the Internal zone is allowed out the Internet zone. It also verifies that the DNS, SSL protocols are allowed based on the security policy.

We can verify that NAT is working by looking at the NAT translation rule and see the hit count has increased to 985 meaning that it is working. I can’t show you this in the logs as I don’t have the license for that but will add one and show how that is done.

NAT_Working

Any questions leave a comment.

Security Policy Lab

In my last post I covered Zones, Virtual Routers and Interfaces and how they all come together to form a basic configuration. As discussed traffic from one zone going to a different zone is denied by default, traffic going to and from the same zone called intra-zone is allowed by default. In this lab I am going to allow traffic from the windows machine out onto the internet and to do that we have to set up a security policy to allow that to happen.

Lab Objective:

Set up the windows machine on the 10.1.1.0/24 network to go from its zone ‘Internal’ to the ‘Internet’ zone and allow access to the following protocols:

DNS port 53 (UDP)
HTTP port 80 (TCP)
HTTPS (SSL) port 443 (TCP)

This will allow the Windows PC onto the web and able to browse. Simply allowing HTTP and HTTPS wouldn’t be enough as DNS is involved when using the web to translate the human readable URL address such as https://www.paloaltonetworks.com to an IP address that will be then used to send the traffic towards the website.

Log into the PA GUI and select the Policies Tab.

Here we have the two default policies ‘Intrazone-default’ and ‘Interzone-default’. The Intrazone policy allows traffic to flow from the same zones and the Interzone policy denies traffic to flow from different zones. If you scroll over to the far right of the policies you’ll see ‘Action’ set to Allow and Deny for each one.

We need to add our own policy here to allow traffic from the Internal zone to the Internet zone and to specify the protocols we want the user to be able to access. Click on ‘Add’ to get started.

The first tab is called General and here we give the policy some meaning by naming it and giving it a description of what it is used for. Also you select the Rule Type since I am going between different zones I have selected ‘interzone’ as the Rule Type.

Next click on the Source tab.

Step2_source

Under Source Zone click on Add and select the zone you want to match on i.e. sourced from and select Internal. Under Source Address on the right side of the window I have the option to allow Any traffic from the Internal zone OR I can match a specific subnet or IP address. I could have multiple subnets that are part of my internal zone so this allows me to get more granular and select which subnet should have access out onto the Internet. To make things easier down the line I can setup an Object just for that 10.1.1.0/24 subnet and reuse it elsewhere in the configuration for other policies I might setup later.

Step3_Object

I’ve selected Add and I get this list of IP address ranges, I could simply type in the network address I want to use but I’ll set up an object instead. To do that you need to click on the New Address button at the bottom. A new window pops up shown below.

Step4_object

Enter in a name for the object here I am using ‘Internal 10.1.1.0 subnet’ and I have selected the IP Netmask as the type since I am configuring a subnet. Click on OK and the object will be added to the configuration.

I am going to skip the User Tab here as I don’t have any User-ID setup yet. The User tab can be used to identify a specific user on the network and to just lock it down to that particular user. So onto the Destination tab.

step5_destination

In the destination tab I am selecting the zone that I want to allow the traffic to flow to. In my case it is the Internet zone. On the right of the window it is set to Any which is fine as we are going out onto the internet and I don’t want to start restricting what parts of the internet the user can or can’t get to.

Next is the Application tab and here I am going to specify what applications or protocols that users are allowed to use from the Internet 10.1.1.0/24 subnet. As part of the lab brief we said we wanted the users to be able to browse the internet so that means allowing DNS, HTTPS (SSL) and HTTP.

step6_apps

Click on Add and add ssl for HTTPS traffic, DNS and web-browsing for HTTP.

The last step is to select Actions.

step7_actions

This is where you want to select what action to take against the policy we just created and since I want to allow the traffic that is what I’ve selected.

Click on Ok and the the policy will be created and added to the policy configuration. As shown here.

Step8_finish

The policy is as follows:

IF source zone is Internal AND from the 10.1.1.0/24 subnet going to the destination zone Internet AND using applications SSL, HTTP, DNS ALLOW the traffic.

Now our users on the 10.1.1.0/24 network have access to the internet, you might be thinking how does the return traffic get back to the users since we haven’t configured a policy for traffic from the Internet zone to the Internal zone? The NGFW is a stateful firewall which means it remembers the sessions from the ‘Internal to Internet policy’ and allows the return traffic back in without having to setup another policy for that to be allowed.

Lastly don’t forget to commit the configuration for it to become active on the firewall.

Getting into the Zone

In this post I want to talk about zones and what they are used for in a Palo Alto NGFW. Zones are used to group interfaces together that are part of the same business function on the NGFW. For example you might have two departments, one is Finance and the other is IT. Because the information within the Finance part of the network is highly sensitive you do not want your users from the IT department having access to that part of the network. With zones you can put them into separate zones and build policies around them. By default interfaces within the same zone can communicate with each other but interfaces in different zones cannot for that to happen you will need to configure a policy to allow users or a group of users to go from one zone to another such as IT to Finance and visa-versa. This is the first line of defense in stopping attackers moving laterally across your network.

Configuring Zones

I am going to setup 3 zones and assign interfaces to those zones. The 3 zones will be:

Internal
Servers
Internet

On the PA GUI click on the Network tab and on the left hand side select Zones. Click on Add.

Give your zone a name “Internal” and the type in this case is Layer 3. The other options are Layer 2, Tap, Vwire and tunnel.

Continue adding the remaining zones Internet and Servers.

Virtual Router

What is a virtual router? On the Palo Alto NGFW you can split the Firewall into virtual “mini” firewalls it can be used to keep different parts of the business separated or if you have different customers that you provide services to you can give them a virtual firewall with their own interfaces, zones, policies. You can add virtual routers or just use the default virtual router. To add a virtual router click on Network and on the left hand side click on Virtual Router and Add.

Here I have added a new Virtual Router and called it VR-1.

Interfaces and bringing it all together

The last thing to do is to assign the interfaces to the different zones and the virtual router.

Still under Network click on interfaces on the left hand side to get started. Select Layer 3 as the Interface type and add a comment. Under “assign interface to” select VR-1 as the Virtual Router and Internet as the Security Zone.

Click on IPv4 tab and enter the IP address here I am using 192.168.1.250/24 then click on Ok.

Once you have all the interfaces configured along with their IPv4 addresses you need to commit the configuration for it to become active. When the configuration is committed you will end up with the interfaces active as shown below.

Palo Alto Network NGFW

What better way to get to know the Palo Alto Security Operating Platform than installing it on your laptop and using it. Here is the lab I have setup on my laptop. You can also do this in the cloud using AWS for example as the image I am using is the VM-Series from Palo Alto that is built for protecting your cloud infrastructure but for now I am going to be running it locally on my laptop. I’ll set it up in the cloud on AWS in another blog post.

Palo Alto VM-Series in VMWare Workstation Pro

To do this you’ll need the Palo Alto VM-Series image from Palo Alto, VMware Workstation Pro software to run the Palo Alto VM-Series image on and also a Window 10 image again used within VMware. I’m using the PA-VM-ESX-8.1.0.vmx image here.

Once you have the PA VM-Series image file downloaded you’ll need to install it into VMware Workstation Pro, you can use a 30 day evaluation of the Workstation Pro software but after that you’ll have to buy a license if you would like to continue using it. The same goes for the Windows 10 image you’ll need to add it into VMware Workstation.

I’ve also setup some extra VMnets so I can connect up the topology as shown above this can be done via Edit–>Virtual Network Editor. Click on Change Settings (Admin level is required here) and then click on Add Network. One thing I did was deselected the option to use local DHCP as I wanted to add my own IP addresses as such:

vmnet 1 : 10.1.1.0 255.255.255.0
vmnet 2: 10.2.2.0 255.255.255.0
vmnet 3: 10.3.3.0 255.255.255.0
vmnet 4: 10.4.4.0 255.255.255.0

Although I’m not using all of these from the start it is good to have them configured if I want to connect another network into my lab.
Next thing to do is to power up the VM-Series NGFW once booted you’ll get prompted to enter in a username and password which is admin/admin by default.

Also during bootup you’ll see a DHCP message with the IP address that has been assigned to the management interface, in my case it was 192.168.1.101 to log into the GUI just open up a browser and type in the address in the address field as https://192.168.1.101 note you’ll get a warning about the site not being trusted as it is a self-signed certificate just click on Advanced and add it as an exception and it will load the GUI login page, again the username and password is the same here admin/admin.

You’ll end up with a page something like this.

eJPT – Junior Penetration Tester

I am officially certified as a Junior Penetration Tester with eLearnSecurity. I must say I found their training to be excellent. Up until now most of the certification exams I’ve done have been from Cisco. I had never heard of eLearnSecurity until I came across them on the techexams.net forums. I wanted to get into Penetration Testing for some time now as I had always been interested in how someone could break into a network or system. In the past, I have built my own PC and installed numerous OS systems directly on the hard drive or virtually using VMWare to test different things out and to see how they worked so Penetration Testing was a good fit for me I guess as I liked tinkering with things.

So what do you learn in the course? You can find the course at eLearnSecurity and a breakdown of each section and what modules they cover.

The first section is an introduction to networking, web applications and penetration testing. The second section is programming again this is an overview and doesn’t go too deep into it the programming languages covered are C++ and Python. The three section is all about penetration testing and the different phases of a penetration test. You also learn what tools to use here. And for me, the best part of the course is the access you get to the labs where you can learn how to use the tools, here you really get to know how to use them, nothing beats hands-on learning in my opinion.

In the exam, you get access to the exam lab for 3 days. You are given an exam guide and some information about the network you are going to be pen testing. You have 20 questions to answer based on the exam objectives. You need to gain access to servers, PCs, websites using all the tools and techniques you learned during your studies. Having access to the lab for 3 days is probably a bit too generous as it only took me 4-5hrs to gain access to the systems and find the answers to the questions. I must say I really enjoyed the exam as it was all hands on which is much better than 60-70 multiple choice questions like most of the Cisco exams I’ve done apart from the T-SHOOT exam for the CCNP R&S cert another exam I really enjoyed.

I would fully recommend eLearnSecurity as their course material is great and up to date with the latest tools and exploits. Next, I am going to tackle the PTPv5 course and exam to take my Pen Testing skills to the next level.

Practice with NMAP

If you would like to practice using NMAP commands, the nmap organization has made available a test site at scanme.nmap.org. You can use this as your target when learning how to use nmap.

Nmap

Here I’m running a scan against the website scanme.nmap.org and piping it to a file. The results of the scan are shown below.

Scanresults

Just don’t run continuous scans against the site, after all, it is a shared resource.

NMAP and fping deep dive (Part II)

This is a continuation of my previous post, NMAP and fping deep dive in that post I talked about fping and NMAP and how they worked at a basic level as NMAP, in particular, has a lot more parameters that you can use depending on the task at hand.

In this post I want to cover more of NMAPs capabilities and what commands we could use to discover more about the network and what potential vulnerabilities these hosts might have that could be used to exploit them.

In the last post we found out what hosts were alive on the network and we also found out what ports were open on those hosts. The next step is to find out what OS they’re running or at least get the best guess as to what it might be.

I am going to use the -sV (version) option and also the -O (OS fingerprinting option) to get more detail on the hosts. You don’t want to blindly attack a network without gathering all the information possible about your target or you run the risk of causing the target to crash because you ran the wrong tool against it. Information gathering is one of the most important parts of penetration testing.

As Abraham Lincoln once said, “Give me six hours to chop down a tree and I will spend the first four sharpening the axe.”

The first command to run is the -sV command that will give us more information on the ports that are open and what version the service is running.

Screenshot from 2018-05-27 12-24-44

The administrator might have changed the port to a non-standard port as is the case for the host at 10.142.111.213. You can see the port is 81 but the service using that port is HTTP which is usually on port 80 also if you remember this is the host that did not respond to the ping sweep when using fping.

Screenshot from 2018-05-27 16-27-58

To build on this we can now run the -O command with nmap. This command will send special probes to try and figure out what OS is running, for example, IIS, Apache?

The command is $:nmap -O 10.142.111.1,6,48,96,99,100,213

Here instead of using /24 I am only running the OS scan on the hosts we already know are alive on the network, this saves us a lot of time as I am only concentrating the scan on specific hosts.

Screenshot from 2018-05-27 12-51-03

From the output you can see that host at 10.142.111.48 is a Windows XP machine. From this, we could start to look for vulnerabilities on Windows XP for the services they’re running.

To summarise we started off not knowing what IP addresses were alive for this we used the fping tool and also nmap -sn command. We then ran more nmap commands to figure out what ports were open and also the versions of those open ports. Lastly, we ran the OS fingerprint command to try to figure out what OS the hosts were using.

I hope this was useful.