Security Labs in OPNET IT Guru: Enginyeria I Arquitectura La Salle Universitat Ramon Llull Barcelona 2004
Security Labs in OPNET IT Guru
Authors:
Cesc Canet
Juan Agustín Zaballos
Translation from Catalan:
Cesc Canet
Overview
This project consists of practical networking scenarios to be carried out with OPNET IT Guru
Academic Edition, with a particular interest in security issues.
The first two parts are a short installation manual and an introduction to OPNET. After
that there are 10 Labs that put different networking technologies into practice. Every
Lab consists of a theoretical introduction, a step-by-step construction of the scenario
and finally Q&A on the issues covered.
Lab 1: ICMP Ping. We study Ping traces and link failures.
Lab 2: Subnetting and OSI Model. We study tiers 1, 2 and 3 of the OSI model, and
use the Packet Analyzer tool to observe TCP connections.
Lab 3: Firewalls. We begin with proxies and firewalls. We will deny multimedia traffic
with a proxy, and study the link usage performance.
Lab 4: RIP explains the RIP routing protocol, and how to create timed link failures
and recoveries.
Lab 5: OSPF compares OSPF with RIP. We study areas and Load Balancing.
Lab 6: VPN studies secure non-local connections. A Hacker will try to gain access to a
server that we will try to protect using virtual private networks.
Lab 7: VLAN creates logical user groups with Virtual LANs. It studies One-Armed-Router
interconnections.
Lab 8: Dual Homed Router/Host, Lab 9: Screened Host/Subnet. DMZ and Lab
10: Collapsed DMZ explain static routing tables, ACLs, proxies and internal vs.
perimeter security. Lab 10 is 100% practical: we want you to create it on your own, a
piece of cake if you did the other Labs!
Lab 1: ICMP Ping
ICMP (Internet Control Message Protocol) is encapsulated inside the IP protocol, and is
used for network troubleshooting and control messaging. It is used to notify that a
datagram did not reach its destination, either because the destination host was not
found (UNREACHABLE HOST) or because the IP packets traveled across too many
routers (TTL EXCEEDED).
This Lab explains yet another application: ICMP ECHO REQUEST/ECHO REPLY (aka
Ping). An ECHO REQUEST message is sent to an IP address to find out whether the
communication between peers is working. The destination computer is supposed to
answer with an ECHO REPLY message.
Lab Description
A network is created with a 5-router ring backbone and 2 workstations (A and B)
directly opposite each other. A will send an ECHO REQUEST to B, and B will answer with an ECHO
REPLY. We'll check that the REQUEST packet went through the three routers
between peers, and that the REPLY packet came back using the same path (the routing
protocol for this Lab is RIP). In a second scenario, one of these links will fail, and we will
study how this changes the ping trace.
Creating the Scenario
1. Open a new Project in OPNET IT Guru Academic Edition (File → New Project)
using the following parameters (use default values for the remainder):
Project Name: <your_name>_Ping
Scenario Name: NoFailure
Network Scale: Campus
Press Next several times to end the Startup Wizard. The Project Editor will be
launched with a blank Grid.
2. To create the 5-router ring: Topology → Rapid Configuration.
In the popup window, choose Configuration: Ring and press OK.
Click on Select Models and choose internet_toolbox in the combo box, to
select the library from which the routers and links will be taken.
Press OK.
In the Node Model combo box, pick the router
CS_4000_3s_e6_fr2_sl2_tr2.
Select the link to connect the routers, Link Model: PPP_DS1.
Number: 5 routers.
The center of the ring is (X,Y)=(5,5).
The radius length is 2.5.
Press OK to create the network.
3. Insert two Sm_Int_wkstn workstations and connect them with
10BaseT wires:
Open the Object Palette by clicking on its icon.
Drag the two Sm_Int_wkstn workstations, and drop them into the Grid.
They can be found in the Sm_Int_Model_List palette in the Object Palette.
Change the attributes:
o Right-click on the station and press Edit Attributes.
o Select Application Supported Profiles → rows: 0. By doing this,
the workstations won't have any profile defined (we don't need any,
because the only traffic demand we want is Ping).
o Repeat this process for the two workstations.
Connect the two workstations to the two routers directly opposite using
10BaseT wires from the same palette.
Now the network is complete and it is time to set the ICMP traffic. The first
step is to place an IP Attribute Config control. This can be found in the
internet_toolbox palette.
Edit the control properties (right-click → Edit Attributes). The parameters
to be set can be found in IP Ping Parameters → row 0 (Pattern:
Default):
o Interval (sec): 90
o Count: 1000
o Record Route: Enabled
Press OK to accept the changes.
4. Using the ip_ping_traffic object from the Object Palette
(internet_toolbox), draw an ICMP ping demand from one host to the other:
Select the ip_ping_traffic object in the palette.
Click on one workstation (start) and then on the other one (end).
When finished, press the right button and select Abort Demand
Definition to stop drawing wires.
Right-click on the flow line and click Edit Attributes, and then set:
o Ping Pattern: Default
o Start Time: constant(1000)
Choose RIP as the routing protocol for the scenario:
On the Project Editor, Protocols → IP → Routing → Configure Routing
Protocols... Check that only RIP is selected and press OK.
Protocols → RIP → Configure Start Time. Select Mean Outcome: 20 and
press OK. The RIP protocol will begin creating routing tables at this
moment.
Change the node names as seen in the picture below:
L1.1: The Scenario is completed
Setting up the simulation
1. Click on configure/run simulation at the Project Editor, and set these
values:
Duration: 1 hour(s).
In the Global Attributes tab,
o RIP Sim Efficiency: Disabled. RIP messages will be sent all the
time during the simulation.
o RIP Stop Time: 10000. Routing tables will be updated throughout
the simulation (the simulation finishes before RIP stops).
o IP Routing Table Export/Import: Export. We will export routing
tables to a file at the end.
2. Click on Run.
Results analysis
Once the simulation is over,
1. Exit the simulation window by clicking on Close.
2. At the Project Editor, click Results → Open Simulation Log. Review the
ECHO and ECHO REPLY paths, and the routers the packets have gone through.
All this information is in the PING REPORT, as seen in the picture below:
L1.2: PING Report
Questions
Q1 Duplicate the scenario NoFailure and call it WithFailure. Choose a link the PING
was using in the last simulation (e.g. Router 1 - Router 2), and make it fail by
selecting it and clicking on the "mark selected node or link as failed" button.
Analyze the new ping trace.
Answers
Q1
At the Project Editor, Scenario → Duplicate Scenario. The new scenario is called
Scenario Name: WithFailure and we press OK. We mark the Router 1 - Router 2 link
as failed and run the simulation. The ping trace now takes a new path, as seen in the
Ping Report:
IP Address   Hop Delay   Node Name
----------   ---------   ---------
192.0.8.2    0,00000     Campus Network.Estació 1
192.0.9.1    0,00015     Campus Network.Router 1
192.0.1.2    0,00077     Campus Network.Router 5
192.0.0.1    0,00077     Campus Network.Router 4
192.0.3.1    0,00077     Campus Network.Router 3
192.0.3.2    0,00021     Campus Network.Estació 2
192.0.3.2    0,00001     Campus Network.Estació 2
192.0.0.2    0,00015     Campus Network.Router 3
192.0.1.1    0,00077     Campus Network.Router 4
192.0.9.2    0,00077     Campus Network.Router 5
192.0.8.1    0,00077     Campus Network.Router 1
192.0.8.2    0,00021     Campus Network.Estació 1
L1.3: Ping Report for the scenario WithFailure
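Why the trace changes, as an added example that is not part of the original lab manual: a simplified hop-count distance-vector exchange (the metric RIP uses) on the 5-router ring, recomputed from scratch with and without the Router 1 - Router 2 link. It assumes routers are numbered consecutively around the ring, with workstation 1 on Router 1 and workstation 2 on Router 3, as the Ping Report suggests; it does not model OPNET's RIP timers or update messages.

```python
INF = 16  # RIP treats a metric of 16 as unreachable

def ring_links(n=5):
    """Router i is linked to router i+1, and router n back to router 1."""
    return {frozenset((i, i % n + 1)) for i in range(1, n + 1)}

def rip_converge(routers, links):
    """Neighbours exchange distance vectors until no table changes.
    table[r][dest] = (hop metric, next hop towards dest)."""
    table = {r: {r: (0, r)} for r in routers}
    changed = True
    while changed:
        changed = False
        for link in sorted(links, key=sorted):
            a, b = sorted(link)
            for src, dst in ((a, b), (b, a)):       # src advertises to dst
                for dest, (metric, _) in list(table[src].items()):
                    new = min(metric + 1, INF)
                    if new < table[dst].get(dest, (INF, None))[0]:
                        table[dst][dest] = (new, src)
                        changed = True
    return table

def trace(table, src, dst):
    """Follow next hops router by router, as Record Route would list them."""
    path = [src]
    while path[-1] != dst:
        if dst not in table[path[-1]]:
            return None                              # no route to destination
        path.append(table[path[-1]][dst][1])
    return path

def ping_routes(failed=None):
    """Router sequences for the ECHO REQUEST and the ECHO REPLY.
    `failed` is an optional (router, router) pair naming the failed link."""
    links = ring_links() - ({frozenset(failed)} if failed else set())
    table = rip_converge(range(1, 6), links)
    return trace(table, 1, 3), trace(table, 3, 1)

no_failure = ping_routes()               # ([1, 2, 3], [3, 2, 1])
with_failure = ping_routes(failed=(1, 2))  # ([1, 5, 4, 3], [3, 4, 5, 1])
```

The WithFailure result reproduces the router order in the Ping Report above: Router 1, 5, 4, 3 for the request and Router 3, 4, 5, 1 for the reply.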