ICAS5192A/03 Install and Configure Gateway Products and Equipment

Install and configure gateway products and equipment

1 , 2006

Overview

You should already know about confirming client requirements and network equipment and reviewing security issues. This resource will help you to install and configure gateway products and equipment within an information technology environment.

In this topic you will learn how to:
- identify and select installation and configuration options
- install and configure gateway products as required by technical guidelines
- plan and execute tests with reference to client requirements and network impact
- analyse error reports and make changes as required.

This topic contains:
- reading notes
- activities
- references
- topic quiz.

As you work through the reading notes you will be directed to activities that will help you practise what you are learning. The topic also includes references to aid further learning and a topic quiz to check your understanding.

Download a print version of this whole topic: Install and configure gateway products and equipment (1.93 MB 2823.doc)

Reading notes

Identify configuration options

You will have a range of configuration options to choose from depending on the Internet gateway solution your client has decided on. These options need to be selected in order to satisfy the client’s needs in every case. Some options may only become apparent as the installation progresses and so must be documented during the installation. If possible, screen captures of configuration utilities would be helpful in the documentation process.

We’ll look at a few Internet gateway solutions here and their options. The solutions covered are:
- Windows and Internet connection sharing (ICS)
- residential gateway devices
- Linux gateways
- appliances from Cisco and Symantec.

We will start with a discussion of the importance of anti-virus and anti-malware products to the overall solution.

Anti-virus and anti-malware

All computer systems on the local network (including an ICS host system) must also have anti-virus and anti-malware software installed and active to maintain the maximum possible security level. Some suitable products include:
- AVG anti-virus: GriSoft http://www.grisoft.com
- F-Prot anti-virus: Frisk Software International http://www.f-prot.com
- Ad-Aware anti-malware: Lavasoft http://www.lavasoft.com
- Spybot – Search and Destroy anti-malware: Spybot http://www.safer-networking.org

There are of course many more products. Your client may have current products in use, or you can suggest others from your experience.

Note: Remember that free products may only be free for private use. Sometimes these products can also be used for educational and non-commercial purposes. You must check the licensing of any product to ensure that copyright is not infringed when it is used in each solution.

Internet connection sharing

ICS is the system used by Microsoft Windows workstations to provide connection for more than one computer to the Internet over a single Internet link. This facility has been included in the Windows product range since Windows 98 SE (second edition) and so is available for use in the following Microsoft operating systems:
- Windows 98 SE
- Windows ME (Millennium edition)
- Windows 2000 Professional and Server
- Windows XP Home and Professional
- Windows 2003 Server family.

ICS basically uses one computer workstation as the Internet connection provider for a home or small business network. This computer is still fully functional as a workstation. The ICS system provides network address translation (NAT) for the other workstations on the network.

The ICS host computer needs to be able to access the Internet through either a dial-up or broadband connection and have a network connection to the local network of computers. A dial-up connection can be through an RS-232 serial or a universal serial bus (USB) port with either an analogue or ISDN modem. A broadband connection may be through either a USB or a network port. In the case of a network connection, two network cards are preferred in the ICS host system.

For best security in the ICS solution, a firewall program should be installed and enabled on the ICS host computer, as it is the one that directly presents itself to the Internet. The Windows Internet Connection Firewall or the Windows Firewall of Windows XP with Service Pack 2 or Windows 2003 Server family is sufficient. Take a look at the following for more information:

- Microsoft Windows Internet Connection Firewall: http://www.microsoft.com/windowsxp/using/networking/learnmore/icf.mspx
- Microsoft Windows Firewall: http://www.microsoft.com/windowsxp/using/security/internet/sp2_wfintro.mspx

Some people prefer to use a separate firewall product such as the offerings from the following sources:
- Zone Labs Zone Alarm: http://zonelabs.com
- GriSoft AVG Firewall: http://www.grisoft.com
- Symantec Norton Personal Firewall: http://www.symantec.com

Note: If the ICS host operating system is Windows 98 SE, Windows ME or Windows 2000, then a separate software firewall is required since Microsoft does not provide a firewall for these operating systems.

The ICS drivers and protocols are installed and activated in the ICS host computer which forces the network card to have the private IP address of 192.168.0.1. This is a requirement of ICS, and if the IP address is changed to suit an existing network, ICS is deactivated. Some older networking equipment used this IP address as a default IP address, so conflicts may occur and the equipment will need to have its IP address changed.

In order to access the Internet with ICS, other computers and devices on the local network will have IP addresses in the range 192.168.0.2 to 192.168.0.254 with a network mask of 255.255.255.0. These computers need to set their default gateway to be the IP address of the ICS host system (192.168.0.1) and manually set their DNS servers to be the same as the ICS host settings. These settings may alternatively be provided to workstation computers through a Dynamic Host Configuration Protocol (DHCP) server on the network.

In order to determine these DNS addresses on the ICS host:
- connect to the Internet
- start a command prompt:
  - Start, Run
  - type cmd into the Open dialog (or command on Windows 98 SE and ME)
  - click on OK
- in the command prompt window, type ipconfig /all
- towards the bottom of the listing you should be able to find a line with DNS servers and an IP address similar to the following:

Image: Partial output from the ipconfig /all command showing the DNS Servers information as a line of text saying 283.49.70.20

Figure 1: Partial output from the ipconfig/all command showing the DNS Servers information

The DNS server IP address listed should be used for the other workstations in the local network. Note that there may be more than one DNS server. If the ISP ever changes addresses for these servers, then all workstations need to be updated to reflect the change, possibly via the DHCP server. See Figure 1.
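Once the DNS Servers line has been found, its addresses have to be copied to every workstation or into the DHCP server, and a second server appears on an indented continuation line that is easy to miss. The following script is an added example, not material from this topic: it extracts the DNS Servers entries from saved `ipconfig /all` text on any system with awk, using a constructed sample with documentation addresses (203.0.113.x) rather than a real ISP’s servers.

```shell
#!/bin/sh
# Extract the "DNS Servers" entries from saved `ipconfig /all` output.
# ipconfig prints the first DNS server on the "DNS Servers" line and any
# further servers on indented continuation lines, so the function keeps
# collecting addresses until the next "Label . . . : value" line appears.
dns_from_ipconfig() {
    awk '
        { sub(/\r$/, "") }                 # tolerate CRLF from a Windows file
        /DNS Servers/ {
            sub(/.*:[ \t]*/, "")           # keep only the address after the colon
            if ($0 ~ /^[0-9.]+/) print $1
            in_dns = 1
            next
        }
        in_dns && /^[ \t]*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[ \t]*$/ { print $1; next }
        { in_dns = 0 }                     # any other line ends the DNS block
    '
}

# Constructed sample of the relevant part of an ICS host's ipconfig /all
# output (documentation addresses, not a real ISP).
SAMPLE_IPCONFIG='
Ethernet adapter Internet:

        Connection-specific DNS Suffix  . : isp.example
        IP Address. . . . . . . . . . . . : 198.51.100.23
        Default Gateway . . . . . . . . . : 198.51.100.1
        DNS Servers . . . . . . . . . . . : 203.0.113.10
                                            203.0.113.11

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.0.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
'

# Print the DNS servers as one comma-separated list, the form needed for a
# DHCP server option or for typing into each workstation's TCP/IP settings.
ics_dns_list() {
    printf '%s\n' "$SAMPLE_IPCONFIG" | dns_from_ipconfig | paste -sd, -
}

ics_dns_list   # prints 203.0.113.10,203.0.113.11
```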

Note: Windows server products also include utilities to configure routing and remote access services. This is the preferred alternative to ICS when multiple connections to remote sites - not just the Internet - are required in a business. The routing and remote access utilities include capabilities to provide NAT, static routes, multiple simultaneous connections and dial-in connections.

Routing and remote access also allows the server’s IP address to be set to any address to match an existing network’s configuration.

ICS and routing and remote access services cannot be used together on the same server.

Image: A home or small business LAN with three workstations at the front, a hub behind and an Internet gateway at the back utilising Windows Internet connection sharing as the Internet gateway showing all LAN IP addresses in the 192.168.0.x network. All workstations have the same DNS information, and all non-ICS workstations have the same default gateway of 192.168.0.1, which is the mandatory setting for ICS.

Figure 2: A home or small business LAN utilising Windows Internet connection sharing as the Internet gateway.

Activity 1

To practise, complete Activity 1 – Research ICS, in the Activities section of the Topic menu.

Residential gateway devices

Most residential gateway devices are made specifically for broadband. Some have a built-in ADSL connection, while others require an ADSL router or modem with a network connection in order to connect through to the Internet. In the latter case, the ADSL router should be left essentially unconfigured so that the residential gateway’s own services are the ones in use. If both were configured, then both must be kept up-to-date.

The built-in facilities of these devices from the various manufacturers are different. All tend to have NAT and port forwarding, and some have basic firewall settings, parental control URL blocking, stateful packet inspection (SPI) for application-level firewall filtering, virtual private networking (VPN) and voice over IP (VoIP).

Note: These devices are made for the final connection interface to the Internet link and so only need to have a traffic throughput equivalent to the maximum Internet connection speed. The speeds generally available to the home-user market range from 1.5 megabits per second (Mbps) to 24 Mbps.

Don’t misinterpret the throughput of an integrated switch (or hub) as the throughput measurement. These devices are NOT meant for the high-speed interconnection of LANs to segregate networks within an enterprise or large organisation.

Some routers can be used as residential gateways as well. In particular, a few of these routers have a serial port allowing for backup Internet access via a dial-up connection in case the broadband link fails. These devices are also useful for areas without broadband access, such as country and rural areas, since the serial dial-up device may be used as the default Internet connection. Devices with this capability include:
- D-Link DI-804HV VPN Router: http://www.d-link.com
- NetGear ProSafe VPN Firewall FVS328: http://www.netgear.com.au
- Open Networks Open524R: http://www.opennw.com

Residential gateways generally come with a web interface to allow configuration. The web interface often defaults to an IP address of 192.168.1.254, and you will need to adjust a computer on the network to be able to use an address on the same network (192.168.1.1 to 192.168.1.253) in order to access the web interface.

If you decide to modify the LAN IP address of the device, then you will need to use this new IP address in your browser to administer the device in future.

A common default username and password is admin and admin. It is in your client’s and your own best interest to modify this to ensure the security of the settings of the Internet gateway device.

Devices from the same manufacturer tend to have similar interfaces and use similar terminology. The interface and terminology used varies widely from one manufacturer to another.

Image: A home or small business LAN utilising a residential gateway device as the Internet gateway showing all LAN IP addresses in the 192.168.1.x network. All workstations have the same DNS information and the same default gateway of 192.168.1.254, which is a common factory setting for residential gateway devices.

Figure 3: A home or small business LAN utilising a residential gateway device as the Internet gateway

The residential gateway shown in Figure 3 has a common, factory-default LAN IP address of 192.168.1.254. If the residential gateway is configured to provide DHCP services, the LAN IP addresses, DNS and default gateway addresses may be provided dynamically to the workstations. Alternatively, these settings may be set manually with all the LAN IP addresses in the 192.168.1.x network range, with all workstations having the same DNS information and the same default gateway being the residential gateway’s 192.168.1.254 IP address.

Activity 2

To practise working with different terminologies used by different manufacturers, complete Activity 2 – Terminology used to set configuration of devices, in the Activities section of the Topic menu.

Linux gateways

Linux has been presented as an alternative to replace many previous systems with basically free software. Linux has the reputation of being more stable, secure and less prone to malicious attack. With the inclusion of two network cards in a system for broadband, or a dial-up device and network card for dial-up Internet access, a Linux system can become an Internet gateway.

It is possible to use a standard Linux distribution as an Internet gateway. The networking features required are built into the basic Linux kernel and are controlled by command-line applications - most recently iptables. While this is possible, it is not desirable since any changes to the firewall must be manually entered into the start-up configuration and need to contain no typing errors. To configure a basic safe system takes in the order of 100 to 200 commands. Each of these needs to be correct and verified to be working.

The preferred configuration method is to use a graphical user interface (GUI) front end or a web interface remote console similar to that of a residential gateway device. These applications will construct and save the required commands and will often have a basic configuration set to ensure a reasonably safe default configuration. Such configuration tools generally provide more thorough and less error-prone firewall configurations than manually applying commands.
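A minimal rule set of the kind such tools generate, as an added example that is not from this topic or from any of the tools it names. It assumes a general-purpose Linux system with the Internet on eth0 and the 192.168.0.0/24 LAN on eth1 (the same LAN addressing ICS uses), and it prints the commands rather than executing them, so the saved script can be read for typing errors before being applied as root.

```shell
#!/bin/sh
# Minimal NAT Internet gateway rule set for a general-purpose Linux system
# with two network cards. Assumed layout (not from the topic):
#   WAN = eth0, the Internet side (address assigned by the ISP)
#   LAN = eth1, 192.168.0.1/24 (the same LAN addressing ICS and Coyote use)
# gateway_rules prints the commands instead of executing them, as the GUI
# front ends do when they save a start-up script: the output can be read
# for typing errors first and then applied as root with: gateway_rules | sh
WAN="eth0"
LAN="eth1"
LAN_NET="192.168.0.0/24"

gateway_rules() {
    cat <<EOF
# turn the host into a router
sysctl -w net.ipv4.ip_forward=1
# start from empty tables with deny-by-default policies for traffic that
# arrives at the gateway itself (INPUT) and traffic it routes (FORWARD)
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# the gateway may talk to itself, and replies to its own connections pass
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the LAN side is trusted: it needs DHCP, DNS and the web admin interface
iptables -A INPUT -i $LAN -j ACCEPT
# only connections started from the LAN are routed out; nothing unsolicited
# from the Internet reaches a workstation because FORWARD's policy is DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
# NAT: rewrite outgoing LAN addresses to the WAN address
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
EOF
}

# Sanity checks on the generated script before it is applied.
rule_count() { gateway_rules | grep -c '^iptables'; }
has_default_deny() {
    gateway_rules | grep -q '^iptables -P INPUT DROP' &&
    gateway_rules | grep -q '^iptables -P FORWARD DROP'
}
has_nat() { gateway_rules | grep -q -- '-j MASQUERADE'; }

gateway_rules
```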

Searching for Linux firewall configuration GUI in a search engine to find this type of software may produce the following links:
- http://www.simonzone.com – SimonZone Guarddog: free firewall configuration utility with a full default safe configuration. Designed for the KDE (K Desktop Environment). Also, check out the other software available here to help configure an Internet gateway and server, such as Guidedog, Guidance and Watchdog (version 2.4.0 updated 17 December 2004).
- http://www.fs-security.com – FS-Security Firestarter: free, open-source firewall configuration utility with a full default safe configuration. Requires Gnome to be installed but also works under the KDE (version 1.0.3 updated 28 January 2005).
- http://www.webmin.com – Webmin: a free, open-source browser-based configuration utility that can configure just about anything on Linux systems remotely. This includes the Linux firewall and the Shorewall firewall. Everything starts at the default or current installed options, so for the initial setup of a firewall there is a lot of work to do to ensure a safe configuration, but the commands are created and saved, which avoids typing errors creating an insecure configuration (version 1.270 updated 5 April 2006).

Note: If you searched for just Linux firewall, you will also get pages that use the ipchains command or even the ipfwadm command. These are old commands used with pre-2.4.0 Linux kernels, so while the topics of discussion on these pages are often relevant, the actual commands are not.

For a home or small business network, an old computer may have sufficient capacity to become an Internet gateway with two network cards. A full Linux firewall distribution can be as small as a CD-ROM or even a floppy disk, such as:
- Vortech Consulting Coyote Linux: http://www.coyotelinux.com – a free floppy disk-based personal firewall. It fits onto one floppy disk and runs without a hard drive in the machine. The firewall can be administered through a web interface using any browser. The initial configuration requires either a functioning Linux or Windows system (version 2.24 updated 5 May 2005). The floppy version is no longer under development but is still available for download and use without support. It has been replaced by a small hard drive installation version (3.x), which is still free for personal and educational use (version 3.00.47 updated 14 April 2006).
- Linux Embedded Appliance Firewall (LEAF): http://leaf.sourceforge.net – a free, open-source project with a very versatile router/firewall Linux distribution. Unfortunately, the initial setup is difficult. The project bears watching for enhancements that simplify the installation process and update the documentation (version 2.4.1 updated 23 April 2006).
- FREESCO: http://www.freesco.org – a free, open-source floppy disk-based router with advanced firewall capabilities. It fits onto one floppy disk and runs without a hard drive in the machine. Installation to a small hard drive is also possible. It can also run from a CD, but configuration changes require writing a new CD each time. See the How-to list to add extra functionality to the base system. The drawback is that there is no GUI to configure the installation (version 0.3.5 updated 1 April 2006).

There are many dedicated gateway products available commercially that use Linux as the foundation operating system. These include:
- Point Clark Networks’ Clark Connect: http://www.clarkconnect.com – Clark Connect provides a free-to-home-user version and charges a fee for update services on two commercial versions. The products are open source so you can update them independently.
- Vortech Consulting Wolverine Linux: http://www.coyotelinux.com – a fully-featured firewall installed from a CD to a dedicated PC system. The firewall can be administered through a web interface using any browser. The initial configuration from the CD to a small hard drive (<100 MB required) takes only a few minutes (version 2.01.1000 updated 12 April 2006).

For other dedicated distributions you can use the following link: http://wiki.linuxquestions.org/wiki/Firewall_distributions

These Linux systems - used as Internet gateways - are networked basically the same as either the ICS or the residential gateway solutions discussed earlier.

If a general-purpose distribution is used with a configuration tool, then the solution is similar to the ICS host system. The difference here is that the Linux host can have any LAN-side IP addresses to match existing network configurations.

If a dedicated distribution or commercial product is used (possibly with an older computer system), then you have a solution similar to the residential gateway. In fact, the Wolverine Linux is commercially available in a number of embedded hardware and software solutions to produce a residential gateway device and also an enterprise-level Internet gateway appliance.

Activity 3

To research different Linux gateway solutions, complete Activity 3 – Exploring Linux gateways, in the Activities section of the Topic menu.

Appliances

Appliances are basically corporate or enterprise-level versions of the residential gateways described earlier. The functionality and throughput of these devices distinguishes them from the home-use product. Features and specifications found on appliances that are not available on home-use devices, or are available only at much lower capacity, include the following:
- virtual private networking (VPN) connections
- voice over Internet protocol (VoIP)
- increased IP filtering rates
- encryption
- numbers of users considered, possibly in the thousands.

The network arrangement of these appliances is similar to the residential gateways discussed earlier. Being enterprise-level devices in a large organisation, the physical security of these appliances tends to be a higher priority. Many of these units are mounted in air-conditioned, locked racks along with many other network and communications devices.

Activity 4

To research different enterprise appliances, go to Activity 4 – Enterprise appliances, in the Activities section of the Topic menu.

Install and configure gateway products

Let’s install and configure a simple Internet gateway suitable for use in a home Internet gateway situation.

Scenario

A family has a broadband connection to the Internet and wishes to share this connection with the three computers currently in use in the house. They want only the computers that need Internet access to be switched on, as the computers are in bedrooms.

There is already a wired network infrastructure with a hub and connections to all bedrooms, the lounge room and garage. An old computer in good condition is available to be used as an Internet gateway. This computer can be located in the garage area since it has access to the ADSL broadband connection and the network infrastructure. The computer specification is a Pentium 133 megahertz system, with 32 megabytes of RAM. It has a CD-ROM drive, floppy drive and a 2.1 gigabyte hard disk drive.

Solution

By looking at the solutions for an Internet gateway already given, we can see that there are a number of options:
- Windows 98 SE with ICS
- general purpose Linux with firewall configuration software
- Linux firewall-specific distribution.

After discussion with the family, they decide to go with the final solution given for a number of reasons but primarily because they:
- want a free solution
- don’t have a license for Windows 98 SE (only Windows 95)
- want it to be as ‘off the shelf’ as possible.

This leads you to choose between Coyote Linux and Clark Connect products. Finally you decide on the Coyote Linux floppy version product as it fits on a floppy disk and would mean that the hard drive and CD-ROM drive could be removed from the computer to make a very quiet system.

Installation

1. Download the Windows-based installer from the Coyote Linux website. Go to http://www.coyotelinux.com and click on the Downloads link and then the Coyote Linux Floppy Edition link. Download the Windows Disk Creation Wizard v2.24.0 (2.48 megabytes) at the bottom of the list.
2. Extract the files from the zip file you just downloaded and go to the wizard-2.24.0 folder.
3. Run the coyote.exe program by double-clicking on it or follow your computer’s execute steps. The basic set-up can be done with just a few entries for the target system. For brevity, the steps with no changes have been omitted:

Step 1: Set the LAN IP address. The default is 192.168.0.1.

Step 2: Set the password that will be used to administer the firewall. Note that you will log in as root in order to administer the Internet gateway.

Step 3: Set the remote logging server if you have one.

Step 4: Set up the Internet connection type. The default is DHCP Assigned Address. Other choices are Static IP, PPPoE Configured and PPP Modem Dial Up.

Step 5: Enable and set up the DHCP server. Default is not enabled.

Step 6: Set the drivers for the network cards. This is where you have to know something about the target system. Linux supports a large number of network cards, but due to the size of the floppy disk distribution, only the required network drivers are installed at this point. You need to select the correct one.

Image: Screen shot of step 2 of the Coyote Linux Disk Creator shows the password entry screen, requiring entry of password and then entry to confirm password setting the password to use with the “root” user name to administer the Internet gateway.

Figure 4: Step 2 of the Coyote Linux Disk Creator

How to identify the network cards

If these network cards have been installed in a Windows system before, then you may be able to read the information from the control panel in that system. Alternatively, you may determine the network card by inspecting the card and identifying the major chip used on it. The largest chip will have a 5- or 6-digit number on it, eg 8139, which is the NIC chip.

Some BIOSes (Award) show the chip number in the PCI device listing summary. You can pause the screen and look for Network Controller in the Device Class column. The Device ID to the left is an indication of the chip number. Note that 8086 as the Vendor ID indicates an Intel chip but not which one.

A live Linux CD such as the 50 megabyte Damn Small Linux distribution may be able to identify the network card for you. Go to http://www.damnsmalllinux.org/

If all else fails, then you would have to create the disk repeatedly, each time with a different pair of card drivers, until one of the two cards works. Write that driver down, then keep trying pairs to find the driver for the other card. Finally, choose the correct two and make the final disk.

Of course it is possible that your network card is too old or too new to have a driver included or it may just be faulty.

If you end up with only one network card for this topic, then at least you will be able to access the web configuration tool.

Step 7: Set the language that will be used in the web configuration tool and the console. You should probably set this to English.

Step 8: This is the disk creation step. Put a formatted floppy disk into the floppy disk drive and click on the Create Disk button.

Image: Screen shot of step 6 of the Coyote Linux Disk Creator showing the selection of Network card drivers available for use in the firewall system. In this example, the Local network card is shown as ‘tulip’ and the Internal network card type is 8139too.

Figure 5: Step 6 of the Coyote Linux Disk Creator

Hint: You may have difficulty creating this disk on a USB floppy drive. Using a reliable internal floppy drive should make this less frustrating.

You should now have a floppy disk that can be used to boot a computer as described in the scenario. The disk should not write to a hard drive in a computer, so it should be safe to boot from in order to see the console of the Internet gateway produced, which is a screen similar to the one in Figure 6.

Image: Coyote Linux console screen Version 2.24 with an IP address 192.168.0.1 with an image of a coyote drawn with code on the left.

Figure 6: The Coyote Linux console screen for version 2.24.

Note the default IP address of 192.168.0.1 from Step 1 of the installation. You could log in by entering root here, then entering the password you created when prompted.

All remaining configuration and ongoing administration of the Coyote Linux Internet gateway can be done with the web administration interface by using the URL given in the console screen in Figure 6, ie http://192.168.0.1:8180, or the IP address you gave at Step 1 above with :8180 on the end with no spaces.

Note the use of the :8180 on the end of the URL. This says to access the web server that is listening on port 8180.

Configuring

The creation of the floppy disk for Coyote Linux does a partial configuration of the Internet gateway. It ensures that you have at least one IP address to access in order to connect to the web administration interface.

Access the web administration interface by entering the URL given on the Coyote Linux Console screen – http://192.168.0.1:8180 – or the IP address you gave at Step 1 above with :8180 on the end with no spaces.

The Internet gateway should respond with a simple web page with a link to the protected area, as shown in Figure 7.

Image: Coyote Linux Web Administrator link with a coyote on the left and the words Coyote Linux Web Administrator on the right.

Figure 7: The Coyote Linux Web Administrator link

This appears on the web page accessed by the URL http://192.168.0.1:8180 in your browser address bar.

Clicking this link pops up a realm login entry screen as in Figure 8.

Image: Screen shot of the Coyote Linux console screen Version 2.24 with an IP address 192.168.0.1

Figure 8: The Coyote Linux console screen for version 2.24.

Log in here using the user name of root and the password you previously entered during the installation step 1. The Information screen of the Coyote Linux web administration tool will be displayed (see Figure 9). This tool is similar to many other browser-based configuration utilities provided by appliance and residential gateway manufacturers.

Image: Screen shot of Coyote Linux Web Administration Information screen with General information, Network status – Internet, Network status – Local Network, DNS Information, Services, System Information.

Figure 9: The Coyote Linux Web Administration Information screen

From the front screen of the web administration interface, a quick glance shows the status of the network interfaces along with their associated IP addresses, and gateway information as shown in Figure 10.

Image: Section of the Coyote Linux web administration interface’s Information screen showing the Network status for the Internet, Network status – Local Network and DNS Information.

Figure 10: Section of the Coyote Linux web administration interface

The information screen shows the status of both the Internet and local network interfaces. The menu bar down the left side of the Information screen allows access to all the configuration options for the Internet gateway’s functionality.

Image: Coyote Linux Information screen’s menu bar with Information, LAN configuration, Internet configuration, DHCP Configuration, Administrative Config, Port Forwarding, Simplified Firewall Configuration, Advanced Firewall Configuration, QOS Configuration, System Password, Configuration Files, Diagnostic Tools, Backup Now, Reboot.

Figure 11: The Coyote Linux Information screen

The menu bar provides access to all the configuration options.

For our purposes, suppose that one of the home computers requires access for a download program such as BitTorrent. In order to achieve this, the port forwarding item needs to be selected and appropriate settings need to be added to redirect accesses to this port from the Internet to the internal system, as in Figures 12–14.

Image: Coyote Linux Port Forwarding Rules Configuration screen

Figure 12: The Coyote Linux Port Forwarding Rules

The configuration screen allows editing of the port forwarding (redirection) rules. You can modify an existing rule or create a new rule for a single port or a range of ports. The Pre-Configured Services will be best for our scenario since the BitTorrent ports are already known and only the IP address of the local workstation needs to be added.

Image: Coyote Linux Port Forwarding Wizard for Pre-Configured Services showing the known services that can be easily configured.

Figure 13: The Coyote Linux Port Forwarding Wizard

This is for Pre-Configured Services showing the services available. Once a server type is selected, the local LAN IP address of the system can be entered. You can modify an existing rule or create a new rule for a single port.

Image: Coyote Linux Port Forwarding Rules Configuration screen showing the newly configured BitTorrent access for the computer with IP Address 192.168.0.4 with the headings Active, Protocol, External IP, External Port(s), Internal IP, Internal Port(s), Local Access, Comments, Actions.

Figure 14: The Coyote Linux Port Forwarding Rules configuration screen

The screen shows the newly configured BitTorrent access. The firewall configuration should now be reloaded and saved in order to activate the changes just made and to make them permanent.
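The same BitTorrent forwarding row expressed as iptables commands for a general-purpose Linux gateway, added here as an example (not Coyote Linux’s own configuration). It assumes the Internet on eth0 and the LAN on eth1; the 6881–6889/tcp range is the conventional BitTorrent client range and is an assumption, since the topic relies on the wizard’s pre-configured entry instead. The function refuses a non-private internal address, the kind of typing error a hand-entered rule would otherwise accept.

```shell
#!/bin/sh
# Port forwarding (DNAT) rule pair matching one row of the Coyote Linux
# "Port Forwarding Rules" screen: Protocol, External Port(s), Internal IP,
# Internal Port(s). Added example, not Coyote's own script. Assumptions:
# WAN interface eth0, LAN interface eth1. Prints the commands for review.
WAN="eth0"
LAN="eth1"

# forward_rule PROTO EXT_PORTS INT_IP [INT_PORTS]
# EXT_PORTS is a single port or an iptables range "low:high".
# INT_PORTS defaults to the same ports as EXT_PORTS.
forward_rule() {
    proto="$1"; ext="$2"; int_ip="$3"; int_ports="${4:-$2}"
    case "$proto" in
        tcp|udp) ;;
        *) echo "forward_rule: protocol must be tcp or udp" >&2; return 1 ;;
    esac
    # Refuse anything that is not a private LAN host address, so a typo
    # cannot create a rule that sends traffic back out to the Internet.
    case "$int_ip" in
        192.168.*|10.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
        *) echo "forward_rule: $int_ip is not a private address" >&2; return 1 ;;
    esac
    # DNAT: rewrite the destination of matching packets arriving on the WAN
    # to the internal host; the DNAT target writes a port range as "low-high".
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN" "$proto" "$ext" "$int_ip" "$(echo "$int_ports" | tr ':' '-')"
    # FORWARD: the gateway's default policy is DROP, so the redirected
    # connection also needs an explicit accept on its way to the LAN host.
    printf 'iptables -A FORWARD -i %s -o %s -p %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$WAN" "$LAN" "$proto" "$int_ip" "$int_ports"
}

# The BitTorrent entry from Figure 14: workstation 192.168.0.4.
# 6881:6889/tcp is the conventional BitTorrent client range (assumption;
# the topic uses the wizard's pre-configured entry instead).
forward_rule tcp 6881:6889 192.168.0.4
```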

Activity 5

To practise installing an Internet gateway, complete Activity 5 – Install Coyote Linux Internet gateway, in the Activities section of the Topic menu.

Plan and execute tests

In order to test your Internet gateway, a test system needs to be put into place with the software needed to access all the provided services. If a DMZ and Internet-accessible servers are required, then off-site facilities or alternative independent Internet access may be necessary to ensure that services are duplicated during testing. In a business situation, the continuity of the business is paramount during the testing phase. Often you will run a test system in parallel with an existing system and phase in the new system as the testing proves successful.

Prior planning of tests is important, with an entire test suite developed including the tests and conditions and the expected results. Remember that if a test fails and a subsequent repair or reconfiguration is performed, then the entire test suite should be repeated to ensure that the whole solution continues to work with the modification. Documentation of ‘on the fly’ modifications is vital to ensure the consistency and accuracy of documentation for future maintenance, troubleshooting, and modification or addition of features.


If you need to test access to a number of Internet sites, then typing the web address in for each test is inefficient. A test list needs to be compiled in order to finish testing in a complete and efficient manner. This may be made in a web page with each link ready to access in order.

An alternative may be to create a spreadsheet with the test links in a column. The worksheet can also then be used to keep track of the testing and can document faults and remedies. The tests should include access to all the different types of sites that will be used from the LAN workstations and may include DMZ computers and external access from the Internet to Internet-accessible servers and services. More than one program may be required to perform the tests. An example test plan sample workbook is included in the link below and an extract appears in Figure 15.

Test Plan - Sample Workbook (19 KB Test Plan_Sample Workbook.xls)

Image: Section of the Test Plan Sample Workbook with the headings Browser checks, Test Results and Comments, Final Result

Figure 15: Section of the Test Plan Sample Workbook

In the workbook, the tests are shown with instructions and the expected results with the reasoning about what the test achieves.

A separate test plan may be required if the Internet gateway is to provide Internet-accessible services. In that case, develop a group of tests with expected results to confirm the functionality of the system from outside the LAN, preferably from an independent Internet link.

Negative testing

Remember that testing an Internet gateway also involves checking that access is denied where it should be. You test this in the same way as above, but the expected result is an error condition or message. If the negative test produces that expected error, the test has passed.


Confirming that access is denied where it should be is especially important for Internet-accessible services, to prevent unwanted access to services that require authentication. These checks must be completed before any sensitive data is made available to the Internet, to reduce losses and damage during the testing and acceptance process.
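The test list and the negative tests described above can be driven from a script rather than typed in by hand. The following added example (not the course's sample workbook, nor any project's code) runs a plan of URL checks in which each row carries an expected outcome, reachable or blocked, so a denied site that fails to load is recorded as a pass. The URLs, the 203.0.113.10 address and the constructed results are placeholders; the probe function is injectable so the plan can be dry-run offline.

```python
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

REACHABLE = "reachable"  # request passed through the gateway and got an answer
BLOCKED = "blocked"      # request was refused, dropped or served a block page


@dataclass
class TestCase:
    name: str
    url: str
    expected: str      # REACHABLE for an allowed site, BLOCKED for a denied one
    comment: str = ""  # the reasoning column: what the test proves


@dataclass
class Result:
    name: str
    expected: str
    observed: str
    passed: bool


def http_probe(url: str, timeout: float = 5.0,
               block_page_marker: Optional[str] = None) -> str:
    """Probe one URL through the gateway.

    Any HTTP answer, including 403/404/500, counts as REACHABLE because the
    request made it out and back. A filtering proxy that serves its own block
    page answers with HTTP too, so pass a string found on that page as
    block_page_marker and a body containing it is classed as BLOCKED.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(65536)
    except urllib.error.HTTPError as err:
        body = err.read(65536)   # the server answered; that is still reachable
    except (urllib.error.URLError, OSError):
        return BLOCKED           # refused, reset, DNS failure or timeout
    if block_page_marker and block_page_marker.encode() in body:
        return BLOCKED
    return REACHABLE


def run_plan(plan: List[TestCase],
             probe: Callable[[str], str] = http_probe) -> List[Result]:
    """Execute every test; a negative test passes when access is denied as expected."""
    results: List[Result] = []
    for tc in plan:
        if tc.expected not in (REACHABLE, BLOCKED):
            raise ValueError(f"{tc.name}: expected must be {REACHABLE!r} or {BLOCKED!r}")
        observed = probe(tc.url)
        results.append(Result(tc.name, tc.expected, observed, observed == tc.expected))
    return results


def summarise(results: List[Result]) -> Dict[str, int]:
    passed = sum(1 for r in results if r.passed)
    return {"passed": passed, "failed": len(results) - passed}


def format_report(results: List[Result]) -> str:
    """Plain-text rows for the workbook's Test Results column."""
    rows = [f"{'Test':<28}{'Expected':<11}{'Observed':<11}Result"]
    for r in results:
        rows.append(f"{r.name:<28}{r.expected:<11}{r.observed:<11}"
                    f"{'Pass' if r.passed else 'FAIL'}")
    return "\n".join(rows)


# Placeholder plan (assumed URLs; 203.0.113.10 is an RFC 5737 documentation address).
SAMPLE_PLAN = [
    TestCase("Allowed site, HTTP", "http://www.example.com/", REACHABLE, "basic outbound web access"),
    TestCase("Allowed site, HTTPS", "https://www.example.com/", REACHABLE, "TLS passes the gateway"),
    TestCase("Denied site", "http://denied.example.net/", BLOCKED, "filter rule must refuse"),
    TestCase("Denied site by IP", "http://203.0.113.10/", BLOCKED, "filter must not be bypassed by using the IP"),
]

# Constructed results standing in for a real run: the last row shows a gateway
# whose filter matches on host names only, so the by-IP request slipped through.
CONSTRUCTED_RUN = {
    "http://www.example.com/": REACHABLE,
    "https://www.example.com/": REACHABLE,
    "http://denied.example.net/": BLOCKED,
    "http://203.0.113.10/": REACHABLE,
}


def constructed_probe(url: str) -> str:
    return CONSTRUCTED_RUN[url]


if __name__ == "__main__":
    print(format_report(run_plan(SAMPLE_PLAN, probe=constructed_probe)))
```

Repeat the whole plan after every reconfiguration, as the notes advise; because the rows carry their expected outcome, a rerun shows at once whether a fix for one failure has opened or closed something else.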

Penetration testing

Penetration testing is a method of testing an Internet gateway with third-party tools. These tools attempt to identify vulnerabilities by trying to break into the system in much the same way a malicious intruder would. A test typically starts with a simple port scan to identify open TCP and UDP ports on the target system. You then check that each open port is meant to be open and take appropriate action to close any that should not be. Run the scan from the Internet side as well as from the LAN side, since the two views differ (the gateway's own administration interface, for example, should not be reachable from the Internet), and only scan systems you are authorised to test.

The tools may then check that the services listening on the open ports are not affected by known vulnerabilities associated with the port or the application behind it. To be thorough, these tools need to be as up to date as possible so that they test for the most recent vulnerabilities as they become known.
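The first step described above, a port scan compared against the list of ports that are meant to be open, as an added example (not from the course notes or from any scanner product). The expected-open set (the 6881-6889 range forwarded in Figure 14 and nothing else on the Internet side) and the constructed scan result are assumptions. It covers TCP only: a UDP port gives no handshake to complete, so UDP needs a different probe and is left to a dedicated tool.

```python
import socket
from typing import Dict, Iterable, Set


def tcp_connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Set[int]:
    """Full-connect scan: a port counts as open when the TCP handshake completes."""
    open_ports: Set[int] = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            try:
                if sock.connect_ex((host, port)) == 0:  # 0 means connected
                    open_ports.add(port)
            except OSError:
                pass  # name or route failure: nothing answered, so not open
    return open_ports


def compare_with_policy(observed_open: Iterable[int],
                        expected_open: Iterable[int]) -> Dict[str, Set[int]]:
    """Split the scan result against the test plan's list of permitted ports."""
    observed, expected = set(observed_open), set(expected_open)
    return {
        "unexpected_open": observed - expected,      # close these, or justify and document them
        "expected_but_closed": expected - observed,  # a service or forwarding rule is missing
        "as_expected": observed & expected,
    }


def verdict(report: Dict[str, Set[int]]) -> str:
    """One line for the test plan's result column."""
    if report["unexpected_open"]:
        ports = ", ".join(str(p) for p in sorted(report["unexpected_open"]))
        return f"FAIL: close or justify {ports}"
    if report["expected_but_closed"]:
        ports = ", ".join(str(p) for p in sorted(report["expected_but_closed"]))
        return f"FAIL: service or forwarding rule missing for {ports}"
    return "PASS"


# Assumed policy for the Internet side of the gateway in the reading notes:
# only the forwarded BitTorrent range should answer. The web administration
# interface in particular must answer only on the LAN side.
WAN_EXPECTED_OPEN: Set[int] = set(range(6881, 6890))  # assumption: 6881-6889 forwarded
SCAN_PORTS = sorted(set(range(1, 1025)) | WAN_EXPECTED_OPEN)

# Constructed scan result standing in for a real run: the BitTorrent range is
# forwarded correctly, but something is also answering on port 80.
CONSTRUCTED_SCAN: Set[int] = {80} | WAN_EXPECTED_OPEN


def assess(observed_open: Iterable[int]) -> str:
    return verdict(compare_with_policy(observed_open, WAN_EXPECTED_OPEN))


if __name__ == "__main__":
    import sys
    # Run against a real target only with the owner's authorisation:
    #   python scan_policy.py <gateway WAN address>   (file name is hypothetical)
    if len(sys.argv) > 1:
        observed = tcp_connect_scan(sys.argv[1], SCAN_PORTS)
    else:
        observed = CONSTRUCTED_SCAN
    print(assess(observed))
```

An unexpected open port is a finding even when the service behind it has no known vulnerability today; the vulnerability check in the next step only matters for ports that survive this comparison.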

Web resources on the use of penetration testing include
 Security Focus: Penetration testing IPSec VPNs – http://www.securityfocus.com/infocus/1821
 InformIT: Sample chapter from Penetration Testing and Network Defense – Performing Host Reconnaissance – http://www.informit.com/articles/article.asp?p=469623&rl=1
 Cybersite Consulting: Penetration testing – http://www.cybersite.com.au/security/pentesting
 Lab Mice: Network penetration and vulnerability testing – http://labmice.techtarget.com/security/penetration.htm
 Ferret: Ultimatum: Penetration tests on wireless networks – http://www.ferret.com.au/articles/b3/0c012db3.asp

An external security company may be contracted to perform the penetration testing and advise you on the appropriate actions to take in order to rectify the vulnerabilities. This would also give your client an unbiased, independent evaluation and assessment report on the security of their Internet gateway.

Many network security companies are available, and a local company that can come on site to discuss and help rectify problems is an advantage. To give an overview of the services offered by these companies, two are listed below:
 EnGarde Systems Inc: http://www.engarde.com/
 Sage Technology: http://www.sagetechnology.com.au/site.asp?PID=85

Activity 6

To practise planning and executing tests, complete Activity 6 – Plan and execute tests, in the Activities section of the Topic menu.

Analyse and respond to error reports

Analysing error reports is a process of troubleshooting, narrowing the error down until the root cause is located, isolated and corrected. Errors come from many sources. You need to keep all possible sources in mind during the analysis of an error situation, including
 general hardware failures
 disruption of power supplies
 network cabling problems (infrastructure and patch cables)
 misconfiguration
 misuse.

Apart from hardware and software failing because of environmental conditions or age, errors may come from a variety of human motivations, such as
 deliberate, malicious or intentionally introduced problems, from either an external or an internal source
 accidental or careless damage
 unsuspecting or uninformed actions, the result of poor training or poor documentation on the use of the system.

Error reports come in many different formats. You should supply your clients with a standard form to complete when reporting errors in order to reduce the amount of different formats you need to deal with. This allows the client to prepare for the questions that you are going to ask during your response and saves time locating the person reporting the error.

The test plan is the most efficient way to check that the basic functionality is still available. You will appreciate the effort you have put into the preparation of the tests and expected results. The reasoning for the different tests you created will help you track down a problem with confidence.

The idea is to reduce the problem down to common factors when analysing any problems with computer systems and networks. If you can isolate the problem, then the solution is generally easily definable. Some questions you need to ask, or to locate on the error report, are shown in the table below.


Table 1: Questions to ask

Question: Is it an error, or is it a function that is not supported?
Reasoning: Perhaps the error is actually something that the user would like to do with a new program.
Solution: Evaluate the function, get appropriate authorisation and implement the new functionality.

Question: Is the error reproducible?
Reasoning: It is hard to locate and repair a fault that cannot be reproduced.
Solution: Try to get an idea of all the circumstances that were present at the time of the fault.
 What other programs were running? What else were they doing on the computer?
 How long had the computer been on?
 What other applications had previously been run?

Question: Is the error reproducible on other workstations?
Reasoning: This would make it a general fault, possibly not isolated to an individual workstation.
Solution: Locate the common component that is causing the error and correct it. The fault may still be in each workstation: occasionally programs and media are revised for new versions of applications, and the workstations need to be updated to a compatible version in order to function correctly. Examples are Flash Player, Adobe Acrobat Reader and Java.

Question: Could it be an operational mistake?
Reasoning: Is the user performing the procedure in the correct order? Are they logged in as the correct user?
Solution: When all hardware and software problems are eliminated, the possibility of operator error needs to be addressed. Ask the user experiencing the error to reproduce it and take note of the steps. Are there any missed steps that may be causing the error? If this is found to be the problem, the remedy involves training for the affected users. This may also mean updating any training documents that do not adequately demonstrate the procedure to follow to avoid the error.

After any resolution of an error or addition of functionality, it is important to recheck that the system functions correctly against the test plan. This may require updating the test plan and documentation.

Remember that you may not be the next person to work on any particular system, so updating any documentation is vital.

Activity 7

To practise analysing and responding to error reports, complete Activity 7 – Analyse and respond to error reports, in the Activities section of the Topic menu.


Activities

Image: Activities icon

Activity 1 – Research ICS

Access the Microsoft website in order to find information on Internet connection sharing. You could go to the Microsoft home page at http://www.microsoft.com/en/us/default.aspx and search for Internet connection sharing, or follow these links:
 http://support.microsoft.com/default.aspx?scid=kb;en-us;234815 (Description of Internet connection sharing)
 http://www.microsoft.com/windowsxp/using/networking/learnmore/icf.mspx (Use of the Internet connection firewall)
 http://support.microsoft.com/kb/237254/ (How to enable Internet connection sharing on a network connection in Windows 2000)
 http://support.microsoft.com/kb/314066/EN-US/ (How to enable Internet connection sharing on a home or small office network connection in Windows XP)

Can you confirm the following information regarding ICS from these sites?
 An IP address of 192.168.0.1 with network mask of 255.255.255.0 is given to the ICS host computer.
 The above settings cannot be changed without disabling ICS.
 Internet connection firewall or Windows firewall are recommended.
 Dial-up connections are automatically dialled whenever anyone tries to access the Internet.

Feedback

You should have been able to locate the information for confirmation from the web page links provided. You will also have seen that information on the configuration of each ICS host system, from Windows 98 SE through to the latest Windows operating systems, is available.

Activity 2 – Terminology used to set configuration of devices

The following link is for a manufacturer of a proprietary Internet phone system. Their software requires routers or firewalls to be configured to allow the service to be accessed from the Internet on their clients' computers. The feature that allows this is often called port forwarding.
 Click on the link provided below and scroll down to the bottom of the page, where you will find links for a variety of routers and firewalls.
 Click on each of these links in turn (use the Back button in between) and assess the differences in terminology and the logical grouping of services in the various menu systems used in these routers and firewalls.
 Specifically, identify the port forwarding references and create a table with the alternative naming, description and grouping for each of the router and firewall products and devices listed.

http://www.haxial.com/faq/routerconfig (Haxial Software)

Feedback

The pages for the different routers and firewalls show various options for port forwarding to be configured, such as those shown in the next table.

Table: Devices and terminology

Device or software product: Terminology used for port forwarding

Microsoft Windows XP: Service setting. Not port forwarding to another system, just a different port on the ICS host enabled through the Windows firewall.
Apple AirPort: Port mapping
Linksys: Forwarding and customised applications
Sustworks IPNetRouter: Window – Port mapping
Linux: The example demonstrates direct iptables commands, which is the application used to configure the router/firewall found in all recent distributions. However, there are many programs that help configure the built-in router, such as FireStarter.
MacOS X: Firewall Sharing. The firewall is not port forwarding to another system, just opening the port on the firewall computer to allow access to a specific port.
DrayTek: Advanced set-up – NAT set-up – Configure port redirection table
Asante: Advanced – Distributed server set-up
Efficient SpeedStream: Firewall – Port forwarding
D-Link: Advanced – Virtual server
Vicomsoft InterGate: Network – Firewall settings

Activity 3 – Exploring Linux gateways

Research some of the Linux gateway solutions shown in the Reading notes. Click on each of the links and investigate the features and licensing for the various products offered. Produce a table with a basic summary of your findings.
 http://www.simonzone.com (SimonZone Guarddog)
 http://www.coyotelinux.com (Vortech Consulting Coyote Linux)
 http://www.clarkconnect.com (Point Clark Networks' ClarkConnect)
 http://www.coyotelinux.com (Vortech Consulting Wolverine Linux)

Feedback

Each of the products has differing requirements in both the knowledge needed to install them and the ongoing support given. Generally, if a payment and annual fee is required, then support will be more dependable. (You get what you pay for.) The free products are not necessarily inferior to the commercial offerings—often they only differ in the support offered.

GuardDog requires a working Linux installation before it can be used, so a working knowledge of Linux is required in order to install and configure the Internet gateway.

The other solutions are installed on dedicated systems. Coyote Linux is the least resource hungry and may be installed on an otherwise-disused computer system with two network cards.

Both ClarkConnect and Wolverine Linux will benefit from a more powerful system, depending on the level of performance required of the Internet gateway. Even so, a system with a small hard drive and limited memory may be adequate, so new equipment need not be purchased specifically for the gateway.


Activity 4 – Enterprise appliances

Research some of the enterprise appliances available from the following manufacturers. Find information on the firewall and VPN throughput and the maximum number of connections.
 Cisco Systems: http://www.cisco.com – search for "Adaptive Security Appliances Models Comparison" and follow the resulting links to locate detailed specifications on an ASA product. Hint: put the double quotation marks inside the search field ("…").
 Symantec Systems: http://www.symantec.com – search for "Symantec Security Appliances Comparison Chart" and follow the resulting links to locate detailed specifications on an appliance product, and get the actual comparison chart from the resources list at the bottom of the page. Hint: put the double quotation marks inside the search field ("…").

Feedback

Look at the tables below.

Table: Cisco Adaptive Security Appliance – ASA 5510 specifications

Feature                  Description
Firewall throughput      Up to 300 Mbps
VPN throughput           Up to 170 Mbps
Maximum connections      50,000

Go to http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

Table: Symantec Gateway Security – SGS 5420 specifications

Feature                      Description
Firewall throughput          Up to 200 Mbps
VPN throughput               Up to 90 Mbps
Maximum concurrent sessions  64,000

Go to http://www.symantec.com/content/en/us/small_business/media/pdf/SGS_300_matrix.pdf


Activity 5 – Install Coyote Linux Internet gateway

If you haven't already done so, follow the instructions given in the Reading notes on downloading and installing the floppy disk version of the Coyote Linux Internet gateway.

The floppy disk version can run on an existing system without affecting the main hard drive of the system, so you can check that it at least boots. If you have a second computer, or an old computer with at least a floppy drive and one network card, then you can create an Internet gateway and use the web administration interface.

If you have a dial-up Internet connection, then you could try to configure the Internet gateway with a dial-up connection during the initial disk creation. Then you only need the one network card and you have a dial-up Internet gateway.

Feedback

Hopefully, you will have been able to get the Internet gateway working to the point of using the web administration interface.

The hardest part was probably identifying the network cards in the computer you used for the gateway. Did you try the ideas and methodology given in the reading notes for identifying the correct drivers?

Were you able to configure your network and computers to connect to the Internet through your gateway?

Activity 6 – Plan and execute tests

Download and open the Test Plan – Sample Workbook and try the test links while your Internet connection is open.

Test Plan - Sample Workbook (19 KB Test Plan_Sample Workbook.xls)

 Practise filling in the workbook as you perform the tests.
 Do all the tests work?
 What other tests would be helpful in this test tool?

Feedback

Practise filling in the workbook by
 saving the sample test plan with a new file name
 changing the date heading to reflect the date when you performed the tests
 filling in either Pass or Fail in the results column under the date you just entered.

Most connections to the Internet should allow all of these tests to succeed.

Additional tests that would extend the usefulness of the test tool include
 trial downloading of various file types – ZIP, EXE, COM
 trial use of different communications programs – MSN Messenger, ICQ, SSH, Telnet, BitTorrent.

Activity 7 – Analyse and respond to error reports

Construct a suitable Error Reporting Form for use with an Internet gateway. The form should help you get the most from a user's error situation without making it too technically daunting. Simple instructions should be embedded in the form to aid in the completion of the document.

You should consider
 what information is required
 in what order it should be requested
 how to avoid duplication
 the use of a mixture of closed and open-ended questioning.

Feedback

Your form should be trying to gather the appropriate information. Check out the following site to get an idea of how others have tried to gather information that is immediately helpful. You can also try searching the Internet to get further resources.

http://plone.org/documentation/how-to/ask-for-help (Plone.Org – Asking for Help with Errors and Problems)

This page explains to people who are having trouble getting their problems resolved how to describe the problem efficiently and get advice. Your form should aim to achieve the same objective for the user having problems.


References

Image: References

Print

There is no specific textbook for this topic. The following list contains some suggested textbooks and manuals only. There are many software manuals, reference books and user guides available from libraries, bookshops, on CD-ROMs or on the Internet. Ensure that the manuals used are written for the version of the software being used.

Wolf, C, Troubleshooting Microsoft Technologies: The ultimate administrator's repair manual, Addison Wesley. ISBN: 0-321-13345-5

Long, L, Home Networking Demystified, McGraw-Hill Osborne. ISBN: 0-07-225878-0

TechRepublic, PC User's Troubleshooting Guide, TechRepublic ZDNet. ISBN: 1-931490-78-3

Dawson, Purdy and Bautts, Linux Network Administrator's Guide, O'Reilly. ISBN: 0-596-00548-2

TechRepublic, Small Office Networking, TechRepublic ZDNet. ISBN: 1-931490-71-6

Internet

The following websites contain information on Internet gateways, firewalls, port forwarding and penetration testing, and/or links to other similar sites. If the web page does not open by clicking the link, try copying and pasting the link into your web browser's address bar.

http://www.cisco.com/warp/public/10/wwtraining/certprog/testing/simulation/demo_sim.html (Demo of configuration of a real router from Cisco)


http://www.lib.unb.ca/Texts/PST/2005/pdf/geng.pdf (Usable firewall configuration)

http://www.webcamsoft.com/en/faq/firewall.html (Configure for DMZ servers)

http://www.haxial.com/faq/routerconfig (Port forwarding examples)

http://www.portforward.com/help/porttrigger.htm (Explanation of ports, NAT and port forwarding)

http://www.portforward.com/help.htm (Basic help and definitions)

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00801162eb.html (Configuring PIX firewall)

http://www.irchelp.org/irchelp/security/fwfaq.html (Firewall FAQ)

http://www.tp-link.com/product/show.asp?ProductNO=295 (TP-Link TD-8800 ADSL Router – Residential Gateway. Download the User's Guide.)

http://www.tp-link.com/product/show.asp?ProductNO=362 (TP-Link TL-4000 Router – Small business to enterprise gateway. Download the User's Guide.)

http://www.wkmn.com/newsite/dsl.html (WKMN – DSL Resources – information about many factors of this topic)

http://www.microsoft.com/technet/prodtechnol/winxppro/Plan/topology.mspx (Home and Small Office Network Topologies – Microsoft's explanation of choices available for small networking solutions)

http://www.securityfocus.com/infocus/1821 (Security Focus – Penetration Testing IPSec VPNs)

http://www.informit.com/articles/article.asp?p=469623&rl=1 (InformIT – Sample chapter from Penetration Testing and Network Defense – Performing Host Reconnaissance)

http://www.cybersite.com.au/security/pentesting (Cybersite Consulting – Penetration testing)

http://labmice.techtarget.com/security/penetration.htm (Lab Mice – Network penetration and vulnerability testing)

http://www.ferret.com.au/articles/b3/0c012db3.asp (Ferret – Ultimatum: Penetration tests on wireless networks)

http://plone.org/documentation/how-to/ask-for-help (Plone.Org – Asking for help with errors and problems)

http://www.simonzone.com (Guarddog – SimonZone)


http://www.coyotelinux.com (Coyote Linux – Vortech Consulting)

http://www.clarkconnect.com (ClarkConnect – Point Clark Networks)

http://www.coyotelinux.com (Wolverine Linux – Vortech Consulting)

http://zonelabs.com (Zone Alarm – Zone Labs)

http://www.grisoft.com (AVG Firewall – GriSoft)

http://www.symantec.com (Norton Personal Firewall – Symantec)

http://www.grisoft.com (AVG Anti-Virus – GriSoft)

http://www.f-prot.com (F-Prot Anti-Virus – Frisk - Software International)

http://www.lavasoft.com (Adaware Anti-Malware – Lavasoft)

http://www.safer-networking.org (Spybot - Search and Destroy – Anti- Malware – Spybot)


Topic quiz

Image: Topic quiz

This quiz will help you review the content you have learned in this topic.

Answer the questions, check the feedback at the end of each question and take note of the areas you need to review.

1. What are two types of device used to provide Internet gateways for home and small offices and larger enterprises?

Feedback

Devices that provide the Internet gateway function for home and small businesses are known as residential gateways. Larger enterprises use devices with similar functionality but generally greater throughput called appliances.

2. What purpose do anti-virus and anti-malware products serve on the workstations of a local area network protected behind an Internet gateway?

Feedback

Even though a LAN is protected behind an Internet gateway, there are other ways that threats may enter a LAN. The anti-virus and anti-malware applications still have a role in detecting such threats and preventing them from spreading within the network. These threats may have come from various sources including email, portable storage devices (USB drives) and even cameras and MP3 players.

3. Which of the following statements is false with reference to Internet connection sharing?

ICS allows multiple computers to access the Internet through a single ISP account

the ICS host system will be automatically allocated the 192.168.0.1 IP address

ICS requires only the workstation wanting access to be powered on


all computers in the LAN will use the same DNS address settings

Feedback

The false statement is: ICS requires only the workstation wanting access to be powered on. The ICS host computer shares its own Internet connection, so it must be powered on and connected for any workstation to reach the Internet through it. If you chose another answer, go to the Reading notes and review the section Identify configuration options.

4. Port forwarding is available on most Internet gateway systems – it is just a matter of configuring it. Which of the following is not a valid reason for using port forwarding on the Internet gateway?

provide access to servers within the LAN from the Internet

provide Internet-accessible services

allow FTP downloads to LAN workstations

allow Internet-based multi-player games to be played.

provide email server facilities

Feedback

Allowing FTP downloads to LAN workstations is not a valid reason for using port forwarding. A download is a connection started from inside the LAN, which the gateway's NAT already handles without a forwarding rule; the other options all require connections started from the Internet to reach a host on the LAN. If you chose another answer, go to the Reading notes and review the section Install and configure gateway products.

5. In what situations might a particular port need to be opened on the Internet gateway?

Feedback

Some applications require access through ports other than the standard ports the gateway opens by default. Blocking most inbound ports by default prevents intrusion but can prevent some functionality of required applications. Many of these problems can be solved with a stateful packet inspection (SPI) firewall, which allows the replies to connections started from the LAN back in, or with port forwarding for connections that must be started from the Internet, as part of the Internet gateway solution.

6. Along with testing that an Internet gateway is providing the services as required, what else needs to be tested?

Feedback


An Internet gateway has more than one purpose. Not only should it provide access to services to and from the Internet, but it must also prevent unwanted intrusion from the Internet and limit access to undesirable sites from within the LAN. The testing plan must address these negative tests as well and provide the expected outcomes from the test attempts. It is also a great idea to initially, then periodically, carry out a penetration test to prove the robustness of the Internet gateway and attempt to discover vulnerabilities before others find them.

7. In general, what are three main causes of error in the Internet gateway? What is a good first step in locating and resolving most of these problems?

Feedback

Generally faults occur in three distinct areas – hardware failure, misconfiguration, and misuse. These can be exemplified by the following situations: a component or cable fault identified by specific error messages or indicator lights (or their absence); a small typographical error; and an attempt to use a program for a service not previously intended. A good first step in locating and resolving these errors is the error reporting process and gathering information to reproduce the error. This step would be followed by the use of the test plan to confirm functionality, thus determining what is working and what is not. The error location should hopefully be identified as a particular common element that can be reconfigured or repaired or replaced.
