Analyzing Offensive and Defensive Networking Tools in a Laboratory Environme
Permanent address of the item is
Verkon hyökkäys- ja puolustustyökalujen testausta laboratorioympäristössä
The safest way of conducting network security testing is to do it in a closed laboratory environment that is isolated from the production network, and whose network configuration can be easily modified according to needs. Such an environment was built to the Department of Pervasive Computing in the fall of 2014 as part of TUTCyberLabs. In addition to the networking hardware, computers and servers, two purchases were made: Ruge, a traffic generator, and Clarified Analyzer, a network security monitor. Open source alternatives were researched for comparison and the chosen tools were Ostinato and Security Onion respectively. A hacking lab exercise was created for Computer Network and Security course employing various tools found in Kali Linux that was installed on the computers. Different attack scenarios were designed for the traffic generators and Kali Linux, and they were then monitored on the network security monitors. Finally a comparison was made between the monitoring applications. In the traffic generator tests, both Ruge and Ostinato were capable of clogging the gigabit network found in the laboratory. Both were also able to cause packet loss in two different network setups rendering the network virtually unusable. Where Ostinato finally lost the comparison was its lack of support for stateful connections, e.g., TCP handshake. In the hacking lab exercise the students’ task was to practice penetration testing against a fictional company. Their mission was to exploit various vulnerabilities and use modules found in Metasploit to get a remote desktop connection on a Windows XP machine hidden behind a firewall, by pivoting their connection through the company’s public web server. Comparing the monitoring applications, it became clear that Clarified Analyzer is focused on providing a broad overview of one’s network, and does not provide any alerts or analysis on the traffic it sees. Security Onion on the other hand lacks the overview, but is able to provide real time alerts via Snort. Both of the applications provide means to export packet capture data to, e.g., Wireshark for further analysis. Because of the network overview it provides, Clarified Analyzer works better against denial of service attacks, whereas Security Onion excels in regard to exploits and intrusions. Thus the best result is achieved when both of these are used simultaneously to monitor one’s network.