Wargames: Part 3

If you missed Part 1, it can be found here
If you missed Part 2, it can be found here

As I've mentioned, there are two parts to the wargames: attacker and defender. This tutorial looks at things from the defender's point of view. And, like the attacker, the defender has certain things that have to be done beforehand. Some of this may seem like common sense, but it sometimes needs to be said. I don't have to tell you what not to do; rather, this is the stuff you should be doing anyway to lock down your machine/network.

1. Pick the Purpose

2. Plan out what will be run
- OS
- software needed
- services
- user needs
- partition planning
- hardware setup
- defenses

3. Actual installation

4. Patches, fixes, updates

5. Vulnerability scans

6. Potential compromises

7. Alternative Defender role

This particular situation works best in my advanced course, where students spend a full semester building a secure network. This should be no different from what an administrator does to set up a secure system. When it comes down to it, the measure of success is the same as for the attacker: the more research you do and the more you plan, the better able you are to keep from being broken into. The reality is that there is NO such thing as 100% secure. It doesn't exist. As a defender, however, I can make it harder for someone to break in. They may have to be noisier, craftier or really damn amazing, blow-your-mind good. But I won't make it easy for them.

Planning is important for the defender. Writing things down in a log book for future reference helps. Keep a log book beside you so you can record URLs, the steps you took to configure something (in case you need to redo it), contacts, etc. Make it your "admin bible", if you will. You will have lots of reference material in your lifetime, but none will be as critical as the log book you keep while building your secure system.

1. Pick the Purpose

When you build a machine, you don't just say "oh well, I feel like dishing out $2000 for hardware and such... just because". There usually is a "raison d'etre" for the computer you use, whether at home, work or elsewhere. Know what the box will be used for. In the case of the wargames in my advanced course, students have to build each of the following into their network: DNS, email server, web server, ftp server, ssh/telnet server and router. They are required to use at least one each of *nix and Windows. Which version/variation is left up to them, and anything beyond the minimum requirements is up to them. So ensure you know in advance what the system in question is supposed to do. You should then be able to identify what needs to run, what shouldn't be running and what might be missing.

2. Plan out what will be run

You should write out what you will need to install on the system in question and at what point you'll connect it live to something (in this case, to the network the wargames will be a part of -- an internal network at your or a buddy's house). Let's start with the OS. The eternal debate is which is more secure: *nix or Windows. Well, how about neither? In the real world, it truly comes down to what the admin (YOU) is able to do. If you feel more comfortable with Windows, use it. If you are more comfortable with *nix, use it. IMHO, the comfort factor is important in that you know where to find things and spend less time making "oops... didn't mean to delete that... oh dammit, now the OS doesn't boot... sigh... start again" type errors. (A colleague of mine decided to remove EVERYONE from all folders in NT. This caused his system to become unbootable.)

And assume nothing when doing this exercise. Once you make assumptions (that is, deciding something without all the facts) you open yourself up to more pitfalls and vulnerabilities. It's harder to do for those that have been in the field for many years because experience tends to cloud one's vision of what might be going on and results in a reaction based on a previous experience rather than the immediate issue.

If you decide to try something new, take the time to read up on that OS. There is enough material out there on the Internet to help. Additionally a visit to the local bookstore can be helpful. If you're unsure which book to pick, Amazon sometimes can have reviews on various books to give you an idea as to the "worthiness" of a particular book. The following should give a good start at being successful:

All OSes

Google: 'nuff said.
- Any search engine in addition to google.com
- Antionline: Tutorials and specific forums have quite a lot of information in addition to the many members who are experts in their respective field(s) and area(s).
- SANS InfoSec Reading Room: has many OS specific white papers.

Windows OS
- Microsoft Press: for the most part isn't bad
- TechNet (http://www.microsoft.com/technet/default.mspx): good resource
- WindowsSecurity.com: still houses the Navy's Guide to Securing NT
- NSA's Windows 2000 Security Guides

Linux (keep in mind there may be distro specific guides)
- LinuxSecurity
- O'Reilly books: by far, these are some of the best books around. Specifically, Building Secure Servers with Linux and Practical Unix and Internet Security.
- LinuxQuestions

I'll leave it at this for now as these tend to be the OSes students use. There are sites for Macintosh, Solaris, Novell, etc. security in addition to many OS-specific publications (Unleashed series, Bible series, etc.). Sometimes even the simpler books -- Learn in 24 Hours, Sams Teach Yourself, Visual QuickStart -- can have good info (not necessarily in-depth information, however). Don't rush your research and planning stage. You want to build a box that can last against an attacker. You do want to beat him, don't you?

So what do you need to plan? Well, once you've chosen your OS, you need to figure out which parts of that OS you actually need to install. If you don't need something, don't install it. Period. I've never understood why a web server would need Windows Media Player. Default installs are a no-no. NEVER do that. Always configure the install to what you need and nothing more. Leaner is better: it's easier to add what you need than to figure out what you forgot to remove. If the OS can survive without a GUI, then so can you. No server really needs a GUI (and in some environments I've been in, having a monitor that's more than 10" and more than 2 colours was a treat). There is a lot of power in the command line. Use it.

Once you determine what parts of the OS you need, figure out what software/applications you will be running on this box. Obviously, this is based on what the box will be doing. In an ideal world, you have one box per service. The reality of $$ often says otherwise. In the classroom setting, students are often limited by a) the machines that are stable (I don't know what it is about educational machines but they often seem to be the flakiest things around) and b) the physical hard drives they have (students in my classes have removable drives that they've accumulated over the years -- as few as 2 but as many as 8 in some cases). If you have to do a multi-service machine, plan accordingly. In the classroom setups, students have combined the following (to great success):

- Router/IDS/Firewall
- DNS/Email
- FTP/Web
- MySQL/Internal Sniffer

What you decide to choose is up to you, but keep in mind that the more services you run on a single machine, the more risk and the more work that one box carries. Obviously, if it's a network of boxes, the work is spread out but there is even more of it.

When picking the necessary application/software it isn't just a matter of choosing the latest and greatest. In fact, in some cases that may not be the best. While Sendmail and BIND are common *nix SMTP and DNS servers respectively, that doesn't make them the best. Qmail, while a bit harder to configure, might be a good alternative for an SMTP server (these are just ideas, not recommendations). Again, it comes down to researching various products and understanding what features, flexibilities and drawbacks they have. When it comes to a limited budget, search out the Open Source alternatives. In addition, many people are unaware that Microsoft offers many of its products as 180-day, fully working trials (yes, that's 6 months). Use these to your advantage when learning how to secure things.

You may need to run additional services along with the primary application/software. Do the necessary research on each such service to understand fully how it integrates with the software/application in question. Key ones tend to be things like RPC, the TCP/IP stack, logging, etc. You may need to deal with specific risks/problems with those services as well.

Again, depending on what the planned box will be doing, you may need to consider what the user(s) can and can't do on it. It's not just a question of putting them into a solid jailed environment where they can only log in. In the work environment, they need a functional account. This may include things like email, web surfing, etc. So set up according to what a user needs and not necessarily what a user wants (this also goes for the admin: saying that users cannot download streaming audio and then doing it yourself as an admin doesn't usually go over well). The user setup may require limiting access to certain areas (do they really need access to <winnt>/system32/repair, where the backup SAM is kept after running rdisk /s?). Figure out which areas they really need to get to and which they don't.

You should also do appropriate partition planning. This will vary depending on the size of the hard drive(s) and whether you are using a RAID configuration or not, but some things are worth keeping in mind. First, I separate DoS attacks into two types: bandwidth consumption (remote attack only) and resource starvation (remote or local attack). Bandwidth consumption is self-explanatory. Resource starvation is when the CPU, RAM and/or hard drive(s) are run up to 100% and those resources thus become unavailable. Partitioning your OS properly can help mitigate some of the effects of a resource starvation DoS. Separate the OS from the data, making it easier to rebuild the OS if need be without compromising the data. Set quotas for users and common areas for CPU, RAM and hard drive space. We often associate quotas with hard drive space only, but go play with a bash fork bomb and tell me how well your P4 with gobs of RAM withstood it. Probably pooched it pretty quick, eh? You might even decide to set up a partition for logging (if you decide you want logging locally), so a flood of log entries cannot fill the partition the OS or the data lives on.
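As an added example (not from the original tutorial), the shell functions below check a planned layout against the two points above: that the data, logs and home directories have partitions of their own, and that there is a hard per-user process limit to blunt a fork bomb. The fstab and limits.conf contents are constructed for the example, the list of mount points is an assumption, and the nodev/nosuid check goes a step beyond the text (it is a sensible default for any partition that isn't the root filesystem).

```shell
#!/bin/sh
# Added example, not from the original tutorial: check a planned partition
# layout and process limits against the points above. The mount points,
# the fstab and limits.conf contents are constructed for this example.

# Constructed /etc/fstab: /var/log and /home were forgotten, and the data
# partitions (other than /srv) are mounted with bare "defaults".
SAMPLE_FSTAB='# <device>  <mount>  <type>  <options>              <dump> <pass>
/dev/sda1   /        ext3    defaults               1 1
/dev/sda2   /var     ext3    defaults               1 2
/dev/sda3   /tmp     ext3    defaults               1 2
/dev/sda4   /srv     ext3    defaults,nosuid,nodev  1 2
/dev/sda5   swap     swap    defaults               0 0'

# Constructed /etc/security/limits.conf (Linux PAM): only a soft nproc cap,
# which a user can raise again with ulimit, so it does not stop a fork bomb.
SAMPLE_LIMITS='# <domain> <type> <item>  <value>
*          soft   nproc   200
@admin     hard   nproc   unlimited'

# Same file with the line a defender would add: a hard per-user process cap.
HARDENED_LIMITS="$SAMPLE_LIMITS
*          hard   nproc   500"

# missing_partitions "MOUNTPOINTS" "FSTAB": print each mount point in the
# list that has no partition of its own in FSTAB.
missing_partitions() {
    for mp in $1; do
        printf '%s\n' "$2" | awk -v mp="$mp" \
            '$1 !~ /^#/ && $2 == mp { found = 1 } END { exit !found }' && continue
        echo "$mp"
    done
}

# weak_mount_options "FSTAB": print data partitions mounted without both
# nodev and nosuid (root filesystem and swap are skipped).
weak_mount_options() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^#/ || $2 == "/" || $3 == "swap" { next }
        {
            n = split($4, o, ","); nodev = nosuid = 0
            for (i = 1; i <= n; i++) {
                if (o[i] == "nodev")  nodev = 1
                if (o[i] == "nosuid") nosuid = 1
            }
            if (!nodev || !nosuid) print $2
        }'
}

# has_hard_nproc "LIMITS": succeed and print the value when a hard nproc
# limit is set for every user ("*"); fail otherwise.
has_hard_nproc() {
    printf '%s\n' "$1" | awk '
        $1 == "*" && $2 == "hard" && $3 == "nproc" && $4 ~ /^[0-9]+$/ { print $4; ok = 1 }
        END { exit !ok }'
}

echo "no separate partition for:"; missing_partitions "/var /var/log /tmp /home" "$SAMPLE_FSTAB"
echo "mounted without nodev,nosuid:"; weak_mount_options "$SAMPLE_FSTAB"
has_hard_nproc "$SAMPLE_LIMITS" || echo "no hard nproc limit in limits.conf"
echo "hardened file caps processes at: $(has_hard_nproc "$HARDENED_LIMITS")"
```

Run it against the real files with `missing_partitions "/var /var/log /home" "$(cat /etc/fstab)"` and `has_hard_nproc "$(cat /etc/security/limits.conf)"`; a hard nproc value is what `ulimit -u` will report for a fresh login, and it is the one thing in this list a user cannot undo from their own shell.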

Now, with the wargames in the classroom this is hard to do, but a home variation certainly can have it done. Ensure that the hardware is also secured. Put passwords on the BIOS and on bootup, disable/remove the floppy, disable/remove the CD/DVD, put security screws on the case, etc. You don't want to find out that while you were out getting the beer for the games your machine suffered a "power outage" and rebooted... and was "rewted" with a boot disk.

You should also plan what defenses you'll put in place. While you can lock down the machine well, there are always ways around any setup. Again, it comes down to mitigating the risk and making it harder for the attacker. You might include some or all of these (depending on the complexity of the wargames, the number of machines available and the planning time -- in the classroom setting, while not explicitly told, students are expected to include them): firewall(s), intrusion detection system(s) -- both host-based and network-based, anti-virus software, a network sniffer, and honeypot(s).

Firewalls are self-explanatory, but one thing needs saying. I often see people asking how to stop a service and others responding with "put up a firewall". This isn't the right way to deal with an open port. If there is a port open that you don't need, close it by removing or shutting down the service; a firewall rule only hides it, and it comes back the moment the rule is wrong or the firewall is down. If the service must remain, then the firewall is needed for appropriate defense.
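As an added example (not from the original tutorial), the shell audit below takes `ss -ltnup`-style output together with the list of ports the box exists to serve, and reports every other listener, noting whether it is bound to loopback only or exposed. Everything it prints is a candidate for removal, not for a firewall rule. The function name, the allowlist and the socket listing are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: list every listening
# socket that is not on the allowlist of services this box exists to run.
# On a live Linux box feed it `ss -ltnup` (run as root so process names
# show); the sample below is constructed to look like that output.

SAMPLE_SOCKETS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*   users:(("sshd",pid=612,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80        0.0.0.0:*   users:(("nginx",pid=900,fd=6))
tcp   LISTEN 0      100    127.0.0.1:25      0.0.0.0:*   users:(("master",pid=702,fd=13))
tcp   LISTEN 0      50     0.0.0.0:111       0.0.0.0:*   users:(("rpcbind",pid=410,fd=4))
udp   UNCONN 0      0      0.0.0.0:111       0.0.0.0:*   users:(("rpcbind",pid=410,fd=5))
tcp   LISTEN 0      64     [::]:2049         [::]:*'

# audit_listeners "PORTS"  (stdin: ss -ltnup output)
# Prints "proto/port program scope" for each listener whose port is not in
# PORTS. scope is "loopback" when bound to 127.0.0.1 or ::1, else "exposed".
audit_listeners() {
    allowed=" $1 "
    awk -v allowed="$allowed" '
        NR == 1 { next }                               # column header
        {
            n = split($5, a, ":"); port = a[n]         # port is after the last ":"
            addr = substr($5, 1, length($5) - length(port) - 1)
            scope = (addr == "127.0.0.1" || addr == "[::1]") ? "loopback" : "exposed"
            prog = "?"                                 # "?" = not root, or no process info
            if (match($0, /\(\("[^"]+"/))
                prog = substr($0, RSTART + 3, RLENGTH - 4)
            if (index(allowed, " " port " ") == 0)
                print $1 "/" port, prog, scope
        }'
}

# Demo: this box is supposed to be an ssh + web server only.
printf '%s\n' "$SAMPLE_SOCKETS" | audit_listeners "22 80"
```

On the sample this lists port 25 (loopback only, so the mail system is probably just delivering local mail), rpcbind on tcp and udp 111, and an unexplained listener on 2049 with no owning process shown, which is exactly the kind of thing to chase down in the log book before the box goes live.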

There are different types of firewalls, each with its strengths. As a defender, it can be worthwhile to run the wargames with different firewalls to see how well they respond to various situations (e.g., DoS attacks, scans, spoofs, etc.).

A HIDS (host-based IDS) is generally placed on the system immediately after it's built but before it's connected to the network. A NIDS (network-based IDS) would, ideally, be on another machine, monitoring activity to and from the defender. Depending on the budget, there may need to be a hub (or a mirror/span port on the switch) so the NIDS can see all the traffic.

Anti-virus software is a required item for Windows machines but might also be worthwhile for *nix machines (remember, make no assumptions during an all-out wargame). A network sniffer can pick up all traffic, malicious or otherwise (wargames are a good way to learn how to read packets like those from tcpdump; for more in-depth help, get Stephen Northcutt's Network Intrusion Detection, 3rd Ed.). The honeypot(s) are obviously for network wargames where you have many machines (about 10+).
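As an added example (not from the original tutorial), here is a small generator for a default-deny iptables ruleset in iptables-restore format, covering the services that must stay reachable once the unneeded ones have been removed. Dropped packets are logged with a rate limit so a port scan cannot fill the log partition and so the sniffer/NIDS has something to correlate against. The port list, the management host and the log prefix are assumptions for this example; read the output before loading it.

```shell
#!/bin/sh
# Added example, not from the original tutorial: emit a default-deny
# iptables ruleset (iptables-restore format) for the services that must
# stay reachable after everything else has been removed. The port list and
# the management host are assumptions; read the output before loading it
# with `iptables-restore < rules.v4` on a box you can reach at the console.

# firewall_rules "TCP_PORTS" ADMIN_HOST
#   Every listed port is opened to the world except 22, which (if an
#   ADMIN_HOST is given) is only reachable from that host. Everything else
#   is logged (rate-limited, so a scan cannot fill the log partition) and dropped.
firewall_rules() {
    ports=$1; admin=$2
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
EOF
    for p in $ports; do
        if [ "$p" = 22 ] && [ -n "$admin" ]; then
            echo "-A INPUT -p tcp -s $admin --dport 22 -m state --state NEW -j ACCEPT"
        else
            echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
        fi
    done
    cat <<'EOF'
-A INPUT -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "FW-DROP: "
-A INPUT -j DROP
COMMIT
EOF
}

# Demo: a web server that keeps ssh for the admin workstation only.
firewall_rules "22 80 443" 192.168.1.10
```

The rule order matters: loopback and established traffic are accepted first so the box keeps working, each remaining service gets one explicit NEW rule, and the LOG rule sits immediately before the final DROP so every dropped packet (up to the limit) leaves a line in the log with the FW-DROP prefix that the sniffer or NIDS can be checked against.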

3. Actual Installation

Now that you've planned everything, you will do the install. Before installing, download what is needed to a safe, central location. You do not want to build this box while it's connected to the Internet or another network. That leaves it open to attack before you've finished installing and patching everything. (I've seen this happen successfully in wargames.)

Follow what you've decided, but also write down step by step what you do to install. This includes the mundane "Press Next", etc. It goes a long way toward recreating the setup if you need to, passing information on to others (it's always great to read someone else's stuff but just as great to give information back) and finding where mistakes were made if need be.

4. Patches, fixes, updates

As part of your planning, you would have researched what patches, upgrades, fixes, etc. are necessary for both the OS and the application/software, right? Add them after your bare-minimum install and lock down the box as necessary. Keep in mind that in some cases there is a required order to the patches, and you may need to re-apply patches after installing or upgrading something that overwrote them.

5. Vulnerability scans

Once the system is complete, do some vulnerability scans with tools like nmap, Retina (great against Windows boxes), Nessus and others. The more, the merrier. If you remember, in the previous tut I mentioned that you can get different responses from different scanners. This is true from the defender's point of view as well. The more information you have on your box the better. Research any vulnerabilities found, no matter how insignificant they may seem, and fix every problem found. Repeat as many times as necessary. Remember to record any information found.
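As an added example (not from the original tutorial), the shell functions below pull the open ports out of nmap's greppable output (`nmap -oG`) and diff two scans, so the "before" and "after" of each hardening pass go into the log book as a short list of what closed and what appeared rather than a raw dump. The two scan results are constructed for this example; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original tutorial: extract open ports from
# nmap greppable output (-oG) and diff two scans of the same host.
# Both scan results below are constructed; real ones come from
#   nmap -sS -p- -oG before.gnmap <host>    (and again after hardening)
export LC_ALL=C

SCAN_BEFORE=$(printf 'Host: 192.168.1.20 ()\tStatus: Up\nHost: 192.168.1.20 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (995)\n')

SCAN_AFTER=$(printf 'Host: 192.168.1.20 ()\tStatus: Up\nHost: 192.168.1.20 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)\n')

# open_ports  (stdin: -oG output) -> one "port/proto service" line per open port.
# The Ports field is "port/state/proto/owner/service/rpc/version/" entries
# separated by ", "; only state "open" is kept (filtered/closed are dropped).
open_ports() {
    sed -n -e '/Ports: /!d' -e 's/.*Ports: //' -e 's/[[:space:]]*Ignored State.*//' -e p \
        | tr ',' '\n' \
        | awk -F'/' '$2 == "open" { sub(/^[ \t]+/, "", $1); print $1 "/" $3, $5 }' \
        | sort -n
}

# scan_diff "BEFORE" "AFTER" -> "closed port" for ports that went away,
# "new port" for ports that appeared. comm needs lexically sorted input.
scan_diff() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "$1" | open_ports | sort > "$d/before"
    printf '%s\n' "$2" | open_ports | sort > "$d/after"
    comm -23 "$d/before" "$d/after" | sed 's/^/closed /'
    comm -13 "$d/before" "$d/after" | sed 's/^/new /'
    rm -rf "$d"
}

echo "open before:"; printf '%s\n' "$SCAN_BEFORE" | open_ports
echo "open after:";  printf '%s\n' "$SCAN_AFTER"  | open_ports
echo "changes:";     scan_diff "$SCAN_BEFORE" "$SCAN_AFTER"
```

Keep each scan's -oG file with a date in the name; `scan_diff "$(cat before.gnmap)" "$(cat after.gnmap)"` then gives the three-line summary for the log book. A "new" line you did not expect after a patch or upgrade is exactly the kind of thing the previous section warned about, and a closed port that was supposed to stay open tells you the lockdown went one step too far.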

6. Potential Compromises

If your system gets compromised, don't fret. Talk with the "attacker" and find out how they did it. Compare it with your notes (you've been keeping good notes thus far, haven't you?). You should be able to see where the hole is and fix it accordingly. If this turns out to be an undocumented flaw, then congrats on finding a new one. Don't take compromises as a sign of failure but rather as a learning experience. It is far better to learn it in this environment than outside, where it could cost you your job.

7. Alternative Defender role

Now, I've suggested this as an alternative for my Intro classes. Have the defender use -- deliberately -- an older OS (NT 4, RH 6.2, etc.). Let them set it up as default and let the attacker go to town on it. Then take the time to lock it down and see if the attacker can still get in. I've seen this done with great success in the classroom. You might wonder why do this. Isn't everyone using the latest versions? Not always. Small companies, SOHOs, educational units, etc. have small budgets and cannot upgrade as often as others. As such, they often have older software. The reality is, however, that even that can be secured if done right. The "Hoser" abuse box we have at the school is a RH 6.2 box and is locked down tight. It's a rare thing to see it compromised.

While this is by no means definitive, I think you get the gist of what needs to be done. In wargames, the more potential attackers versus a single defender or a couple of defenders, the better. Variety adds a lot to the ability to defend properly. When my advanced class is small the effect isn't the same as with the larger class. Keep in mind this is done for learning and fun, so don't get too vengeful or malicious in the attacks and defense.