Network Topology

1. Introduction

Whenever we're doing a penetration test, it's good to figure out the topology of the network we're testing. We can't figure out the whole topology, because we don't have access to their internal network, but even if we manage to figure out part of the topology it's pretty cool.

But if we want to do that, we must have a pretty good understanding of what type of technology is usually implemented; thus we need to have at least a basic understanding of the following topics: switches, routers, IDS/IPSs, firewalls, VPNs, DMZs, VLANs, etc. This isn't such a small requirement.

First we must describe what all of those things are. For those of you who already know at least something about those topics, it'll be just a quick refresh, but if you've never encountered those, you should probably read more comprehensive material.

2. Networking Internals

Switch: A network switch or switching hub is a computer networking device that connects network segments or network devices [1]. We should remember that a network switch is operating at layer 2 OSI/ISO model (some of them also know about layer 3, but let's forget that for now). You should take a look at the Cisco switches as they are quite popular in larger networks.

Router: A router is a device that forwards data packets between computer networks, creating an overlay internetwork. A router is connected to two or more data lines from different networks. When a data packet comes in one of the lines, the router reads the address information in the packet to determine its ultimate destination. Then, using information in its routing table or routing policy, it directs the packet to the next network on its journey. Routers perform the "traffic directing" functions on the Internet [2]. The router is operating at layer 3 OSI/ISO, which means it is capable of doing NAT. NAT is a network address translation, translating WAN IPs into LAN IPs, so the packets can be routed though the internal network.

IDS: An intrusion detection system can be software-based or hardware-based and is used to monitor network packets or systems for malicious activity and do a specific action if such activity is detected. Usually, if malicious activity is detected on the network, the source IP of the malicious traffic is blocked for a certain period of time, and all of the packets from that IP address will be rejected. More about this can be read here: http://resources.infosecinstitute.com/packet-filtering/.

IPS: The intrusion prevention system is basically an upgrade of the intrusion detection system. Where the IDS is used to detect and log the attack, the IPS is used to detect, block and log the attack. The IPS systems are able to prevent certain attacks while they are happening. There are multiple versions of IPS systems, but we won't describe them in detail, since they are the same as with IDS systems, with the exception that all of the types of IPS system also prevent the attack from continuing. The types of IPS systems are: NIPS, HIPS, WIPS, NDA. More about this can be read here: http://resources.infosecinstitute.com/packet-filtering/.

Firewall: A firewall can either be software-based or hardware-based and is used to help keep a network secure. Its primary objective is to control the incoming and outgoing network traffic by analyzing the data packets and determining whether it should be allowed through or not, based on a predetermined rule set. A network's firewall builds a bridge between an internal network that is assumed to be secure and trusted, and another network, usually an external (inter)network, such as the Internet, that is not assumed to be secure and trusted. More about this can be read here: http://resources.infosecinstitute.com/packet-filtering/.

VPN: A virtual private network (VPN) is a technology for using the Internet or another intermediate network to connect computers to isolated remote computer networks that would otherwise be inaccessible. A VPN provides security so that traffic sent through the VPN connection stays isolated from other computers on the intermediate network. VPNs can connect individual users to a remote network or connect multiple networks together [3]. When the network of a particular company is very big, not all of the hardware can usually be located at the same geographical place. But those hardware devices should nevertheless be part of the same network. So even if those network devices are connected to the Internet half a world away with a different ISP, they still need to be part of the same network. Let's take a look at a simple example: if a company is dealing with computer hardware sells, they probably have shops all around the country (whatever country) and even in multiple countries. In order to keep those devices part of the same network even though their Internet is provided from different ISPs, the VPNs are used. Thus, through VPNs, users are able to access remote resources as if they were part of the same local network.

DMZ: DMZ is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network [4]. We need to put only the servers that should be accessible to the world wide web into the DMZ. Thus, access to the servers in the DMZ zone will be allowed, but any other servers which are part of the same network but not in a DMZ will be hidden. The servers in the DMZ zone also don't have access to the rest of the internal network, so even if a breach happens, the attacker will only be able to compromise the servers in the DMZ itself.

VLAN: VLAN is a concept of partitioning a physical network, so that distinct broadcast domains are created. This is usually achieved on switch or router devices. Grouping hosts with a common set of requirements regardless of their physical location by VLAN can greatly simplify network design. A VLAN has the same attributes as a physical local area network (LAN), but it allows for end stations to be grouped together more easily even if not on the same network switch [5]. VLANs can be used to set up a virtual LAN, where we don't have to physically relocate the devices, which is really good in virtualized environments. But let's face it, almost every company today uses a virtualized networking setup.

3. Presenting a Network Topology

Here we'll present a common network topology that can be seen in the picture below. I would like feedback on the picture presented. If you use a different topology can you please write a sentence or two about it so we can gather knowledge about different set-ups. I think various start-up companies can gain by that, because we can present the picture of different topologies, giving them different options to choose from, based on their requirements.

The topology below presents the way I see the network should be organized for a middle-sized company that uses /24 IP range.

image0

We can see the network topology of a company with /24 IP range. We can see that at the entry point of the network there is a gateway followed by a IDS/IPS system and a firewall. Those are there to block known malicious attacks from attacking the systems in the internal network. After that we can see the SRV demilitarized zone, which holds all the servers that should be accessible to the outside world. There are also various local networks (LANs), where the VLANs can be in use (common if hardware virtualization is in place). But let's not forget about the VPNs that can be present if the network is dispersed across multiple geographical locations.

4. Identify Network Topology: Simple Example

When identifying network topology of a company, we first need to determine its IP range. To identify the IP range of a Gentoo Linux foundation, we can use nslookup and whois tools as follows:

# nslookup gentoo.org
Server: 84.255.209.79
Address: 84.255.209.79#53

Non-authoritative answer:
Name: gentoo.org
Address: 89.16.167.134

# whois 89.16.167.134
% Information related to '89.16.167.128 - 89.16.167.143'

inetnum: 89.16.167.128 - 89.16.167.143
status: ASSIGNED PA
tech-c: BYT2-RIPE
descr: Gentoo Linux (www.gentoo.org)
netname: BYTEMARK-GENTOOLINUX
country: GB
admin-c: BYT2-RIPE
source: RIPE # Filtered
mnt-by: MNT-BYTEMARK

We can see that the Gentoo Linux has an IP range of 89.16.167.128 - 89.16.167.143, which can be represented with a CIDR 89.16.167.128/28. This can by calculated manually by hand or with an online tool accessible on a web page like this one.

We can also see that the Gentoo Linux is hosted at http://www.bytemark.co.uk, which we need to further investigate. To identify the ASN number of the ByteMark hosting company, we can execute the whois command below:

# whois -h whois.cymru.com 89.16.167.134
AS | IP | AS Name
35425 | 89.16.167.134 | BYTEMARK-AS Bytemark Computer Consulting
Ltd

Cool, the ASN number of "BYTEMARK-AS Bytemark Computer Consulting Ltd" is 35425. But we want to go further; we need to find out all IP addresses that are in the jurisdiction of ByteMark. We can again do this with whois command like this:

# whois -h whois.ripe.net -i origin -T route AS35425 | grep -w
"route:" | awk '{print $NF}' | sort -n
5.153.224.0/21
46.43.0.0/18
46.43.35.0/24
80.68.80.0/20
80.68.80.0/21
80.68.88.0/21
89.16.160.0/19
91.223.58.0/24
212.110.160.0/19
212.110.177.0/24
213.138.96.0/19

Notice that we used the AS35425 number, we learned in the previous step? Okay, so the Gentoo Linux IP range belongs in the 89.16.160.0/19 range.

The next thing is to traceroute the IP on the Gentoo Linux domain from different locations to find out the entry points.

The results of a traceroute from a web site http://centralops.net/ are presented below. We can see that the first node in the Bytemark hosting company is 91.223.58.79, which has direct access to the 89.16.167.134 that belongs to Gentoo. This is logical, because the Gentoo Linux doesn't have its own autonomous system (AS), so the Bytemark should have direct access to its own hosts.

image1

Let's try to run a few more traceroutes from different locations. The results of a traceroute from a web site http://network-tools.com/ are presented below.

image2

We can see the same results as above, the connection to 89.16.167.134 is going through 91.223.58.79. If we run the traceroute from a few more locations we can get a different result, because the packets would be routed from a different Bytemark router with a different IP.

We can see that since the Gentoo Linux topology really isn't that complicated, because they don't have their own ASN. And their hosting provider Bytemark really shouldn't have a filter or IDS/IPS system in place, because it's the job of the end customer to apply those. If the hosting provider would filter the packets destined to the ending IP address (whatever they are running; http, ssh, ftp, etc), they would need to look at the packets themselves and accept/deny them, which can cause a lot of problems. For example, let's say I'm connecting to www.gentoo.org, but the Bytemark's hosting filter decides that it will not let my packets through (for whatever reason). Can you see the problem there? It's not the Bytemark's decision what packets are going to Gentoo's website and they shouldn't decide to allow/block the connections.

5. Conclusion

We've seen how can we get a basic topology of a really simple company, but often the task is not that simple, because there are multiple filters, IDS/IPS systems in place that can block our requests. Usually the traceroute itself doesn't print all the hosts on the way to the target, because when the packet is entering the customer's network, it can be checked, filtered or even blocked.

References:

[1] Network switch, Wikipedia, accessible on http://en.wikipedia.org/wiki/Network_switch.

[2] Router (computing), Wikipedia, accessible on http://en.wikipedia.org/wiki/Router_(computing).

[3] Virtual private network, Wikipedia, accessible on http://en.wikipedia.org/wiki/Virtual_private_network.

[4] DMZ (computing), Wikipedia, accessible on http://en.wikipedia.org/wiki/DMZ_(computing).

[5] Virtual LAN, Wikipedia, accessible on http://en.wikipedia.org/wiki/Virtual_LAN.

Comments