CHAPTER 4
RESEARCH METHODOLOGY
This chapter describes three main areas: the research approach, the research method, and the research design. The observation in the simulation phase covers user requirement observation, performance observation and security robustness; the whole process is simulated on real devices under defined circumstances to capture how the system arrives at the actual result and where it is specifically at risk. Several potential strategies were identified and used in section 4.2 to evaluate the best result against the three criteria of security requirement, network performance and network security. The justification of the system observation study strategy follows in section 4.2.2, and the actual implementation of the simulation observation in its natural setting in a given environment is examined in sections 4.3 and 4.4 in the research design phase.
4.1 Choosing the Appropriate Defense Method
Security requirements are a necessity, but they are never fixed in a single working methodology that prescribes one technique for defending a given network. Beyond that, it has been shown that it is impossible to build an impenetrable network given the rapid growth of hacking techniques and tools. Building a secure network environment, given its complexity, therefore means using an approach that practically defends the network against all possible incoming attacks under specific environmental circumstances. Heesook Choi (2008) describes the process of building a methodology for defending wireless mobile networks based on multi-layered IPSEC and shows that, to achieve high throughput in wireless networks, it is critical to use smart forwarding techniques and to process packets while they are in transit across the routers' wireless links [6]. Under such conditions the results show that these services cannot be provided if data sessions are protected with end-to-end encryption as in IPSEC, because the information these algorithms need resides inside the encrypted portion of the packets. In this research, however, the data session is not the concern when the author performs the simulation. A previous study of network enhancement using IPSEC within a wired network environment shows that the proposed protocol, called multi-layered IPSEC (ML-IPSEC), modifies IPSEC so that certain portions of the datagram may be exposed to intermediate network elements, which increases network performance by enabling those intermediate network elements [7].
4.2 Research Approach
To achieve the best result for each environment, the needs of each environment must be determined by detailed measurement. In general, the differences between one network environment and another fall into several elements: the bandwidth speed, the complexity of the network topology, and the possible network attacks. Based on these factors the needs are classified into home use network, small sized business, small to medium business, and medium to large business, as shown in Table 1 below.
Table 1 Comparison Table of Proposed Solution
(columns: Network Type; Existing Problem / Vulnerability; Suggested Solution & Benchmark, technique used)

Home
  Vulnerability: Encryption bypass; Bandwidth stealing
  Technique used: MAC address filtering; Static IP Addressing; Hide SSID; WPA2-PSK encryption; Regular password change

Small Business
  Vulnerability: Encryption bypass; Bandwidth stealing; Unauthorized file access
  Technique used: MAC address filtering; Static IP Addressing; Hide SSID; WPA2-PSK encryption; Hardening the security sharing and policy; Regular password change

Medium Business
  Vulnerability: Encryption bypass; Bandwidth stealing; Unauthorized file access; MITM
  Technique used: MAC address filtering; Static IP Addressing; Hide SSID; WPA2-PSK encryption; Hardening the security sharing and policy; VPN server; Regular password change

Large Business
  Vulnerability: Encryption bypass; Bandwidth stealing; Unauthorized file access; MITM; Social Engineering; Possible inside attack
  Technique used: MAC address filtering; Static IP Addressing; Hide SSID; WPA2-PSK encryption; Hardening the security sharing and policy; VPN server; IDPS implementation
Table 2 Data Survey of Bandwidth Speed in Indonesia
(columns: Criteria; Bandwidth speed; Hosts and servers; Possible attacks)
Home use: 0,384 - 1 MBps; 1-4 hosts; Encryption bypass + MITM + DOS
Small business: 1 - 2 MBps; 5-30 hosts; Encryption bypass + MITM + DOS
Medium business: 3 - 5 MBps; 30-299 hosts + server; Encryption bypass + MITM + DOS + data extraction
Large business: > 10 MBps; > 300 hosts + servers; Encryption bypass + MITM + DOS + data extraction

Based on the table above we can see that there are two categories of attack that can be performed in the described areas; however, the defense mechanism cannot be applied with the same technique everywhere, because the bandwidth speed is not necessarily the same in each network environment.

4.2.1 Home Use Wireless Defense Mechanism
In the home network environment, attackers tend to break into the wireless network to steal information by performing a MITM (man in the middle) attack, which can be carried out once they are inside the network; bypassing the wireless network encryption with third-party hacking tools or a particular operating system is the common way to get in. Once the hacker is inside, the hacker has the bandwidth the victim subscribes to as a free internet connection, and if the victim lacks knowledge of network security they will not realize that someone is currently using their bandwidth. This is worsened by the automatic login the device applies once the user has entered the security password, which logs them in automatically whenever they are within network range. However, that is not the biggest problem with attacks on home use networks; from the hacker's point of view, we might think about what can be stolen from the victim once the hacker has bypassed the wireless encryption. It is possible to steal the victim's personal information with the man in the middle attack by applying packet monitoring tools inside the network. It is very possible that information such as the id and password of a certain account can be retrieved by the hacker using this tool; other than that, the hacker can also gain remote access to the victim's hardware to steal data or put a virus in it. A proposed solution to these problems is shown in Figure 11 below.

Figure 11 Home Use Wireless Defense Mechanism
(diagram; recoverable content: a wireless router applying MAC Address Filtering and Static IP Addressing to the following registered hosts)
PC Name   IP Address     MAC Address
James     192.168.1.2    00-0C-F1-56-98-AD
John      192.168.1.3    00-B0-D0-86-BB-F7

The home wireless network is secured by optimizing the features of the default wireless router security. As shown in the diagram above, the wireless router is configured with the latest encryption algorithm, which is WPA2-PSK for the login authentication, and the password is set using an alphanumeric and symbol combination so that it
would be more difficult to bypass. In addition, to prevent unauthorized users from entering the network, the wireless router is also configured with MAC address filtering, where each user must first retrieve their device's MAC address, which differs from one device to another, and which is then registered as a denied or allowed machine on the network depending on the users' needs. Using MAC address filtering in the network allows several PCs to be classified as authorized to enter the network; this technique prevents an unauthorized user from entering the network even if that user could in some way bypass the WPA2-PSK encryption. For more advanced protection, SSID broadcast is disabled, so that a user in range cannot see the network and log in to it unless they have previously logged in or use manual network addition, which requires the user to enter the network name, the encryption used and the password manually.
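The two router-side controls this paragraph relies on, the MAC address allow-list (with the static IP it hands out) and the WPA2-PSK passphrase policy, can be modelled as follows. This is an added example for illustration, not code from the thesis or from any router firmware; the allow-list entries are the two constructed hosts from Figure 11, the 8-63 printable-ASCII bound is the WPA2-PSK passphrase limit, and the letter/digit/symbol rule is the chapter's own alphanumeric-plus-symbol policy.

```python
import re

# Added example: router-side admission controls from the home-use defense
# mechanism. The two hosts below are the constructed entries shown in Figure 11.
ALLOW_LIST = {
    "00:0C:F1:56:98:AD": {"pc": "James", "static_ip": "192.168.1.2"},
    "00:B0:D0:86:BB:F7": {"pc": "John", "static_ip": "192.168.1.3"},
}


def normalize_mac(mac: str) -> str:
    """Return the address as 'AA:BB:CC:DD:EE:FF' regardless of the separator
    style the user copied from their device (dashes, colons, dots or none)."""
    digits = re.sub(r"[-:.\s]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def admit(mac: str, allow_list=ALLOW_LIST) -> dict:
    """Decide whether an associating station is on the allow-list and, if so,
    which static IP the router should give it."""
    try:
        key = normalize_mac(mac)
    except ValueError as err:
        return {"allowed": False, "reason": str(err)}
    entry = allow_list.get(key)
    if entry is None:
        return {"allowed": False, "reason": f"{key} is not registered"}
    return {"allowed": True, "pc": entry["pc"], "static_ip": entry["static_ip"]}


def check_psk(passphrase: str) -> list:
    """Return the policy violations of a WPA2-PSK passphrase (empty list = accepted).
    8-63 printable ASCII characters is the WPA2-PSK passphrase limit; the
    letter/digit/symbol rule is the chapter's alphanumeric-plus-symbol policy."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("only printable ASCII is allowed")
    if not re.search(r"[A-Za-z]", passphrase):
        problems.append("needs a letter")
    if not re.search(r"[0-9]", passphrase):
        problems.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", passphrase):
        problems.append("needs a symbol")
    return problems


if __name__ == "__main__":
    for mac in ("00-0c-f1-56-98-ad", "00B0D086BBF7", "AA-BB-CC-DD-EE-FF", "not-a-mac"):
        print(mac, "->", admit(mac))
    for psk in ("password", "Rumah-Wifi-2011"):
        print(repr(psk), "->", check_psk(psk) or "accepted")
```

A MAC address is a self-reported identifier, so the allow-list is defence in depth behind WPA2-PSK rather than an authentication control in its own right; the passphrase policy is what actually keeps an unregistered station from associating.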
The performance measurement is based on the transfer rate of downloading a certain amount of data and the transfer rate of uploading the same data that is used to measure the download transfer rate. The easiest way to measure the maximum network performance in terms of download and upload speed is a local area file transfer, where the process is done with file sharing from host A to host B in a setup where one of them uses a cable connection to the wireless router. The measurement tool, a third-party application, is installed on the client side and monitors the bandwidth performance. The cable connection here simulates the server on the internet, which is usually connected through a cable connection. This technique is used in the simulation and performance measurement to avoid the bottleneck effect from the ISP, which reduces our bandwidth speed from the internet according to the subscription package that we choose.

A baseline is needed in the result comparison in order to compare the proposed technique against the base result, or benchmark, so that in each phase of testing the performance in each environment shows a difference that indicates an improvement or a degradation. The benchmark result is obtained using the same technique as explained above, using the file sharing technique as shown below.

Figure 12 Benchmark Measurement Mechanism

The file is stored in the file server, which uses the cable connection through the wireless router, as if the file were stored on the internet, which is usually connected via cable connection; the host in this case is a wireless client laptop connected to the network via a wireless connection which uses no security defense techniques. The user first downloads the file stored on the file server and measures the bandwidth performance using the third-party application installed on the client's side; the result of this simulation then becomes the download performance benchmark. The same technique is applied to get the benchmark result for the upload bandwidth performance: the user's laptop stores a certain file from the user's laptop to the file server and measures the upload performance in order to get the benchmark speed for upload bandwidth performance.
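The benchmark procedure just described (time a file download and a file upload against the cabled file server, convert to a transfer rate, then compare every later phase with the baseline) is shown below in working form. This is an added example, not the thesis's third-party measurement tool: the "file server" is a loopback TCP socket so the code runs offline, the payload is a constructed 1 MiB buffer, and the 15 % drop fed to the comparison at the end is a made-up phase result. The same comparison step applies to the small, medium and large business phases later in the chapter, which reuse this benchmark.

```python
import socket
import threading
import time

CHUNK = 64 * 1024
SAMPLE_FILE = bytes(range(256)) * 4096  # constructed 1 MiB payload standing in for the shared file


def _sender(listener, payload):
    """Server side of a download: accept one client and push the whole file."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(payload)


def _receiver(listener, counter):
    """Server side of an upload: accept one client and count what arrives."""
    conn, _ = listener.accept()
    with conn:
        while True:
            data = conn.recv(CHUNK)
            if not data:
                break
            counter.append(len(data))


def _listener():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # loopback stands in for the cabled file server
    srv.listen(1)
    return srv, srv.getsockname()[1]


def measure_download(payload: bytes):
    """Return (bytes_received, seconds) for pulling payload from the 'file server'."""
    srv, port = _listener()
    worker = threading.Thread(target=_sender, args=(srv, payload), daemon=True)
    worker.start()
    received = 0
    start = time.perf_counter()
    with socket.create_connection(("127.0.0.1", port)) as client:
        while True:
            data = client.recv(CHUNK)
            if not data:
                break
            received += len(data)
    elapsed = time.perf_counter() - start
    worker.join()
    srv.close()
    return received, elapsed


def measure_upload(payload: bytes):
    """Return (bytes_stored, seconds) for pushing payload to the 'file server'."""
    srv, port = _listener()
    counter = []
    worker = threading.Thread(target=_receiver, args=(srv, counter), daemon=True)
    worker.start()
    start = time.perf_counter()
    with socket.create_connection(("127.0.0.1", port)) as client:
        client.sendall(payload)
    worker.join()  # the upload is complete only when the server has stored every byte
    elapsed = time.perf_counter() - start
    srv.close()
    return sum(counter), elapsed


def throughput_mbps(nbytes: int, seconds: float) -> float:
    """Transfer rate in megabits per second (10^6 bits), as link speeds are quoted."""
    return nbytes * 8 / seconds / 1_000_000


def compare_with_baseline(baseline_mbps: float, measured_mbps: float) -> dict:
    """Percent change of a defended phase against the undefended benchmark."""
    change = (measured_mbps - baseline_mbps) / baseline_mbps * 100
    verdict = "improvement" if change > 0 else "degradation" if change < 0 else "no change"
    return {"change_pct": round(change, 2), "verdict": verdict}


if __name__ == "__main__":
    n, s = measure_download(SAMPLE_FILE)
    down = throughput_mbps(n, s)
    n, s = measure_upload(SAMPLE_FILE)
    up = throughput_mbps(n, s)
    print(f"benchmark download {down:.1f} Mbps, upload {up:.1f} Mbps")
    # Constructed phase result: the same test repeated with the defenses enabled.
    print(compare_with_baseline(down, down * 0.85))
```

Loopback numbers are far above any wireless link and only exercise the procedure; for a real run the two endpoints are the client laptop and the cabled file server, and both a download and an upload figure are recorded per phase so the comparison is made against the matching baseline.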
For the security aspects, penetration testing is done based on the possible attacks described earlier, to prove that the proposed solution satisfies the security demands of the home use environment. The tools used in the penetration testing phase are Net tools, Ettercap, and Aircrack. Aircrack is used to obtain a result for how secure the network is, that is, how difficult it is for hackers to bypass the network encryption before they successfully enter the network. Ettercap is used to perform the MITM attack, which monitors the packets going in and out of the network to retrieve information. The other tool, Net tools, is used to perform denial of service attacks using the UDP flood or ping of death technique.
4.2.2 Small Business Wireless Defense Mechanism
The small business wireless environment (SOHO) is not categorically different from the home use environment regarding bandwidth performance, which is balanced against the total number of hosts inside the network. A small business network environment usually uses higher bandwidth than the home network environment, but regardless of network performance it has more hosts, almost two or three times the number in the home network environment. Besides that, from the hacker's point of view, the hacking techniques needed to penetrate the small business network are not very different; the main thing that differentiates the small business network from the home use network is data sensitivity. Based on that fact it is necessary to harden the defense with a security and sharing policy so that data extraction is more difficult to perform. The proposed small business defense solution is shown in the figure below.
Figure 13 Simulation on Small Business Environment
Referring to the figure shown above, a small business usually has some desktop PCs connected to the network via cable connection, and since the small business does not have a very complex network topology, it is not necessary to use sophisticated devices to satisfy the needs of the business; for instance, the core router in the topology is actually the wireless router, which is directly connected to the modem from the ISP and thus to the internet. Besides that, rather than using layer 3 switches, which provide more network security features, it is adequate to distribute the network bandwidth to all wired hosts, including the file server, through layer 2 switches, because the network design is not very complicated given the structure of each business.
The performance measurement is done using the same tool used in the home network bandwidth measurement, but unlike the previous simulation in the home environment, it uses a separate PC dedicated to monitoring the network, connected to the network via cable connection through the wireless router. Apart from the monitoring tool being installed on a dedicated machine rather than the client machine, the process of measuring upload and download performance is the same as in the previous simulation on the home network. The main point in measuring the performance and security of this type of network is to focus on the main differentiator between the small business network and the home use network security requirement described previously, namely a certain security and sharing policy configuration. To summarize, all the data used in the business process is stored on the file server and protected by authentication before a host is able to use it. The data is processed inside the server without being copied outside the server, so the data remains safe.
In the penetration testing phase, the tools are the same as in the previous penetration test on the home use network: Net tools for performing denial of service attacks (in this case the file server is the DoS target), Aircrack to bypass the wireless router encryption, and Ettercap to monitor the traffic.
4.2.3 Medium Business Wireless Defense Mechanism
A medium business network can be very vulnerable to various types of attacks if it is not properly designed and implemented. It is critical to defend the wireless network environment because a number of factors indicate that the importance of network security is increasing. Based on the Japanese government's employment status survey, a corporation is called a medium business when it has 30 to 299 employees, and most companies existing today implement a computer networking infrastructure to support their business needs. Moreover, for a business of this size it is a common need to provide high bandwidth for the network as well as secure devices to satisfy the security needs, given the number of vulnerabilities, which keeps increasing. However, securing the wireless network infrastructure within the whole network is not an easy task, because there will be many wireless routers or wireless access points within the network. The more wireless access points used inside the network, the larger the coverage area we need to secure. Based on a survey on www.owasp.org, the most common attacks performed by hackers to penetrate this type of network at this size of business are brute force attacks, data extraction, and denial of service attacks. These attacks do not necessarily come from the cable network connection, in other words from the internet; it is possible, and easier, to perform the same attacks via the wireless infrastructure if the wireless is not implemented properly.
Based on that fact, it is important to protect the wireless network infrastructure using the most secure defense technique, in order to protect the packets travelling around the wireless network, which is accessible to people regardless of the limitations or boundaries that exist in a cable network infrastructure. One solution to protect the wireless infrastructure is to implement IPSEC technology within the wireless infrastructure, as shown in the figure below.

Figure 14 Proposed Solution for Medium Business

The IPSEC technology chosen to protect the packets within the network is Virtual Private Network (VPN) technology; the facts show that VPN is the most secure defense for protecting IP packets within the network. However, VPN technology is normally used to connect two different networks across the internet and is infrequently implemented to protect a wireless network infrastructure, as previously explained in the theoretical foundation in chapter two.

Based on the figure shown above, we can see that there are several dedicated PCs placed between the wireless router and the main router; this is implemented in order to prevent the hacker or unauthorized user from gaining access to the core router. The proposed solution covers two different areas of the network: the wireless local area network, and the uplink of the wireless local area network, which is the core router itself. The VPN server itself uses Ubuntu 8 server with the third-party application OpenVPN installed for the VPN service. OpenVPN is chosen because it can be enhanced with several types of settings and patches, and can also be combined with other types of security machine. On top of that, Ubuntu is chosen because of its reliability and because it is free, as is the third-party application OpenVPN.

The performance measurement is conducted using the same technique proposed earlier for the small business network, which uses file sharing to measure the maximum performance of the network. The result of the performance measurement is compared with the benchmark result obtained earlier in the first phase of testing. Refer to the figure below.

Figure 15 Medium Business Performance Measurement Scenario

As we can see, the file server is located in the core network, connected directly to the main router, while the client is located in the local wireless network area, where the client or host must be doubly authenticated, on the wireless router side as well as on the VPN server side. The client would get two IP addresses, one from the wireless router and the other from the VPN server. Based on this mechanism, the measurement uses the IP address provided by the VPN server to download the file from the file server.
From the security point of view, the measurement is conducted based on the most common attacks described earlier; the security measurement focuses on denial of service attacks, performed using hping3 and UDP flood, and on file extraction using the same technique as earlier, namely Aircrack and packet monitoring.
4.2.4 Large Business Wireless Defense Mechanism
As learned about the security holes of a large network environment in the earlier phase, a large business network environment can be described as a network which needs security protection both from inside and from outside. Since the large business has more hosts inside the network, it should have a larger internet bandwidth connection as well, able to support the business needs. However, based on the author's experience in the field, most of the activity in the business process takes place inside the network, because the servers are owned by the company and located inside the network as well. Besides that, a large business usually has more than two office buildings, which usually apply centralized data banks and a centralized server farm to hold all the business processes by category; all of the branches that use the service of a given server are usually connected to the main server through a VPN connection over the internet, to gain maximum security given the data sensitivity explained before. Therefore, the connections that go in and out of the network are mostly encrypted and already secure in terms of data authenticity, integrity, and confidentiality.
An example of a large business network is shown as the network topology of PLN Pusdiklat.

Figure 16 Entire PLN-Pusdiklat-Udiklat Logical Topology

Figure 16 shown above is the topology of the PLN Pusdiklat network, which connects all of the branches using VPN connections through the ISP, which is also owned by PLN. The servers are located inside the Pusdiklat network, and it has nine active servers to support all the business processes inside PLN's educational activity.
The main problem of the entire network, however, is not the outgoing or incoming bandwidth; as explained before, packets travelling across the internet are already secure. It is a must, however, to protect the internal network, because the threats that can cause harmful damage are no longer concentrated only outside the network, but come from the inside as well.
Besides the business process, employees also access other websites, or in fact other servers rather than the internal server, for their own needs. Based on the actual survey the author conducted inside the network using third-party monitoring tools, there is always traffic going outside the network which is not related to the business process, as shown below.
Figure 17 Statistic of Average Network Usage per Day
(bar chart; recoverable content: the five sites Facebook, Kaskus.us, Google.com, Yahoo.com and Detik.com on the horizontal axis, and average usage per day in percent, 0% to 45%, on the vertical axis)

The figure shown above is the top five most commonly accessed websites other than company owned servers.
In other cases, based on the author's observation, the threat most commonly comes from employees who bring their own USB flash drives, which carry most of the viruses and Trojans that then spread throughout the entire network. This situation can be prevented by installing an antivirus server and installing antivirus client software on all of the clients. However, devices such as wirelessly connected mobile phones, tablet PCs and newly connected laptop computers may also be the cause of widespread virus infections; therefore, rather than focusing on how people might get into the network, which was already considered secure enough in the earlier phase, it is more important to concentrate on implementing tools for monitoring, producing reports and preventing such attacks from occurring.
The proposed solution to the problem mentioned above is to implement a standalone computer installed with a certain Linux operating system. Using the same architecture applied in the medium business network environment, the standalone computer is placed on the outer side of the switch in order to monitor every packet going through the network that passes the switch, including inside-to-outside attacks, outside-to-inside attacks, and inside-to-inside attacks.
Refer to the figure shown below.

Figure 18 Proposed Solution of LBN Topology Using IDPS

Since the main switch is configured with VLANs to make the network more secure and manageable, it is easier for the IDPS system to report which attack is coming from, or aimed at, which destination. The bandwidth performance is measured using the same scenario used in the earlier phase, enhanced with the IDPS system monitoring the traffic. The result is compared with the benchmark performance obtained earlier.

The security measurement is done by performing penetration testing from inside the network and checking how many attacks are observed by the IDPS, as well as prevented.
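The attacks the penetration tests in this chapter replay (the MITM with packet monitoring, the UDP flood and the ping of death from the home-use test in 4.2.1, and the inside-the-network test the IDPS is expected to observe here) each leave a footprint a monitor can match with a simple rule: a gateway IP whose announced MAC changes, one source emitting a burst of UDP packets within a second, and an ICMP datagram larger than any legal IP packet. The following is an added example, not the thesis's tooling or any IDPS product's rule set; the capture format, every address and timestamp in it, and the flood threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed sample capture (not from the thesis), one packet per line:
#   "<second> <proto> <src_ip> <dst_ip> <key>=<value>"
# ARP lines carry the MAC the sender claims for src_ip; UDP and ICMP lines carry
# the IP total length. Addresses and timings are invented for the example.
SAMPLE_LOG = (
    ["100 ARP 192.168.1.1 192.168.1.2 mac=00:0c:f1:56:98:ad",   # gateway's real reply
     "101 ARP 192.168.1.1 192.168.1.2 mac=de:ad:be:ef:00:01",   # same IP, different MAC
     "102 ICMP 192.168.1.9 192.168.1.2 len=65600"]              # exceeds the IP maximum
    + ["103 UDP 192.168.1.9 192.168.1.50 len=1400"] * 120       # burst at the file server
    + ["103 UDP 192.168.1.3 192.168.1.50 len=200"]              # ordinary client traffic
)

UDP_FLOOD_THRESHOLD = 100   # packets per source per second; an assumed tuning value
IP_MAX_LENGTH = 65535       # largest legal IP datagram; anything above is malformed


def parse_line(line: str) -> dict:
    sec, proto, src, dst, detail = line.split(maxsplit=4)
    key, value = detail.split("=", 1)
    return {"sec": int(sec), "proto": proto, "src": src, "dst": dst, key: value}


def detect_arp_spoof(events) -> list:
    """Flag an IP that is announced with a MAC different from the first one seen
    for it; a changing gateway MAC is the classic footprint of ARP-based MITM."""
    first_seen, alerts = {}, []
    for e in events:
        if e["proto"] != "ARP":
            continue
        mac = e["mac"].lower()
        known = first_seen.setdefault(e["src"], mac)
        if mac != known:
            alerts.append((e["src"], known, mac))
    return alerts


def detect_udp_flood(events, threshold=UDP_FLOOD_THRESHOLD) -> list:
    """Sources that sent at least `threshold` UDP packets within one second."""
    per_second = defaultdict(int)
    for e in events:
        if e["proto"] == "UDP":
            per_second[(e["src"], e["sec"])] += 1
    return sorted({src for (src, _), n in per_second.items() if n >= threshold})


def detect_oversized_icmp(events, limit=IP_MAX_LENGTH) -> list:
    """ICMP datagrams whose declared length cannot fit a legal IP packet
    (the reassembled size a ping of death relies on)."""
    return [(e["src"], int(e["len"])) for e in events
            if e["proto"] == "ICMP" and int(e["len"]) > limit]


def analyze(lines) -> dict:
    """Run the three rules over a capture and return the hits per rule,
    the kind of per-destination report the IDPS is expected to produce."""
    events = [parse_line(line) for line in lines]
    return {
        "arp_spoof": detect_arp_spoof(events),
        "udp_flood": detect_udp_flood(events),
        "oversized_icmp": detect_oversized_icmp(events),
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

On a VLAN-segmented switch the destination field tells which segment an alert was aimed at, which is the per-destination reporting the paragraph above expects from the IDPS; the UDP threshold is the one value that needs tuning against the benchmark traffic so the file-transfer test itself is not reported as a flood.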