Securing The Perimeter and Providing Secure Remote Access with Endian Firewall
Endian Firewall (EFW) is a "turn-key" Linux security distribution that turns an ordinary system into a
standalone, fully featured security appliance. Its biggest advantage is that it bundles several packages
together behind one usable interface: through a series of easy-to-configure menus, tasks that would
otherwise require the command line become simple point-and-click configuration. EFW is open source
software, licensed under the GNU GPL.
Some of the off-the-shelf features offered are:
1. Stateful Packet Inspection Firewall
2. Application Level Proxies for various protocols (HTTP, FTP, POP3, SMTP)
3. Antivirus support
4. Virus and Spam Filtering for email traffic
5. Content Filtering of Web Traffic
6. Establishment of zones (DMZ,Trusted, Wireless, etc.)
7. Easy VPN Solution
Endian Firewall works with four network interfaces (zones), listed below:
1. RED interface: the interface that connects the firewall to the outside world, most often the
Internet. Endian supports many types of RED interface.
2. ORANGE interface: the untrusted network, i.e. the Demilitarized Zone (DMZ). It is used to host
machines such as the web server that do not need to sit in a protected internal zone.
3. GREEN interface: the trusted network, hosting the machines that must not be exposed. Any
network traffic originating from this zone has its source masked before it leaves the zone.
4. BLUE interface: designed specifically for wireless hosts on the network.
Unless configured otherwise, the firewall blocks all traffic coming from outside by default. Since
GREEN is the trusted network, traffic originating from it is allowed to pass to any other zone
(BLUE/ORANGE). For every pass from one zone to another, however, NAT is performed so that the
source address of the GREEN sender is hidden.
On the destination side, all access is blocked by default except towards the RED interface, and even
there only some standard services (HTTP, FTP, SMTP, DNS) are allowed by default when accessed
from the GREEN zone, and only DNS when accessed from the BLUE and ORANGE zones.
The network setup consists of six machines, as shown in the diagram. The details are -
1. Endian Firewall Community (EFW): a Linux based distribution that serves as the perimeter
security appliance for the network. It has four interfaces, but we will use only three, with the
IP addresses 192.168.30.1 (RED), 10.0.2.1 (GREEN) and 10.0.1.1 (ORANGE).
2. Franks: an IIS server that serves web pages to the other hosts. Franks is in the ORANGE zone.
3. Ike: a Domain Controller that supports Marshall under the AIA domain. It is in the GREEN
zone. IP address: 10.0.2.4.
4. Marshall: a Mail Exchange Server that provides SMTP and POP3 services within the network.
It is also in the GREEN zone.
5. VTE Launchpad: a Windows 2003 host that allows remote access to the other computers and is
used for configuration. IP address: 10.0.254.254.
6. IRH_Outside_host: a CentOS machine connected on the RED interface of Endian.
IP address: 192.168.30.254.
1. Boot up the Virtual Machines
Start the EFW_Community Firewall, Franks, Ike, Launchpad, Marshall and Outside_host virtual
machines. EFW is configured with a default IP address of 192.168.0.15 on br0, the default bridge.
This address is used to configure it initially. The boot order should be -
1. EFW  2. Ike  3. Marshall  4. Launchpad  5. Franks  6. Outside-host
EFW's username is 'root' and the password is 'endian'.
The username for the other machines is 'Administrator' and the password is 'tartans'.
2. Log onto Launchpad
Start by logging onto Launchpad with the following:
Username: Administrator
Password: tartans
Since the IP address of Launchpad is 10.0.254.254, it is not on the same subnet as Endian. Endian
can be configured ONLY by hosts on the GREEN interface, so we have to change the IP settings of
Launchpad to put it in this zone. Follow these steps on Launchpad -
1. Double click the 'Local Area Connection' icon on the task bar. Click Properties.
2. Select TCP/IP from the list box.
3. On the 'Local Area Connection Status' window, click the 'Properties' button.
4. Change the IP address from 10.0.254.254 to 192.168.0.254, so that it is on Endian's subnet. Also
change the subnet mask to 255.255.255.0.
5. Clear the 'Default gateway' field.
6. The DNS server addresses field should be empty.
7. Click OK, and click OK again on the Local Area Connection Properties window.
8. Close the Local Area Connection Status window.
Open Mozilla Firefox from the Desktop and browse to http://192.168.0.15
Click OK when it prompts you with a Domain Name Mismatch error.
You will get to the screen shown below.
1. Click the '>>>' button to proceed.
2. By default the language is English and you will be prompted for a timezone. You may enter
America/Chicago and hit '>>>'.
3. On the next screen, tick the checkbox after reading the License Agreement. Click '>>>'.
4. We do not want to restore a backup, so click '>>>'.
5. Set the Admin and root (console) password to 'endian' for simplicity. Such a password should
only be used for testing and certainly not in production environments.
3. Configure the EFW Network Interfaces
Since we want to customize Endian for our network, it is necessary to reconfigure the setup. From
Launchpad, continue with the following steps -
i. Assign a static IP address to all the interfaces. RED is the interface facing the outside, insecure
Internet. For a different type of Internet connection (such as ADSL for a home user or ISDN for a
business), choose the appropriate option. The subsequent steps remain the same, but the settings
Endian asks for later will differ. For example, when IP addresses are assigned dynamically using
DHCP, Endian will need to be configured to act as a DHCP server.
Select 'ETHERNET STATIC' from the options shown in the diagram.
ii. Do the same for the ORANGE interface, the interface connected to the DMZ network. As shown
below, select Orange, which will serve as our DMZ. Several hosts will run on it, including the web
server. Note that the Mail Exchange Server sits on the GREEN network since we do not want to
expose it to the outside world. It should not be confused with a mail service for clients; think of it
as a mechanism for networked users to exchange emails within the boundaries of the environment.
iii. Assign a static IP address to the GREEN interface, the interface connected to the trusted and
protected internal network. Note that we are reconfiguring the IP addresses to suit our network's
needs.
Green interface
IP Address : 10.0.2.1
Network Mask : 255.255.255.0
Orange interface
IP Address : 10.0.1.1
Network Mask : 255.255.255.0
Change the 'Hostname' field to 'Endian' and click '>>>'.
iv. The RED interface is the gateway to the external world; it connects the inner network to the
Internet. Since the controlled lab environment does not allow access to the Internet, we use the
separate 192.168.30.1 address to distinguish it from the ORANGE and GREEN networks.
Assign a static IP address to the RED interface as shown below.
Red interface
IP Address : 192.168.30.1
Network Mask : 255.255.255.0
Default Gateway : 192.168.30.1
Click the '>>>' button to proceed to the next screen.
v. Add 10.0.2.4 as the DNS server in both entries. This is because 10.0.2.4 (Ike) is our web
server. DNS resolution is not necessary to open the website on Ike, so we just use the IP
address and specify that as the DNS entry.
vi. Finally, apply the configuration by clicking OK. You may go back at any time to make changes
by clicking '<<<'.
vii. Configuration is now complete. Contrary to the note on the resulting page, you will not be
redirected to, or be able to log onto, the EFW interface from Launchpad any more. This is
because we have configured Endian to accept connections from a new zone. When the screen
looks like the one below, close the web browser.
4. Connect to Ike from Launchpad
Restore the IP address of Launchpad by going into the Local Area Connection Properties and setting
the IP address back to the original 10.0.254.254, the default gateway to 10.0.2.1 and DNS to 10.0.2.4.
Now Launchpad is in the same network as Ike.
Launchpad will be used to connect to Ike via Remote Desktop Connection (Start -> All Programs ->
Remote Desktop Connection). Endian has to be configured either through its console or from another
host on the GREEN trusted subnet. Ike is on the GREEN interface and thus serves as a good
configuration machine. You will be unable to use Launchpad for further transactions after the changes
mentioned previously are incorporated. On the Remote Desktop Connection use the following to log in -
IP address: 10.0.2.4
Username: administrator
Password: tartans
Next, open Internet Explorer and enter http://10.0.2.1 in the address box. This is Endian's IP address.
1. Click Yes if it prompts you to view pages over a secure connection.
2. You will be asked to view a certificate, which you may check to verify that the server is
legitimate. Click 'Yes' on the Security Alert screen to proceed.
3. Log onto Endian with username 'admin' and password 'endian'. You will be challenged with the
screen given below.
You should see the following page after you are connected:
If there is a problem connecting to the firewall, the connection will be highlighted in red and the
status will show Failed. This could be because Endian has not been powered on; sometimes
reconnecting and refreshing helps. If the status continuously shows 'Connecting' in yellow, then the
RED interface is not configured properly (especially when the IP addresses do not match and differ
from the default assigned ones in the 192.168.X.X range).
5. Configure the Proxy Server
i. Endian's proxy server has two advantages. First, it allows indirect network connections to other
network services and filters them based on content, permissions, malicious activity, etc. Second, it
employs a cache: a page is cached when it is accessed, which improves network throughput because
repeated requests do not burden the network.
ii. HTTP Proxy settings: Click the 'Proxy' tab on the top menu. Enable the web proxy for the DMZ as
well as the trusted network. Allow only the http (80), Squid (800), https (443) and ntop (3001) ports;
delete the rest of the entries from the text boxes. Enable 'Log' and 'Log user agents' by clicking the
'>>' button below the 'Log Settings' category.
iii. Enable the proxy for the trusted/protected (GREEN) and DMZ (ORANGE) networks.
Allowed ports: 80 (http), 800 (Squid)
Allowed SSL ports: 443 (https), 3001 (ntop)
iv. Cache management parameters can be set by specifying the size of the cache, etc., in the text boxes.
v. Also tick the 'Contentfilter Enabled' checkbox.
vi. Network Based Access Control:
Scroll down the proxy page and configure the settings described in the image above, under Network
Based Access Control. This step is very important: if omitted, it will lead to 'Access Denied' errors
when transacting over the network. Note that you have to select the 'Allow Access from ORANGE to
GREEN' checkbox.
Finally, click the 'Save and Restart' button at the bottom of the page.
6. Enabling Content Filtering and Antivirus
In a typical office network you would not want employees to surf the Internet for objectionable
material. We set these parameters in 'Http Content Filter'. Click the 'Content Filter' tab on top and
tick the topics you want to restrict access to. Your settings should resemble the one shown below,
and should be even more stringent in highly critical network environments. Set the 'Max. Score' to
60. Finally, save the changes.
7. Stateful Packet Inspection
No special settings are needed for this. Select 'Status' from the top menu and click 'Connections' in
the left menu. The screenshot below shows some ESTABLISHED and some terminated (TIME_WAIT)
connections. If malicious activity is suspected, this view is useful: it reveals the open connections
and the machines that might be participating in the attack.
8. Enable Intrusion Detection System (Snort)
Incidents detected by the EFW IDS are shown in the screenshot that follows. By default, the IDS is
inactive after a fresh install and has to be activated manually. Go to the 'Services' tab on the top
menu and select 'Intrusion Detection' from the left menu bar. Enable the IDS for the different zones,
that is, RED, ORANGE and GREEN, by ticking the corresponding checkboxes. In a production
environment you would also want to subscribe to an appropriate signature update service.
9. Enable Logging
Usually, if Endian Firewall has a public IP address and is therefore the door to the outside, there are
packets that will be blocked by the firewall. Not all of these are hostile attempts by attackers, but
they will nevertheless be logged and will create a lot of data. Here you can globally configure what
you would like logged and what is to be omitted. Click the Logs tab in the top menu and enable the
following firewall security related log settings (click the Log Settings tab on the left menu) -
Log packets with BAD constellation of TCP flags
TCP allows anybody to set flags in combinations that make no sense at all. Such combinations may
confuse firewalls and computers in general, and allow an attacker to gather more information than
you would like to share; port scanners in particular do this. Endian Firewall blocks such attempts.
Tick this on if you want them logged; you will find such attempts in the firewall log as packets that
passed through the BADTCP chain.
Log portscans
You may enable portscan detection by ticking this checkbox. Portscan detection is performed using
the netfilter psd match. You will find the logged portscans in the firewall log as packets that passed
through the PORTSCAN chain.
Log NEW connections without SYN flag
Packets that are meant to establish a TCP connection must have the SYN flag set. If it is not set, the
packet is not sane. Endian Firewall blocks such packets, and you can log the attempts by ticking this
checkbox.
Log refused packets
If you tick this on, Endian Firewall will log all connection attempts that it has denied. Since Endian
Firewall denies all connection attempts by default and allows only what you have defined, this will
certainly produce a lot of unneeded data, so you may want to leave it off. It can be useful, though,
to find out which ports you need to open for applications that use ports you don't know.
Log accepted outgoing connections
Tick this on if you would like to globally log all connections that have successfully passed Endian
Firewall without being dropped. You can use this to test whether your newly created rules are
correct, as it lets you see the connections made by your applications.
Summaries can be generated periodically and are configurable as separate tabs on the menu on the
left (one for each facility). The figure below shows the general settings for logs. Remember to click
Save at the bottom when you are done.
10. Enabling the Firewall
Click the Firewall tab and select 'Zone PinHoles' from the menu on the left.
10.1 Zone Pinholes
This subsection allows you to configure the Zone Pinholes settings for Endian Firewall.
A DMZ or Demilitarized Zone (ORANGE zone) is used as a semi-safe interchange point between the
external RED zone and the internal GREEN zone. The GREEN zone holds all the internal machines;
the RED zone is the Internet at large. The DMZ lets them share servers without giving those in the
RED zone undue access to the internal LAN.
In a traditional firewall setup this would not work, because the request for access to the GREEN
zone would originate from outside the GREEN zone, and you certainly do not want to give all your
customers direct access to the machines on the GREEN side. It can work, however, by using the DMZ
and zone pinholes. This is often required, for example, when a trusted database has to be accessed
from time to time for some update transaction.
Zone pinholes thus give machines in the ORANGE (DMZ) zone (and also the BLUE zone) limited
access to certain ports on GREEN machines. Configure the settings to look like the screenshot given
below.
Click 'Add new Rule'. Make the following configuration-
Protocol: TCP/UDP (TCP in our case)
Source Net: ORANGE
Destination Net: GREEN
Source IP: 10.0.1.104
Destination IP: 10.0.2.3
Destination port: 25
Click 'Add new Rule' once again and use -
Protocol: TCP/UDP (TCP in our case)
Source Net: ORANGE
Destination Net: GREEN
Source IP: 10.0.1.104
Destination IP: 10.0.2.3
Destination port: 110
Click 'Add new Rule' once again and use -
Protocol: TCP/UDP (TCP in our case)
Source Net: ORANGE
Destination Net: GREEN
Source IP: 10.0.1.104
Destination IP: 10.0.2.4
Destination port: 80
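As an added example that is not part of the original guide, the Python model below encodes the zone policy described earlier in this document (GREEN may reach any zone; only DNS from ORANGE towards RED; HTTP, FTP, SMTP and DNS from GREEN towards RED; nothing inbound from RED) together with the three pinholes just configured, so that a planned flow can be checked before it is tried on the lab network. The /24 zone networks follow the interface configuration in step 3; the intra-zone shortcut and the port numbers for the default services are assumptions, and this is a simplified model, not Endian's actual rule engine.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional, Tuple

# Zone networks as configured in step 3 (/24 masks from the guide).
ZONES = {
    "GREEN": ip_network("10.0.2.0/24"),
    "ORANGE": ip_network("10.0.1.0/24"),
    "RED": ip_network("192.168.30.0/24"),
}

# Services allowed towards RED by default, per the zone description in the guide.
# The port numbers are the standard ones (an assumption; the guide names services only).
DEFAULT_TO_RED = {
    "GREEN": {("TCP", 80), ("TCP", 21), ("TCP", 25), ("TCP", 53), ("UDP", 53)},
    "ORANGE": {("TCP", 53), ("UDP", 53)},
    "BLUE": {("TCP", 53), ("UDP", 53)},
}


class Pinhole(NamedTuple):
    proto: str
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    dport: int


# The three zone pinholes added in section 10.1.
PINHOLES = [
    Pinhole("TCP", "ORANGE", "GREEN", "10.0.1.104", "10.0.2.3", 25),
    Pinhole("TCP", "ORANGE", "GREEN", "10.0.1.104", "10.0.2.3", 110),
    Pinhole("TCP", "ORANGE", "GREEN", "10.0.1.104", "10.0.2.4", 80),
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it lies in no configured zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(proto: str, src_ip: str, dst_ip: str, dport: int,
               pinholes=PINHOLES) -> Tuple[bool, str]:
    """Decide whether a new connection would pass, and report which rule decided."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return False, "address outside every configured zone"
    if src_zone == dst_zone:
        # Assumption: hosts in one zone talk directly; the firewall is not in the path.
        return True, "intra-zone traffic, firewall not consulted"
    if src_zone == "RED":
        return False, "inbound from RED is blocked by default"
    if dst_zone == "RED":
        if (proto, dport) in DEFAULT_TO_RED.get(src_zone, set()):
            return True, f"{src_zone} -> RED {proto}/{dport} allowed by default"
        return False, f"{src_zone} -> RED {proto}/{dport} not in the default service list"
    if src_zone == "GREEN":
        return True, "GREEN may reach any other zone (source NATed)"
    for rule in pinholes:  # ORANGE/BLUE -> GREEN needs an explicit pinhole
        if (rule.proto == proto and rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.src_ip == src_ip and rule.dst_ip == dst_ip and rule.dport == dport):
            return True, f"pinhole {rule.src_ip} -> {rule.dst_ip}:{rule.dport}/{rule.proto}"
    return False, f"{src_zone} -> {dst_zone} is blocked by default (no matching pinhole)"


def exposed_green_services(pinholes=PINHOLES):
    """For review: which ports each GREEN host has opened to the DMZ through pinholes."""
    out = {}
    for rule in pinholes:
        out.setdefault(rule.dst_ip, set()).add((rule.proto, rule.dport))
    return out


if __name__ == "__main__":
    for flow in [("TCP", "10.0.1.104", "10.0.2.3", 25), ("TCP", "10.0.1.50", "10.0.2.3", 25),
                 ("TCP", "192.168.30.254", "10.0.2.3", 25), ("UDP", "10.0.1.104", "192.168.30.254", 53)]:
        print(flow, is_allowed(*flow))
```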
10.2 Enable the Outgoing Traffic Rules (Egress Filtering)
Egress filtering ensures that unauthorized traffic does not leave the network. Internal data should
not be made publicly available except through services such as DNS, the web server and the mail
server, amongst a few others. Note that in a production environment every application that needs
Internet access may require a change to the firewall rules/policy.
10.3 Enable the Incoming Traffic Rules (Ingress Filtering)
The incoming firewall rules dictate what kind of connections are allowed to pass through the
firewall. This is often required for services such as SSH, FTP, SMTP, etc.
11. Enabling Antivirus
Endian makes use of the ClamAV antivirus. ClamAV is an open source virus scanner that can be used
to scan all incoming traffic for viruses. Endian Firewall lets you configure the most important features.
In the ClamAV configuration box you can set the way ClamAV handles incoming archives. The
options are described below:
Max. archive size
Sets the maximum archive size in megabytes that ClamAV will scan.
Max. nested archives
Specifies the maximum depth of nested archives ClamAV will scan.
Max. files in archive
ClamAV will not scan archives that contain more files than specified here.
Handle bad archives
With the 'Do not scan but pass' radio button selected, all archives that fail to comply with any of
the parameters described above will not be scanned but will still pass. You can change this
behaviour by selecting 'Block as virus'.
Block encrypted archives
ClamAV cannot scan encrypted archives. If you do not want encrypted archives to pass the virus
check, tick this on.
You can also change the update interval of your ClamAV signature database by selecting the
appropriate interval type in the ClamAV signature update schedule section.
Ensure that your settings look similar to the following screenshot.
12. Enable File Attachment Filtering and SPAM Blocking Configuration
a. Click the Proxy tab on the top menu and select SMTP from the left menu. Click the File Extensions
menu. You will see a window as shown below.
As an example, we will set the SMTP proxy to block all email attachments with a '.bat' extension.
Typically you would want to block more than just '.bat' files, e.g. .exe, .pif, etc. This should be
driven by the organization's security policies.
Change 'Email used for notification on banned files (Admin)' to '[email protected]'
Select 'Banned files destination' BOUNCE.
Hit 'Save Changes and Restart'.
The anti-spam module uses SpamAssassin and amavisd-new to filter out spam. Make sure that your
settings look like the images shown below, which are the defaults.
Hit 'Save Changes and Restart'.
Click the 'Main' tab to get the following screen, and tick the checkboxes shown in the figure below.
Click the 'Domains' tab. Enter the values as shown below:
Click 'Save and Restart'.
13. Providing VPN Access
Virtual Private Networks, or VPNs, allow two networks to connect directly to each other over another
network such as the Internet. All data is transmitted securely over an encrypted tunnel, hidden from
prying eyes. Similarly, a single computer can connect to another network using the same facilities.
Endian Firewall can easily establish VPNs to other Endian Firewalls. EFW can also interoperate with
just about any VPN product that supports OpenVPN, IPSec and standard encryption technologies such
as 3DES. VPN connections in Endian Firewall are defined as Net-to-Net (Gateway-to-Gateway) or
Host-to-Net (Roadwarrior).
Net-to-Net (or Gateway-to-Gateway) VPNs link two or more private networks across the Internet by
creating an encrypted "tunnel".
We speak of a Host-to-Net connection when Endian Firewall is on one end of the VPN tunnel and a
remote or mobile user is on the other end. The mobile user is most likely a laptop user with a dynamic
public IP address assigned by an ISP, hence the terms Host-to-Net or Roadwarrior.
OpenVPN is an SSL/TLS based virtual private network solution. It is much easier to set up than other
VPN solutions.
13.1 GLOBAL SETTINGS
The steps to set up an OpenVPN server in the Host-to-Net scenario are described below:
OpenVPN Server enabled
Select this to enable the OpenVPN server on Endian.
IP Pool
Specify the start and end addresses of an IP range from the GREEN network that is to be assigned
to the OpenVPN clients connecting to the server.
Port
Specify the port on which OpenVPN will listen for incoming requests.
Protocol
Lets you change the protocol from UDP to TCP.
NOTE: The protocol will be TCP in our case, so select TCP.
Block DHCP responses coming from tunnel
Select this option if you do not want the remote DHCP server to assign IP addresses to the local
workstations within the GREEN network. In our case the IP addresses are static, so this should not
be ticked.
CA Certificate
The textual representation of the Certification Authority certificate. This is required on every
OpenVPN client that wants to connect to our OpenVPN server.
Download CA Certificate
By clicking this link you can download the CA certificate, which each OpenVPN client needs in
order to connect to your OpenVPN server. Go ahead and click it to obtain it.
Just below the Global Settings box there is a window for managing the accounts that can connect
to the OpenVPN server. All known users are listed here. The following settings should be selected
for each user:
Configure Networks
Clicking here redirects you to another window that lets you specify the user's network settings.
Enabled icon
If the icon is already clicked, the user is enabled; otherwise enable her by clicking it.
Trash can icon
Used to delete the user.
Pencil icon
Used to edit the account.
Click the Add Account button, which redirects you to another window; the details are given
below:
13.2 ADD ACCOUNT
When a new account is created, the following account settings are available:
Username: Type in the username that you want.
Password: Select a password for the new account.
Verify Password: Type in the same password again.
Remote network: Not required in our case, because the remote client that connects to this network
is in bridged mode. Otherwise, specify the network address of the remote GREEN network (10.0.2.1)
to allow Endian to create correct routing table entries.
Remote Network Mask: Fill in the netmask of the remote client if it is configured in routing mode.
Use this firewall as default gateway: Tick this on to allow the remote client to create routing
entries so that all traffic is tunnelled through the VPN to the EFW, where it can then leave via the
RED interface. This is useful on roadwarriors to enforce security policies: otherwise the remote side
certainly has its own Internet connection, and a possible intruder may come in through the VPN and
compromise the local GREEN network. This option does the following on the remote side:
1. Creates a host route that sends all traffic with our RED IP address as destination to the IP
address that is used as the default gateway.
2. Removes the default route entry.
3. Creates a new default route entry with our GREEN IP address as gateway.
push route to blue zone: This option grants the new user access to your BLUE zone.
Note: This option is only available if you have configured your BLUE zone.
push route to orange zone: This option grants the new user access to your ORANGE zone.
Note: This option is only available if you have configured your ORANGE zone.
You will finally see a screen as below:
13.3 Connection status and control
This shows all currently connected users and their details, such as login time. The table gives the
following information:
User: The name of the user that is connected to the server.
Assigned IP: The IP address the server has assigned to the client. This address belongs to the
GREEN IP range configured above.
Real IP: The real public IP address of the connected client.
RX: The data volume that has been received through this tunnel.
TX: The data volume that has been transmitted through this tunnel.
Connected since: The timestamp at which the client connected.
Uptime: How long the respective client has been connected.
The following actions can be performed on each connected user:
Kill: Kills the connection immediately. The user can reconnect, and this will happen, since the
OpenVPN client on the remote side automatically reconnects as soon as it notices the disconnect,
which can take up to a couple of minutes.
Ban: Bans the user. This deactivates and then kicks the user in one go. The user cannot reconnect.
At this point the remote Roadwarrior VPN client should be configured using OpenVPN. Use the
configuration file supplied with the software for this.
Verification
1. Content Filtering
Log onto Marshall (10.0.2.3) using Remote Desktop Connection from Launchpad by supplying the
following:
Username: Administrator
Password: tartans
Open Internet Explorer and try to browse to the website http://10.0.1.104/ . This website is hosted on
Franks 2003 and will be displayed properly.
Now try to open a page that contains inappropriate and forbidden content for the target users. To do
this, enter http://10.0.1.104/content.html . You should get an 'Access Denied' error as displayed below.
2. Blocking Email with attachments having an undesired file extension
Open Outlook Express on Marshall and Franks 2003. Send an email from Marshall to Franks 2003 with
an attachment having a .bat extension (use the Browse button, for example c:\attach.bat; create a
dummy file if it is missing). You can also email from Franks to Marshall, since the requests go via
EFW.
To Address: [email protected]
Subject: Specify any subject if required
Click on 'Send'.
Check whether a new email has arrived on Franks 2003. It should have been banned by EFW, as shown
below. The email was banned because .bat was blacklisted.
3. Intrusion Detection
Log into CentOS (Outside_host) with -
Username: 'root'
Password: 'tartans'
Open the 'Terminal' by clicking the icon on the Desktop.
At the shell prompt give this command (ignore the #)
#nmap -sT 192.168.30.1
Nmap is a popular port scanner, which we use here to scan the TCP ports of the network perimeter at
the IP address 192.168.30.1 (RED).
Next, click 'Logs' from the top menu and select IDS Logs from the left menu bar. You will see Port
Scan warnings from the CentOS system, which is external to the network. A full sample report is given
in the screenshot below.
4. Confirm that logging is working
Click 'Logs' on the top menu and choose some of the options from the left pane. The Firewall Log
Viewer, which can be opened by clicking 'Firewall Logs', is shown in the screenshot.
You can also see the logs for Content Filtering by clicking 'Content Filter Logs'.
5. View the Services Running
Click 'Status' on the menu on top. The screenshot summarizes the various states of a service,
including RUNNING and STOPPED.
Beyond the essential security procedures described here, the other features of EFW, taken together,
make it a useful bundle of software.