Professional Documents
Culture Documents
I. INTRODUCTION
The next generation of routers is increasingly becoming
virtual appliances. A number of vendors already have virtual
appliances on the market, Cisco has the Cisco Cloud Services
Router, and Palo Alto has a PAN-OS both companies offer an
impressive suite of tools such as malware blocking, virus
protection, spyware protection, data filtering, deep packet
inspection and promises of vulnerability detection. To fully get
an understanding of the functionality, security and
performance of a virtual appliance I built a virtual router from
a vendor that allowed a fully functional trial/Personal
evaluation.
The Halon security router (SR) is a network and software
distribution based off the OpenBSD Operating system. The
SR uses a single revision managed, clear-text configuration
file uses atomic commits meaning there is never a need for a
reboot even for rollbacks of changes [1] this is important for
production environments due to the cost of downtime. The SR
also has built in clustering meaning if one system fails there is
no downtime; this is if clustering is configured. Clustering
was not tested in the VM due to the fact reliable results could
not be obtained at this time. The SR also has a fully featured
load balancer (up to layer 7, with SSL acceleration)
I have a matrix of what constitutes a reboot/reset for soft
commits and how changes are applied to the system on figure
1.
Figure:1
II. Setup
The main operational requirement for deploying a virtual
router is that router functionality should not deteriorate as a
result of implementing a virtualized solution this includes
performance as well as security.
The system being evaluated as a virtual secure router is a
mix of open system scripts, patches, and closed backend
source code. The software can be installed on a number of
platforms such as Mac OS X, Linux/BSD, Microsoft
Windows, and virtual machines such as VMware and Oracles
Virtual box. The version that was used for my evaluation and
summary was halon-vsr-i386.vmdk installed within Oracles
virtual box version 4.3.12 r3733 on a Mac OS X version
10.9.5. The system deployed itself with ease. The Virtual box
settings were as follows: System base memory 4gb, video
memory of 16mb, and storage of 20gb. One virtual CPU was
allocated to the VM. The configuration was straight forward a
web address was given by the install to log into for further
configuration via a web UI. For the evaluation I wanted to
focus more on vulnerability detection and prevention in a
virtualized router situation. I did set up 3 virtual machines to
test various functions of the router capabilities. IP addresses
for my three virtual machines were 192.168.1.9, 192.168.1.12,
192.168.1.11 the .9 and .12 with the 192.168.1.9 having the
virtual cluster setup.
intercept data from the physical network and inject data into it,
effectively creating a new network interface in software. Even
though technically, everything that can be done using internal
networking can also be done using a bridged networking, there
are security advantages with internal networking.
In a bridged network mode, all traffic goes through a
physical interface of the host system. It is possible to attach a
packet sniffer such as wireshark to the host interface and log all
traffic going through it. If the goal is for the virtual machines
to communicate privately, hiding the data from both host
system and user, a bridged networking configuration is not an
option. I would not recommend this setup for a production
environment, but it served as a research testbed perfectly,
giving me the ability to really evaluate and analyze the traffic.
Figure 4: Bridged adapter allowing network connectivity
Figure 3:
IV. Configuration
One of the most attractive features of the halon router is the
configuration feature. The Configuration is stored in a
revision-managed database.
Every new configuration is saved, it is committed to the
database. The running configuration is shown by checking out
the latest configuration (like a feature MS word or excel has)
the latest configuration is called the HEAD, each revision is
associated with a revision number. Each revision is
incremented, by increasing numbers. When a user commits a
configuration, it is first applied (meaning its made effective) if
it is successful it is saved in the database.
New configuration events are transformed into event keys,
which have an ID and values. Whenever new keys are
generated they are compared to the running configuration keys,
which contain an event list. If a user commits a configuration
that contains no differences in keys an error is given.
When the system boots the latest revision is checked out
and compared to the last list of keys, which should be empty,
meaning every change needed to bring the system to the state
requested by the configuration is done.
V. WEB UI SECURITY
The web interface for the Halon SR was reviewed for
security flaws using two web vulnerability scanners for
scanning the public facing demo site. Kali Linux was used for
scanning the Web UI for vulnerabilities. The first scan was
done using OWASP Zap; there were no high alerts, however
Vega listed one finding as a high risk. The initial evaluation
was done scanning the public facing demo site. Kali Linux
was used for scanning the Web UI for vulnerabilities. The first
scan was done using OWASP Zap; there were no high alerts,
however Vega listed one finding as a high risk. Session
Cookie without Secure flag, the impact is that cookies can be
exposed to network eavesdroppers. Session cookies are
authentication credentials; attackers who obtain them can get
unauthorized access.
Figure 10:
The ability to set up IPsec was also very intuitive in the fact
that with just a few searches one can come up with usable
settings for setting up IPsec for their personal network. IPsec is
very important especially in todays climate of constant
network breaches. The internet protocol (IP) does not provide
protection to transferred data. It does not guarantee that the
sender is who you think they are. IPsec attempts to solve the
problem of securing IP traffic. The CIA triad of confidentiality,
integrity and availability is at the heart of information security.
IPsec supports them in a uniform matter, such as
[3] VirtualBox"Chapter13.SecurityGuide."Chapter13.Security
Guide.N.p.,n.d.Web.17Oct.2014.
[4] Wilmsmeier, Gordon. "Determinants of Liner Shipping Network
Configuration: A Two-region Comparison." GeoJournal 76.3
(2011): 213-28. Web.