
Securing The Perimeter and Providing Secure Remote Access with Endian Firewall

Endian Firewall (EFW) is a turn-key Linux security distribution that transforms a system into a standalone, fully featured security appliance. Its biggest advantage is that it bundles several packages together, which makes it easy to use: through a series of easy-to-configure menus, the administrator's command-line work is replaced by point-and-click configuration. EFW is open source software, licensed under the GNU GPL. Some of the off-the-shelf features offered are:

1. Stateful Packet Inspection Firewall
2. Application Level Proxies for various protocols (HTTP, FTP, POP3, SMTP)
3. Antivirus support
4. Virus and Spam Filtering for email traffic
5. Content Filtering of Web Traffic
6. Establishment of zones (DMZ, Trusted, Wireless, etc.)
7. Easy VPN Solution

Endian Firewall consists of the four interfaces listed below:

1. RED interface: The interface that connects the firewall to the outside world, most often the Internet. Endian supports many types of RED interfaces.
2. ORANGE interface: Defines the untrusted network such as the Demilitarized Zone (DMZ). Such an interface can be used to host computers, such as the Web Server, which do not need to be in the protected internal zone.
3. GREEN interface: The trusted network which hosts the machines that are not to be exposed. Any network information that originates from this zone is masked before it leaves it.
4. BLUE interface: Specially designed for the wireless hosts on the network.

Unless otherwise configured, the firewall blocks all traffic coming from outside by default. Since GREEN is the trusted network, traffic originating from it is allowed to pass to any other zone (BLUE/ORANGE). However, for each pass from one zone to another, NAT is performed to hide the source address of the sender in the GREEN zone. On the destination side, all access is blocked by default except for the RED interface. Still, only some standard services (HTTP, FTP, SMTP, DNS) are allowed by default when accessing from the GREEN zone, and only DNS when accessing from the BLUE and ORANGE zones.

The network setup consists of six machines, as shown in the diagram. The details are:

1. Endian Firewall Community (EFW): A Linux based distribution that serves as the perimeter security appliance for the network. It has four interfaces, but we will be using only three, with the IP addresses 192.168.30.1 (RED), 10.0.2.1 (GREEN) and 10.0.1.1 (ORANGE).
2. Franks: An IIS server which serves web pages to the other hosts. Franks is in the ORANGE zone.
3. Ike: A Domain Controller that supports Marshall under the AIA domain. It is in the GREEN zone. IP address: 10.0.2.4.
4. Marshall: A Mail Exchange Server, responsible for providing SMTP and POP3 services within the network. This is also in the GREEN zone.
5. VTE Launchpad: A Windows 2003 machine that allows remote access to the other computers and is used for configuration. IP address: 10.0.254.254.
6. IRH_Outside_host: A CentOS machine connected to the RED interface of Endian. IP address: 192.168.30.254.

1. Boot up the Virtual Machines


Fire up the EFW_Community Firewall, Franks, Ike, Launchpad, Marshall and Outside_host virtual machines. EFW is configured with a default IP address of 192.168.0.15 on br0, the default bridge. This address should be used to configure it initially. The boot order should be:

1. EFW
2. Ike
3. Marshall
4. Launchpad
5. Franks
6. Outside_host

EFW's username is 'root' and the password is 'endian'. The username for the other machines is 'Administrator' and the password is 'tartans'.

2. Log onto Launchpad


Start by logging onto Launchpad with the following credentials:

Username: Administrator
Password: tartans

Since the IP address of Launchpad is 10.0.254.254, it is not on the same subnet as Endian. Endian can be configured ONLY by hosts that are on the GREEN interface, so we have to change the IP settings of Launchpad to put it in this zone. Follow these steps on Launchpad:

1. Double click the 'Local Area Connection' icon on the task bar. Click Properties.
2. Select TCP/IP from the listbox.
3. On the 'Local Area Connection Status' window, click the 'Properties' button.
4. Change the IP address from 10.0.254.254 to 192.168.0.254, to match Endian's subnet. Also change the subnet mask to 255.255.255.0.
5. Clear the 'Default gateway' field.
6. There should not be anything in the DNS server addresses field.
7. Click OK, and click OK again on the Local Area Connection Properties window.
8. Close the Local Area Connection Status window.

Open Mozilla Firefox from the Desktop and browse to http://192.168.0.15. Click OK when it prompts you with a Domain Name Mismatch error. You will get to the screen shown below.

1. Click the '>>>' button to proceed.
2. By default the language will be English and it will prompt you for a timezone. You may enter America/Chicago and hit '>>>'.
3. On the next screen, tick the checkbox after reading the License Agreement. Click '>>>'.
4. We do not want to restore a backup, so click '>>>'.
5. Set the Admin and root (console) password to 'endian' for simplicity. Such a password should not be used for anything other than testing, and certainly not in production environments.

3. Configure the EFW Network Interfaces


Since we want to customize Endian for our network, it is necessary to reconfigure the setup. From Launchpad, continue with the following steps.

i. Assign a static IP address to all the interfaces. RED is the interface facing the outside, insecure and dangerous Internet. For a different type of Internet connection (such as ADSL for a home user or ISDN for a business), choose the appropriate option. The subsequent steps will remain the same, but the configuration will vary when Endian presents other settings later. For example, when IP addresses are assigned dynamically using DHCP, Endian will need to be configured to behave as a DHCP server. Select 'ETHERNET STATIC' from the options shown in the diagram.

ii. Do the same for the ORANGE interface, the interface connected to the DMZ network. As shown below, select Orange, which will serve as our DMZ. Several hosts, including the Web Server, will run on it. Note that the Mail Exchange Server is on the GREEN network since we do not want to expose it to the outside world. It should not be confused with a mail service for clients, but thought of as a mechanism for networked users to exchange emails within the boundaries of the environment.

iii. Assign a static IP address to the GREEN interface, the interface connected to the trusted and protected internal network. Note that we are reconfiguring the IP addresses to suit our network's needs.

Green interface
IP Address   : 10.0.2.1
Network Mask : 255.255.255.0

Orange interface
IP Address   : 10.0.1.1
Network Mask : 255.255.255.0

Change the 'Hostname' field to 'Endian' and click '>>>'.

iv. The RED interface is the gateway to the external world; it connects the inner network to the Internet. Since the controlled lab environment does not allow access to the Internet, we will use a separate 192.168.30.1 interface to distinguish it from the ORANGE and GREEN networks. Assign a static IP address to the RED interface as shown below.

Red interface
IP Address      : 192.168.30.1
Default Gateway : 192.168.30.1
Network Mask    : 255.255.255.0

Click the '>>>' button to proceed to the next screen.

v. Add 10.0.2.4 as the DNS server in both entries. This is because 10.0.2.4 (Ike) is our webserver. DNS resolution is not necessary to open the website on Ike, so we just use the IP address and specify it as the DNS namespace.

vi. Finally, apply the configuration by clicking OK. You may go back anytime to make changes by clicking '<<<'.

vii. Configuration is now complete. Despite the note on the resulting page, you will not be redirected, and you will no longer be able to log onto the EFW interface from Launchpad. This is because we have configured Endian to accept connections from a new zone. When the screen looks like the one below, close the web browser.

4. Connect to Ike from Launchpad


Restore the IP address of Launchpad by going into the Local Area Connection Properties and setting the IP address back to the original 10.0.254.254, the default gateway to 10.0.2.1 and the DNS server to 10.0.2.4. Now Launchpad is in the same network as Ike. Launchpad will be used to connect to Ike via Remote Desktop Connection (Start -> All Programs -> Remote Desktop Connection). Endian has to be configured either through its console or from another host on the trusted GREEN subnet. Ike is hosted on the GREEN interface and thus serves as a good configuration machine. You will be unable to use Launchpad for further transactions after the changes mentioned previously are incorporated. In the Remote Desktop Connection, use the following to log in:

IP address: 10.0.2.4
Username: administrator
Password: tartans

Next, open Internet Explorer and enter http://10.0.2.1 in the address box. This is Endian's IP address.

1. Click Yes if it prompts you to view pages over a secure connection.
2. You will be asked to view a certificate, which you may check to verify that the server is legitimate. Click 'Yes' on the Security Alert screen to proceed further.
3. Log onto Endian with username 'admin' and password 'endian'. You will be challenged with the screen given below.

You should see the following page after you are connected:

If there is a problem while connecting to the firewall, the connection will be highlighted in red and the status will show Failed. This could be because Endian has not been powered on. Sometimes reconnecting and refreshing helps. If the status continuously shows 'Connecting' in yellow, then the RED interface is not configured properly (especially when the IP addresses do not match and differ from the default assigned ones in the 192.168.X.X range).

5. Configure The Proxy Server


i. Endian's proxy server has two advantages. First, it allows indirect network connections to other network services and filters them based on content, permissions, malicious activity, etc. Second, it employs a cache mechanism where a page is cached upon access; this improves network throughput, as repeated requests do not burden the network.

ii. HTTP Proxy settings: Click the 'Proxy' tab on the top menu. Enable the web proxy for the DMZ as well as the trusted network. Allow only the http (80), Squid (800), https (443) and ntop (3001) ports. Delete the rest of the entries from the textboxes. Enable 'Log' and 'Log user agents' by clicking the '>>' button below the 'Log Settings' category.

iii. Enable the proxy for the trusted/protected (GREEN) and DMZ (ORANGE) networks.

Allowed Ports: 80 (http), 800 (Squid)
Allowed SSL ports: 443 (https), 3001 (ntop)

iv. Cache management parameters can be set by specifying the size of the cache, etc., in the textboxes.

v. Also tick the checkbox 'Contentfilter Enabled'.

vi. Network Based Access Control: Scroll down the proxy page and configure the settings described in the image above, under Network based Access Control. This step is very important; if omitted, it will lead to 'Access Denied' errors while transacting over the network. Note that you have to select the 'Allow Access from ORANGE to GREEN' checkbox. Finally, click the 'Save and Restart' button at the bottom of the page.

6. Enabling Content Filtering and Antivirus


For a typical office network, you would not want employees to surf the Internet for objectionable material. We will set these parameters in 'Http Content Filter'. Click the 'Content Filter' tab on top. Tick the topics you want to restrict access to. Your settings should resemble the ones shown below, and should be even more stringent in highly critical network environments. Set the 'Max. Score' to 60. Finally, save the changes.

7. Stateful Packet Inspection


You don't have to change any settings for this. Select 'Status' from the top menu and click 'Connections' in the left menu. Below is a screenshot showing some ESTABLISHED and some terminated (TIME_WAIT) states. If malicious activity is suspected, it is useful to look at these connections, as they reveal the open connections and the machines which might be participating in the attack.

8. Enable Intrusion Detection System (Snort)


Incidents detected by the EFW IDS are shown in the screenshot that follows. By default, the IDS is inactive after a fresh install and needs to be activated manually. Go to the 'Services' tab on the top menu and select 'Intrusion Detection' from the left menu bar. Enable the IDS for the different zones, that is, RED, ORANGE and GREEN, by ticking the corresponding checkboxes. In a production environment, you would also want to subscribe to appropriate signature update services.

9. Enable Logging


Usually, if Endian Firewall has a public IP address and is therefore the door to the outside, there will be packets blocked by the firewall. Not all of these are hostile attempts from attackers, but they will nevertheless be logged and create a lot of data. Here you have the possibility to globally configure what you would like to be logged and what is to be omitted. Click the 'Logs' tab in the top menu, then click 'Log Settings' in the left menu, and enable the following firewall security related log settings:

Log packets with BAD constellation of TCP flags
TCP allows everybody to set flags in constellations which make no sense at all. Such constellations may confuse firewalls and/or computers in general and allow an attacker to gather more information than you would like to share; port scanners in particular do this. Endian Firewall blocks such attempts. Tick this on if you want to have them logged. You will find such attempts in the firewall log as packets which passed the chain BADTCP.

Log portscans
You may enable portscan detection by ticking this checkbox. Portscan detection is performed using the netfilter psd match. You will find the logged portscans in the firewall log as packets which passed the chain PORTSCAN.

Log NEW connections without SYN flag
Packets which establish a TCP connection must have the SYN flag set. If it is not set, the packet is not sane. Endian Firewall will block such packets, and you can log the attempts if you tick this checkbox.

Log refused packets
If you tick this on, Endian Firewall will log all connection attempts which it has denied. Since Endian Firewall by default denies all connection attempts and allows only what you have defined, this will certainly lead to a lot of unneeded data, so you may toggle it off. It can be useful to find out which ports you need to open for applications that use ports you don't know.

Log accepted outgoing connections
Tick this on if you would like to globally log all connections which have successfully passed Endian Firewall without being dropped. You can use this to test whether your newly created rules are correct, as it lets you see the connections made by your applications.

Summaries can be generated periodically and are configurable as separate tabs in the menu on the left (one for each facility). The figure below shows the general settings for logs. Remember to click Save at the bottom when finished.
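To show what the BADTCP and PORTSCAN chains described above look like once they reach the firewall log, here is an added Python example (not from the guide or from Endian) that parses constructed log lines in the standard netfilter LOG layout and flags the source addresses worth examining. The chain-name-as-prefix layout and the "DROP" prefix for refused packets are assumptions of this example.

```python
import re
from collections import defaultdict
from typing import Any, Dict, List, Optional

# Constructed sample log (not copied from a real Endian installation). It
# assumes the standard netfilter LOG layout, with the chain the packet passed
# (BADTCP, PORTSCAN, ...) as the log prefix; "DROP" is a made-up prefix
# standing in for refused packets.
SAMPLE_LOG = """\
Mar  3 10:15:01 endian kernel: PORTSCAN IN=eth0 OUT= SRC=192.168.30.254 DST=192.168.30.1 PROTO=TCP SPT=51234 DPT=22 SYN
Mar  3 10:15:01 endian kernel: PORTSCAN IN=eth0 OUT= SRC=192.168.30.254 DST=192.168.30.1 PROTO=TCP SPT=51235 DPT=80 SYN
Mar  3 10:15:02 endian kernel: BADTCP IN=eth0 OUT= SRC=192.168.30.254 DST=192.168.30.1 PROTO=TCP SPT=51236 DPT=443 FIN URG PSH
Mar  3 10:15:02 endian kernel: DROP IN=eth0 OUT= SRC=192.168.30.254 DST=192.168.30.1 PROTO=TCP SPT=51237 DPT=3389 SYN
Mar  3 10:16:30 endian kernel: DROP IN=eth1 OUT= SRC=10.0.1.104 DST=10.0.2.3 PROTO=TCP SPT=40000 DPT=143 SYN
Mar  3 10:17:00 endian kernel: DROP IN=eth2 OUT= SRC=10.0.2.4 DST=10.0.2.1 PROTO=UDP SPT=5353 DPT=5353
"""

# The chain name is the first token after "kernel:", followed by KEY=VALUE fields.
LINE_RE = re.compile(r"kernel:\s+(?P<chain>[A-Z_]+)\s+(?P<fields>IN=.*)$")


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Split one firewall log line into chain, KEY=VALUE fields and TCP flags."""
    m = LINE_RE.search(line)
    if m is None:
        return None  # not a netfilter line (e.g. squid or sshd messages)
    rec: Dict[str, Any] = {"chain": m.group("chain"), "flags": []}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
        else:
            rec["flags"].append(token)  # bare tokens such as SYN, FIN, URG
    return rec


def summarize(log_text: str, scan_threshold: int = 3) -> Dict[str, List[str]]:
    """Group events by source address and return the reasons each one stands out."""
    per_src = defaultdict(lambda: {"chains": set(), "dports": set(), "count": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "SRC" not in rec:
            continue
        entry = per_src[rec["SRC"]]
        entry["count"] += 1
        entry["chains"].add(rec["chain"])
        if "DPT" in rec:
            entry["dports"].add(int(rec["DPT"]))

    findings: Dict[str, List[str]] = {}
    for src, entry in per_src.items():
        reasons = []
        if "PORTSCAN" in entry["chains"]:
            reasons.append("netfilter psd match fired (chain PORTSCAN)")
        if "BADTCP" in entry["chains"]:
            reasons.append("bad TCP flag constellation (chain BADTCP)")
        if len(entry["dports"]) >= scan_threshold:
            # Many distinct blocked ports from one source is scan-like even
            # when the psd match did not fire.
            reasons.append(f"{len(entry['dports'])} distinct destination ports "
                           f"in {entry['count']} blocked packets")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in summarize(SAMPLE_LOG).items():
        print(src)
        for reason in reasons:
            print("  -", reason)
```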

10. Enabling the Firewall


Click the Firewall tab and select 'Zone PinHoles' from the menu on the left.

10.1 Zone Pinholes

This subsection allows you to configure the Zone Pinholes settings for Endian Firewall. A DMZ or Demilitarized Zone (ORANGE zone) is used as a semi-safe interchange point between the external RED zone and the internal GREEN zone. The GREEN zone has all the internal machines; the RED zone is the Internet at large. The DMZ allows them to share servers without allowing undue access to the internal LAN by those in the RED zone. In a traditional firewall setup this wouldn't work, because the request for access to the GREEN zone would be initiated from outside the GREEN zone. You certainly do not want to give all your customers direct access to the machines on the GREEN side. This can, however, work by using the DMZ and zone pinholes. It is often required, for example, if a trusted database is to be accessed from time to time for some update transaction.

Zone pinholes thus give machines in the ORANGE (DMZ) zone (and also the BLUE zone) limited access to certain ports on GREEN machines. Configure the settings to look like the screenshot given below.

Click 'Add new Rule' and make the following configuration:
Protocol: TCP/UDP (TCP in our case)
Source Net: ORANGE
Destination Net: GREEN
Source IP: 10.0.1.104
Destination IP: 10.0.2.3
Destination port: 25

Click 'Add new Rule' once again and use:
Protocol: TCP/UDP (TCP in our case)
Source Net: ORANGE
Destination Net: GREEN
Source IP: 10.0.1.104
Destination IP: 10.0.2.3
Destination port: 110

Click 'Add new Rule' once again and use:
Protocol: TCP/UDP (TCP in our case)
Source Net: ORANGE
Destination Net: GREEN
Source IP: 10.0.1.104
Destination IP: 10.0.2.4
Destination port: 80
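The zone policy these pinholes refine, as an added example that is not part of the original guide: a small Python model of the default zone behaviour described in the introduction (GREEN may reach any zone, ORANGE reaches GREEN only through a pinhole, RED is blocked) combined with the three rules entered above, so you can check which connections the firewall should admit before testing them. The /24 zone subnets and the port numbers for the default services (HTTP 80, FTP 21, SMTP 25, DNS 53) are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Zone subnets as configured in this lab (interface addresses from the guide;
# the /24 masks are assumed from the network masks entered in step 3).
ZONES = {
    "GREEN": ip_network("10.0.2.0/24"),
    "ORANGE": ip_network("10.0.1.0/24"),
    "RED": ip_network("192.168.30.0/24"),
}

# Services the guide says are allowed towards RED by default. The port numbers
# for those named services are an assumption of this example.
GREEN_TO_RED_PORTS = {80, 21, 25, 53}   # HTTP, FTP, SMTP, DNS
DMZ_TO_RED_PORTS = {53}                 # only DNS from ORANGE and BLUE


@dataclass(frozen=True)
class Pinhole:
    src_zone: str
    dst_zone: str
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int


# The three zone pinholes entered in step 10.1.
PINHOLES: List[Pinhole] = [
    Pinhole("ORANGE", "GREEN", "tcp", "10.0.1.104", "10.0.2.3", 25),
    Pinhole("ORANGE", "GREEN", "tcp", "10.0.1.104", "10.0.2.3", 110),
    Pinhole("ORANGE", "GREEN", "tcp", "10.0.1.104", "10.0.2.4", 80),
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to the zone whose subnet contains it, or None."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, dst_port: int, proto: str = "tcp",
               pinholes: List[Pinhole] = PINHOLES) -> Tuple[bool, str]:
    """Decide whether a new connection passes the zone policy; returns (verdict, why).

    Simplified model of the defaults described in the guide: GREEN may reach
    ORANGE freely and RED for a few services, ORANGE may reach RED only for DNS
    and GREEN only through a pinhole, and RED is blocked towards everything
    (incoming traffic rules from step 10.3 are not modelled).
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False, "address outside every configured zone"
    if src == dst:
        return True, "same zone, not subject to zone filtering"
    if src == "RED":
        return False, "traffic from RED is blocked by default"
    if dst == "RED":
        allowed = GREEN_TO_RED_PORTS if src == "GREEN" else DMZ_TO_RED_PORTS
        if dst_port in allowed:
            return True, f"{src} -> RED port {dst_port} is a default service"
        return False, f"{src} -> RED port {dst_port} needs an outgoing rule"
    if src == "GREEN":
        return True, f"GREEN -> {dst} is allowed (source NATed)"
    # Remaining case: ORANGE towards GREEN. Only an exact pinhole match on
    # zones, protocol, both addresses and the port opens the connection.
    for ph in pinholes:
        if (
            (ph.src_zone, ph.dst_zone, ph.proto) == (src, dst, proto.lower())
            and ph.src_ip == src_ip
            and ph.dst_ip == dst_ip
            and ph.dst_port == dst_port
        ):
            return True, f"matched pinhole {src_ip} -> {dst_ip}:{dst_port}/{proto}"
    return False, f"{src} -> GREEN is denied without a pinhole"


if __name__ == "__main__":
    # Franks (web server in the DMZ) towards Marshall (mail), Ike (DC) and RED.
    for dst, port in [("10.0.2.3", 25), ("10.0.2.3", 110), ("10.0.2.4", 80),
                      ("10.0.2.3", 143), ("192.168.30.254", 80)]:
        print("10.0.1.104 ->", dst, port, is_allowed("10.0.1.104", dst, port))
```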

10.2 Enable the Outgoing Traffic Rules (Egress Filtering)

Egress filtering ensures that unauthorized traffic does not leave the network. Internal data should not be made publicly available except for services like DNS, web server and mail server, amongst a few others. Note that in a production environment, every application that requires Internet access may require modification of the firewall rules/policy.

10.3 Enable the Incoming Traffic Rules (Ingress Filtering)

The incoming firewall rules dictate what kind of connections are allowed to pass through the firewall. This is often required for services such as ssh, ftp, smtp, etc.

11. Enabling Antivirus


Endian makes use of the ClamAV antivirus. ClamAV is an open source virus scanner that can be used to scan all incoming traffic for viruses. Endian Firewall lets you configure its most important features. In the ClamAV configuration box you can set the way ClamAV handles incoming archives. The options are described below:

Max. archive size: The maximum archive size in megabytes that will be scanned by ClamAV.
Max. nested archives: The maximum depth of nested archives ClamAV will scan.
Max. files in archive: ClamAV will not scan archives that contain more files than specified here.
Handle bad archives: By selecting the 'Do not scan but pass' radio button, all archives that fail to comply with any of the parameters described above will not be scanned but will still pass. You can change this behavior by selecting 'Block as virus'.
Block encrypted archives: ClamAV cannot scan encrypted archives. If you do not want encrypted archives to pass the virus check, tick this on.

You can also change the update interval of your ClamAV signature database by selecting the appropriate interval type in the ClamAV signature update schedule section. Ensure that your settings look similar to the following screenshot.

12. Enable File attachment filtering and SPAM blocking configuration


a. Click the Proxy tab on the top menu and select SMTP from the left menu. Click the File Extensions menu. You will see a window as shown below.

As an example, we will set the SMTP proxy to block all email attachments having the '.bat' extension. Typically you would want to block more than just '.bat' files, e.g. .exe, .pif, etc.; this should be driven by the organization's security policies. Change 'Email used for notification on banned files (Admin)' to 'administrator@aia.class'. Select BOUNCE as the 'Banned files destination'. Hit 'Save Changes and Restart'. The anti-spam module uses SpamAssassin and amavisd-new to filter out spam. Make sure that your settings look like the images shown below, which are the defaults. Hit 'Save Changes and Restart'.

Click the 'Main' tab to get the following screen, and tick the checkboxes shown in the figure below.

Click 'Domains' tab. Enter values as shown below:

Click 'Save and Restart'.

13. Providing VPN Access


Virtual Private Networks or VPNs allow two networks to connect directly to each other over another network such as the Internet. All data is transmitted securely over an encrypted tunnel, hidden from prying eyes. Similarly, a single computer can also connect to another network using the same facilities.

Endian Firewall can easily establish VPNs to other Endian Firewalls. EFW can also inter-operate with just about any VPN product that supports OpenVPN, IPSec and standard encryption technologies such as 3DES. VPN connections in Endian Firewall are defined as Net-to-Net (Gateway-to-Gateway) or Host-to-Net (Roadwarrior). Net-to-Net (or Gateway-to-Gateway) VPNs link two or more private networks across the Internet by creating an encrypted "tunnel". We speak of a Host-to-Net connection when Endian Firewall is on one end of the VPN tunnel and a remote or mobile user is on the other end. The mobile user is most likely a laptop user with a dynamic public IP address assigned by an ISP, hence the terms Host-to-Net or Roadwarrior. OpenVPN is an SSL/TLS based virtual private network solution. It is much easier to set up than any other VPN solution.

13.1 GLOBAL SETTINGS

The steps to set up an OpenVPN server in the Host-to-Net scenario are described below.

OpenVPN Server enabled: Select this to enable the OpenVPN server on Endian.
IP Pool: Specify the start and end IP address of a range from the GREEN network which is to be assigned to the OpenVPN clients connecting to the server.
Port: Specify the port on which OpenVPN will listen for incoming requests.
Protocol: Allows you to change the protocol from UDP to TCP.

NOTE: The protocol will be TCP in our case so select TCP.

Block DHCP responses coming from tunnel: Select this option if you do not want the remote DHCP server to assign IP addresses to the local workstations within the GREEN network. In our case the IP addresses are static, so this should not be ticked.
CA Certificate: The textual representation of the Certification Authority certificate. This is required on every OpenVPN client that wants to connect to our OpenVPN server.

Download CA Certificate: By clicking this link you can download the CA certificate, which is needed by each OpenVPN client in order to connect to your OpenVPN server. Go ahead and click it to obtain it.

Just below the Global Settings box there is a window for managing the accounts that can connect to the OpenVPN server. All known users will be listed here. The following settings should be selected for each user:

Configure Networks: Clicking here redirects you to another window which allows you to specify the user's network settings.
Enabled icon: If it is already clicked the user is enabled; otherwise enable her by clicking it.
Trash can icon: Used to delete the user.
Pencil icon: Used to edit the account.

Click the Add Account button, which will redirect you to another window, the details of which are given below.

13.2 ADD ACCOUNT

When a new account is created, the following account settings are found:

Username: Type in the username that you want.
Password: Select a password for the new account.
Verify Password: Type in the same password again.
Remote network: Not required in our case because the remote client that connects to this network is in bridged mode. Otherwise, specify the network address of the remote GREEN network (10.0.2.1) to allow Endian to create correct routing table entries.
Remote Network Mask: Fill in the netmask of the remote client if it is configured in routing mode.
Use this firewall as default gateway: Tick this on to allow the remote client to create routing entries so that all traffic is tunneled through the VPN to the EFW, where it can then leave through the RED interface. This is useful on roadwarriors to enforce security policies; otherwise the remote side certainly has its own Internet connection, and a possible intruder may come in through the VPN and compromise the local GREEN network. This option does the following on the remote side:

1. Creates a host route which sends all traffic with our RED IP address as destination to the IP address which is used as the default gateway.
2. Removes the default route entry.
3. Creates a new default route entry with our GREEN IP address as gateway.

Push route to blue zone: This option will grant the new user access to your BLUE zone.

Note: This option is only available if you have configured your BLUE zone.

Push route to orange zone: This option will grant the new user access to your ORANGE zone.

Note: This option is only available if you have configured your ORANGE zone. You will finally see a screen as below:

13.3 Connection status and control

This shows all currently connected users and their details such as login time. The table gives the following information:

User: The name of the user that is connected to the server.
Assigned IP: The IP address which has been assigned to the client by the server. This IP address belongs to the GREEN IP range configured above.
Real IP: The real public IP address of the connected client.
RX: The data volume received through this tunnel.
TX: The data volume transmitted through this tunnel.
Connected since: The timestamp when the client connected.
Uptime: The amount of time the respective client has been connected.

The following actions can be performed on each connected user:

Kill: Kills the connection immediately. The user can reconnect, and this will happen automatically, since the OpenVPN client on the remote side reconnects as soon as it recognizes the disconnect, which can take up to a couple of minutes.
Ban: Bans the user. This deactivates and then kicks the user in one go. The user cannot reconnect.

At this point, the remote Roadwarrior VPN client should be configured using OpenVPN. Use the configuration file supplied with the software for this.

Verification
1. Content Filtering
Log onto Marshall (10.0.2.3) using Remote Desktop Connection from Launchpad, supplying the following:

Username: Administrator
Password: tartans

Open Internet Explorer and try to browse to the website http://10.0.1.104/. This website is hosted on Franks 2003 and will be displayed properly. Now try to open a page which contains inappropriate and forbidden content for the target users: enter http://10.0.1.104/content.html. You should get an 'Access Denied' error as displayed below.

2. Blocking Email with attachments having undesired file extension(s)

Open Outlook Express on Marshall and Franks 2003. Send an email from Marshall to Franks 2003 with an attachment having a .bat extension (use the Browse button, for example c:\attach.bat; create a dummy file if it is missing). You can also email from Franks to Marshall, since the requests go via EFW.

To Address: administrator@aia.class
Subject: Specify any subject if required

Click 'Send'. Check whether a new email has arrived on Franks 2003. It should have been banned by EFW as shown below. This email has been banned since .bat was blacklisted.

3. Intrusion Detection

Log into CentOS (Outside_host) with username 'root' and password 'tartans'. Open the 'Terminal' by clicking the icon on the Desktop. At the shell prompt give this command (ignore the #):

# nmap -sT 192.168.30.1

Nmap is a popular port scanner, which we will use here to scan the TCP ports on the network perimeter at IP address 192.168.30.1 (RED).

Next, click 'Logs' from the top menu and select IDS Logs from the left menu bar. You will detect Port Scan warnings from the CentOS system which is external to the network. A full sample report is given in the screenshot below.

4. Confirm that logging is working

Click 'Logs' on the top menu and choose some of the options from the left pane. The Firewall Log Viewer, which can be seen by clicking 'Firewall Logs', is shown in the screenshot.

You can also see the logs for Content Filtering by clicking 'Content Filter Logs'.

5. View the Services Running

Click 'Status' on the top menu. The screenshot summarizes the various states of a service, including RUNNING and STOPPED.

Apart from the necessary security procedures described above, the other features of EFW, taken together, make it a bundle of useful software.
