Endian Firewall (EFW) is a turn-key Linux security distribution that helps transform any system into a standalone, fully featured security device. The biggest advantage of using Endian is that it bundles together several packages, which makes it easy to use. Through a series of easy-to-configure menus, the administrator's command-line work has been transformed into simple point-and-click configuration. EFW is Open Source Software, licensed under the GNU GPL. Some of the off-the-shelf features offered are:
1. Stateful Packet Inspection Firewall
2. Application Level Proxies for various protocols (HTTP, FTP, POP3, SMTP)
3. Antivirus support
4. Virus and Spam Filtering for email traffic
5. Content Filtering of Web Traffic
6. Establishment of zones (DMZ, Trusted, Wireless, etc.)
7. Easy VPN Solution
Endian Firewall consists of the four interfaces listed below:
1. RED interface: The interface that connects the firewall to the outside world, most often the Internet. Endian supports many types of RED interfaces.
2. ORANGE interface: Defines the untrusted network such as the Demilitarized Zone (DMZ). Such an interface can be used to host machines such as the Web Server which do not need to be in a protected internal zone.
3. GREEN interface: The trusted network which hosts those machines that are not to be exposed. Any network information that originates from this zone is masked before it leaves it.
4. BLUE interface: Specially designed for wireless hosts on the network.
Unless otherwise configured, the firewall blocks all traffic coming from outside by default. Since GREEN is the trusted network, traffic originating from it is allowed to pass to any other zone (BLUE/ORANGE). However, for each pass from one zone to another, NAT is performed to hide the source address of the sender in the GREEN zone. On the destination side, by default, all access is blocked except for the RED interface. Still, only some standard services (HTTP, FTP, SMTP, DNS) are allowed by default when accessing from the GREEN zone, and only DNS when accessing from the BLUE and ORANGE zones.
The network setup consists of six machines, as shown in the diagram. The details are:
1. Endian Firewall Community (EFW): A Linux based distribution that will serve as the perimeter security appliance for the network. It has four interfaces, but we will be using only three, given by the IP addresses 192.168.30.1 (red), 10.0.2.1 (green) and 10.0.1.1 (orange).
2. Franks: An IIS server which will serve web pages to other hosts. Franks is in the ORANGE zone.
3. Ike: A Domain Controller that supports Marshall under the AIA domain. It is in the GREEN zone. IP address: 10.0.2.4.
4. Marshall: A Mail Exchange Server responsible for providing SMTP and POP3 services within the network. This is also in the GREEN zone.
5. VTE Launchpad: A Windows 2003 machine that allows remote access to other computers and is used for configuration. IP address: 10.0.254.254.
6. IRH_Outside_host: A CentOS machine connected on the RED interface of Endian. IP address: 192.168.30.254.
1. Click the '>>>' button to proceed.
2. By default the language will be English and it will prompt you for a timezone. You may enter America/Chicago and hit '>>>'.
3. On the next screen, tick the checkbox after reading the License Agreement. Click '>>>'.
4. We do not want to restore a backup, so click '>>>'.
5. Set the Admin and root (Console) password as 'endian' for simplicity. Such a password should not be used for anything other than testing, and certainly not in production environments.
ii. Do the same thing for the ORANGE interface, the interface connected to the DMZ network. As shown below, select Orange, which will serve as our DMZ. Several hosts will run on this network, including the Web Server. Note that the Mail Exchange Server sits on the GREEN network since we do not want to expose it to the outside world. It should not be confused with a mail service for clients, but thought of as a mechanism for networked users to exchange emails within the boundaries of the environment.
iii. Assign static IP address to GREEN interface, the interface connected to trusted and protected internal network. Note that we are reconfiguring the IP addresses to suit our network's needs.
Green interface
  IP Address : 10.0.2.1
  Network Mask : 255.255.255.0
Orange interface
  IP Address : 10.0.1.1
  Network Mask : 255.255.255.0
iv. The RED interface is the gateway to the external world. It connects the inner network to the Internet. Since the controlled lab environment does not allow access to the Internet, we will use the 192.168.30.1 address to differentiate it from the orange and green networks. Assign a static IP address to the RED interface as demonstrated below.
Red interface
  IP Address : 192.168.30.1
  Default Gateway : 192.168.30.1
  Network Mask : 255.255.255.0
v. Add 10.0.2.4 as DNS in both the entries. This is because 10.0.2.4 (Ike) is our webserver. DNS resolution is not necessary to open the website on Ike so we just use the IP address and specify that as the DNS namespace.
vi. Finally, apply the configuration by clicking OK. You may go back anytime to make changes by clicking '<<<'.
vii. Configuration is now complete. Unlike the note on the resulting page suggests, you will not be redirected, nor will you succeed in logging onto the EFW interface from Launchpad anymore. This is because we have configured Endian to accept connections from a new zone. When the screen looks like the one below, close the web browser.
Password: tartans
Next, open Internet Explorer and enter http://10.0.2.1 in the address box. This is Endian's IP address.
1. Click Yes if it prompts you to view pages over a secure connection.
2. You will be asked to view a certificate, which you may check to verify that the server is legitimate. Click 'Yes' on the Security Alert screen to proceed further.
3. Log onto Endian with username 'admin' and password 'endian'. You will be challenged with the screen given below.
You should see the following page after you are connected:
If there is a problem while connecting to the firewall, the connection will be highlighted in red and the status will show Failed. This could be because Endian has not been powered on. Sometimes reconnecting and refreshing helps. If the status continuously shows 'Connecting' in yellow, then the RED interface is not configured properly (especially when the IP addresses do not match and are different from the default assigned ones in the range 192.168.X.X).
5. Configure The Proxy Server
i. Endian's proxy server has two advantages. First, it allows indirect network connections to other network services and filters them based on content, permissions, malicious activity, etc. Secondly, it employs a cache mechanism where a page is cached upon access; this improves network throughput as unnecessary requests do not burden the network.
ii. HTTP Proxy settings: Click on the 'Proxy' tab on the top menu. Enable the web proxy for the DMZ as well as the trusted network. Allow only the http (80), Squid (800), https (443) and ntop (3001) ports. Delete the rest of the entries from the textboxes. Enable 'Log' and 'Log user agents' by clicking the '>>' button below the 'Log Settings' category.
iii. Enable the proxy for the trusted/protected (GREEN) and DMZ (ORANGE) networks:
Allowed Ports: 80 (http), 800 (Squid)
Allowed SSL ports: 443 (https), 3001 (ntop)
iv. Cache management parameters can be set by specifying the size of the cache etc. in the textboxes.
v. Also tick the checkbox 'Contentfilter Enabled'.
vi. Network Based Access Control:
Scroll down the proxy page and configure the settings described in the image above, under Network based Access Control. This step is very important. If omitted, it will lead to 'Access Denied Errors' while transacting over the network. Note that you have to select 'Allow Access from ORANGE to GREEN' checkbox. Finally, click the 'Save and Restart' button at the bottom of the page.
9. Enable Logging
Usually, if Endian Firewall has a public IP address and is therefore the door to the outside, there will be packets that the firewall blocks. Not all of these are hostile attempts by attackers, but they will nevertheless be logged and will create a lot of data. Here you can globally configure what you would like to be logged and what is to be omitted. Click the Logs tab in the top menu, then click the Log Settings tab on the left menu, and enable the following firewall security related log settings:
Log packets with BAD constellation of TCP flags
TCP allows anybody to set flags in combinations which make no sense at all. Such combinations may confuse firewalls and/or computers in general and allow an attacker to gather more information than you would like to share; port scanners in particular do this. Endian Firewall blocks such attempts. Tick this on if you want them logged. You will find such attempts in the firewall log as packets which passed the chain BADTCP.
Log portscans
You may enable portscan detection by ticking this checkbox. The portscan detection is performed using the netfilter psd match. You will find the logged portscans in the firewall log as packets which passed the chain PORTSCAN.
Log NEW connections without SYN flag
Packets which should establish a TCP connection must have the SYN flag set. If it is not set, the packet is not sane. Endian Firewall blocks such packets, and you can log the attempts if you tick this checkbox.
Log refused packets
If you tick this on, Endian Firewall logs all connection attempts which it has denied. Since Endian Firewall by default denies all connection attempts and allows only what you have defined, this will certainly lead to a lot of unneeded data, so you may toggle it off. It may be useful to find out which ports you need to open for applications that use ports you don't know.
Log accepted outgoing connections
Tick this on if you would like to globally log all connections which have successfully passed Endian Firewall without being dropped. You can use this to test whether your newly created rules are correct, as it lets you see the connections made by your applications.
Summaries can be generated periodically and are configurable as separate tabs on the menu on the left (for each facility). The figure below shows the general settings for logs. Remember to click Save at the bottom when finished.
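As an added illustration (not Endian's own code), the following Python script parses firewall log entries for the BADTCP and PORTSCAN chains described above and summarizes them per source address, flagging the nonsensical TCP flag combinations those chains are meant to catch. The sample lines are constructed in iptables LOG style; using the chain name as the log prefix is an assumption, since the text only names the chains.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in iptables LOG style. Using the chain name (BADTCP,
# PORTSCAN) as the log prefix is an assumption; the text only names the chains.
SAMPLE_LOG = """\
Mar 12 10:15:01 efw kernel: BADTCP IN=eth0 OUT= SRC=192.168.30.254 DST=192.168.30.1 PROTO=TCP SPT=44321 DPT=80 WINDOW=1024 RES=0x00 SYN FIN URGP=0
Mar 12 10:15:01 efw kernel: BADTCP IN=eth0 OUT= SRC=192.168.30.254 DST=192.168.30.1 PROTO=TCP SPT=44322 DPT=22 WINDOW=1024 RES=0x00 URGP=0
Mar 12 10:15:02 efw kernel: PORTSCAN IN=eth0 OUT= SRC=192.168.30.254 DST=192.168.30.1 PROTO=TCP SPT=44400 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 12 10:16:10 efw kernel: INPUT IN=br0 OUT= SRC=10.0.2.3 DST=10.0.2.1 PROTO=TCP SPT=50123 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"kernel: (?P<chain>[A-Z_]+) IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?(?P<rest>.*)$"
)
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")

def parse_line(line):
    """Split one LOG entry into its fields; returns None for lines in another format."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    # Set flags appear as bare tokens after RES=...; "URGP=0" is a field, not the URG flag.
    rec["flags"] = frozenset(tok for tok in rest.split() if tok in TCP_FLAGS)
    return rec

def bad_flags(flags):
    """True for flag combinations that never occur in a sane TCP exchange,
    the kind of packet the BADTCP chain is meant to catch."""
    if not flags:                               # no flags at all (NULL probe)
        return True
    if {"SYN", "FIN"} <= flags or {"SYN", "RST"} <= flags:
        return True
    if "FIN" in flags and "ACK" not in flags:   # FIN only makes sense on an established connection
        return True
    return False

def summarize(log_text):
    """Per source address: hits per chain, the distinct destination ports probed,
    and how many entries carried a nonsensical flag combination."""
    report = defaultdict(lambda: {"hits": Counter(), "ports": set(), "bad_flags": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["chain"] not in ("BADTCP", "PORTSCAN"):
            continue
        entry = report[rec["src"]]
        entry["hits"][rec["chain"]] += 1
        if rec["dpt"]:
            entry["ports"].add(int(rec["dpt"]))
        if bad_flags(rec["flags"]):
            entry["bad_flags"] += 1
    return {src: {"hits": dict(e["hits"]), "ports": sorted(e["ports"]),
                  "bad_flags": e["bad_flags"]} for src, e in report.items()}
```

Feeding the real firewall log through summarize() gives the same per-source view the Firewall Logs page shows, but in a form that can be compared across days.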
Zone pinholes thus give machines in the Orange (DMZ) zone (and also BLUE zone) limited access to certain ports on Green machines. Configure the settings to look like the screenshot given below.
Click 'Add new Rule' and make the following configuration:
  Protocol: TCP/UDP (TCP in our case)
  Source Net: ORANGE
  Destination Net: GREEN
  Source IP: 10.0.1.104
  Destination IP: 10.0.2.3
  Destination port: 25
Click 'Add new Rule' once again and use:
  Protocol: TCP/UDP (TCP in our case)
  Source Net: ORANGE
  Destination Net: GREEN
  Source IP: 10.0.1.104
  Destination IP: 10.0.2.3
  Destination port: 110
Click 'Add new Rule' once again and use:
  Protocol: TCP/UDP (TCP in our case)
  Source Net: ORANGE
  Destination Net: GREEN
  Source IP: 10.0.1.104
  Destination IP: 10.0.2.4
  Destination port: 80
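The zone policy described in the introduction together with the three pinholes just added, as a small Python model (an added example, not part of Endian): the zone ranges come from the interface settings above, the default service lists towards RED follow the introductory description, and any address outside the internal ranges is assumed to be RED.

```python
from ipaddress import ip_address, ip_network

# Zone address ranges as configured in this lab (from the interface settings above).
ZONES = {
    "GREEN": ip_network("10.0.2.0/24"),
    "ORANGE": ip_network("10.0.1.0/24"),
    "RED": ip_network("192.168.30.0/24"),
}

# Services the text says are open by default towards RED, per originating zone.
DEFAULT_TO_RED = {
    "GREEN": {80, 21, 25, 53},   # HTTP, FTP, SMTP, DNS
    "ORANGE": {53},              # DNS only
    "BLUE": {53},
}

# The three zone pinholes added in this section:
# (source zone, destination zone, source IP, destination IP, TCP port).
PINHOLES = {
    ("ORANGE", "GREEN", "10.0.1.104", "10.0.2.3", 25),    # Franks -> Marshall SMTP
    ("ORANGE", "GREEN", "10.0.1.104", "10.0.2.3", 110),   # Franks -> Marshall POP3
    ("ORANGE", "GREEN", "10.0.1.104", "10.0.2.4", 80),    # Franks -> Ike HTTP
}

def zone_of(ip):
    """Map an address to its zone; anything outside the internal ranges counts as RED (assumption)."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "RED"

def decide(src_ip, dst_ip, dport):
    """Return (verdict, reason, source_nat) for a TCP connection attempt under the
    default policy described in the introduction plus the pinholes above."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return ("ALLOW", "same zone, never crosses the firewall", False)
    if src == "RED":
        return ("DENY", "inbound from RED is blocked by default", False)
    if src == "GREEN" and dst != "RED":
        # GREEN may reach any other zone; the GREEN source address is NATed on the way.
        return ("ALLOW", "GREEN may reach any internal zone", True)
    if dst == "RED":
        if dport in DEFAULT_TO_RED.get(src, set()):
            return ("ALLOW", f"default service port {dport} towards RED", src == "GREEN")
        return ("DENY", f"port {dport} towards RED is not a default service", False)
    if (src, dst, src_ip, dst_ip, dport) in PINHOLES:
        return ("ALLOW", f"zone pinhole to {dst_ip}:{dport}", False)
    return ("DENY", f"no pinhole from {src} to {dst} for {dst_ip}:{dport}", False)

def check_lab_connectivity():
    """The connections the verification steps of this lab exercise, each with its verdict."""
    attempts = [
        ("10.0.2.3", "10.0.1.104", 80),      # Marshall browsing the site on Franks
        ("10.0.1.104", "10.0.2.3", 25),      # Franks sending mail to Marshall
        ("10.0.1.104", "10.0.2.3", 143),     # IMAP was never pinholed
        ("192.168.30.254", "10.0.2.1", 80),  # outside host reaching the GREEN address
    ]
    return {(s, d, p): decide(s, d, p)[0] for s, d, p in attempts}
```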
10.2 Enable the Outgoing Traffic Rules (Egress Filtering)
Egress filtering ensures that unauthorized traffic does not leave the network. Internal data should not be made publicly available except for services like DNS, webserver, mail server, amongst a few others. It should be noted that in a production environment, every application that demands Internet access may require modification of the firewall rules/policy.
10.3 Enable the Incoming Traffic Rules (Ingress Filtering)
The incoming firewall rules dictate what kind of connections are allowed to pass through the firewall. This is often required for services such as ssh, ftp, smtp, etc.
For example, we will set the SMTP Proxy to block all email attachments having the '.bat' extension. Typically you would want to block more than just '.bat' files, viz. .exe, .pif, etc. This should be driven by the organization's security policies.
Change 'Email used for notification on banned files (Admin)' to 'administrator@aia.class'.
Select 'Banned files destination' BOUNCE.
Hit 'Save Changes and Restart'.
The anti-spam module uses 'Spam Assassin' and 'amavisd-new' to filter out spam. Make sure that your settings look like the images shown below, which are the defaults. Hit 'Save Changes and Restart'.
Click the 'Main' tab to get the following screen. Tick the checkboxes shown in the figure below.
Endian Firewall can easily establish VPNs to other Endian Firewalls. EFW can also inter-operate with just about any VPN product that supports OpenVPN, IPSec and standard encryption technologies such as 3DES. VPN connections in Endian Firewall are defined as Net-to-Net (Gateway-to-Gateway) or Host-to-Net (Roadwarrior). Net-to-Net (or gateway-to-gateway) VPNs link two or more private networks across the Internet by creating an encrypted "tunnel". We speak of a Host-to-Net connection when Endian Firewall is on one end of the VPN tunnel and a remote or mobile user is on the other end. The mobile user is most likely a laptop user with a dynamic public IP address assigned by an ISP, hence the terms Host-to-Net or Roadwarrior. OpenVPN is an SSL/TLS based virtual private network solution. It is much easier to set up than other VPN solutions.
13.1 GLOBAL SETTINGS
The steps to set up an OpenVPN server in the Host-to-Net scenario are described below:
OpenVPN Server enabled: Select this to enable the OpenVPN server on Endian.
IP Pool: Specify the start and end IP addresses of a range from the GREEN network which are to be assigned to the OpenVPN clients connecting to the server.
Port: Specify the port on which OpenVPN will listen for incoming requests.
Protocol: Allows you to change the protocol from UDP to TCP.
Block DHCP responses coming from tunnel: Select this option if you do not want the remote DHCP server to assign IP addresses to the local workstations within the GREEN network. In our case the IP addresses are static, so this should not be ticked.
CA Certificate: The textual representation of the Certification Authority certificate. This is required on every OpenVPN client that wants to connect to our OpenVPN server.
Download CA Certificate: By clicking this link you can download the CA certificate, which is needed by each OpenVPN client in order to connect to your OpenVPN server. Go ahead and click it to obtain it.
Just below the Global Settings box there is a window for managing the accounts that can connect to the OpenVPN server. All the known users are listed here. The following settings should be selected for each user:
Configure Networks: Clicking here redirects you to another window which allows you to specify the user's network settings.
Enabled icon: If it is already clicked the user is enabled; otherwise enable her by clicking it.
Trash can icon: Used to delete the user.
Pencil icon: Used to edit the account.
Click on the Add Account button, which redirects you to another window, the details for which are given below:
13.2 ADD ACCOUNT
When a new account is created the following account settings are found:
Username: Type in the username that you want.
Password: Select a password for the new account.
Verify Password: Type in the same password again.
Remote network: Not required in our case because the remote client that connects to this network is in bridged mode. Otherwise, specify the network address of the remote GREEN network (10.0.2.1) to allow Endian to create correct routing table entries.
Remote Network Mask: Fill in the netmask of the remote client if it is configured to be in routing mode.
Use this firewall as default gateway: Tick this on to let the remote client create routing entries so that all traffic can be tunneled through the VPN to the EFW, where it can then leave the RED interface. This is useful on roadwarriors to enforce security policies; otherwise the remote side certainly has its own Internet connection and a possible intruder may come in through the VPN and compromise the local GREEN network. This option does the following on the remote side:
1. Creates a host route which sends all traffic with our RED IP address as destination to the IP address which is used as default gateway.
2. Removes the default route entry.
3. Creates a new default route entry with our GREEN IP address as gateway.
push route to blue zone: This option grants the new user access to your BLUE zone.
Note: This option is only available if you have configured your BLUE zone.
push route to orange zone: This option grants the new user access to your ORANGE zone.
Note: This option is only available if you have configured your ORANGE zone. You will finally see a screen as below:
13.3 Connection status and control
This shows you all the currently connected users and their details, such as login time. The table gives the following information:
User: The name of the user connected to the server.
Assigned IP: The IP address assigned to the client by the server. This IP address belongs to the GREEN IP range configured above.
Real IP: The real public IP address of the connected client.
RX: The data volume received through this tunnel.
TX: The data volume transmitted through this tunnel.
Connected since: The timestamp when the client connected.
Uptime: How long the respective client has been connected.
The following actions can be performed on each connected user:
Kill: Kills the connection immediately. The user can reconnect, and this will happen since the OpenVPN client on the remote side automatically reconnects as soon as it recognizes the disconnect, which can take up to a couple of minutes.
Ban: Bans the user. This deactivates and then kicks the user in one go. The user cannot reconnect.
At this time, the remote Roadwarrior VPN client should be configured using OpenVPN. Use the configuration file supplied with the software for this.
Verification
1. Content Filtering
Log onto Marshall (10.0.2.3) using Remote Desktop Connection from Launchpad by supplying the following:
Username: Administrator
Password: tartans
Open Internet Explorer and try to browse to the website http://10.0.1.104/ . This website is hosted on Franks 2003 and will be displayed properly. Now try to open a page which contains inappropriate and forbidden content for the target users. To do this, enter http://10.0.1.104/content.html . You should get an 'Access Denied' error as displayed below.
2. Blocking Email with attachments having an undesired file extension
Open Outlook Express on Marshall and Franks 2003. Send an email from Marshall to Franks 2003 with an attachment having a .bat extension. (Use the Browse button, for example c:\attach.bat. Create a dummy file if this is missing.) You can even email from Franks to Marshall since the requests go via EFW.
To Address: administrator@aia.class
Subject: Specify any subject if required
Click on 'Send'. Check whether a new email has arrived on Franks 2003. It should have been banned by EFW as shown below. This email has been banned since .bat was blacklisted.
3. Intrusion Detection
Log into CentOS (Outside_host) with username 'root' and password 'tartans'. Open the 'Terminal' by clicking the icon on the desktop. At the shell prompt give this command (ignore the #):
#nmap -sT 192.168.30.1
Nmap is a popular port scanner which we will employ to scan TCP ports on the network perimeter specified by the IP address 192.168.30.1 (RED).
Next, click 'Logs' from the top menu and select IDS Logs from the left menu bar. You will detect Port Scan warnings from the CentOS system which is external to the network. A full sample report is given in the screenshot below.
4. Confirm that logging is working
Click 'Logs' on the top menu and choose some of the options from the left pane. The Firewall Log Viewer, reached by clicking 'Firewall Logs', is shown in the screenshot.
You can also see the logs for Content Filtering by clicking 'Content Filter Logs'.
5. View the Services Running Click 'Status' on the menu on top. The screenshot summarizes the various states of a service including RUNNING and STOPPED.
Apart from the necessary security-related procedures described here, the other features of EFW taken together make it a useful bundle of software.