
Securing The Perimeter and Providing Secure Remote Access with Endian Firewall

Endian Firewall (EFW) is a “turn-key” Linux Security Distribution that helps transform every system into a standalone, fully featured security device. The biggest advantage of using Endian is that it bundles together several packages, facilitating usability. Through a series of easy-to-configure menus, the administrator's task of using the command line has been transformed into simple point-and-click configuration. EFW is Open Source Software, licensed under GNU's GPL License. Some of the off-the-shelf features offered are:
1. Stateful Packet Inspection Firewall
2. Application Level Proxies for various protocols (HTTP, FTP, POP3, SMTP)
3. Antivirus support
4. Virus and Spam Filtering for email traffic
5. Content Filtering of Web Traffic
6. Establishment of zones (DMZ, Trusted, Wireless, etc.)
7. Easy VPN Solution

Endian Firewall consists of four interfaces, listed below:
1. RED interface: It is the interface that connects the Firewall to the outside world, most often the Internet. Endian supports many types of RED interfaces.
2. ORANGE interface: It defines the untrusted network such as the Demilitarized Zone (DMZ). Such an interface can be used to host a network of computers, such as the Web Server, which do not need to be in a protected internal zone.
3. GREEN interface: This is the trusted network which hosts those machines that are not to be exposed. Any network information that originates from this zone is masked before it leaves it.
4. BLUE interface: This has been specially designed for wireless hosts on the network.

Unless otherwise configured, the firewall blocks all traffic coming from outside by default. Since GREEN is the trusted network, traffic originating from it will be allowed to pass to any other zone (BLUE/ORANGE). However, for each pass from one zone to another, NAT is performed to hide the source address of the sender in the GREEN zone. On the destination side, by default, all access is blocked except for the RED interface. Still, only some standard services (HTTP, FTP, SMTP, DNS) are allowed by default when accessing from the GREEN zone, and only DNS when trying to access from the BLUE and ORANGE zones.

The network setup will consist of six machines as shown in the diagram. The details are:
1. Endian Firewall Community (EFW): A Linux based distribution that will serve as the perimeter security appliance for the network. It has four interfaces, but we will be using only three, given by the IP addresses – (red), (green) and
2. Franks: An IIS server which will serve the web pages to other hosts. Franks is in the ORANGE zone.
3. Ike: A Domain Controller that is used to support Marshall under the AIA domain. It is in the GREEN zone. IP address - (
4. Marshall: A Mail Exchange Server that is responsible for providing SMTP and POP3 services within the network. This is also in the GREEN zone.
5. VTE Launchpad: A Windows 2003 machine that allows remote access to other computers and is used for configuration. IP Address:
6. IRH_Outside_host: This is a CentOS machine that is connected on the RED interface of Endian. IP Address:

1. Boot up the Virtual Machines
Fire up the EFW_Community Firewall, Franks, Ike, Launchpad, Marshall and Outside_host Virtual Machines. EFW is configured with a default IP address on br0, the default bridge, given by . This address should be used to configure it initially. The order of booting should be:
1. EFW
2. Ike
3. Marshall
4. Launchpad
5. Franks
6. Outside-host
EFW's username is 'root' and the password is 'endian'. The username for the other machines is 'Administrator' and the password is 'tartans'.

2. Log onto Launchpad
Start by logging onto Launchpad by entering the following:
Username: Administrator
Password: tartans
Since the IP address of Launchpad is , it is not on the same subnet as Endian. Endian can be configured by hosts that exist ONLY on the GREEN interface. Thus we have to change the IP settings for Launchpad to put it on this zone. Follow these steps on Launchpad:
1. Double click the 'Local Area Connection' icon on the task bar. Click Properties.
2. Select TCP/IP from the listbox.
3. On the 'Local Area Connection Status' window, click the 'Properties' button.
4. Change the IP address from to , to match Endian's. Also change the subnet mask to .
5. Remove the numbers from the 'Default gateway' field.
6. There should not be anything in the DNS server addresses field.
7. Click OK and again click OK on the Local Area Connection Properties window.
8. Close the Local Area Connection Status window.
Open Mozilla Firefox from the Desktop and browse to the IP address . Click OK when it prompts you with a Domain Name Mismatch error. You will get to the screen shown below.

3. Configure the EFW Network Interfaces
Since we want to customize Endian according to our network, it is necessary to reconfigure the setup. From Launchpad, continue with the following steps:
1. By default the Language will be English and it will prompt you for a Timezone. You may enter America/Chicago and hit '>>>'.
2. Tick the checkbox after reading the License Agreement. Click '>>>'.
3. We do not want to restore a backup, so click '>>>'.
4. Set the Admin and root (Console) password as 'endian' for simplicity. Such a password should not be used for reasons other than testing and certainly not for production environments. Click the '>>>' button to proceed.
5. On the next screen, select 'ETHERNET STATIC' from the options shown in the diagram. For a different type of Internet connection (such as ADSL for a home user or ISDN for business), choose the appropriate option. The subsequent steps will remain the same, but the configuration will vary when Endian presents other settings later. For example, when IP addresses are assigned dynamically using DHCP, Endian will need to be configured to behave as a DHCP server.
Assign static IP addresses to all the interfaces:
i. RED is the interface facing the outside, insecure and dangerous Internet.

ii. Assign a static IP address to the GREEN interface, the interface connected to the trusted and protected internal network. Note that we are reconfiguring the IP addresses to suit our network's needs. Note also that the Mail Exchange Server exists on the Green network since we do not want to expose it to the outside world. It should not be confused with a mail service for clients, but thought of as a mechanism for networked users to exchange emails within the boundaries of the environment.
iii. Do the same thing for the ORANGE interface, the interface connected to the DMZ network. As shown below, select Orange, which will serve as our DMZ. Several hosts will run on this, including the Web Server.

Green interface
IP Address : 10.0.2.1
Network Mask : 255.255.255.0
Orange interface
IP Address : 10.
Network Mask : 255.255.255.0
Change the 'Hostname' field to 'Endian' and click '>>>'.
iv. Assign a static IP address to the RED interface as demonstrated below. The Red interface is the gateway to the external world; it interfaces the inner network to the Internet. Since the controlled Lab Environment does not allow access to the Internet, we will use a special 192.168.30.1 interface to differentiate it from the orange and green networks.
Red interface
IP Address : 192.168.30.1
Network Mask : 255.255.255.0
Default Gateway :

v. Add 10.0.2.4 as DNS in both the entries. This is because 10.0.2.4 (Ike) is our webserver. DNS resolution is not necessary to open the website on Ike, so we just use the IP address and specify that as the DNS namespace. Click the '>>>' button to proceed to the next screen.
vi. Finally, apply the configuration by clicking OK. You may go back anytime to make changes by clicking '<<<'.

vii. Configuration is now complete. When the screen looks like the one below, close the web browser. Note the message on the resulting page: you will not be redirected or able to log onto the EFW interface from Launchpad anymore. This is because we have configured Endian to accept connections from a new zone. Unlike the original one, Endian now has to be configured either through its Console or using another host on the Green trusted subnet. You will be unable to use Launchpad for further transactions after the changes mentioned previously are incorporated.

4. Connect to Ike from Launchpad
Restore the IP address of Launchpad by going into the Local Area Connection Properties and set the IP address to 10.0.2.254, the default gateway address to 10.0.2.1 and DNS to 10.0.2.4. Now Launchpad is in the same network as Ike. Ike is hosted on the Green interface and thus serves as a good configuration machine. Launchpad will be used to connect to Ike via the Remote Desktop Connection (Start -> All Programs -> Remote Desktop Connection). On the Remote Desktop Connection use the following to log in:
IP address: 10.0.2.4
Username: administrator

Password: tartans
Next, open Internet Explorer and enter http://10.0.2.1 in the address box. This is Endian's IP address. You will be challenged with the screen given below.
1. Click 'Yes' on the Security Alert screen to proceed further. You will be asked to View a Certificate, which you may check to verify that the server is legitimate.
2. Click Yes if it prompts you to view pages over a secure connection.
3. Log onto Endian with username 'admin' and password 'endian'.

You should see the following page after you are connected. If there is a problem while connecting to the firewall, the connection will be highlighted in red color and the status will show Failed. This could be because Endian might not have been powered on. Sometimes re-connecting and refreshing helps. If the status shows 'Connecting' continuously, in yellow color, then the Red interface is not configured properly (especially when the IP addresses do not match and are different from the default assigned ones in the range 192.168.X.X).

5. Configure The Proxy Server
Endian's proxy server has two advantages. First, it allows indirect network connections to other network services and filters them based on content, permissions, malicious activity etc. Secondly, it employs a cache mechanism where a page is cached upon access; this improves the network throughput as unnecessary requests are not incumbent on the network.
i. HTTP Proxy settings: Click on the 'Proxy' tab on the top menu. Enable the web proxy for the DMZ as well as the trusted network.
ii. Enable the proxy for trusted/protected (GREEN) and DMZ (ORANGE) networks. Allow only the http (80), Squid (800), https (443) and ntop (3001) ports:
Allowed Ports: 80 (http), 800 (Squid)
Allowed SSL ports: 443 (https), 3001 (ntop)
Delete the rest of the entries from the textboxes.
iii. Enable Log and 'Log user agents' by clicking the '>>' button below the 'Log Settings' category.

iv. Cache management parameters can be set by specifying the size of the cache etc. in the textboxes. Also tick the checkbox 'Contentfilter Enabled'.
v. Network Based Access Control: Scroll down the proxy page and configure the settings described in the image above. This step is very important. Note that you have to select the 'Allow Access from ORANGE to GREEN' checkbox under Network based Access Control. If omitted, it will lead to 'Access Denied' errors while transacting over the network.
vi. Finally, click the 'Save and Restart' button at the bottom of the page.

6. Enabling Content Filtering and Antivirus
For a typical office network, you would not want the employees to surf the Internet for objectionable material. We will set these parameters in 'Http Content Filter'. Click the 'Content Filter' tab on top. Tick the related topics you want to restrict access to. Set the 'Max. Score' to 60. At last, save the changes. Your settings should resemble the one shown below, and should be even more stringent in highly critical network environments.

7. Enable Intrusion Detection System (Snort)
By default, the IDS system is inactive after a fresh install and needs to be manually activated. Go to the 'Services' tab on the top menu and select 'Intrusion Detection' from the left menu bar. Enable the IDS for the different zones, that is, red, orange and green, by ticking the corresponding checkboxes. In a production environment, you would also want to subscribe to appropriate signature update services. Incidents that are detected by the EFW IDS are portrayed in the screenshot that follows.

8. Stateful Packet Inspection
You don't have to do any special settings for this. In case some malicious activity is suspected, it will be useful to see the open connections. Select 'Status' from the top menu and click on 'Connections' from the left menu window. This will reveal the open connections and the machines which might be participating in the attack. Below is the screenshot that shows some ESTABLISHED and some terminated (TIME_WAIT) states.

9. Enable Logging
Usually, if Endian Firewall has a public IP address and therefore is the door to the outside, there are packets that will be blocked by the firewall. Not all of these are hostile attempts from attackers, but they will nevertheless be logged and will create a lot of data. Here you have the possibility to globally configure what you would like to be logged and what is to be omitted. Click the Log tab in the top menu. Enable the following firewall security related log settings (click the Log Settings tab on the left menu):
- Log packets with BAD constellation of TCP flags: TCP allows everybody to set flags in constellations which make no sense at all. Such constellations may confuse firewalls and/or computers in general and allow an attacker to gather more information than you would like to share. Especially port scanners do this. Endian Firewall blocks such attempts. Tick this on if you want to have it logged. You will find such attempts in the firewall log resulting as packets which passed the chain BADTCP.
- Log NEW connections without SYN flag: Packets which should establish a TCP connection must have the SYN flag set. If it is not set, it is not sane. Endian Firewall will block such packets and you can log the attempts if you tick this checkbox on.
- Log portscans: You may enable portscan detection by ticking this checkbox on. The portscan detection will be performed using the netfilter psd match. You will find the logged portscans in the firewall log resulting as packets which passed the chain PORTSCAN.
- Log refused packets: If you tick this on, Endian Firewall will log all connection attempts which have been denied by Endian Firewall. Since Endian Firewall by default denies all connection attempts and allows only what you have defined, this certainly will lead to a bunch of unneeded data, so you may toggle this off. It may be useful to check which ports you need to open for applications that are using ports you don't know.
- Log accepted outgoing connections: Tick this on if you would like to globally log all connections which have successfully passed Endian Firewall without being dropped. You can use this to test if your newly created rules are correct, as this allows you to see the connections made by your applications.
Remember to click Save at the bottom upon finishing. The figure below shows the general settings for logs. Summaries can be generated periodically and are configurable as separate tabs on the menu on the left (for each facility).

10. Enabling the Firewall
Click the Firewall tab and select 'Zone PinHoles' from the menu on the left.

10.1 Zone Pinholes
This subsection allows you to configure the Zone Pinholes settings for Endian Firewall. A DMZ or Demilitarized Zone (Orange zone) is used as a semi-safe interchange point between the external RED zone and the internal GREEN zone. The RED zone is the Internet at large. The GREEN zone has all the internal machines. You certainly do not want to give all your customers direct access to the machines on the GREEN side. The DMZ allows them to share servers without allowing undue access to the internal LAN by those in the RED zone. It is often required, for example, if a trusted database is to be accessed from time to time for some update transaction. In a traditional firewall setup, this wouldn't work, because the request for access to the GREEN zone would be initiating from outside the GREEN zone. This can however work by using the DMZ and zone pinholes.

Zone pinholes thus give machines in the Orange (DMZ) zone (and also the BLUE zone) limited access to certain ports on Green machines. Configure the settings to look like the screenshot given below. Click 'Add new Rule' and make the following configuration:
Protocol: TCP/UDP (TCP in our case)
Source Net: ORANGE
Destination Net: GREEN
Source IP: 10.0.1.104
Destination IP: 10.0.2.3
Destination port: 25
Click 'Add new Rule' once again and use:
Protocol: TCP/UDP (TCP in our case)
Source Net: ORANGE
Destination Net: GREEN
Source IP: 10.0.1.104
Destination IP: 10.0.2.3
Destination port: 110
Click 'Add new Rule' once again and use:
Protocol: TCP/UDP (TCP in our case)
Source Net: ORANGE
Destination Net: GREEN
Source IP: 10.0.1.104
Destination IP: 10.0.2.4
Destination port: 80
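The zone policy and the three pinholes above, as an added Python model (not from the lab guide or from Endian) that lets you test whether a given flow should pass before trusting a screenshot. It assumes /24 zone subnets around the lab's host addresses, treats BLUE like ORANGE, and denies anything initiated from RED because ingress rules are a separate step.

```python
"""
Added example (not part of the lab or of Endian): a model of the zone policy
described in this guide, used to check which flows the zone pinholes permit.

From the page: default deny; GREEN may initiate into any zone; towards RED only
the default outgoing services pass (HTTP, FTP, SMTP, DNS from GREEN; DNS only
from ORANGE/BLUE); ORANGE/BLUE reach GREEN only through a pinhole. Assumed here:
/24 zone subnets around the lab's host addresses, and nothing initiated from RED
is accepted (ingress rules are a separate step and are not modelled).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ZONES = {                                     # assumed /24 subnets for the lab
    "GREEN": ip_network("10.0.2.0/24"),
    "ORANGE": ip_network("10.0.1.0/24"),
    "RED": ip_network("192.168.30.0/24"),
}

# Default outgoing services per source zone, as stated on the page: (proto, port).
# BLUE is listed for completeness; the lab does not configure a BLUE zone.
DEFAULT_OUTGOING = {
    "GREEN": {("TCP", 80), ("TCP", 21), ("TCP", 25), ("TCP", 53), ("UDP", 53)},
    "ORANGE": {("TCP", 53), ("UDP", 53)},
    "BLUE": {("TCP", 53), ("UDP", 53)},
}


@dataclass(frozen=True)
class Pinhole:
    proto: str
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int


# The three pinholes configured in step 10.1: Franks (DMZ) to Marshall and Ike.
PINHOLES = (
    Pinhole("TCP", "ORANGE", "GREEN", "10.0.1.104", "10.0.2.3", 25),   # SMTP to Marshall
    Pinhole("TCP", "ORANGE", "GREEN", "10.0.1.104", "10.0.2.3", 110),  # POP3 to Marshall
    Pinhole("TCP", "ORANGE", "GREEN", "10.0.1.104", "10.0.2.4", 80),   # HTTP to Ike
)


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    raise ValueError(f"{ip} is not in a configured zone")


def matching_pinhole(proto, src_ip, dst_ip, dst_port):
    """Return the pinhole that admits this flow, or None if no pinhole matches."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for p in PINHOLES:
        if (p.proto == proto and p.src_zone == src_zone and p.dst_zone == dst_zone
                and p.src_ip == src_ip and p.dst_ip == dst_ip and p.dst_port == dst_port):
            return p
    return None


def is_allowed(proto: str, src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Decide a new connection the way the zone policy above would."""
    proto = proto.upper()
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return True                     # never crosses the firewall
    if src_zone == "RED":
        return False                    # outside-initiated traffic is blocked by default
    if dst_zone == "RED":
        return (proto, dst_port) in DEFAULT_OUTGOING[src_zone]
    if src_zone == "GREEN":
        return True                     # trusted zone reaches ORANGE/BLUE (source NATed)
    if dst_zone == "GREEN":
        return matching_pinhole(proto, src_ip, dst_ip, dst_port) is not None
    return False                        # anything else (e.g. ORANGE -> BLUE): default deny


if __name__ == "__main__":
    for flow in (("TCP", "10.0.1.104", "10.0.2.3", 25), ("TCP", "10.0.1.104", "10.0.2.4", 25),
                 ("TCP", "192.168.30.100", "10.0.1.104", 80)):
        print(flow, "->", "ALLOW" if is_allowed(*flow) else "DENY")
```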

10.2 Enable the Outgoing Traffic Rules (Egress Filtering)
Egress filtering ensures that unauthorized traffic does not leave the network. Internal data should not be made publicly available, except for services like DNS, mail server, webserver, amongst a few others. It should be noted that in a production environment, every application that demands Internet access may require modification of the firewall rules/policy.

10.3 Enable the Incoming Traffic Rules (Ingress Filtering)
The incoming firewall rules dictate what kind of connections are allowed to pass through the firewall. This is often required for services such as ssh, ftp, smtp etcetera.

11. Enabling Antivirus
Endian makes use of the ClamAV antivirus. ClamAV is an Open Source virus scanner that can be used to scan all incoming traffic for viruses. Endian Firewall lets you configure the most important features. In the Clamav configuration box you can set the way ClamAV will handle incoming archives. The options are described below:
- Max. archive size: This lets you set the maximum archive size in Megabytes that will be scanned by ClamAV.
- Max. files in archive: ClamAV will not scan archives that contain more files than specified here.
- Max. nested archives: Here you can specify the maximum depth of nested archives ClamAV will scan.
- Handle bad archives: By selecting the 'Do not scan but pass' radio-button, all archives that fail to comply with any of the parameters described above will not be scanned but will still pass. You can change this behavior by selecting 'Block as virus'.
- Block encrypted archives: ClamAV cannot scan encrypted archives. If you do not want encrypted archives to pass the virus check, tick this on.
You can also change the update interval of your Clamav signature database by selecting the appropriate interval type in the Clamav signature update schedule section. Ensure that your settings look similar to the following screenshot.

12. Enable File attachment filtering and SPAM blocking configuration
a. Click the Proxy tab on the top menu and select SMTP from the left menu. Click the File Extensions menu. You will see a window as shown below.

b. For example, we will set the SMTP Proxy to block all email attachments having '.bat' extensions. Typically you would want to block more than just '.bat' files, viz. '.exe', '.pif', etc. This should be driven by the organization's security policies. Make sure that your settings look like the images shown below. Hit 'Save Changes and Restart'.
c. Click the 'Main' tab to get the following screen. Tick the checkboxes shown in the figure below, which are defaults. Change 'Email used for notification on banned files (Admin)' to 'administrator@aia.class'. Select 'Banned files destination' BOUNCE. The anti-spam module uses 'Spam Assassin' and 'amavisd-new' to filter out spam. Hit 'Save Changes and Restart'.

d. Click the 'Domains' tab. Enter values as shown below. Click 'Save and Restart'.

13. Providing VPN Access
Virtual Private Networks or VPNs allow two networks to connect directly to each other over another network such as the Internet. All data is transmitted securely over an encrypted tunnel, hidden from prying eyes. Similarly, a single computer can also connect to another network using the same facilities.

Endian Firewall can easily establish VPNs to other Endian Firewalls. EFW can also inter-operate with just about any VPN product that supports OpenVPN, IPSec and standard encryption technologies such as 3DES. VPN connections in Endian Firewall are defined as Net-to-Net (Gateway-to-Gateway) or Host-to-Net (Roadwarrior). Net-to-net (or gateway-to-gateway) VPNs link two or more private networks across the Internet by creating an encrypted "tunnel". We are speaking of a Host-to-Net connection when Endian Firewall is on one end of the VPN tunnel and a remote or mobile user is on the other end. The mobile user is most likely to be a laptop user with a dynamic public IP address assigned by an ISP, hence the terms Host-to-Net or Roadwarrior. OpenVPN is an SSL/TLS based virtual private network solution. It is much easier to set up than any other VPN solution.

13.1 GLOBAL SETTINGS
The steps to set up an OpenVPN server in the Host-to-Net scenario are described below:
- OpenVPN Server enabled: Select this to enable the OpenVPN Server on Endian.
- IP Pool: Specify the start and ending IP address of an IP range from the GREEN network which is to be assigned to the OpenVPN clients connecting to the server.
- Port: Specify the port on which OpenVPN will listen for incoming requests.
- Protocol: Protocol allows you to change your protocol from UDP to TCP. NOTE: The protocol will be TCP in our case, so select TCP.

- Block DHCP responses coming from tunnel: Select this option if you do not want the remote DHCP server to assign IP addresses to the local workstations within the GREEN network. In our case, the IP addresses are static and thus this should not be ticked.
- CA Certificate: It is the textual representation of the Certification Authority Certificate. This is required on every OpenVPN client that wants to connect to our OpenVPN server.
- Download CA Certificate: By clicking this link you can download the CA Certificate which is needed by each OpenVPN client in order to be able to connect to your OpenVPN server. Go ahead and click it to obtain the same.
Just below the Global Settings box, there is a window for Managing Accounts that can connect to the OpenVPN server. All the known users will be listed here. The following settings should be selected for each user:

- Enabled icon: If it is already clicked, the user is enabled; else enable her by clicking it.
- Pencil icon: This is used to edit the account.
- Trash can icon: This should be used in the event of deleting the user.
- Configure Networks: Clicking here will redirect you to another window which will allow you to specify the user's network settings.

13.2 ADD ACCOUNT
Click on the Add Account button, which will redirect you to another window, the details for which are given below:

When a new Account is created the following account settings are found:
- Username: Type in the username that you want.
- Password: Select a password for the new account.
- Verify Password: Type in the same password again.
- Remote network: Not required in our case because the Remote Client that connects to this network is in Bridged Mode. Otherwise, specify the network address of the remote GREEN network (10.0.1) to allow Endian to create correct routing table entries.
- Remote Network Mask: Fill in the netmask of the remote client if it is configured to be in routing mode.
- Use this firewall as default gateway: Tick this on to allow the remote client to create routing entries so that all traffic can be tunneled through the VPN to the EFW; otherwise the remote side certainly has its own Internet connection and a possible intruder may come in through the VPN and compromise the local GREEN network. This is useful on roadwarriors to enforce security policies. This option does the following on the remote side:
1. Removes the default route entry.
2. Creates a new default route entry with our GREEN IP address as gateway.
3. Creates a host route which sends all traffic with our RED IP address as destination to the IP address which is used as default gateway, where it then can leave the RED interface.
- Push route to orange zone: This option will grant the new user access to your ORANGE zone. Note: This option is only available if you have configured your ORANGE zone.
- Push route to blue zone: This option will grant the new user access to your BLUE zone. Note: This option is only available if you have configured your BLUE zone.
You will finally see a screen as below:
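An added simulation (not from the lab guide, Endian or OpenVPN) of the three routing-table changes just listed, with a longest-prefix lookup that shows why step 3 matters: without the host route, packets to the EFW RED address would themselves be routed into the tunnel. The client's ISP gateway 203.0.113.1, its LAN and the tap0 interface name are constructed; 192.168.30.1 and 10.0.2.1 are the lab's EFW addresses.

```python
"""
Added example (not part of the original lab or of Endian/OpenVPN): a simulation of
the three routing changes that 'Use this firewall as default gateway' makes on the
roadwarrior, with a longest-prefix lookup to show why step 3 (the host route for
the EFW RED address) is indispensable.

Assumptions: the client's ISP gateway 203.0.113.1 and its local LAN are constructed;
the EFW RED address 192.168.30.1 and GREEN address 10.0.2.1 are the lab's; tap0 is
the bridged tunnel interface on the client.
"""
from ipaddress import ip_address, ip_network


class RoutingTable:
    """Minimal IPv4 routing table: (destination network, gateway or None, interface)."""

    def __init__(self):
        self.routes = []

    def add(self, network, gateway, interface):
        self.routes.append((ip_network(network), gateway, interface))

    def default_route(self):
        return next(r for r in self.routes if r[0].prefixlen == 0)

    def remove_default(self):
        self.routes = [r for r in self.routes if r[0].prefixlen != 0]

    def lookup(self, dst):
        """Longest-prefix match, as the client's kernel would do it."""
        addr = ip_address(dst)
        candidates = [r for r in self.routes if addr in r[0]]
        if not candidates:
            raise LookupError(f"no route to {dst}")
        net, gw, dev = max(candidates, key=lambda r: r[0].prefixlen)
        return str(net), gw, dev


def build_roadwarrior_table():
    """The client's table right after the tunnel comes up, before the option acts."""
    table = RoutingTable()
    table.add("0.0.0.0/0", "203.0.113.1", "wlan0")   # constructed ISP default gateway
    table.add("203.0.113.0/24", None, "wlan0")       # constructed local hotspot LAN
    table.add("10.0.2.0/24", None, "tap0")           # EFW GREEN reached over the tunnel
    return table


def apply_default_gateway_option(table, red_ip="192.168.30.1", green_ip="10.0.2.1",
                                 tunnel_if="tap0", add_host_route=True):
    """Apply the three steps the page lists. add_host_route=False omits step 3 so the
    failure mode can be demonstrated."""
    _, isp_gateway, isp_if = table.default_route()
    table.remove_default()                                   # 1. remove old default
    table.add("0.0.0.0/0", green_ip, tunnel_if)              # 2. new default via GREEN IP
    if add_host_route:                                       # 3. keep the tunnel itself
        table.add(f"{red_ip}/32", isp_gateway, isp_if)       #    reachable via the ISP
    return table


def tunnel_is_self_consistent(table, red_ip="192.168.30.1", tunnel_if="tap0"):
    """True when packets to the EFW RED address are not routed into the tunnel
    they carry, i.e. the tunnel cannot swallow its own transport."""
    return table.lookup(red_ip)[2] != tunnel_if


if __name__ == "__main__":
    good = apply_default_gateway_option(build_roadwarrior_table())
    bad = apply_default_gateway_option(build_roadwarrior_table(), add_host_route=False)
    for dst in ("198.51.100.7", "10.0.2.3", "192.168.30.1"):
        print(dst, "->", good.lookup(dst))
    print("with host route:", tunnel_is_self_consistent(good))
    print("without host route:", tunnel_is_self_consistent(bad))
```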

13.3 Connection status and control
This shows you all the currently connected users and their details such as log-in time. The table gives the following information:
- User: The name of the user that is connected to the server.
- Assigned IP: The IP address which has been assigned to the client by the server. This IP address belongs to the GREEN IP range configured above.
- Real IP: The real public IP address of the connected client.
- RX: The data volume that has been received through this tunnel.
- TX: The data volume that has been transmitted through this tunnel.
- Connected since: The timestamp when the client connected.
- Uptime: The amount of time the respective client has already been connected.
The following actions can be performed on each connected user:
- Kill: Kills the connection immediately. The user can reconnect, and this will happen since the openvpn client on the remote side will automatically reconnect as soon as it recognizes the disconnect.
- Ban: Bans the user. This deactivates and then kicks the user in a row. The user cannot reconnect.
At this time, the remote Roadwarrior VPN client should be configured using OpenVPN, which will take up to a couple of minutes. Use the configuration file supplied with the software for the same.

Verification
1. Content Filtering
Log onto Marshall (10.0.2.3) using Remote Desktop Connection from Launchpad by supplying the following:
Username: Administrator
Password: tartans
Open Internet Explorer and try to browse to the website http://10.0.1.104/. This website is hosted on Franks 2003 and will be displayed properly. Now try to open a page which contains inappropriate and forbidden content for the target users. To do this, enter http://10.0.1.104/content.html. You should get an 'Access Denied' error as displayed below.
2. Blocking Email with attachments having undesired file extension(s)
Open Outlook Express on Marshall and Franks 2003. You can even email from Franks to Marshall since the requests go via EFW. Send an email from Marshall to Franks 2003 with an attachment having a .bat extension, for example c:\attach.bat. (Use the Browse button. Create a dummy file if this is missing.)

168.class Subject: Specify any subject if required Click on 'Send'.bat was blacklisted. 3.30.1 Nmap is a popular port scanner which we will employ to scan TCP ports on the network perimeter specified by the IP address 192. Intrusion Detection Log into CentOS (Outside_host) with Username: 'root' Password: 'tartans' Open the 'Terminal' by clicking the icon on the Desktop. This email has been banned since . .168.1 (RED). It should have been banned by EFW as shown below.To Address: administrator@aia. on Franks 2003. Check whether a new email has come.30. At the shell prompt give this command (Ignore the #) #nmap -sT 192.

Next, click 'Logs' from the top menu and select IDS Logs from the left menu bar. You will detect Port Scan warnings from the CentOS system, which is external to the network. A full sample report is given in the screenshot below.
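An added example, not part of the lab guide, that ties the log chains from step 9 (BADTCP, PORTSCAN) to the scan just performed: it parses constructed netfilter-style firewall log lines and summarises which source touched how many distinct ports, the same signature the IDS log shows. The line format, the outside host's address 192.168.30.100 and the chain labels other than BADTCP and PORTSCAN are assumptions.

```python
"""
Added example (not part of the original lab): reading firewall log lines by the
chain names step 9 describes (BADTCP, PORTSCAN) and summarising per source, so the
nmap scan from verification step 3 is recognisable in the firewall log as well as
in the IDS log.

The line format is CONSTRUCTED to resemble netfilter kernel logging with the chain
name as log prefix; the chain names other than BADTCP and PORTSCAN (NEWNOTSYN for
the SYN-less case, INPUT, OUTGOINGFW) are assumed labels, not taken from the page.
"""
from collections import defaultdict

# Constructed sample: a TCP connect scan from the outside host against RED, plus
# two ordinary flows so the summary has something benign to ignore.
SAMPLE_LOG = """\
Mar 10 14:02:11 endian kernel: BADTCP IN=eth2 OUT= SRC=192.168.30.100 DST=192.168.30.1 PROTO=TCP SPT=40001 DPT=22 FIN URGP=0
Mar 10 14:02:11 endian kernel: PORTSCAN IN=eth2 OUT= SRC=192.168.30.100 DST=192.168.30.1 PROTO=TCP SPT=40002 DPT=23 SYN URGP=0
Mar 10 14:02:12 endian kernel: PORTSCAN IN=eth2 OUT= SRC=192.168.30.100 DST=192.168.30.1 PROTO=TCP SPT=40003 DPT=25 SYN URGP=0
Mar 10 14:02:12 endian kernel: PORTSCAN IN=eth2 OUT= SRC=192.168.30.100 DST=192.168.30.1 PROTO=TCP SPT=40004 DPT=80 SYN URGP=0
Mar 10 14:02:13 endian kernel: PORTSCAN IN=eth2 OUT= SRC=192.168.30.100 DST=192.168.30.1 PROTO=TCP SPT=40005 DPT=443 SYN URGP=0
Mar 10 14:02:13 endian kernel: NEWNOTSYN IN=eth2 OUT= SRC=192.168.30.100 DST=192.168.30.1 PROTO=TCP SPT=40006 DPT=110 ACK URGP=0
Mar 10 14:03:40 endian kernel: INPUT IN=eth1 OUT= SRC=10.0.1.104 DST=10.0.2.3 PROTO=TCP SPT=51000 DPT=25 SYN URGP=0
Mar 10 14:05:02 endian kernel: OUTGOINGFW IN=eth0 OUT=eth2 SRC=10.0.2.254 DST=192.168.30.100 PROTO=TCP SPT=52000 DPT=80 SYN URGP=0
"""

# Chains whose hits point at hostile or malformed traffic rather than policy noise.
SCAN_CHAINS = {"BADTCP", "PORTSCAN", "NEWNOTSYN"}
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line: str):
    """Split one kernel log line into {chain, key=value fields, flags}, or None."""
    if "kernel: " not in line:
        return None
    tokens = line.split("kernel: ", 1)[1].split()
    rec = {"chain": tokens[0], "flags": set()}
    for tok in tokens[1:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    return rec


def summarise(log_text: str):
    """Hits per chain, and the distinct destination ports each source touched
    in the scan-related chains."""
    per_chain = defaultdict(int)
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_chain[rec["chain"]] += 1
        if rec["chain"] in SCAN_CHAINS and "DPT" in rec:
            ports_by_src[rec["SRC"]].add(int(rec["DPT"]))
    return dict(per_chain), {src: sorted(ports) for src, ports in ports_by_src.items()}


def suspicious_sources(log_text: str, min_ports: int = 4):
    """Sources that probed at least min_ports distinct ports: the portscan signature."""
    _, ports_by_src = summarise(log_text)
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= min_ports)


def new_without_syn(log_text: str):
    """Connection attempts whose flags lack SYN, the 'not sane' case from step 9."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["chain"] in SCAN_CHAINS and rec.get("PROTO") == "TCP"
                and "SYN" not in rec["flags"]):
            hits.append((rec["SRC"], int(rec.get("DPT", 0)), frozenset(rec["flags"])))
    return hits


if __name__ == "__main__":
    chains, ports = summarise(SAMPLE_LOG)
    print(chains)
    print(ports)
    print("suspicious:", suspicious_sources(SAMPLE_LOG))
    print("no SYN:", new_without_syn(SAMPLE_LOG))
```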

4. Confirm that logging is working
Click 'Logs' on the top menu and choose some of the options from the left pane. The Firewall Log Viewer, which can be seen by clicking 'Firewall Logs', is demonstrated by the screenshot.

You can also see the logs for Content Filtering by clicking 'Content Filter Logs'.
5. View the Services Running
Click 'Status' on the menu on top. The screenshot summarizes the various states of a service, including RUNNING and STOPPED. Apart from the necessary security intensive procedures described, the other features of EFW, taken together, make it a bundle of useful software.