Case Study 2 SPR500 Fall 2009

Transcription

1 Case Study 2 SPR500 Fall th November 2009 Due Date: 9 th December 2009 Securing Sotnec's web site using Linux Firewall technology Sotnec corporation, an Open Source Company, consists of a small but growing team of core developers providing an Enterprise class Linux Distribution freely to the public. Sotnec has been running their web site with 3 Linux servers: one web server, one DNS server (a primary name server for their own domain sotnec.org), and one database server (also hosts a central syslog server). Their developers use several laptops and desktops to maintain their distribution and their Wiki web site. Users on the Internet can download their distribution and access the contents of their wiki site. Since their business is growing and they want to add another layer of security to their web site by using Linux's firewall technology. The Company hires you as their security consultant to design and deploy their firewall layer to harden their web site. Current Status of the web site: Sotnec runs their web site with the following resource: 1. An Intel Quad core machine with 4GB main memory and 50GB hard disk running Apache and MediaWiki on CentOS 5.3 Linux. FQDN: cs2 as1.sotnec.org 2. An Intel Single core machine with 1GB main memory and 10GB hard disk running BIND on CentOS 5.3 Linux. FQDN: cs2 as2.sotnec.org 3. An Intel Dual core machine with 4 GB main memory and 500GB hard disk running MySQL server and a central syslog log server on CentOS 5.3 Linux. FQDN: cs2 as3.sotnec.org. 4. Three Laptops (will have more laptops in the future). FQDN: none 5. One Desktop machine (will have more in the future). FQDN: none 6. An router/gateway running Fedora 11 for connecting to the Internet. FQDN: none Functional Requirements for the site: The following services must be provided to the users on the Internet: An authoritative DNS server (cs2_as2) to answer queries on their domain sotnec.org A web server (cs2_as1) hosting the ISO image of their Enterprise class Linux distribution for downloading. A wiki web site on the web server (cs2_as1) contains the documentation for their Linux distribution Supporting services for running their web server: A MySQL (cs2_s3) database server providing data storage for the wiki site. This MySQL server can be accessed only by the web server (cs2_as1) and the Desktop machine(s) in the internal private LAN.

2 Site Network Diagram: The following is the layout of Sotnec's web site plus the four suggested firewalls placement.

3 Sotnec has stated the following access policy for their web resource: The web site should be secured by adding four firewalls as shown on the network diagram. Do not allow any user to surf the net on any of the application servers (cs2_as1 cs2_as3). All workstations should be on a different logical network segment from the laptops All workstations and laptops are allowed to surf the Net using http and https protocols only All workstations and laptops are allowed to ssh to any servers on the Internet, except cs2_as1 and cs2_as2. Only Laptops are allowed to use the mysql command to connect to the MySQL database server. Only specific workstations with known MAC addresses are allowed to ssh to the three application servers (cs2_as1 cs2_as3). The gateway allows SSH connection from the Internet and from the workstations but not from any of the laptops. Do not allow SSH connection from the Internet to any of the application servers (cs2_as1 cs2_as3) All the systems (the three application servers, the router, laptops, workstations) should respond to local ICMP request. ICMP requests from the Internet to the web server and DNS server should be limited to not more than 10 packets per minute. The MySQL server should allows database connection requested only from the wiki server and laptops on the local network P (LAN P). The wiki web server accepts only secure web transactions. Only the DNS server should be allowed to send DNS queries to the root name servers on the Internet. Logging and Reporting: Any illegal network activities should be logged and reported by the firewall's logging mechanism. Any known layer 2 (network layer) and layer 3 (transport layer) attack packets, as described in the text book, must be logged and reported when detected. [Bonus mark (+10%)] Any host on the Internet that attempts to ssh to any machines on the web site (router, application servers, etc) should be block for 15 minutes and the attempts must be logged and reported. IP Address allocation: 1. The IP address for the external network interface on the router/gateway should be xxx.xxx. Use a variable (e.g. INET_IP) to hold this value and use it in your firewall policy construction tables and your firewall scripts. 2. The netmask for the external network interface on the router/gateway should be but may be changed to some other value. Use a variable (e.g. INET_NM) to hold this value and use it in your firewall policy construction tables and your firewall scripts. 3. The internal LAN D uses the x.0/24 network, where x can be from 1 to 40. Use a varible (e.g. LAN_D) to hold this value and use it in your firewall policy construction tables and your firewall scripts. 4. The netmask for LAN D is You could also use a variable to hold this value to

4 make it more flexible. 5. The internal LAN P uses the y.0/24 network, where y is 100+x. Use a variable (e.g. LAN_P) to hold this value and use it in your firewall policy construction tabless and your firewall scripts 6. The default netmask for LAN P is However, you may have to subnet the y.0/24 network into a few subnet in order to meet the Company requirement of putting all the laptops in one subnet and all the Workstations in another subnet. 7. IP addresses for the web server, DNS server and MySQL/Syslog server are: Web Server: x80 DNS Server: x.53 MySQL Server: y.33 MAC Addresses: If you need to use the MAC address of any network interface in your firewall policy construction tables or your firewall scripts, it is your responsibility to find it out. Your Task: 1. (20%) Study the network diagram, access policy and logging/reporting requirements provide by the Company. Evaluate and comment on the current site setup and make your firewall proposal on the firewall placement and policy. 2. (40%) Based on your firewall proposal, use a format similar to the following table to present your firewall policy. You need to create one firewall policy for the Internet router (perimeter firewall), one firewall policy for the web server, one firewall policy for the DNS server, and one firewall policy for the database server. Make sure that you include policy to handle the attacks mentioned in the text book chapter 2, 3, and 4. The format of the following is only a suggestion, you may have to add or remove column to meet the need of your firewall policy requirement. Service Name Protocal (tcp flag) Source Address (IP/MAC) Source Port Iptables' chain Destination Address Dest. Port Action: Drop/Accept Log / etc. INVALID ANY ANY ANY IN ANY ANY DROP INVALID ANY ANY ANY IN ANY ANY LOG ICMP echo request ICMP LOCAL IN Local ACCEPT

5 3. (40%) Based on each firewall policy tables created in task 1, convert them into a shell script to generate the corresponding firewall rulesets on each server/router. Run your firewall scripts, test your firewalls for correctness and hand in the followings: a. A listing of all your firewall scripts. b. A listing of the output on each firewall using the commands /sbin/iptables L v and /sbin/iptables t nat L v c. A listing of the output on each firewall using the commands /sbin/iptables save Note: Do no hard code network addresses or other values in your shell scripts. You should put them in a separate file and source it in your shell script. Please add at least one comment for each firewall rule in your script as a form of in line documentation. Your shell script should be the only command to be executed in order to set up each firewall. Submission: Part 1 Firewall Scripts Name the four scripts as gw fw.sh, as1 fw.sh, as2 fw.sh, and as3 fw.sh. Create a directory called cs2dir and copy all your firewall scripts to cs2dir. Go to the parent directory of cs2dir and create a compressed tar ball file called cs2.tgz by running the command tar czf cs2.tgz cs2dir. the compressed tar ball file to your instructor with the subject line SPR CS2 Submission on or before the due date. Part 2 Listing of Firewall scripts and rulesets and Firewall Proposal Label each listing clearly, bind all listings together with a cover page, an index page, and your firewall proposal and hand in to your instructor on or before the due date. Any questions about this Case Study should be forwarded to your instructor via no later than November 13, 2009.