Case Study 2 SPR500 Fall 2009





6th November 2009
Due Date: 9th December 2009

Securing Sotnec's web site using Linux Firewall technology

Sotnec corporation, an Open Source company, consists of a small but growing team of core developers providing an Enterprise class Linux distribution freely to the public. Sotnec has been running their web site with 3 Linux servers: one web server, one DNS server (a primary name server for their own domain sotnec.org), and one database server (which also hosts a central syslog server). Their developers use several laptops and desktops to maintain their distribution and their Wiki web site. Users on the Internet can download their distribution and access the contents of their wiki site. Since their business is growing, they want to add another layer of security to their web site by using Linux's firewall technology. The Company hires you as their security consultant to design and deploy their firewall layer to harden their web site.

Current Status of the web site:

Sotnec runs their web site with the following resources:
1. An Intel Quad core machine with 4GB main memory and 50GB hard disk running Apache and MediaWiki on CentOS 5.3 Linux. FQDN: cs2_as1.sotnec.org
2. An Intel Single core machine with 1GB main memory and 10GB hard disk running BIND on CentOS 5.3 Linux. FQDN: cs2_as2.sotnec.org
3. An Intel Dual core machine with 4GB main memory and 500GB hard disk running MySQL server and a central syslog log server on CentOS 5.3 Linux. FQDN: cs2_as3.sotnec.org
4. Three Laptops (will have more laptops in the future). FQDN: none
5. One Desktop machine (will have more in the future). FQDN: none
6. A router/gateway running Fedora 11 for connecting to the Internet. FQDN: none

Functional Requirements for the site:

The following services must be provided to the users on the Internet:
- An authoritative DNS server (cs2_as2) to answer queries on their domain sotnec.org
- A web server (cs2_as1) hosting the ISO image of their Enterprise class Linux distribution for downloading
- A wiki web site on the web server (cs2_as1) containing the documentation for their Linux distribution

Supporting services for running their web server:
- A MySQL (cs2_as3) database server providing data storage for the wiki site. This MySQL server can be accessed only by the web server (cs2_as1) and the Desktop machine(s) in the internal private LAN.

Site Network Diagram:

The following is the layout of Sotnec's web site plus the four suggested firewall placements. (Network diagram not reproduced in this transcription.)

Access Policy:

Sotnec has stated the following access policy for their web resources:
- The web site should be secured by adding four firewalls as shown on the network diagram.
- Do not allow any user to surf the net on any of the application servers (cs2_as1 to cs2_as3).
- All workstations should be on a different logical network segment from the laptops.
- All workstations and laptops are allowed to surf the Net using http and https protocols only.
- All workstations and laptops are allowed to ssh to any servers on the Internet, except cs2_as1 and cs2_as2.
- Only Laptops are allowed to use the mysql command to connect to the MySQL database server.
- Only specific workstations with known MAC addresses are allowed to ssh to the three application servers (cs2_as1 to cs2_as3).
- The gateway allows SSH connections from the Internet and from the workstations but not from any of the laptops.
- Do not allow SSH connections from the Internet to any of the application servers (cs2_as1 to cs2_as3).
- All the systems (the three application servers, the router, laptops, workstations) should respond to local ICMP requests.
- ICMP requests from the Internet to the web server and DNS server should be limited to not more than 10 packets per minute.
- The MySQL server should allow database connections only from the wiki server and laptops on the local network P (LAN P).
- The wiki web server accepts only secure web transactions.
- Only the DNS server should be allowed to send DNS queries to the root name servers on the Internet.

Logging and Reporting:
- Any illegal network activities should be logged and reported by the firewall's logging mechanism.
- Any known layer 2 (network layer) and layer 3 (transport layer) attack packets, as described in the text book, must be logged and reported when detected.
- [Bonus mark (+10%)] Any host on the Internet that attempts to ssh to any machine on the web site (router, application servers, etc.) should be blocked for 15 minutes and the attempts must be logged and reported.

IP Address allocation:
1. The IP address for the external network interface on the router/gateway should be 142.204.xxx.xxx. Use a variable (e.g. INET_IP) to hold this value and use it in your firewall policy construction tables and your firewall scripts.
2. The netmask for the external network interface on the router/gateway should be 255.255.255.192 but may be changed to some other value. Use a variable (e.g. INET_NM) to hold this value and use it in your firewall policy construction tables and your firewall scripts.
3. The internal LAN D uses the 192.168.x.0/24 network, where x can be from 1 to 40. Use a variable (e.g. LAN_D) to hold this value and use it in your firewall policy construction tables and your firewall scripts.
4. The netmask for LAN D is 255.255.255.0. You could also use a variable to hold this value to make it more flexible.
5. The internal LAN P uses the 192.168.y.0/24 network, where y is 100+x. Use a variable (e.g. LAN_P) to hold this value and use it in your firewall policy construction tables and your firewall scripts.
6. The default netmask for LAN P is 255.255.255.0. However, you may have to subnet the 192.168.y.0/24 network into a few subnets in order to meet the Company's requirement of putting all the laptops in one subnet and all the Workstations in another subnet.
7. IP addresses for the web server, DNS server and MySQL/Syslog server are:
   Web Server: 192.168.x.80
   DNS Server: 192.168.x.53
   MySQL Server: 192.168.y.33

MAC Addresses:

If you need to use the MAC address of any network interface in your firewall policy construction tables or your firewall scripts, it is your responsibility to find it out.

Your Task:

1. (20%) Study the network diagram, access policy and logging/reporting requirements provided by the Company. Evaluate and comment on the current site setup and make your firewall proposal on the firewall placement and policy.

2. (40%) Based on your firewall proposal, use a format similar to the following table to present your firewall policy. You need to create one firewall policy for the Internet router (perimeter firewall), one firewall policy for the web server, one firewall policy for the DNS server, and one firewall policy for the database server. Make sure that you include policy to handle the attacks mentioned in text book chapters 2, 3, and 4. The following format is only a suggestion; you may have to add or remove columns to meet the needs of your firewall policy requirements.

   Service Name      | Protocol (tcp flag) | Source Address (IP/MAC) | Source Port | Iptables' chain | Destination Address | Dest. Port | Action (Drop/Accept/Log/etc.)
   ------------------|---------------------|-------------------------|-------------|-----------------|---------------------|------------|------------------------------
   INVALID           | ANY                 | ANY                     | ANY         | IN              | ANY                 | ANY        | DROP
   INVALID           | ANY                 | ANY                     | ANY         | IN              | ANY                 | ANY        | LOG
   ICMP echo request | ICMP                | LOCAL                   |             | IN              | Local               |            | ACCEPT

3. (40%) Based on each firewall policy table created in task 1, convert them into a shell script to generate the corresponding firewall rulesets on each server/router. Run your firewall scripts, test your firewalls for correctness and hand in the following:
   a. A listing of all your firewall scripts.
   b. A listing of the output on each firewall from the commands /sbin/iptables -L -v and /sbin/iptables -t nat -L -v
   c. A listing of the output on each firewall from the command /sbin/iptables-save

   Note: Do not hard code network addresses or other values in your shell scripts. You should put them in a separate file and source it in your shell script. Please add at least one comment for each firewall rule in your script as a form of inline documentation. Your shell script should be the only command to be executed in order to set up each firewall.

Submission:

Part 1: Firewall Scripts
Name the four scripts gw_fw.sh, as1_fw.sh, as2_fw.sh, and as3_fw.sh. Create a directory called cs2dir and copy all your firewall scripts to cs2dir. Go to the parent directory of cs2dir and create a compressed tar ball file called cs2.tgz by running the command tar czf cs2.tgz cs2dir. Email the compressed tar ball file to your instructor with the subject line "SPR500 0903 CS2 Submission" on or before the due date.

Part 2: Listing of Firewall scripts and rulesets and Firewall Proposal
Label each listing clearly, bind all listings together with a cover page, an index page, and your firewall proposal, and hand them in to your instructor on or before the due date.

Any questions about this Case Study should be forwarded to your instructor via email no later than November 13, 2009.
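As an added example (not the course's or Sotnec's own gw_fw.sh), the fragment below shows how three items of the access policy, the INVALID rows of the sample table, the 10-per-minute ICMP limit for the web and DNS servers, and the MAC-restricted SSH to the application servers, could be written in the gateway script in the form task 3 asks for: site values sourced from a separate file and one comment per rule. The settings file name cs2_settings.sh, the interface name eth0, the choice x=1 and the workstation MAC addresses are assumptions or constructed placeholders.

```shell
#!/bin/sh
# Added example, not the course's or Sotnec's own gw_fw.sh: three policy items
# of the case study as iptables rules, with site values sourced from a settings
# file (name cs2_settings.sh assumed; defaults are constructed placeholders).
if [ -r ./cs2_settings.sh ]; then . ./cs2_settings.sh; fi
: "${INET_IF:=eth0}"                  # external interface name (assumed)
: "${LAN_D:=192.168.1.0/24}"          # x = 1 chosen as a placeholder
: "${LAN_P:=192.168.101.0/24}"        # y = 100 + x
: "${WEB_IP:=192.168.1.80}"
: "${DNS_IP:=192.168.1.53}"
: "${WS_MACS:=00:11:22:33:44:55 00:11:22:33:44:66}"  # constructed workstation MACs
: "${DRY_RUN:=1}"   # 1 prints the rules for review; set DRY_RUN=0 to load them

# Every rule goes through ipt() so the script can be checked without root
ipt() {
  if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else /sbin/iptables "$@"; fi
}

invalid_rules() {
  # INVALID rows of the sample policy table: log, then drop, packets the
  # connection tracker cannot tie to any known connection
  ipt -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "CS2-INVALID:"
  ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
}

icmp_rules() {
  # Local segments may ping the gateway itself
  ipt -A INPUT -p icmp --icmp-type echo-request -s "$LAN_D" -j ACCEPT
  ipt -A INPUT -p icmp --icmp-type echo-request -s "$LAN_P" -j ACCEPT
  # Echo requests from the Internet to the web and DNS servers: a burst of 1
  # refilled at 10/minute, i.e. at most one every 6 seconds; the rest are dropped
  for dst in "$WEB_IP" "$DNS_IP"; do
    ipt -A FORWARD -i "$INET_IF" -p icmp --icmp-type echo-request -d "$dst" \
        -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
    ipt -A FORWARD -i "$INET_IF" -p icmp --icmp-type echo-request -d "$dst" -j DROP
  done
}

ssh_rules() {
  # Only the listed workstation MACs may open SSH to the application servers on
  # LAN D (the MAC match works because the workstations sit on a segment attached
  # directly to the gateway); any other SSH attempt towards LAN D, including
  # from the Internet, is logged and dropped
  for mac in $WS_MACS; do
    ipt -A FORWARD -m mac --mac-source "$mac" -p tcp --syn -d "$LAN_D" --dport 22 -j ACCEPT
  done
  ipt -A FORWARD -p tcp --syn -d "$LAN_D" --dport 22 -j LOG --log-prefix "CS2-SSH-DENIED:"
  ipt -A FORWARD -p tcp --syn -d "$LAN_D" --dport 22 -j DROP
}
invalid_rules; icmp_rules; ssh_rules
```

Run with DRY_RUN=1 (the default) to review the generated rules, then as root with DRY_RUN=0 to load them; the remaining policy items would be added as further functions in the same style.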