Perimeter Firewalls
09/22/2007
Brought to you by: Brandon Napier, Rick Archibald, Pete Jamison
In association with HAL PC & HLUG
Who am I?
Brandon Napier
- Got interested in computers in 1992, in high school: local BBSs, 2400 baud modem, high school programming classes and contests (Pascal)
- B.S. in Computer Science from University of Texas at Austin
- I.T. Manager for a small manufacturing company since 2001: process management, software development, systems administration, training, etc.
- Got serious about learning Linux in mid 2006; still addicted
Why should you listen to me? I just spent a little time learning. Now I use IPCop at work and at home.
Who are you?
- Who uses the Internet?
- Who uses dial up?
- Who has some Linux knowledge? (This is not necessary to use a Linux firewall solution, but it does help.)
- Ever set up a router or wireless access point?
- Who has knowledge or experience with IPCop, SmoothWall Express, Devil Linux, or another Linux-based do-it-yourself firewall?
- Who is familiar with IP addresses?
- Who knows what DHCP is?
General Introduction
What is a firewall?
- Boundary between you and the Wild Wild Web
- Controls what network traffic comes in and goes out
Personal vs. Perimeter Firewalls
- Personal firewall: runs as a software application on your computer; good at controlling egress. Examples: ZoneAlarm, many many more.
- Perimeter firewall: gateway between a LAN (local area network) and the Internet; good at preventing intrusion. Provides NAT. Provides DHCP.
Best practice is to use both a personal and a perimeter firewall.
What is NAT? (Network Address Translation)
- Allows many computers to share an Internet connection by sharing one I.P. address on the Internet (this is the external address)
- Provides a crucial layer of security between your computer and the web
- When bad guys come knocking they reach a hardened firewall and can't get through to the computers behind it
Reserved IP Ranges for Private Networks
Client computers must be assigned internal addresses from one of the 3 reserved ranges:
- 192.168.0.0 to 192.168.255.255
- 172.16.0.0 to 172.31.255.255
- 10.0.0.0 to 10.255.255.255
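To make the last two slides concrete, here is an added example (written for this page; it is not IPCop's or netfilter's code) that models a masquerading NAT gateway: it checks that the inside address comes from one of the three reserved ranges above, rewrites an outbound connection to the single external address, maps the reply back to the LAN host, and drops an inbound packet that matches no existing flow. The external address 203.0.113.7, the remote hosts, the ports and the `Packet`/`NatGateway` names are all constructed for the illustration.

```python
# Added example, not IPCop's code: a simplified model of a masquerading
# NAT gateway between a green LAN and a red uplink.  All addresses and
# ports below are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# The three reserved private ranges from the slide (RFC 1918).
PRIVATE_RANGES = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("10.0.0.0/8"),
]


def is_private(address: str) -> bool:
    """True if the address falls inside one of the three reserved ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in PRIVATE_RANGES)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Stateful source NAT: one external address shared by the whole LAN."""

    def __init__(self, external_ip: str, first_port: int = 40000):
        self.external_ip = external_ip
        self.next_port = first_port
        # external port -> (inside ip, inside port)
        self.table: Dict[int, Tuple[str, int]] = {}
        # (inside ip, inside port) -> external port, so a flow keeps its port
        self.flows: Dict[Tuple[str, int], int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a LAN packet as it leaves on the red interface."""
        if not is_private(pkt.src_ip):
            raise ValueError(f"{pkt.src_ip} is not an internal address")
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.flows:
            port = self.next_port
            self.next_port += 1
            self.flows[key] = port
            self.table[port] = key
        return Packet(self.external_ip, self.flows[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving on red; None means it was dropped."""
        if pkt.dst_ip != self.external_ip or pkt.dst_port not in self.table:
            return None  # no matching flow: unsolicited traffic goes nowhere
        inside_ip, inside_port = self.table[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def demo():
    gw = NatGateway(external_ip="203.0.113.7")  # constructed external address
    # A client behind the firewall opens a web connection.
    out = gw.outbound(Packet("192.168.110.20", 51000, "198.51.100.10", 80))
    # The reply is addressed to the external address and is mapped home.
    reply = gw.inbound(Packet("198.51.100.10", 80, out.src_ip, out.src_port))
    # Something on the Internet knocks on the external address directly.
    probe = gw.inbound(Packet("198.51.100.99", 4444, "203.0.113.7", 80))
    return out, reply, probe


if __name__ == "__main__":
    o, r, p = demo()
    print("outbound after NAT:", o)
    print("reply after NAT:   ", r)
    print("unsolicited probe: ", "dropped" if p is None else p)
```

The model deliberately ignores timeouts, port exhaustion and protocols without ports; the point it makes is that the mapping table only ever gains entries from the inside, which is why unsolicited inbound packets have nowhere to go.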
DHCP
DHCP: Dynamic Host Configuration Protocol
- A DHCP server assigns IP addresses to client computers
- The client computer, when first connected to the network, calls out. It says, "someone please give me an IP address."
- The DHCP server responds and assigns the client an IP address
- Now the client can use the network
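The exchange above, as an added toy model (not IPCop's or dnsmasq's code): the client's "someone please give me an IP address" is a DHCPDISCOVER, the server answers with a DHCPOFFER, the client confirms with a DHCPREQUEST and receives a DHCPACK carrying the address, netmask, router and DNS server. The model also enforces the rule that the lease pool must sit inside the green subnet and must not swallow the firewall's own address, which is the check you want when you later type a start and end address into the installer. The green address 192.168.110.1/24, the pool and the MAC addresses are constructed; `DhcpServer` and its methods are names invented for this example.

```python
# Added example, not IPCop's code: a toy DHCP server that walks through
# DISCOVER / OFFER / REQUEST / ACK and hands out leases from a pool that
# must lie inside the green subnet.  Addresses and MACs are constructed.
import ipaddress
from typing import Dict, Optional


class DhcpServer:
    def __init__(self, server_cidr: str, start: str, end: str, lease_seconds: int = 3600):
        iface = ipaddress.ip_interface(server_cidr)  # e.g. 192.168.110.1/24
        self.server_ip = iface.ip
        self.network = iface.network
        self.start = ipaddress.ip_address(start)
        self.end = ipaddress.ip_address(end)
        self.lease_seconds = lease_seconds
        self.leases: Dict[str, ipaddress.IPv4Address] = {}  # MAC -> address
        self.offers: Dict[str, ipaddress.IPv4Address] = {}  # MAC -> offered address
        self._validate_pool()

    def _validate_pool(self) -> None:
        """Reject a start/end range that cannot work on the green network."""
        if self.start > self.end:
            raise ValueError("start address is after end address")
        for edge in (self.start, self.end):
            if edge not in self.network:
                raise ValueError(f"{edge} is outside {self.network}")
        if self.start <= self.server_ip <= self.end:
            raise ValueError("pool overlaps the firewall's own green address")
        if self.start == self.network.network_address or self.end == self.network.broadcast_address:
            raise ValueError("pool must not include the network or broadcast address")

    def _free_address(self) -> Optional[ipaddress.IPv4Address]:
        taken = set(self.leases.values()) | set(self.offers.values())
        ip = self.start
        while ip <= self.end:
            if ip not in taken:
                return ip
            ip += 1
        return None  # pool exhausted

    def discover(self, mac: str) -> Optional[str]:
        """DHCPDISCOVER -> DHCPOFFER (None when no address is free)."""
        ip = self.leases.get(mac)  # a returning client is offered its old lease
        if ip is None:
            ip = self._free_address()
        if ip is None:
            return None
        self.offers[mac] = ip
        return str(ip)

    def request(self, mac: str, ip: str) -> Optional[dict]:
        """DHCPREQUEST -> DHCPACK as a dict, or None standing in for DHCPNAK."""
        offered = self.offers.get(mac)
        if offered is None or str(offered) != ip:
            return None
        self.leases[mac] = self.offers.pop(mac)
        return {
            "ip": str(self.leases[mac]),
            "netmask": str(self.network.netmask),
            "router": str(self.server_ip),   # the firewall is the default gateway
            "dns": str(self.server_ip),      # and, via dnsmasq, the resolver
            "lease": self.lease_seconds,
        }

    def release(self, mac: str) -> None:
        self.leases.pop(mac, None)


def pool_is_valid(server_cidr: str, start: str, end: str) -> bool:
    """Helper for checking a proposed pool without keeping the server object."""
    try:
        DhcpServer(server_cidr, start, end)
        return True
    except ValueError:
        return False


def demo():
    # A two-address pool so the exhaustion case shows up immediately.
    server = DhcpServer("192.168.110.1/24", "192.168.110.100", "192.168.110.101")
    first = server.request("00:11:22:33:44:01", server.discover("00:11:22:33:44:01"))
    second = server.request("00:11:22:33:44:02", server.discover("00:11:22:33:44:02"))
    third = server.discover("00:11:22:33:44:03")   # pool is full: no offer
    renew = server.discover("00:11:22:33:44:01")   # same client, same address
    return first, second, third, renew


if __name__ == "__main__":
    for step in demo():
        print(step)
```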
Types of perimeter firewalls:
Hardware/embedded: manufactured device with a built-in operating system (usually Linux)
- As simple as a router or wireless access point/router combination (Linksys, NetGear, Cisco, etc.)
- Some are very powerful (and very expensive), like some Cisco devices
Software/DIY (Do It Yourself): YOU install an operating system
- Runs on a PC that has multiple network cards
- Typically runs on old hardware
- Examples of DIY firewall OSs: IPCop, SmoothWall, Devil Linux
Machine Classes
- Door Stop (200 MHz to 1 GHz, around 256 MB memory): ideal machine for a DIY firewall
- Boat Anchor (P1 200 MHz or below, probably 16 to 128 MB memory): probably capable of running a limited DIY firewall
- Target Practice (486 or below): not much to do with a machine like this except shoot it up (or recycle!)
Why DIY? Part 1
- HW may be cheaper
- Flexibility and control
- Blocking porn, advertising, malware capability: block on multiple levels: hosts file, dnsmasq, proxy (Squid)
- Logging/graphical analysis
- Ease of backup and restoring settings: good for multiple deployments
Why DIY? Part 2
- Functionality can be greater, short of very expensive commercial solutions:
  - VPN (Virtual Private Networking)
  - IDS (Intrusion Detection System): Snort
  - Proxy: Squid
  - Much more included, potential for even more functionality through addons
- Better understanding of your network: you will learn a lot!
DIY: Determine Basic Configuration (number of network cards)
Each type of network and its card is represented by a unique color.
Basic Setup: Green + Red
- Red = Internet connection (external I.P. address). Typically a network card connected to your DSL or cable modem. Can also be a dial-up modem or ISDN card.
- Green = Local Area Network (internal I.P. address). Connects to a switch or hub with your client computers.
DIY: Determine Basic Configuration (number of network cards)
Optional Additions
- Orange = DMZ (accessible from inside and outside). This is typically used for servers.
- Blue/Purple = inside network for WiFi. Connect an access point to this interface or use a WiFi NIC card. (Not necessary for WiFi; you can also connect an access point to your regular Green network.)
Example Network Diagram
IPCop Specifics
- Web page: http://ipcop.org/
- Uses version 2.4 Linux kernel (supports IPTables)
- Uses dnsmasq: simple compared to BIND
- Too many other features to list here
- IPCop is completely free
- Can run headless (no monitor/keyboard); administration through web page
- Comes from the same family tree as SmoothWall
If you don't have an install CD you will need to make one.
- Download the latest .iso file from the IPCop homepage.
- Use your favorite burning software to burn the .iso to a CD (make sure to select 'Burn Image', not just a data project). If your CD contains only one .iso file, then you burned it the wrong way.
- Pop the install disk into the computer you intend to use and boot off the CD (you may need to change the BIOS settings to tell it to boot off CD).
- The computer you are installing to needs to have a single sacrificial hard drive. This hard drive will be completely formatted and erased.
Hook up a monitor and keyboard to the computer you are installing to (no mouse). You will use the keyboard to navigate the menus: arrow keys, Tab, space bar, Enter key. I have created screen shots using VMware, but we are going to do an actual install. So, time for me to hook up our install box!
After Booting you will be greeted with this screen. Just press enter to start the install process.
Select your language. Tab down to 'Ok' and press enter.
Just press enter (and remember not to choose cancel later as that will cancel the ENTIRE install)
We are installing from CD. Press Enter.
It should find your first hard disk. Press enter to proceed.
If you are not importing any settings, press the space bar to select the 'Skip' option. Then tab down to 'Ok' and press enter.
Press enter to 'Probe' and IPCop will detect your first network card.
IPCop has found our first network card. Press Enter.
Now it's time to assign the internal/green IP address. I am going to use 192.168.110.1. Leave the 'Network Mask' at the default, as I have.
Take out the CD and then press 'Ok'. But we still have more work to do.
Select your keyboard type and press Ok.
Select your timezone and then hit 'Ok'. Tip: you can press the 'u' key to jump down to the US zones quickly.
Name your box whatever you want. I stuck with the default, but that is because I am lazy.
Call your domain whatever you want. I stuck with the default, but that is because I am still lazy.
Since we won't be using ISDN, tab down to 'Disable ISDN' and press enter.
We will work our way down this configuration menu, starting with the first one. So just press enter to configure 'Network configuration type'.
Use the arrow keys to select Green + Red then tab down to 'Ok' and press enter.
On to the next one. Select 'Drivers and card assignments' and press enter.
Press enter with 'Ok' highlighted to assign the red network card.
IPCop will probe and find the next network card. Press enter to use this card as the red interface.
That is good news. Press enter.
On to the next one. Select 'Address settings' and press enter.
We already configured the green network's address settings. Select 'Red' and press enter.
Configure the red network's address settings: change the IP address option from 'Static' to 'DHCP' (unless your Internet provider tells you otherwise). Tab down to 'Ok' and press Enter.
Tab down to 'Done' and press Enter.
Skip 'DNS and Gateway settings'. They are only used if you selected static IP on the Red interface. Since we are using DHCP on the Red interface, these will be acquired automatically.
Yeah, the last one! Select 'DHCP server configuration' and press enter.
Select 'Enable' (with the space bar) to enable DHCP on our green network (IPCop is acting as the DHCP server). Enter a start address and end address within your subnet range.
Tab to 'Done' and press enter. Warning: the newest version of IPCop contains a minor bug. After selecting 'Done' it will take you back into DHCP server configuration. Just tab down to 'Ok' and press enter to continue on.
Set your root password. This will be used to log in at the command line as the 'root' user. You must enter the password twice, and you will not see anything displayed as you type.
Enter the admin password. This password is used to log in to the web administration page as the 'admin' user.
Enter the backup password. This password is used for saving and restoring your IPCop settings.
We're done! Press enter.
As the machine loads you will see this screen for a few seconds. You don't need to do anything. Just let it boot with the default options.
Finally we see the command line login prompt. We can log in as root if we like.
Web Administration
- In your browser, enter the following URL: https://192.168.110.1:445 (If you used a different green address, be sure to substitute whatever green address you assigned in place of '192.168.110.1'.)
- You could also use the hostname you set, but you must use https and port 445. (The https default is port 443. SmoothWall Express uses port 441.)
- Set this as a bookmark, so you won't have to type it every time.
- You will receive a couple of certificate notifications. Just press 'Ok' through them.
- You will be greeted with the admin page, and may not be asked to log in until you actually try to do something. Remember: log in as 'admin' and use your admin password.
- We don't have time to cover much here, so I will leave it to you to explore and learn. You can make use of the resources listed on the Resources slide to help you with this learning process.
IPCop Addons
- You probably won't need any addons; IPCop already provides many features.
- Only consider an addon if you need something IPCop is missing.
- Addons do have the potential of making the firewall less secure. The more programs you have running, the higher the chance that one of them has a security hole.
IPCop Addons: Examples
- Zerina: OpenVPN for your IPCop (OpenVPN is an SSL-based VPN, whereas the VPN functionality built in to IPCop is IPsec-based)
- BOT (Block Outgoing Traffic): GUI to simplify creation of Netfilter/IPTables rules. Will allow you to control what outgoing traffic is permitted.
- Many, many more...
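What a "block outgoing traffic" rule set actually does is evaluate each outbound connection against an ordered list of rules, first match wins, and fall back to the chain's default policy. The following added example (written for this page; it is not the BOT addon's or IPCop's code) models that first-match evaluation for a constructed egress policy on the green network and renders each rule as the equivalent iptables command line, so the reader can see how a GUI rule maps onto the FORWARD chain. The LAN 192.168.110.0/24, the mail host 192.168.110.5, the sample flows and the `Rule`, `Flow`, `evaluate` and `to_iptables` names are all constructed for the illustration.

```python
# Added example, not the BOT addon's code: a first-match egress rule table
# of the kind an outgoing-traffic filter expresses, evaluated against a few
# constructed outbound flows, plus a rendering to iptables syntax.
import ipaddress
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    action: str             # "ACCEPT" or "DROP"
    src: str                # CIDR the flow's source must fall in
    proto: str              # "tcp", "udp" or "any"
    dst_port: Optional[int] # None = any destination port


class Flow(NamedTuple):
    src_ip: str
    proto: str
    dst_port: int


def evaluate(rules: List[Rule], flow: Flow, policy: str = "DROP") -> str:
    """Return the action of the first rule that matches, else the chain policy."""
    src = ipaddress.ip_address(flow.src_ip)
    for rule in rules:
        if src not in ipaddress.ip_network(rule.src):
            continue
        if rule.proto != "any" and rule.proto != flow.proto:
            continue
        if rule.dst_port is not None and rule.dst_port != flow.dst_port:
            continue
        return rule.action
    return policy


def to_iptables(rule: Rule, chain: str = "FORWARD") -> str:
    """Render one rule as the equivalent iptables command (for reading, not run here)."""
    parts = ["iptables", "-A", chain, "-s", rule.src]
    if rule.proto != "any":
        parts += ["-p", rule.proto]
        if rule.dst_port is not None:
            parts += ["--dport", str(rule.dst_port)]
    parts += ["-j", rule.action]
    return " ".join(parts)


GREEN = "192.168.110.0/24"      # constructed green network
MAIL_HOST = "192.168.110.5/32"  # constructed: the one box allowed to talk SMTP

# Constructed egress policy: DNS and web out for everyone, mail only from the
# mail host, everything else falls to the DROP policy.  Order matters: the
# host-specific ACCEPT must come before the LAN-wide DROP for port 25.
EGRESS_RULES = [
    Rule("ACCEPT", GREEN, "udp", 53),
    Rule("ACCEPT", GREEN, "tcp", 80),
    Rule("ACCEPT", GREEN, "tcp", 443),
    Rule("ACCEPT", MAIL_HOST, "tcp", 25),
    Rule("DROP", GREEN, "tcp", 25),
]


def demo() -> List[str]:
    samples = [
        Flow("192.168.110.20", "tcp", 443),  # web browsing from a workstation
        Flow("192.168.110.20", "tcp", 25),   # workstation trying to send mail directly
        Flow("192.168.110.5", "tcp", 25),    # the mail host sending mail
        Flow("192.168.110.20", "tcp", 6667), # anything not listed hits the policy
    ]
    return [evaluate(EGRESS_RULES, flow) for flow in samples]


if __name__ == "__main__":
    for rule in EGRESS_RULES:
        print(to_iptables(rule))
    print(demo())
```

Reordering the last two rules (LAN-wide DROP before the mail host's ACCEPT) silently breaks outbound mail, which is the classic mistake a rule GUI helps you see and the reason this example evaluates rules in list order.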
Resources
- This presentation is available on the HLUG wiki: http://twiki.hlug.org/
- IPCop home page: http://ipcop.org/ Check out the FAQ and the Documentation section. They have many helpful guides.
- http://www.ipcops.com/ is an IPCop support site. They have an excellent forum dedicated to IPCop.
- Email me: brandon.napier@gmail.com
Thanks for listening!! Good luck with IPCop or whatever firewall solution you choose!