Managing Security with Open Source “IPCop”



  1. 1. Managing Security with Open Source “IPCop” IL-TCE Conference Mar 3 & 4, 2005 ©2005 - Terence J. Sullivan Free for Educational Use Sullivan IPCop Firewall IL-TCE
  4. 4. Development & Accessory Sites
      • IPCop –
      • Firewall Addons –
      • Sourceforge Project –
      • Unofficial Modifications Site –
  5. 5. IPCop Project
      • Based on “smoothwall” firewall
      • Stripped down linux – “hardened” minimal subset of linux
      • Uses
      • Requires minimal to no knowledge of linux command line
  6. 6. Features
      • Stateful packet inspection with NAT & PAT
      • Full logging (by IP # or even username)
      • Port forwarding, IP blocking
      • Alias for WAN port, allowing multiple IP address management
      • SNORT – community standard for intrusion detection
      • Squid – community standard for Internet proxy
      • FreeS/WAN IPSec support, VPN
  7. 7. Features (cont)
      • LAN Services (dhcp, dynamic dns registration, etc)
      • NIC, ISDN, & Modem supported
      • Web based configuration
      • Built in self patching/updating
      • Backup/Restore
      • Traffic Shaping
      • Time Server
      • Automatic update/patch management
  8. 8. Hardware Requirements
      • Pentium II with 128 Meg RAM
      • 2 Gig HD
      • HCL (hardware compatibility list)
        – Supported NICS –
      • Boot from CDRom (easiest install)
      • Lightweight Package – 40 meg – ISO
  9. 9. Enhancement Utilities
      • Web browser content filtering – Cop+ or SquidGuard
      • POPFile – Email virus/spam filtering
      • BlockOutTraffic – Block IP
      • Nmap – local network auditing tool
      • Ident – collect username in logs – local service or authenticate with proxy
      • Syslog service – send logs to logging server
      • LAN backup – backup to lan device
  10. 10. System Graphs
  11. 11. Traffic Graphs
  12. 12. Firewall Logs
  13. 13. Content Filter
  14. 14. Example Setup/Config
      • A complete firewall can be set up and configured in less than an hour.
      • IPCop vocabulary
        – Green NIC – inside LAN
        – Red NIC – outside WAN port to Internet
        – Orange NIC – DMZ public server port
        – Blue NIC – Wireless network isolation
  15. 15. Contact Info Presentation Materials Terence (Terry) Sullivan
  16. 16. Another Quality How-to from TechGeeks - <>

      Installing IPCop 1.4.2
      <Date: 03-03-2005>

      /* Special thanks to the TechGeeks, LTC-4 & LTC-5 staff for all their notes, ideas, and suggestions from which this how-to was compiled */

      ===========================================================================
      HOW TO INSTALL IPCop 1.4.2 Firewall & Cop+ Content Filtering
      ===========================================================================

      1) Download ISO CD-image and burn to make bootable CD:
         1.4.0 - will require two patches
         1.4.2 - will not require patches as of the date of this howto

      2) Boot from CD and complete basic installation.
         * Note warning that all existing data on CD will be destroyed.
         * Boot: <--- press enter
         * Choose Language – English & then OK to Installing
         * Choose CDRom install, be sure CD is in the drive and <-- OK
         * Dialog will show progress as it formats/files to hard drive
         * Near end will ask for “Restore” CD-Rom to recover or clone;
           skip for new install, but can be used to rebuild a system
         * Assign inside/LAN NIC (this will be called the "Green" card)
           Probe for 1st Network Card
           Assign IP Address - (inside or local network gateway) with mask
         * At this point CD will eject preparing for reboot
         * Will ask for keyboard country - <us>
         * Set Timezone - CST6CDT
         * Name the local machine ex. ‘ipcop’ <-- without quotes
         * Domain: '' <-- FQDN without quotes
         * ISDN: not likely to use, so choose ‘Disable ISDN’
         * Network configuration type
           Green Red <-- for basic firewall
         * Drivers and card assignments:
           Probe – find other NIC
           Assign to Red
           Message status - All cards allocated <-- OK
         * Address Settings
           Green – confirm
           Red – set outside / public IP number
           Static - normal setting for K12 school
           IP Address & Mask
           'DONE' to accept both card assignments
         * DNS and Gateway settings
           DNS primary and secondary
           Gateway or default route to the Internet
         * 'DONE' accept Network Configuration
         * Configure DHCP server: set up to suit your network <-- OK
         * CREATE management user accounts
           1st screen is 'root' user for console access
           2nd screen is 'admin' user for web management
         * Basic Setup is Complete <-- will reboot now

      3) After reboot will come up to Console or Terminal login
         * login as 'root'
         * check connectivity: try ping outside network
         * note it is possible the Red/Green are reversed;
           if so, try reversing patch cables

  17. 17.
      4) In the future, to modify any of the basic configuration,
         return to console/root login and issue the command
         'setup' <--- without quotes
         from command line

         Howto access server console window from Windows:
         need Putty or favorite secure Telnet (SSH) program
         Putty – server.ip.number port 222 <-- non-standard port
         First time will have to accept certificate
         Login as User ‘root’ and password ‘******'

         for Putty help look at:

      5) From here configuration and management can be done via a browser
         To access WebAdmin Panel
         <-- non-standard port
         accept warning about the site certificate – Continue
         To login to WebAdmin Panel
         Press Connect
         User 'admin' Password '******' <-- this is the 2nd password set

         Basic initial configuration
         System – SSH access - Enable - SAVE
         Services – Web Proxy - Enable Green & Transparent Green
         Services – NTP Server – Enable - choose NTP server
           update automatically every X days
           SAVE <-- don't forget to click save
         Services – Intrusion Detection – Enable on RED
           Download new rule set and SAVE

      6) IPCop UPDATES: <not needed if using the 1.4.2 ISO image>
         Done in WebAdmin panel
         System - Updates - Click 'Refresh update list'
           Update 1 - 1.4.1
           Update 2 - 1.4.2
         Click 'info' behind Update-1
         Download update to local hard drive
         To apply: Browse - locate update package - Open, then UPLOAD
         (it's that easy -- permission, unpacking, install all automated)
         Repeat for Update-2
         Does not require reboot
         If a reboot is ever recommended, be aware IPCop breaks without it

      7) NEED "MOD" utility to install and use 3rd party add-on modules;
         these are NOT from the IPCop project team, but outside sources
         * Install has to be done manually
         * Get MOD tarball: download onto local computer
         * Use WinSCP or SCP to copy to IPCop server root
           WinSCP - User 'root' and Password '******'
           WinSCP uses Port 222 not normal Port 22 <-- non-standard port

           for WinSCP help look at:

         * Next log in as root on your IPCop, either from the console
           or Putty from Windows
           cd / <-- to go to the top level directory

  18. 18.
         * Unpack the tarball:
           tar zxvf addons-2.2-CLI-b2.tar.gz
           there should now be a new directory with the install files
         * Change to the new addons directory
           cd /addons
         * To install package, run the setup program
           ./setup -i (that is period-slash setup dash-i)
         * To uninstall if needed
           ./setup -u
         * If successful, there will now be a new menu in the WebAdmin panel

         caution: often after first installing the MOD package it is transparent
         at the end of the WebAdmin management menu, however it will pick up
         the blue color after the first or second restart

      8) To install DansGuardian Content Filtering (Cop+)
         Use the WebAdmin panel and the MOD package manager
         * Menu - ADDONS - ADDONS and Click Refresh addons list
         * Click on 'info' behind Cop+ addon
         * Download to local computer
         * From WebAdmin panel, ADDONS-ADDONS-Upload, browse, find and upload;
           all automated and does not require reboot

         After installing the base package, one update is needed
         * Menu - ADDONS - ADDONS-UPDATE <-- this is a different menu
         * Click refresh addons update list
         * Click on 'info' behind Cop+ Update
         * Download to local computer
         * From WebAdmin panel, ADDONS-ADDONS-UPDATES-upload, browse/find/upload

      9) Basic Content Filter configuration
         Done from WebAdmin panel, Service-Content Filter Menu
         * Download Blacklist Now to get started
         * Enable automatic download
         * Adjust Banned sites, urls, weighted phrase list as needed
         * Adjust Exception sites, urls, phrase list as needed
         * Example mini-config-howto
           Every configuration change in DG requires a Filter Restart to activate
           The configuration is really stored in text files, and the default setup
           has most of the filters "commented" out with a '#' as the first char in a line
           To activate a filter, edit the file, delete the '#', Save, and Restart

      Standard Disclaimer: What you do to your server and your network is your
      responsibility. There is a large K12 support community for IPCop, but do
      read the manual and on-line help. Not responsible for damages. Saturate
      before using. Slippery when wet. Contents very hot. Do not eat. Inhalation
      hazard. Safety glasses required. May become unstable when heated. Do not
      puncture. Risk of explosion. Point away from face. Dispose of properly.
      Contains 100% RDA of network security for the linux K12 Geek.

      ====================================
      Howto last updated 3-03-2005
      ====================================
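
Step 9 of the how-to says the content filter's configuration lives in text files whose inactive filters start with '#'. The script below is an added example, not part of the original how-to and not IPCop or Cop+ code; it shows one careful way to activate a single entry from the root shell: match the entry exactly, keep a rollback copy, and report whether a Filter Restart is needed. The function name, list file name and entries are constructed placeholders.

```shell
#!/bin/sh
# Added example, not IPCop/Cop+ code. List file names and entries below are
# constructed placeholders, not real Cop+ paths.

# enable_filter_entry FILE ENTRY
#   0 = entry was commented out and is now active (Filter Restart needed)
#   1 = entry was already active, file untouched
#   2 = entry not found in either form, or file could not be read/written
# The body runs in a subshell "( )" so its variables stay local.
enable_filter_entry() (
    file=$1
    entry=$2
    [ -r "$file" ] && [ -w "$file" ] || return 2
    # -F fixed string, -x whole line: URL characters are never treated as regex.
    if grep -Fxq -- "$entry" "$file"; then return 1; fi
    grep -Fxq -- "#$entry" "$file" || return 2
    cp -p -- "$file" "$file.bak" || return 2        # rollback copy
    tmp=$(mktemp "$file.XXXXXX") || return 2
    # Strip the '#' only from the exact line; every other comment stays as is.
    # Writing back with cat keeps the original file's owner and mode.
    if ENTRY=$entry awk '$0 == ("#" ENVIRON["ENTRY"]) { print ENVIRON["ENTRY"]; next }
                         { print }' "$file" > "$tmp" && cat "$tmp" > "$file"
    then rc=0; else rc=2; fi
    rm -f -- "$tmp"
    return "$rc"
)

# Demo on a constructed list file in a scratch directory.
demo_dir=$(mktemp -d) || exit 1
cat > "$demo_dir/bannedsitelist" <<'EOF'
# constructed sample: lines starting with '#' are inactive
#.Include</constructed/blacklists/ads/domains>
#.Include</constructed/blacklists/adult/domains>
blocked.example
EOF
enable_filter_entry "$demo_dir/bannedsitelist" \
    '.Include</constructed/blacklists/adult/domains>'
case $? in
    0) echo "entry activated: restart the filter to apply" ;;
    1) echo "entry already active: nothing to do" ;;
    *) echo "entry not found or file not writable" ;;
esac
grep -v '^#' "$demo_dir/bannedsitelist"   # show what is active now
rm -rf "$demo_dir"
```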