Firewall Project

Final Iteration Summary

The last iteration ended with us assigning our documentation tasks. I would like to thank Zigurds and Paul because they made today's presentation possible. Even though we had some ups and downs, we had an acceptable ending to this iteration.

Hopefully we have convinced the client to buy our solution.

Written by Alexandru

March 18, 2011 at 13:12

Posted in Progress & Tasks

Final Network Overview

Written by Alexandru

March 18, 2011 at 10:26

Posted in Progress & Tasks

Updated and achieved requirements

Project owner: Red leader

Project customer: CompanyX.INC

Users: CompanyX employees.

Requirements:

-Functional

  • The users should be able to access the internet.
  • The users won't have access to social networking websites like Facebook or Skype.
  • Downloading files will have a size limit.
  • Users don't have the ability to install software on their work PCs.
  • The traffic will be monitored and analyzed.
  • The company will offer access to a web page.
  • The LAN clients will be able to access the Samba file server.
  • The web server must be running and exposed to the external network.
  • A firewall must be set up to limit traffic between the two networks.
  • The firewall must be monitored.
  • A proxy is implemented to bypass the firewall.

-Non-Functional

  • Offer a simple solution for connecting to the Samba file server.
  • The project should be cost effective.
  • Hardware should be powerful enough to handle the software.
  • A secured connection to the Samba file server is available using VPN.

Written by Alexandru

March 18, 2011 at 10:26

Posted in Progress & Tasks

OpenVPN clients

Regarding OpenVPN clients these are the selected options:

Windows clients

For Windows clients there is the OpenVPN GUI for Windows:

http://openvpn.se/

The installation is pretty straightforward; still, just in case, some pointers (including how to make it work) may be found here:

http://thinkhole.org/wp/2006/03/28/ipcop-openvpn-howto/

!Through the virtual machine's NAT connection there needs to be a port forwarding rule set up for the port the VPN is using. You also need to modify the IP address that the VPN client connects to:

-in the *.ovpn file, modify the "remote" line so that it points to your IP from the local LAN:

Linux clients

Linux has in its repository a very nifty add-on for Network Manager called network-manager-openvpn.

Just to be on the safe side, update your repository index so you know you will be getting the newest version:

sudo apt-get update

Installation:

sudo apt-get install network-manager-openvpn

Using the network connections icon -> go to VPN Connections -> Configure VPN…

Now click the Add button and select OpenVPN connection:

Now here is the catch:

The Zerina OpenVPN add-on exports the certificates as a single PKCS#12 (.p12) file. For Network Manager to use it, we need to break this down into 3 pieces. This is done with the following commands:

#Extracting the CA certificate:

openssl pkcs12 -in myvpn.p12 -cacerts -nokeys -out myvpnca.pem

(-in: the file that we are extracting from; -out: the new file to extract into)

#Extracting the personal certificate:

openssl pkcs12 -in myvpn.p12 -clcerts -nokeys -out myvpncert.pem

#Extracting the private key (from the same myvpn.p12 bundle):

-With password:  openssl pkcs12 -in myvpn.p12 -clcerts -nocerts -out myvpnkey.pem
-Without (the key is written unencrypted): openssl pkcs12 -in myvpn.p12 -clcerts -nocerts -nodes -out myvpnkey.pem

http://www.carbm1.com/?p=184#comment-3996

A summary of what each option means:

http://linux.die.net/man/1/pkcs12

#Assign the three files to their respective fields in the connection dialog:

Check the port that you are connecting to by clicking the Advanced button. It must be the same as the one assigned to the VPN server.

You can also import your configuration from the *.ovpn file, but you must change the extension to *.conf. Unfortunately, extracting the *.p12 file is not optional.
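The three extraction steps above, scripted as an added example (not the post's own commands) that also checks the pieces belong together before they are imported into Network Manager; the file names, the password and the throw-away test bundle are assumptions:

```shell
#!/bin/sh
# Added example (not from the original post): split an exported OpenVPN client
# bundle (.p12) into the three PEM files network-manager-openvpn asks for, then
# check that the pieces belong together before importing them.
set -eu

# split_p12 BUNDLE PASSWORD OUTPREFIX -> OUTPREFIX-ca.pem, -cert.pem, -key.pem
split_p12() {
    bundle=$1; pw=$2; out=$3
    # CA certificate(s) only (the "CA Certificate" field in Network Manager)
    openssl pkcs12 -in "$bundle" -cacerts -nokeys -passin "pass:$pw" \
        -out "$out-ca.pem" || return 1
    # The personal (client) certificate only ("User Certificate")
    openssl pkcs12 -in "$bundle" -clcerts -nokeys -passin "pass:$pw" \
        -out "$out-cert.pem" || return 1
    # The private key, unencrypted (-nodes) so there is no passphrase prompt
    openssl pkcs12 -in "$bundle" -nocerts -nodes -passin "pass:$pw" \
        -out "$out-key.pem" || return 1
    chmod 600 "$out-key.pem"   # the key is now in clear text: keep it private
}

# check_pair OUTPREFIX -> 0 when the client cert chains to the CA and matches the key
check_pair() {
    out=$1
    openssl verify -CAfile "$out-ca.pem" "$out-cert.pem" >/dev/null || return 1
    cert_pub=$(openssl x509 -in "$out-cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$out-key.pem" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# make_test_bundle PASSWORD OUTPREFIX: constructed throw-away CA and client cert
# packed into OUTPREFIX.p12, standing in for the bundle Zerina exports (test data only)
make_test_bundle() {
    pw=$1; out=$2
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Test VPN CA" -days 1 \
        -keyout "$out-ca.key" -out "$out-ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=testclient" \
        -keyout "$out-client.key" -out "$out-client.csr" 2>/dev/null
    openssl x509 -req -in "$out-client.csr" -CA "$out-ca.crt" -CAkey "$out-ca.key" \
        -CAcreateserial -days 1 -out "$out-client.crt" 2>/dev/null
    openssl pkcs12 -export -in "$out-client.crt" -inkey "$out-client.key" \
        -certfile "$out-ca.crt" -passout "pass:$pw" -out "$out.p12"
}
```

With a real export, call split_p12 on the .p12 that Zerina produced and then check_pair on the output prefix; a non-zero exit from check_pair means the certificate and key do not match or the chain does not verify.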

Mobile Android Phone

It accepts the normal configuration and PKCS#12 (.p12) files. Just importing them should make it work (installation and testing of this has been carried out by Paul).

http://www.androidzoom.com/android_applications/communication/openvpn-installer_epia_download.html

Client for Mac

http://code.google.com/p/tunnelblick/

For the project we have the requirement of only the Windows and Android clients; the other two can be implemented if the client requires them in the future.

Written by Alexandru

March 17, 2011 at 15:12

Posted in Progress & Tasks

Iteration 4 Tasks

So far:

– Configure Blue Subnet (Paul)

– Monitoring

– Connecting Phone VPN

– Vulnerability Test (Romanas)

– Log settings, log possibilities

– IDS (Bo + Zigurds)

– Create Guest Subnet

– FTP connect to VPN (Alexandru)

– FTP security

So far these are the tasks defined for this iteration. Some are in progress; some (most!) will hopefully be done by Monday.

Written by Alexandru

March 13, 2011 at 19:38

Posted in Progress & Tasks

OpenVPN addon install for IPcop

This will be more of a reference post regarding how to install the Zerina OpenVPN add-on for IPcop. I will supplement each link with additional information, such as important points in the installation directions or comments.

The first link is a step-by-step how-to for installing Zerina on IPcop remotely, together with one of the software clients that we will be using for our Windows client machines:

http://thinkhole.org/wp/2006/03/28/ipcop-openvpn-howto/

*Currently the software only supports Host-to-Net VPN configuration.

(4) There is an important issue in the installation process at Step 4. If the version of IPcop is "incompatible" with the version of the Zerina add-on, you will be prompted with the following:

If you have the newest version of IPcop it will without a doubt happen. Fortunately there is a very easy way to bypass this.

Using the text editor nano, or any other text editor you are able to use, modify this line in the install script (instead of 1.4.15, put the IPcop version you are using):

if [ ! "`echo $IPCOPVERSION | grep "1.4.15"`" ] ; then

Alternatively comment out (#) all of the following lines:

#if [ ! "`echo $IPCOPVERSION | grep "1.4.15"`" ] ; then
# echo
# echo "ERROR: This ZERINA addon only works with IPCop 1.4.15!\n"
# echo "Sorry. Please update your IPCop - visit www.ipcop.org!\n"
# echo ""
# exit 1
#fi

http://www.ipcops.com/phpbb3/viewtopic.php?f=8&t=11719

(5) Step 5 is very important: it has to generate a configuration file, without which you will not be able to access the export files for setting up your client machines (the actual process of installing and configuring the clients will be covered in a different post).

Configuration guide to Zerina OpenVPN:

http://www.openvpn.eu/index.php?id=73&L=0

*There may be small differences between the version you have installed and the actual tutorial pictures. The setup will be fairly the same.

Check the log file to see that everything works, and connect with the client installed on a machine from either the green or the orange network (this isolates any problem involving the server configuration).

Snip of our configuration:

Clients connected

Statistics page with the client systems

Written by Alexandru

March 11, 2011 at 00:36

Posted in Progress & Tasks

Port Forwarding(Part 2: IPcop)

In our DMZ setup there are 2 things that require port forwarding to be set up: the web server and the VPN (for the FTP server).

The process of port forwarding to the exterior of the virtual machine was covered in the first post on this subject.

For the actual network itself, the VPN server installed has its own configuration settings, meaning IPcop will only require a single port forwarding rule, for the web server.

The Firewall tab in the picture above has 4 submenus:

1) Port Forwarding – used to set port forwarding rules for the DMZ.

2) External Access – this doesn't have any effect on the DMZ zone (Green and Orange networks). It is used to gain exterior access to the actual firewall and it is only used for this purpose.

3) DMZ Pinholes – this is used if it is required to give access from the Orange to the Green network (considering our setup). It will not be used in our configuration. Using it could involve a high security risk.

4) Firewall Options – a menu where you can choose whether ping responses are allowed or not.

More detailed information on the tabs and IPcop is found here:

http://www.ipcop.org/1.4.0/en/admin/html/section-firewall.html

Written by Alexandru

March 10, 2011 at 23:18

Posted in Progress & Tasks

Port forwarding (Part 1:connection through NAT)

This is a "how to" on port forwarding in VirtualBox. It comes as an addition to the short tutorial presented here: http://vojev.wordpress.com/2011/02/28/enable-port-forwarding-virtualbox/.

If you haven't read it, it would be fairly wise to do so, in order to understand the things that I am going to explain.

*To get access to the VBoxManage commands you are required (in the command line) to be in the folder where you have installed your VirtualBox.

Use Start -> Run and write: “cmd”.

The above image shows the path to my VirtualBox folder. The command cd means change directory, and what follows it is the path to the folder that you are looking for.

Now the configuration of the port forwarding rule in VBoxManage depends on how you have set up your network and the rules that you want to implement. For this I would like to reference the setup that we have:

Adapter 1: PCnet-FAST III (Internal network, 'Clients')
Adapter 2: PCnet-FAST III (Internal network, 'servernetwork')
Adapter 3: PCnet-FAST III (NAT)

This is our DMZ firewall configuration; my third adapter (Adapter 3) is NAT and it is the one that needs to be modified, because it represents the link with the exterior.

Breaking down some elements of the command that you will need to use to have port forwarding on the VM:

(1) This refers to the type of network card you are using: pcnet refers to either PCnet-FAST III or PCnet-PCI II (it works for both). If you require a different type it will have a different name; the two above are the most common. Check the following link for another example of a network card used and for more information on the subject.

https://wiki.archlinux.org/index.php/VirtualBox#Accessing_server_on_VM_from_host

(2) This refers to the actual "slot" that you have assigned to the card. The enumeration of these starts from zero: Adapter 1 = 0, Adapter 2 = 1, and so on. The configuration with the 3 adapters that I posted above means that my NAT'ed adapter is in the third slot, so I will have to use the value "2".

(3) This is the name (folder) of the actual rule that you are applying. It is useful to know this if you need to port forward multiple ports, because you will have to define new names (folders) for them. !Issuing the same command for an existing rule name with a new value at the end will simply modify the existing rule!

(4) When you are defining port forwarding you need to add a command line for each of: GuestPort (value), HostPort (value) and Protocol (for example UDP or TCP).

After defining these it is advised to do the following two things:

1. Check your entered rules with:

(the name of the VM goes between the " ")

*its output (only showing relevant data) will be something along the lines of this:

2. The machine that you are modifying must be neither powered on nor in a saved state.
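Elements (1) to (4) above put together as an added example (not the post's own command): a small shell helper that builds the per-device extradata keys for one NAT rule, turning the 1-based adapter number shown in the VirtualBox GUI into the 0-based slot the key needs. The VM name "ipcop", the rule name "vpn" and the OpenVPN port 1194 are assumptions; by default it only prints the commands.

```shell
#!/bin/sh
# Added example, not the post's own commands. Builds the legacy per-device
# VBoxManage setextradata keys for one NAT port-forwarding rule.
set -eu

# pf_key CARD ADAPTER RULE FIELD -> prints the extradata key for FIELD
# ADAPTER is the 1-based number from the VirtualBox GUI; the key wants the 0-based slot.
pf_key() {
    card=$1; adapter=$2; rule=$3; field=$4
    slot=$((adapter - 1))
    printf 'VBoxInternal/Devices/%s/%s/LUN#0/Config/%s/%s\n' "$card" "$slot" "$rule" "$field"
}

# pf_rule VM CARD ADAPTER RULE PROTO HOSTPORT GUESTPORT
# Prints (DRY_RUN=1, the default) or runs (DRY_RUN=0) the three commands for one rule.
# Re-using an existing RULE name overwrites that rule instead of adding a second one,
# and the VM must be powered off (not saved) for the change to take effect.
pf_rule() {
    vm=$1; card=$2; adapter=$3; rule=$4; proto=$5; hostport=$6; guestport=$7
    case "$proto" in
        TCP|UDP) ;;
        *) echo "protocol must be TCP or UDP, got '$proto'" >&2; return 1 ;;
    esac
    for pair in "Protocol=$proto" "HostPort=$hostport" "GuestPort=$guestport"; do
        field=${pair%%=*}; value=${pair#*=}
        key=$(pf_key "$card" "$adapter" "$rule" "$field")
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf 'VBoxManage setextradata "%s" "%s" %s\n' "$vm" "$key" "$value"
        else
            VBoxManage setextradata "$vm" "$key" "$value"
        fi
    done
}

# pf_show VM RULE: list what VirtualBox currently stores for RULE (step 1 of the checks above)
pf_show() {
    VBoxManage getextradata "$1" enumerate | grep "/Config/$2/"
}

# Constructed example: OpenVPN over UDP on the NAT card in adapter 3 of the VM "ipcop"
pf_rule ipcop pcnet 3 vpn UDP 1194 1194
```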

More info on VboxManage:

http://www.virtualbox.org/svn/vbox/trunk/doc/manual/en_US/user_VBoxManage.xml

http://www.virtualbox.org/manual/ch08.html

Written by Alexandru

March 9, 2011 at 02:17

Posted in Progress & Tasks

Second iteration tasks Alexandru

Tasks assigned to me for the second iteration were:

– VPN (research & implementation);

– port-forwarding (how to in pfSense & normal NAT config, how to for FTP & Webserver in the DMZ). [mostly to familiarize and catch up with the rest]

My progress for the second iteration was basically none. My reasoning for this is bad planning of personal time and the fact that I misunderstood concepts like VPN in relation to our project.

1) In regards to port forwarding: my understanding of the concept was ok, but when I had to actually implement it I had no luck in making it work.

*Update on this: Saturday, after a fresh install of Windows and putting to work the tips that Paul gave me, I got it working on pfSense & IPcop (tested on the webserver). Today it isn't working anymore. I am still having bugs and, being a novice on most things network related, when I troubleshoot I screw them up even more.

2) Now VPN: In the second iteration my initial research was to use OpenVPN. Reasons were compatibility for both Linux and Windows clients, the fact that it works with SSL (Secure Sockets Layer), and the amount of documentation available on the internet for it in comparison with other options, which for me made it the way to go.

(http://www.netheaven.com/TunnelTypes.html)

The issues that I had with this were that I had left a small timeframe to finish my task and my first understanding of the concept was the Host-To-Host setup of VPN, which I tried to implement like a ..(unrelated). The fact that I misunderstood the concept in regards to what we would have wanted to do for the project (roadwarrior setup) made me totally waste iteration 2. This has neither been brought to the attention of the group nor discussed in detail, and for that and the fact that I haven't achieved anything for the project in this iteration I would like to apologize, especially to Paul and Romanas.

I have not posted an entry for each task due to them being incomplete and will make posts for them this iteration.

Alexandru

Written by Alexandru

March 7, 2011 at 21:54

Posted in Progress & Tasks

Alexandru’s first iteration progress

1) Installing pfSense and getting to know how to work with it.

– Installed it and worked through some basic configurations to connect to the internet. Researched NAT and port forwarding.

– Installed Ubuntu for the configuration and connected it to the internet.

– Have made a bit of progress on the web server and on using port forwarding to connect to the web server.

2) Research on DMZs and firewalls in general.

– Articles and wiki posts read.

– Other materials sent by red leader read.

We shall see how much I know.

Alexandru

Written by Alexandru

March 1, 2011 at 09:16

Posted in Progress & Tasks