Upload: tinhthanvn

Post on 12-Mar-2015

Page 1: Endian Final

Securing the Perimeter and Providing Secure Remote Access with Endian Firewall

Endian Firewall (EFW) is a "turn-key" Linux security distribution that turns an ordinary system into a standalone, fully featured security appliance. Its biggest advantage is that it bundles several well-known packages (netfilter, Squid, ClamAV, Snort, OpenVPN and others) behind a single web interface: tasks an administrator would otherwise carry out at the command line become point-and-click configuration through a series of menus. EFW is Open Source Software, licensed under the GNU GPL.

Some of the off-the-shelf features offered are:

1. Stateful packet inspection firewall
2. Application-level proxies for various protocols (HTTP, FTP, POP3, SMTP)
3. Antivirus support
4. Virus and spam filtering for email traffic
5. Content filtering of web traffic
6. Network zones (DMZ, trusted, wireless, etc.)
7. An easy VPN solution

Endian Firewall divides the network into four zones, each bound to its own interface:

1. RED interface: connects the firewall to the outside world, most often the Internet. Endian supports many types of RED connection (static or DHCP Ethernet, ADSL, ISDN and so on).
2. ORANGE interface: the untrusted network, i.e. the Demilitarized Zone (DMZ). Hosts that must be reachable from outside, such as the web server, belong here rather than in the protected internal zone.
3. GREEN interface: the trusted internal network, hosting the machines that are not to be exposed. The addresses of GREEN hosts are hidden by NAT when their traffic leaves through the firewall.
4. BLUE interface: a separate zone designed for wireless hosts.

Unless otherwise configured, the firewall blocks all traffic coming from outside. Since GREEN is the trusted network, traffic originating from it is allowed to pass to the other internal zones (BLUE/ORANGE) and out through RED. Traffic that leaves through RED is masqueraded, so a remote host sees the firewall's RED address rather than the address of the GREEN sender.

In the other direction the defaults are restrictive: by default RED is the only destination zone that any other zone may initiate connections to, and even towards RED only a few standard services (HTTP, FTP, SMTP, DNS) are allowed from GREEN, and only DNS from BLUE and ORANGE. Everything else has to be opened explicitly, with outgoing rules or zone pinholes (section 10).

The network setup consists of six machines, as shown in the diagram:

1. Endian Firewall Community (EFW): the Linux-based distribution that serves as the perimeter security appliance for the network. It has four interfaces, of which we use three: 192.168.30.1 (RED), 10.0.2.1 (GREEN) and 10.0.1.1 (ORANGE).
2. Franks: an IIS server that serves web pages to the other hosts. Franks sits in the ORANGE zone (DMZ) with IP address 10.0.1.104.
3. Ike: the domain controller for the AIA domain, of which Marshall is a member. It sits in the GREEN zone with IP address 10.0.2.4.
4. Marshall: the mail exchange server, providing SMTP and POP3 services within the network. It also sits in the GREEN zone, with IP address 10.0.2.3.
5. VTE Launchpad: a Windows 2003 host used to reach the other machines remotely and to perform the configuration. IP address 10.0.254.254.
6. IRH_Outside_host: a CentOS machine connected to the RED interface of Endian, i.e. the "outside". IP address 192.168.30.254.

1. Boot up the Virtual Machines

Start the EFW_Community firewall, Franks, Ike, Launchpad, Marshall and Outside_host virtual machines. Out of the box EFW answers on the default bridge br0 at 192.168.0.15; this address is used for the initial configuration. Boot in this order:

1. EFW 2. Ike 3. Marshall 4. Launchpad 5. Franks 6. Outside_host

EFW's console username is 'root' and the password is 'endian'. The other machines use the username 'Administrator' with the password 'tartans'. These are lab credentials only.

2. Log onto Launchpad

Log onto Launchpad with:

Username: Administrator
Password: tartans

Launchpad's address, 10.0.254.254, is not on the same subnet as Endian's initial address, and Endian accepts administrative connections ONLY from hosts on its GREEN interface. We therefore temporarily move Launchpad onto Endian's network. On Launchpad:

1. Double-click the 'Local Area Connection' icon in the task bar to open the 'Local Area Connection Status' window.
2. Click the 'Properties' button.
3. Select 'Internet Protocol (TCP/IP)' in the list and click 'Properties'.
4. Change the IP address from 10.0.254.254 to 192.168.0.254, so that it is on Endian's subnet, and set the subnet mask to 255.255.255.0. Note the mask that was there before; you will need it when restoring the original settings in section 4.
5. Clear the 'Default gateway' field.
6. Leave the DNS server address fields empty.
7. Click OK, and OK again in the Local Area Connection Properties window.
8. Close the Local Area Connection Status window.

Open Mozilla Firefox from the Desktop and browse to http://192.168.0.15. The browser will warn about a Domain Name Mismatch: EFW presents a self-signed certificate whose name does not match the address you typed. Accepting it is acceptable here only because Launchpad and EFW share an isolated lab bridge; on a real network you would verify the certificate fingerprint out of band before proceeding. Click OK to continue and you will reach the screen shown below.

1. Click the '>>>' button to proceed.
2. The language defaults to English; you will be prompted for a timezone. Enter America/Chicago and click '>>>'.
3. On the next screen, read the License Agreement, tick the checkbox and click '>>>'.
4. We do not want to restore a backup, so click '>>>'.
5. Set both the admin (web interface) and root (console) password to 'endian' for simplicity. Such a password is acceptable only for testing and must never be used in a production environment.

3. Configure the EFW Network Interfaces

Since we want to tailor Endian to our network, the default setup has to be reconfigured. From Launchpad, continue with the following steps:

i. Assign a static IP address to each interface. RED is the interface facing the insecure and dangerous Internet. For a different type of Internet connection (such as ADSL for a home user or ISDN for business), choose the appropriate option; the subsequent steps remain the same, but the settings Endian asks for later will differ. For example, when the upstream address is assigned dynamically by DHCP, the RED interface is configured as a DHCP client, and Endian can in turn act as the DHCP server for its internal zones.

Select 'ETHERNET STATIC' from the options shown in the diagram.

ii. Do the same for the ORANGE interface, the interface connected to the DMZ network. As shown below, select Orange, which will serve as our DMZ. Several hosts run there, including the web server. Note that the mail exchange server lives on the GREEN network because we do not want to expose it to the outside world: it should not be thought of as a public mail service for clients but as a mechanism for users inside the environment to exchange email.

iii. Assign a static IP address to the GREEN interface, the interface connected to the trusted, protected internal network. We are reconfiguring the addresses to suit our network's needs.

Green interface
IP Address : 10.0.2.1
Network Mask : 255.255.255.0

Orange interface
IP Address : 10.0.1.1
Network Mask : 255.255.255.0

Change the 'Hostname' field to 'Endian' and click '>>>'.

iv. The RED interface is the gateway to the external world; it connects the inner network to the Internet. Since the controlled lab environment has no Internet access, we use a separate 192.168.30.0/24 network to distinguish it from the ORANGE and GREEN networks. Assign a static IP address to the RED interface as shown below.

Red interface
IP Address : 192.168.30.1
Network Mask : 255.255.255.0
Default Gateway : 192.168.30.1

The default gateway is set to the RED address itself only because there is no upstream router in this lab. In a real deployment this field holds the address of the ISP or upstream router on the RED network, never the firewall's own address.

Click the '>>>' button to proceed to the next screen.

v. Enter 10.0.2.4 as the DNS server in both entries. 10.0.2.4 is Ike, the domain controller, which acts as the DNS server for the lab. Name resolution is not strictly needed for this exercise, since every host is addressed by IP, but the firewall's own lookups should point at the internal server rather than at nothing.

vi. Finally, apply the configuration by clicking OK. You may go back at any time to make changes by clicking '<<<'.

vii. Configuration is now complete. Despite the note on the resulting page, you will not be redirected and will no longer be able to log onto the EFW interface from Launchpad: the GREEN interface now lives on 10.0.2.0/24, and Endian only accepts administrative connections from that zone. When the screen looks like the one below, close the web browser.

4. Connect to Ike from Launchpad

Restore Launchpad's original network settings in the Local Area Connection Properties: IP address 10.0.254.254, the subnet mask it had originally (it must be wide enough to cover 10.0.2.0/24, for example 255.0.0.0, or Launchpad will not reach Ike), default gateway 10.0.2.1 and DNS server 10.0.2.4. Launchpad is then on the same network as Ike.

Launchpad will be used to connect to Ike via Remote Desktop Connection (Start -> All Programs -> Remote Desktop Connection). Endian has to be configured either through its console or from a host on the GREEN subnet. Ike is on the GREEN interface and therefore serves as a good configuration machine; Launchpad itself cannot reach the EFW web interface any more after the changes above. On the Remote Desktop Connection use the following to log in:

IP address: 10.0.2.4
Username: administrator
Password: tartans

Next, open Internet Explorer and enter http://10.0.2.1 in the address box. This is Endian's GREEN address.

1. Click Yes if it prompts you to view pages over a secure connection (the web interface redirects to HTTPS).
2. You will be offered the option to view the certificate; use it to check that you are talking to the firewall, since the certificate is self-signed and the browser cannot verify it for you. Click 'Yes' on the Security Alert screen to proceed.
3. Log onto Endian with username 'admin' and password 'endian'. You will be challenged with the screen given below.

You should see the following page after you are connected:

If there is a problem connecting to the firewall, the connection line is highlighted in red and the status shows Failed. This usually means Endian is not powered on; reconnecting and refreshing sometimes helps. If the status stays at 'Connecting' (in yellow), the RED interface is not configured properly, typically because the addresses entered do not match and differ from the default ones in the 192.168.X.X range.

5. Configure the Proxy Server

i. Endian's proxy server has two advantages. First, it mediates connections to other network services on behalf of clients and can filter them based on content, permissions, malicious activity and so on. Second, it caches a page on first access, which improves throughput because repeated requests are served locally instead of going out again.

ii. HTTP proxy settings: click the 'Proxy' tab on the top menu. Enable the web proxy for the DMZ as well as for the trusted network. Restrict the allowed ports to those listed below and delete the remaining entries from the text boxes. Enable 'Log' and 'Log user agents' by clicking the '>>' button under the 'Log Settings' category.

iii. Enable the proxy for the trusted/protected (GREEN) and DMZ (ORANGE) networks, with:

Allowed ports: 80 (http), 800 (Squid)
Allowed SSL ports: 443 (https), 3001 (ntop)

Keeping these lists short matters: every port listed here is one the proxy will connect to on a client's behalf, so a generous list turns the proxy into a tunnel to arbitrary services.

iv. Cache management parameters (cache size and so on) can be set in the text boxes.

v. Also tick the checkbox 'Contentfilter Enabled'.

vi. Network Based Access Control: scroll down the proxy page and configure the settings shown in the image above under Network Based Access Control. This step is very important; if it is omitted you will get 'Access Denied' errors when browsing through the proxy. Note that you have to tick the 'Allow Access from ORANGE to GREEN' checkbox. Be aware that this lets DMZ hosts reach GREEN web servers through the proxy; it is needed for the verification steps in this lab, but in production it would be a deliberate policy decision, not a default.

Finally, click the 'Save and Restart' button at the bottom of the page.

6. Enabling Content Filtering and Antivirus

In a typical office network you do not want employees surfing the Internet for objectionable material. These parameters are set in the 'HTTP Content Filter'. Click the 'Content Filter' tab on top and tick the categories you want to block. Your settings should resemble the ones shown below, and should be even more stringent in highly critical network environments. Set 'Max. Score' to 60; this is the phrase-weighting threshold above which a page is blocked, so a lower value blocks more aggressively. Finally, save the changes.

7. Stateful Packet Inspection

No special settings are needed for this. Select 'Status' from the top menu and click 'Connections' in the left menu. The screenshot below shows the connection-tracking table with some ESTABLISHED and some terminating (TIME_WAIT) entries. When malicious activity is suspected this table is a quick way to see which connections are open and which machines might be participating in an attack, for example a single outside host holding many half-open (SYN_SENT, unreplied) entries toward the RED address.
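The same reading of the connection table can be automated. The following is an added example, not Endian's code: it parses lines in the /proc/net/nf_conntrack format, reproduces the state breakdown the status page shows, and flags sources with many unanswered SYNs. The sample table is constructed for this lab; on a real EFW box you would read the conntrack file instead.

```python
"""Summarise a connection-tracking table the way 'Status -> Connections' does
and flag remote hosts that hold an unusual number of half-open connections.

Added example; this is not Endian's code. The sample table below is constructed
in the /proc/net/nf_conntrack line format. On a real EFW box you would read that
file (or /proc/net/ip_conntrack on older kernels) instead of SAMPLE_CONNTRACK.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: normal lab flows (Marshall/Ike talking to Franks and DNS)
# plus one outside host with several unanswered SYNs toward the RED address,
# which is what a SYN scan looks like in the conntrack table.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.2.3 dst=10.0.1.104 sport=49152 dport=80 src=10.0.1.104 dst=10.0.2.3 sport=80 dport=49152 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 119 TIME_WAIT src=10.0.2.4 dst=10.0.1.104 sport=49160 dport=80 src=10.0.1.104 dst=10.0.2.4 sport=80 dport=49160 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=10.0.2.3 dst=10.0.2.4 sport=53211 dport=53 src=10.0.2.4 dst=10.0.2.3 sport=53 dport=53211 mark=0 use=1
ipv4     2 tcp      6 118 SYN_SENT src=192.168.30.254 dst=192.168.30.1 sport=40001 dport=22 [UNREPLIED] src=192.168.30.1 dst=192.168.30.254 sport=22 dport=40001 mark=0 use=1
ipv4     2 tcp      6 118 SYN_SENT src=192.168.30.254 dst=192.168.30.1 sport=40002 dport=25 [UNREPLIED] src=192.168.30.1 dst=192.168.30.254 sport=25 dport=40002 mark=0 use=1
ipv4     2 tcp      6 118 SYN_SENT src=192.168.30.254 dst=192.168.30.1 sport=40003 dport=80 [UNREPLIED] src=192.168.30.1 dst=192.168.30.254 sport=80 dport=40003 mark=0 use=1
ipv4     2 tcp      6 118 SYN_SENT src=192.168.30.254 dst=192.168.30.1 sport=40004 dport=443 [UNREPLIED] src=192.168.30.1 dst=192.168.30.254 sport=443 dport=40004 mark=0 use=1
"""

# Layer-3 family, protocol number, timeout, optional TCP state word, then the
# original-direction 4-tuple. UDP entries carry no state word.
_LINE = re.compile(
    r"^(?P<family>\S+)\s+\d+\s+(?P<proto>\S+)\s+\d+\s+(?P<timeout>\d+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


def parse_conntrack(text):
    """Return one dict per parseable line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["state"] = e["state"] or "-"            # stateless protocols such as UDP
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        e["unreplied"] = "[UNREPLIED]" in line    # the other side never answered
        entries.append(e)
    return entries


def state_counts(entries):
    """The ESTABLISHED / TIME_WAIT / ... breakdown the status page shows."""
    return Counter(e["state"] for e in entries)


def half_open_by_source(entries):
    """Distinct destination ports per source that have unanswered SYNs."""
    ports = defaultdict(set)
    for e in entries:
        if e["proto"] == "tcp" and e["state"] == "SYN_SENT" and e["unreplied"]:
            ports[e["src"]].add(e["dport"])
    return {src: sorted(p) for src, p in ports.items()}


def suspicious_sources(entries, min_ports=3):
    """Sources probing at least min_ports distinct ports without any reply."""
    return sorted(src for src, p in half_open_by_source(entries).items()
                  if len(p) >= min_ports)


if __name__ == "__main__":
    table = parse_conntrack(SAMPLE_CONNTRACK)
    print(dict(state_counts(table)))
    for src in suspicious_sources(table):
        print("possible scan from", src, half_open_by_source(table)[src])
```

The threshold of three unanswered ports is a starting point for a small lab; on a busy RED link raise it, and look at the unreplied entries together with the firewall log of section 9 before deciding that a source is hostile.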

8. Enable Intrusion Detection System (Snort)

Incidents detected by the EFW IDS are shown in the screenshot that follows. After a fresh install the IDS is inactive and needs to be enabled manually. Go to the 'Services' tab on the top menu and select 'Intrusion Detection' from the left menu bar. Enable the IDS for the RED, ORANGE and GREEN zones by ticking the corresponding checkboxes. In a production environment you would also subscribe to a signature update service; an IDS with stale rules quickly stops detecting current threats.

9. Enable Logging

When Endian Firewall has a public IP address and is therefore the door to the outside, there will always be packets that the firewall blocks. Not all of these are hostile attempts by attackers, but they will nevertheless be logged and generate a lot of data. Here you configure globally what is logged and what is omitted. Click the 'Logs' tab in the top menu, then 'Log Settings' in the left menu, and enable the following firewall-related log settings:

Log packets with BAD constellation of TCP flags
TCP lets anyone set flag combinations that make no sense (for example FIN, PSH and URG together, or SYN together with FIN). Such combinations can confuse firewalls or end hosts and let an attacker learn more than you would like to share; port scanners in particular use them. Endian Firewall blocks such packets. Tick this if you want them logged; they appear in the firewall log as packets that passed the chain BADTCP.

Log portscans
Enables portscan detection using the netfilter psd match. Logged portscans appear in the firewall log as packets that passed the chain PORTSCAN.

Log NEW connections without SYN flag
A packet that opens a TCP connection must carry the SYN flag. A packet that belongs to no tracked connection and lacks SYN is not sane; it is typical of ACK or FIN scans, or of a firewall that has lost its state table. Endian Firewall blocks such packets, and you can log the attempts by ticking this checkbox.

Log refused packets
Logs every connection attempt that Endian Firewall denied. Since the firewall denies everything not explicitly allowed, this produces a great deal of unneeded data, so you may turn it off again later. It is useful while finding out which ports an application with undocumented port usage needs.

Log accepted outgoing connections
Tick this to globally log all connections that successfully passed the firewall without being dropped. Use it to test whether newly created rules are correct, since it shows the connections your applications actually make.

Summaries can be generated periodically and are configured on separate tabs in the left menu (one per facility). The figure below shows the general log settings. Remember to click Save at the bottom when finished.
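Once these settings are on, the firewall log is where a scan shows up first. The block below is an added example, not Endian's log viewer: it parses netfilter log lines, finds sources that hit many distinct ports within a short window (independently of the psd match), and tallies bad-flag packets per source. The log lines are constructed, and the prefixes DROP_INPUT and BADTCP are assumed names for the refused-packet and bad-flags chains; substitute whatever prefixes your firewall log actually shows.

```python
"""Detect port scans and bad-flag probes in netfilter log lines of the kind the
'Log refused packets', 'Log portscans' and 'BAD constellation of TCP flags'
settings produce.

Added example; not Endian's log viewer. The log lines are constructed, and the
prefixes DROP_INPUT and BADTCP are assumed names for the refused-packet and
bad-flags chains; adjust them to whatever your firewall log shows.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Mar 12 10:15:01 endian kernel: DROP_INPUT IN=eth2 OUT= SRC=192.168.30.254 DST=192.168.30.1 LEN=44 TTL=64 PROTO=TCP SPT=40001 DPT=21 SYN
Mar 12 10:15:01 endian kernel: DROP_INPUT IN=eth2 OUT= SRC=192.168.30.254 DST=192.168.30.1 LEN=44 TTL=64 PROTO=TCP SPT=40002 DPT=22 SYN
Mar 12 10:15:01 endian kernel: DROP_INPUT IN=eth2 OUT= SRC=192.168.30.254 DST=192.168.30.1 LEN=44 TTL=64 PROTO=TCP SPT=40003 DPT=23 SYN
Mar 12 10:15:02 endian kernel: DROP_INPUT IN=eth2 OUT= SRC=192.168.30.254 DST=192.168.30.1 LEN=44 TTL=64 PROTO=TCP SPT=40004 DPT=25 SYN
Mar 12 10:15:02 endian kernel: DROP_INPUT IN=eth2 OUT= SRC=192.168.30.254 DST=192.168.30.1 LEN=44 TTL=64 PROTO=TCP SPT=40005 DPT=110 SYN
Mar 12 10:15:02 endian kernel: DROP_INPUT IN=eth2 OUT= SRC=192.168.30.254 DST=192.168.30.1 LEN=44 TTL=64 PROTO=TCP SPT=40006 DPT=443 SYN
Mar 12 10:15:03 endian kernel: BADTCP IN=eth2 OUT= SRC=192.168.30.254 DST=192.168.30.1 LEN=40 TTL=64 PROTO=TCP SPT=40007 DPT=80 FIN PSH URG
Mar 12 10:20:00 endian kernel: DROP_INPUT IN=eth1 OUT= SRC=10.0.1.104 DST=10.0.2.3 LEN=48 TTL=128 PROTO=TCP SPT=50000 DPT=3389 SYN
Mar 12 11:02:00 endian kernel: DROP_INPUT IN=eth1 OUT= SRC=10.0.1.104 DST=10.0.2.3 LEN=48 TTL=128 PROTO=TCP SPT=50001 DPT=445 SYN
"""

# syslog timestamp, host, the netfilter log prefix, then the usual KEY=value fields
_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>\S+) "
    r"IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?(?P<flags>.*)$"
)


def parse_fw_log(text):
    """One dict per netfilter log line; lines without the expected fields are skipped."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        e = m.groupdict()
        # syslog stamps carry no year; only differences between stamps are used
        e["time"] = datetime.strptime(e.pop("ts"), "%b %d %H:%M:%S")
        e["spt"] = int(e["spt"]) if e["spt"] else None
        e["dpt"] = int(e["dpt"]) if e["dpt"] else None
        e["flags"] = e["flags"].split()           # e.g. ['FIN', 'PSH', 'URG']
        events.append(e)
    return events


def detect_portscans(events, window_seconds=60, min_ports=5):
    """Sources hitting at least min_ports distinct destination ports within any
    window_seconds window. Returns {src: sorted ports seen in such windows}."""
    by_src = defaultdict(list)
    for e in events:
        if e["dpt"] is not None:
            by_src[e["src"]].append((e["time"], e["dpt"]))
    found = {}
    for src, hits in by_src.items():
        hits.sort()
        flagged, j = set(), 0
        for i, (t0, _) in enumerate(hits):
            j = max(j, i)
            # extend the window to the last event within window_seconds of t0
            while j + 1 < len(hits) and (hits[j + 1][0] - t0).total_seconds() <= window_seconds:
                j += 1
            ports = {p for _, p in hits[i:j + 1]}
            if len(ports) >= min_ports:
                flagged |= ports
        if flagged:
            found[src] = sorted(flagged)
    return found


def bad_flag_sources(events, prefix="BADTCP"):
    """Packets per source that hit the bad-TCP-flags chain (prefix is assumed)."""
    counts = defaultdict(int)
    for e in events:
        if e["prefix"] == prefix:
            counts[e["src"]] += 1
    return dict(counts)


def refused_ports(events, prefix="DROP_INPUT"):
    """(src, dst) -> sorted refused ports: the view to use when hunting for the
    port an application needs before switching 'Log refused packets' off again."""
    ports = defaultdict(set)
    for e in events:
        if e["prefix"] == prefix and e["dpt"] is not None:
            ports[(e["src"], e["dst"])].add(e["dpt"])
    return {k: sorted(v) for k, v in ports.items()}


if __name__ == "__main__":
    evts = parse_fw_log(SAMPLE_LOG)
    print("scans:", detect_portscans(evts))
    print("bad flags:", bad_flag_sources(evts))
    print("refused:", refused_ports(evts))
```

In the sample the outside host touches seven ports in three seconds and is reported as a scan, while the two refused attempts from the DMZ host forty minutes apart are not; they show up in the refused-ports view instead, which is exactly the information you want when deciding whether a pinhole is missing or someone in the DMZ is probing GREEN.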

10. Enabling the Firewall

Click the 'Firewall' tab and select 'Zone PinHoles' from the menu on the left.

10.1 Zone Pinholes

This subsection configures the Zone Pinholes settings of Endian Firewall.

A DMZ, or Demilitarized Zone (the ORANGE zone), is a semi-trusted interchange point between the external RED zone and the internal GREEN zone. GREEN holds all the internal machines; RED is the Internet at large. The DMZ lets you offer servers to the outside without giving those in RED undue access to the internal LAN.

In a plain firewall setup a DMZ server could never talk to an internal machine, because the request into GREEN originates outside GREEN, and you certainly do not want to give your customers direct access to GREEN machines. With a DMZ and zone pinholes it can work: a pinhole admits a specific source host to a specific port on a specific GREEN host, and nothing else. A typical use is a DMZ application that must occasionally reach an internal database for an update transaction.

Zone pinholes thus give machines in the ORANGE (DMZ) zone (and in the BLUE zone) limited access to certain ports on GREEN machines. Configure the settings to look like the screenshot below. Here Franks (10.0.1.104) is allowed to submit mail to and collect mail from Marshall (10.0.2.3) and to reach port 80 on Ike (10.0.2.4). Note that each rule names a single source IP rather than the whole ORANGE network, so a compromise of another DMZ host gains no path into GREEN.

Click 'Add new Rule' and make the following configuration:

Protocol: TCP/UDP (TCP in our case)
Source Net: ORANGE
Destination Net: GREEN
Source IP: 10.0.1.104
Destination IP: 10.0.2.3
Destination port: 25

Click 'Add new Rule' once again and use:

Protocol: TCP/UDP (TCP in our case)
Source Net: ORANGE
Destination Net: GREEN
Source IP: 10.0.1.104
Destination IP: 10.0.2.3
Destination port: 110

Click 'Add new Rule' once again and use:

Protocol: TCP/UDP (TCP in our case)
Source Net: ORANGE
Destination Net: GREEN
Source IP: 10.0.1.104
Destination IP: 10.0.2.4
Destination port: 80
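The zone defaults described in the introduction and the three pinholes above together define what may cross the firewall. The following added example (not Endian's rule engine) encodes those statements as a small policy model, so the effect of a pinhole can be checked before it is entered, for instance that Franks can reach Marshall's SMTP port but no other DMZ host can, and that nothing from RED gets in. The port numbers for HTTP, FTP, SMTP and DNS are the standard ones (an assumption; the FTP data channel is not modelled) and the zone networks are the lab's /24s.

```python
"""Model of the inter-zone policy this page describes: default deny, GREEN
trusted toward the other zones, a short list of services from GREEN and
DNS-only from ORANGE toward RED, and the three zone pinholes of section 10.1.

Added example, not Endian's rule engine. Port numbers for HTTP/FTP/SMTP/DNS
are the standard ones (assumed; FTP's data channel is not modelled) and the
zone networks are the lab's /24s.
"""
import ipaddress
from dataclasses import dataclass

ZONES = {
    "GREEN": ipaddress.ip_network("10.0.2.0/24"),
    "ORANGE": ipaddress.ip_network("10.0.1.0/24"),
    "RED": ipaddress.ip_network("192.168.30.0/24"),
}

# Outgoing policy toward RED as stated in the introduction (BLUE is unused here).
OUTBOUND_TO_RED = {
    "GREEN": {("tcp", 80), ("tcp", 21), ("tcp", 25), ("tcp", 53), ("udp", 53)},
    "ORANGE": {("tcp", 53), ("udp", 53)},
}


@dataclass(frozen=True)
class Pinhole:
    proto: str
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    dport: int


# The three rules entered in section 10.1.
PINHOLES = [
    Pinhole("tcp", "ORANGE", "GREEN", "10.0.1.104", "10.0.2.3", 25),
    Pinhole("tcp", "ORANGE", "GREEN", "10.0.1.104", "10.0.2.3", 110),
    Pinhole("tcp", "ORANGE", "GREEN", "10.0.1.104", "10.0.2.4", 80),
]


def zone_of(ip):
    """Zone name for an address, or None if it belongs to no configured zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(proto, src_ip, dst_ip, dport):
    """Return (allowed, reason) for a new connection from src_ip to dst_ip:dport."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return False, "unknown zone"
    if src_zone == dst_zone:
        return True, "same zone, not filtered by the firewall"
    if src_zone == "GREEN":
        if dst_zone == "RED":
            ok = (proto, dport) in OUTBOUND_TO_RED["GREEN"]
            return ok, "GREEN->RED default outgoing policy"
        return True, "GREEN is trusted toward %s" % dst_zone
    if src_zone == "ORANGE":
        if dst_zone == "RED":
            ok = (proto, dport) in OUTBOUND_TO_RED["ORANGE"]
            return ok, "ORANGE->RED allows DNS only"
        wanted = (proto, src_zone, dst_zone, src_ip, dst_ip, dport)
        for ph in PINHOLES:
            if (ph.proto, ph.src_zone, ph.dst_zone, ph.src_ip, ph.dst_ip, ph.dport) == wanted:
                return True, "zone pinhole"
        return False, "no pinhole from %s to %s:%d" % (src_ip, dst_ip, dport)
    # RED: nothing inbound unless an incoming rule or port forward exists
    # (this page defines none).
    return False, "inbound from RED denied by default"


if __name__ == "__main__":
    for flow in [("tcp", "10.0.1.104", "10.0.2.3", 25),
                 ("tcp", "10.0.1.105", "10.0.2.3", 25),
                 ("tcp", "192.168.30.254", "10.0.2.4", 80)]:
        print(flow, is_allowed(*flow))
```

Running it shows the pinhole admitting 10.0.1.104 to port 25 on Marshall, rejecting the same request from a different DMZ address, and rejecting anything initiated from RED. If a pinhole you are about to add is allowed by this model for a source you did not intend, the rule is too broad.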

10.2 Enable the Outgoing Traffic Rules (Egress Filtering)

Egress filtering ensures that unauthorized traffic does not leave the network. Internal hosts should not be able to reach the outside except for a few services such as DNS, web and mail; a compromised workstation that cannot connect out on arbitrary ports is far harder to use as a beachhead. In a production environment every application that needs Internet access may require a corresponding change to the outgoing rules.

10.3 Enable the Incoming Traffic Rules (Ingress Filtering)

The incoming firewall rules dictate which connections from outside are allowed through the firewall, for example to services such as SSH, FTP or SMTP. Each such rule is an exposure: open only the ports the service actually needs, and where possible terminate them in the DMZ rather than in GREEN.

11. Enabling Antivirus

Endian uses the ClamAV antivirus. ClamAV is an open-source virus scanner that scans incoming traffic (here the web and mail traffic passing through the proxies) for viruses. Endian Firewall lets you configure its most important settings.

In the ClamAV configuration box you set how ClamAV handles incoming archives. The options are:

Max. archive size
The maximum archive size in megabytes that ClamAV will scan.

Max. nested archives
The maximum depth of nested archives ClamAV will scan.

Max. files in archive
ClamAV will not scan archives that contain more files than specified here.

Handle bad archives
With the 'Do not scan but pass' radio button, archives that exceed any of the limits above are not scanned but are still passed through. Select 'Block as virus' to reject them instead; an archive bomb or a deeply nested attachment then fails closed rather than slipping past the scanner unexamined.

Block encrypted archives
ClamAV cannot look inside encrypted archives. Tick this if you do not want encrypted archives to pass the virus check unscanned.

You can also change the update interval of the ClamAV signature database by selecting the appropriate interval type in the 'ClamAV signature update schedule' section.

Ensure that your settings look similar to the following screenshot.

12. Enable File Attachment Filtering and Spam Blocking Configuration

a. Click the 'Proxy' tab on the top menu and select 'SMTP' from the left menu. Click the 'File Extensions' menu. You will see a window as shown below.

As an example, we will configure the SMTP proxy to block all email attachments with a '.bat' extension. Typically you would block far more than '.bat' (.exe, .pif, .scr, .cmd and so on); the list should be driven by the organization's security policy. Keep in mind that extension matching is a weak control on its own: it must be case-insensitive and must look at double extensions such as 'invoice.pdf.bat', and it does nothing about dangerous content inside archives or in files with innocuous extensions.

Change 'Email used for notification on banned files (Admin)' to the administrator's mailbox address.

Select 'BOUNCE' as the 'Banned files destination'.

Hit 'Save Changes and Restart'.
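To see what the extension ban actually has to cope with, the following added example (not amavisd-new's banned-file code) builds a message with Python's email package and applies a ban list to its attachments the way the 'File Extensions' page does before bouncing. The message and addresses are constructed; the ban list is the page's '.bat' plus a few common additions, which is an assumption rather than a recommendation.

```python
"""Apply an attachment-extension ban list to a mail message: the check the
SMTP proxy's 'File Extensions' page performs before deciding to BOUNCE.

Added example; this is not amavisd-new's banned-file code. The message is
constructed with Python's email package, and the ban list is the page's
'.bat' plus a few common additions (an assumption; follow your own policy).
"""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

BANNED_EXTENSIONS = {".bat", ".exe", ".pif", ".scr", ".cmd", ".com", ".vbs", ".js"}


def build_message(attachments, sender="administrator@marshall.lab",
                  recipient="administrator@franks.lab"):
    """Constructed test mail (addresses are made up) with the given attachments,
    each a (filename, bytes) pair. Returns the raw RFC 5322 bytes."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, "lab test"
    msg.set_content("attachment test")
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg.as_bytes()


def attachment_names(raw):
    """Filenames of all attachments, taken from Content-Disposition or Content-Type."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def banned_extensions_of(filename):
    """Banned extensions present in the name, compared case-insensitively and
    over every dot-separated suffix, so 'invoice.pdf.bat' and 'REPORT.BAT' both
    match. Deliberately conservative: 'tool.bat.txt' is flagged as well."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path a client sent
    pieces = base.lower().split(".")[1:]
    return {"." + p for p in pieces} & BANNED_EXTENSIONS


def decide(raw):
    """'BOUNCE' if any attachment carries a banned extension, otherwise 'PASS'."""
    hits = [n for n in attachment_names(raw) if banned_extensions_of(n)]
    return "BOUNCE" if hits else "PASS"


if __name__ == "__main__":
    for name in ["attach.bat", "REPORT.BAT", "invoice.pdf.bat", "notes.txt"]:
        print(name, decide(build_message([(name, b"x")])))
```

A plain '.bat' entry that is matched case-sensitively against the last suffix only would let 'REPORT.BAT' and 'invoice.pdf.bat' through; the check above catches both, which is the behaviour to confirm in the verification section rather than assuming it from the configuration screen.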

The anti-spam module uses SpamAssassin and amavisd-new to filter out spam. Make sure your settings look like the images shown below, which are the defaults.

Hit 'Save Changes and Restart'.

Click the 'Main' tab to get the following screen and tick the checkboxes shown in the figure below.

Click the 'Domains' tab and enter the values shown below.

Click 'Save and Restart'.

13. Providing VPN Access

Virtual Private Networks (VPNs) allow two networks to connect directly to each other over another network such as the Internet. All data is transmitted through an encrypted tunnel, hidden from prying eyes. Similarly, a single computer can connect to a remote network using the same facilities.

Endian Firewall can easily establish VPNs to other Endian Firewalls, and can also interoperate with just about any VPN product that supports OpenVPN or IPsec with standard ciphers such as 3DES (listed for interoperability; prefer AES where both ends support it). VPN connections in Endian Firewall are defined as Net-to-Net (gateway-to-gateway) or Host-to-Net (roadwarrior).

Net-to-Net (or gateway-to-gateway) VPNs link two or more private networks across the Internet by creating an encrypted "tunnel".

A Host-to-Net connection is one where Endian Firewall is on one end of the VPN tunnel and a remote or mobile user is on the other. The mobile user is most likely a laptop user with a dynamic public IP address assigned by an ISP, hence the terms Host-to-Net or roadwarrior.

OpenVPN is an SSL/TLS-based VPN solution. It is considerably easier to set up than most other VPN solutions and copes with NAT between client and server without extra configuration.

13.1 GLOBAL SETTINGS

The steps to set up an OpenVPN server in the Host-to-Net scenario are:

OpenVPN Server enabled
Select this to enable the OpenVPN server on Endian.

IP Pool
Specify the start and end of an IP range within the GREEN network that will be assigned to OpenVPN clients connecting to the server. This range must not overlap with addresses already used by GREEN hosts.

Port
Specify the port on which OpenVPN will listen for incoming connections.

Protocol
Switches the transport between UDP and TCP.

NOTE: In our case the protocol will be TCP, so select TCP.

Block DHCP responses coming from tunnel
Select this if you do not want a DHCP server on the far side of the tunnel to hand out addresses to workstations in the GREEN network. In this lab all GREEN addresses are static, so the option has no practical effect and is left unticked; on a production bridged VPN it should be enabled, otherwise a misconfigured or rogue DHCP server on a client's network can answer DHCP requests inside GREEN.

CA Certificate
The textual representation of the Certification Authority certificate. Every OpenVPN client that wants to connect to our OpenVPN server needs this certificate in order to authenticate the server.

Download CA Certificate
Clicking this link downloads the CA certificate needed by each OpenVPN client. Go ahead and click it to obtain it. Distribute the file to clients over a trusted channel; a client that trusts the wrong CA will happily connect to an impostor server.

Just below the Global Settings box is a window for managing the accounts that may connect to the OpenVPN server. All known users are listed here, with the following controls for each user:

Configure Networks
Opens another window in which the user's network settings are specified.

Enabled icon
If it is already selected the user is enabled; otherwise enable the user by clicking it.

Trash can icon
Deletes the user.

Pencil icon
Edits the account.

Click the 'Add Account' button, which opens another window; its details are given below.

13.2 ADD ACCOUNT

When a new account is created the following settings are available:

Username: the username you want.

Password: the password for the new account.

Verify Password: the same password again.

Remote network: not required in our case because the remote client connects in bridged mode. For a routed site-to-site connection, specify the network address (not a host address) of the network behind the remote client, so that Endian can create the correct routing table entries.

Remote Network Mask: the netmask of the remote network, if the client is configured in routed mode.

Use this firewall as default gateway: tick this to make the remote client create routing entries so that all of its traffic is tunnelled through the VPN to the EFW, from where it leaves through the RED interface. This is useful for roadwarriors to enforce security policies: otherwise the remote machine keeps its own Internet connection alongside the tunnel (split tunnelling), and an intruder on that side could ride through the VPN into the local GREEN network. On the remote side the option:

1. Creates a host route that sends traffic destined for our RED IP address via the gateway the client was already using.
2. Removes the default route entry.
3. Creates a new default route with our GREEN IP address as gateway.

push route to blue zone: grants the new user access to your BLUE zone.
Note: this option is only available if you have configured your BLUE zone.

push route to orange zone: grants the new user access to your ORANGE zone.
Note: this option is only available if you have configured your ORANGE zone.

You will finally see a screen as below:

13.3 Connection Status and Control

This shows all currently connected users with details such as login time. The table gives the following information:

User: the name of the user connected to the server.
Assigned IP: the IP address the server assigned to the client; it belongs to the GREEN IP range configured above.
Real IP: the real public IP address of the connected client.
RX: the data volume received through this tunnel.
TX: the data volume transmitted through this tunnel.
Connected since: the timestamp at which the client connected.
Uptime: how long the client has been connected.

The following actions can be performed on each connected user:

Kill: kills the connection immediately. The user can reconnect, and will: the OpenVPN client on the remote side reconnects automatically as soon as it notices the disconnect, which can take up to a couple of minutes.

Ban: bans the user. This disables the account and then kicks the user, so the user cannot reconnect. Use Ban, not Kill, when revoking someone's access.

At this point the remote roadwarrior VPN client should be configured using OpenVPN. Use the configuration file supplied with the software for this.
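For reference, this is what the client side of the Host-to-Net setup above looks like as an OpenVPN profile. It is an added example, not the file shipped with EFW or the one the page refers to: the RED address is the lab's, the protocol is TCP as selected in the server's Protocol field, the interface is tap because the page says the client connects in bridged mode, and the port 1194 is assumed (use whatever was entered in the server's Port field).

```conf
# Roadwarrior client profile for the EFW OpenVPN server configured above.
# Added example, not EFW's supplied file. Values marked ASSUMED are not on the page.
client
dev tap                    # bridged mode, as the page states for this client
proto tcp-client           # the server's Protocol field was set to TCP
remote 192.168.30.1 1194   # EFW RED address; port 1194 is ASSUMED, match the 'Port' field
ca ca.crt                  # the file from 'Download CA Certificate', copied over a trusted channel
remote-cert-tls server     # refuse a peer whose certificate is not a server certificate from that CA
auth-user-pass             # the username/password created under 'Add Account'
# No redirect-gateway here: ticking 'Use this firewall as default gateway' makes the
# server push it, which is what produces the three route changes described above.
nobind
persist-key
persist-tun
verb 3
```

Without 'remote-cert-tls server' any holder of a client credential for this CA could impersonate the firewall to other clients; if the firewall's own certificate lacks the server extended-key-usage that this directive checks, fix the certificate rather than dropping the check. Keep 'ca.crt' and the credentials off shared machines: together they are all that stands between an outsider and a GREEN address from the IP pool.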

Verification

1. Content Filtering

Log onto Marshall (10.0.2.3) using Remote Desktop Connection from Launchpad with:

Username: Administrator
Password: tartans

Open Internet Explorer and browse to http://10.0.1.104/. This website is hosted on Franks and is displayed properly.

Now try to open a page with content that is inappropriate and forbidden for the target users: enter http://10.0.1.104/content.html. You should get an 'Access Denied' error as displayed below.

2. Blocking Email with Attachments Having Undesired File Extensions

Open Outlook Express on Marshall and on Franks. Send an email from Marshall to Franks with an attachment that has a .bat extension (use the Browse button, for example c:\attach.bat; create a dummy file if it is missing). You can equally send from Franks to Marshall, since in both directions the mail passes through EFW.

To Address: the recipient's mailbox address on Franks
Subject: any subject, if required

Click 'Send'.

Check whether a new email has arrived on Franks. It should have been banned by EFW as shown below, because .bat is on the blacklist.

3. Intrusion Detection

Log into CentOS (Outside_host) with:

Username: 'root'
Password: 'tartans'

Open the 'Terminal' by clicking the icon on the Desktop. At the shell prompt enter this command (ignore the #, it is the prompt):

# nmap -sT 192.168.30.1

Nmap is a popular port scanner, which we use here to run a TCP connect scan against the network perimeter at 192.168.30.1 (RED). A connect scan completes the TCP handshake on every port it probes, so it is noisy and easy for the IDS and the portscan log to pick up; a stealthier attacker would use other scan types, which is why the BADTCP and NEW-without-SYN logging enabled in section 9 is worth having.

Next, click 'Logs' on the top menu and select 'IDS Logs' from the left menu bar. You will find port scan warnings attributed to the CentOS system, which is external to the network. A full sample report is given in the screenshot below.

4. Confirm that Logging Is Working

Click 'Logs' on the top menu and choose some of the options in the left pane. The Firewall Log Viewer, reached by clicking 'Firewall Logs', is shown in the screenshot.

You can also see the logs for content filtering by clicking 'Content Filter Logs'.

5. View the Services Running

Click 'Status' on the top menu. The screenshot summarizes the states of the various services, including RUNNING and STOPPED.

Beyond the security-focused procedures described here, the other features of EFW taken together make it a useful bundle of software.