1. Trang chủ
  2. » Công Nghệ Thông Tin

Open Source Security Tools : Practical Guide to Security Applications part 11 potx

10 400 0

Đang tải... (xem toàn văn)

THÔNG TIN TÀI LIỆU

Thông tin cơ bản

Định dạng
Số trang 10
Dung lượng 441,3 KB

Nội dung

Installing SmoothWall 79 You will see it formatting the disk and then probing your machine for its network interfaces. It should auto-detect any network interface cards (NICs). It lets you accept or skip each one and set them up as firewall interfaces. For example, if you have two NICs on your computer but only want to use one as a firewall interface on the firewall, you would define that here. 4. Define the attributes of each selected interface. Assign them an IP address and sub- net mask. After this, SmoothWall installs some additional driver files and asks you to eject the CD-ROM. You have finished installing the program and will automati- cally enter setup mode. 5. In setup mode, you will be asked for a hostname for the SmoothWall. You can use the hostname to access the machine instead of using its LAN IP address. 6. Next it asks if you want to install the configuration from a backup. This nifty fea- ture allows you to easily restore your firewall to its original configuration if the system crashes (assuming you made a backup, which is covered later in this sec- tion). Don’t select this unless you are in the process of restoring from a backup. 7. Assuming you chose to set up a new firewall (not from backup) in the previous step, you will be prompted to set up several network types: • ISDN: Leave this set to Disable if you aren’t using ISDN. If you are, then add the parameters appropriate for your IDSN line. • ADSL: This section is necessary only if you are using ADSL and actually have the ADSL modem in your computer. Leave this on Disable if you aren’t using ADSL service or if the provider gives you an external modem to plug into. Otherwise, click on the settings for your ADSL service. • Network configuration: SmoothWall divides its zones into three categories: • Green: Your internal network segment to be protected or your “trusted” network. • Red: The external network to be firewalled off from the LAN. The “untrusted” network, usually the Internet or everything that is not your LAN. • Orange: This is an optional segment that can contain machines that you gener- ally trust but need to be exposed to the Internet (the DMZ mentioned earlier). This protects your internal LAN, should one of the servers be compromised, since DMZ nodes don’t have access to the LAN by default, and also allows these machines to be accessed by the outside world. Select the configuration that is appropriate for your network. Most simple networks will use Green (Red is for modems or ISDN), or Green and Red if you have two NIC cards in the machine. 8. Now it is time to set up the DHCP server. If you want your firewall to be responsi- ble for handing out and managing dynamic IP addresses on your LAN, enable this feature. Otherwise leave it turned off. You can set the range to be assigned, and the DNS and lease times for the addresses given out. Howlett_CH03.fm Page 79 Wednesday, June 23, 2004 2:59 PM 80 Chapter 3 • Firewalls 9. You now set several passwords for different levels and methods of access. The “root” password is accessible from the console and command line interface and acts just like UNIX root in that you have total control over the box. You then assign a password for the “setup” user account. This user can also access the system from the console and command line. This user has more limited powers than “root” and can only run the setup utility program. 10. Finally, set up a Web interface user account. This isn’t a UNIX-type account and can’t be accessed from the command line. It is strictly used to control access to features from the Web interface. 11. Now reboot the machine and your SmoothWall firewall should be up and running. You can log into the machine from the console using either the root or setup user. You can also SSH into the box from a remote location and get the command line interface. However, one of the truly nice things about this program is that there is a powerful and easy-to-use GUI accessible from any Web browser that makes administering the firewall a snap. Administering the SmoothWall Firewall The easiest way to manage the SmoothWall firewall is using the Web interface. This gives you a powerful tool for administering and adding other functionality to your firewall. You can access this interface two ways: via port 81 for normal Web communications or via port 441 for secured Web communications using SSL. Either way, you put the IP address or URL with the port number in the location window of a Web browser. For example, if your firewall LAN interface card has IP address 192.168.1.1, you would enter the following into the Web browser http://192.168.1.1:81/ for normal Web communications, or https://192.168.1.1:441/ for secure Web access. This will display the SmoothWall opening screen. To access any of the other screens you will need to enter your user name and password. The default user name is admin and the password is the one you entered for the Web interface during the setup process. There are several main menus accessible from the main page (see Figure 3.7) Each menu has a number of submenus underneath it. • Control: This is the firewall homepage and contains copyright and uptime information. • About Your Smoothie: This has a number of useful submenus: • Status: This shows you the status of the various services on the SmoothWall. • Advanced: This screen contains detailed information about your system. Howlett_CH03.fm Page 80 Wednesday, June 23, 2004 2:59 PM Administering the SmoothWall Firewall 81 • Graphs: This is one of the cooler features in SmoothWall. This enables you to cre- ate bandwidth graphs so you can analyze your network traffic on different inter- faces at different times of the day and on different days. You can use this as a quick way to find network problems. If you notice huge bandwidth increases on the weekend or late at night without any known reason, you know that something is amiss (see Figure 3.8). • Services: This is where you configure various basic and optional services on the SmoothWall (see Figure 3.9). • Web Proxy: If you want to be able to set up your SmoothWall to act as a proxy for anyone surfing the Web, this function can be set up here. • DHCP: The built-in DHCP server is configured here. • Dynamic DNS: If your ISP assigns you a dynamic IP address but you still want to allow services in from the outside, you can set up the SmoothWall to update a DNS record automatically with its new IP address. It can be configured to use any one of several online services such as dyndns.org and dhs.org. • Remote Access: This section controls access to your SmoothWall from anywhere but the console. You can enable SSH (it is disabled by default) and control what specific addresses can get access. • Time: This configures the time settings on the machine. This can be very important if you are comparing its log files to other servers. You can set it up to get time from a public time server, which makes logs more accurate. Figure 3.7 SmoothWall Main Menu Howlett_CH03.fm Page 81 Wednesday, June 23, 2004 11:48 PM 82 Chapter 3 • Firewalls Figure 3.8 SmoothWall Traffic Graph Figure 3.9 SmoothWall Services Screen Howlett_CH03.fm Page 82 Wednesday, June 23, 2004 2:59 PM Administering the SmoothWall Firewall 83 • Networking: This is where you configure anything associated with the firewall and network functions of the SmoothWall. This includes adding, deleting, or modifying the rule sets and other functions: • Port Forwarding: You can forward a specific port or series of ports to an internal protected host. • Internal Service Access: Click here if you need access to an internal service from the outside. • DMZ Pinhole: This lets you set up access from a host on your DMZ to a host on your LAN. This is normally not allowed as part of the function of a DMZ. • PPP Settings: If you are using the SmoothWall to connect to the Internet via dial- up, you set the various phone settings here such as number, modem commands, and so on. • IP Block: This is a nice feature that allows you to easily block an IP or range of IP addresses from your network without having to write any rules. • Advanced: Several miscellaneous network settings such as Universal Plug and Play (UpnP) support are found here. • VPN: Here is where you configure the SmoothWall to act as a VPN for secure remote access from another network. The details are covered later in this chapter. • Logs: Access to all the log files kept by the SmoothWall is facilitated through this screen. The interface allows you to easily scan different types of log files such as system and security. • Tools: There are several standard network tools here including ping, traceroute, and whois. They also include a nifty Java-based SSH client so you can access SSH servers from your Web browser. • Maintenance: This section is used for system maintenance activity and has several submenus. • Maintenance: This section keeps track of any patches to your SmoothWall operating system. It is important to keep the SmoothWall OS patched. Just like any operating system, there are security holes discovered from time to time that are fixed in the patches. New features or compatibility are added periodically as well. • Password: You can change any of the logins and passwords for the system here (assuming you have the old passwords). • Backup: You can make a backup of your SmoothWall configuration so that in the event of a crash you can easily restore it. You should make a backup as soon as you get the SmoothWall configured to your liking to save your settings. • Shutdown: This will safely shut down SmoothWall. Howlett_CH03.fm Page 83 Wednesday, June 23, 2004 2:59 PM 84 Chapter 3 • Firewalls Creating a VPN on the SmoothWall Firewall You can use SmoothWall to set up a secure connection to another network by creating a VPN tunnel with IPsec encryption. 1. To configure the VPN function on the firewall, click on the VPN item from the main menu. There are two submenus located there (see Figure 3.10). • Control: This is the main screen where you can start and stop your configured VPN sessions as well as get status information on them. • Connections: Here is where you configure new VPN connections. It gives you a pretty simple way to create new VPN connections. On SmoothWall Express (the free GPL version), both ends must have a static, public IP address. To create a new connection profile, go to the Connections tab off of the main VPN tab (see Figure 3.11). 2. Enter a name for this connection. Be sure to use a name that makes it obvious what is being connecting. 3. Define the “left” and “right” sides of the connection. (These names have nothing to do with direction, but are just used as references to differentiate the ends of a VPN. The local side is typically on the left.) Input the IP address and subnet for your local SmoothWall on the left side, and the IP address and subnet of the remote SmoothWall on the right side. Figure 3.10 SmoothWall VPN Control Screen Howlett_CH03.fm Page 84 Wednesday, June 23, 2004 2:59 PM Creating a VPN on the SmoothWall Firewall 85 4. Below that you enter the shared secret that is used to create the encryption. This secret has to be the same on both firewalls being connected. It should be protected and not passed through insecure means (for example, e-mail). Make your secret at least 20 characters long and comprised of lowercase, uppercase, and special char- acters to make your VPN as strong as it can be. 5. You can also click on the compression box to make your VPN data stream smaller. But keep in mind that this will eat processor cycles and might slow your VPN down more than the gain from less bandwidth. 6. Make sure you click on the Enable box and then click on Add to add your VPN connection. You will now see it on the main VPN Control page and it will come up immediately if the link it is associated with is up. 7. You can also export the VPN settings to another SmoothWall to make for easier con- figuration and avoid data entry error on configuring additional VPN endpoints. Simply click on Export and it will create a file called vpnconfig.dat. You can then take this to your remote machine and go to the same page and select import. SmoothWall will automatically reverse the entries for the remote end. Your VPN is now ready to go. Repeat this process for as many additional sites as you want to add. Additional Applications with the SmoothWall This section is only a cursory overview of the basic functions of the SmoothWall. There are other advanced functions covered in the documentation that accompanies SmoothWall. Figure 3.11 VPN Connections Screen Howlett_CH03.fm Page 85 Wednesday, June 23, 2004 2:59 PM 86 Chapter 3 • Firewalls For details on setting up the other special services, such as the Web proxy or dynamic DNS, consult the administration manual. All three documentation files are contained in the SmoothWall directory on this book’s CD-ROM in PDF format. If you have a spare machine to dedicate to your firewall, SmoothWall Express lets you go beyond simple fire- wall functionality and provides a full security appliance for your network. Windows-Based Firewalls None of the firewalls described in this chapter run on Windows. Regrettably, there is a lack of quality of firewall open source software for Windows. Because Windows code is itself not open, it isn’t easy for programmers to write something as complex as a firewall, which requires access to operating system–level code. With the addition of a basic firewall in Windows XP, there is even less motivation for coders to develop an open source alterna- tive. This is unfortunate, because the firewall included with XP is fine for individual users, but it isn’t really up to the task of running a company gateway firewall. There are commer- cial options available for Windows from companies such as Checkpoint. However, even they are moving away from a purely Windows-based solution because of the underlying security issues with Windows. If you need to use a Windows-based firewall solution, you will probably have to go to a commercial firewall, as there isn’t a good open source fire- wall for Windows. This underscores the limitations and issues with closed source operat- ing systems. Howlett_CH03.fm Page 86 Wednesday, June 23, 2004 2:59 PM 87 C HAPTER 4 Port Scanners A firewall helps protect your network from the most basic attacks and is a mandatory tool for any network attached to the Internet. Now that you have protected your network’s front door, we will examine tools to help you check your locks and windows to make sure that the openings in your network are secure. Looking at the OSI model of network communications again, you see that once a basic network connection has been established between two machines, an application uses that connection to perform whatever function the user requests. The application could be to download a Web page, send an e-mail, or log in interactively using Telnet or SSH. Chapter Overview Concepts you will learn: • TCP/UDP ports • TCP fingerprinting • How port scanning works • Port scanning configuration • Port scanning techniques Tools you will use: Nmap, Nmap for Windows, and Nlog The Internet Assigned Numbers Authority (IANA) assigns TCP/UDP port numbers. This little known but important organization keeps track of the many different standards and systems that make the Internet run. Among its duties are handing out IP addresses and Howlett_CH04.fm Page 87 Wednesday, June 23, 2004 10:24 PM 88 Chapter 4 • Port Scanners delegating who is responsible for top-level domain names. The IANA wields considerable power, albeit mostly behind the scenes. Few people outside the engineering departments of communications companies even know IANA exists, but it controls a big part of the Internet “real estate.” The IANA is also responsible for keeping a list of which services can be found on what network ports, assuming the application or operating system is com- pliant with these standards. Of course, it behooves all companies making software to closely adhere to these standards; otherwise, their products may not work with other Inter- net-connected systems. Table 4.1 lists some of the most commonly used TCP ports for server applications. A full list of port numbers appears in Appendix C. You can also find the most current list at the IANA Web site (www.iana.org). Almost every major application has a port num- ber assigned to it. Port numbers range from 1 to 65,535 for both TCP services and UDP services. Port numbers 0 to 1,023 are considered reserved for common applications. These services usually run as root or a privileged user and are called the well-known port num- bers. Port numbers from 1,024 to 65,535 can be registered with the IANA for specific applications. These usually map to a specific service, but vendors don’t abide as strictly by these registrations as they do the reserved numbers. Finally there are ephemeral port numbers, which the operating system chooses at random from the numbers above 1,024, usually high up in the range. These are used for machines that connect on an ad-hoc basis to other machines. For example, your machine would connect on a Web server on port 80 to download a Web page. The server would see a connection coming in from a machine on some random port above 1,024. This way the server knows it is probably a user and not another application connecting to it. It also uses the ephemeral port number to track the specific user and session. For example, if you OSI Layer Number Layer Name Sample Protocols Layer 7 Application DNS, FTP, HTTP, SMTP, SNMP, Telnet Layer 6 Presentation XDR Layer 5 Session Named Pipes, RPC Layer 4 Transport NetBIOS, TCP, UDP Layer 3 Network ARP, IP, IPX, OSPF Layer 2 Data Link Arcnet, Ethernet, Token Ring Layer 1 Physical Coaxial, Fiber Optic, UTP Howlett_CH04.fm Page 88 Wednesday, June 23, 2004 11:53 PM . modem to plug into. Otherwise, click on the settings for your ADSL service. • Network configuration: SmoothWall divides its zones into three categories: • Green: Your internal network segment to. following into the Web browser http://192.168.1. 1:8 1/ for normal Web communications, or https://192.168.1. 1:4 41/ for secure Web access. This will display the SmoothWall opening screen. To access. is a mandatory tool for any network attached to the Internet. Now that you have protected your network’s front door, we will examine tools to help you check your locks and windows to make sure

Ngày đăng: 04/07/2014, 13:20

TỪ KHÓA LIÊN QUAN