Homework #4: Configure a Secure Site with DMZ Zone with Linux Firewalls.

Goal:

• Understand firewalls, related seurity policies and security design principles.
• Learn how to use iptables provided in the Linux netfilter to construct a site with DMZ hosting servers exposed to Internet.
• Review the basic route commands for setting up the Intranet and DMZ subnet.

Link to reserveation web page.

Groups for the homeworks 4-5 exercises:

1. Hakan Evecek; Rodolfo Ortizmagdaleno; Guozhi Fu
2. William Louis Bahn; Frank Xavier Gearhart; Beaux Sharifi
3. Nick Sterling; Sarah Summers; Sarah Wahl
4. Brian Ardrey; Balaji Ravi Badam; Duong Hang
5. Paul Box; John Lefever; Bea Wilds
6. Jeramie Reese; Candice Sonchar; Patrick Brannan
7. Lindsey McGrath; Christine Weiss; Osama Khaleel
8. Sujeeth Narayan; Ankur Patwa; Francisco Torres.
   
9. Jason Cook; Michael Rudolph; Adrian Johnson
10. Justin Gray; Michael Gerschefske; Joseph Lacont
    
11. Ricardo Torres; Patrick Walpole; Matt Weaver; Ben White

Configuration of Network Testbed:

• We have prepared three testbeds in EAS 143 for homeworks #4 and 5 exercises.
• Each testbed contains a stack of five PCs. The top three are installed with Fedora Core 4. The bottom two are installedwith Windows 2003 server and Window XP. Let us name the machines from top to bottom as machines 1, 2, 3, 4, and 5, and host names as fwout, dmzserver, fwin, intra1, and intra2. Note that since we only have a 4 port KVM switch at this time. Do not worry about the win2003 server. We will not use it.
• The top two Linux PCs contain two Ethernet interface cards and will be configured as firewalls, outer firewall and inner firewall respectively.
• Two DLink switches and ethernet cables are provided for each testbed and used to connect machines in DMZ and Intranet, and form the corresponding subnets.
• A 4-port KVM (Keyboard, Video, Mouse) switch is provided to connect four of the five PCs to a set of Keyboard, Monitor, and Mouse. The KVM switch allows you to switch between the consoles of those four PCs. The last PC is connected manually. The switch is right on top of the PC stack. There is a selection button to the right of the front panel. The red LED lights to its right indicating which machine is currently being selected. Pushing the button will cycle through the four machines.
• The following is the network topology diagram of the testbed:
  
• Four External IP addresses are assigned for each testbed:
  • Testbed1: 128.198.61.38-41 (lab6-lab9.csnet.uccs.edu)
  • Testbed2: 128.198.61.42-45 (lab10-lab13.csnet.uccs.edu)
  • Testbed3: 128.198.61.46-49 (lab14-lab17.csnet.uccs.edu)
• Among those four external IP addresses, the first two are reserved for the two DNS server, the thired one for FWout, the fourth one for the web server. Since we have only one machine for DMZ server, we will only configure the FC4 as web server for hw4. It will have 128.198.61.40 as IP address for testbed1.
• Before you start configuring the machines, we would suggest reboot them so that you get a cleaner start. The team before you may have left the machines in a strange state.
• After reboot them, use "iptables -F" and "iptables -t nat -F" commands to reset the iptables on fwout and fwin.
• Step1. Physical Layer Connection:
  • Connect the ethernet cables from the PCs to the designed switches.
  • Due the tedious effort of this step. Skip this step.
• Step2. Configure the IP addresses
  • For Fedora Core 4 Linux machine, use ifconfig eth0 or ifconfig eth1 command to configure the IP addresses.
    • FWout:
      • ifconfig eth0 128.198.61.38
      • ifconfig eth0:1 128.198.61.39
        eth0:n is called alias for eth0
      • ifconfig eth0:2 128.198.61.40
      • ifconfig eth0:3 128.198.61.41
      • ifconfig eth1 192.168.0.1
        This will be the default gateway for DMZ LAN
  • Optional: Edit /etc/sysconfig/network to specify the host name and network address.
  • Optional: Edit /etc/sysconfig/network-scritps/ifcfg-eth0 and ifcfg-eth1 to specify the IP address, netmask, onboot, bootprotocol.
  • The above two optional operations is to make the network configuration permanent even after reboot.
  • For Window XP and Win2003 server, Use Start | Settings | Control Panel | Network Connections | Local Area Network | Properties | Internet Protocol (TCP/IP)
    to set static IP address, Subnet mask, and default gateway for the Intra2 win2003 server and Intra1 window XP.
  • Note that since we only have 4 port KVM switch this time. Do not worry about the win2003 server. We will not use it.
  • Once you configure the IP address, you want to verify you have connectivity among machines within the subnet.
  • For example, from fwout, "ping 128.198.61.1" (default gateway), "ping 192.168.0.2" (dmzserver), and "ping 192.168.0.3" (fwin); from xp, "ping 10.0.0.1" (fwin).
  • Note that at this point, from xp, "ping 192.168.0.1" will not get response, since we did not have a routing table entry for 10.0.0.0/24 set up on fwout. We will do that in step 3.
• Step3. Configure the routing tables
  • Use "route add defaut gw <gatewayIPAddress>" and "route add -net <subnetAddress> -gw <gatewayTotheSubnet>" to configure routing table properly in the firewalls and DMZ server.
  • For example, on fwout, we use "route add default gw 128.198.61.1" and "route add -net 10.0.0.0/24 -gw 192.168.0.3".
  • With the first route commands, fwout should be able to ping 128.198.61.1 and Internet, including ping 128.198.1.250.
  • You now can bring in any scripts you have prepare from outside to fwout and then to fwin.
  • The 2nd "route add -net" command to send responses back to intra1.
  • Note that here in this testbed, the default gateway for fwout is csnet gatway with IP address128.198.61.1
  • The default gateway for any DMZ macines including dmzserver and fwin is fwout and the related gateway IP adress to them to use in their "route add default gw" command is 192.168.0.1.
  • You need run "route add -net" command to allow intranet machine to talk to dmzserver, says for uploading web page to DMZ web server.
  • The default gatway for any intranet machines including intra1 (XP) and itra2 (Win2003server) will be fwin. I will let you figure out what it is right gateway IP address to be used by intra1.
  • Use Start | Settings | Control Panel | Network Connections | Local Area Network | Properties | Internet Protocol (TCP/IP) to set static IP address, Subnet mask, and default gateway for the Intra2 win2003 server and Intra1 window XP.
  • After setting up the above routing tables, you still cannot ping outside machine from dmzserver, fwin, and intra1. The reason is the two firewall machines are not allowed packets to be foraded between its two ports.
  • To allow that, we run "echo 1 > /proc/sys/net/ipv4/ip_forward" command on both fwout and fwin.
  • Now try ping 192.168.0.1 (fwout) from intra1. You will get response because the ICMP messages are forwarded by fwin. Same when you ping 10.0.0.51 from dmzserver.
  • But you will find that you can not ping 128.198.1.250 (Internet; UCCS DNS server) from any machine except fwout.
  • Why this that? The reason is all the ICMP message from those machines will have private LAN address in their source IP address and their responses can not be routed back . To solve that, we need SNAT service on fwout. See Step4.
• Step4. Configure firewalls on FWout and FWin with proper firewall rules to provide DNAT/SNAT services.
  • The simplest DNAT and SNAT rules for testbed 3 are
    iptables -t nat -A PREROUTING -p TCP -i eth0 -d 128.198.61.47 --dport 80 -j DNAT --to-destination 192.168.0.2
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    Here I assume 128.198.61.47 is web server external IP address. Internally the web server is run on dmzserver machine with 192.168.0.2.
  • Now you should be able to access web pages in Internet from any of the machines in the testbed and ping 128.198.1.250.
  • Also if you login to blanca, say using "ssh -l <yourlogin> blanca.uccs.edu" and type "lynx 128.198.61.47" you should be able to get a web page with heading "CSNET Testbed 3 for CS591". If you did not get web page, try check if the apache web server is running on dmzserver. Use "service httpd restart" to start it.
  • Email me the browser result such as lynx 128.198.61.47 as a proof that the DNAT is set up correctly.
    
  • For more complete and secure firewall rules, use the DMZ firewall shell script as a template. Replace with our network IP address and network info.
    http://iptables-tutorial.frozentux.net/scripts/rc.DMZ.firewall.txt
  • Verify DNAT by login to blanca and issue the http request to dmzserver. You can use lynx a text-based for such test. Capture the http response from web server as a proof.
  • Verify SNAT by accessing web site in Internet from intra1.
• Step5. Check on the /var/log/message or /var/log/secure on FWout. Examine who are trying to break in using ssh with root.
  • Note that we have set "PermitRootLogin no" in /etc/ssh/sshd_config therefore the firewall by default will not accept root user access from Internet.
  • Add firewall rules to drop packets from those intruders.
  • If there is no such attack, find out the IP addresses of Blanca or a EAS 149 Lab pc; add firewall rule to block its access to the DMZ web server; verify indeed the access is blocked on that specific machine; make sure others still able to access.
  • Observe if any more log occurs after the above firewall rules are inserted
• Step6. Add to firewall rules to disallow intra2 to connect to Internet.
  • Save the firewall rules and network configurations (ifconfig, netstat -rn) as a file for submission.

Questions:

• Q1. In Step 5, we indicate that the remote ssh root access is turned off. What is the benefit of adding firewall rules to drop packets from those intruders? What rules you added? What chains you have added those rules?
• Q2. Similar to the DMZ firewall example in iptables tutorial (http://iptables-tutorial.frozentux.net/scripts/rc.DMZ.firewall.txt) The Sonic Firewall has three ports: one connects to Internet; one connects to DMZ subnet; and the last connects to the intranet. Their network topology is different from that of the above testbed, which has two firewall machines connecting through the DMZ LAN. Discuss what are the trade-off of these two different configurations based on the eight deisgn principle.
• Q3. Critic on the resource/machine assignments for this exercise: Suggest any improvement on the resource assignment