CS591 F2009 Hw5

Homework #5: Configure a Secure Perimeter with DMZ Zone using Linux Firewalls.
Due day 11/23/2009; extend to 11/24/2009.

Goal:

Understand firewalls, related seurity policies and security design principles.
Learn how to use iptables provided in the Linux netfilter to construct a secure perimeter with DMZ hosting servers exposed to Internet.
Review the basic route commands for setting up the packet routing of the Intranet and DMZ subnet.
Learn how to set up network interfaces for the virtual machines and how virtual machines communicate with each others and Internet.

Teams for the homework 5 exercises:

Note that the team assignment is tentative. You can format a team of 2-3 people for hw5 exercises. You can also work alone. Email me your preference and team composition if different from what is assigned. Each team can share their configurations and exercise results such as captured images. But each of the team members should write/submit their own homework report.

Team	Name	CSNET Domain Names	IP Addresses	Assigned DMZ LAN Subnet	Assigned Intranet LAN Subnet	VMWare host
1	Almurayh, Abdullah Saeed	aalmuray, aalmuray2, aalmuray3, aalmuray4	128.198.62.211-214	172.16.11.0/24	10.0.11.0/24	a-212-01
1	Alqahtani, Mohammed Saeed	malqahta, malqahta2, malqahta3, malqahta4	128.198.62.215-218	172.16.15.0/24	10.0.15.0/24	a-212-01
2	Cordova, Raymond Lee	rcordova, rcordova2, rcordova3, rcordova4	128.198.62.19-22	172.16.19.0/24	10.0.19.0/24	a-212-01
2	Cormier, Paul Gerard	pcormier, pcormier2, pcormier3, pcormier4	128.198.62.23-26	172.16.23.0/24	10.0.23.0/24	a-212-01
3	Crowther, Brandon Glade	bcrowthe, bcrowthe2, bcrowthe3, bcrowthe4	128.198.62.27-30	172.16.27.0/24	10.0.27.0/24	a-212-01
3	Erickson, Derrick Scott	derickso, derickso2, derickso3, derickso4	128.198.62.31-34	172.16.31.0/24	10.0.31.0/24	a-212-01
4	Gray, Nicole Kayzie	nbrown3, nbrown32, nbrown33, nbrown34	128.198.62.35-38	172.16.35.0/24	10.0.35.0/24	a-212-02
4	Hausman, Michael Aaron	mhausman, mhausman2, mhausman3, mhausman4	128.198.62.39-42	172.16.39.0/24	10.0.39.0/24	a-212-02
5	Hernandez, Joseph Edward	jhernan2, jhernan22, jhernan23, jhernan24	128.198.62.43-46	172.16.43.0/24	10.0.43.0/24	a-212-02
5	Hinson, Jeffrey Scott	jhinson, jhinson2, jhinson3, jhinson4	128.198.62.47-50	172.16.47.0/24	10.0.47.0/24	a-212-02
6	Huynh, Philip Huu	phuynh, phuynh2, phuynh3, phuynh4	128.198.62.51-54	172.16.51.0/24	10.0.51.0/24	a-212-02
6	Jahnke, Shane Rulon	sjahnke, sjahnke2, sjahnke3, sjahnke4	128.198.62.55-58	172.16.55.0/24	10.0.55.0/24	a-212-02
7	Jewell, Jeffrey Howard	jjewell, jjewell2, jjewell3, jjewell4	128.198.62.59-62	172.16.59.0/24	10.0.59.0/24	a-212-03
7	Kopps, Michael John	mkopps, mkopps2, mkopps3, mkopps4	128.198.62.63-66	172.16.63.0/24	10.0.63.0/24	a-212-03
8	Lama, Palden	plama, plama2, plama3, plama4	128.198.62.67-70	172.16.67.0/24	10.0.67.0/24	a-212-03
8	Liptak, Jason Jeffrey	jliptak, jliptak2, jliptak3, jliptak4	128.198.62.71-74	172.16.71.0/24	10.0.71.0/24	a-212-03
9	Logan, James Phillip	jlogan, jlogan2, jlogan3, jlogan4	128.198.62.75-78	172.16.75.0/24	10.0.75.0/24	a-212-03
9	Magby, John Arthur	jmagby, jmagby2, jmagby3, jmagby4	128.198.62.79-82	172.16.79.0/24	10.0.79.0/24	a-212-03
10	Magee, Anthony William	amagee, amagee2, amagee3, amagee4	128.198.62.83-86	172.16.83.0/24	10.0.83.0/24	a-212-04
10	Mccullough, Clifford Allen	cmccullo, cmccullo2, cmccullo3, cmccullo4	128.198.62.87-90	172.16.87.0/24	10.0.87.0/24	a-212-04
11	Meadows, Harold Brett	hmeadows, hmeadows2, hmeadows3, hmeadows4	128.198.62.91-94	172.16.91.0/24	10.0.91.0/24	a-212-04
11	Menozzi, Michael Jason	mmenozzi, mmenozzi2, mmenozzi3, mmenozzi4	128.198.62.95-98	172.16.95.0/24	10.0.95.0/24	a-212-04
12	Namburu, Mounika	mnamburu, mnamburu2, mnamburu3, mnamburu4	128.198.62.99-102	172.16.99.0/24	10.0.99.0/24	a-212-04
12	Nguyen, Lan Le	lnguyen2, lnguyen22, lnguyen23, lnguyen24	128.198.62.103-106	172.16.103.0/24	10.0.103.0/24	a-212-04
13	Nguyen, Minh Thy	mnguyen4, mnguyen42, mnguyen43, mnguyen44	128.198.62.107-110	172.16.107.0/24	10.0.107.0/24	se-a-210-05
13	Parks, Brian Christopher	bparks, bparks2, bparks3, bparks4	128.198.62.111-114	172.16.111.0/24	10.0.111.0/24	se-a-210-05
14	Sanchez-vasquez, Phillip Troy	pgurule, pgurule2, pgurule3, pgurule4	128.198.62.115-118	172.16.115.0/24	10.0.115.0/24	se-a-210-05
14	Sapkota, Archana	asapkota, asapkota2, asapkota3, asapkota4	128.198.62.119-122	172.16.119.0/24	10.0.119.0/24	se-a-210-05
15	Shuster, Christopher Michael	cshuster, cshuster2, cshuster3, cshuster4	128.198.62.123-126	172.16.123.0/24	10.0.123.0/24	se-a-210-05
15	Spence, Terry James	tspence, tspence2, tspence3, tspence4	128.198.62.127-130	172.16.127.0/24	10.0.127.0/24	se-a-210-05
16	Stroud, Benjamin Scott	bstroud, bstroud2, bstroud3, bstroud4	128.198.62.131-134	172.16.131.0/24	10.0.131.0/24	se-a-210-05
16	Ujvarosy, Gareth Richard	gujvaros, gujvaros2, gujvaros3, gujvaros4	128.198.62.135-138	172.16.135.0/24	10.0.135.0/24	se-a-210-05
17	Chow, Edward	chow, chow2, chow3, chow4	128.198.62.139-142	172.16.139.0/24	10.0.139.0/24	se-a-210-05
17	CS591	cs591, cs5912, cs5913, cs5914	128.198.62.143-146	172.16.143.0/24	10.0.143.0/24	se-a-210-05

a-212-01.csnet.uccs.edu: 128.198.62.11
a-212-02.csnet.uccs.edu: 128.198.62.12
a-212-03.csnet.uccs.edu: 128.198.62.13
a-212-04.csnet.uccs.edu: 128.198.62.14
se-a-210-05.csnet.uccs.edu: 128.198.62.15

Note that I only configure the DNS server on gandalf.uccs.edu for the above DNS entries. Therefore you need to configure your network settings to point their primary DNS server to gandalf or 128.198.60.194, in order the resolve these DNS names. Each team can use their assigned DNS names, IP addresses, and DMZ/intranet subnet addresses for their exercises. Note that you only have the remote desktop connection and vmware server access to those designed vmware hosts. If your team prefers to use a specific vmware host, let me know what additional accesses if you need.

Make sure you suspend the virtual machines each time you finish your experiment.

Configuration of Secure Perimeter Network Testbed:

We will use vmware virtual machines for homework 5 exercises.
Make sure you suspend your virtual machines after you finish your exercises and free up main memory for other team. If you use remote desktop connection, make sure you logoff not just disconnect. So that others can connect to these machines.
We will use two ubuntu v9.10 server virtual machine as firewalls, a virtual machine running Fedora Core 11 OS as a DMZ web server, the virtual machine XPup you have created in hw3 as an intranet machine to form our secure perimter network testbed. A copy of these four virtual machines has been created in the c:\work\cs591\F2009\<yourlogin> directory of your designated vmware host. They are contained in chowFC11, chowFWout, chowFWin, chowXPup direcotries. When you acces the vmware server on your designated host, you will see these four folders as you open up your datastore.
We will use viva host, CS lab machines (those in EN138/140), the CS Unix machines, or your home machine as a legitimate user or "malicious" machine to test the firewall policy.
With those four virtual machines, each team will configure the virtual network interfaces to form a secure perimeter network testbed with DMZ, as similar to the system below.
Each testbed consists of a set of four machines. Two firewalls, one server runs apache web server for external web access; you are welcome to configure DNS server and mail server on the server virtual machines), and one XP client in intranet.
As indicated in the above team assignment table, Brandon and Derrick are the 3rd team. They will use a-212-01 as vmware host to configurre/run those four virtual machines. The will configure the testbed with eightIP addresses 128.198.62.27-34. Designate one of them as web server IP address, one for the external firewall.

Configure network interfaces of the virtual machine

We will configure the virtual machines with three network interfaces. From the summary tab of the vmware server interface, you can see these three NICs are named Network Adaptor 1, Network Adaptor 2, and Network Adaptor 3. If you click on them and select "Edit". You will see they are configured as "Bridged", "Host Only", and "Host Only" connection type.
When the guest OS is started, these three NICs will be detected. You probably will imagine that they will show up from within the machines as eth0, eth1, and eth2. But they are not. The reason is as follows:
- When you start your copy of the vm, the vmware server will detect that it has been moved or copied (very smart!) and it will prompt you to indicate whether it is "copied" or "moved". you will select "copied". Here is the rational behind the choices:
  - Six of you share the same vmware host. If all of you said the copy of the vm is "moved", then vmware will not change the original mac address in the configuration file (.vmx) and the guest OS will detect the same mac address and assigned the same ethernet #. But if two of you make the same "moved" choice, we will have two virtual machines share the same mac address and resulting an address conflict!!
  - Based on the above reason, we will choose "copied" when prompted. The vmware server will then pick a new unique mac address for the new copy of the virtual machine. (how they do that?!! a good test question!!). Now all six copies will run with different mac addresses and no address conflict! Amazing.
  - But by assigning a new mac address to the virtual machine, there is consequence! When the guest OS wakes up, it will detect a new mac address in its interface, and conclude that this is a new NIC card, therefore assigned it with a new ethernet #!!. The original eth0 will become eth3 or eth4.
  - There is a file in the /etc/udev/rules.d/70-persistent-net.rules we can edit to map the mac address to a specific ethernet #. For example, the one on chowFWout contains
```
# line, and change only the value of the NAME= key.

# PCI device 0x1022:0x2000 (pcnet32)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:d2:b9:bc", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

# PCI device 0x1022:0x2000 (pcnet32)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:42:4e:8d", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"

# PCI device 0x1022:0x2000 (pcnet32)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:42:4e:83", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth2"

# PCI device 0x1022:0x2000 (pcnet32)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:42:4e:97", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth3"
```
    By examining the configuration of network adpator 1 (click Network Aadpator 1 icon on the summary tab of chowU9FWout),
    
    , we know that bridged network connectin is assigned with 00:0c:29:42:4e:83 mac address by vmware server.
  - we can edit the line with that mac address in from
```
# PCI device 0x1022:0x2000 (pcnet32)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:42:4e:83", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth2"

to 
# PCI device 0x1022:0x2000 (pcnet32)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:42:4e:83", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"



similar we can map mac address of the network adapter 2
 to eth1, and that of network adapter 3 to eth2.


once the /etc/udev/rules.d/70-persistent-net.rules is edited, reboot the machine. You should 
eth0, eth1, and eth2 map properly to network adapter 1, 2, and 3.
```
- Even though we can change the type of the virutal network interface of the virtual machine while it is running, we cannot add additional network interface while it is suspended or running. The virtual machine needs to be shut down before we can add additional network interface.

The first network interface is configured as a bridged network connection so that we can contact it directly from Internet during set up. The outside firewall will be the only machines with active first network interface. Guest Linux OS will detect the first NIC as eth0.
The seconds network interface is configured as host-only.
The 3rd network interface is configured as host-only.
You may want to double check the connnection type if no response from the machines connected on the same subnet.

Step 0. Start Virtual Machines

Use https://<your designated vmware hostname or IP address>:8333/ to access your designated vmware server.
Indicate that the this virtual machine, you get it by "copy it" not "move it". I have made "copy" for you. uni
The main memory image saved in the ufw1 directory will be read in to the host main memory and the firewall virtual machine started. This is very much like you resume from a standy PC.
Next we will assign new static IP addresses to ufw1's three network interfaces.

Note that due to selection of creating of new idenifier to avoid conflict with other copies of the same ubuntu virtual machine, all three ethernets of the virtual machine are now assigned with new MAC address. When the vitual machine reboot, the guest OS will detect three new network interfaces and assigned them with eth3, eth4, and eth5.

Use "sudo bash" to obtain a bash with root

Type "ifconfig -a " to see the network interface recognized by the OS.

csnet@beta:~$ sudo bash
[sudo] password for csnet: 
root@beta:~# ifconfig -a
eth3      Link encap:Ethernet  HWaddr 00:0c:29:1a:45:34  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:117 errors:0 dropped:0 overruns:0 frame:0
          TX packets:79 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:15202 (14.8 KB)  TX bytes:8988 (8.7 KB)
          Interrupt:16 Base address:0x1400 

eth4      Link encap:Ethernet  HWaddr 00:0c:29:1a:45:34  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:18 Base address:0x1800 

eth5      Link encap:Ethernet  HWaddr 00:0c:29:1a:45:2a  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:17 Base address:0x1480 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:90 errors:0 dropped:0 overruns:0 frame:0
          TX packets:90 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:10260 (10.0 KB)  TX bytes:10260 (10.0 KB)

It shows that we have three network interface eth3, eth4, and eth5, and one loop back interface 127.0.0.1.

Assign eth3 with your designated IP address, eth4 with 172.16.<last byte of your designated IP address>.1, and add a defaut gateway routing entry to allow outside access. Here I assume your designated IP address is 128.198.62.77. Therefore eth5 is assigned with 172.16.77.1 and is connected to Host-Only connection with 172.16.77.0/24 subnet. The third byte in my case is 77 and is used to distinguish the different teams.

root@beta:~# ifconfig et5  172.16.77.1 netmask 255.255.255.0
root@beta:~# ifconfig eth3 128.198.62.77 netmask 255.255.255.0
root@beta:~# route add default gw 128.198.61.1
root@beta:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
128.198.61.0    0.0.0.0         255.255.255.128 U         0 0          0 eth3
172.16.77.0      0.0.0.0         255.255.255.0     U         0 0          0 eth5
0.0.0.0         128.198.62.1    0.0.0.0         UG        0 0          0 eth3

Note that the detection of these ethernet devices may not follow the same order of external Ethernet, Ethernet2, Ethernet3. I found that my ufw1 eth5 is actually mapped to Ethernet3 and need to change the IP address assignment:

root@beta:~# ifconfig eth4 172.16.77.1 netmask 255.255.255.0



root@beta:~# ifconfig eth3 128.198.62.77 netmask 255.255.255.0
root@beta:~# route add default gw 128.198.62.1
root@beta:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
128.198.62.0    0.0.0.0         255.255.255.0 U         0 0          0 eth3
172.16.77.0      0.0.0.0         255.255.255.0     U         0 0          0 eth4
0.0.0.0         128.198.62.1    0.0.0.0         UG        0 0          0 eth3

Now you can use SSH secure shell client to access this virtual machine and capture the session dialog more easily.
Edit /etc/hostname to change the hostname from beta to <login>_ufw1

Edit /etc/networking/interfaces to include the network interfave configuration:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#iface eth0 inet dhcp
auto eth3
iface eth3 inet static
address 128.198.62.77
netmask 255.255.255.0
gateway 128.198.62.1
# eth4
auto eth4
iface eth4 inet static
address 172.16.77.1
netmask 255.255.255.0

Run "echo "1" > /proc/sys/net/ipv4/ip_forward" to allow packets to be forwared between the two NICs.
Run "iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE" to allow packets initial from DMZ or Intranet LAN to go out.
Note that if each iptables command with -A
After configure ufw2, we will add "root@chow_ufw1:~# route add -net 10.0.0.0 netmask 255.0.0.0 gw 172.16.77.3" to allow intranet xpup to ping ufw1 and send packet to Internet.

Configure FWin.

Repeat the process similar above and configure internal firewall FWin.
We will assign eth4 with 172.16.77.3 and eth5 with 10.0.77.1.

Run "echo "1" > /proc/sys/net/ipv4/ip_forward" to allow packets to be forwared between the two NICs.

root@chow_FWout:~# ifconfig -a
eth3      Link encap:Ethernet  HWaddr 00:0c:29:fc:cf:13  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:17 Base address:0x1400 

eth4      Link encap:Ethernet  HWaddr 00:0c:29:fc:cf:1d  
          inet addr:10.0.77.1  Bcast:10.0.77.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fefc:cf1d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:118 errors:0 dropped:0 overruns:0 frame:0
          TX packets:65 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:11413 (11.1 KB)  TX bytes:5905 (5.7 KB)
          Interrupt:18 Base address:0x1480 

eth5      Link encap:Ethernet  HWaddr 00:0c:29:fc:cf:27  
          inet addr:172.16.77.3  Bcast:172.16.77.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fefc:cf27/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:375 errors:0 dropped:0 overruns:0 frame:0
          TX packets:288 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:35225 (34.3 KB)  TX bytes:31047 (30.3 KB)
          Interrupt:19 Base address:0x1800 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:27 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2348 (2.2 KB)  TX bytes:2348 (2.2 KB)

root@chow_ufw2:~# cat /proc/sys/net/ipv4/ip_forward
1
root@chow_ufw2:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.16.77.0      0.0.0.0         255.255.255.0     U         0 0          0 eth5
10.0.77.0        0.0.0.0         255.255.255.0       U         0 0          0 eth4
0.0.0.0         172.16.77.1     0.0.0.0         UG        0 0          0 eth5

I found that eth4 and eth5 of chow_ufw2 was mapped to Connection2 10.0.0.0/8 subnet and Connection3 172.16.0.0/16 subnet. By pinging 10.0.0.1 and 172.16.0.1 after configuring the IP addresses.

Configure FC11 server virtual machine.

Follow the same steps as above, select the "home" tab and "open existing virtual machines" to setup FC11.
We would like to
- set eth1 with IP address 172.16.77.2 and its gateway as 172.16.77.1, so that it can connect to Internet
- set a routing entry with 10.0.77.0/24 subnet so that all responses to intranet can be routed to inside firewall FWin.
- set up a default web page /var/www/html/index.html "<h2>This is cs591 secure site 2 created by <your name></h2>" so that we can test the availability of web server inside DMZ from anywhere in Internet. The other network service we can test with DNAT is SSHD (port 22) on DMZ server.
The virtual machine in your directory only has one network interface Ethernet with bridge connection type. We need to add one more NIC, i.e., Ethernet 2 that i is connected to the HOST ONLY(172.16.77.0/24) which we designated as our DMZ LAN.
- Click start this virtual machine.
- Enter root as username and the password distributed in class (same as that used in hw3 virtual machine).
- To bring up a shell terminal window on FC11, you select "Application | Accessories | Terminal" menuitem.
- Edit /etc/sysconfig/network to add the hostname <login>_fc11.
- Edit /etc/sysconfig/network-scripts/ifcfg-eth0, replace "ONBOOT=yes" to "ONBOOT=no". This disables the eth0.
- cp ifcfg-eth0 ifcfg-eth4
- Edit /etc/sysconfig/network-scripts/ifcfg-eth4, replace the content with
```
# Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
DEVICE=eth4
#BOOTPROTO=dhcp
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=static
NETMASK=255.255.255.0
IPADDR=172.16.77.2
GATEWAY=172.16.77.1
TYPE=Ethernet
USERCTL=no
PEERDNS=yes
IPV6INIT=no
```
- You need to change 77 to your designated number (the last byte of the IP address you used for external firewall.
- Run "service network restart". Double check the network configuration with ifconfig and route commands.
- Apache web server setup:
  - The recent version of Apache httpd web server starts to do self identity check, if cannot reliably determine the full qualifed domain name through DNS search, it will fail.
  - Normal DNS search sequence as specified in /etc/nsswitch.conf, is
    file dns
    Here the file is referred to /etc/hosts file.
    By modifying the /etc/hosts as follows, (commenting out 127.0.0.1 and add 172.16.77.2)
    # Do not remove the following line, or various programs
    # that require network functionality will fail.
    #127.0.0.1      fc22.csnet.uccs.edu fc11 localhost.localdomain localhost localhost
    172.16.77.2     jlogan.csnet.uccs.edu jlogan localhost.localdomain localhost localhost
    
    ::1             localhost6.localdomain6 localhost6
    
    You should satisfy the httpd.
  - After modifying /etc/hsots, start apache httpd with "service httpd restart"
    
    root@rwhite2_fc9 ~]# service httpd restart
    Stopping httpd: [FAILED]
    Starting httpd: [ OK ]
- Create a default web page with heading "<h1>CS591 secure testbed created by <your name>. </h1>" as /var/www/html/index.html on the server. This allows users to test the DNAT set up later on external firewall from outside browser.
- Note that once fc9 server is setup, you should distable eth0 and only leave eth1 running. With eth0 and eth1 both active, the packet routing may not be correct. You can use "ifconfig eth0 down" to bring down eth0.

Setup intra1 XP client.

use xpup. Set up the network connection (the biggest number in the set) with 10.0.77.2 and default gateway 10.0.77.1.
For Window XP, Use Start | Settings | Control Panel | Network Connections | Local Area Network 5| Properties | Internet Protocol (TCP/IP)
to set static IP address, Subnet mask, default gateway and DNS servers IP addresses (128.198.60.194 and 128.198.1.250) for the Intra1 window XP.

Step1. Physical Layer Connection:

In real network we will connect the ethernet cables from the PCs to the designed switch.
Here with the VMWare, we specifies the connection type (Bridged; NAT; Host-only; Customize) of each network interface.
- By specifying bridged connection type, we use an external IP address and share the host's ethernet interface (similar to configure an network interface card (NIC) with multiple IP addresses using alias eth0:0).
- By specifying NAT, the virutal network interface of our virtual machine is connected to an emulated switch VMNET-8 that provides NAT service. We can share the host ethernet connection. From the virtual machine, we typically use DHCP to request a private LAN IP address. It is typically 192.168.x.0/24. You can use ipconfig or ifconfig command on the host machine to find out what is the IP address of VMNET-8 assigned to the host. This is the same gateway address returns to the virtual machine by the DHCP protocol.
- By specifying Host-Only, the virutal network interface of our virtual machine is connected to an emulated switch VMNET-1 that provides DHCP service. You are not allow to connect to outside world. You do have network connection to the host machine though.
- By specifying customized, the virutal network interface of our virtual machine is connected to one of the 10 emulated switches (VMNET-1 to VMNET-9). You can assign different subnet addresses for those emulated switches from the virtual network setting menu.

Step2. Test the network connectivities.
- Once you configure the IP address, you want to verify you have connectivity among machines within the subnet.
- For example, from fwout,
  - "ping 128.198.62.1" (default gateway), "ping 172.16.77.2" (dmzserver), and "ping 172.16.77.3" (fwin);
  - from xpup, "ping 10.0.77.1" (fwin).
  - from fc11, "ping 172.16.77.1" (default gateway) and "ping 172.16.77.3" (inner firewall).
- Note that at this point, from xpup, "ping 172.16.77.1" will not get response, if we did not have a routing table entry for 10.0.77.0/24 set up on fwout and we did not turn on ip_forwarding on inner firewall.
Step3. Configure the routing tables
- Use "route add defaut gw <gatewayIPAddress>" and "route add -net <subnetAddress> -gw <gatewayTotheSubnet>" to configure routing table properly in the firewalls and DMZ server.
- For example, on fwout, we use "route add default gw 128.198.62.1" and
  "route add -net 10.0.77.0/24 -gw 172.16.77.3".
- With the first route commands, fwout should be able to ping 128.198.62.1 and Internet, including ping 128.198.1.250.
- You now can bring in any scripts you have prepare from outside to fwout and then to fwin.
- The 2nd "route add -net" command allow it send responses back to intranet.
- Note that here in this testbed, the default gateway for fwout is csnet gatway with IP address128.198.62.1.
- The default gateway for any DMZ machine, including dmzserver and fwin, is fwout and the related gateway IP adress to them to use in their "route add default gw" command is 172.16.77.1.
- You need run "route add -net" command to allow intranet machine to talk to dmzserver, says for uploading web page to the DMZ web server.
- The default gatway for any intranet machines including intra1 (XP) will be fwin. I will let you figure out what it is right gateway IP address to be used by intra1.
- Use Start | Settings | Control Panel | Network Connections | Local Area Network | Properties | Internet Protocol (TCP/IP) to set static IP address, Subnet mask, and default gateway for the Intra1 window XP.
- After setting up the above routing tables, if you still cannot ping outside machine from dmzserver, fwin, and intra1. The reason is the two firewall machines are not allowed packets to be forwarded between its two ports.
Forwarding Packets
- To allow that, we run 'echo "1" > /proc/sys/net/ipv4/ip_forward' command on both fwout and fwin. make sure you have " around 1 in the echo command. check if the ip_forward flag is set, by the command "cat /proc/sys/net/ipv4/ip_forward" to see if the memory resident file content is 1.
- Now try ping 172.16.77.1 (fwout) from intra1. You will get response because the ICMP messages are forwarded by fwin. Same when you ping 10.0.77.2 from the DMZ server.
- But you will find that you can not ping 128.198.1.250 (Internet; UCCS DNS server) from any machine except fwout.
- Why this that? The reason is all the ICMP message from those machines will have private LAN address in their source IP address and their responses can not be routed back . To solve that, we need SNAT service on fwout. See Step4.
Step4. Configure firewalls on FWout with proper firewall rules to provide DNAT/SNAT services.
- Setup net alias on outer firewall fwout:
  - ifconfig eth3:1 128.198.62.78
    eth3:n is called alias for eth3
  - ifconfig eth3:2 128.198.62.80
  - ifconfig eth3:3 128.198.62.81
- Use "iptables -L" and "iptables -t nat -L" to list the firewall rules.
- To be safe, let us flush the firewall rules so that we start fresh. Same commands to use if iptables -L or iptables -t nat -L indicates the firewall rule set are garbled.
  - iptabels -F
  - iptables -t nat -F
  - If you find you can ping from intranet or DMZ machines but can not retrieve web page or SSH to internet machines, you can try to flush the rule set and reset your firewall.
- The simplest DNAT and SNAT rules for testbed 2 are
  iptables -t nat -A PREROUTING -p TCP -i eth3 -d 128.198.62.78 --dport 80 -j DNAT --to-destination 172.16.77.2
- iptables -t nat -A PREROUTING -p TCP -i eth3 -d 128.198.62.78 --dport 22 -j DNAT --to-destination 172.16.77.2
  iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE
  Here I assume 128.198.62.78 is external IP address of the web server/ssh server. Internally the web server is run on dmzserver machine with 172.16.77.2.
- With the first DNAT rule, outside (internet) machines can access the web page on our web server.
  - Try http://chow2.csnet.uccs.edu/ with the browser of windom or a home PC to verify the web server access. You should substitute the chow2 with the designate dns name associated with the IP address for the web server you specified in the DNAT service. For the Richard White and Joe Taylor, they use 128.198.61.75 as the web server IP address in the iptables command. Therefore they should use http://rwhite.csnet.uccs.edu/ as url to verify the web access.
  - You can also use lynx, a text browser on viva or use wget command to retrieve web page when you do not have access to the desktop environement for gui based browser.
  - Note that due to the default inclusion of the modsec module with apache on FC9, it will not allow http request with IP address in url. Therefore use the the domain name.
    Here is the log in modsec_audit.log where we access fc9 with IP address.
    
    Message: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"]
    Action: Intercepted (phase 2)
    Stopwatch: 1227281695740933 1332 (685 1003 -)
    Producer: ModSecurity v2.1.6 (Apache 2.x)
    Server: Apache/2.2.8 (Fedora)
  - Note that on FC11, I did not see modsec is included. Therefore using IP address as url should be fined <verify that>
- With the 2nd SNAT rule, we should be able to access web pages of Internet web sites from any of the machines in the testbed and ping 128.198.1.250.
- Also if you login to blanca, say using "ssh -l <yourlogin> blanca.uccs.edu" and type "lynx 128.198.62.78" you should be able to get a web page with heading "CS591 secure testbed created by <your name>. ". If you did not get web page, try check if the apache web server is running on dmzserver. Use "service httpd restart" to start it.
- Email me the browser result such as lynx 128.198.62.78 as a proof that the DNAT is set up correctly.
- For more complete and secure firewall rules, use the DMZ firewall shell script as a template. Replace with our network IP address and network info.
  http://iptables-tutorial.frozentux.net/scripts/rc.DMZ.firewall.txt
- Verify DNAT by login to viva and issue the http request to your DMZ web server. You can use lynx a text-based browser or wget command for such test. Capture the http response from the web server as a proof and deliverable.
- Verify SNAT by accessing web site in Internet from intra1. Capture the http response from web server (screendump) as a proof and deliverable.
- Add firewall rules that follows fail-safe default principle and move these drop rules here after your test DNAT and masquerade since you may make error mistake in firewall rule setting and these drop rules will disable all connections to and from the site.
```
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
```
Step5. Check on the /var/log/message or /var/log/secure on FWout. Examine who are trying to break in using ssh with root.
- Note that we have set "PermitRootLogin no" in /etc/ssh/sshd_config therefore the firewall by default will not accept root user access from Internet.
- Add firewall rules to drop packets from those intruders.
- If there is no such attack, find out the IP addresses of Blanca or a EAS 149 Lab pc; add firewall rule to block its access to the DMZ web server; verify indeed the access is blocked on that specific machine; make sure others still able to access.
- Observe if any more log occurs after the above firewall rules are inserted.
- Provide the firwall rules and the log that prove successful blocking of specific machines as deliverable.
Option Step6. start bt3 as intra2 machine in intranet and add firewall rules to disallow intra2 to connect to Internet.
- Learn to create firewall rules as a shell script, similar to those examples in iptables-tutorials. http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html.
  http://www.frozentux.net/iptables-tutorial/scripts/rc.DMZ.firewall.txt
- Save the firewall rules and network configurations (ifconfig, netstat -rn) as a file for submission.
- When you are done with your secure perimeter testbed, email me to examine it.
Step7. Enforce the security policy that servers on DMZ can not initiate connections to intranet.
- See the example in DMZ firelwalls script.
- Hint: Apply the stateful firewall rules using -m state option to match connection state, similar to the rules below:
```
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
        
```
- Save the firewall rules and network configurations (ifconfig, netstat -rn) as a file for submission.
  Use command "iptables-save > ufw<name>rules.txt
  For example, it generates the following content, which correspnds to the set of iptables commands executed. The file can be read in using iptables-restore. It is faster then executing the scripts with ipables commands.
  
  # Generated by iptables-save v1.3.8 on Mon Nov 24 04:39:43 2008
  *nat
  :PREROUTING ACCEPT [20190:2778370]
  :POSTROUTING ACCEPT [162:12290]
  :OUTPUT ACCEPT [324:23761]
  -A PREROUTING -d 128.198.62.73 -i eth3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.16.73.2
  -A PREROUTING -d 128.198.62.73 -i eth3 -p tcp -m tcp --dport 22 -j DNAT --to-destination 172.16.73.2
  -A POSTROUTING -o eth3 -j MASQUERADE
  COMMIT
  # Completed on Mon Nov 24 04:39:43 2008
  # Generated by iptables-save v1.3.8 on Mon Nov 24 04:39:43 2008
  *filter
  :INPUT ACCEPT [259:38777]
  :FORWARD ACCEPT [442:52183]
  :OUTPUT ACCEPT [114:11099]
  -A INPUT -s 128.198.162.60 -j LOG --log-prefix "BLANCA BLOCK"
  -A INPUT -s 128.198.162.60 -j DROP
  -A FORWARD -s 128.198.162.60 -j LOG --log-prefix "BLANCA BLOCK"
  -A FORWARD -s 128.198.162.60 -j DROP
  -A OUTPUT -s 128.198.162.60 -j LOG --log-prefix "BLANCA BLOCK"
  -A OUTPUT -s 128.198.162.60 -j DROP
  COMMIT
  # Completed on Mon Nov 24 04:39:43 2008
- When you are done with your secure perimeter testbed, email me to examine it.

Questions:

Q1. In Step 5, we indicate that the remote ssh root access is turned off to disallow intruders from guessing the password and login as root.
- What is the benefit of adding firewall rules to drop packets from those intruders?
- What rules you would like to add?
- To what chains you add those rules?
Q2. Similar to the DMZ firewall example in iptables tutorial http://www.frozentux.net/iptables-tutorial/scripts/rc.DMZ.firewall.txt. The Sonic Firewall has three ports: one connects to Internet; one connects to DMZ subnet; and the last connects to the intranet. Their network topology is different from that of the above testbed, which has two firewall machines connecting through the DMZ LAN.
Discuss what are the trade-off of these two different configurations based on the design principles mentioned in the firewall powerpoint presentation.
Q3. Critic on the resource/machine assignments for this exercise: Suggest any improvement on the resource assignment.

Homework #5: Configure a Secure Perimeter with DMZ Zone using Linux Firewalls. Due day 11/23/2009; extend to 11/24/2009.

Goal:

Teams for the homework 5 exercises:

Configuration of Secure Perimeter Network Testbed:

Questions:

Homework #5: Configure a Secure Perimeter with DMZ Zone using Linux Firewalls.
Due day 11/23/2009; extend to 11/24/2009.