DEPLOY SECURE NETWORK DEFENSE SOLUTION FOR SMALL ENTERPRISE USING IPCOP FIREWALL
1.0 Introduction 3
Part 8: Troubleshooting Problem with Intrusion Detection (Snort) on IPCop Firewall 1.4.21 49
© April 2007, Kefa Rabah, Global Open Versity, Vancouver Canada
Project: Deploy secure network defense solution for small enterprise (SMB) using IPCop firewall with URLfilter, Copfilter and OpenVPN add-ons.
Today, small and medium sized businesses (SMBs) are the backbone of the global economy, more so in the developed countries and the recently emerging markets. In the current global economic downturn they are inclined to act cautiously: they try to maintain a stable business and are not subject to the high demands of investors. Nevertheless, SMBs are affected by the economic climate even more than larger businesses, which is why more and more of them fall back on consumer products to secure their IT environment in order to reduce costs and maintain ROI, lowering their level of security in the process. This is a dangerous compromise. There are, however, excellent open source network security solutions that, when implemented correctly, go a long way toward keeping attackers away from network resources. In this series of IT Security & Network Defense Hands-on Labs we are going to look at some of the software solutions that can easily be deployed to secure private network resources.
1.0 Introduction
Information security is commonly thought of as a process and not a product. Nevertheless, standard security implementations usually employ some dedicated mechanism to control access privileges and restrict network resources to users who are authorized, identifiable, and traceable. Firewalls have been keeping guard between private networks and the Internet for about as long as the Internet has existed.
Firewalls are one of the core components of a network security implementation. Several vendors market firewall solutions catering to all levels of the marketplace, from home users protecting one PC to data center solutions safeguarding vital enterprise information. Firewalls can be stand-alone hardware solutions, such as the firewall appliances from Cisco, Nokia, and SonicWall. Vendors such as Check Point, McAfee, and Symantec have also developed proprietary software firewall solutions for the home and business markets.
Apart from the differences between hardware and software firewalls, there are also differences in the way firewalls function that separate one solution from another. In this guide we concentrate on the SMB type of network, with very limited or no budget to cater for exotic firewall infrastructure. With open source, Linux based operating systems you have plenty of choices for protection, and for this lab session we are going to use the IPCop firewall.
The IPCop project is a GNU/GPL project that offers an exceptional, feature packed stand-alone firewall to the Internet community. Its comprehensive web interface, well documented administration guides, and its involved and helpful user/administrator mailing lists make users of any technical capacity feel at home. It goes far beyond the simple ipchains/netfilter front ends available in most Linux distributions and even beyond the firewall feature sets of some commercial competitors.
IPCop is a cut-down Linux distribution that is intended to operate as a firewall, and only as a firewall. It has some advanced firewalling features, including VPNs using IPSec. It is a complete firewall solution that takes control of the machine and replaces any other operating system that is installed. It is therefore not comparable to packages like ipchains or any of the GUI firewall administration tools. It is not an additional security service you would run on an existing machine; rather, it is a complete operating system and firewall administration kit in a box, for which the user dedicates a single machine to run as the Internet gateway. That is the format we are going to follow in these Hands-on training labs.
Firewalls have had to undergo a tremendous metamorphosis as a result of evolving threats. IPCop is exemplary in offering a wide range of default features and, beyond that, a large set of optional plug-ins that extend its functionality and security capability, as we will see later in the text.
Some of IPCop's impressive base install features include: secure HTTPS web-based GUI administration, an SSH server for remote access, TCP/UDP port forwarding, a DHCP server, web proxying (Squid), DNS proxying, dynamic DNS, a time server, traffic shaping, traffic/system/firewall/IDS graphing, intrusion detection (Snort), ISDN/ADSL device support and IPSec based VPN support (FreeS/WAN) with support for Check Point SecuRemote. As if these base features were not enough, there are dozens of add-ons which further expand the functionality of your IPCop, from web filtering to antivirus scanning.
Network Defense
In IT speak, security is a many-layered thing for most IT managers. This is basically because attacks may target network, workstation, server or application vulnerabilities. Blended threats combine multiple attack vectors (Trojan horses, spyware, worms and viruses, for example) in an attempt to outflank an organization's defenses. And over the years, starting from the mid 80s and the birth of the PC, the attack tools have been growing in sophistication while requiring almost no technical skill to use, as depicted in Fig. 2. In response, enterprises erected a series of barriers on the principle that an attack that beats one security measure will not get past the other protections. This approach goes by several names, layered security or defense-in-depth, but the underlying premise is the same, see Fig. 1.
Fig. 1: Enterprise Security – Defense-In-Depth (layers, outermost first: Perimeter Defenses, Network Defenses, Host Defenses, Application Defenses, Data & Resources)
The traditional view of layered security places the firewall at the outermost ring of the protection, guarding the corporate network from incursions borne by the public network (the Internet), see Figs. 1 & 2. Behind the firewall, attention turns to network-based intrusion detection/prevention systems that aim to snuff out attacks that sneak through it. Antivirus software and host-based intrusion detection/prevention systems protect servers and client PCs, providing still another layer.
Firewall: via filter rules (on protocol, TCP/UDP ports and addresses) the firewall must be the gateway for all communication between trusted, untrusted and unknown networks (NWs). It is the choke point through which all communication must pass.
Perimeter network (NW) or DMZ: put in place with firewalls and routers on the network edge, it permits controlled communication between the corporate network and third parties. It includes DMZs, extranets and intranets. The perimeter network is what enables many mission-critical network services, and it also offers a layer of protection for the internal network in the event that one of the Internet accessible servers is compromised.
Bastion hosts: a bastion host should not be able to initiate, on its own, a session back into the private network; it should only answer requests that clients in the internal network have already made. To keep the private network protected, bastion hosts must have all appropriate up-to-date service packs (SP), hot fixes and patches installed. System/network admins must also ensure that logging of all security-related events is enabled and regularly reviewed and analyzed to track both successful and unsuccessful security events.
While emerging classes of tools may fend off attacks at multiple layers, there are pitfalls if the tools are not properly configured, managed or integrated with existing systems. In effect, chief information and security officers have to be jacks of all trades to implement an effective layered security strategy. Overall, a layered security strategy, built around numerous preventive controls, requires good perimeter defenses; i.e., you need host- and network-based intrusion detection integrated with other security solutions all the way down to the desktop level, also known as the end-point. Current statistics indicate that a typical enterprise spends more than 5% of its IT budget on security, with expected growth in annual spending pegged at 9%, compared to 4% to 5% for IT overall.
Today, most IT network security strategists prefer to define layers in terms of critical security processes, tasks such as vulnerability management and intrusion prevention. Process-based definitions like these do not commit IT managers to a specific technology approach and also guard against redundant technology. For example, anti-spyware products entered the market a few years ago as a product set distinct from antivirus; however, both support the same process, and one may well ask what is so different about the process of blocking spyware from the process of blocking viruses. Vendors such as Symantec have since consolidated anti-spyware and antivirus into the same desktop product. This approach has given rise to increased emphasis on host security for so-called end-points such as servers and PCs, so that these devices can defend themselves. These technologies include host-based intrusion detection/prevention systems (HIDS/HIPS). For more information read: Developing IT Security Risk Management Plan.
In these Hands-on Labs we concentrate only on the firewall part of a layered network IT security infrastructure, using the IPCop firewall with the URLfilter, Copfilter and OpenVPN add-ons.
Hardware Pre-requisite
An IPCop installation generally takes about 25 minutes, and you can complete it on relatively modest hardware: a 386 processor with 32MB RAM, more than 300MB of disk, and 3 network cards (2 if there is no need for a DMZ). If you plan to use the caching proxy, IDS or other add-ons, consider additional horsepower in terms of RAM and processor.
Solution:
In this Hands-on Lab session you will learn how to set up a virtual network on VMware (you may also use any other virtual machine platform, such as MS Virtual PC, Linux Xen, or VirtualBox from Sun). Next you will learn how to create a virtual machine with three NIC adapters, which we use to install and configure the IPCop firewall. You will also learn how to install and configure a second virtual machine running WinXP, used to test your firewalled network's connectivity to the public network (Internet), and how to configure and update the freshly installed IPCop. Finally you will have an opportunity to do the Hands-on Lab assignments to test what you have learned. Once you are done with this lab session you should have gained the experience and capability to plan, design, implement and deploy a simple but secure SMB network infrastructure.
In this Hands-on Lab you will also learn how to extend IPCop's functionality with URL Filter to implement company policy on web surfing and Internet access, and how to install and configure Copfilter to add web security functions such as antivirus, safe web surfing, and email and FTP scanning for viruses. You will also learn how to set up Metasploit and Nessus to test and audit your network for security vulnerabilities.
Figure 3 shows our network setup for the pilot lab test of our private SMB LAN, built on VMware with three NIC adapters attached to the IPCop firewall (Virtual Machine 1). eth2 (RED) is attached to the public side of the network and receives its IP address from a DHCP server. eth0 (GREEN) is configured with a static IP address and is also the interface on which IPCop's DHCP server hands out dynamic addresses to the devices in the private LAN via the VMnet2 virtual switch. The third adapter, eth1 (ORANGE), is attached to the DMZ network. Virtual Machine 1 runs the Linux based IPCop firewall.
Fig. 3: Small Enterprise LAN, with test PC (Internal PC) added, and Web server in DMZ (diagram labels: Modem, DMZ LAN, 192.168.2.0/24, Virtual Machine 2 "Internal PC", Internal LAN)
Note: once you’re done with pilot testing and all is working great then you can migrate your setup
to your production environment.
1. Hop over to the IPCop website and download the latest package, which at the time of writing this lab manual was "Latest installation ISO (i386 1.4.20)".
2. Once you have downloaded the IPCop ISO for your architecture, you have the option of burning it to CD or simply using the ISO image to install from your virtual machine, in our case VMware.
3. Fire up a new virtual machine and perform the initial configuration and setup to boot from the ISO image; make sure you give the virtual machine three NIC adapters.
4. Start the virtual machine, and you should see the first IPCop installation screen as shown in Fig. 4. Hit the Enter key to commence installation.
5. From Fig. 5, select the desired language and then click OK.
Fig. 5
Figs. 6 to 9
10. Since we are not using data from a backup to populate this new IPCop install, select Skip (use the Tab key to move the selection) and then click OK, as shown in Fig. 10.
Fig. 10
11. From Fig. 11, select Probe to have the IPCop installer probe all the available NIC adapters, and then click OK when done.
Fig. 11
12. From Fig. 12, IPCop has detected the first NIC for the GREEN interface. Click OK to continue.
Fig. 12
13. From Fig. 13, enter the IP address for the GREEN interface, and then click OK to continue.
Fig. 13
14. As can be seen from Fig. 14, IPCop has been successfully installed. Make a note of port numbers 81 and 445 and the corresponding URLs: http://ipcop:81 or, for the secure (HTTPS) administration interface, https://ipcop:445. Always use the HTTPS port for administration so that the admin password is never sent in clear text. Click OK to continue.
Fig. 14
15. On the next screens choose your keyboard type and time zone.
16. From Fig. 15, accept the default hostname "ipcop", or change it as desired, and then click OK to continue.
Fig. 15
17. On the next screen, accept the default domain name "localdomain", or change it as desired, and then click OK to continue.
18. From Fig. 16, accept the default Protocol/Country selection, and then click "Disable ISDN", as we are not going to use it.
Fig. 16
19. On the next screen, accept the default selection "Network Configuration type", and then click OK to continue.
20. Recall that we have three NIC adapters for this firewall, so we choose "GREEN + ORANGE + RED" and then click OK to continue, see Fig. 17.
Fig. 17
21. Recall that we have already assigned the GREEN interface an IP address. Now it is time to assign the ORANGE and RED interfaces. Use the down-arrow key to select "Drivers and card assignments" and then click OK to continue, see Fig. 18.
Fig. 18
22. From Fig. 19, we are informed that the "ORANGE" and "RED" interfaces are UNSET. Click OK to continue.
Fig. 19
23. From Fig. 20, accept the default "ORANGE" selection to assign the unclaimed Ethernet card. Click OK
to continue.
Fig. 20
24. Repeat the same on the next screen to assign the unclaimed "RED" Ethernet card, and then click OK
to continue.
25. From Fig. 21, we’re informed that all the cards have been successfully allocated. Click OK to
continue.
Fig. 21
26. From Fig. 22, accept the default selection "Address Settings", and then click OK to continue.
Fig. 22
27. From Fig. 23, select "DHCP" to set the RED interface public IP address, and then click OK to
continue.
Fig. 23
28. From Fig. 24, go ahead and set the ORANGE interface with a static IP address, and then click OK to
continue.
Fig. 24
29. From Fig. 25 accept the default selection "DNS and Gateway Settings", and then click OK to
continue.
Fig. 25
30. From Fig. 26: if you selected DHCP for the RED interface, as in our case, you do not need to enter the DNS and Gateway settings; leave them blank, then click OK to continue.
Fig. 26
Note 1: For a production network, the public primary DNS server address and default gateway address will have been given to you by your ISP; in that case it is preferable to use a static IP address on your RED interface.
Note 2: Failure to enter the correct gateway IP address will prevent computers in the private LAN from accessing the Internet.
31. From Fig. 27, the DHCP server configuration, we’ll have the firewall to play the DHCP server role,
so we’ll enable it by hitting the space bar. Set the Start Address and End Address as desired.
Click OK to continue.
Fig. 27
32. From Fig. 28, we’re done adding all the required interfaces IP address, Gateway and DNS settings, so
we can now move out of this menu by clicking Done to continue.
Fig. 28
33. From Fig. 29, enter the root user's password. For security reasons, use a root password with good complexity!
Fig. 29
Note: when typing the password there is no echo from the keyboard and the cursor does not move! Just type the password, then hit the Tab key and type it again to confirm.
34. On the next two screens, enter the passwords for the admin and backup users. Again, for security reasons use passwords with good complexity, and do not reuse the root password.
35. The Setup is complete, as shown in Fig. 30. Press OK to reboot the IPCop firewall.
Fig. 30
36. Once the virtual machine has rebooted, log in to the IPCop console as root with the password you entered during setup, as shown in Fig. 31.
Fig. 31: Login to the IPCop console using the root user and password
37. Next we check that all our interfaces were configured correctly. Issue the "ifconfig" command and inspect each interface, i.e., eth0 (GREEN), eth1 (ORANGE) and eth2 (RED). From Fig. 32 we can see that all the configurations were done correctly.
38. Now we test all our interfaces using the ping command. Let us see whether we can ping each network interface: the GREEN interface "192.168.2.1", the DMZ ORANGE interface "192.168.3.1" and the RED interface "192.168.83.211", as shown in Fig. 33.
Fig. 33c: Ping interface eth2 (RED), IP address "192.168.83.211" obtained from the Internet-side DHCP.
Note: all the ping tests return the expected replies, indicating that the addresses are configured correctly on their respective interfaces, so we know that the three interfaces are correctly attached to Virtual Machine 1, which hosts the IPCop firewall. Keep in mind that pinging the firewall's own addresses from its console is answered by the local IP stack without the packet leaving the machine; connectivity across each link is tested in the next step.
Step 2: Test your Firewall Security from Outside your Private Network
In this section we test our firewall with the ping test again, this time from outside the firewalled network.
To perform this, log in to any computer that is not part of your network. In our case the ping test is run from the WinXP host machine (IP address 192.168.1.113) which hosts the VMware virtual machines (i.e., the IPCop and Internal PC virtual machines).
1. From Virtual Machine 1 (the IPCop console, Fig. 3), ping the WinXP host machine (IP address 192.168.1.113, not shown in the network diagram). You should have connectivity without any problem, as shown in Fig. 34.
2. Now, from the WinXP host machine, ping the RED interface eth2 with IP address "192.168.83.211". With IPCop's default settings the RED interface answers ping, so you should get replies, as shown in Fig. 35; this confirms that the outside path to the firewall works. (We switch these replies off later, in the Nmap step.)
Fig. 35
3. Next, from the WinXP host machine, ping the GREEN interface eth0 with IP address "192.168.2.1" and then the ORANGE interface eth1 with IP address "192.168.3.1". If your firewall is working correctly, you should not be able to reach eth0 or eth1 from outside the firewalled network; you should see "Request timed out" or "Destination net unreachable", as shown in Fig. 36. (An "unreachable" reply means the host has no route to those subnets at all, which is exactly what you want for networks hidden behind NAT on RED; the Nmap scan later on checks the filtering on the RED address itself.)
Fig. 36
Fig. 37
3. Next, fire up your favorite browser and in the address bar type: https://192.168.2.1:445. Accept the warning about the self-signed security certificate.
4. From Fig. 38, click the Connect button and then log in using the admin credentials.
5. After logging in, we need to check for and install updates to bring our firewall system up to date with the latest security fixes.
6. To do this, go to System → Updates → Download new updates, and then follow the procedure shown in Fig. 39.
7. Now click Status → System Status to view which services are running and other system activity, as shown in Fig. 40.
Fig. 41
6. Once the installation is completed, click Start → Programs → Nmap → Nmap – Zenmap GUI.
7. Next, enter the Internet facing IP address "192.168.83.211", i.e., the RED NIC adapter eth2, and then click Scan, as shown in Fig. 42.
8. As can be observed from Fig. 42, Nmap reports the ports on the public (RED) address as filtered: the firewall silently drops the unsolicited probes instead of answering them. IPCop is a stateful firewall, so it only lets traffic in from RED when it belongs to a connection that was started from GREEN or ORANGE.
9. For best security we also disable ping responses on the RED interface, using IPCop's web GUI under Firewall → Firewall Options, then Save, as shown in Fig. 43.
You are done installing Nmap and using it to test the IPCop firewall.
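The ping and Nmap results above follow from two rules: a stateful firewall remembers the flows started from inside and lets only their replies back in, and unsolicited packets arriving on RED are dropped, except ICMP echo to the RED address while ping responses are enabled. The following Python model is an added example and not IPCop's code (IPCop builds its real rules with iptables); the zone names, the lab addresses used in the replay and the 5-tuple connection tracking are assumptions made for the illustration. It replays the lab's tests, and a few the page does not run, through that policy:

```python
# Added example (not IPCop's own code): a small model of the zone policy an
# IPCop-style stateful firewall enforces between GREEN, ORANGE and RED.
from dataclasses import dataclass, field

GREEN, ORANGE, RED, FW = "GREEN", "ORANGE", "RED", "FW"   # FW = the firewall itself


@dataclass(frozen=True)
class Packet:
    zone_in: str          # interface the packet arrived on
    zone_out: str         # where it is going: GREEN/ORANGE/RED or FW (local delivery)
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False     # tcp only: SYN without ACK, i.e. a new connection attempt
    icmp_type: int = 0    # icmp only: 8 = echo request, 0 = echo reply

    def flow(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_flow(self):
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class StatefulFirewall:
    red_ping_enabled: bool = True            # Firewall Options: ping response on RED
    conntrack: set = field(default_factory=set)

    def accept(self, p: Packet) -> bool:
        # 1. The stateful part: anything answering a flow we already track is allowed,
        #    whichever interface it arrives on.
        if p.reverse_flow() in self.conntrack:
            return True
        # 2. A TCP segment that is not a SYN and matches no tracked flow is bogus
        #    (ACK scans, spoofed mid-stream packets) and is dropped.
        if p.proto == "tcp" and not p.syn:
            return False
        # 3. New flows: policy depends on where the packet came from.
        if p.zone_in == GREEN:
            allowed = True                       # trusted LAN may start anything
        elif p.zone_in == ORANGE:
            allowed = p.zone_out == RED          # DMZ may reach the Internet, never GREEN or FW
        elif p.zone_in == RED:
            # The Internet may only talk to the firewall itself, and then only with
            # ICMP echo while ping responses on RED are switched on.
            allowed = (p.zone_out == FW and p.proto == "icmp"
                       and p.icmp_type == 8 and self.red_ping_enabled)
        else:
            allowed = False
        if allowed:
            self.conntrack.add(p.flow())         # remember it so the reply can come back
        return allowed


def replay_lab_tests(ping_on_red: bool = True) -> dict:
    """Replay the lab's tests through the model, using the lab's own addresses."""
    fw = StatefulFirewall(red_ping_enabled=ping_on_red)
    internal_pc = "192.168.2.10"        # assumed GREEN client address
    dmz_web = "192.168.3.10"            # assumed ORANGE web server address
    red_ip, host = "192.168.83.211", "192.168.1.113"
    r = {}
    # Internal PC opens a web connection outward; the SYN goes out, the SYN/ACK comes back.
    r["green_to_red_syn"] = fw.accept(Packet(GREEN, RED, "tcp", internal_pc, host, 40000, 80, syn=True))
    r["red_reply_to_green"] = fw.accept(Packet(RED, GREEN, "tcp", host, internal_pc, 80, 40000))
    # Outside host pings the RED address (Fig. 35).
    r["ping_red"] = fw.accept(Packet(RED, FW, "icmp", host, red_ip, icmp_type=8))
    # Outside host tries the admin GUI port on the RED address: never allowed.
    r["red_to_gui_445"] = fw.accept(Packet(RED, FW, "tcp", host, red_ip, 50000, 445, syn=True))
    # Outside host sends a bare ACK at the internal PC (what an ACK scan does).
    r["red_ack_scan"] = fw.accept(Packet(RED, GREEN, "tcp", host, internal_pc, 50001, 139))
    # A compromised DMZ web server tries to open a connection into GREEN...
    r["orange_to_green"] = fw.accept(Packet(ORANGE, GREEN, "tcp", dmz_web, internal_pc, 50002, 445, syn=True))
    # ...but may still fetch updates from the Internet.
    r["orange_to_red"] = fw.accept(Packet(ORANGE, RED, "tcp", dmz_web, host, 50003, 80, syn=True))
    return r


if __name__ == "__main__":
    for name, verdict in replay_lab_tests().items():
        print(f"{name:20s} {'ACCEPT' if verdict else 'DROP'}")
    print("ping_red with ping disabled:", replay_lab_tests(ping_on_red=False)["ping_red"])
```

The model makes the point of step 9 explicit: disabling ping on RED closes the one unsolicited path from the Internet to the firewall that the default policy leaves open, and it is the only setting in the replay whose outcome changes. Real netfilter state tracking also times entries out and handles ICMP errors and UDP pseudo-connections; those details are omitted here.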
1. Log in to your IPCop web admin GUI; we need to enable SSH to allow us to transfer files securely to the IPCop system. Go to System → SSH Access, check the box and then click Save.
2. Download and install WinSCP, which we are going to use to transfer files to the IPCop system. Install the Explorer style interface for ease of use.
3. Download the URL Filter add-on, at the time of writing "ipcop-urlfilter-1.9.3.tar.gz", and place it on the Desktop.
4. To complete the install, connect to IPCop with WinSCP: click Start → Programs → WinSCP → WinSCP. Use hostname ipcop, port number 222 (IPCop's SSH port) and the root credentials, and then click Login. Click Yes when prompted to accept the host key. Change to IPCop's /tmp directory, then drag and drop the "ipcop-urlfilter-1.9.3.tar.gz" file into it.
5. Now log in to IPCop's console, change into the /tmp directory and untar the downloaded file, as shown in Fig. 44.
Fig. 44
6. Next change into the unpacked "ipcop-urlfilter" directory and run the installer:
# cd ipcop-urlfilter
# ./install
Answer yes to proceed. The installer scrolls through the installation steps and reports whether the installation was successful. After the installation is complete, go back and disable SSH access to IPCop by unchecking the box. The rest of the configuration will be done from IPCop's web GUI.
8. To have IPCop's web proxy use this content filter, we need to enable the proxy first. Click the Services tab, select Proxy server and then check the following options, as shown in Fig. 45:
Enabled on Green: turns on the web proxy.
Transparent on Green: silently redirects web traffic to be processed by the web proxy.
Log Enabled: creates a log of all usage, including blocked requests.
Note 1: We want the web content filter to remain in effect even if technically minded users change the proxy settings in their browser. As long as all the computers on the LAN use this firewall as their gateway, the transparent proxy intercepts their plain HTTP (port 80) traffic and forces it through the content filter. Be aware of the limit of this: transparent interception does not cover HTTPS or HTTP on non-standard ports, so a determined user can still bypass the filter unless outgoing traffic on those ports is restricted as well.
Note 2: To enable the web content filter, both Enabled on Green and Transparent on Green must be checked. Leaving Transparent on Green unchecked still provides web content filtering for browsers that have the proxy set explicitly in their settings. Note also that we have used the default proxy port of 8080. Click Save to apply the changes, as shown in Fig. 45.
Clicking Update now downloads the latest blacklists. Be patient; it takes some time, depending on your bandwidth. When it completes, refresh the page and you should see an expanded list of categories to choose from.
4. The URL filter is highly configurable with many options, and its simple web filter is easy to set up. Simply tick the categories to block as desired; in our case we have selected to block: porn, ads, gamble, hacking, spyware and jobsearch, as shown in Fig. 47.
Fig. 47
5. Now that we have blocked the sites that company web use policy forbids, we need a way to notify users via a warning page in the event that a user "accidentally" surfs to one of these sites.
Key Advanced Settings
There are a few additional settings that most network admins use to make the filter more useful. Scroll down and perform the following tasks, see also Fig. 48:
1. Under the Block page settings heading, enable the following:
• Show category on block page: when a page is blocked, this shows the user which web filter category caused the site to be blocked.
• Show URL on block page: this shows the actual address that triggered the filter.
• Show IP on block page: this shows the IP address of the client whose request was blocked, which is handy when following up a log entry.
• Enable log: ensures that users' web visits are logged.
4. Finally, don't forget to click Save and restart to apply all the changes.
6. Now anyone surfing to a blocked site will get the message shown in Fig. 48. To test this, enter any URL or domain name in a blocked category.
In this case the user has been denied access to the website because he tried to search for a job on a company computer, which is set to block the "jobsearch" category under company policy. Employees of this company are not allowed to use computers for non-work related purposes, e.g., searching for a job at work.
Fig. 48: A web user denied access to a job search website due to company web use policy.
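To see how a request ends up on that block page, here is a simplified Python model of the matching the URL Filter add-on (which is built on squidGuard) performs. This is an added example, not code from the add-on or from squidGuard; the category lists are constructed sample data standing in for the downloaded blacklists, and the custom allow entry is an assumption. The rules it implements are the squidGuard ones the add-on relies on: a "domains" entry matches the host and every subdomain of it, a "urls" entry matches a host plus path prefix, and an allow list entry wins over every blocked category.

```python
# Added example, not the URL Filter add-on's own code: squidGuard-style category
# matching with the "Show ... on block page" options from the settings above.
from urllib.parse import urlsplit

# Constructed sample data: category -> (domain entries, url entries)
SAMPLE_BLACKLISTS = {
    "jobsearch": ({"monster.com", "indeed.com"}, set()),
    "hacking":   ({"exploit-db.com"}, {"example.org/hacking-tools"}),
    "ads":       ({"doubleclick.net"}, set()),
    "porn":      (set(), set()),          # left empty in this sample
}
# The categories ticked in Fig. 47
BLOCKED_CATEGORIES = {"porn", "ads", "gamble", "hacking", "spyware", "jobsearch"}
# Custom allow list (assumed): the company's own careers page stays reachable
CUSTOM_ALLOW_DOMAINS = {"careers.example.com"}


def host_matches(host: str, domain: str) -> bool:
    """squidGuard domain semantics: the entry itself or any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def split_request(url: str):
    """Return (host, host+path) in the normalised form used for matching."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    return host, host + parts.path.rstrip("/")


def classify(url: str, blacklists=SAMPLE_BLACKLISTS,
             blocked=BLOCKED_CATEGORIES, allow=CUSTOM_ALLOW_DOMAINS):
    """Return the blocked category that matches the request, or None if allowed."""
    host, hostpath = split_request(url)
    if any(host_matches(host, d) for d in allow):
        return None                                   # allow list is checked first
    for category in sorted(blocked):                  # deterministic order
        domains, urls = blacklists.get(category, (set(), set()))
        if any(host_matches(host, d) for d in domains):
            return category
        if any(hostpath == u or hostpath.startswith(u + "/") for u in urls):
            return category
    return None


def block_page(url: str, category: str, client_ip: str,
               show_category=True, show_url=True, show_ip=True) -> str:
    """Text of the block page, honouring the three "Show ... on block page" options."""
    lines = ["ACCESS DENIED",
             "The requested page is blocked by the company web use policy."]
    if show_category:
        lines.append(f"Category: {category}")
    if show_url:
        lines.append(f"URL: {url}")
    if show_ip:
        lines.append(f"Client address: {client_ip}")
    return "\n".join(lines)


def filter_request(url: str, client_ip: str):
    """What the proxy does with one request: ('allow', None) or ('block', page text)."""
    category = classify(url)
    if category is None:
        return "allow", None
    return "block", block_page(url, category, client_ip)


if __name__ == "__main__":
    for u in ("http://www.monster.com/jobs", "https://careers.example.com/openings",
              "http://example.org/hacking-tools/nmap.zip", "http://www.example.com/"):
        print(u, "->", filter_request(u, "192.168.2.10")[0])
```

Two consequences of these rules are worth knowing when you tune the lists: "notmonster.com" does not match a "monster.com" domain entry, because matching is on whole labels, and a "urls" entry can only ever match plain HTTP, since for HTTPS the proxy sees just the CONNECT host (and, in transparent mode, sees no HTTPS at all).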
In the next section we further extend the IPCop firewall's capability by installing Copfilter, which comes with an impressive list of security programs, such as antivirus, to keep watch on your network.
Note: At this point, before continuing with the next section, it is advisable to back up the current state of your IPCop, since we are going to do more installation and configuration of the system.
Copfilter is a package of various open source traffic filtering programs and tools, customized and built to work together smoothly. All included proxies filter traffic transparently, which means that no client reconfiguration is necessary.
It scans POP3 and SMTP email for viruses and spam. Instead of a virus infected email, the user receives a virus notification message containing details about the original email, which can also be quarantined if desired.
Spam email is tagged as spam by inserting the following text into the subject field: *** SPAM ***
With this in place, any email client can use its own message filtering rules to automatically delete these spam messages or move them into a different folder for later review.
HTTP and FTP traffic are also scanned for viruses. If a virus is found, access to that web page or file is denied. Note that, as with any filter on the gateway, only traffic that passes in clear can be inspected; mail fetched over POP3S or IMAPS, or web pages over HTTPS, is not seen by the scanners.
1. Log in to IPCop's web admin GUI and enable SSH access to allow uploading of Copfilter.
2. Hop over and download Copfilter; at the time of writing we used copfilter-0.84beta3a.tgz, which the author considers the most stable, and save it in your favourite directory.
3. Fire up WinSCP, log in over SSH, and move the downloaded file into the /tmp directory. Then, on the IPCop console:
# cd /tmp
# tar -xzvf copfilter-0.84beta3a.tgz
# cd copfilter-0.84beta3a
# ./install
Answer y at the [y/N] prompt.
Reboot the system after the installation has completed successfully for the changes to take effect.
Note: On rebooting, the system may report some errors, as shown in Fig. 50. Hitting Enter at the terminal brings up the login prompt. The problem was that the e-mail address to which reports are sent had not yet been set.
Fig. 50: Errors reported during reboot after Copfilter installation. Hit Enter and proceed to log in.
4. Log in to the IPCop web admin GUI and correct the email problem by going to the Email link in the Copfilter menu, as shown in Fig. 51.
Fig. 51: To correct the errors, configure the email settings as desired.
5. Reboot the system again after configuring the Email settings in Copfilter.
6. This time you should not see any errors, unless your messaging server is not working correctly.
Scroll down and click Save settings (and restart service) button.
1. To access these settings go to Copfilter → POP3 FILTER configuration, which opens the POP3 scanning (P3Scan) page, as shown in Fig. 55. The options listed below are the ones to turn ON; all others are left in their default OFF state.
Note: The net effect of this configuration is an aggressive stance on scanning, dropping and notifying you of spam/malware before it reaches your internal network.
1. To check the effect, click Status → System. There is a 40% increase in memory usage after enabling the security programs under Copfilter.
2. Since we are running the IPCop firewall as a virtual machine, adding more memory is as easy as editing the virtual machine's settings; no need to open a physical box!
3. Shut down the IPCop virtual machine, then from the VMware interface click VM → Settings and, on the Hardware tab, click Memory and adjust the memory setting as desired; in our case we set it to 1.5G.
Note 1: Remember to back up your IPCop virtual machine in case you need to restore it after a catastrophic system failure.
You’re done with lab assignment for now. However, you may continue to explore and expand the
functionality of your IPCop machine as desired.
1. Login to the IPCop's Web Admin GUI and enable SSH; this will allow us to use WinSCP to upload the
OpenVPN package into the IPCop system.
2. Hop over and download the ZERINA installer and save it to one of your favorite directories. At the time
of writing this article, we downloaded "ZERINA-0.9.7a14-Installer.tar.gz"
3. Now use WinSCP to upload the downloaded file into the /tmp directory, and then issue the following
commands:
# cd /tmp
# tar -xzvf ZERINA-0.9.7a14-Installer.tar.gz
# ./install
Troubleshooting: If you encounter a problem during the Zerina installation with IPCop versioning, it's
because the Zerina installer does a version check. Open the "install" file with your favorite text
editor and change the relevant line. This has been discussed here before, and a search on "1.4.21"
and "Zerina" would have got you this information. OpenVPN is a copyright and trademark of OpenVPN
Technologies, Inc., a Delaware corporation in the US.
4. When done with OpenVPN installation, do ensure that you have disabled SSH.
5. Head back to http://192.168.2.1:81, click VPN tab, and then select OpenVPN. You will see the
screen as shown in Fig. 60. This page has all of the configuration options for OpenVPN.
1. Configure OpenVPN
6. Now set up the following:
• Check the box next to "OpenVPN on Red", which is the external connection you want
OpenVPN to listen on.
• Change "Local VPN Hostname/IP" to a different IP range (e.g., 192.168.83.211)
• Change "OpenVPN Subnet" to the appropriate settings for your IP range
• Change "Protocol" to TCP.
• Check the box next to "LZO-Compression"
• Click Save
7. Next, from Fig. 60, click the Advanced Server Options screen and, under the Additional Push
Route section, in the first box type in the IP / Subnet of your remote IPCop GREEN network. There
are 6 boxes; in our case, I'll only fill the 1st box, as follows:
GREEN Subnet: 192.168.0.0/255.255.255.0
Click: Save Advanced Options
Note 1: On the OpenVPN configuration page, under the Roadwarrior Client status and control
heading, after you have created a client connection profile, you will see the icons next to it on the
right-hand side, as shown in Fig. 63. You can download it by clicking the Diskette icon.
Fig. 63
Note 2: Click the icon to the left of the info icon, and save the .zip file in your favorite folder. You'll need
to get this file to the client/remote computer (e.g. via USB memory stick or email).
10. Now that everything is set up, click on the "Start OpenVPN" button to start the OpenVPN server. If
everything is set up correctly the status will change to "Running".
In this section we’re going to install and configure OpenVPN on the Client machine (Roadwarrior
machine). To do this, perform the following procedure:
1. Hop over and download and install OpenVPN. In our case we're going to set it up on Windows, so we'll
download OpenVPN GUI, as it allows the user to start and stop OpenVPN from a taskbar icon.
(Linux/Unix users can either download and compile OpenVPN or download it via their package
managers.)
2. Click to download "openvpn-2.0.9-gui-1.0.3-install.exe" at the time of writing; and then click Run and
Run again and follow the OpenVPN Setup Wizard shown in Fig. 64 to complete the installation.
Fig. 64
Note: When done you should see an additional icon on your taskbar.
4. Extract these files into the C:\Program Files\OpenVPN\config folder on your client computer. Open
the ".ovpn" file in a text editor and verify that the 'remote' line IP address points to your external IP; if it
does not, change it as needed. If you have a dynamic IP address, then I would suggest signing up for a
dynamic DNS service like DynDNS.org (which IPCop has an update client for) and replacing the IP
with your DynDNS address.
5. Right-click on the OpenVPN icon and click Connect, as shown in Fig. 65. Enter the password we set in
Step 2, list 9, and you should be connected; the tray icon should change to indicate the connection.
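The 'remote' line check above, and the server choices made in the OpenVPN page (TCP, LZO compression, listening on Red), can be verified mechanically before the profile is copied to the roadwarrior machine. The following is an added example written for this lab, not part of the original document or of the ZERINA/IPCop code; the sample .ovpn text is constructed, and the default port 1194 is an assumption about the server settings.

```python
import re

# Constructed sample of a roadwarrior .ovpn profile of the kind the IPCop
# OpenVPN page exports in the lab; the values are illustrative, not a real file.
SAMPLE_OVPN = """\
client
dev tun
proto tcp
remote 192.168.83.211 1194
comp-lzo
ca cacert.pem
pkcs12 roadwarrior.p12
verb 3
"""

def parse_ovpn(text):
    """Map each directive to its argument list (first occurrence wins).
    Comments starting with '#' or ';' are stripped, as OpenVPN does."""
    conf = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            conf.setdefault(name, args)
    return conf

def check_profile(text, expected_host, expected_port="1194", expected_proto="tcp"):
    """Return the mismatches between the client profile and the server settings
    chosen in the lab (OpenVPN on Red, TCP, LZO). An empty list means it matches."""
    conf = parse_ovpn(text)
    problems = []
    remote = conf.get("remote")
    if not remote:
        problems.append("no 'remote' directive")
    else:
        if remote[0] != expected_host:
            problems.append(f"remote host {remote[0]} != {expected_host}")
        port = remote[1] if len(remote) > 1 else "1194"  # OpenVPN's own default port
        if port != expected_port:
            problems.append(f"remote port {port} != {expected_port}")
    proto = conf.get("proto", ["udp"])[0]  # OpenVPN defaults to UDP when unset
    if proto != expected_proto:
        problems.append(f"proto {proto} != {expected_proto}")
    if "comp-lzo" not in conf:
        problems.append("comp-lzo missing but LZO compression is on at the server")
    return problems

def set_remote(text, new_host, port="1194"):
    """Replace the remote line, e.g. to swap a changing public IP for a DynDNS name."""
    return re.sub(r"(?m)^remote\s+\S+(\s+\S+)?.*$", f"remote {new_host} {port}", text, count=1)
```

Run `check_profile(SAMPLE_OVPN, "<your external IP>")` against the downloaded profile; a non-empty list names each line to correct, and `set_remote` rewrites the remote line for the DynDNS case.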
Fig. 65
6. OpenVPN should connect to your firewall and assign you an internal IP address in the
"10.231.132.0" range by default. From this point you can browse your home computers just as if
you were sitting at home.
7. To test your connectivity to the private network, ping the internal PC from the Roadwarrior remote
client machine; as can be seen in Fig. 66, we have connectivity without any problem.
Fig. 66
You're now done with installing and configuring OpenVPN on the IPCop firewall.
Stay tuned as I’ll continue to add more info and hands-on labs!
Part 8: Troubleshooting Problem with Intrusion Detection (Snort) on IPCop Firewall 1.4.21
To solve the following error when updating the ruleset: "HTTP::Response=HASH(0x82a3c14)->code
registered md5",
1. If you encountered a problem after installing and setting up Intrusion Detection with Sourcefire
VRT Certified Rules using an Oink Code, and when you tried to Refresh update list you saw the
following error message:
HTTP::Response=HASH(0x82a3c68)->code
The reason is that snort.org now publishes rules on a current branch that is no longer
compatible with snort-2.6.1.5.
2. We have manually added the current branch to date. You can find it on snort.org, if you have an
account there, under My Account-->My Oinkcodes, along with the code (you must have an
account at snort.org to access the code and use Snort in IPCop).
3. Click Save → click Apply now → click Refresh update list → click Download new ruleset.
You’re done with IPCop firewall setup and configuration. In the next session, you’ll learn how to test and
audit your network security defence and vulnerability effectiveness.
2. Vulnerability scanning typically uses automated systems. It requires minimal hands-on intervention in
the qualification and assessment of vulnerabilities. This is a fast and inexpensive way to ensure that
no obvious vulnerabilities exist, but it doesn’t provide the granular analysis found in a full manual test.
3. Network security assessment sits between vulnerability assessment and full penetration testing and
utilizes an effective blend of tools. It requires qualified and trained security analysts.
4. Full penetration testing involves multiple attack vectors to compromise the target environment. Within
the security community penetration testing is considered an 'art'.
[Figure: assessment depth versus cost/time]
• zero-knowledge test
• full knowledge test
• partial knowledge test
2. The target organization must decide what type of test is the best according to their IT security needs.
i. Zero-knowledge attack (black box): the penetration team has no real information about the
target environment and must generally begin with information gathering. This type of test is
obviously designed to provide the most realistic penetration test possible.
ii. Partial knowledge test (partial black box): the target organization provides the penetration
test team with the type of information a motivated attacker could be expected to find, and
saves time and expense. To conduct a partial knowledge test, the penetration team is
provided with such documents as policy and network topology documents, asset inventory,
and other valuable information.
iii. Full-knowledge attack (white box): the penetration team has as much information about the
target environment as possible. This approach is designed to simulate an attacker who has
intimate knowledge of the target organization’s systems, such as a current or former
employee.
Rationale: It provides a useful framework and comes with detailed documentation for penetration
testing. In particular, see section S - Web Server Security Assessment, section T - Web
Application Security Assessment, section U - Web Application Security Assessment - SQL injections,
and section V - Source Code Auditing.
1. Metasploit Framework
• What is it?
The Metasploit Framework is a development platform for creating security tools and exploits. The
framework is used by network security professionals to perform penetration tests, system
administrators to verify patch installations, product vendors to perform regression testing, and
security researchers world-wide. The framework is written in the Ruby programming language
and includes components written in C and assembler.
• What does it do?
The Metasploit Framework consists of tools, libraries, modules, and user interfaces. The basic
function of the framework is a module launcher, allowing the user to configure an exploit module
and launch it at a target system. If the exploit succeeds, the payload is executed on the target and
the user is provided with a shell to interact with the payload.
2. Nessus
Nessus is an open-source network vulnerability scanner that uses the Common Vulnerabilities and
Exposures architecture for easy cross-linking between compliant security tools. Nessus employs the
Nessus Attack Scripting Language (NASL), a simple language that describes individual threats and
potential attacks.
Nessus has a modular architecture consisting of centralized servers that conduct scanning, and remote
clients that allow for administrator interaction. Administrators can include NASL descriptions of all
suspected vulnerabilities to develop customized scans. Significant capabilities of Nessus include:
• Compatibility with computers and servers of all sizes.
• Detection of security holes in local or remote hosts.
• Detection of missing security updates and patches.
• Simulated attacks to pinpoint vulnerabilities.
• Execution of security tests in a contained environment.
The Nessus server is currently available for UNIX, Linux and FreeBSD. The client is available for UNIX- or
Windows-based operating systems.
-----------------------------------------------
Kefa Rabah is the Founder and CIO of Serengeti Systems Group Inc. Kefa is knowledgeable in
several fields of Science & Technology, IT Security Compliance and Project Management, and
Renewable Energy Systems. He is also the founder of Global Open Versity, a place to enhance
your education and career goals using the latest innovations and technologies.
[Network diagram (© January 20, 2007, Global Open Versity, Vancouver Canada, www.globalopenversity.org): Internet with Business Partners Access over a public IP address and Internet Wi-Fi; DMZ network behind Switch 1 with FTP Server and Web Server; IPCop Firewall with IDS; internal network 192.168.0.0/24 behind Switch 2 with Win7, Mac OSX, Server: Win2k8 AD, Dbase, Linux, Win-Vista and a WinXP Terminal, internal Wi-Fi, Switch 6 - Rm 300, and SSO Access to Network Resources.]
Note: Add network devices to switches 3 & 4 or any other part of the network as desired.