Video: pfSense on a Flash Drive (Part One)


A reader e-mailed me asking the pros and cons of running pfSense from a flash drive. I wasn’t sure myself, so I got a flash drive and tried it myself. In part two, I will try to run pfSense from the flash drive on one of my computers.

pfSense 2.1.3 Released

pfSense 2.1.3, a relatively minor upgrade from the recently-released 2.1.2, has been release. You can read about it in this blog posting at the official pfSense site. I decided to upgrade my firmware to the latest version, and even made a video of it:

pfSense 2.1.2 Release Up For Testing

nlogUnless you’ve been living in a broom closet, you probably know about the OpenSSL bug that makes users using sites whose web servers use the OpenSSL library potentially vulnerable to eavesdropping. The pfSense development team is on the case, and they have already posted a fix for the OpenSSL bug. Needless to day, I guess I am going to have to update the links on the downloads page again, since this will likely become the pfSense 2.1.2 release. You can read about it at the pfSense mailing list.

New Website Launched

Although pfsensesetup.com remains my primary focus, I have launched a new website: eVPN Gratis. The emphasis on this new blog will be on reviews and information about free VPN services. There are only two articles posted so far, but I will be adding new articles in the upcoming weeks.

Chris Buechler Interviewed

Chris Buechler of the pfSense project was interviewed on Jupiter Broadcasting’s BSD podcast. The interview begins 13 minutes and 13 seconds into the podcast.

Remote Access Options

remote accessSooner or later, odds are good that you will either want or need the ability to work remotely. Providing remote access must be undertaken very cautiously, because as soon as you allow an employee to connect to the corporate network, you have to some degree extended your network boundary to their workstation. This means your network’s security is now only as good as the security of the remote user’s system or network. In some cases, this borders on no security at all. This is why remote access must only be granted after careful consideration and planning. While the different types of remote access have different levels of security risk, all types of remote access have some common planning and configuration steps.

Remote Access: VPNs

The first step is to determine what type of remote access is appropriate. A virtual private network (VPN) extends a private network across a public network, such as the Internet. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This generally provides the greatest level of functionality, but also poses the greatest risk. If the remote system is compromised, an attacker is effectively inside your corporate network. While there are steps you can take to mitigate these risks, they may be time-intensive and effort-intensive. To plan, configure and properly secure a VPN solution is the most involved choice of the various remote access solutions you could provide.

Remote Access: Remote Desktop Software

Another option is to provide remote desktop functionality. This would allow a remote user to see and use the desktop of a system at work. A remote desktop acts as if the user is at work, while a VPN acts as if the user’s computer is at work. This type of solution is slightly easier to implement, because you can typically isolate the traffic that needs to be permitted through the firewall to a single TCP port. Many of the same risks exist, however, in that if an attacker manages to gain access to an internal desktop remotely, it is usually easy for them to move information out of the network or otherwise cause mischief. Another key consideration with this type of solution is that you need to have a computer at home and a computer at work. With the VPN option, youonly need to use one system, so if the user has a laptop, it can be used while they work remotely. There are several options for remote desktop functionality: LogMeIn (which is no longer free), TeamViewer (free for home users), and Symantec’s PcAnywhere, to name but a few.


Remote Access: Remote Shell

The last and least functional option is that of a remote shell. Because most users do not operate extensively (or even at all) in a console environment, this type of remote access is generally most suitable for network administration personnel. While it may be impossible for typical users to operate their systems without a GUI, many network tasks and most firewall administration tasks can be permormed with only terminal access. Because the widely-used Telnet protocol sends all data unencrypted, any sensitive tasks should only be performed using a secured protocol such as secure shell (SSH), or Telnet over a Secure Internet Protocol (IPsec) tunnel.

External Links:

VPN at Wikipedia

netfilter Operation: Part Two

netfilter operationNow that we have covered the various tables and chains, we can discuss the overall packet flow. The key to remember is that not all packets traverse all chains. To further complicate matters, packets will traverse different chains depending on whether they are sourced from the netfilter host, destined for the netfilter host, or just passing through the netfilter host. Knowing this will save you time when troubleshooting your firewall rules in the future.

Targets are the actions that should be taken when a packet matches a given rule. A target is specified using the -j syntax (for jump). The primary targets used for a firewall are ACCEPT and DENY.

  • ACCEPT: The packet is accepted and processed by the rest of the TCP/IP stack.
  • DENY: The packet is dropped and no notice is given to the sender. While this does not honor the TCP/IP protocol specifications, it is considered the most secure option, because it denies a hacker useful information about the firewall. This behavior also has a negative side effect, which is if a system is trying to initiate a connection to a port that is blocked by a firewall, the connection attempt must time out before the initiating host gives up. If you use REJECT, the Internet Control Message Protocol (ICMP) port will allow the initiating system to abort the connection attempt immediately.
  • LOG: This allows you to perform kernel logging, which appears in the syslog log. Further options allow you to specify the log level and a descriptive prefix for the log entry.
  • RETURN: Processing continues in the previous chain at the rule just after the last rule processed in that chain.
  • QUEUE: This is a special target that will hold (or queue) a packet for processing by a userspace process.


Unlike some firewalls, netfilter allows you to apply multiple rulesets (chains) to the same interface. Although it may seem minor, this option creates a lot of powerful possibilities. For example, suppose you have an ACL and you want to permit all packets originating on the 192.168.1.0 network except those from 192.168.1.25, which is a host that a third party uses and is not a completely trusted system. You want packets sourced from 192.168.1.25 with a destination port of 22, 25, 53, 80 and 443 to be permitted, while all other packets are to be blocked.

Using netfilter and iptables, you can create a rule to implement this policy:

1 somerule
2 iptables -A FORWARD -p tcp -s 192.168.1.25 -j CUSTOM
2.1 iptables -A CUSTOM -p tcp -s 192.168.1.25 –dport 22 -j ACCEPT
2.2 iptables -A CUSTOM -p tcp -s 192.168.1.25 –dport 25 -j ACCEPT
2.3 iptables -A CUSTOM -p tcp -s 192.168.1.25 –dport 53 -j ACCEPT
2.4 iptables -A CUSTOM -p tcp -s 192.168.1.25 –dport 80 -j ACCEPT
2.5 iptables -A CUSTOM -p tcp -s 192.168.1.25 –dport 443 -j ACCEPT
2.6 iptables -A CUSTOM -p ip -s 192.168.1.25 -j DROP
2.7 iptables -A CUSTOM -j RETURN
3 iptables -A FORWARD -p ip -s 192.168.1.0/24 -j ACCEPT
4 somerule

Using netfilter and iptables, we created rule #2, which says that the source address is 192.168.1.25 for processing the CUSTOM chain. You can create the CUSTOM chain with the iptables -N CUSTOM command. Within the CUSTOM chain, you check for the five permitted destination ports (rules 2.1-2.5) and then reject everything else (rule 2.6). Rule #2.7 has no matching criteria and will therefore match on nay packet and instruct the packet to return to the FORWARD chain where processing can continue. FORWARD chain rule #3 permits all other packets from the 192.168.1.10/24 network. This means that packets not sourced from 192.168.1.25 only have to be checked against rule #2 and can then move through the chain(s) instead of being checked against all the rules.


External Links:

Using Custom Chains in iptables at my.safaribooksonline.com

Linux Firewall Installation Media

Linux firewallOne of the more interesting features that Linux has over Windows is that it can be run from a variety of media. While Windows is notoriously difficult to configure to run from a CD-ROM (but still possible: see www.ubcd4win.com for the Ultimate Boot CD for Windows), there are Linux distributions that are capable of running off a traditional hard disk install, CD-ROM, a Universal Serial Bus (USB) drive, or even a floppy disk. Each media type offers some security pros and cons, and not every distribution will be available on every media type. If you need the features of a specific distribution that doesn’t come on the media you prefer, you may need to make a compromise. You will need to research the different media options and choose one that fits in your environment. We will review some of the pros and cons of each for Linux firewall installations.

Linux Firewall: Hard Disk Installation

The full install is the traditional install to a system’s hard disk. Much like Windows, you boot up an install CD and walk through a guided install process. Most of the Linux distributions installed on the hard disk offer graphical user interface (GUI) install programs that walk you through the installation steps. There is no great advantage to using this type of distribution other than that the size of the hard disk allows you to install a lot of extra software. For a firewall, you generally want to keep the software running to a minimum to enhance security, so this shouldn’t be a very big consideration. This type of installation also has the advantage that it will be easy to modify and alter the configuration if needed.


On the down side, this type of installation has all of the same disadvantages of a Windows bastion host: the entire system is sitting on the hard drive, and if a hacker manages to compromise the root account, they will be able to install a virus or Trojan on the system that can survive future reboots. This type of install isn’t any better or worse than if you were using Windows for your bastion host OS. Despite these concerns, it is the most common type of Linux firewall installation, and most versions of Linux install the firewall components by default. This means if you download a version of Linux you like and install it to a hard disk, you will have a firewall waiting to be configured when you’re done.

Linux Firewall: CD-ROM Installation

While you can get Windows running off of a bootable CD-ROM or live CD, it takes a lot more work than it does with Linux. There are many versions of Linux designed specifically to run from a CD-ROM, allowing you to turn virtually any machine into a Linux firewall, router, or general-purpose PC. There is an obvious security advantage to having all of your configuration information on read-only media media. Even if a hacker manages to compromise the system, all it takes is a reboot and it can be restored to its previous condition. The system can still fall victim to a hardware failure such as a failed central processing unit (CPU), all you would need to do to restore your firewall would be to move the CD to a new system and reboot.

The primary advantage to a CD-ROM-based Linux firewall installation is also the primary disadvantage. If you burn the entire OS and configuration settings to a CD, any time you need to make adjustments you would need to burn a new CD-ROM. The cost of the CD media should not be an issue, but such a configuration may hinder your ability to remotely administer the system, which would be limited to making changes to the running configuration. Changes that remained after a reboot would require someone local to insert the CD-ROM containing the new configuration. If you needed to implement and test changes that required a reboot to take effect, this type of setup would make things more difficult. Finally, due to simple space limitations on a CD-ROM, you may not be able to fit all of the needed software or functionality on a CD-ROM. That being said, if the firewall rules are relatively static and don’t require frequent adjustment, a live CD could be a very attractive option.

Linux Firewall: USB Drive Installation

If the space limitations are acceptable, a Linux firewall booting from a USB disk may offer the best compromise in security and flexibility. Having the operating systems and firewall software on a pen drive offers the same type of flexibility that a CD-ROM-based system provides, with increased storage capacity over that of a CD-ROM. If you purchase a USB disk that includes a physical write protect switch, you can make changes on the fly, like a live system, and then write protect the disk against modification when you are done. As the storage capacity of USB drives increases, you will be able to use a USB-based distribution that includes increasingly greater functionality. One key consideration with this type of media is that not all systems will support booting from a USB disk. While almost all newer systems support this option, some of the older systems that you may wish to install a free firewall on do not.

Linux Firewall: Floppy Disk Installation

Although the functionality is typically very limited, there are many versions of Linux that can fit on a 3.5-inch disk, and that can be used for Linux firewalls. The primary advantage of these distributions is their low resource requirements. Often, the systems only require 8 or 16 megabytes of memory and a 486 to function. The ability to toggle the write-protect switch on the floppy can also provide a high degree of configuration flexibility and security. Considering the unreliable nature of floppy disks, it probably wouldn’t be appropriate for use if an outage cannot be tolerated. At the very least you should have duplicate floppy disks available in the event of a failure. Another disadvantage to these is functionality. Generally, these floppy-based distributions are single purpose devices and lack much in the way of functionality. Another consideration is that due to the space restrictions on a floppy disk, these floppy-based distributions are almost always command line only, with no GUI for configuration or management.

Now that we’ve covered installation media for Linux firewalls, we can cover the operation of a Linux firewall, which we will in the next article.


External Links:

Ultimate Boot CD for Windows site

Devil-Linux – a distribution which boots and runs completely from a CD-ROM or USB flash drive

Damn Small Linux – the original Linux on a CD-ROM/USB drive distro

Running sudo: Examples

using sudo

The sudo command in action under CentOS. sudo -l shows the commands user chris is allowed to run as root.

In the previous article, we configured sudo to allow user chris root privileges for the ifconfig, kill and ls commands. If chris wants to run these commands, he must first enter the sudo command, and then his password. To see if it works, do the following:

  1. Log in as user chris.
  2. To find out what commands chris has root access to, enter this:
    sudo -l
  3. If this is your first time running sudo as user chris, a warning will display:
    We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things.
    #1) Respect the privacy of others.
    #2) Think before you type.
     #3) With great power comes great responsibility.
  4. A password prompt appears. Do not enter the root password. Enter chris’s password.
  5. The commands that chris is allowed to run on this host are listed.
  6. To test your sudo configuration, you can run an ifconfig option that requires root permission without using sudo. Enter:
    /sbin/ifconfig eth0 down
    Permission is denied beceause chris is not allowed to deactivate the system’s eth0 interface.
  7. To deactivate the interface, chris must use sudo. Enter:
    sudo /sbin/ifconfig eth0 down
    You will be successful. Please note that sudo will ask for chris’s password if chris’s ticket has expired (the default is five minutes). If you run this command within five minutes from the last time, you will not be prompted for a password.
  8. Reactivate the interface by typing:
    sudo /sbin/ifconfig eth0 up
  9. Next, restart one of the httpd processes using the kill command by entering:
    ps aux | grep httpd
  10. Choose an Apache PID from the list that appears (if Apache is not installed, select a different service process to restart). Enter:
    kill -HIP (PID NUMBER)
  11. You are not allowed to restart the httpd process because you are not root.
  12. Instead, use sudo to run the command as root by entering:
    sudo kill -HUP (PID NUMBER)
    You should be successful.

  13. Next, list the root directory as chris using the ls command. Enter:
    ls /root
    Permission is denied because you are not root.
  14. Again, use sudo to run the command as root:
    sudo ls /root
    Permission is granted and the root user’s directory is displayed.
  15. To expire chris’s timestamp, enter the command sudo -k. Chris will have to enter a password the next time he uses sudo.




External Links:

ifconfig at Wikipedia
kill at Wikipedia
ls at Wikipedia

Snort Security Optimization

snort securityIn the previous two articles (part one part two), I discussed the installation of snort. In this article, I will mention some ways to improve snort security.

Improving Snort Security

One of the snort security issues is preventing unauthorized access to a privileged account. There are several ways of preventing this. First, when running snort in daemon (-D) mode, the user (-u) and group (-g) switches should be used. This will allow snort to run as a given user and group after it is initialized. Typically, most system administrators prefer to add the snort user and group to their systems, and that the snort user should be unable to login or initiate shell privileges.




Second, the source code for snort/DAQ binaries, logging directories, shared/static libraries, and configuration files should all be owned by the snort user with appropriate permissions. Finally, all binaries which are produced by the compiling and installation process of snort and DAQ should be verified using a hash function and the output stored on removable media. A cron job could be used to run this process on a regular basis with results e-mailed to a system administrator. Another alternative would be the use of a utility called tripwire for auditing installed software on a computer. All of these measures are excellent ways of increasing snort security.


Mirroring or Copying Network Traffic to Snort

In addition, your small office/home office (SOHO) router can be used to mirror or copy network traffic to a snort sensor running on a standalone system or to a virtual machine running in VirtualBox, VMWare, or Xen. This method of improving snort security can be easily done provided you have a router that is running DD-WRT, OpenWRT, or Tomato as the firmware. If you are running Tomato, you may have to add the following to your startup script:

modprobe ipt ROUTE

Users of OpenWRT must use the Tee option for IPtable (provided by module iptables-mod-tee). The module “iptabels-mod-tee” must be loaded before the following command will work:

iptables -t mangle-A PREROUTING -j TEE -gateway x.x.x.x

Where x.x.x.x is an IP address you wish to mirror traffic to (usually a system running snort). It should be noted that in more recent versions of OpenWRT (10.03.1 and never), iptables-mod-tee does not seem to be enabled by default, and using it will require a rebuild/re-enabling of modules for OpenWRT.

Now, using DD-WRT or Tomato’s GUI (or SSHing into the router), issue the following commands:

iptables -A PREROUTING -t mangle -j ROUTE -gw x.x.x.x -tee

iptables -A POSTROUTING -t mangle -j ROUTE -gw x.x.x.x -tee

In each case, x.x.x.x is the address of the machine running snort. To stop mirroring traffic, type

iptables -F -t mangle

If you have snort running in test mode (-T option), try starting snort with /etc/rc.d/snort start (you should get a running message if snort is running properly). If there is a problem, check the output in /var/log/messages. Also, you can check the status of snort by issuing this command:

./snort status


External Links:

How to make some home routers mirror traffic to Snort at www.snort.org

DD-WRT

OpenWRT

Tomato

© 2013 David Zientara. All rights reserved. Privacy Policy