
Managing Security with Open Source “IPCop”

Date post: 08-Jun-2015
Sullivan IPCop Firewall IL-TCE Managing Security with Open Source “IPCop” IL-TCE Conference Mar 3 & 4, 2005 ©2005 - Terence J. Sullivan Free for Educational Use

Sullivan IPCop Firewall IL-TCE

Managing Security with Open Source

“IPCop”

IL-TCE Conference
Mar 3 & 4, 2005

©2005 - Terence J. Sullivan
Free for Educational Use


www.ipcop.org


www.tech-geeks.org

Development & Accessory Sites

• IPCop
  – www.ipcop.org
• Firewall Addons
  – firewalladdons.sourceforge.net/
• Sourceforge Project
  – sourceforge.net/projects/ipcop
• Unofficial Modifications Site
  – www.supporting-role.net/software/ipcop/software-list.php

IPCop Project

• Based on “smoothwall” firewall
• Stripped down linux
  – “hardened” minimal subset of linux
• Uses
• Requires minimal to no knowledge of linux command line

Features

• Stateful packet inspection with NAT & PAT
• Full logging (by IP # or even username)
• Port forwarding, IP blocking
• Alias for WAN port, allowing multiple IP address management
• SNORT – community standard for intrusion detection
• Squid – community standard for Internet proxy
• FreeS/WAN IPSec support, VPN

Features (cont)

• LAN Services (dhcp, dynamic dns registration, etc)
• NIC, ISDN, & Modem supported
• Web based configuration
• Built in self patching/updating
• Backup/Restore
• Traffic Shaping
• Time Server
• Automatic update/patch management

Hardware Requirements

• Pentium II with 128 Meg RAM
• 2 Gig HD
• HCL (hardware compatibility list)
  – Supported NICS
  – http://www.ipcop.org/modules.php?op=modload&name=phpWiki&file=index&pagename=IPCopHCLv01
• Boot from CDRom (easiest install)
• Lightweight Package
  – 40 meg – ISO

Enhancement Utilities

• Web browser content filtering
  – Cop+ or SquidGuard
• POPFile - Email virus/spam filtering
• BlockOutTraffic – Block IP
• Nmap – local network auditing tool
• Ident – collect username in logs
  – local service or authenticate with proxy
• Syslog service – send logs to logging server
• LAN backup – backup to lan device

System Graphs

Traffic Graphs

Firewall Logs

Content Filter

Example Setup/Config

• A complete firewall can be setup and configured in less than an hour.
• IPCop vocabulary
  – Green NIC – inside LAN
  – Red NIC – outside WAN port to Internet
  – Orange NIC – DMZ public server port
  – Blue NIC – Wireless network isolation


Contact Info

Presentation Materials

www.shiloh.k12.il.us/tech

www.il-tce.org

Terence (Terry) [email protected]


Another Quality How-to from TechGeeks - <www.tech-geeks.org>

         _____________________________________________________
________|                                                     |________
\       |               Installing IPCop 1.4.2                |       /
 \      |                 <Date: 03-03-2005>                  |      /
 /      |_____________________________________________________|      \
/___________)                                             (__________\

/* Special thanks to the TechGeeks, LTC-4 & LTC-5 staff for all their
   notes, ideas, and suggestions from which this how-to was compiled */

===========================================================================
   HOW TO INSTALL IPCop 1.4.2 Firewall & Cop+ Content Filtering
===========================================================================

1) Download ISO CD-image and burn to make bootable CD:

   1.4.0 - will require two patches
      http://prdownloads.sourceforge.net/ipcop/ipcop-1.4.0.iso
   1.4.2 - will not require patches as of the date of this howto
      http://prdownloads.sourceforge.net/ipcop/ipcop-1.4.2.iso

2) Boot from CD and complete basic installation.

   * Note warning that all existing data on CD will be destroyed.
   * Boot:  <--- press enter
   * Choose Language – English & then OK to Installing
   * Choose CDRom install, be sure CD is in the drive and <-- OK
   * Dialog will show progress as it formats/files to hard drive
   * Near end will ask for “Restore” CD-Rom to recover or clone
        skip for new install, but can be used to rebuild a system
   * Assign inside/LAN NIC (this will be called the "Green" card)
        Probe for 1st Network Card
        Assign IP Address - (inside or local network gateway)
           xxx.xxx.xxx.xx with mask xxx.xxx.xxx.xxx
   * At this point CD will eject preparing for reboot
   * Will ask for keyboard country - <us>
   * Set Timezone - CST6CDT
   * Name the local machine ex. ‘ipcop’  <-- without quotes
   * Domain: 'district.k12.il.us'  <-- FQDN without quotes
   * ISDN: not likely to use, so choose ‘Disable ISDN’
   * Network configuration type
        Green Red  <-- for basic firewall
   * Drivers and card assignments:
        Probe – find other NIC
        Assign to Red
        Message status - All cards allocated  <-- OK
   * Address Settings
        Green – confirm
        Red – set outside / public IP number
           Static - normal setting for K12 school
           IP Address xxx.xxx.xxx.xxx & Mask xxx.xxx.xxx.xxx
        'DONE' to accept both card assignments
   * DNS and Gateway settings
        DNS primary and secondary
        Gateway or default route to the Internet
   * 'DONE' accept Network Configuration
   * Configure DHCP server: setup to suit your network  <-- OK
   * CREATE management user accounts
        1st screen is 'root' user for console access
        2nd screen is 'admin' user for web management
   * Basic Setup is Complete  <-- will reboot now

3) After reboot will come up to Console or Terminal login

   * login as 'root'
   * check connectivity
        try ping xxx.xxx.xxx.xxx outside network
   * note it is possible the Red/Green are reversed
        if so, try reversing patch cables

4) In the future to modify any of the basic configuration
   return to console/root login and issue the command
      'setup'  <--- without quotes from command line

   Howto access server console Window from Windows
      need Putty or favorite secure Telnet Program
      Putty – server.ip.number port 222  <-- non-standard port
      First time will have to accept certificate
      Login as User ‘root’ and password ‘******'
      ------------------------------------------------
      | for Putty help look at:                      |
      |   http://root.phys.psu.edu/putty-winscp.php  |
      ------------------------------------------------

5) From here configuration and management can be done via a browser

   To access WebAdmin Panel
      https://ipcop.school.org:445  <-- non-standard port
      accept warning about the site certificate – Continue
   To login to WebAdmin Panel
      Press Connect
      User 'admin' Password '******'  <-- this is the 2nd password set
   Basic initial configuration
      System – SSH access - Enable - SAVE
      Services – Web Proxy - Enable Green & Transparent Green
      Services – NTP Server – Enable - choose NTP server
         update automatically every X days
         SAVE  <-- don't forget to click save
      Services – Intrusion Detection – Enable on RED
         Download new rule set and SAVE

6) IPCop UPDATES: <not needed if using the 1.4.2 ISO image>

   Done in WebAdmin panel
   System - Updates - Click 'Refresh update list'
      Update 1 - 1.4.1
         http://prdownloads.sourceforge.net/ipcop/update-1.4.1.tgz.gpg?download
      Update 2 - 1.4.2
         http://prdownloads.sourceforge.net/ipcop/update-1.4.2.tgz.gpg?download
   Click 'info' behind Update-1
   Download update to local hard drive
   To apply
      Browse - locate update package - Open then UPLOAD
      (it's that easy -- permission, unpacking, install all automated)
   Repeat for Update-2
   Does not require reboot
   If reboot is ever recommended, be aware IPCop breaks without it

7) NEED "MOD" utility to install and use 3rd party add-on modules
   these are NOT from the IPCop project team, but outside sources

   * Install has to be done manually

   * Get MOD tarball:
        http://prdownloads.sourceforge.net/firewalladdons/addons-2.2-CLI-b2.tar.gz?download
        download onto local computer

   * Use WinSCP or SCP to copy to IPCop server root
        WinSCP - User 'root' and Password '******'
        WinSCP uses Port 222 not normal Port 22  <-- non-standard port
        ------------------------------------------------
        | for WinSCP help look at:                     |
        |   http://root.phys.psu.edu/putty-winscp.php  |
        ------------------------------------------------

   * Next log in as root on your IPCop, either from the console
     or Putty from Windows
        cd /  <-- to go to the top level directory

   * Unpack the tarball:
        tar zxvf addons-2.2-CLI-b2.tar.gz
        there should now be a new directory with the install files
   * Change to the new addons directory
        cd /addons
   * To install package, run the setup program
        ./setup -i  (that is period-slash setup dash-i)
   * To uninstall if needed
        ./setup -u
   * If successful, there will now be a new menu in the WebAdmin panel
   ---------------------------------------------------------------------------
   | caution: often after first installing the MOD package it is transparent |
   |   at the end of the WebAdmin management menu, however it will pick up   |
   |   the blue color after the first or second restart                      |
   ---------------------------------------------------------------------------
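Step 7 unpacks a third-party tarball as root from `/`, so every member path in the archive is written relative to the filesystem root. The following is an added example, not part of the original how-to or the add-ons project: a shell function that reviews `tar tzvf` output before anything is extracted. The function name, flag labels and sample listing are constructed for illustration; GNU tar's verbose layout and an `addons/` top-level directory are assumed.

```shell
#!/bin/sh
# Added example, not part of the original how-to.
# Reviews an add-on tarball's member list BEFORE it is unpacked as root in /,
# where a stray member such as etc/passwd would land on top of system files.
# stdin : output of `tar tzvf FILE` (GNU tar layout assumed:
#         perms owner/group size date time name [-> target])
# $1    : the one top-level directory the archive is expected to create
# Prints a FLAG line per suspicious member; returns 1 if any were found.
audit_tar_listing() {
    awk -v top="$1" '
    function escapes(p,   a, n, i) {   # absolute path or a ".." component
        if (substr(p, 1, 1) == "/") return 1
        n = split(p, a, "/")
        for (i = 1; i <= n; i++) if (a[i] == "..") return 1
        return 0
    }
    {
        perms = $1; type = substr(perms, 1, 1); name = $6; why = ""
        # Field counts: 6 file/dir, 8 symlink, 9 hard link. Anything else
        # (for example a name containing spaces) is reported, not trusted.
        want = (type == "l") ? 8 : ((type == "h") ? 9 : 6)
        target = (type == "l") ? $8 : ((type == "h") ? $9 : "")
        if (NF != want)                      why = why " unparsed"
        if (escapes(name))                   why = why " path-escape"
        if (index(name, top "/") != 1)       why = why " outside-" top
        if (substr(perms, 4, 1) ~ /[sS]/ || substr(perms, 7, 1) ~ /[sS]/)
                                             why = why " setuid/setgid"
        if (type == "b" || type == "c")      why = why " device-node"
        if (target != "" && escapes(target)) why = why " link-escape"
        if (why != "") { printf "FLAG%s: %s\n", why, $0; bad++ }
    }
    END { exit (bad > 0) }'
}

# Constructed listing for illustration, not taken from the real tarball.
sample_listing() {
    cat <<'EOF'
drwxr-xr-x root/root     0 2005-03-03 12:00 addons/
-rwxr-xr-x root/root  5120 2005-03-03 12:00 addons/setup
-rw-r--r-- root/root   812 2005-03-03 12:00 etc/passwd
-rwsr-xr-x root/root  9000 2005-03-03 12:00 addons/bin/helper
lrwxrwxrwx root/root     0 2005-03-03 12:00 addons/conf -> ../etc
-rw-r--r-- root/root    10 2005-03-03 12:00 addons/../../root/.profile
EOF
}

# Demo: on the firewall this would be `tar tzvf addons-2.2-CLI-b2.tar.gz | ...`
sample_listing | audit_tar_listing addons || echo "review before unpacking"
```

A clean result only confirms the archive layout; it says nothing about what `./setup -i` itself does once it runs as root.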

8) To install DansGuardian Content Filtering (Cop+)

   Use the WebAdmin panel and the MOD package manager
   * Menu - ADDONS - ADDONS and Click Refresh addons list
   * Click on 'info' behind Cop+ addon
   * Download to local computer
   * From Webadmin panel, ADDONS-ADDONS-Upload, browse, find and upload
        all automated and does not require reboot
   After install base package need one update
   * Menu - ADDONS - ADDONS-UPDATE  <-- this is a different menu
   * Click refresh addons update list
   * Click on 'info' behind Cop+ Update
   * Download to local computer
   * From Webadmin panel, ADDONS-ADDONS-UPDATES-upload, browse/find/upload

9) Basic Content Filter configuration

   Done from WebAdmin panel, Service-Content Filter Menu
   * Download Blacklist Now to get started
   * Enable automatic download
   * Adjust Banned sites, urls, weighted phrase list as needed
   * Adjust Exception sites, urls, phrase list as needed
   * Example mini-config-howto
        Every configuration change in DG requires a Filter Restart to activate
        The configuration is really stored in text files and the default setup
        has most of the filters "commented" out with a '#' as the first char
        in a line
        To activate a filter, edit the file, delete the '#', Save, and Restart

Standard Disclaimer:
   What you do to your server and your network is your responsibility.
   There is a large K12 support community for IPCop, but do read the
   manual and on-line help. Not responsible for damages. Saturate before
   using. Slippery when wet. Contents very hot. Do not eat. Inhalation
   hazard. Safety glasses required. May become unstable when heated.
   Do not puncture. Risk of explosion. Point away from face. Dispose of
   properly.

   Contains 100% RDA of network security for the linux K12 Geek.

====================================
 Howto last updated 3-03-2005
====================================

