Open Source Security Tools: Practical Guide to Security Applications, part 11


You will see it formatting the disk and then probing your machine for its network interfaces. It should auto-detect any network interface cards (NICs). It lets you accept or skip each one and set them up as firewall interfaces. For example, if you have two NICs on your computer but only want to use one of them as a firewall interface, you would define that here.

4. Define the attributes of each selected interface. Assign them an IP address and subnet mask. After this, SmoothWall installs some additional driver files and asks you to eject the CD-ROM. You have finished installing the program and will automatically enter setup mode.

5. In setup mode, you will be asked for a hostname for the SmoothWall. You can use the hostname to access the machine instead of using its LAN IP address.

6. Next it asks if you want to install the configuration from a backup. This nifty feature allows you to easily restore your firewall to its original configuration if the system crashes (assuming you made a backup, which is covered later in this section). Don’t select this unless you are in the process of restoring from a backup.

7. Assuming you chose to set up a new firewall (not from backup) in the previous step, you will be prompted to set up several network types:

ISDN: Leave this set to Disable if you aren’t using ISDN. If you are, then add the parameters appropriate for your ISDN line.

ADSL: This section is necessary only if you are using ADSL and actually have the ADSL modem in your computer. Leave this on Disable if you aren’t using ADSL service or if the provider gives you an external modem to plug into. Otherwise, click on the settings for your ADSL service.

Network configuration: SmoothWall divides its zones into three categories:

Green: Your internal network segment to be protected, or your “trusted” network.

Red: The external network to be firewalled off from the LAN. This is the “untrusted” network, usually the Internet or everything that is not your LAN.

Orange: This is an optional segment that can contain machines that you generally trust but need to be exposed to the Internet (the DMZ mentioned earlier). This protects your internal LAN, should one of the servers be compromised, since DMZ nodes don’t have access to the LAN by default, and also allows these machines to be accessed by the outside world.

Select the configuration that is appropriate for your network. Most simple networks will use Green (Red is for modems or ISDN), or Green and Red if you have two NIC cards in the machine.

8. Now it is time to set up the DHCP server. If you want your firewall to be responsible for handing out and managing dynamic IP addresses on your LAN, enable this feature. Otherwise leave it turned off. You can set the range to be assigned, and the DNS and lease times for the addresses given out.


80 Chapter 3 • Firewalls

9. You now set several passwords for different levels and methods of access. The “root” password is accessible from the console and command line interface and acts just like UNIX root in that you have total control over the box. You then assign a password for the “setup” user account. This user can also access the system from the console and command line. This user has more limited powers than “root” and can only run the setup utility program.

10. Finally, set up a Web interface user account. This isn’t a UNIX-type account and can’t be accessed from the command line. It is strictly used to control access to features from the Web interface.

11. Now reboot the machine and your SmoothWall firewall should be up and running. You can log into the machine from the console using either the root or setup user. You can also SSH into the box from a remote location and get the command line interface. However, one of the truly nice things about this program is that there is a powerful and easy-to-use GUI accessible from any Web browser that makes administering the firewall a snap.

Administering the SmoothWall Firewall

The easiest way to manage the SmoothWall firewall is using the Web interface. This gives you a powerful tool for administering and adding other functionality to your firewall. You can access this interface two ways: via port 81 for normal Web communications or via port 441 for secured Web communications using SSL. Either way, you put the IP address or URL with the port number in the location window of a Web browser. For example, if your firewall LAN interface card has IP address 192.168.1.1, you would enter the following into the Web browser

http://192.168.1.1:81/

for normal Web communications, or

https://192.168.1.1:441/

for secure Web access

This will display the SmoothWall opening screen. To access any of the other screens you will need to enter your user name and password. The default user name is admin and the password is the one you entered for the Web interface during the setup process. There are several main menus accessible from the main page (see Figure 3.7). Each menu has a number of submenus underneath it.

• Control: This is the firewall homepage and contains copyright and uptime information.

• About Your Smoothie: This has a number of useful submenus:

• Status: This shows you the status of the various services on the SmoothWall.

• Advanced: This screen contains detailed information about your system.


• Graphs: This is one of the cooler features in SmoothWall. This enables you to create bandwidth graphs so you can analyze your network traffic on different interfaces at different times of the day and on different days. You can use this as a quick way to find network problems. If you notice huge bandwidth increases on the weekend or late at night without any known reason, you know that something is amiss (see Figure 3.8).

• Services: This is where you configure various basic and optional services on the SmoothWall (see Figure 3.9).

• Web Proxy: If you want to be able to set up your SmoothWall to act as a proxy for anyone surfing the Web, this function can be set up here.

• DHCP: The built-in DHCP server is configured here.

• Dynamic DNS: If your ISP assigns you a dynamic IP address but you still want to allow services in from the outside, you can set up the SmoothWall to update a DNS record automatically with its new IP address. It can be configured to use any one of several online services such as dyndns.org and dhs.org.

• Remote Access: This section controls access to your SmoothWall from anywhere but the console. You can enable SSH (it is disabled by default) and control what specific addresses can get access.

• Time: This configures the time settings on the machine. This can be very important if you are comparing its log files to other servers. You can set it up to get time from a public time server, which makes logs more accurate.

Figure 3.7 SmoothWall Main Menu


Figure 3.8 SmoothWall Traffic Graph

Figure 3.9 SmoothWall Services Screen


• Networking: This is where you configure anything associated with the firewall and network functions of the SmoothWall. This includes adding, deleting, or modifying the rule sets and other functions:

• Port Forwarding: You can forward a specific port or series of ports to an internal protected host.

• Internal Service Access: Click here if you need access to an internal service from the outside.

• DMZ Pinhole: This lets you set up access from a host on your DMZ to a host on your LAN. This is normally not allowed as part of the function of a DMZ.

• PPP Settings: If you are using the SmoothWall to connect to the Internet via dial-up, you set the various phone settings here such as number, modem commands, and so on.

• IP Block: This is a nice feature that allows you to easily block an IP or range of IP addresses from your network without having to write any rules.

• Advanced: Several miscellaneous network settings such as Universal Plug and Play (UPnP) support are found here.

• VPN: Here is where you configure the SmoothWall to act as a VPN for secure remote access from another network. The details are covered later in this chapter.

• Logs: Access to all the log files kept by the SmoothWall is facilitated through this screen. The interface allows you to easily scan different types of log files such as system and security.

• Tools: There are several standard network tools here including ping, traceroute, and whois. They also include a nifty Java-based SSH client so you can access SSH servers from your Web browser.

• Maintenance: This section is used for system maintenance activity and has several submenus:

• Maintenance: This section keeps track of any patches to your SmoothWall operating system. It is important to keep the SmoothWall OS patched. Just like any operating system, there are security holes discovered from time to time that are fixed in the patches. New features or compatibility are added periodically as well.

• Password: You can change any of the logins and passwords for the system here (assuming you have the old passwords).

• Backup: You can make a backup of your SmoothWall configuration so that in the event of a crash you can easily restore it. You should make a backup as soon as you get the SmoothWall configured to your liking to save your settings.

• Shutdown: This will safely shut down SmoothWall.
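The Green/Red/Orange zone model and the two exceptions the Networking menu offers (port forwards and DMZ pinholes) can be expressed as a small policy evaluator, which also makes it easy to audit a rule set before committing it on the firewall. The code below is an added example written for this page, not SmoothWall's own code: the zone-to-zone default matrix, the sample addressing (192.168.1.0/24 as Green, 192.168.2.0/24 as Orange), and the audit() rules of thumb are all assumptions of the example rather than anything SmoothWall enforces.

```python
"""Toy model of the SmoothWall zone model plus port-forward and DMZ-pinhole exceptions.
Added example; the default matrix and addressing below are assumptions, not SmoothWall code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

GREEN, RED, ORANGE = "green", "red", "orange"

# Constructed sample addressing for the two internal segments; anything else is Red.
ZONE_NETWORKS = {
    GREEN: ip_network("192.168.1.0/24"),
    ORANGE: ip_network("192.168.2.0/24"),
}

# Default policy for connections that cross the firewall (assumption built from the text:
# Orange may not initiate to Green, Red may not initiate to anything, outbound is allowed).
DEFAULT_ALLOW = {
    (GREEN, RED): True,
    (GREEN, ORANGE): True,
    (ORANGE, RED): True,
    (ORANGE, GREEN): False,
    (RED, GREEN): False,
    (RED, ORANGE): False,
}


@dataclass(frozen=True)
class PortForward:
    external_port: int   # port on the firewall's Red interface
    target_ip: str       # internal host that receives the forwarded traffic
    target_port: int


@dataclass(frozen=True)
class DmzPinhole:
    dmz_host: str        # Orange host allowed to initiate
    lan_host: str        # Green host it may reach
    port: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown addresses are untrusted (Red)."""
    addr = ip_address(ip)
    for zone, net in ZONE_NETWORKS.items():
        if addr in net:
            return zone
    return RED


@dataclass
class Ruleset:
    forwards: list = field(default_factory=list)
    pinholes: list = field(default_factory=list)

    def forward_target(self, external_port: int) -> Optional[tuple]:
        """Where an inbound Red connection to external_port ends up, or None if dropped."""
        for f in self.forwards:
            if f.external_port == external_port:
                return (f.target_ip, f.target_port)
        return None

    def permits(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """Is a connection initiated by src_ip to dst_ip:dst_port allowed across the firewall?
        For Red sources dst_port is the port on the firewall's external interface."""
        src, dst = zone_of(src_ip), zone_of(dst_ip)
        if src == RED:
            return self.forward_target(dst_port) is not None
        if src == dst:
            return True                       # same segment never crosses the firewall
        if src == ORANGE and dst == GREEN:
            return any(p.dmz_host == src_ip and p.lan_host == dst_ip and p.port == dst_port
                       for p in self.pinholes)
        return DEFAULT_ALLOW.get((src, dst), False)

    def audit(self) -> list:
        """Flag exceptions that weaken the DMZ design (this example's own checks)."""
        findings, seen = [], set()
        for f in self.forwards:
            if f.external_port in seen:
                findings.append(f"duplicate forward for external port {f.external_port}")
            seen.add(f.external_port)
            if zone_of(f.target_ip) == GREEN:
                findings.append(f"port {f.external_port} forwards into Green ({f.target_ip}); "
                                "an exposed service belongs in Orange")
        for p in self.pinholes:
            if zone_of(p.dmz_host) != ORANGE or zone_of(p.lan_host) != GREEN:
                findings.append(f"pinhole {p.dmz_host}->{p.lan_host}:{p.port} is not Orange->Green")
        return findings


if __name__ == "__main__":
    rules = Ruleset(forwards=[PortForward(443, "192.168.2.10", 443)],
                    pinholes=[DmzPinhole("192.168.2.10", "192.168.1.20", 3306)])
    print("DMZ web server -> LAN database:", rules.permits("192.168.2.10", "192.168.1.20", 3306))
    print("DMZ web server -> LAN SSH:", rules.permits("192.168.2.10", "192.168.1.20", 22))
    print("audit:", rules.audit() or "clean")
```

The one rule worth internalizing from the model is the ORANGE->GREEN branch: every pinhole is a deliberate hole in the protection the DMZ exists to give, so the audit lists each one and rejects any that does not go from an Orange host to a Green host.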


Creating a VPN on the SmoothWall Firewall

You can use SmoothWall to set up a secure connection to another network by creating a VPN tunnel with IPsec encryption.

1. To configure the VPN function on the firewall, click on the VPN item from the main menu. There are two submenus located there (see Figure 3.10).

• Control: This is the main screen where you can start and stop your configured VPN sessions as well as get status information on them.

• Connections: Here is where you configure new VPN connections. It gives you a pretty simple way to create new VPN connections. On SmoothWall Express (the free GPL version), both ends must have a static, public IP address. To create a new connection profile, go to the Connections tab off of the main VPN tab (see Figure 3.11).

2. Enter a name for this connection. Be sure to use a name that makes it obvious what is being connected.

3. Define the “left” and “right” sides of the connection. (These names have nothing to do with direction, but are just used as references to differentiate the ends of a VPN. The local side is typically on the left.) Input the IP address and subnet for your local SmoothWall on the left side, and the IP address and subnet of the remote SmoothWall on the right side.

Figure 3.10 SmoothWall VPN Control Screen


4. Below that you enter the shared secret that is used to create the encryption. This secret has to be the same on both firewalls being connected. It should be protected and not passed through insecure means (for example, e-mail). Make your secret at least 20 characters long and comprised of lowercase, uppercase, and special characters to make your VPN as strong as it can be.

5. You can also click on the compression box to make your VPN data stream smaller. But keep in mind that this will eat processor cycles and might slow your VPN down more than the gain from less bandwidth.

6. Make sure you click on the Enable box and then click on Add to add your VPN connection. You will now see it on the main VPN Control page and it will come up immediately if the link it is associated with is up.

7. You can also export the VPN settings to another SmoothWall to make for easier configuration and avoid data entry error on configuring additional VPN endpoints. Simply click on Export and it will create a file called vpnconfig.dat. You can then take this to your remote machine, go to the same page, and select Import. SmoothWall will automatically reverse the entries for the remote end. Your VPN is now ready to go. Repeat this process for as many additional sites as you want to add.
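Step 4 states the policy for the shared secret but leaves generating and verifying it to the administrator. The example below, added for this page and not part of SmoothWall, checks a candidate secret against that policy, draws a fresh one from the operating system's CSPRNG, and produces a short hash fingerprint so the two administrators can confirm over the phone that both firewalls hold the same secret without ever sending it over e-mail. The SPECIALS character set is an assumption of the example.

```python
"""Policy check, generator and fingerprint for an IPsec pre-shared secret, following the
rule above: at least 20 characters with lowercase, uppercase and special characters.
Added example; not SmoothWall code. The SPECIALS set is an assumption."""
import hashlib
import secrets
import string

MIN_LENGTH = 20
# Constructed set of special characters; it deliberately avoids quotes, backslash and
# spaces, which configuration parsers tend to mangle when the secret is stored.
SPECIALS = "!#$%&*+-=?@^_~"
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits + SPECIALS


def check_secret(secret: str) -> list:
    """Return a list of policy violations; an empty list means the secret passes."""
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append(f"too short: {len(secret)} < {MIN_LENGTH}")
    if not any(c.islower() for c in secret):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in secret):
        problems.append("no uppercase letter")
    if not any(c in SPECIALS for c in secret):
        problems.append("no special character")
    if any(c.isspace() for c in secret):
        problems.append("contains whitespace")
    return problems


def generate_secret(length: int = 32) -> str:
    """Draw a secret from the OS CSPRNG and resample until it satisfies the policy."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_secret(candidate):
            return candidate


def fingerprint(secret: str) -> str:
    """Short SHA-256 prefix for confirming both ends hold the same secret out of band;
    the prefix reveals nothing useful about a 20+ character random secret."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:16]


if __name__ == "__main__":
    s = generate_secret()
    print("secret:     ", s)
    print("policy:     ", check_secret(s) or "ok")
    print("fingerprint:", fingerprint(s))
```

Paste the generated secret into the VPN connection form on both firewalls and compare fingerprints rather than the secrets themselves; a fingerprint mismatch after the tunnel fails to come up usually means one side has a typo.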

Additional Applications with the SmoothWall

This section is only a cursory overview of the basic functions of the SmoothWall. There are other advanced functions covered in the documentation that accompanies SmoothWall.

Figure 3.11 VPN Connections Screen


For details on setting up the other special services, such as the Web proxy or dynamic DNS, consult the administration manual. All three documentation files are contained in the SmoothWall directory on this book’s CD-ROM in PDF format. If you have a spare machine to dedicate to your firewall, SmoothWall Express lets you go beyond simple firewall functionality and provides a full security appliance for your network.

Windows-Based Firewalls

None of the firewalls described in this chapter run on Windows. Regrettably, there is a lack of quality open source firewall software for Windows. Because Windows code is itself not open, it isn’t easy for programmers to write something as complex as a firewall, which requires access to operating system–level code. With the addition of a basic firewall in Windows XP, there is even less motivation for coders to develop an open source alternative. This is unfortunate, because the firewall included with XP is fine for individual users, but it isn’t really up to the task of running a company gateway firewall. There are commercial options available for Windows from companies such as Checkpoint. However, even they are moving away from a purely Windows-based solution because of the underlying security issues with Windows. If you need to use a Windows-based firewall solution, you will probably have to go to a commercial firewall, as there isn’t a good open source firewall for Windows. This underscores the limitations and issues with closed source operating systems.


Port Scanners

A firewall helps protect your network from the most basic attacks and is a mandatory tool for any network attached to the Internet. Now that you have protected your network’s front door, we will examine tools to help you check your locks and windows to make sure that the openings in your network are secure.

Looking at the OSI model of network communications again, you see that once a basic network connection has been established between two machines, an application uses that connection to perform whatever function the user requests. The application could be to download a Web page, send an e-mail, or log in interactively using Telnet or SSH.

Chapter Overview

Concepts you will learn:

TCP/UDP ports

TCP fingerprinting

How port scanning works

Port scanning configuration

Port scanning techniques

Tools you will use:

Nmap, Nmap for Windows, and Nlog

88 Chapter 4 • Port Scanners

The Internet Assigned Numbers Authority (IANA) assigns TCP/UDP port numbers. This little-known but important organization keeps track of the many different standards and systems that make the Internet run. Among its duties are handing out IP addresses and delegating who is responsible for top-level domain names. The IANA wields considerable power, albeit mostly behind the scenes. Few people outside the engineering departments of communications companies even know IANA exists, but it controls a big part of the Internet “real estate.” The IANA is also responsible for keeping a list of which services can be found on what network ports, assuming the application or operating system is compliant with these standards. Of course, it behooves all companies making software to closely adhere to these standards; otherwise, their products may not work with other Internet-connected systems. Table 4.1 lists some of the most commonly used TCP ports for server applications.

A full list of port numbers appears in Appendix C. You can also find the most current list at the IANA Web site (www.iana.org). Almost every major application has a port number assigned to it. Port numbers range from 1 to 65,535 for both TCP services and UDP services. Port numbers 0 to 1,023 are considered reserved for common applications. These services usually run as root or a privileged user and are called the well-known port numbers. Port numbers from 1,024 to 65,535 can be registered with the IANA for specific applications. These usually map to a specific service, but vendors don’t abide as strictly by these registrations as they do the reserved numbers.

Finally there are ephemeral port numbers, which the operating system chooses at random from the numbers above 1,024, usually high up in the range. These are used for machines that connect on an ad-hoc basis to other machines. For example, your machine would connect to a Web server on port 80 to download a Web page. The server would see a connection coming in from a machine on some random port above 1,024. This way the server knows it is probably a user and not another application connecting to it. It also uses the ephemeral port number to track the specific user and session. For example, if you

[Table header only; the rows are not in this excerpt: OSI Layer Number | Layer Name | Sample Protocols]

Posted: 04/07/2014, 13:20
