SuSE Linux Firewall on CD 2
1st edition 2002 Copyright © This publication is intellectual property of SuSE Linux AG. Its contents can be duplicated, either in part or in whole, provided that a copyright label is visibly located on each copy. All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SuSE Linux AG, the authors, nor the translators shall be held liable for possible errors or the consequences thereof.
Contents

Preface
1 Introduction
  SuSE Firewall on CD 2
  System Requirements
  Network Planning
  Security Policy and Communication Analysis
    Security Policy
    Communication Analysis
  Typical Firewall Setups
3 Firewall Administration System (FAS)
  Logging in as fwadmin
  Starting the Firewall Administration System
  Using the FAS
    Initial Login
    Creating User Accounts
    Creating a New Configuration
  Log File Analysis
    The Log Files
    Evaluating the Log Files
    The IP Filter Statistics
    The Interface Statistics
    Mail Statistics
  Certificate Management
5 IPsec Client on Windows XP and Windows 2000
  Exporting the Required Certificates
  Importing the Certificates in Windows
    Configuring the Required Snap-Ins
    Importing the Client Certificate
    Making a Note of Important Certificate Data
  Configuring the IPsec Connection
8 Support, Maintenance, and Patch Management
  Maintenance
    Accessing the SuSE Maintenance Web
    Getting Patches
  Support and Services
    Support Conditions
    Commercial Support
  Kernel Configuration
  Configuration Options in /etc/squid.conf
  Squid and Other Programs
    SquidGuard
    Cache Report Generation with Calamaris
  More Information on Squid
C Network Security
  Masquerading and Firewalls
Preface

Many thanks to Jürgen Scheiderer, Carsten Höger, Remo Behn, Thomas Biege, Roman Drahtmüller, Marc Heuse, and Stephan Martin.

The SuSE Firewall on CD 2

The SuSE Firewall on CD is a tool package for setting up a firewall solution for your network. It helps with the related configuration, monitoring, and administration chores. The complete functionality of the SuSE Firewall on CD is based on Open Source programs specially selected and enhanced for this purpose.
1 Introduction

The importance of the Internet, the communication possibilities provided, and the information-gathering options offered seem to grow every day. The number of companies and individuals with access to this worldwide network is growing steadily. However, connecting to the Internet often introduces security concerns that should not be underestimated. The SuSE Firewall on CD can minimize and control the risks involved.
Most companies rely on their own networks to exchange and process mission-critical information for in-house purposes, such as an intranet, databases, and e-mail. Without the proper protection mechanisms in place, all this data would be widely available to the outside world as soon as the local network was connected to the Internet — something that could obviously cause a lot of damage, especially for companies. It’s easy to run a secure computer system.
The first firewall was a non-routing UNIX host connected to two different networks: one network interface was connected to the Internet and the other one to a private LAN. To reach the Internet from within the private network, users had to log in to the UNIX firewall server before they could access any outside host. To do so, they would start, for example, an X Window–based browser on the firewall host then export the window to the display of their workstation.
our case, is based on the concept of an application-level gateway combined with IP packet filtering. The firewall’s routing and gateway capabilities are turned off by default, but can be enabled as required. All requests accepted and processed by the firewall are handled at the application level. The package supports the most important Internet protocols: SMTP, FTP, HTTP, HTTPS, DNS, and VPN.
ELSA Quickstep 1000 PCI
Generic HFC 2BDS0 PCI

SCSI Host Adapters:
53c7,8xx: NCR 53c7,8xx (old driver)
AM53C974: AM53/79C974
BusLogic: BusLogic
DAC960: Mylex DAC-960/DAC1100
a100u2w: Initio INI-A100U2W
aacraid: Adaptec RAID
advansys: AdvanSys
aha152x: Adaptec 1505/151x/152x/2825
aha1542: Adaptec 154x
aha1740: Adaptec 1740
aic7xxx: Adaptec 274x/284x/294x
atp870u: ACARD AEC-671X
cciss: Compaq CISS Array
cpqarray: Compaq SMART2 RAID
dc395x_trm: Tekram DC395U/UW/F, DC315/U
dpt_i2o: DPT I
psi240i: PSI-240i
qlogicfas: Qlogic FAS
qlogicfc: QLogic ISP 2100 SCSI-FCP
qlogicisp: QLogic ISP 1020
qlogicpti: PTI Qlogic ISP Driver
seagate: Seagate ST-02/Fut.

Network cards:
depca: DEPCA, DE10x, DE200, DE201, DE202, DE422
dmfe: DM9102 PCI Fast Ethernet
e100.o: EtherExpress PRO/100 (Intel driver)
e1000.o: Intel(R) PRO/1000 Gigabit Server Adapter
e2100: Cabletron E21xx
dgrs: Digi Intl.
smc9194: SMC 9194
tlan: Compaq Netelligent 10/100/NetFlex 3
tulip: DEC Tulip (DC21x4x) PCI
via-rhine: VIA VT86c100A Rhine-II
wd: Western Digital WD80x3
yellowfin: Packet Engines Yellowfin Gigabit

Network Planning

Before beginning the installation of the Adminhost and the configuration of the firewall, consider your network layout. The diagrams in the following section provide some ideas for layout options.
Security Policy

The security policy provides the basis for working with all programs, hosts, and data. In addition, it outlines how to guarantee the monitoring of security guidelines and how internal or external breaches of this policy are handled. To draft a security policy, it is best to produce a communication analysis. To this end, the following topics are of utmost importance: An analysis of your security requirements is necessary.
[Communication matrix: one row per protocol (smtp, http, https, icmp, ftp, ssh, ...); columns Protocol, Client (internal or external, abbreviated i. and e.), host1, host2, host3, ..., hostn; each cell marked x or –]

With the help of such a communication matrix, obtain an overview of the communication constellations within the network. This simplifies the configuration of your network and error analysis.

Typical Firewall Setups

This section gives a brief overview of the most typical firewall setups.
Figure 1.2: Simple Setup
Figure 1.3: Effective and Manageable Setup

stops any illegal requests at the packet level. Packets allowed through are passed to the first firewall host, which operates at the application level and uses packet filtering rules to control access to the DMZ, to the second firewall host, and to the internal network beyond. This second firewall is a packet filtering proxy machine protecting the internal network.
2 SuSE Adminhost for Firewall

It is no easy task to administer, maintain, and monitor a firewall. Above all, the importance of monitoring the firewall should not be underestimated. This is why the SuSE Firewall on CD includes the SuSE Adminhost for Firewall, which helps with configuring, administering, and maintaining the firewall.
After installing the SuSE Adminhost for Firewall, the Firewall Administration System (FAS) is available. The FAS is a tool with a graphical administration interface allowing menu-driven configuration of the SuSE Firewall on CD. Configurable tools are available for monitoring the firewall that can perform tests of the firewall, evaluate the log files, and monitor network traffic.
depending on which area is activated, make a selection or cycle through a list. With ↵, the selected command is carried out — the action shown on the active button. With Space, entries can be marked. In addition, most actions can be started with the key combination Alt + the underlined letter.

Tip: Here and in the following dialogs, YaST2 is just collecting information. Later, YaST2 displays the information it has collected.
Figure 2.1: YaST2: Keyboard Layout and Time Zone

Now test your keyboard. By clicking with the mouse or using Tab, activate the entry line and type in letters there. Especially test ‘y’, ‘z’, and special characters. The second item is a list of countries in a tree structure (continent/country/region). Select your country or region from these. YaST2 finds the appropriate time zone. Use ‘Next’ to proceed to the next dialog window.
Figure 2.2: YaST2: Preparing the Hard Disk

Step 2
One of the following situations could occur: If the hard disk is not empty, YaST2 shows all existing partitions on the hard disk as well as ‘Use entire hard disk’. Free, unpartitioned storage space at the “end” of the hard disk is also displayed and is automatically preselected. YaST2 can use further space for SuSE Linux, but only if it is contiguous — partitions can only be released for further use “from behind”.
Once the installation starts and all requirements have been fulfilled, YaST2 partitions and formats the necessary hard disk space on its own. The entire hard disk or the available partitions are split up for SuSE Linux into the three standard partitions: a small partition for /boot (about 16 MB) as close as possible to the beginning of the hard disk, a partition for swap (128 MB), and all the rest for / (root partition).
Note: If you press ‘Next’, the installation will start.

Confirming Settings and Starting the Installation

Review all the settings made until now. To make changes, cycle through the windows with ‘Back’. If you press ‘Next’, you are asked again for confirmation (in green) to start the installation with the settings as shown. After confirming with ‘Yes — install’, YaST2 begins setting up the system.
resolution, color depth, and refresh rate are selected for the monitor and a test screen is displayed.

Note: Check the settings before accepting. If you are not sure, consult the documentation for your graphics card and monitor.

Note: If the monitor is not detected, select your model from the list provided. If you have an unknown model, enter the settings by hand or have the data loaded from a “driver disk” provided with your monitor. Consult the documentation for your monitor.
Figure 2.4: YaST2: Network Configuration

Configuration Files

This section provides an overview of the network configuration files. It explains their purpose as well as the format used.

/etc/rc.config

The majority of the network configuration takes place in this central configuration file. When making changes via YaST or when running SuSEconfig after the file has been modified manually, most of the following files are automatically generated from these entries.
Figure 2.5: YaST2: Configuring the Name Server

consisting of the IP address, the fully qualified host name, and the host name (e. g., earth) is entered into the file. The IP address must be at the beginning of the line. The entries should be separated by blanks or tabs. Comments are always preceded by the ‘#’ sign.

#
# hosts         This file describes a number of host name-to-address
#               mappings for the TCP/IP subsystem. It is mostly
#               used at boot time when no name servers are running.
File 2: /etc/networks

/etc/host.conf

Name resolution — the translation of host and network names via the resolver library — is controlled by this file. This file is only used for programs linked to libc4 or libc5. For current glibc programs, refer to the settings in /etc/nsswitch.conf. A parameter must always stand alone in its own line, and comments are preceded by a ‘#’ sign. Table 2.1 shows the parameters available.
An example for /etc/host.conf is shown in File 3.

#
# /etc/host.conf
#
# We have named running
order hosts bind
# Allow multiple addrs
multi on
# End of host.conf

File 3: /etc/host.conf

/etc/nsswitch.conf

With the GNU C Library 2.0, the “Name Service Switch” (NSS) became more important. See the man page for nsswitch.conf or, for more details, The GNU C Library Reference Manual, Chapter "System Databases and Name Service Switch". Refer to package libcinfo, series doc. In the /etc/nsswitch.
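The hosts and host.conf formats just described, parsed by a small Python routine. This is an added example, not code from the SuSE Firewall on CD package: the file contents are constructed to match the formats above (reusing the cosmos.com names from the resolv.conf example), and the lookup applies the multi switch the way host.conf(5) defines it, returning every address listed for a name with multi on and only the first otherwise.

```python
"""Parser for /etc/hosts honouring the 'multi' parameter of /etc/host.conf.
Added example; the file contents below are constructed."""

# Constructed sample in the hosts format: IP address first, then the fully
# qualified name and short names, separated by blanks or tabs; '#' starts
# a comment.
HOSTS_SAMPLE = """\
#
# hosts         This file describes a number of host name-to-address
#               mappings for the TCP/IP subsystem.
127.0.0.1       localhost
192.168.0.1     sun.cosmos.com   sun      # name server
192.168.0.20    earth.cosmos.com earth
192.168.0.21    earth.cosmos.com          # second address for earth
"""

# Constructed sample in the host.conf format: one parameter per line.
HOST_CONF_SAMPLE = """\
#
# /etc/host.conf
#
# We have named running
order hosts bind
# Allow multiple addrs
multi on
# End of host.conf
"""


def parse_hosts(text):
    """Return a list of (ip, [names]) tuples in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()                    # blanks or tabs
        if len(fields) < 2:
            raise ValueError(f"malformed hosts line: {raw!r}")
        entries.append((fields[0], fields[1:]))
    return entries


def parse_host_conf(text):
    """Return a dict mapping each parameter to its list of values."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *values = line.split()
        conf[key] = values
    return conf


def lookup(name, hosts_text=HOSTS_SAMPLE, host_conf_text=HOST_CONF_SAMPLE):
    """Resolve name from the hosts file. With 'multi on' every matching
    address is returned, otherwise only the first one."""
    entries = parse_hosts(hosts_text)
    conf = parse_host_conf(host_conf_text)
    multi = conf.get("multi", ["off"])[0] == "on"
    matches = [ip for ip, names in entries if name in names]
    return matches if multi else matches[:1]


if __name__ == "__main__":
    print(lookup("earth.cosmos.com"))
    print(lookup("earth.cosmos.com", host_conf_text="multi off\n"))
```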
Databases available via NSS:
aliases    Mail aliases implemented by sendmail; see also the man page for aliases.
ethers     Ethernet addresses.
group      For user groups, used by getgrent; see also the man page for group.
hosts      For host names and IP addresses, used by gethostbyname and similar functions.
netgroup   Valid host and user lists in the network for the purpose of controlling access permissions; see also the man page for netgroup.
networks   Network names and addresses, used by getnetent.
passwd
protocols
rpc
services
shadow
files         Directly access files, for example, /etc/aliases.
db            Access via a database.
nis, nisplus  NIS
dns           Only usable by hosts and networks as an extension.
compat        Only usable by passwd, shadow, and group as an extension.
Table 2.3: Configuration Options for NSS “Databases”

It is also possible to trigger various reactions with certain lookup results; details can be found in the man page for nsswitch.conf. /etc/nscd.
#
# /etc/resolv.conf
#
# Our domain
search cosmos.com
#
# We use sun (192.168.0.1) as name server
nameserver 192.168.0.

File 5: /etc/resolv.conf

YaST enters the given name server here.

/etc/HOSTNAME

Here is the host name without the domain name attached. This file is read by several scripts while the machine is booting. It may only contain one line where the host name is mentioned. This file is also automatically generated from the configuration in /etc/rc.config.
/etc/init.d/nfsserver   Starts the NFS server.
/etc/init.d/sendmail    Controls the sendmail process depending on the configuration in /etc/rc.config.
/etc/init.d/ypserv      Starts the NIS server depending on the configuration in /etc/rc.config.
/etc/init.d/ypbind      Starts the NIS client depending on the configuration in /etc/rc.config.
Table 2.4: Some Start-Up Scripts for Network Programs

The User fwadmin for the FAS
Assign a password for the firewall admin user here. This password must be at least five characters in length. In the next screen, define a “pass phrase” and repeat this in the following field (see Figure 2.7).

Figure 2.7: Entering an SSH Passphrase for the Admin User

This prepares the basic installation of the SuSE Adminhost for Firewall. Follow the progress of the installation on the screen.
Then start the YaST2 Control Center and select ‘Install Patch CD’. Follow the instructions there. When the installation is finished, restart the FAS daemon with the command rcfasd start. The extra VPN functionality is now available.
3 Firewall Administration System (FAS)

FAS is the graphical administration interface used to create the configuration floppy for the SuSE Firewall on CD. FAS supports multiple users and can administer several different configurations. In addition, statistics can be generated and log files evaluated conveniently using FAS.
Logging in as fwadmin

After installation, the system boots to the graphical login. Log in here as the user fwadmin and use the corresponding password. The desktop of the user fwadmin opens.

Starting the Firewall Administration System

This is a client and server system, consisting of the GUI and the fasd server daemon. The fasd (fas daemon) manages the various configurations, makes modifications, and checks entries for correctness. The front-end accepts user data and forwards it to the server.
Figure 3.2: Creating a New Configuration

on CD and, for this reason, is checked for its suitability with the program cracklib. Select a password that cannot be guessed: do not use your own date of birth, street name, or the name of your favorite star. It should not be too short, but still be quick to type, so no one can see what you enter. Use a mixture of uppercase and lowercase letters as well as digits.
Figure 3.3: Creating a New Account

Creating a New Configuration

A configuration is created on the initial login. To create additional new configurations, select ‘Configuration’ ➝ ‘New Configuration’. A window appears in which to specify a name for the configuration. Also provide a description of the configuration. This description can be used to explain the purpose of the configuration and to document who has changed what in the configuration when.
SSH Admin Login (login for the administrator with SSH)
Time Synchronization (configuration of xntpd to synchronize the computer time with a time server)

Example, Inc.

This text uses an example configuration of a fictitious company. Only the configuration for the company’s headquarters in Nuremberg is described. If the configuration in a branch is significantly different from this, it is pointed out in a short note.
The Setup

The following infrastructure is required for the business to operate:
1 FTP server in the DMZ in Nuremberg
1 FTP mirror in the DMZ in Frankfurt
1 central web server in the DMZ in Nuremberg
1 central mail server in the DMZ in Nuremberg
1 CVS server in the DMZ in Nuremberg
20 Linux or Windows workstations in Munich
50 Linux or Windows workstations in Frankfurt
80 Linux or Windows workstations in Nuremberg
80.80.80.1. The DNS service is available from the provider under the IP addresses 123.123.123.123 and 123.123.123.124. The following entries have already been made:
www.example.com  = 80.80.80.2 + example.com
ftp.example.com  = 80.80.80.2
mail.example.com = 80.80.80.2 + MX record
cvs.example.com  = 80.80.80.12
Because hosts addressed via proxy services of the firewall do not require public IP addresses, two networks are administered in the DMZ:
80.80.80.8/255.255.255.248
192.168.8.8/255.255.255.
Network Policies

A virtual network for heads of department:
192.168.10.0/255.255.255.192
A virtual network for staff:
192.168.10.64/255.255.255.192
192.168.10.128/255.255.255.192
192.168.10.192/255.255.255.192
The networks in Frankfurt and Munich are divided accordingly. This results in the following: All hosts with IP addresses 192.168.x.1 to 192.168.x.63 have full Internet access.
Basics

In ‘Basics’, either disable the root password completely (default) or set it. As a safety precaution, repeat the root password (see Figure 3.7). If you do not set a root password, logins directly to the firewall host as root are not possible. Access is then only possible via ssh and RSA keys, assuming SSH is configured. Check ‘Enable serial console’ to enable connection of a serial console from which the firewall can be controlled. Also choose between an American or
Figure 3.8: Configuring the Hard Disk

Disk
Swap Space: Size of the swap partition, such as 128 M

Further Options
Activate or deactivate ‘Use /var on Disk?’ to set whether /var should be on the hard disk.
Enable IDE DMA: Enables DMA for IDE.
If you are using the e-mail proxy, using caching for the HTTP proxy, or want to save messages to the hard disk, the hard disk must be configured and /var activated.
Figure 3.9: Network Interfaces

1. Make these settings in the ethernet dialog (Figure 3.11 on the facing page):
Interface: Names are automatically allocated in sequence, but can be changed.
Virtual: If required, enter a virtual device name in the field next to this.
IP address: IP address to assign to the interface.
Netmask: The netmask for the IP address.
Direction: internal or external. Is the interface connected to the intranet, to the DMZ, or to the Internet?
Confirm the settings with ‘Ok’.
Figure 3.10: Selecting Network Interfaces
Figure 3.11: Ethernet Interface

2. The configuration dialog for DSL is divided into two parts: the DSL configuration and the ethernet configuration.
conf for DSL. This file is involved with the resolution of host names by the resolver library and contains the domain of the host and the IP address of the name server.
Interface Name: Enter the interface for DSL here. ppp0 is the default, but can be changed.
Enter the following settings for the ethernet configuration:
Device: The name of the ethernet device
Local IP: A local IP address is given here, which can be retained. You only need to change this value if a real network exists with this address.
Interface’s Phone Number (MSN): Enter the phone number of the ISDN device (MSN).
Provider’s Phone Number: Phone number of the provider
Phone Number for dial-in: Dial-in phone number
Maximum Dial Attempts: Maximum number of dial attempts

Figure 3.12: ISDN Configuration — Part 1

These details are required under ‘Interface Configuration’:
Encapsulation: Choose here between syncppp and rawip.
Interface: Enter the interface name.
Figure 3.13: ISDN Configuration — Part 2

Routing

In a dialog like Figure 3.14 on the next page, view, create, and modify routes. ‘Add’ creates a new route. Use ‘Edit’ to modify an existing route. With ‘Delete’, remove a set route from the list. Routes are configured in Figure 3.15 on page 50. The following settings can be made:
Destination: Which network or host should the route address? Enter the network address (e. g., 192.168.0.0).
Gateway: If desired, enter the IP address for the gateway.
Figure 3.14: Routing Dialog

Netmask: The relevant netmask.
Interface: Select the interface to use.
Save your settings with ‘Ok’. Stop the configuration with ‘Cancel’.

Host Name and Name Server Settings

Configure the host name, domain, and name server as shown in Figure 3.16 on page 51.
Firewall Host Name: Enter the name of the firewall host. Avoid names like gateway or firewall.
Firewall Domain: Enter the name of the domain to which the firewall belongs.
Figure 3.15: Routing

In the next entry line, the search lists are specified, for example, your-company-inc.com. If you now click ‘Finish’, the base configuration is completed. A message to this effect appears briefly on the screen. If conflicts or problems in the configuration are detected, a corresponding error message appears here.

The Example, Inc., Configuration

Page 1/5 of the Base Setup
The administrator should be able to log in directly to the firewall in Nuremberg via console.
Figure 3.16: Host and Domain Configuration

Only entire hard disks can be used. Individual partitions cannot be configured. In our example, the hard disk is the master on the second IDE bus. Therefore, hdc is entered as the device. A swap space serves to store data from the main memory temporarily on the hard disk, if this is required. 128M is used in our example. Since an IDE hard disk is being used, it makes sense to activate DMA.
Now the network card (eth1) leading to the DMZ is configured. It should be responsible for a subnet of the public IP addresses. How this subnet is made available externally (announced) is discussed in the Kernel Runtime Setup module.
Network type = ethernet
Device name  = eth1
IP address   = 80.80.80.14
Netmask      = 255.255.255.
Direction    =
fw-nbg example.com

As the name server, the firewall should use the internal DNS server. Then the firewall will also know the names of the internal hosts.
Name Server IP Addresses: 192.168.10.65
In the domain search list, both the publicly known domain and the internal domain must be given.
Domain Search List: example.com nbg-example.com

IP Filter and NAT

When configuring the IP Filter and NAT module, choose between expert configuration and normal configuration.
Figure 3.17: IP Forward Dialog

Masquerading
The same entry fields are available in ‘Masquerading’ (see Figure 3.18 on the next page). Masquerading is a special form of NAT (Network Address Translation). With it, IP packets sent are given the sender address of the router.

Destination NAT
The abbreviation NAT stands for Network Address Translation. Destination NAT means that the destination address of the packet is changed.
Figure 3.18: Masquerading Dialog

Destination Port: For ‘From:’, enter the destination port. For ‘To:’, define a series of ports.
Redirect Address: Specify the IP address to which the packet is redirected.
Redirect Port: Enter the port to which packets are redirected.

ICMP to Firewall
ICMP (Internet Control Message Protocol) is used for error analysis in the network. ICMP sends messages describing the error states of IP, TCP, or UDP datagrams.
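A packet-rewriting model of the two NAT forms, added here as an example (not FAS or kernel code) to make the difference concrete: masquerading replaces the sender address of outgoing packets with the router's, destination NAT rewrites the destination of incoming packets according to the dialog fields above (destination port range, redirect address and port). Both directions need a connection table so that replies can be translated back. The model assumes 80.80.80.1 as the firewall's public address and 0.0.0.0 as "any source"; the client, DMZ server and port numbers in the walk-through are constructed.

```python
"""Masquerading and destination NAT as a small packet-rewriting model.
Added example, not FAS or kernel code. Addresses taken from Example, Inc.
are the public range 80.80.80.x and the DMZ net 192.168.8.8/29; the client,
the server 192.168.8.9 and the ports are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    """Fields of the Destination NAT dialog: public address and destination
    port range to catch, and where to redirect to."""
    dst_addr: str
    from_port: int
    to_port: int
    redirect_addr: str
    redirect_port: int
    src_addr: str = "0.0.0.0"   # 0.0.0.0 taken to mean any source (assumption)


class Nat:
    def __init__(self, router_addr, dnat_rules=()):
        self.router_addr = router_addr
        self.dnat_rules = list(dnat_rules)
        self.masq_out = {}        # (proto, inner src, sport) -> router port
        self.masq_in = {}         # (proto, router port) -> (inner src, sport)
        self.dnat_sessions = {}   # (proto, client, cport) -> (public dst, dport)
        self.next_port = 61000    # constructed start of the masquerade port pool

    def masquerade(self, pkt):
        """Outgoing packet: give it the router's address as sender."""
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.masq_out:
            self.masq_out[key] = self.next_port
            self.masq_in[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return replace(pkt, src=self.router_addr, sport=self.masq_out[key])

    def unmasquerade(self, pkt):
        """Reply addressed to the router: hand it to the inner host that
        started the connection, or drop it (None) if no connection matches."""
        orig = self.masq_in.get((pkt.proto, pkt.dport))
        if orig is None:
            return None
        return replace(pkt, dst=orig[0], dport=orig[1])

    def dnat(self, pkt):
        """Incoming packet: rewrite the destination when a rule matches."""
        for r in self.dnat_rules:
            if (pkt.dst == r.dst_addr and r.from_port <= pkt.dport <= r.to_port
                    and r.src_addr in ("0.0.0.0", pkt.src)):
                self.dnat_sessions[(pkt.proto, pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
                return replace(pkt, dst=r.redirect_addr, dport=r.redirect_port)
        return pkt

    def undnat(self, pkt):
        """Reply from the redirected server: restore the public address."""
        orig = self.dnat_sessions.get((pkt.proto, pkt.dst, pkt.dport))
        if orig is None:
            return pkt
        return replace(pkt, src=orig[0], sport=orig[1])


def demo():
    """Walk one masqueraded and one redirected connection through the router."""
    nat = Nat("80.80.80.1", [DnatRule("80.80.80.2", 80, 80, "192.168.8.9", 8080)])
    out = nat.masquerade(Packet("TCP", "192.168.10.5", 40000, "198.51.100.7", 80))
    back = nat.unmasquerade(Packet("TCP", "198.51.100.7", 80, out.src, out.sport))
    redirected = nat.dnat(Packet("TCP", "203.0.113.9", 5000, "80.80.80.2", 80))
    answer = nat.undnat(Packet("TCP", redirected.dst, redirected.dport, "203.0.113.9", 5000))
    return out, back, redirected, answer


if __name__ == "__main__":
    for p in demo():
        print(p)
```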
Figure 3.19: Dialog for Destination NAT

Source Address: Enter the source IP address.
Destination Address: Select the destination address.
ICMP: Select the message type.
Logging: Activate logging of access violations with the ‘Log Access Violation’ check box (on by default).

The Example, Inc., Configuration

IPFilter Configuration
This is the most time-consuming part of the configuration. In this module, you should know exactly what effects the entries have.
1.
Figure 3.20: Dialog for ICMP

Address the internal DNS server from the DMZ:
  Protocol        UDP
  Local address   192.168.8.8/255.255.255.248
  Remote address  192.168.10.65
  from Port       53
  to Port         53

  Protocol        UDP
  Local address   80.80.80.8/255.255.255.248
  Remote address  192.168.10.65
  from Port       53
  to Port         53

Make the CVS server in the DMZ accessible from everywhere:
  Protocol        TCP
  Local address   0.0.0.0/0.0.0.0
  Remote address  80.80.80.
POP3 access to the mail server for clients from the internal network:
  Protocol        TCP
  Local address   192.168.10.0/255.255.255.0
  Remote address  192.168.8.10
  from Port       110
  to Port         110

IMAP access to the mail server for clients from the internal network:
  Protocol        TCP
  Local address   192.168.10.0/255.255.255.0
  Remote address  192.168.8.10
  from Port       143
  to Port         143

SMTP access to the mail server for clients from the internal network:
  Protocol        TCP
  Local address   192.168.10.
  Protocol        TCP
  Local address   192.168.10.0/255.255.255.192
  Remote address  0.0.0.0
  from Port       1
  to Port         65535

  Protocol        UDP
  Local address   192.168.10.0/255.255.255.192
  Remote address  0.0.0.0
  from Port       1
  to Port         65535

  Protocol        ICMP
  Local address   192.168.10.0/255.255.255.192
  Remote address  0.0.0.0

3. Destination NAT
Destination NAT rules are not required at Example, Inc.

Kernel Runtime Setup

The Kernel Runtime Setup is a matter for professionals.
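The IP filter rules listed above and the network policy from the Example, Inc. setup (hosts 192.168.x.1 to .63 with full Internet access) as a first-match rule evaluator in Python. This is an added example, not FAS code and not the iptables rules FAS generates. It assumes, from the dialog descriptions, that Local address is the client side, Remote address the server side, from/to Port a destination port range, and 0.0.0.0 (or 0.0.0.0/0.0.0.0) any address; a packet no rule permits is rejected. Only the Example, Inc. rules that appear completely above are included, and the sample packets are constructed.

```python
"""First-match evaluator for IP filter rules in the FAS IPFilter form
(Protocol, Local address, Remote address, from Port, to Port).
Added example, not FAS code; assumptions are noted in the comments."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    comment: str
    protocol: str       # TCP, UDP or ICMP
    local: str          # client side: address or address/netmask (assumption)
    remote: str         # server side (assumption)
    from_port: int = 0  # destination port range (assumption); unused for ICMP
    to_port: int = 0


def as_network(spec):
    """Turn a FAS address field into an ipaddress network.
    0.0.0.0 and 0.0.0.0/0.0.0.0 are taken to mean any address."""
    if spec in ("0.0.0.0", "0.0.0.0/0.0.0.0"):
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec, strict=False)


def subnet_of(addr, mask="255.255.255.192"):
    """The /26 (the unit of the Example, Inc. network policy) containing addr."""
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


# The Example, Inc. rules that are given completely above.
EXAMPLE_INC_RULES = [
    Rule("internal DNS server reachable from the private DMZ net", "UDP",
         "192.168.8.8/255.255.255.248", "192.168.10.65", 53, 53),
    Rule("internal DNS server reachable from the public DMZ net", "UDP",
         "80.80.80.8/255.255.255.248", "192.168.10.65", 53, 53),
    Rule("POP3 to the mail server for internal clients", "TCP",
         "192.168.10.0/255.255.255.0", "192.168.8.10", 110, 110),
    Rule("IMAP to the mail server for internal clients", "TCP",
         "192.168.10.0/255.255.255.0", "192.168.8.10", 143, 143),
    Rule("full access for 192.168.10.0/26 (hosts .1 to .63)", "TCP",
         "192.168.10.0/255.255.255.192", "0.0.0.0", 1, 65535),
    Rule("full access for 192.168.10.0/26 (hosts .1 to .63)", "UDP",
         "192.168.10.0/255.255.255.192", "0.0.0.0", 1, 65535),
    Rule("full access for 192.168.10.0/26 (hosts .1 to .63)", "ICMP",
         "192.168.10.0/255.255.255.192", "0.0.0.0"),
]


def matching_rule(rules, protocol, src, dst, dport=None):
    """Return the first rule that permits the packet, or None."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.protocol != protocol:
            continue
        if src_ip not in as_network(r.local) or dst_ip not in as_network(r.remote):
            continue
        if protocol != "ICMP" and (dport is None or not r.from_port <= dport <= r.to_port):
            continue
        return r
    return None


def is_allowed(protocol, src, dst, dport=None, rules=EXAMPLE_INC_RULES):
    """Default deny: whatever no rule permits is rejected (assumption)."""
    return matching_rule(rules, protocol, src, dst, dport) is not None


if __name__ == "__main__":
    # Constructed packets: a head-of-department host and a staff host.
    for host in ("192.168.10.5", "192.168.10.65"):
        print(host, subnet_of(host), is_allowed("TCP", host, "80.80.80.2", 443))
```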
Figure 3.21: Kernel Runtime Settings

System Logging
In this dialog, shown in Figure 3.22 on the next page, configure the behavior of the Syslog daemon. You have the option of sending the output of syslogd to the text console ‘Log to /dev/tty9’ (Ctrl + Alt + F9), to the hard disk ‘Log to hard disk’, and to a log host. Enter one or more IP addresses of hosts to which the logs should be written. These hosts must be configured to accept the logs.
Figure 3.22: Settings for Syslog Daemon

nation for the log files: 192.168.10.254. ‘Enable Log and Traffic Evaluation’ is activated.

DNS Forwarder
In this dialog, shown in Figure 3.23 on the next page, name service forwarding is configured. Detailed explanations of DNS and bind8 can be found in DNS — Domain Name Service on page 157. Enter the IP address of the host to which name service requests should be forwarded.
Figure 3.23: DNS Configuration

rules generated automatically and specify the IP addresses of the hosts to write to the file hosts.allow.

The Example, Inc., Configuration

Page 1/2 of the DNS Configuration
The proxy for DNS is only set up for an internal host. This should be the internal name server. Two name server addresses have been made available by the provider, which are used as forwarders. Requests are forwarded to these name servers.
Forwarder: 123.123.123.123 123.123.123.
Figure 3.24: DNS Access Configuration

Page 2/2 of the DNS Configuration
‘Configure IP filter rules automatically’ must be activated for the necessary iptables rules to be generated. Now define which IP addresses may use the DNS proxy. In Example, Inc., in Nuremberg, this is only the internal DNS server.
Access allowed for: 192.168.10.65

FTP Proxy — External
If you are operating your own FTP server, make the corresponding settings here, as in Figure 3.
Figure 3.25: Configuration of the FTP Server

FTP proxy port: Port on which the FTP proxy is addressed, normally port 21. Viewed from the outside, this turns your firewall into the FTP server. Ask your provider to make an alias entry in the DNS for your firewall, for example, ftp.mycompany.com
Maximum Clients: Maximum number of FTP clients that can be connected to the FTP server at any one time.
Port reset PASV: By default, this check box is activated so passive FTP mode is selected.
FTP server port Port on which the FTP server is listening. Normally, this is port 21. Click ‘Next’ to continue to the second mask of the dialog, illustrated in Figure 3.26. Have the IP filter rules generated automatically by activating the corresponding checkbox. In the selection field, enter the IP addresses and networks that should have access to the FTP service. With ‘Finish’, complete the configuration.
You will not expect many clients to want access to the FTP service at the same time. To avoid an overloaded line, the maximum number of clients who can be logged in at the same time is restricted to 20. The options ‘Port reset PASV’ and ‘Same address’ must only be modified in special cases and should remain activated. Finally, make the address of the real FTP server known to the firewall: FTP Server IP Address: 192.168.8.
Figure 3.27: Configuration of the Internal FTP Proxy

Port reset PASV: By default, this check box is activated, so passive FTP mode is selected. In passive mode, the FTP client asks the server which ports to use. The client then opens this port for data transfer. If you deactivate the check box, data transfer takes place in active mode, which means the client sends a request to the FTP server, which then opens a port for data transfer to the client.
In the second mask, shown in Figure 3.28, configure access to the internal FTP proxy. By default, automatic generation of filter rules is activated. Select the IP addresses that should be given access. Select ‘Finish’ to complete the configuration.

Figure 3.28: Access to the Internal FTP Proxy

The Example, Inc., Configuration
Page 1/2 Internal FTP Proxy Configuration
Only a few basic settings are made here. As usual, the corresponding rules are generated automatically.
Page 2/2 Internal FTP Proxy Configuration
Access allowed for: 192.168.10.0/24

Generic TCP Proxy
rinetd is used as the generic proxy. It accepts a TCP connection on one address and port and forwards the data over a new connection to a different machine and port. Forwarding is configured per port. In effect, this is the relaying of TCP connections at the application level. rinetd can only relay connections that use a single channel. It cannot be used as an FTP proxy, because an FTP session uses two channels (control and data).
Figure 3.29: Configuration of the Generic Proxy

The patterns of the allow and deny attributes may contain the wild cards question mark (‘?’) and asterisk (‘*’). The wild card ‘?’ stands for exactly one arbitrary character; the asterisk ‘*’ represents any number of arbitrary characters. If one or more allow attributes are set for a rule, all connections whose source address does not match any of them are rejected immediately. Deny attributes work the other way round: incoming TCP connections from a source address that matches a deny pattern are rejected immediately; all others are allowed. These patterns are matched against the client's source IP address only, so they restrict where a connection may come from but do not authenticate the client.
Figure 3.30: Redirect Settings for rinetd

The Example, Inc., Configuration
Generic TCP Proxy
At Example, Inc., new sales representatives do not always have access to the intranet from the beginning. So that they can read their mail while away, the services pop3s and imaps are set up on the mail server and relayed by the firewall.

1. Redirect Settings
Bind address: 80.80.80.2
Bind port: 995
Connect address: 192.168.8.10
Connect port: 995

2. Allow Patterns
allow: activated
Pattern: 80.80.60.*

3. IP Filter Configuration
No further restrictions need to be made in the ‘IP Filter Configuration’ tab. Only the standard access remains to be configured:

IP Filter
Configure IP Filter rules automatically: activated
Log access violation: activated
Access allowed for: 80.80.60.0/24

In addition, a second, similar rule must be inserted. The only difference from the previous rule is the port number: both Bind port and Connect port are set to 993 for imaps.
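The allow and deny semantics described above, worked through in code. This is an added example, not part of the manual or of rinetd itself: it re-implements rinetd's matching rules for a rinetd.conf constructed from the Example, Inc., values (bind 80.80.80.2, connect 192.168.8.10, allow 80.80.60.*, ports 995 and 993); the global deny line for a single address is an assumption added to show that a deny takes precedence over an allow. It lets you check which clients the generic proxy would accept before the configuration goes onto the floppy.

```python
"""Evaluate rinetd allow/deny patterns for the Example, Inc. generic proxy.

Added example; it re-implements the rules described in the text and is not
rinetd code.  The configuration text is constructed from the values in the
manual; the global "deny" line is an assumption added for illustration.
"""
import re

RINETD_CONF = """\
# allow/deny lines before the first forwarding rule apply to every rule
deny 80.80.60.13
# bindaddress bindport connectaddress connectport
80.80.80.2 995 192.168.8.10 995
allow 80.80.60.*
80.80.80.2 993 192.168.8.10 993
allow 80.80.60.*
"""


def pattern_to_regex(pattern):
    """rinetd wild cards: '?' matches exactly one character, '*' any run."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$")


def parse_rinetd_conf(text):
    """Return (global_rules, forwards).

    A rule is ('allow' | 'deny', compiled pattern).  Rules that appear after
    a forwarding line belong to that line only; earlier ones are global.
    """
    global_rules, forwards = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] in ("allow", "deny") and len(fields) == 2:
            rule = (fields[0], pattern_to_regex(fields[1]))
            (forwards[-1]["rules"] if forwards else global_rules).append(rule)
        elif len(fields) == 4:
            forwards.append({"bind": (fields[0], int(fields[1])),
                             "connect": (fields[2], int(fields[3])),
                             "rules": []})
        else:
            raise ValueError("unrecognised rinetd.conf line: %r" % raw)
    return global_rules, forwards


def permitted(rules, source_ip):
    """A matching deny rejects; if any allow exists, one of them must match."""
    allows = [rx for kind, rx in rules if kind == "allow"]
    denies = [rx for kind, rx in rules if kind == "deny"]
    if any(rx.match(source_ip) for rx in denies):
        return False
    if allows and not any(rx.match(source_ip) for rx in allows):
        return False
    return True


def decide(conf_text, source_ip, bind_port):
    """Return the (address, port) rinetd would connect to for a client that
    arrives on bind_port, or None if the client is refused or nothing listens."""
    global_rules, forwards = parse_rinetd_conf(conf_text)
    for fw in forwards:
        if fw["bind"][1] != bind_port:
            continue
        if permitted(global_rules, source_ip) and permitted(fw["rules"], source_ip):
            return fw["connect"]
        return None
    return None


if __name__ == "__main__":
    for ip, port in (("80.80.60.7", 995), ("80.80.60.13", 995),
                     ("80.80.61.7", 993), ("80.80.60.7", 22)):
        print(ip, port, "->", decide(RINETD_CONF, ip, port))
```

The patterns see nothing but the source address. A client from 80.80.60.0/24 still has to present a valid mailbox password to 192.168.8.10; that password, not the address pattern, is what authenticates the sales representative.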
Figure 3.31: Configuration of the External HTTP Proxy

The Example, Inc., Configuration
Page 1/2 HTTP Proxy — External
The external HTTP proxy has to know on which port the web server can be reached:

HTTP Proxy Port: 80

The basic firewall rules can again be generated automatically by activating ‘Auto listen to’. All that is left are the forwarding rules for the proxy. In this way, requests to http://www.example.
Figure 3.32: Access to the External HTTP Proxy

Access to the external HTTP proxy, and thus to the public web server, is allowed from any address, that is, 0.0.0.0/0.0.0.0.

Configuring the HTTP Proxy for Internal Connections
In the ‘HTTP Proxy — Internal’ module, configure the proxy for the users of the internal network. This dialog is shown in Figure 3.33.

HTTP Proxy Port: The default port for internal requests is set to 3128.
Figure 3.33: Configuration of the Internal HTTP Proxy

Transparent Proxy: Clients that are not configured to use a proxy send their HTTP requests to port 80 of the destination server, so a proxy listening on port 3128 would never see them. Activate ‘Transparent Proxy’ to have such requests redirected to port 3128 by the packet filter.
Caching: Activate ‘Caching?’ so that repeated requests for pages that are still valid are served from the cache instead of being fetched again. Specify the size of the cache in the corresponding entry field.
Figure 3.34: Define ACLs

ACL types:
url_regex: URL matched with a regular expression.
proto: Specify the appropriate protocol here.
src: Source addresses.
dst: Destination addresses.
port: The port.
method: The HTTP method, such as CONNECT, POST, or GET.
srcdomain: Name of the source domain.
dstdomain: Name of the destination domain.
srcdom_regex: Source domain matched with a regular expression.
Add: Add the new ACL to the list of ACLs already created.
Edit: If you click ‘Edit’, a window opens in which to enter or modify the values of the selected ACL.
Delete: Delete the selected ACL with this button.
When you have finished the entries, confirm with ‘Next’.

Arranging ACLs

Figure 3.35: Arrange ACLs

This module page, shown in Figure 3.35, offers various ways of building rules from the ACLs. The settings for ‘ACL’ and ‘negate ACL’ within one rule are combined with AND.
</gr_repl<br>ace>
<gr_replace lines="84" cat="clarify" orig="Define, via ‘Negate ACL’">
Via ‘Negate ACL’, an ACL can be used in negated form. A new rule is integrated with ‘Add’ and is then listed in the list field of defined rules. With the black arrow keys, move a selected rule up or down in the list. To edit a rule, click it in the list field; its settings appear in the upper part. Modify them and apply the changes with ‘Change’. To delete a rule, select it and click ‘Delete’.
Define, via ‘Negate ACL’, an ACL to use in negated form. A new rule is integrated with ‘Add’. It is then be listed in the list field of defined ACLs. With the black arrow keys, move a selected rule up or down in the list. To edit rules, click the corresponding rule in the list field. The settings appear in the upper part. Modify these and apply the changes with ‘Change’. To delete rules, select the appropriate rule and click ‘Delete’.
Figure 3.36: Content Filter Dialog

Actions:
allow: allows the selected tag or attribute.
log: creates an entry in the log file, which can later be used for developing filter strategies.
log,allow: creates an entry in the log file and allows the selected tag or attribute.
replcont: replaces the tag or attribute and continues evaluating it.
replabort: replaces the tag or attribute, then stops evaluating it.
Entering a replacement value here only makes sense if you have chosen ‘replcont’, ‘replabort’, ‘replskip’, or ‘replendskip’ as the action. Click ‘Add’ to generate the rule and add it to the list field. To edit a filter rule, select it in the list field by clicking it. Its values are then displayed in the top half of the window. Modify the values and confirm the changes by clicking ‘Edit’. To delete filter rules, select them in the list field and click ‘Delete’.
Figure 3.37: Mime Type Filter

Enter the HTTP port of the provider's proxy in ‘Parent Proxy Port’. Refer to Figure 3.38. Confirm the settings with ‘Next’.

Access Configuration
At the end of this module, you can again activate the automatic configuration of IP filter rules and switch on logging of access violations. As usual, select from the list the IP addresses for which access should be granted (see Figure 3.39 on page 83).
Figure 3.38: Configuration of the Internal HTTP Proxy

Proxy Mode: activated
Cache: activated
MB Cache: 1000

Tip: Transparent Proxy and Caching
Because a transparent proxy is set up, there is no need to configure a proxy on the individual clients. Through caching, clients have the advantage that pages already in the cache are delivered more quickly.

Page 2/7 HTTP Proxy — Internal
At this point, ACLs (Access Control Lists) are defined.
Figure 3.39: Access to the Internal HTTP Proxy

The values for the ACL are entered by selecting it and then editing it. As the value, the network 192.168.10.0/24 should be entered.

Page 3/7 HTTP Proxy — Internal
The ACL generated is added to the configuration here. Mark ACL ➝ Nuremberg internal and insert it with ‘Add’. The rules are processed from top to bottom, and the first rule that matches a request decides, so the order is important: a permissive rule placed above a restrictive one silently disables the restriction.
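The ordering rule just described, that the first matching line decides, is easy to get wrong. The following added example (not part of the manual or of Squid) re-implements the subset of Squid's http_access evaluation that the FAS dialogs expose: ACL types src, dstdomain, port, method and url_regex, several ACLs on one line combined with AND, negation with ‘!’, and the default of the opposite of the last line when nothing matches. It runs constructed requests through two orderings of the same rules. Only the internal network 192.168.10.0/24 comes from the manual; the ACL names, the blocked domain .ads.invalid, the port lists and the request values are assumptions for illustration.

```python
"""First-match evaluation of Squid http_access rules (added example).

Not Squid's own code: a small re-implementation of the semantics of the ACL
types listed in the FAS dialog, written to show why rule order matters.
The configuration fragments and requests are constructed for the example;
only the internal network 192.168.10.0/24 is taken from the manual.
"""
import ipaddress
import re

ACLS = """\
acl nuremberg_internal src 192.168.10.0/24
acl all src 0.0.0.0/0
acl safe_ports port 80 443 21
acl ssl_ports port 443
acl CONNECT method CONNECT
acl blocked dstdomain .ads.invalid
"""

# correct order: restrictive rules first, then the allow for the internal
# network, then a catch-all deny
RULES_OK = ACLS + """\
http_access deny !safe_ports
http_access deny CONNECT !ssl_ports
http_access deny blocked
http_access allow nuremberg_internal
http_access deny all
"""

# wrong order: the allow line sits above the deny for the blocked domain,
# so internal clients never reach that deny
RULES_WRONG_ORDER = ACLS + """\
http_access allow nuremberg_internal
http_access deny blocked
http_access deny all
"""


def parse_squid_conf(text):
    """Return ({acl name: [(type, values), ...]}, [(action, [terms]), ...])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "acl":
            acls.setdefault(fields[1], []).append((fields[2], fields[3:]))
        elif fields[0] == "http_access":
            rules.append((fields[1], fields[2:]))
    return acls, rules


def acl_matches(acls, name, request):
    """True if any definition line of the named ACL matches the request."""
    for kind, values in acls[name]:
        if kind == "src":
            ip = ipaddress.ip_address(request["src"])
            if any(ip in ipaddress.ip_network(v, strict=False) for v in values):
                return True
        elif kind == "dstdomain":
            host = request["host"].lower()
            for v in (v.lower() for v in values):
                # a leading dot matches the domain itself and all subdomains
                if host == v.lstrip(".") or (v.startswith(".") and host.endswith(v)):
                    return True
        elif kind == "port":
            if str(request["port"]) in values:
                return True
        elif kind == "method":
            if request["method"].upper() in (v.upper() for v in values):
                return True
        elif kind == "url_regex":
            if any(re.search(v, request["url"]) for v in values):
                return True
        else:
            raise ValueError("ACL type not supported here: " + kind)
    return False


def http_access(conf_text, request):
    """All terms on a line are ANDed, '!' negates a term, the first matching
    line decides; with no match, the default is the opposite of the last line."""
    acls, rules = parse_squid_conf(conf_text)
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), request) != t.startswith("!")
               for t in terms):
            return action == "allow"
    return rules[-1][0] != "allow" if rules else False


def request(src, host, port=80, method="GET"):
    """Build a constructed request record for the evaluator."""
    return {"src": src, "host": host, "port": port, "method": method,
            "url": "http://%s:%d/" % (host, port)}


if __name__ == "__main__":
    r = request("192.168.10.5", "www.ads.invalid")
    print("correct order:", http_access(RULES_OK, r))
    print("allow first:  ", http_access(RULES_WRONG_ORDER, r))
```

Ending the list with an explicit deny all, as FAS does for the Example, Inc., configuration, makes the default independent of whatever the last real rule happens to be.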
Page 7/7 HTTP Proxy — Internal
The proxy should only be used by clients from the internal network. For this reason, access is restricted to this network:

IP Filter: activated
Access allowed for: 192.168.10.0/24

IPsec VPN Tunnel
Use the VPN connection module to set up virtual private networks. Such a VPN can be regarded as a tunnel between two hosts that runs through the Internet. The tunnel itself is independent of the data transmitted through it.
Figure 3.40: Select the Local Certificate

General Settings
This dialog is shown in Figure 3.42 on page 87. Assign a name for the connection; this makes it easier to identify the connection if you set up several tunnels. A connection name may only contain letters, digits, underscores, and hyphens. Decide whether the SuSE Firewall on CD should open a connection to another VPN server when it boots (Client Mode) or wait for incoming VPN connections (Server Mode).
Figure 3.41: Available Certificates

VPN Connection
The ‘VPN connection’ tab is shown in Figure 3.43 on page 88. Under ‘Local Configuration’, activate the check box ‘Route a subnet’ if a local subnet should be reachable through the tunnel. If the check box is activated, specify under ‘Subnet’ the local network that an incoming VPN connection may reach. This network must be in a different IP address range from the one on the remote side; otherwise the gateway cannot route unambiguously.
Figure 3.42: VPN: General Settings

A shared key is an arbitrary string and should be long and randomly generated. Quotation marks (") may not occur in it. Every connection can have its own shared key, but it must be the same at both ends of a tunnel. The shared key must be transmitted in a secure manner, because anyone who knows it can authenticate to the VPN gateway and obtain access. For this reason, it is preferable to use X.509 certificates, which do not require a secret to be distributed in advance.
Figure 3.43: VPN Connection

To define a filter rule, first select the transport protocol: tcp, udp, or icmp. For tcp or udp, you only need to specify the destination port or port range. For icmp, choose the message type from the list. Activate ‘Log Access Violation’, if desired.

Masquerading
In this dialog, activate masquerading for the connection, as shown in Figure 3.46 on page 91. This is only possible, however, if a local subnet is routed, not a remote one.
Figure 3.44: Authentication for a VPN Connection

When satisfied with all the dialogs, click ‘Ok’. Information about setting up VPN on Windows clients can be found in IPsec Client on Windows XP and Windows 2000 on page 131.

The Example, Inc., Configuration
To configure the IPsec module, the required certificates must first be generated. This is done in ‘Modules’ ➝ ‘Certificate Management’. First, a root CA must be generated.
Figure 3.45: Filter Rules for a VPN Connection

The ‘Create CA’ dialog asks for: Common Name, E-mail Address, Organizational unit, Organization, Locality, State, Country, Days, CA Password, Verify CA Password, and Key size. For the Example, Inc., root CA:

Common Name: RootCA
E-mail Address: admin@example.com
Organizational unit: edv
Organization: Example, Inc.
Figure 3.46: Masquerading for a VPN Connection

The ‘Create Certificate’ dialog asks for: Common Name, E-mail Address, Organizational unit, Organization, Locality, State, Country, CA Password, Certificate Password, Verify Certificate Password, and Key size. For the firewall certificate in Nuremberg:

Common Name: Firewall-nbg
E-mail Address: admin@example.com
Organizational unit: edv
Organization: Example, Inc.
Figure 3.47: Destination NAT for VPN Connections

Page 1/2 IPsec VPN Tunnel
First, the certificate for Nuremberg is selected. To do this, click ‘Select Certificate’ and select the certificate Firewall-nbg. The password in the example configuration is Firewall.

Page 2/2 IPsec VPN Tunnel
Now the connections to the other branches and to the sales representatives are configured.

1. General Settings
The firewall in Nuremberg is the master.
2. VPN Connection
The location in Frankfurt has the IP address 100.100.100.2. The Frankfurt subnet should also be reachable from Nuremberg:

Fixed IP Address: activated
IP Address: 100.100.100.2
Remote Subnet: activated
Subnet Address: 192.168.11.0/24

3. Authentication
Authentication should take place with certificates. For this reason, the field ‘Authenticate with X.509 Certificates’ is activated. With ‘Select’, the Frankfurt certificate ‘Firewall-fam’ must be selected.

4. IP Filter
The branch in Frankfurt is considered trustworthy.
1. General Settings
Connection Name: SalesReps
Connection Type: Wait for the connection (Server Mode)
The settings for PFS Setting, Key Life Time, and Key Replacement Tries remain unchanged.

2. VPN Connection
The sales representatives should have access to the internal network. The settings for this are as follows:

Local Subnet: Route a Subnet activated
Subnet Address: 192.168.10.0/24

All dial-up takes place with dynamic IP addresses. Therefore, Road Warrior is activated.

3.
Figure 3.48: Configuration of Mail Relay — Dialog 1

ISP Relay: Activate this check box to forward all outgoing e-mail to the SMTP server of your Internet service provider, and enter the IP address of that server. With ‘Next’, continue to the second part of the mail relay configuration, shown in Figure 3.49.
Figure 3.49: Configuration of Mail Relay — Dialog 2

With ‘Next’, complete the configuration of the mail relay.

The Example, Inc., Configuration
Page 1/2 Mail Relay
The mail server of Example, Inc., listens on the IP address 192.168.8.10. It must be determined for which domains the relay should accept e-mail and where it should send outgoing mail:

Internal Mail Server: 192.168.8.10
Relay the Following Domains: example.com
ISP relay: activated, 80.80.80.
Only the internal mail server may hand outgoing mail to the proxy. With the netmask, this is reduced to a single computer: 192.168.8.10/32. All other parameters for Example, Inc., remain at their default settings.

Administration via SSH
In this module, configure SSH access for the firewall administrator. The SSH public keys used for the encrypted connection to the firewall machine are entered here. More detailed information about SSH can be found in SSH — Secure Shell, the Safe Alternative on page 190.
For version 2 of SSH, the files id_dsa.pub and id_rsa.pub are involved. Select them and the key appears in the list (see Figure 3.51).

Figure 3.51: Import Key

A key can also be entered by copying and pasting. If you click ‘Add Key’, a dialog opens. Paste your SSH public key into the text field and confirm with ‘Ok’. The key now appears in the lower list. With ‘Delete Key’, remove a selected key. Password authentication can be allowed for emergencies by activating the corresponding check box; leave it deactivated unless you really need it, because it exposes the firewall's root account to password guessing.
The Example, Inc., Configuration
Remote access to the firewall should be possible only from the Adminhost via SSH. To enable this, the firewall must have the public key of the administrator. To do this, select ‘Import key’ and choose either id_rsa.pub (SSH2) or identity.pub (SSH1). If required, both SSH versions can be supported. To be on the safe side, deactivate the fallback to password authentication by unchecking ‘SSH password’.

Page 2/2 Administration via SSH
At Example, Inc.
Figure 3.52: Specifying the NTP Time Server

Log File Analysis
Assuming you have activated the forwarding of log files to the Adminhost for all active firewall configurations, this module provides convenient access to all recorded accesses and to traffic statistics of the networks monitored. On the left-hand side of the window, see an overview of all active configurations whose log files have been transferred to the Adminhost. Click the directory of the configuration for which to view the log analysis.
SYSLOG Configuration: Name of the current configuration.
Description: A short description of the data recorded.
Available Statistics and Log Files: A table shows which files can be analyzed and what type of data they contain.

The information page provides a rough overview of the available data. By clicking the desired statistics on the left-hand side of the window, see the data either in graphic form or as a searchable list.
Evaluating the Log Files
Log files often become very large, depending on the type of data recorded and the duration of recording. With the search mask of the Log File Analyzer, restrict the data to analyze. Fill out the mask, then click ‘Show’ to display, in the lower part of the window, the data filtered according to the search criteria. Using ‘First Page’, ‘Previous Page’, ‘Next Page’, and ‘Last Page’, browse through the pages of the display.
Figure 3.53: IP Filter Statistics

Blocked Packet Report: A pie chart shows the proportion of blocked packets grouped by source IP address. The blocked packets are also shown in table form, sorted by the number of blocked packets per source.
Log Prefix Report: As with the ‘Blocked Packet Report’, the report is a pie chart showing the number of blocked packets for each log prefix (the string an iptables LOG rule attaches to its messages). The table is sorted by the number of packets blocked.
Domain Report: This report is similar to the ‘Organization Report’, but sorting is done according to domain extension, such as .com.
Packet Size Report: A table lists the sizes of blocked packets with their number and their percentage of the overall amount.
Interface Report: The number of packets arriving and the number blocked are displayed per interface name.
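The reports above are computed from the messages that the iptables LOG target writes via syslog. The following added example (not part of the manual or of FAS) parses a handful of such kernel log lines, constructed here to resemble the LOG format, and produces the blocked-packet, log-prefix, packet-size and interface tallies described above, plus a destination-port tally that is useful when reading scans. The prefixes FW-IN-DROP and FW-FWD-DROP, the host name, addresses and ports are assumptions.

```python
"""Tally iptables LOG messages the way the FAS IP filter reports do.

Added example, not FAS code.  The log lines below are constructed to look
like the output of the iptables LOG target as syslogd records it; the
prefixes, addresses and ports are invented for the example.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Mar  3 10:15:01 fw kernel: FW-IN-DROP IN=eth0 OUT= MAC=00:50:56:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=203.0.113.5 DST=80.80.80.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1001 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:02 fw kernel: FW-IN-DROP IN=eth0 OUT= MAC=00:50:56:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=203.0.113.5 DST=80.80.80.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1002 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:02 fw kernel: FW-IN-DROP IN=eth0 OUT= MAC=00:50:56:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=203.0.113.5 DST=80.80.80.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1003 DF PROTO=TCP SPT=40003 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:16:40 fw kernel: FW-IN-DROP IN=eth0 OUT= MAC=00:50:56:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=198.51.100.9 DST=80.80.80.2 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=7 PROTO=UDP SPT=53 DPT=1029 LEN=24
Mar  3 10:17:12 fw kernel: FW-FWD-DROP IN=ppp0 OUT=eth1 SRC=198.51.100.9 DST=192.168.10.7 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=8 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Mar  3 10:20:05 fw kernel: IN=eth0 OUT= MAC=00:50:56:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=192.0.2.77 DST=80.80.80.2 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=9 DF PROTO=TCP SPT=3333 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# everything between "kernel:" and the first "IN=" is the --log-prefix
LOG_RE = re.compile(r"kernel:\s*(?P<prefix>.*?)\s*IN=(?P<rest>.*)$")


def parse_line(line):
    """Return a dict of the KEY=value fields of one LOG message, or None.

    The first occurrence of a key wins: UDP and ICMP messages repeat LEN= and
    ID= for the transport header, and the reports need the IP header values.
    Bare flags (DF, SYN, ...) are collected under FLAGS."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {"PREFIX": m.group("prefix").strip() or "(none)", "FLAGS": []}
    for token in ("IN=" + m.group("rest")).split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields.setdefault(key, value)
        else:
            fields["FLAGS"].append(token)
    return fields


def parse_log(text):
    """Parse all LOG messages in a syslog excerpt, skipping other lines."""
    return [f for f in (parse_line(l) for l in text.splitlines()) if f]


def blocked_by_source(entries):
    """Blocked Packet Report: (source address, count), most frequent first."""
    return Counter(e.get("SRC", "?") for e in entries).most_common()


def blocked_by_prefix(entries):
    """Log Prefix Report: (prefix, count), most frequent first."""
    return Counter(e["PREFIX"] for e in entries).most_common()


def by_interface(entries):
    """Interface Report: packets seen per incoming interface."""
    return Counter(e.get("IN") or "-" for e in entries).most_common()


def packet_size_report(entries):
    """Packet Size Report: (size, count, percent of all packets), by size."""
    sizes = Counter(int(e["LEN"]) for e in entries if "LEN" in e)
    total = sum(sizes.values())
    return [(size, n, round(100.0 * n / total, 1))
            for size, n in sorted(sizes.items())]


def top_destination_ports(entries, limit=5):
    """((protocol, destination port), count) for the most targeted ports."""
    c = Counter((e["PROTO"], e["DPT"]) for e in entries if "DPT" in e)
    return c.most_common(limit)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("by source:   ", blocked_by_source(log))
    print("by prefix:   ", blocked_by_prefix(log))
    print("by interface:", by_interface(log))
    print("by size:     ", packet_size_report(log))
    print("top ports:   ", top_destination_ports(log))
```

Giving every LOG rule its own prefix is what makes the Log Prefix Report meaningful: a prefix that names the chain and the decision (input drop, forward drop) tells you at a glance which rule fired without re-reading the rule set.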
Figure 3.54: Interface Statistics

Certificate Management
Access the certificate management module in FAS with ‘Tools’ ➝ ‘Certificate Management’. Close certificate management with ‘Finish’ from the same menu. Here, the X.509 certificates with which IPsec peers authenticate each other can be generated, imported, and managed. In the main window, shown in Figure 3.55 on the following page, the already existing certificates are listed.
Figure 3.55: List of Certificates

You can have your certificates signed by an external certificate authority. You can also generate your own CA and sign your certificates yourself; this is sufficient for most purposes.

Creating a Certificate Authority
You can only run this dialog once. The CA is globally valid for all configurations generated on this Adminhost, and all certificates created are signed with it. Anyone who obtains the CA's private key and password can issue certificates that every VPN gateway configured from this Adminhost will accept, so protect the Adminhost and the CA password accordingly. Select ‘Certificate Management’ ➝ ‘Create CA’. A dialog appears, which you should fill out completely.
After you have made all necessary settings, confirm with ‘Ok’. If the creation of the Certificate Authority (CA) succeeds, a message to that effect appears. Confirm by clicking ‘Ok’.

Creating a Certificate
Now you can create certificates signed with your CA. Select ‘Certificate Management’ ➝ ‘Create Certificate’. A dialog window like Figure 3.56 on the next page appears, in which to enter the necessary details for the new certificate.
Figure 3.56: Dialog for Creating Certificates

Exporting Certificates
Select ‘Certificate Management’ ➝ ‘Export Certificate’. There are three formats in which a certificate can be exported: PEM, DER, and PKCS12. PEM and DER contain only the certificate itself; a PKCS12 file also contains the private key, so it should be protected by a password and transported as carefully as the key. To save the certificate in PEM or DER format, select the certificate to export, then select ‘Certificate Management’ ➝ ‘Export Certificate’. In the dialog that appears, choose the location to save to and enter a file name. Choose the format: DER or PEM.
Saving the Configuration
The configuration is saved on the hard disk under /var/lib/fas//configs//floppy/. No normal user on the Adminhost can read this configuration; only root has the permissions to do so. To create a floppy, insert one into the floppy drive, select the configuration to save, then select ‘Configuration’ ➝ ‘Write Floppy’. The floppy is now written.
online help. To leave the file editor, select ‘Finish’ from the menu; your modifications to the configuration files are saved when you do so.

Testing the Configuration
The configuration created with the administration program still needs to be tested before it is used. To do this, start the firewall without any connection to the Internet or intranet. Connect the firewall directly to the Adminhost with a crossover cable. Tests of the packet filter can be carried out simply with a port scanner.
It is very important to document the configuration, the tests conducted, and their results. Keep a record of what the configuration allows or denies and how this is guaranteed. Such documentation helps find and remedy configuration errors and is also required for auditing the firewall.

Monitoring the Firewall
A firewall without continual monitoring is only effective to a limited extent. A number of tools are available on the Adminhost for monitoring the firewall.
4 SuSE Live CD for Firewall

The Live CD for the SuSE Firewall on CD is the executable part of the firewall. It is a minimal SuSE Linux, designed with security criteria in mind. This affects both the programs available and the kernel itself. The SuSE Firewall on CD is an application level gateway: for security reasons, IP packets are not routed between the networks. Requests for services are instead handled by applications (proxies).

Hardware Requirements
Description
Services on the Firewall
Using proxies and not forwarding IP packets is not by itself enough to prevent undesired Internet IP packets from reaching the intranet or vice versa. This is the task of the kernel packet filter, configured with iptables(8). This is where the Live CD comes into play: the operating system and all the applications are located on a CD, that is, on a read-only file system. At boot time, a RAM disk is created for the running system, into which the Live CD is mounted. The original system can simply be restored by rebooting the machine.
Description
The SuSE Linux Live CD for Firewall is a live file system CD from which all the applications run directly. In theory, the firewall host could be operated without a hard disk. However, proxy services such as Squid or postfix require a hard disk for their cache and spool directories. A hard disk is also required if you want to save the syslogd log messages locally.

Services on the Firewall
pppoed: DSL support
fasfw: FAS net filter script
syslogd: daemon for system logging
iptables: packet filter
cron and logrotate: rotation of local log files

To complete the range of services offered on the firewall, the following software packages are also available on the Live CD, but use them at your own risk:

cipe: VPN tunnel software
pptpd: MS VPN tunnel server (point-to-point tunneling protocol daemon)
cron: daemon used to run commands on a set schedule, normally used for log rotation
iptables

Inserting Rules
A typical iptables filter rule is very simple in theory. It normally consists of four parts:

1. a basic operation with which the rule is inserted; typically this is /sbin/iptables -A, which appends the rule to a chain,
2. the chain into which the rule is inserted,
3. a description of the packets the rule applies to (the match criteria), and
4. a description of what should happen to a packet that matches (the target).

There is a range of options available for manipulating filter rules.
Figure 4.1: Course of a Packet with iptables

The nat table has the chains PREROUTING, OUTPUT, and POSTROUTING. Figure 4.1 attempts to illustrate the interplay of the nat and filter tables.

Note: Course of a packet
All packets pass through the nat and the filter table before they can reach a program on the host. Strictly speaking, only the first packet of a connection is examined by the nat table; the decision is recorded by connection tracking and applied to the following packets of that connection.

The program iptables has an implicit parameter -t filter, so by default the filter table is addressed. To address another table, specify it with the -t [table name] option.
Match criteria:
Protocol type: TCP, UDP, ICMP
Source port
Destination port
ICMP type
Source address
Destination address
Interface: eth0, ppp0, etc.
Inversion

Protocol type
Protocols may be specified by their numerical protocol number or, for the special cases TCP, UDP, and ICMP, by name. These names are not case-sensitive, so TCP is the same as tcp. A list of names with their corresponding numbers can be found in /etc/protocols.
ICMP
Because ICMP packets do not use port numbers, other selection criteria must be used. A list of possible parameters can be obtained with the command iptables -p icmp --help. Some frequently used types:

echo-reply: 0
destination-unreachable: 3
source-quench: 4
echo-request: 8
time-exceeded: 11
parameter-problem: 12

Source and destination address
Filtering on addresses alone is somewhat critical from a security point of view, because the source address of a packet is set by the sender and can be forged; the kernel packet filter has no way to verify it. Rules that grant access on the basis of a source address should therefore also match the interface on which that address may legitimately appear (for example, internal addresses only on the internal interface).
Subsequent Treatment of Packets (Targets)
ACCEPT: Pass the packet on to the next control point in the diagram.
DROP: Discard the packet without sending any message to the sender. This is a good target for packets from remote hosts that you do not want to accept, because it reveals nothing about the firewall.
LOG: Record the packet headers via syslog. LOG does not end the processing of the packet; the following rules are still evaluated, so a LOG rule is normally placed directly before the DROP or REJECT rule whose effect it should record.
REJECT: Discard the packet as with DROP, but normally send an “ICMP port unreachable” error message, so the sender does not have to wait for a time-out.
Figure 4.2: Comparing IPsec and SSL

With a VPN, the traffic between two networks can be encrypted, as well as the communication between single computers or subnetworks. It is no problem to connect masqueraded private subnetworks and networks with real Internet IP addresses, provided that the address ranges of the two networks do not overlap. If there are not enough real IP addresses available, masquerade the internal network with private IP addresses as defined in RFC 1918:

10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
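Two requirements stated on this page, that the networks joined by a tunnel must not overlap (see also the ‘Subnet’ setting of the VPN connection dialog) and that masqueraded networks use RFC 1918 space, are cheap to check before a configuration goes onto the floppy. The following added example (not from the manual) does that for a hub gateway and its remote networks with Python's ipaddress module. The Nuremberg and Frankfurt networks are the manual's; the overlapping third spoke and the partner network are assumptions for illustration.

```python
"""Sanity-check the subnets joined by VPN tunnels (added example, not FAS code)."""
import ipaddress

RFC1918 = tuple(ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def is_rfc1918(net):
    """True if the whole network lies inside one RFC 1918 block."""
    return any(net.subnet_of(block) for block in RFC1918)


def check_tunnel_plan(hub, spokes):
    """Return problems for a hub network and the remote networks it will reach.

    hub:    the gateway's own routed subnet, e.g. "192.168.10.0/24"
    spokes: {label: remote subnet} for every tunnel terminating on the hub

    Every pair of networks that meet on the hub must be disjoint; otherwise
    the hub cannot decide which tunnel (or its own LAN) a packet belongs to.
    Networks outside RFC 1918 are reported as warnings only, because public
    ranges may legitimately be tunnelled, as the text says."""
    problems = []
    nets = {}
    for label, text in [("hub", hub)] + list(spokes.items()):
        try:
            # strict=True rejects "192.168.10.5/24", a common typo for a network
            nets[label] = ipaddress.ip_network(text, strict=True)
        except ValueError as exc:
            problems.append("%s: %s" % (label, exc))
    labels = list(nets)
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append("%s %s overlaps %s %s" % (a, nets[a], b, nets[b]))
    for label in labels:
        if not is_rfc1918(nets[label]):
            problems.append("warning: %s %s is not an RFC 1918 range"
                            % (label, nets[label]))
    return problems


if __name__ == "__main__":
    plan = {"Frankfurt": "192.168.11.0/24", "Munich": "192.168.10.128/25"}
    for line in check_tunnel_plan("192.168.10.0/24", plan) or ["plan is consistent"]:
        print(line)
```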
A VPN does not protect against attacks from the Internet. It can prevent unauthorized access to data in transit, but denial of service attacks and Trojan horses are still possible. The risk increases if a host is connected to the VPN and to another network at the same time, because it can then act as a bridge between them. Therefore, the following two recommendations should be taken seriously: if the firewall host is also the VPN gateway, it needs to be monitored intensively; and no normal users should be able to log in to the firewall host.
Squid
Squid is an HTTP proxy that offers extensive configuration options. Clients' access to the web is controlled by means of ACLs (access control lists). The internal HTTP proxy Squid can be configured as either a transparent or a non-transparent proxy. In non-transparent mode, the protocols http, https, and ftp are supported. In transparent mode, only http is supported, since a transparently redirected https connection cannot be proxied without the client's cooperation. More detailed information about Squid can be found in Proxy Server: Squid on page 167.
SSH
OpenSSH enables use of a shell on a remote host over an encrypted connection.

chroot, compartment, Kernel Capabilities
To raise the security level on the firewall, the services on the Live CD run in a chroot environment. The program compartment is also used; it starts a service inside its chroot jail under its own user ID with privileges reduced as far as the service allows. Dropping capability bits in the kernel additionally limits what even root-owned processes may do, so a compromised service gains less.
The configuration floppy must be formatted with an ext2 file system and carry the label "SuSE-FWFloppy". Without this label, the configuration floppy is not recognized. The FAS (Firewall Administration System) on the Adminhost creates the file system and the label automatically. The configuration floppy is read while the Live CD boots.

Creating the Configuration Disk
The configuration floppy disk can be created on the Adminhost with FAS. Under ‘Configuration’, select ‘Create floppy disk’.
/etc/ipsec.d/: Contains certificates and configuration files.
/etc/named/: Contains the zone files of the name server.
/etc/named.conf: Contains the configuration of bind8.
/etc/named/master/: Contains the master zone files.
/etc/named/slave/: Contains the slave zone files.

If necessary, additional options can be passed to a kernel module, such as the IRQ or the I/O addresses of the hardware used. Lines beginning with ‘#’ are ignored.
/etc/rc.config: SuSE Linux central configuration file.
/etc/rc.config.d/: This directory contains files used when services are started, for example:
/etc/rc.config.d/i4l_hardware.rc.config: Configuration of the ISDN card.
/etc/rc.config.d/i4l_rc.config: Dialing parameters of the ISDN interface.
/etc/rinetd.conf: Configuration file for the generic proxy rinetd.
/etc/resolv.conf: Configuration file for the resolver library. Includes details of the name server and of the search list.
/etc/route.
/etc/squid.conf: Configuration file for the HTTP proxy Squid.
/etc/ssh/: Contains the configuration files for OpenSSH: ssh_config and sshd_config.
/etc/syslog.conf: Configuration of the syslog daemon. Read the man pages man 5 syslog.conf, man 8 syslogd, and man 3 syslog. The log host and the messages to forward to it are entered in this file.

Caution
No password may be specified for any existing user apart from root.
/opt: The contents of the /opt directory on the configuration floppy are copied to /opt of the running system. The user can store his own files in this directory.
/root/, /root/.ssh/, /root/.ssh/authorized_keys: This file contains the public key of the fwadmin user on the Adminhost. In the FAS, specify which keys to copy to /root/.ssh/authorized_keys. This enables the user fwadmin to log in on the firewall as root. Authentication is by public key; the corresponding private key on the Adminhost should be protected by a pass phrase, because anyone who obtains it can become root on the firewall.
5 IPsec Client on Windows XP and Windows 2000

You can configure the connection manually with the program ipseccmd.exe (Windows XP) or ipsecpol.exe (Windows 2000; see below for where to obtain it). These are command-line utilities and are cumbersome to use. You can also configure the connection with the MMC (Microsoft Management Console). However, it is recommended to use ipsec.exe for the configuration of the IPsec connection in Windows XP or Windows 2000, since this tool handles the bulk of the work.
to connect to Windows 2000. Service Pack 2 is available from http://www.microsoft.com/windows2000/downloads/servicepacks/sp2/sp2lang.asp. For Windows 2000, you also need ipsecpol.exe. Find it in the Resource Kit or at http://agent.microsoft.com/windows2000/techinfo/reskit/tools/existing/ipsecpol-o.asp.

Note
Normally, this program is installed to C:/ProgramFiles/ResourceKit. However, since it is a command-line program, copy it to a directory that is in the search path for executables.
Importing a Root Certificate
Select the certificate store ‘Trusted Root Certification Authorities’. Click ‘Next’, then ‘Finish’. If the import was successful, this is confirmed in a message box. Click ‘OK’.

Making a Note of Important Certificate Data
In the MMC, click ‘File’ ➝ ‘Save’. Save your configuration with the proposed name at the proposed location. In the MMC, open the ‘Personal Certificates’ folder, then the ‘Certificates’ subfolder. You will see the certificate for the client.
Editing ipsec.conf
Go to the directory C:\ProgramFiles\IPsec. Open the file ipsec.conf with an editor. Adjust the data following the syntax in File 6.

conn
    left=%any
    right=
    rightsubnet=
    rightca=
    network=auto
    auto=start
    pfs=yes

File 6: Syntax of File ipsec.conf

Find an example configuration in File 7.
Closing the Connection
To deactivate the IPsec filters and the tunnel, enter IPSEC.exe -delete. Create a desktop link for this command, if desired.
6 Implementing the Firewall

On the Adminhost, you created a configuration for the Live CD using FAS or manually created a configuration floppy. In this section, learn how to test this configuration and then start the firewall machine.

Requirements for Successful Implementation
Booting the Firewall Host
Testing the Firewall
Requirements for Successful Implementation
First, check whether your host boots with the configuration set up. Also check whether the selected services start and are available for use. Next, check whether the IP filter of the kernel is working as configured.

Booting the Firewall Host
1. Start the host, then open the BIOS setup program. Check the settings for the time and date. The clock needs to be set to GMT.
2. Configure the boot sequence so the host boots from the CD first and, if possible, only from the CD; otherwise someone with physical access could boot a different system from the hard disk or a floppy.
3.
Only when every single test has been completed successfully can you start the firewall. Document all tests conducted. First, connect a laptop or another computer to the firewall host to simulate an external network. Then close the connection to the internal network and establish a connection to the Internet. If possible, test your firewall from the outside. Check your setup.

Internal Testing
Check whether the services start and process requests properly.
External Testing
Test from outside whether the available services are working, for instance, whether e-mail can be sent to the internal network. In the postfix messages in /var/log/mail on the firewall host, you can see whether the e-mails were accepted and could be delivered to the internal mail server. Check whether the packet filter is working. This can be verified with a port scanner run against the firewall's external address; every port that is not deliberately offered should appear closed or filtered.
7 Help
In this chapter, find information about creating a setup concept for a firewall solution in your network using the SuSE Firewall on CD. Also find information about using the services of SuSE Linux AG to have a plan drawn up tailored to your specific needs.

Troubleshooting
Detecting Attacks
Recommended Reading
Troubleshooting
Find help here if the Adminhost cannot be installed or if the Live CD does not boot.

Problems Installing the Adminhost
If you have trouble installing the Adminhost, SuSE Linux Installation Support is available free of charge. First, check the support database. There, find a wealth of information about a variety of installation problems. A keyword search helps find relevant information. The support database is available at http://sdb.suse.de.
Test, using ps, whether the process is running and whether it can be accessed. If services are not accessible, check your log files. Look for messages about why a particular service was not started or whether an unauthorized party has been attempting to make use of the service. Test from several clients whether the firewall host is accessible and whether the proxies are responding.
Recognizing an Intrusion
First, understand which actions are defined as intrusions. Unfortunately, it is normal these days that a host connected to the Internet will be scanned for open and vulnerable ports. It is just as common that ports recognized as vulnerable (such as POP3, qpopper, rpc-mountd, smtp, or sendmail) are attacked. Most of these attacks are carried out by “script kiddies”. Prefabricated “exploits” published on relevant web sites (e.g., http://www.rootshell.com) are used.
Draw up a process table when setting up the firewall that can later serve as a basis for comparison. List all running processes with ps and search for processes that do not typically occur in normal firewall operation. Check the running processes for links to unusual TCP or UDP ports. See whether the packet filter rules were changed. Compare all configuration files with the original configuration.
External Attacks
Inform the system administrator responsible for the address block (via postmaster or the domain’s abuse address). The report of an incident or attack should contain enough information to ensure that the other party can investigate the problem. However, consider that your contact person could be the one who has carried out the attack. Here is a list of possible information to provide.
Examples: Examine the log files for messages of the IP filter. Log in to the console. Search for certain unusual IP addresses (frequently occurring rejections of packets that correspond to IP addresses on one or more port numbers). Find out exactly what happened. Using FAS, examine the log files according to definable criteria. Sometimes, it is unclear what to look for until you find it.
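The log search described above, carried out by an added Python script that is not part of the SuSE manual: it counts rejected packets per source address and the ports each source touched. It assumes the kernel writes packet filter messages in the netfilter LOG format (KEY=VALUE fields); the "SuSE-FW-DROP-DEFAULT" prefix, the addresses and the sample lines are constructed, not captured traffic.

```python
"""Summarise packet filter rejections per source address, as a starting point
for the log search described above.

Added example, not part of the SuSE manual.  It assumes the kernel writes
packet filter messages in the netfilter LOG format (KEY=VALUE fields such as
SRC=, DST=, PROTO=, DPT=); the "SuSE-FW-DROP-DEFAULT" prefix and the sample
lines below are constructed for illustration, not captured traffic.
"""
import re
from collections import Counter, defaultdict

# Constructed sample from /var/log/messages: one host probing five ports, one
# single rejected SMTP connection, one rejected ping and one unrelated line.
SAMPLE_LOG = """\
Mar  3 10:01:12 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=4021 DPT=111 SYN
Mar  3 10:01:13 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=4022 DPT=110 SYN
Mar  3 10:01:13 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=4023 DPT=25 SYN
Mar  3 10:01:14 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=4024 DPT=21 SYN
Mar  3 10:01:14 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=4025 DPT=22 SYN
Mar  3 10:02:00 fw sshd[812]: Accepted publickey for fwadmin from 10.0.0.5 port 40122 ssh2
Mar  3 10:03:41 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=48 PROTO=TCP SPT=51000 DPT=25 SYN
Mar  3 10:04:07 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.2 LEN=84 PROTO=ICMP TYPE=8 CODE=0
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields of a packet filter message as a dict, or
    None for lines that are not kernel filter messages (no SRC= field)."""
    if "kernel:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    return fields if "SRC" in fields else None


def summarize(log_text, threshold=3):
    """Count rejected packets per source and the distinct (protocol, port)
    pairs each source touched.  A source is listed as suspicious when it
    caused at least `threshold` rejections or probed at least `threshold`
    different ports; the threshold is a constructed starting value."""
    per_source = Counter()
    ports = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        src = fields["SRC"]
        per_source[src] += 1
        if "DPT" in fields:
            ports[src].add((fields.get("PROTO", "?"), int(fields["DPT"])))
    suspicious = sorted(
        src for src, count in per_source.items()
        if count >= threshold or len(ports.get(src, ())) >= threshold)
    return {"per_source": per_source, "ports": dict(ports),
            "suspicious": suspicious}


def report(summary):
    """Human-readable lines, most active source first."""
    lines = []
    for src, count in summary["per_source"].most_common():
        probed = sorted(summary["ports"].get(src, ()), key=lambda p: p[1])
        flag = " <-- examine" if src in summary["suspicious"] else ""
        lines.append(f"{src:<16} {count:>4} rejected  ports: "
                     + ", ".join(f"{proto}/{port}" for proto, port in probed)
                     + flag)
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

Run against the real /var/log/messages by reading the file into summarize(); the prefix string and the field names must match what the firewall's own log rules emit.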
Recommended Reading
D. Brent Chapman & Elizabeth D. Zwicky: Building Internet Firewalls, 2nd edition, O’Reilly 2000.
Maximum Linux Security, SAMS 1999.
Robert L. Ziegler: Linux Firewalls, New Riders 1999.
8 Maintenance
With SuSE Maintenance, always have the most up-to-date patches and security fixes for your SuSE Linux Business product available. For your system to remain up-to-date, you need to check regularly for new patches on the SuSE Maintenance Web. Your purchase of SuSE Firewall on CD includes protected access to the SuSE Maintenance Web for twelve months after the date of registration.

Accessing the SuSE Maintenance Web
Register your product online at http://support.suse.de/en/register/.
Patches for the Admin CD
There are two possibilities here:

Via the SuSE Maintenance Web
Log in to the SuSE Maintenance Web and download patches individually (see the above URL). Under ‘Products’, select the SuSE Firewall on CD—Adminhost or, if you have installed the VPN module, Adminhost with VPN, then choose the needed patches. Detailed documentation is available for each patch.
As soon as a new ISO file appears for the Live CD, you will be sent a new Live CD, regardless of whether you have already downloaded the file. If several ISO files appear within a short period of time, for example, because several different security holes have been discovered at short intervals, you will be sent the most recent Live CD to appear. Because it takes a number of days to produce and send the CD, it would not make sense to send several no longer up-to-date CDs.
speed sets the speed of the burning process
-eject ejects the CD after burning is completed
Find more options in the man page for cdrecord (man cdrecord).

Support and Services

Support Conditions

Scope of Installation Support
The installation support can assist with installing your SuSE Linux system. This also applies to the central system components that allow for fundamental operation. It includes:
Installation of the SuSE Linux base system on a host from the “Admin CD for Firewall”.
Processing: SuSE Linux AG — Support — Deutschherrnstr. 15-19, D-90429 Nürnberg, weekdays

Commercial Support
Even if an operating system comes with all the necessary facilities, it will only be a viable alternative for use in the corporate environment in combination with professional and qualified support services. SuSE guarantees this kind of service for Linux. All information about this can be found at the central support portal for SuSE Linux: http://www.suse.
D-90429 Nürnberg Tel: +49-911-740-53-0 Fax: +49-911-740-53-479 E-mail: suse@suse.
Feedback
SuSE makes every effort to construct a Linux system that meets the wishes of our customers as closely as possible. We therefore appreciate any criticism of our CD or of this book as well as suggestions for future projects. We think this is the best way to correct errors and to maintain the high quality standards of SuSE Linux. Send feedback any time through our web site: www.suse.de/feedback.
suse-security@suse.com — Discussion of security issues in SuSE Linux
suse-security-announce@suse.com — Announcement of security-related errors and updates
suse-sparc@suse.com — SuSE Linux on Sparc processors

To subscribe to a list, send an e-mail message to <LISTNAME>-subscribe@suse.com. An automatic response will be sent back that you will need to confirm. For <LISTNAME>, substitute the name of the mailing list to which to subscribe, for example, suse-announce-subscribe@suse.
A DNS (Domain Name Service) is needed to resolve domain and host names into IP addresses. This chapter describes how to configure the name server BIND9. It includes information about the configuration file named.conf.

Starting the Name Server BIND
The Configuration File /etc/named.conf
For More Information
Starting the Name Server BIND
The name server BIND is already preconfigured in SuSE Linux, so you can easily start it right after installing the distribution. If you already have a functioning Internet connection and have entered 127.0.0.1 as name server for the local host in /etc/resolv.conf, you should normally already have a working name resolution without having to know the DNS of the provider. BIND carries out the name resolution via the root name servers, a notably slower process.
File 8: Forwarding Options in named.conf

Adjust the IP addresses to your personal environment. After options follow the zone entries for “localhost”, “0.0.127.in-addr.arpa”, and “.”. At least the entry of “type hint” should exist. Their corresponding files never have to be modified, as they function in their present state. Also, be sure that a “;” follows each entry and that the curly braces are properly set. If you have made changes to the configuration file /etc/named.
    };
    zone "0.0.127.in-addr.arpa" in {
        type master;
        file "127.0.0.zone";
    };
    zone "." in {
        type hint;
        file "root.hint";
    };

File 9: A Basic /etc/named.conf

This example works for both BIND8 and BIND9, because no special options are used that are only understood by one version or the other. BIND9 accepts all BIND8 configurations and makes note of options not implemented at start-up. Special BIND9 options are, however, not supported by BIND8.
allow-transfer { ! *; };
This option controls which hosts can request zone transfers. This example cuts them off completely because of the ! *. Without this entry, zone transfers can be requested from anywhere without restrictions.

statistics-interval 0;
In the absence of this entry, BIND8 generates several lines of statistical information in /var/log/messages. Specifying 0 suppresses these completely. Otherwise, the interval in minutes can be given here.
Zone Entry Structure

    zone "my-domain.de" in {
        type master;
        file "my-domain.zone";
        notify no;
    };

File 11: Zone Entry for my-domain.de

After zone, the name of the domain to administer is specified, my-domain.de, followed by in and a block of relevant options enclosed in curly braces, as shown in File 11. To define a “slave zone”, the type is simply switched to slave and a name server is specified that administers this zone as master (but can also be a “slave”), as shown in File 12.

    zone "other-domain.
allow-update { ! *; };
This option controls external write access, which would allow clients to make a DNS entry — something that is normally not desirable for security reasons. Without this entry, zone updates are not allowed at all. Note that with the above sample entry, the same is achieved, because ! * effectively bars any client from such access.
Line 1: $TTL defines the standard TTL that applies to all the entries in this file, here 2 days. TTL means “time to live”.
Line 2: The SOA control record begins here: The name of the domain to administer is world.cosmos in the first position. This ends with a ‘.’, because otherwise the zone would be appended a second time. Alternatively, a ‘@’ can be entered here. Then, the zone would be extracted from the corresponding entry in /etc/named.conf.
Line 10: The MX record specifies the mail server that accepts, processes, and forwards e-mails for the domain world.cosmos. In this example, this is the host sun.world.cosmos. The number in front of the host name is the preference value. If there are multiple MX entries, the mail server with the smallest value is taken first and, if mail delivery to this server fails, an attempt will be made with the next higher value.
Line 1: $TTL defines the standard TTL that applies to all entries here.
Line 2: Reverse lookup should be activated with this file for the network 192.168.1.0. Since the zone is called “1.168.192.in-addr.arpa” here, it is, of course, undesirable to add this to the host name. Therefore, these are all entered complete with domain and ending with “.”. The rest corresponds to the previous example described for world.cosmos.
Line 3–7: See the previous example for world.cosmos.
B Proxy Server: Squid
The following chapter describes how caching web sites assisted by a proxy server works and what the advantages of using Squid are. The most popular proxy cache for Linux and UNIX platforms is Squid.
What is a Proxy Cache?
Squid acts as a proxy cache. It behaves like an agent that receives requests from clients, in this case web browsers, and passes them on to the server specified in the request. When the requested objects arrive at the agent, it stores a copy in a disk cache. Benefits arise when different clients request the same objects: these are served directly from the disk cache, much faster than obtaining them from the Internet, and, at the same time, saving overall bandwidth for the system.
Multiple Caches
Choosing the appropriate topology for the cache hierarchy is very important, because it should not increase the overall traffic on the network. For example, in a very large network, it is possible to configure a proxy server for every subnetwork and connect it to a parent proxy, connected in its turn to the proxy cache from the ISP.
The question remains as to how long all the other objects stored in the cache should stay there. To determine this, all objects in the cache are assigned one of three different states:
1. FRESH: When this object is requested, it is sent without comparing it to the original object on the web to see if it has changed.
2. NORMAL: The original server is queried to see if the object has changed. If it changed, the cache copy is updated.
3.
requests per second = 1000 / seek time

requests per second = 1000 / (seek time / number of disks) = 1000 / (12 / 3) = 250 requests per second

When choosing between IDE and SCSI disks, SCSI is preferable. Newer IDE disks, however, have similar seek times to SCSI and, together with DMA-compatible IDE controllers, increase the speed of data transfer without considerably increasing the system load.
time of a hard disk, about 10 milliseconds, with the 10 nanoseconds access time of the newer RAM memories) Every object in RAM memory has a size of 72 bytes (for “small” pointer architectures like Intel, Sparc, or MIPS. For Alpha, it is 104 bytes). If the average size of an object on the Internet is about 8 KB and we have 1 GB disk for the cache, we will be storing about 130,000 objects, resulting in close to 10 MB RAM only for meta data.
If you have made changes in the configuration file /etc/squid.conf, instruct Squid to load the changed file. Do this by entering rcsquid reload or restart Squid with rcsquid restart. Also, the command rcsquid status is important. With it, determine whether the proxy is running. With rcsquid stop, halt Squid. The latter can take a while, since Squid waits up to half a minute (shutdown_lifetime) before dropping the connections to the clients and then writes its data to the disk.
If you have updated an earlier Squid version, it is recommended to edit the new /etc/squid.conf and only apply the changes made in the previous file. If you try to use the old squid.conf again, you run the risk that the configuration will no longer function, because options are always being modified and new ones added.

General Configuration Options
http_port 3128
This is the port where Squid listens for client requests. The default port is 3128, but 8080 is also common.
These three entries specify the paths where Squid logs all of its actions.

cache_store_log /var/squid/logs/store.log
Path for log messages.

emulate_httpd_log off
If the entry is set to on, obtain readable log files. Some evaluation programs cannot interpret this, however.

client_netmask 255.255.255.255
With this entry, mask the logged IP addresses in the log files to hide the clients’ identity. The last octet of the IP address is set to zero if you enter 255.255.255.0 here.
Squid makes a note of the failed requests and then refuses to issue new ones, even though the Internet connection has been reestablished. In a case such as this, change the minutes to seconds; then, after clicking on Reload in the browser, the dial-up process should be reengaged after a few seconds.

never_direct allow
To prevent Squid from taking requests directly from the Internet, use this command to force connection to another proxy. You need to have previously entered this in cache_peer.
    http_access allow localhost
    http_access deny all

Another example, where the previously defined ACLs are used: the group teachers always has access to the Internet, while the group students only gets access Monday to Friday during lunch time.

    http_access deny localhost
    http_access allow teachers
    http_access allow students lunch time
    http_access deny all

... should always be http_access deny all.
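The rule evaluation behind the two listings above, as an added Python model that is not part of the SuSE manual or of Squid: rules are read top to bottom, the first line whose ACLs all match decides, and when no line matches Squid applies the opposite of the last line's action, which is why the list must end with deny all. Only the src and time ACL types are modelled, and the ACL names, networks and time range in the sample configuration are constructed.

```python
"""Evaluate Squid http_access lines the way Squid does: top to bottom, the
first line whose ACLs all match decides.  Added example, not part of the SuSE
manual or of Squid: only the src and time ACL types used above are supported,
and the ACL networks and times in the sample configuration are constructed."""
import ipaddress
from datetime import datetime

WEEKDAY_LETTERS = "MTWHFAS"   # Squid's day letters, Monday to Sunday

SAMPLE_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl teachers src 192.168.1.0/255.255.255.0
acl students src 192.168.7.0/255.255.255.0
acl lunch time MTWHF 12:00-15:00

http_access deny localhost
http_access allow teachers
http_access allow students lunch
http_access deny all
"""

# Constructed variant without the closing deny all: the list ends with a deny
# of one group, so Squid's default for unmatched requests flips to allow.
NO_DENY_ALL_CONF = SAMPLE_CONF.replace("http_access deny all",
                                       "http_access deny students")


def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def parse_conf(text):
    """Return (acls, rules): acls maps name -> (type, value), rules is the
    ordered list of (action, [acl names]) from the http_access lines."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            name, kind, args = words[1], words[2], words[3:]
            if kind == "src":
                acls[name] = (kind, [ipaddress.ip_network(a, strict=False)
                                     for a in args])
            elif kind == "time":          # [days] [hh:mm-hh:mm]
                days, span = WEEKDAY_LETTERS, None
                for arg in args:
                    if ":" in arg:
                        start, end = arg.split("-")
                        span = (_minutes(start), _minutes(end))
                    else:
                        days = arg
                acls[name] = (kind, (days, span))
            else:
                raise ValueError("unsupported acl type " + kind)
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acls, name, client_ip, when):
    """Does the ACL `name` (with optional leading '!') match the request?"""
    negated = name.startswith("!")
    kind, value = acls[name.lstrip("!")]
    if kind == "src":
        hit = any(ipaddress.ip_address(client_ip) in net for net in value)
    else:
        days, span = value
        now = when.hour * 60 + when.minute
        hit = WEEKDAY_LETTERS[when.weekday()] in days and (
            span is None or span[0] <= now < span[1])
    return hit != negated


def decide(acls, rules, client_ip, when):
    """'allow' or 'deny' for a request from client_ip at datetime `when`."""
    for action, names in rules:
        if names and all(acl_matches(acls, n, client_ip, when) for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action,
    # which is why the text says the list should end with deny all.
    return "deny" if rules and rules[-1][0] == "allow" else "allow"


def decisions(conf_text, requests):
    """Decide a list of (client_ip, 'YYYY-MM-DD HH:MM') requests for a config."""
    acls, rules = parse_conf(conf_text)
    return [decide(acls, rules, ip, datetime.strptime(ts, "%Y-%m-%d %H:%M"))
            for ip, ts in requests]


if __name__ == "__main__":
    # 2002-03-05 is a Tuesday; the addresses are from the constructed ACLs.
    for ip in ("192.168.1.10", "192.168.7.20", "10.0.0.5"):
        print(ip, decisions(SAMPLE_CONF, [(ip, "2002-03-05 12:30")])[0])
```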
ident_lookup_access allow <acl_name>
With this, you will have an ident request run through for all ACL-defined clients to find out each user’s identity. If you apply all to the <acl_name>, this will be valid for all clients. Also, an ident daemon must be running on all clients. For Linux, install the pidentd package for this purpose. For Windows, there is free software available to download from the Internet.
First, make sure that the proxy server’s kernel has support for transparent proxies. Otherwise, add this option to the kernel and compile it again.

Kernel Configuration
In the entry corresponding to Networking Options, select ‘Network Firewalls’, then the options ‘IP: firewalling’ and ‘IP: Transparent proxying’. Now, save the new configuration, compile the new kernel, install it, reconfigure LILO if necessary, and restart the system.

Configuration Options in /etc/squid.conf
SquidGuard is a free (GPL), flexible, and ultra fast filter, redirector, and “access controller plugin” for Squid. It lets you define multiple access rules with different restrictions for different user groups on a Squid cache. SquidGuard uses Squid’s standard redirector interface. SquidGuard can be used for the following:
limit the web access for some users to a list of accepted or well known web servers or URLs.
block access to some listed or blacklisted web servers or URLs for some users.
redirect_program /usr/bin/squidGuard
There is another option called redirect_children that configures how many different “redirect” (in this case SquidGuard) processes are running on the machine. SquidGuard is fast enough to cope with lots of requests (SquidGuard is quite fast: 100,000 requests within 10 seconds on a 500MHz Pentium with 5900 domains, 7880 URLs, 13780 in sum).
Another powerful cache report generator tool is SARG (Squid Analysis Report Generator), included in series n. Further information on this can be found on the relevant Internet pages at http://web.onda.com.br/orso/

More Information on Squid
Visit the home page of Squid: http://www.squid-cache.org/. Here, find the Squid User Guide and a very extensive collection of FAQs on Squid. The Mini-Howto regarding transparent proxies is in the package howtoen, under /usr/share/doc/howto/en/mini/TransparentProxy.
C Network Security
This chapter provides detailed information about several aspects of network security. It begins with information about masquerading. SSH is a protocol for remote logins over an encrypted connection. The last section provides more detailed information about general security issues.

Masquerading and Firewalls
SSH — Secure Shell, the Safe Alternative
Security and Confidentiality
Masquerading and Firewalls
Owing to its outstanding network capabilities, Linux is becoming more widespread as a router operating system for dial-up or dedicated lines. “Router,” in this case, refers to a host which has more than one network interface and transmits any packets not destined for one of its own network interfaces to another host communicating with it. This router is often called a gateway.
Note
As soon as one of the hosts sends a packet destined for an Internet address, this packet is sent to the network’s default router. The router needs to be configured to actually forward such packets. SuSE Linux does not enable this with a default installation for security reasons. Set the variable IP_FORWARD, defined in the file /etc/rc.config, to IP_FORWARD=yes.
For such a connection, there would be no entry in the table, because the entry itself is only created if an internal host opens a connection with the outside. In addition, any established connection is assigned a status entry in the table and this entry cannot be used by another connection. A second connection would require another status record.
... allowed through. This gateway or proxy pretends to be the actual client of the server. In a sense, such a proxy could be considered a masquerading host on the protocol level used by the application. One example for such a proxy is Squid, an HTTP proxy server. To use Squid, the browser needs to be configured to communicate via the proxy, so that any HTTP pages requested would be served from the proxy cache rather than directly from the Internet.

SuSEfirewall
For a firewall without masquerading, only set this to yes if you want to allow access to the internal network. Your internal hosts need to use officially registered IPs in this case. Normally, however, you should not allow access to your internal network from the outside.

FW_MASQUERADE (masquerading): Set this to yes if you need the masquerading function. Note that it is more secure to have a proxy server between the hosts of the internal network and the Internet.
FW_SERVICES_TRUSTED_TCP (firewall): Here, specify the port addresses which may be used by the “trusted hosts”. For example, to grant them access to all services, enter 1:65535. Usually, it is sufficient to enter ssh as the only service.

FW_SERVICES_TRUSTED_UDP (firewall): Just like above, but for UDP ports.

For example: "172.20.0.0/16 172.30.4.2" means that all hosts which have an IP address beginning with 172.20.x.x, along with the host with the IP address 172.30.4.
SSH — Secure Shell, the Safe Alternative
As networks keep growing, accessing a remote system also becomes more common. Regardless of the activity, the person accessing the system must be authenticated. Most users should know by now that the user name and password are only intended for individual use. Strict confidence pertaining to personal data is usually guaranteed between the employer, computer center, or service provider.
    newbie@earth:~ > ssh sun "uptime; mkdir tmp"
    newbie@sun’s password:
    1:21pm up 2:17, 9 users, load average:

Following successful authentication, work from the command line there or use interactive applications. If the local user name is different from the remote user name, log in using a different login name with ssh -l augustine sun or ssh augustine@sun. Furthermore, ssh offers the option of running commands on another system, as does rsh.
The SSH Daemon (sshd) — Server-Side
To work with the SSH client programs ssh and scp, a server, the SSH daemon, has to be running in the background. This waits for its connections on TCP/IP port 22. The daemon generates three key pairs when starting for the first time. The key pairs consist of a private and a public key. Therefore, this procedure is referred to as public key–based. To guarantee the security of the communication via SSH, only the system administrator can see the private key files.
SSH Authentication Mechanisms
Now the actual authentication will take place, which, in its simplest form, consists of entering a password as mentioned above. The goal of SSH was to introduce a secure software that is also easy to use. As it is meant to replace rsh and rlogin programs, SSH must also be able to provide an authentication method good for daily use. SSH accomplishes this by way of another key pair generated by the user. The SSH package also provides a help program, ssh-keygen, for this.
ssh-agent, which retains the private keys for the duration of an X session. The entire X session will be started as a child process of ssh-agent. The easiest way to do this is to set the variable usessh at the beginning of the .xsession file to yes and log in via a display manager such as KDM or XDM. Alternatively, enter ssh-agent startx. Now you can use ssh or scp as usual. If you have distributed your public key as described above, you are no longer prompted for your password.
... users in an existing SSH connection. The SMTP and POP3 host must be set to localhost for this.

Additional information can be found in the manual pages for each of the programs described above and also in the files under /usr/share/doc/packages/openssh.

Security and Confidentiality

Basic Considerations
using a network link

In all these cases, a user should be authenticated before accessing the resources or data in question. A web server might be less restrictive in this respect, but you still would not want it to disclose all your personal data to any surfer out there. On a SuSE system, a few tweaks are sufficient to make it boot right into your desktop without even asking for a password, but, in most cases, that would not be such a good idea, as anybody could change data or run programs.
Networks make it easier for us to access data remotely, but they do this with the help of network protocols which are often rather complex. This might seem paradoxical at first, but is really indispensable if you want to remotely control a computer or to retrieve data from it no matter where you are. It is necessary to have abstract, modular designs with layers that are more or less separate from each other. We rely on such modular designs in many daily computing situations.
This is a general rule to be observed, but it is especially true for the user root who holds the supreme power on the system. User root can take on the identity of any other local user without being prompted for the password and read any locally stored file. For an attacker who has obtained access to local resources from the command line, there is certainly no shortage of things that could be done to compromise the system.
The Boot Procedure
Configure your system so it cannot be booted from a floppy or from CD, either by removing the drives entirely or by setting a BIOS password and configuring the BIOS to allow booting from a hard disk only. Normally, a Linux system will be started by a boot loader, allowing you to pass additional options to the booted kernel. This is crucial to your system’s security.
directory. The purpose of these files is to define special permissions, such as world-writable directories or, for files, the set user ID bit, which means the corresponding program will not run with the permissions of the user that has launched it, but with the permissions of the file owner, root in most cases. An administrator may use the file /etc/permissions.local to add his own settings. The variable PERMISSION_SECURITY, set in /etc/rc.
“Format string bugs” work in a slightly different way, but again it is the user input which could lead the program astray. In most cases, these programming errors are exploited with programs executed with special permissions — setuid and setgid programs — which also means that you can protect your data and your system from such bugs by removing the corresponding execution privileges from programs. Again, the best way is to apply a policy of using the lowest possible privileges (see Section C on page 199).
Network Security
Local security is concerned with keeping different users on one system apart from each other, especially from root. Network security, on the other hand, means that the system needs to be protected from an attack originating in the network. The typical login procedure requiring a user name and a password for user authentication is a local security issue. However, in the particular case of logging in over a network, we need to differentiate between both security aspects.
Apart from that, ssh (secure shell) can be used to completely encrypt a network connection and forward it to an X server transparently without the encryption mechanism being perceived by the user. This is also called X forwarding. X forwarding is achieved by simulating an X server on the server side and setting a DISPLAY variable for the shell on the remote host.
posted on the security mailing lists. They can be used to target the vulnerability without knowing the details of the code. Over the years, experience has shown that the availability of exploit codes has contributed to more secure operating systems, obviously due to the fact that operating system makers were forced to fix the problems in their software.
Many of the attacks mentioned are carried out in combination with a DoS. If an attacker sees an opportunity to abruptly bring down a certain host, even if only for a short time, it will make it easier for him to push the active attack, because the host will not be able to interfere with the attack for some time.

DNS Poisoning

Finally, we want to mention “spoofing”, an attack where packets are modified to contain counterfeit source data, mostly the IP address.
A very good way to protect your systems against problems of all kinds is to get and install the updated packages recommended by security announcements as quickly as possible. SuSE security announcements are published on a mailing list to which you can subscribe by following the link http://www.suse.de/security. The list suse-security-announce@suse.de is a first-hand source of information regarding updated packages and includes members of SuSE’s security team among its active contributors.
Compare the netstat results with those of a thorough port scan done from outside your host. An excellent program for this job is nmap, which not only checks out the ports of your machine, but also draws some conclusions as to which services are waiting behind them. However, port scanning may be interpreted as an aggressive act, so do not do this on a host without the explicit approval of the administrator.
the end, only you can know which entries are unusual and which are not. Use tcp_wrappers to restrict access to the individual services running on your machine, so you have explicit control over which IP addresses can connect to a service. For more information regarding tcp_wrappers, consult the man pages for tcpd and hosts_access. Design your security measures to be redundant: a message seen twice is much better than no message at all.
D YaST 2 Copyright (c) 1995 - 2001 SuSE GmbH, Nuernberg (Germany) YaST 2 Copyright (c) 2002 SuSE Linux AG, Nuernberg (Germany) The object of this licence is the YaST2 (Yet another Setup Tool 2) program, the name YaST, together with SuSE Linux, the Linux Distribution of SuSE Linux AG, all programme derived from YaST2 and all works or names derived in full or in part thereof together with the use, application, archiving, reproduction and passing on of YaST2, all programs derived from YaST2 and all works deri
programmes are observed. The use of YaST2, even if a modified version is used, does not exempt in particular the Licensee from the duty to take due care with regard to the licence terms of the packages or programmes installed through YaST2 or works based on it. 2. Processing All programmes derived from YaST2 and all works derived from it in full or parts thereof are to be filled on the opening screen with the clear information Modified Version.
4. Guarantee No guarantee whatsoever is given for YaST2 or for works derived from it and SuSE Linux. The SuSE Linux AG guarantee only covers fault-free data carriers. SuSE Linux AG will provide YaST2 and SuSE Linux “as it is” without any guarantee whatever that it is fit for a specific purpose or use. In particular SuSE is not liable for lost profit, savings not made, or damages from the claims lodged by third parties against the Licensee.
E GNU General Public License Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA Copyright (C) 1989, 1991 Free Software Foundation, Inc. 675 Mass Ave, Cambridge, MA 02139, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Foreword The licenses for most software are designed to take away your freedom to share and change it.
the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have.
1. You may copy and distribute verbatim copies of the Program’s source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.
whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License.
only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.
No Warranty 11. Because the program is licensed free of charge, there is no warranty for the program, to the extent permitted by applicable law. Except when otherwise stated in writing the copyright holders and/or other parties provide the program “as is” without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The entire risk as to the quality and performance of the program is with you.
published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc.
Index

A
ACLs: arranging 77; defining 75
Adminhost 6, 10, 15–32: FAS 33; installing 16–22; troubleshooting 142
administering: SSH 97; tools

(configuration files, continued): ntp.conf; pam.d; permissions; permissions.local 127; postfix; ppp; proxy-suite; rc.config 23, 128, 173, 185; rc.config.d

(HTTP, continued): proxy filters 78
httpf 124
monitoring 111: need for 16

I
ifconfig 142
implementing: requirements 138
installing: Adminhost

R
root: password 20
routing: masquerading 184
RPM: security 207

S
scripts: cipe 126; init.d 29, 129 (inetd 29; network 29; nfsserver)

U
upgrading: VPN 31
users: fwadmin 34

V
VPN 31

X
xntpd

Y
YaST2 (pages 84, 88): configuration; masquerading; NAT

W
web service: proxies