
How to secure your intra-network from external attacks when connected to the Internet


In this article I will talk about securing an intra-network from external attacks. The intra-network could be a group of PCs connected to a switch, with the switch in turn connected to an Internet broadband modem. The required security could be implemented in two ways. The first is to secure every PC: load a desktop firewall on each, install anti-virus software with the latest updates, and keep the OS patched. However, we cannot do much about the end users. Many times we are faced with users who have very little knowledge about computer networks in general, and these users will invariably load software onto their machines that compromises their security. One solution is to take the administration rights away from them and let them use the machine with user rights only, so that they cannot damage their system. However, this setup requires configuring each and every machine on the network, and no user likes to be dictated how they should use their machine; after all, they own it.

So what is the way out? Think of securing the perimeter. This way we need not secure each individual PC, and the users are at liberty to do whatever they like with their machine, since they remain its administrators. Because there is only one gateway into the intra-network, the Ethernet connection coming from the broadband router, we can pass it through a network firewall. The resulting setup is: Ethernet data from the broadband router goes to the WAN port of the network firewall, and the intra-network is connected to the LAN port of the network firewall.

Fine, now that we have decided to place a network firewall, let us see what is available in the market. Throw enough money at it and you can pick up the best Juniper or similar firewall. But do we really need such a high-end network firewall? The answer is no: one can easily do a much better job with a Linux-based network firewall. Did someone say Linux? The first response one gets is "anything but Linux" or "I have never used Linux". This article is specifically targeted at network administrators who have no experience with Linux whatsoever. We will build a network firewall, and much more, from scratch in a matter of minutes.

To start with, get hold of an old PC with two LAN cards, at least 256MB of RAM and 2GB of hard-disk space. Keyboard, mouse and monitor are required only during the installation process.

Download the latest version of the pfSense (network firewall) ISO image from http://pfsense.com/download/mirror.php?section=downloads . Create an installation disk by burning the image file to a CD/DVD using any CD/DVD writing software.


Insert the disk into the CD drive and you will be offered the following prompt.

Press Enter.

Enter I to install.

Accept the settings.

Go to Quick/Easy Install.

If you are installing to a PC, which would generally be the case, select the Symmetric multiprocessing kernel.

After the reboot, the default username is admin and the password is pfsense.

Press F1 to start.

Select n.

Enter the name of the Ethernet interface connected to the WAN; this could be eth0/eth1 in your case. For this article I have installed pfSense in VirtualBox, where the interfaces have been identified by the system as em0 and em1.

Select y if the interface selection is correct.

Select option 2 to set the interface IPs.

Select y to configure the WAN via DHCP.

I have selected IP address 192.168.2.1 for the LAN.

Enable the DHCP server for the LAN.

I have selected the DHCP range 192.168.2.100 to 200.

Note the URL http://192.168.2.1 for web configuration.


Now open your web browser and go to the IP address of the LAN port of pfSense. In our example it is http://192.168.2.1

Enable Secure Shell so that the firewall can also be configured by logging in to the machine remotely from a Linux shell.

We need to install packages on top of the base system to get the desired functionality.

The list of available packages is long. We will be installing the Squid and SquidGuard packages.

Squid is a proxy server. Select Squid in the available list and click the add package icon on the right.

The package installation requires Internet access; the required package file is downloaded by pfSense.

Once the files are downloaded, the system installs the package.

Similarly, SquidGuard has to be installed. SquidGuard gives us the capability to filter traffic based on its URL.

Go to General parameters and set the primary DNS server to 4.2.2.2.

There is also an option to configure the LAN and WAN interfaces, if required, using the web configuration.

Select Services and then Proxy Server to configure the Squid proxy. Select LAN as the proxy interface and tick "allow users on the interface".

Enter the log directory as /var/squid/logs. This is required by the report generation package which we will install later. Select a proxy port. This port and the LAN IP of pfSense will have to be entered into all the client machines so that they route their traffic through pfSense.

To configure SquidGuard, go to Services and select SquidGuard. By default it is disabled; click enable to start the SquidGuard service.

Select Blacklist. This is required to enable URL filtering.

To check whether the Squid and SquidGuard services have started, go to Status and then Services.

You will notice that the SquidGuard service has not started. To start SquidGuard a system reboot is required. Reboot the machine from Diagnostics.

Go to Status and then Services. Check the status and verify that all the services are running.

Click play to start Squid and then SquidGuard.

For URL filtering we need to supply a blacklist to pfSense. The list contains various groups (categories) which we can block as per our requirement.

We will be using the free blacklist from http://www.shallalist.de/Downloads/shallalist.tar.gz

Download and install it. This takes considerable time, so be patient.

Now, to achieve the desired URL filtering, go to Common ACL in SquidGuard.

Expand the Target Rules List. By default it is deny all; change it to Allow all. We intend to block only traffic to certain groups, such as porn sites, while allowing everything else. If we did it the other way around, i.e. denying all by default and allowing only traffic to specific groups, we would spend a lot of time just configuring rules.

Here I have shown a "deny porn, allow all" configuration. Similarly, every group you want blocked can be set to deny.

Notice the target rule !blk_BL_porn all. This means that as traffic arrives, the firewall checks whether the URL matches one of the porn sites; if it does, the request is blocked, and if not, it is allowed.

Select "Do not allow IP addresses in URL". If this is not checked, a user can open a site by supplying its IP address in the URL. So even after you have blocked porn sites, a user who enters http://206.161.206.131 can still reach www.sexocean.com, defeating the URL filtering.
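As an added illustration (not part of the original article, and not SquidGuard's own code), the following Python models the Common ACL decision described above: a pass rule of the form !blk_BL_porn all, together with the effect of the "Do not allow IP addresses in URL" option. The blacklist domains, hostnames and the IP address are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for a blacklist 'domains' file (the real files hold
# one bare domain per line); subdomains of each entry are implied.
BLACKLIST_DOMAINS = {
    "porn": {"adult-example.test", "blocked-example.test"},
}

def domain_matches(host, blocked):
    """Domain lists match the host itself and any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)

def is_ip_host(host):
    """True when the URL names a raw IPv4/IPv6 address instead of a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def decide(url, deny_groups=("porn",), block_ip_in_url=True):
    """Mirror the rule 'pass !blk_BL_porn all': block the listed groups and
    allow everything else. block_ip_in_url models the
    'Do not allow IP addresses in URL' option."""
    host = urlsplit(url).hostname or ""
    if block_ip_in_url and is_ip_host(host):
        return "block"
    for group in deny_groups:
        if domain_matches(host, BLACKLIST_DOMAINS[group]):
            return "block"
    return "pass"  # the trailing 'all'

def bypass_demo():
    """Why the IP option matters: a raw address (constructed, TEST-NET range)
    is never in a domain list, so only the option stops that request."""
    return {
        "by name": decide("http://www.adult-example.test/"),
        "by ip, option off": decide("http://203.0.113.10/", block_ip_in_url=False),
        "by ip, option on": decide("http://203.0.113.10/"),
    }

if __name__ == "__main__":
    for case, verdict in bypass_demo().items():
        print(f"{case}: {verdict}")
```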

To keep an account of usage in terms of data downloaded, sites accessed and so on, we need to identify each user. This is only possible if the user supplies credentials to access the proxy server. Go to Auth Settings and select the local authentication method.

For the local authentication method, we need to create the users.

Now, to generate a report of the network usage, we will install a package called Lightsquid.

To check the report, go to Status and then Proxy Reports.

Configure the settings: select the language and reporting scheme as English and Demo respectively.

Lightsquid needs to capture some data before it can generate a report; until then it gives an error as shown below.
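An added example, not the article's own code and not Lightsquid's: a minimal per-user summary over Squid native-format access.log lines, the kind written to /var/squid/logs, implementing the accounting described above. The log lines, client addresses and user names are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed Squid native-format access.log lines (not real traffic):
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1554100000.123    250 192.168.2.101 TCP_MISS/200 4523 GET http://news.example.test/index.html alice HIER_DIRECT/203.0.113.5 text/html
1554100001.456     12 192.168.2.101 TCP_HIT/200 120345 GET http://news.example.test/big.jpg alice NONE/- image/jpeg
1554100002.789    310 192.168.2.102 TCP_MISS/200 8000 GET http://mail.example.test/inbox bob HIER_DIRECT/203.0.113.6 text/html
1554100003.000      0 192.168.2.103 TCP_DENIED/407 3500 GET http://news.example.test/ - HIER_NONE/- text/html
"""

def parse_line(line):
    """Split one native-format line into the fields a usage report needs."""
    f = line.split()
    if len(f) < 10:
        return None  # blank or truncated line
    return {"client": f[2], "result": f[3], "bytes": int(f[4]),
            "site": urlsplit(f[6]).hostname or f[6], "user": f[7]}

def summarize(log_text):
    """Per proxy user: request count, bytes and the distinct sites visited.
    Requests carrying no credentials (user '-', e.g. the 407 challenge when
    authentication is on) land under '(unauthenticated)', which is why the
    article turns on local authentication before trusting the report."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "sites": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user = rec["user"] if rec["user"] != "-" else "(unauthenticated)"
        s = stats[user]
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        s["sites"].add(rec["site"])
    return {u: {"requests": s["requests"], "bytes": s["bytes"],
                "sites": sorted(s["sites"])} for u, s in stats.items()}

if __name__ == "__main__":
    for user, s in summarize(SAMPLE_LOG).items():
        print(f"{user:18} {s['requests']:3} req {s['bytes']:8} B  {', '.join(s['sites'])}")
```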

The changes required on the user PC are shown using the Mozilla Firefox web browser. Similar proxy settings are required in Chrome or Internet Explorer.
