How to secure your intra-network from external attacks when connected to Internet

  • Print

{jumi [ads/adsTop]}

In this article I would talk about securing a intra-network from external attacks. The intra-network could be a group of PCs connected to a switch and the switch in turn connected to an Internet Broadband modem. Now we could implement the required security in two ways. First secure all the PCs by loading desktop firewalls in them. Loading those PCs with anti virus software with latest updates. Further more , update the OS with all the required patches. However, we can not do much about the end users. Many a times we are faced with users who have got very little knowledge about computer networks in general. These users invariable would load softwares on to their machines which would comprise their security . One solution, could be that one takes away the administration rights from them and let them use the machine with user rights. Therefore, they would not be able to cause any damage to their system. However, this setup would require configuring each and every machine on the system. Further more, no users would like to be dictated how they should use their machine, after all they own it.

 

So whats the way out. Think of securing the perimeter. This way we need not secure each individual PC and the users are at liberty to do whatever they feel like with their machine, as they are the administrators themselves. As we have got only one gateway to the intra-network in terms of the Ethernet connectivity coming from the Broadband user, to engineer the above setup we could pass it through a Network Firewall. The resulting setup now would be , Ethernet data coming from the broadband router goes to the network firewall's WAN port, the intra-network gets connected to the LAN port of the Network firewall.

Fine, now that we have thought of placing a network firewall, lets see what all is available in the market. Well through money and you can pick up the best of Juniper and alike Firewall. But do we really need all that high end Network Firewall. The answer is , one could easily do a much better job with a Linux based Network Firewall. Did some one say Linux. And the first response one gets is anything but Linux or I have never used Linux etc. This article I have specially target towards those network administrators who have had no experience about Linux, what so ever. We would build a Network firewall and much more in a matter of time from scratch.

To start with get hold of an old PC having two LAN cards and atleast 256MB RAM, 2GB Hard-disk space. Keyboard, mouse and Monitor would be required only during the installation process.

 

Download the latest version of pfsense (Network Firewall ) iso image from http://pfsense.com/download/mirror.php?section=downloads  . Create a installation disk from the image file by burning it on to it using any CD/DVD writing software.


  Insert the disk into the CD drive and you would be offered with the following prompt.

Press enter

Enter I to install

Accept the settings

Go to Quick /Easy Install

 

If you are installing to a PC which would generally be the case, select Symmetric multiprocessing Kernel

After reboot default username is admin and password id pfsense

press F1 to start

Select n

Enter the name of ethernet interface connected to  WAN, this could be eth0/eth1 in your case. For this article I have installed pfsense in virtualbox where the interfaces have been identifies by the system  as em0 and em1.

Select y if the interface selection is correct

Select option 2 for setting interface IPs

Select y for configuring WAN via DHCP

I have selected IP address 192.168.2.1 for LAN

Enable DHCP server for LAN

I have selected the DHCP range from 192.168.2.100 to 200

Note the URL http://192.168.2.1 for web configuration

 


Now open your web browser and go to ip address of the LAN port of PfSense. In our example its http://192.168.2.1

 

Enable Secure shell for configuring the firewall by remotely logging in to the machine using a Linux shell

We need to install packages on to the base system to get the desired functionality.

the list of available packages has got many packages. We would be installing Squid and Squidguard packages.

Squid is a proxy server.Select Squid in the available list . Click the add package icon on the right.

 

The package installation would require Internet. The required package file would be downloaded by PfSense.

Once the files are downloaded, the system would install the package.

Similarly Squidguard has to be installed. Squidguard would give us the capability to filter traffic based on its URL.

Go to General parameters and setup Primary DNS Server as 4.2.2.2

 

There is an option to configure LAN and WAN interface if required using the Wen Configuration.

Select  Services and then Proxy Server to configure the squid proxy. Select proxy interface as LAN.  Click  on  allow users on the interface.

enter log directory as /var/squid/logs  . This would be required by the report generation package which we would install later. Select a proxy port. This port and the LAN IP of the PfSense would have to entered into all the machines to route their traffic to PfSense.

To configure Squidguard go the Services and select Squidguard. By default it would be disabled. We would have to click enable to start the Squidguard service

Select Blacklist. This would be required for enabling URL filtering.

 To check whether the services Squid and Squidguard have started go to Status and then to Services.

You would notice that the Squidguard service has not started. To start Squidguard a system reboot would be required. Reboot the machine using the Diagnostics.

Go to Status and then to Services. Check the status and verify all the services are running.

Click play to start Squid and then Squidguard

For URL filtering we need to supply a blacklist to the PfSense.  This list contains various groups which we can block as per our requirement.

We would be using a free Blacklist from http://www.shallalist.de/Downloads/shallalist.tar.gz

download and install. This would take considerable time , so be patient.

 

 

 

Now to achieve the desired URL filtering go to Common ACL in Squidguard.

Expand the Target Rules List. By default its deny all. Change it to Allow all. We intend to block only traffic to certain groups such as porn sites etc while  allowing all other. If we do the other way around , ie, denying all by default and allowing only traffic to specific groups. We would end up spending a lot of time only configuring rules.

Here I have shown deny porn and allow all configuration. Similarly all groups which you want blocked can be selected as deny.

Notice the Target rules as !blk_BL_porn all. This implies, as the traffic would arrive, the firewall would check if the URL matches the ones for porn sites, if yes, it will be blocked. If no, it would be allowed.

Select do not allow IP address in URL. If not checked a user can open a site by supplying its IP address in the URL. So even if you would have blocked porn sites, a user who enters  http://206.161.206.131 can still access www.sexocean.com thereby defeating the URL filtering.

To keep an account of usage in terms of data download, sites accessed etc , we would require to identify a particular user. This can only be possible if the user supply  some credentials to access the proxy server. Go to Auth Settings and select local authentication method.

 

For local authentication method, we would require to create users

Now to generate report of the network usage we will install a package called Lightsquid.

To check the report go Status and then to Proxy reports.

configure the settings. Select language and reporting scheme as English and Demo respectively.

The lightsquid would require to capture some data before it can generate a report else it would give an error as under.

The changes required in the user PC are shown using Mozilla Firefox web browser. Similar settings would be required in chrome or Internet explorer.