Global Open Versity ICT Labs Secure Network Defense using IPCop Firewall/Router v1.6
Global Open Versity
IT Security & Network Defense Hands-on Labs Training Manual
Install Guide IPCop Firewall/Router for Network Security with
Spam and Virus Protection
Kefa Rabah
Global Open Versity, Vancouver Canada
krabah@globalopenversity.org
www.globalopenversity.org
Table of Contents Page No.
INSTALL GUIDE IPCOP FIREWALL/ROUTER FOR NETWORK SECURITY WITH SPAM AND VIRUS PROTECTION 3
1.0 Introduction 3
1.1 IPCop Firewall/Router Appliance 4
2.0 Historical Overview of IT Network Security 4
2.1 A Case for Multi-Layered Enterprise IT Security Network Defense 5
Network Diagram Configuration 7
Part 1: Install & Configure IPCop Firewall 8
Step 1: Install IPCop Firewall 8
Step 2: Test your Firewall Security from Outside your Private Network 24
Part 2: Install Internal PC (Virtual Machine 2) for Remote Administration of IPCop 26
Part 3: Testing IPCop Security using NMAP 28
Part 4: Installing Add-Ons to Extend IPCop Capability 30
Step 1: Install & Configure URL Filter Add-on on IPCop 30
Step 2: Enable the Web Proxy 30
Step 3: Configure URL Filter 32
Step 4: Extending IPCop with Copfilter Add-on 35
Install & Configure Copfilter Add-on on IPCop 36
1. Enable HTTP Scanning 38
2. Enable AntiVirus (ClamAV, AVG, F-Prot) 38
3. Enable FTP Scanning 39
4. Enable POP3 Scanning (P3Scan) 39
5. Enabling Monitoring of Copfilter 40
6. Viewing Copfilter Status 41
Part 5: Checking IPCop Memory Usage 41
Part 6: Enable Intrusion Detection System (IDS) Monitoring on IPCop 42
Part 7: Install Zerina's OpenVPN Package for IPCop 43
Step 1: Install Zerina OpenVPN 43
1. Configure OpenVPN 44
April 2007, Kefa Rabah, Global Open Versity, Vancouver Canada
www.globalopenversity.org ICT202 - Linux Enterprise Infrastructure Engineering Diploma
2. Generate OpenVPN Root/Host Certificates 44
3. Generate Client Certificates 45
Step 2: Install and Configure OpenVPN on the Client 46
Step 3: Connect to the Exchange Server 2k3 to check Email 48
Part 8: Troubleshooting Problem with Intrusion Detection (Snort) on IPCop Firewall 1.4.21 49
Part 9: Different IT Security Vulnerability Scanning and Testing Techniques 49
Step 1: Network Penetration Testing Methods 50
Step 2: Information Systems Security Assessment Framework (ISSAF) 51
Step 3: IT Risk & Vulnerability Testing Tools 51
1. Metasploit Framework 51
2. Nessus 51
Part 10: Need More Training on Linux: 52
Part 11: Hands-on Labs Assignments 52
A GOV Open Access Technical Academic Publications License
Enhancing education & empowering people worldwide through eLearning in the 21st Century
Global Open Versity
IT Security & Network Defense Hands-on Labs Training Manual
Install Guide IPCop Firewall/Router for Network Security with Spam and Virus Protection
By Kefa Rabah, krabah@globalopenversity.org Jan 20, 2010 GTI Institute
Project: Deploy secure network defense Solution for small enterprise (SMB) using IPCop firewall with
URLfilter, Copfilter and OpenVPN add-ons.
Today, small and medium sized businesses (SMBs) are the backbone of the global economy, even more so in the developed countries and in the recently emerging markets. In the current global economic meltdown they are all more inclined to act cautiously: they maintain a stable business and they are not subject to the high demands of investors. Nevertheless, SMBs are affected by the current economic climate even more than larger businesses. This is why we see more and more businesses fall back on consumer products to secure their IT environment in order to reduce costs and maintain ROI, lowering their level of security in the process. This is a dangerous compromise. However, there are great open source network security solutions out there that, when implemented correctly, can go a long way toward keeping the bad guys off their network resources. In this series of IT Security & Network Defense Hands-on Labs Training, we are going to look at some of the software solutions that can easily be deployed to secure private network resources.
The main goal of Copfilter is to provide a free and easy to use solution to filter and scan traffic from any unsecure network, like the Internet, for viruses and spam. It has been designed as a preconfigured and easy to install add-on for the open source firewall IPCop.
1.0 Introduction
Information security is commonly thought of as a process and not a product. However, standard security implementations usually employ some form of dedicated mechanism to control access privileges and restrict network resources to users who are authorized, identifiable, and traceable. Firewalls have been keeping guard between the private network and the Internet for as long as the Internet itself has existed.
Firewalls are one of the core components of a network security implementation. Several vendors market firewall solutions catering to all levels of the marketplace: from home users protecting one PC to data center solutions safeguarding vital enterprise information. Firewalls can be stand-alone hardware solutions, such as firewall appliances by Cisco, Nokia, and Sonicwall. Vendors such as Checkpoint, McAfee, and Symantec have also developed proprietary software firewall solutions for home and business markets.
Apart from the differences between hardware and software firewalls, there are also differences in the way firewalls function that separate one solution from another. In this guide, we’ll only concentrate on the SMB type of network configuration, with very limited or no budget to cater for exotic firewall infrastructure. However, with an open source Linux-based operating system you have a lot of choices for protection, and for this lab session we are going to use the IPCop firewall.
1.1 IPCop Firewall/Router Appliance
The IPCop project is a GNU/GPL project that offers an exceptional feature packed stand alone firewall to
the internet community. Its comprehensive web interface, well documented administration guides, and its
involved and helpful user/administrative mailing lists make users of any technical capacity feel at home. It
goes far beyond a simple ipchains / netfilter implementation available in most Linux distributions and even
the firewall feature sets of commercial competitors. It can be used not only to protect your internal network
(private network) from the external one (Internet) but also to set up a DMZ (DeMilitarized Zone) where you
can host, e.g., Web and FTP servers. The DMZ machines will be accessible through the public Internet
and can have limited access to services like a database server on the internal network. What’s more, IPCop also bundles an IDS (Intrusion Detection System), which logs possible intrusions or attacks against your internal network or the firewall machine itself.
That is, IPCop is a cut-down Linux distribution that is intended to operate as a firewall, and only as a
firewall. It has some advanced firewalling features, including VPNs using IPSec. It’s a complete firewall
solution, taking control of the machine and replacing any other operating system that is installed.
Therefore, it is not similar to packages like ipchains or any of the GUI firewall administration tools. It is not
an additional security service you would run on your machine; rather, it is a complete operating system
and firewall administration kit in a box that the user would dedicate a single machine to house and run as an Internet gateway. And that is the format we’re going to follow in these hands-on training labs.
Today, firewalls have had to undergo a tremendous metamorphosis as a result of evolving threats. IPCop is exemplary in offering such a range of default features and, further, a large set of optional plug-ins which can extend its functionality and security capability, as we will see later in the text.
Some of IPCop’s impressive base install features include: a secure HTTPS web-based GUI administration system, an SSH server for remote access, TCP/UDP port forwarding, a DHCP server, proxying (Squid), DNS proxying, dynamic DNS, a time server, traffic shaping, traffic/system/firewall/IDS graphing, intrusion detection (Snort), ISDN/ADSL device support and IPSec-based VPN support (FreeSWAN) with a control area and support for Check Point SecuRemote. As if these base features were not astounding enough, there are dozens of add-ons which can further expand the functionality of your IPCop, from web filtering to antivirus scanning.
2.0 Historical Overview of IT Network Security
As attacks on enterprises grow more sophisticated and diverse, companies need to rethink their network defense and entire enterprise risk management strategies. Security, for that matter, is not only about protecting the network but also the data. That requires a combination of tactics, from securing the network perimeter to encrypting data on mobile and storage devices. Today, many enterprises treat network security as a layered approach. As security becomes more complex, businesses increasingly see a need for enterprise security strategies, as well as ways to collate information from the various tools and evaluate their performance. And they are grappling with new issues created by growing mobility and anywhere, anytime access – making the remote users the “new perimeter” frontier rather than the firewall – thus increasing risk to enterprise resources. Therefore, getting the firewall configured correctly to allow road-warriors access to the private network is very critical.
2.1 A Case for Multi-Layered Enterprise IT Security Network Defense
In IT speak, security is a many-layered thing for most IT managers. This is basically because attacks may target network, workstation, server or application vulnerabilities. Blended threats combine multiple attack vectors – Trojan horses, spyware, worms and viruses, for example – in an attempt to outflank an organization’s defenses. And over the years, starting from the mid 80s and the birth of PCs, the attack tools have been growing in sophistication while requiring almost no technical skills to use, as depicted in Fig. 2. In response, enterprises erected a series of barriers on the principle that an attack that beats one security measure won’t get past other protections. This approach goes by several names: layered security, defense-in-depth – but the underlying premise is the same, see Fig. 1.
[Fig. 1: Enterprise Security – Defense-In-Depth. The figure shows the layers from the outside in: Perimeter Defenses, Network Defenses, Host Defenses, Application Defenses, Data & Resources; each layer is built on the assumption that the prior layers fail.]
The traditional view of layered security places the firewall at the outermost ring of the protection – guarding the corporate network from incursions borne on the public network (the Internet), see Figs. 1 & 2. After the firewall, attention turns to network-based intrusion detection/prevention systems that aim to snuff out attacks that sneak through the firewall. Antivirus software and host-based intrusion detection/prevention systems protect servers and client PCs, providing still another layer.
Fig. 2: Typical Secure Internal Network Infrastructure
Firewall – via filter rules (TCP, UDP, & ports) it must be the gateway for all communications between trusted, untrusted and unknown networks (NWs). It is the choke point through which all communication must pass.
Perimeter network (NW) or DMZ – put in place using firewalls & routers on the NW edge, it permits secure communications between the corporate NW and third parties. It includes the DMZ, extranets, & intranets. The perimeter network is the key that enables many mission-critical NW services. It also offers a layer of protection for the internal NW in the event that one of the Internet-accessible servers is compromised.
Bastion hosts – a bastion host cannot initiate, on its own, a session request back to the private NW. This implies it can only forward packets that have already been requested by clients on the internal private NW. To maintain secure communication and private network protection, bastion hosts should have all appropriate up-to-date service packs (SP), hot fixes, and patches installed. System/network admins must also ensure that logging of all security-related events is enabled and regularly reviewed/analyzed to track both successful and unsuccessful security events.
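The choke-point and bastion-host points above can be made concrete with a small model. The following Python is an added example, not code from the IPCop project or from this manual: it models a default-deny firewall with per-zone TCP/UDP port rules plus a session table, so that only replies to sessions opened through the firewall are forwarded back, unsolicited inbound packets (including forged "replies" with no tracked session) are dropped, and every drop is logged for later review. The zone names internet/dmz/internal, the addresses, the rule table and the packets are all constructed for illustration.

```python
# Added example (not from the IPCop lab manual): a toy model of the firewall
# as choke point, with filter rules on protocol/zone/port plus connection
# tracking so that replies to sessions opened from the inside get back in,
# while unsolicited inbound packets are dropped and logged.  Zone names,
# addresses, rules and packets are all constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_zone: str     # "internet", "dmz" or "internal" (constructed zone names)
    src: str
    sport: int
    dst_zone: str
    dst: str
    dport: int
    syn: bool = True  # for TCP: True = new session request, False = reply/mid-stream


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]  # None matches any destination port
    action: str           # "accept" or "drop"


# Constructed default-deny policy: anything not listed here is dropped.
POLICY: List[Rule] = [
    Rule("internal", "internet", "tcp", 80, "accept"),   # web browsing
    Rule("internal", "internet", "tcp", 443, "accept"),
    Rule("internal", "internet", "udp", 53, "accept"),   # DNS
    Rule("internet", "dmz", "tcp", 80, "accept"),        # public web server in the DMZ
    Rule("internet", "dmz", "tcp", 21, "accept"),        # public FTP server in the DMZ
    Rule("dmz", "internal", "tcp", 3306, "accept"),      # limited DB access from the DMZ
]

SessionKey = Tuple[str, str, int, str, int]  # (proto, client, cport, server, sport)


class Firewall:
    """Choke point: every packet between zones is decided here."""

    def __init__(self, policy: List[Rule]) -> None:
        self.policy = policy
        self.sessions: Set[SessionKey] = set()
        self.log: List[str] = []  # security-related events kept for later review

    def _match_rule(self, p: Packet) -> Optional[Rule]:
        for r in self.policy:
            zones_ok = (r.src_zone, r.dst_zone, r.proto) == (p.src_zone, p.dst_zone, p.proto)
            if zones_ok and (r.dport is None or r.dport == p.dport):
                return r
        return None

    def filter(self, p: Packet) -> str:
        # 1. A reply to a session already opened through the firewall is allowed back.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "accept"
        # 2. Otherwise an explicit accept rule is needed, and a TCP packet must be a SYN:
        #    a stray reply with no tracked session is never forwarded.
        rule = self._match_rule(p)
        if rule is not None and rule.action == "accept" and (p.proto == "udp" or p.syn):
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "accept"
        # 3. Default deny; record the event so it can be reviewed.
        self.log.append(
            f"DROP {p.proto} {p.src_zone}:{p.src}:{p.sport} -> {p.dst_zone}:{p.dst}:{p.dport}"
        )
        return "drop"


def run_demo() -> Tuple[Firewall, List[str]]:
    """Push constructed packets through the policy and return the verdicts."""
    fw = Firewall(POLICY)
    packets = [
        # internal client opens a web session to the Internet
        Packet("tcp", "internal", "10.0.0.5", 40000, "internet", "203.0.113.10", 80),
        # the web server's reply: accepted because the session is tracked
        Packet("tcp", "internet", "203.0.113.10", 80, "internal", "10.0.0.5", 40000, syn=False),
        # unsolicited SYN from the Internet to an internal file share: no rule, dropped
        Packet("tcp", "internet", "198.51.100.7", 55555, "internal", "10.0.0.5", 445),
        # forged "reply" to the client port from a host it never talked to: no session, dropped
        Packet("tcp", "internet", "198.51.100.7", 55555, "internal", "10.0.0.5", 40000, syn=False),
        # Internet user reaches the public web server in the DMZ
        Packet("tcp", "internet", "198.51.100.7", 50000, "dmz", "192.0.2.20", 80),
        # DMZ host tries to open SSH back into the private network: dropped
        Packet("tcp", "dmz", "192.0.2.20", 33000, "internal", "10.0.0.9", 22),
        # DMZ host reaches the one internal service it is allowed to use
        Packet("tcp", "dmz", "192.0.2.20", 33001, "internal", "10.0.0.9", 3306),
        # non-SYN packet to the DMZ web server with no tracked session: dropped
        Packet("tcp", "internet", "198.51.100.8", 50001, "dmz", "192.0.2.20", 80, syn=False),
    ]
    verdicts = [fw.filter(p) for p in packets]
    return fw, verdicts


if __name__ == "__main__":
    fw, verdicts = run_demo()
    for v in verdicts:
        print(v)
    print("\n".join(fw.log))
```

Running the script prints the eight verdicts followed by the four DROP log lines. The model is deliberately minimal (no session timeouts, no ICMP, no FTP data channel); on a real IPCop box the same accept/drop decisions are made by the netfilter rules the firewall generates, and the drop log corresponds to the firewall log you review in its web interface.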
While emerging classes of tools may fend off attacks at multiple layers, there are pitfalls if the tools are not properly configured, managed or integrated with existing systems. In effect, chief information and security officers have to be jacks of all trades to implement an effective layered security strategy. Overall, a layered security strategy – built around numerous preventive controls – requires good perimeter defenses – i.e., you need to have host- and network-based intrusion detection integrated with other security solutions all the way down to the desktop level, also known as the end-point. Current statistics indicate that a typical enterprise spends more than 5% of its IT budget