Basic Web Services
So far we have setup a basic firewall that allows you to share the Internet connection, as well as protect your network from Internet traffic. Now we will enhance the Firewall with Services that will allow for easy client setup, improve your Internet speed and filter out undesirable web pages or content that you may wish to remove. Ordinarily, companies charge quite a bit of money to provide these services (especially for content filtering), but here I will discuss how to setup these services using Mandrake Linux and it's web interface.
DHCP and Caching DNS
To automate the configuration of your network clients, you can enable the DHCP server service available on the firewall. DHCP (Dynamic Host Configuration Protocol) allows you to have the firewall automatically send the computers on your LAN the correct IP configuration values during bootup. So, instead of going to each machine and entering a separate IP address, subnet, DNS server and gateway machine, you can have the LAN computers get this information from your firewall. To set this service up, click on DHCP and enter the relevant information, it is pretty self explanatory.
To alleviate excess DNS lookups over your Internet connection, you can setup the firewall to act as a DNS server for your LAN. Doing this will enable the firewall to "cache" all of the nameserver lookups, so if multiple clients try to find the IP address for the same domain name, such as http://www.google.com/, the firewall will send the correct information without needing to access your Internet Service Provider's DNS server.
To enable the Caching DNS service, you simply need to enter the IP address of a forwarding DNS server. This will allow the firewall to query that DNS server if it does not have the information in it's cache. If for some reason the DNS service fails to start or gets mis-configured, simply shut off the service, login to the firewall and move the /etc/named.conf file to something else, such as /etc/named.bak and re-enable the service. The software will re-create a correct /etc/named.conf file to allow the service to work again.
Note: If you run a network utilizing Microsoft Active Directory, Microsoft Exchange Server, or any other newer Microsoft Server, you must utilize Microsoft's DHCP and DNS Services, otherwise you will have severe network slowdowns and communication errors.
Web Proxy and Filtering
One way to really speed up your Internet service is to provide a way to "cache" web pages at the firewall so that if multiple users go to the same sites, most of the images and other information will be retrieved from the firewall instead of the remote Web Server. Also when you implement a proxy or "caching" service, you can also utilize a site/content filter to deny access to certain remote sites, such as pornography or content, such as ads. Many companies produce products that will do this type of filtering, however, these products are quite expensive and IMO are no better than what the OSS community offers with these tools.
Another benefit of a Proxy or "Caching" Server is the ability to only provide Internet Access to people "authenticated" to use the Internet. Mandrake offers the ability to provide a "transparent" proxy, manual proxy or manual "authenticating" proxy using either locally created usernames, an LDAP user database or a SMB (Windows Domain) user database.
The "transparent" settings are just about the same as a "manual" setting, except that it simply adds a "Redirect" to port 3328 rule to your Shorewall settings for traffic coming from the LAN. So, I guess you could even have a "transparent authenticating" proxy if you really need one.
Using the web interface it is quite easy to enable the proxy server, simply click on the Web Proxy settings, then select the type of proxy, either manual, manual authenticating or transparent. The easiest is "transparent" because you will not have to adjust any settings on your clients to be able to use the proxy server, it will simply "just work".
Once you setup and enable the Web Proxy, you will notice that you now have the opportunity to configure both a URL Filter (SquidGuard) and a Content Filter (Dansguardian). When you start to implement each of these services, it is best to do things a step at a time, any misconfiguration could lead to your LAN computers not being able to access the Internet at all.
For those wishing to enable Squidguard here are a few tips. First, make sure you add your local network to the authorized network list (i.e. 192.168.0.0/24). If you plan to block quite a few sites, do not use the web based tools, instead go to a command line and manually add whatever you want to the database through simple text files. An easy way to do this would be to download an updated blacklists file from squidguard.org. Then, once these are downloaded, uncompress them in the root (/root) directory and add the contents of whatever list you want to ban to one the following files:
/usr/share/squidGuard-1.2.0/db/advertising/urls
/usr/share/squidGuard-1.2.0/db/advertising/domains
/usr/share/squidGuard-1.2.0/db/banneddestination/urls
/usr/share/squidGuard-1.2.0/db/banneddestination/domains
/usr/share/squidGuard-1.2.0/db/banneddestination/expressionsyou can do this with vi by "reading" the file in using the ":r /path/to/filename" command. The advertising directory will replace advertising content with a small dot(so an annoying error box will not show up), while the banneddestination directory will deny all access to the specified sites. Once this is done, you must change these text files to a SquidGuard database by issuing:
squidGuard -C allOne more thing, make sure that squid is both the owner and group of these files by executing the following command:
chown squid.squid /usr/share/squidGuard-1.2.0/db -RYour Proxy Server will now block these sites (after you restart squid). Unfortunately, there is another bug we must fix, so the "denied page" is not an access denied to the squidguard.cgi file, but instead the nice, somewhat informative blue/green Mandrake denied page.
To fix this you must edit the "/etc/httpd/conf/commonhttpd2-naat.conf" file. Toward the end of the file, it will list the "/var/www-naat/cgi-bin" directory. You must add the following so the web server will have permission to use the SquidGuard cgi-bin directory.
AllowOverride All
Options ExecCGI
Order allow,deny
Allow from all
Finally, if you ever (accidentally) go back to the banned destination configuration page through the web interface, you must once again recreate the databases and change the ownership manually. As for configuring Dansguardian, please visit their website at http://www.dansguardian.org. In my experience, SquidGuard seems to be enough of a deterrent that Dansguardian is not needed.
Intrusion Detection
Using the web interface, you can enable both Snort and Prelude Intrusion Detection Systems. These IDS services work quite well, unfortunately, when you have an IDS on a computer directly connected to the Internet you will get quite a few false positives. So, weeding through the logfiles can quickly become a fulltime job. If you do plan on enabling the IDS on the firewall, it is best to also use a "helper" application that will allow you to just view "threats" on your machine, such as logwatch.
Optimally, if you do have a large network, it is best to place an IDS server somewhere on your LAN so you can monitor for any suspicious activity that somehow makes it through your firewall. For more information on how to do this, there are two books available from the Bruce Peren's Open Source series at http://phptr.com/perens. The titles are "Open Source Security Tools" and "Intrusion Detection with Snort".
Testing and enhancing your Firewall
Testing and enhancing your Firewall
Testing your Firewall
One of the final things you should do before implementing a firewall solution is to ensure you fully test it to make sure it does what it is supposed to. You should run these tests on both sides of the firewall, the Internet side, as well as the LAN side. In order to properly test your firewall, there are a few applications available. The first application you should use would be a port scanner to ensure your firewall rules are in place. The most popular port scanner, NMAP is available for nearly any Operating System at http://insecure.org/nmap.
Another other tool that you should run on your firewall would be a vulnerability scanner. These tools will scan your server for known vulnerabilities, such as ones "script kiddies" would take advantage of. You can get a good vulnerabilitiy scanner called Nessus for Linux/Unix based machines from http://www.nessus.org.
Enhancing your Firewall
One of the great things about utilizing Mandrake Linux 10.1 for your firewall is the fact that there are so many packages available for it. It is very simple to add additional tools that would be beneficial for you run. A few of them would be:
ntop- Network traffic probe - this package is accessed through a web interface. Once installed you must ensure that the "/usr/share/ntop" directory has correct permissions, then add the following to /etc/sysconfig/ntop - extra_args="-i eth0,eth1 -M" to allow ntop to monitor both network interfaces. Then simply open http://ipaddress:3000 in your browser to utilize the program.
mrtg- Multi Router Traffic Grapher will monitor the traffic load on your firewall, also available through a web interface.
netwatch- terminal based network watching program. Simply type in "netwatch -e eth1" at a prompt to watch all the traffic going through your LAN interface.
All of these packages can be easily installed by running a "urpmi packagename", then after they are configured you will be able to take advantage of the software. There are hundreds other packages you could take advantage of, such as squid-log analyzers, packet sniffers, etc., all of these are only an urpmi away.
Note: It is extremely easy to add additional services to your firewall, such as a Mail, FTP or a Web Server, however, it is strongly discouraged to run anything but the "bare minimum" services on a firewall computer.
So far we have setup a basic firewall that allows you to share the Internet connection, as well as protect your network from Internet traffic. Now we will enhance the Firewall with Services that will allow for easy client setup, improve your Internet speed and filter out undesirable web pages or content that you may wish to remove. Ordinarily, companies charge quite a bit of money to provide these services (especially for content filtering), but here I will discuss how to setup these services using Mandrake Linux and it's web interface.
DHCP and Caching DNS
To automate the configuration of your network clients, you can enable the DHCP server service available on the firewall. DHCP (Dynamic Host Configuration Protocol) allows you to have the firewall automatically send the computers on your LAN the correct IP configuration values during bootup. So, instead of going to each machine and entering a separate IP address, subnet, DNS server and gateway machine, you can have the LAN computers get this information from your firewall. To set this service up, click on DHCP and enter the relevant information, it is pretty self explanatory.
To alleviate excess DNS lookups over your Internet connection, you can setup the firewall to act as a DNS server for your LAN. Doing this will enable the firewall to "cache" all of the nameserver lookups, so if multiple clients try to find the IP address for the same domain name, such as http://www.google.com/, the firewall will send the correct information without needing to access your Internet Service Provider's DNS server.
To enable the Caching DNS service, you simply need to enter the IP address of a forwarding DNS server. This will allow the firewall to query that DNS server if it does not have the information in it's cache. If for some reason the DNS service fails to start or gets mis-configured, simply shut off the service, login to the firewall and move the /etc/named.conf file to something else, such as /etc/named.bak and re-enable the service. The software will re-create a correct /etc/named.conf file to allow the service to work again.
Note: If you run a network utilizing Microsoft Active Directory, Microsoft Exchange Server, or any other newer Microsoft Server, you must utilize Microsoft's DHCP and DNS Services, otherwise you will have severe network slowdowns and communication errors.
Web Proxy and Filtering
One way to really speed up your Internet service is to provide a way to "cache" web pages at the firewall so that if multiple users go to the same sites, most of the images and other information will be retrieved from the firewall instead of the remote Web Server. Also when you implement a proxy or "caching" service, you can also utilize a site/content filter to deny access to certain remote sites, such as pornography or content, such as ads. Many companies produce products that will do this type of filtering, however, these products are quite expensive and IMO are no better than what the OSS community offers with these tools.
Another benefit of a Proxy or "Caching" Server is the ability to only provide Internet Access to people "authenticated" to use the Internet. Mandrake offers the ability to provide a "transparent" proxy, manual proxy or manual "authenticating" proxy using either locally created usernames, an LDAP user database or a SMB (Windows Domain) user database.
The "transparent" settings are just about the same as a "manual" setting, except that it simply adds a "Redirect" to port 3328 rule to your Shorewall settings for traffic coming from the LAN. So, I guess you could even have a "transparent authenticating" proxy if you really need one.
Using the web interface it is quite easy to enable the proxy server, simply click on the Web Proxy settings, then select the type of proxy, either manual, manual authenticating or transparent. The easiest is "transparent" because you will not have to adjust any settings on your clients to be able to use the proxy server, it will simply "just work".
Once you setup and enable the Web Proxy, you will notice that you now have the opportunity to configure both a URL Filter (SquidGuard) and a Content Filter (Dansguardian). When you start to implement each of these services, it is best to do things a step at a time, any misconfiguration could lead to your LAN computers not being able to access the Internet at all.
For those wishing to enable Squidguard here are a few tips. First, make sure you add your local network to the authorized network list (i.e. 192.168.0.0/24). If you plan to block quite a few sites, do not use the web based tools, instead go to a command line and manually add whatever you want to the database through simple text files. An easy way to do this would be to download an updated blacklists file from squidguard.org. Then, once these are downloaded, uncompress them in the root (/root) directory and add the contents of whatever list you want to ban to one the following files:
/usr/share/squidGuard-1.2.0/db/advertising/urls
/usr/share/squidGuard-1.2.0/db/advertising/domains
/usr/share/squidGuard-1.2.0/db/banneddestination/urls
/usr/share/squidGuard-1.2.0/db/banneddestination/domains
/usr/share/squidGuard-1.2.0/db/banneddestination/expressionsyou can do this with vi by "reading" the file in using the ":r /path/to/filename" command. The advertising directory will replace advertising content with a small dot(so an annoying error box will not show up), while the banneddestination directory will deny all access to the specified sites. Once this is done, you must change these text files to a SquidGuard database by issuing:
squidGuard -C allOne more thing, make sure that squid is both the owner and group of these files by executing the following command:
chown squid.squid /usr/share/squidGuard-1.2.0/db -RYour Proxy Server will now block these sites (after you restart squid). Unfortunately, there is another bug we must fix, so the "denied page" is not an access denied to the squidguard.cgi file, but instead the nice, somewhat informative blue/green Mandrake denied page.
To fix this you must edit the "/etc/httpd/conf/commonhttpd2-naat.conf" file. Toward the end of the file, it will list the "/var/www-naat/cgi-bin" directory. You must add the following so the web server will have permission to use the SquidGuard cgi-bin directory.
AllowOverride All
Options ExecCGI
Order allow,deny
Allow from all
Finally, if you ever (accidentally) go back to the banned destination configuration page through the web interface, you must once again recreate the databases and change the ownership manually. As for configuring Dansguardian, please visit their website at http://www.dansguardian.org. In my experience, SquidGuard seems to be enough of a deterrent that Dansguardian is not needed.
Intrusion Detection
Using the web interface, you can enable both Snort and Prelude Intrusion Detection Systems. These IDS services work quite well, unfortunately, when you have an IDS on a computer directly connected to the Internet you will get quite a few false positives. So, weeding through the logfiles can quickly become a fulltime job. If you do plan on enabling the IDS on the firewall, it is best to also use a "helper" application that will allow you to just view "threats" on your machine, such as logwatch.
Optimally, if you do have a large network, it is best to place an IDS server somewhere on your LAN so you can monitor for any suspicious activity that somehow makes it through your firewall. For more information on how to do this, there are two books available from the Bruce Peren's Open Source series at http://phptr.com/perens. The titles are "Open Source Security Tools" and "Intrusion Detection with Snort".
Testing and enhancing your Firewall
Testing and enhancing your Firewall
Testing your Firewall
One of the final things you should do before implementing a firewall solution is to ensure you fully test it to make sure it does what it is supposed to. You should run these tests on both sides of the firewall, the Internet side, as well as the LAN side. In order to properly test your firewall, there are a few applications available. The first application you should use would be a port scanner to ensure your firewall rules are in place. The most popular port scanner, NMAP is available for nearly any Operating System at http://insecure.org/nmap.
Another other tool that you should run on your firewall would be a vulnerability scanner. These tools will scan your server for known vulnerabilities, such as ones "script kiddies" would take advantage of. You can get a good vulnerabilitiy scanner called Nessus for Linux/Unix based machines from http://www.nessus.org.
Enhancing your Firewall
One of the great things about utilizing Mandrake Linux 10.1 for your firewall is the fact that there are so many packages available for it. It is very simple to add additional tools that would be beneficial for you run. A few of them would be:
ntop- Network traffic probe - this package is accessed through a web interface. Once installed you must ensure that the "/usr/share/ntop" directory has correct permissions, then add the following to /etc/sysconfig/ntop - extra_args="-i eth0,eth1 -M" to allow ntop to monitor both network interfaces. Then simply open http://ipaddress:3000 in your browser to utilize the program.
mrtg- Multi Router Traffic Grapher will monitor the traffic load on your firewall, also available through a web interface.
netwatch- terminal based network watching program. Simply type in "netwatch -e eth1" at a prompt to watch all the traffic going through your LAN interface.
All of these packages can be easily installed by running a "urpmi packagename", then after they are configured you will be able to take advantage of the software. There are hundreds other packages you could take advantage of, such as squid-log analyzers, packet sniffers, etc., all of these are only an urpmi away.
Note: It is extremely easy to add additional services to your firewall, such as a Mail, FTP or a Web Server, however, it is strongly discouraged to run anything but the "bare minimum" services on a firewall computer.
Conclusion
A firewall is one of the first things that you must consider when securing a network. There are many products available to handle this job, ranging from "Linux on a floppy" firewalls and low-cost "home firewall" devices, all the way to highly expensive Cisco Pix firewalls. However, if you want full functionality, Mandrake offers an easy to use web interface coupled with all the features you could want in a firewall (including VPN services), plus the expandability that comes with a complete commercial Linux distribution. All for a price that will not break your budget.
Link Teman :
Agus Santoso
Anita Sri Srep
Nur Hayati
Sigit Efendi
Sumber : http://www.flexbeta.net/main/printarticle.php?id=87
Labels: jaringan
0 Comments:
<< Home | << Add a comment