INFA 620 Lab 4: Firewall

Introduction

You are the Network Security Administrator for an organization. You are responsible for the configuration of a firewall that segregates the enterprise network from the external network. You will strategically allow authorized incoming and outgoing traffic while denying all unauthorized traffic.

In this lab, we are going to practice setting up a Smoothwall firewall in a UMUC remote lab. Smoothwall is a Linux kernel-based firewall. It has a rich graphical interface, and underneath it implements the filtering with Linux iptables (see http://linux.die.net/man/8/iptables). The manual for the Smoothwall firewall can be found at: http://www.smoothwall.com/media/114580/AdvancedFirewall-admin.pdf. The exercise does not require you to read the entire manual. We are going to experiment with the inbound and outbound traffic filtering aspects (Chapter 7) of the firewall.

The UMUC remote environment for this lab is shown in the figure below. Notice that the firewall/router separates the 100.100.0.x External network (virtual Internet) from the 192.168.1.x Enterprise machines. This firewall will be controlling the inbound and outbound traffic of the enterprise.

Designed and written by Jeffrey Karlan Page 10 of 24

INFA 620 Firewall Lab Manual Copyright UMUC 2015 Page 8 of 36

Step by Step Instructions for Performing the Lab Activity

1) From the Virtual Machine screen, double click the console for Enterprise. Use root/aspring2013 credentials to logon to Enterprise. (Note: From the Jumpbox you can also remote to Enterprise. Double click VNC Viewer. Enter remote host address 10.5.14.110 > Click Connect and use aspring2013 as the password. But the console login gives you more “real estate,” and should be preferred.)

2) This is Enterprise (Centos)

3) Double click Firewall GUI

4) Supply Username and Password and Click OK

5) This is Firewall (Smoothwall)

6) Click Networking > Outgoing. This is where you will configure rules to allow or deny network traffic from our internal Enterprise network to the External Virtual Internet.

7) Notice that in the Interface Defaults section the current selection is “Blocked with Exceptions”. This means that all traffic from the Enterprise network to the External network that is not explicitly allowed is implicitly denied (default deny). This method of administering a firewall is known as maintaining a “Whitelist” (allowlist). The opposite approach, implicitly allowing all network traffic except explicitly denied protocols, is known as maintaining a “Blacklist” (denylist). In network administration, maintaining a whitelist is considered best practice: a new or unexpected protocol stays blocked until someone consciously decides to permit it, instead of flowing until someone notices and blocks it.

Our Firewall has an interface on the Enterprise Internal network known as the Green Interface, and an interface on the External network known as the Red interface.

8) Minimize Smoothwall and return to Enterprise desktop

9) Double click Scripts > Double click Traffic.

10) Each of the scripts in this folder will simulate 5 packets of traffic using their named protocol from the Enterprise network to the External network.

11) Together we will enable HTTP traffic from Enterprise to External. HTTP is needed in order for users to browse websites on the internet. Double Click Web Browser

12) Click the + button to open a new tab

13) In the browser bar type 100.100.0.100 > Enter. Firefox should be unable to connect. Firewall is implicitly denying the HTTP traffic.

14) Minimize Firefox and return to the Desktop > Scripts > Traffic Folder > Double Click HTTP.sh

15) Select run in terminal

16) Your output should look like this. We sent 5 packets to 100.100.0.100 and Firewall blocked them.

17) Maximize or reopen Firefox to return to the Firewall GUI, then click Networking > Outgoing

18) In the “Add exception” area, leave Application as “User defined” and type 80 in the Port field (TCP port 80 is HTTP). In Comment type “Allow HTTP to External”. Leave the Enabled checkbox checked. Click Add. Note that the exception is keyed on the destination port only, so it permits outbound connections to port 80 on any External host, not just 100.100.0.100.

19) Current exceptions should have this entry:

20) Open a new browser tab and go to 100.100.0.100 again. If this page came up you successfully allowed HTTP traffic from the Enterprise network to External.

21) Return to Enterprise desktop > Scripts > Traffic > Double click http.sh > Run in Terminal

22) Your output should now look like this. This means the HTTP packets successfully reached their destination at 100.100.0.100

23) (50 Points) On your own you will now create 7 more rules on Firewall to allow the following protocols to reach the External network. Use the scripts in the traffic folder to test each rule.

a. DNS

b. FTP

c. HTTPS

d. POP3

e. RDP

f. SMTP

g. Telnet

24) There are services hosted on the Enterprise network that require access from the External network. Your Enterprise has a single public IP address, 100.100.0.1. By default, Firewall blocks all incoming traffic on its public-facing (Red) interface. You will configure port forwarding (destination NAT) so that traffic arriving at 100.100.0.1 on specific ports is passed to specific hosts on the Enterprise network, while traffic on all other ports is still denied.

25) From the Virtual Machine screen, double click the console for External. Use root/aspring2013 credentials to logon to External. (Note: From the Jumpbox you can also remote to External. Double click VNC Viewer. Enter remote host address 10.5.14.11 > Click Connect and use aspring2013 as the password. But the console login gives you more “real estate,” and should be preferred.)

26) This is External (Kali Linux)

27) Double click the Web Browser on the desktop

28) In the browser bar type infa620.umuc.com > enter. The browser should not be able to display the webpage

29) Return to the External Desktop and open the Scripts folder > Traffic folder > HTTP.sh

30) Select Run in Terminal

31) Your output should look like this. Firewall is blocking traffic on port 80

32) Get back to the Firewall GUI in the Enterprise (You may need to re-authenticate using root/aspring2013):

33) Select Networking > Incoming

34) Enter Port: 80 and Destination IP: 192.168.1.20 > Comment: Allow Traffic on Port 80 to Webserver > Leave Enabled Checkbox Checked > Click Add

Comment by Chris J. Wade: It was not clear which was the source and which was the destination. SRC ports are required and DST ports can be any.

35) Your current rule should look like this:

36) On External open the web browser and go to web address: infa620.umuc.com

If you see this page you have successfully allowed External traffic access to your Enterprise webserver.

37) On External desktop click Scripts > Traffic > http.sh > Run in Terminal

Your output should look like this:

This means that 5 packets successfully reached the webserver on the Enterprise network through Firewall.

38) (50 Points) On your own you will now create 7 more port forwarding rules on Firewall to allow the following protocols to reach the proper address on the Internal network.

a. FTP – 192.168.1.30

b. DNS – 192.168.1.10

c. HTTPS – 192.168.1.20

d. POP3 – 192.168.1.30

e. RDP – 192.168.1.10

f. SMTP – 192.168.1.30

g. Telnet – 192.168.1.10

Use the scripts in the Traffic folder to test the functionality of each rule. For example, use the FTP.sh script (on External Desktop > Scripts > Traffic > FTP.sh) to test the FTP setup.
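The policy built through the GUI in Steps 7, 18, 23, 34 and 38, expressed directly as iptables rules. This is an added example and not code from the lab manual or from Smoothwall itself; the addresses, protocols and internal hosts are the lab's, while the interface names eth0 (Green) and eth1 (Red), the service-to-port table and the output file name lab4-rules.v4 are assumptions. The script writes an iptables-restore file rather than calling iptables, so it can be run and inspected on any machine before loading it on the firewall.

```shell
#!/bin/sh
# Added example (not from the lab manual or Smoothwall): generate the
# iptables-restore rule set equivalent to the lab's Smoothwall policy.
set -eu

GREEN=eth0            # assumed name of Smoothwall's Green (Enterprise) interface
RED=eth1              # assumed name of Smoothwall's Red (External) interface
PUBLIC_IP=100.100.0.1 # the Enterprise's single public address (Step 24)

# Step 23: outgoing exceptions (HTTP from Step 18 included).
EGRESS='HTTP DNS FTP HTTPS POP3 RDP SMTP TELNET'
# Step 38: port forwards as SERVICE:internal-IP (HTTP from Step 34 included).
PORT_FORWARDS='HTTP:192.168.1.20 FTP:192.168.1.30 DNS:192.168.1.10 HTTPS:192.168.1.20
POP3:192.168.1.30 RDP:192.168.1.10 SMTP:192.168.1.30 TELNET:192.168.1.10'

# Lab protocol name -> "proto/port", one per line (IANA default ports, an
# assumption about what the Traffic scripts send). DNS is served over UDP
# as well as TCP 53, so it yields two entries.
svc_ports() {
    case "$1" in
        HTTP)   echo tcp/80 ;;
        HTTPS)  echo tcp/443 ;;
        FTP)    echo tcp/21 ;;
        SMTP)   echo tcp/25 ;;
        POP3)   echo tcp/110 ;;
        TELNET) echo tcp/23 ;;
        RDP)    echo tcp/3389 ;;
        DNS)    printf 'udp/53\ntcp/53\n' ;;
        *)      echo "svc_ports: unknown service '$1'" >&2; return 1 ;;
    esac
}

# One outgoing exception: GREEN -> RED is default-deny, so only the listed
# destination ports may open new connections to the virtual Internet.
egress_rule() {  # $1 = service name
    ports=$(svc_ports "$1") || return 1
    printf '%s\n' "$ports" | while IFS=/ read -r proto port; do
        printf '%s\n' "-A FORWARD -i $GREEN -o $RED -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Port forward, nat half: rewrite the destination of packets arriving on RED
# for PUBLIC_IP:port to the internal host (destination NAT).
forward_nat_rule() {  # $1 = service name, $2 = internal destination IP
    ports=$(svc_ports "$1") || return 1
    printf '%s\n' "$ports" | while IFS=/ read -r proto port; do
        printf '%s\n' "-A PREROUTING -i $RED -d $PUBLIC_IP -p $proto --dport $port -j DNAT --to-destination $2:$port"
    done
}

# Port forward, filter half: after DNAT the packet still traverses FORWARD,
# which is default-deny, so accept exactly that host and port and nothing else.
forward_filter_rule() {  # $1 = service name, $2 = internal destination IP
    ports=$(svc_ports "$1") || return 1
    printf '%s\n' "$ports" | while IFS=/ read -r proto port; do
        printf '%s\n' "-A FORWARD -i $RED -o $GREEN -d $2 -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Assemble a complete iptables-restore file for the lab topology.
build_ruleset() {
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    for pf in $PORT_FORWARDS; do
        forward_nat_rule "${pf%%:*}" "${pf#*:}"
    done
    # Enterprise hosts share the single public IP when they go out (source NAT).
    printf '%s\n' "-A POSTROUTING -o $RED -j MASQUERADE"
    echo COMMIT
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'   # the firewall's own services are outside this lab
    echo ':FORWARD DROP [0:0]'   # "Blocked with exceptions" (Step 7): default deny
    echo ':OUTPUT ACCEPT [0:0]'
    # Replies to allowed connections, and FTP data channels once nf_conntrack_ftp
    # is loaded, are ESTABLISHED/RELATED and need no per-port rule.
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for svc in $EGRESS; do
        egress_rule "$svc"
    done
    for pf in $PORT_FORWARDS; do
        forward_filter_rule "${pf%%:*}" "${pf#*:}"
    done
    echo COMMIT
}

# Usage: sh lab4.sh --write  (then, on the firewall: iptables-restore < lab4-rules.v4)
if [ "${1:-}" = "--write" ]; then
    build_ruleset > lab4-rules.v4
fi
```

After loading, `iptables -S FORWARD` and `iptables -t nat -S PREROUTING` show the live rules in the same form `iptables-save` exports them, which is the view the Step 40 export gives you. Two practitioner caveats the GUI hides: the FTP exception only works for the data channel if the `nf_conntrack_ftp` module is loaded so that it matches as RELATED, and the Telnet and RDP forwards expose cleartext and remote-desktop logins directly to the virtual Internet, which is fine for the exercise but is exactly the kind of rule a default-deny policy exists to make you think twice about.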

39) Your working firewall is configured, so you will export the firewall configuration to submit as proof of work. Please return to Enterprise Desktop.

40) Scripts > Show iptables Firewall.sh > Run in terminal > Password: > Enter > File > Save Contents

41) Name your file yourLastName_Initial_Firewall_Config.txt (example: Smith_b__Firewall_Config.txt) > Save to Desktop

42) Places > INFA Share

43) Drag your Firewall Config.txt to the INFA Share Folder

44) Return to Jumpbox Desktop > Click INFA Share Folder, your Firewall Config.txt should be in that folder.

45) Open a Windows Explorer on the Jumpbox and locate the C drive on your local machine under “Other”

46) Drill down to C:\Users\yourname\Documents

47) Drag file from INFAShare on Jumpbox to Documents folder on your local machine. The screen below shows a file named, readme. But it should be the Firewall Configuration file, Smith_b__Firewall_Config.txt in our case. Submit this file to your LEO Lab 4 folder.
