
Secure and Monitor your Internet Gateway

PCQ Bureau

An Internet gateway is one of the most important elements on the network, as it lets the users on your network access the Internet through your broadband connection. It is, therefore, critical that this gateway is secure and well managed: users can misuse the bandwidth and choke it up, and the gateway is the one machine that sits on both your LAN and the outside world. In this article, we're going to show you how to set up such a secure and well-managed Internet gateway on PCQLinux 2004, which offers a good combination of monitoring solutions to keep an eye on the bandwidth as well as its usage by all users on the network. We set up PCQLinux 2004 on an ordinary P4 2.8 GHz machine with 512 MB RAM. This configuration is sufficient for a network with up to 50 users. On top of this, we've used the bandwidth-monitoring tools Ntop and Bandwidthd, and Arpwatch to detect ARP-level intrusions.

Direct Hit!
Applies to: CIOs and network administrators
USP: Make your gateways secure and become aware of your users' Net habits
Primary Link: www.ntop.org
Google keywords: ntop, bandwidthd, arpwatch, spoofing, nat
On PCQEssential CD: system\labs\gateway

Out of these, Arpwatch comes pre-installed with PCQLinux 2004, while you have to install the other two. We've given both of them, as well as their dependencies, on this month's PCQEssential CD.

Enabling routing

The first thing you need to do is enable routing between the network interfaces on your machine. We did this using Webmin, which comes pre-installed with PCQLinux 2004. Go to http://127.0.0.1:10000, open the Networking tab and select the 'Network Configuration' button. Here, select 'Routers and Gateways' and first select Yes in front of 'Act as Router?'. Then, in the 'Static Route' option, fill in the details of your external interface. For example, if the device connected to your external interface is eth0 and the address of the external network is 172.16.x.x, the line you will have to enter will be something like this


eth0 172.16.0.0 255.255.0.0 172.16.1.15

If you'd like to have more information about this topic, then watch our feature on how to monitor and troubleshoot your network and Internet gateway on this month's PCQLive CD.

Here the last field is the IP address of the gateway sitting on the external network. Similarly, enter the details of the internal network on the next line. The only difference is that you don't have to provide a gateway address. Another thing you have to do is set up the firewall, which can also be done using Webmin. At a minimum this means enabling masquerading (NAT) on the external interface, so that machines with private LAN addresses can reach the Internet, and blocking new inbound connections from the external interface to the gateway itself, in particular to the management and reporting ports used in this article (Webmin on 10000, Ntop on 3000/3001 and Apache on 80 for Bandwidthd). A machine that forwards packets without such rules is an open router, not a gateway. Once all this is done, restart your network using the following command.


#service network restart
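Webmin's firewall module is a front end for iptables, so here is what the resulting ruleset should amount to, written out as a script. This is an added example and not part of the original article or of PCQLinux; it assumes eth0 is the external interface, eth1 the LAN interface and 192.168.3.0/24 the LAN (change the three variables at the top to match what you entered in Webmin). Run it with the argument show to print the rules, or apply as root to load them.

```shell
#!/bin/sh
# Added example: a minimal iptables ruleset for the gateway described above.
# Assumptions (not from the article): eth0 is the external (broadband)
# interface, eth1 is the LAN interface, and the LAN is 192.168.3.0/24.
# Run with DRY_RUN=1 to print the commands instead of executing them.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.3.0/24}"

# Execute a command, or just print it when DRY_RUN=1 (lets you review the
# ruleset, and lets the script be checked without root privileges).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

gateway_rules() {
    # Routing on, with reverse-path filtering so packets arriving on the wrong
    # interface for their source address are dropped by the kernel itself.
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=1

    # Start from a clean slate: deny by default, allow only what is listed.
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Anything from the outside claiming a LAN source address is spoofed.
    run iptables -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    run iptables -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # Loopback, and replies to connections the gateway or the LAN opened.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Management and report ports (SSH, Apache/bandwidthd, Ntop http and
    # https, Webmin) are reachable from the LAN only; nothing on the WAN
    # side may open a connection to the gateway itself.
    for port in 22 80 3000 3001 10000; do
        run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$port" -j ACCEPT
    done

    # LAN hosts may go out to the Internet, with their addresses rewritten
    # to the gateway's external address (masquerading NAT).
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Usage: "sh gateway-fw.sh show" prints the ruleset; "sh gateway-fw.sh apply"
# loads it (as root). With no argument nothing happens, so the functions can
# be sourced from another script.
case "${1:-}" in
    show)  DRY_RUN=1; gateway_rules ;;
    apply) gateway_rules ;;
esac
```

The script deliberately has no rule accepting new connections on the external interface: all the outside world can do to this box is reply to connections the LAN opened. If the gateway also serves the LAN (DNS, DHCP), add INPUT rules for those ports on eth1 in the same way as for the management ports.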

Monitoring

To monitor the network, install two software packages, Bandwidthd and Ntop, on the gateway itself. For smaller networks this is a better bet than setting up a separate monitoring server, as it avoids the extra traffic that mirroring or polling would otherwise generate. Let's now see how to install and configure this software.

Setting up Ntop

This is one of the most popular open-source network-monitoring tools, and it is very easy to install. First of all, copy the ntop.tar.gz file from this month's PCQEssential CD on to your hard disk.


Then login as root and create a new user called ntop. Ntop should run as this unprivileged user rather than as root once it has opened the capture interface. All this can be done using the following commands.

#cp ntop.tar.gz /
#su root (provide the password when asked)
#adduser ntop
#passwd ntop

Ntop gives detailed reports on the usage of your Internet bandwidth. Here you can see one such report


After the user has been created, open the Ntop source tarball and install it as follows.

#tar -zxvf ntop.tar.gz
#cd ntop
#./configure
#make
#make install

That's it. Ntop is installed and ready to run. To start Ntop, just run the following command.


#ntop -u ntop -i ethx -w 3000

Here the '-i' switch defines the interface on which you want to start monitoring, and the '-w' switch defines the port on which the Ntop Web interface listens. The default is 3000, so this is what you get if you leave out the -w switch altogether, and the address to access Ntop from a Web browser will be http://127.0.0.1:3000. The '-u' switch makes Ntop drop root privileges and run as the ntop user created above. You can also run Ntop over https (secure http) by using the -W switch (note the capital letter).

For example, if you want Ntop's plain http interface reachable only on the localhost, and its https interface on a second address (192.168.3.11 in our setup, which lies on the 192.168.3.0 network used as the internal network later in this article), the command will be something like this.

#ntop -u ntop -i eth0 -w 127.0.0.1:3000 -W 192.168.3.11:3001

Ntop's reports reveal which hosts talk to whom and over what protocols, so do not bind either interface to the external address: keep it on the localhost or the LAN address, and let the firewall block the ports from outside.

Using Ntop is also very easy. The interface is pretty much self-explanatory, so even with only a little knowledge of networking you can comfortably interpret all the reports generated by Ntop.

Setting up bandwidthd

This tool reveals the amount of bandwidth used by each user connected to your network, and thus helps you keep track of bandwidth usage per user. Installing it is also pretty simple, provided you solve the dependency problems beforehand. Bandwidthd has two main dependencies: gd and libpng.

Use webmin to enable your gateway to act as a router, and then specify the IP addresses of all interfaces

We have given out the exact version of the dependencies you will need, on this month's PCQEssential CD. Copy all of them to your hard drive and start installing. 

First of all, install gd with the following commands. Note that gd links against libpng for its PNG output, so if libpng is not already on the system, install the rpm from the next step before running gd's configure, or gd will be built without PNG support.

#cp gd-2.0.33.tar.gz /
#tar -zxvf gd-2.0.33.tar.gz
#cd gd-2.0.33
#./configure
#make && make install


Then install libpng using the rpm that we have provided on the CD. Issue the following commands to install.

#cp libpng-1.2.5-7.i386.rpm /
#rpm -ivh libpng-1.2.5-7.i386.rpm

This would solve all your dependencies. Now copy the bandwidthd tar ball and install it like this.

#cp bandwidthd-2.0.1.tar /
#mv bandwidthd-2.0.1.tar bandwidthd-2.0.1.tar.gz (the copy from the CD has no .gz suffix, but it is gzipped)
#tar -zxvf bandwidthd-2.0.1.tar.gz
#cd bandwidthd-2.0.1
#./configure
#make && make install



Running the above commands will install bandwidthd, but some configuration is still needed. First create a virtual host in your Apache server for it. For this, open Webmin and go to Servers>Apache. You can either create a new virtual host or, if you don't have any Web server running on the default host, just enter your default host's settings (at the bottom of the Webmin screen), change the document path to '/usr/local/bandwidthd/htdocs' and restart your Apache server. Like the Ntop reports, these pages show who on your network is talking to whom, so make sure this virtual host is reachable from the LAN only. After this you have to tell bandwidthd which network to watch. Open the file '/usr/local/bandwidthd/etc/bandwidthd.conf' and search for the 'subnets' directive. In front of it enter your network address and mask length. For example, if you want bandwidthd to keep an eye on a class C network with the network address 192.168.3.0, the line is

subnets 192.168.3.0/24

(a class C network is a /24; a /16 here would cover the whole of 192.168.0.0-192.168.255.255).

This tool gives you a quick overview of all the bandwidth hoggers on your network

The IDS will send you e-mail alerts every time it detects a network intrusion

You also have to configure the device through which you want to watch. For this, find the 'dev' variable and in front of it write the device name, such as eth0 for the first LAN interface. Use the internal interface here: on the external one, everything has already been NATed to the gateway's single address, so you would see no per-user breakdown. But there is a slight problem with bandwidthd. When you restart the machine, or just restart bandwidthd, by default all previous logs are flushed and it starts monitoring from scratch. To avoid this, look for the variables 'output_cdf' and 'recover_cdf' in the same file and change their default values from 'false' to 'true'. Bandwidthd will then save its logs under htdocs/log.cdf and read them back on the next start. Save and exit the file, and start bandwidthd with the following command.

#/usr/local/bandwidthd/bandwidthd

You can now access your bandwidthd reports at http://127.0.0.1

Setting up the IDS

We are not going to build a full IDS here; instead we will use something very small in footprint and shipped with practically every Linux distribution, called Arpwatch. It is a small daemon that watches the ARP traffic on an interface and sends e-mail alerts whenever something changes: a new station appears on the network, or an IP address suddenly answers from a different Ethernet (MAC) address and then flips back again, the so-called flip flop. The latter is what ARP spoofing or cache poisoning looks like on the wire, because the attacker's forged replies and the real host's replies take turns overwriting each other in everybody's ARP caches. So by using this you have an eye on each and every ARP incident happening on your network. To run it, issue the following command:

#arpwatch -i eth1 -e email@domain.com

Here -i selects the interface to watch (use the internal one, eth1 in this example, assuming that is your LAN interface, since ARP spoofing happens on your LAN) and -e is the e-mail ID to which the alerts are sent. But here you may face some problems. Since the machine running Arpwatch will usually be a standard box without a properly configured Internet mail server, most of the mail servers you send the alerts to may classify them as spam and put them in the bulk folder, or drop them outright. We tried sending the Arpwatch alerts to our own mail server, which didn't even let them into our mailbox. Yahoo sent the mail to the Bulk folder. Only Rediff delivered it without any problem. The usual fix is to have the gateway's local mail system relay through your own mail server, with a sender address in your own domain, rather than deliver the alerts directly.

If you want to go further, you can configure the SMS alerts available with most free mail services today (such as Yahoo and Rediff) and get the alerts on your cellphone instantly as SMSes. But remember that these messages will cost you Re 1 per message, and Arpwatch is capable of sending quite a few messages a day, depending on how your network is used. One more thing to note is that when you run it for the first time it will discover all the PCs and send you an e-mail for each discovery. So remember not to activate your SMS alert at this time, or you will end up shelling out a large amount of money unnecessarily.
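To see what Arpwatch's 'new station', 'changed ethernet address' and 'flip flop' alerts actually mean, here is the bookkeeping behind them as a small shell/awk filter run over a constructed sample of ARP replies. This is an added example, not Arpwatch's own code and not part of the original article; the input format (epoch, IP and MAC per line), the function names and the addresses in the sample are assumptions made for the example.

```shell
#!/bin/sh
# Added example: the bookkeeping behind Arpwatch's alerts, as a shell/awk
# filter. Not Arpwatch's own code. Input lines are "<epoch> <ip> <mac>", one
# per ARP reply seen on the LAN (the constructed sample below stands in for a
# capture). Output is one event per line, in Arpwatch's own vocabulary:
#   new station              - first time this IP has been seen
#   changed ethernet address - the IP now answers from a MAC never seen for it
#   flip flop                - the IP went back to the MAC it had before
# A "changed ethernet address" followed within seconds by a "flip flop" is
# the classic signature of ARP spoofing: the attacker's forged reply
# overwrites the real host's entry, then the real host's reply restores it.

arp_events() {
    awk '
    {
        ip = $2
        mac = tolower($3)
        if (!(ip in cur)) {
            cur[ip] = mac
            printf "new station %s %s\n", ip, mac
            next
        }
        if (cur[ip] == mac) next          # same MAC as last time, nothing to say
        if ((ip in prev) && prev[ip] == mac)
            printf "flip flop %s %s -> %s\n", ip, cur[ip], mac
        else
            printf "changed ethernet address %s %s -> %s\n", ip, cur[ip], mac
        prev[ip] = cur[ip]
        cur[ip] = mac
    }'
}

# Constructed sample: 192.168.3.1 (the gateway) is briefly claimed by
# 00:50:56:de:ad:99 and then reverts, which is what an ARP spoofing tool
# run from a LAN host looks like to the watcher.
SAMPLE_ARP='1088668800 192.168.3.1 00:0c:29:aa:bb:01
1088668801 192.168.3.11 00:0c:29:aa:bb:02
1088668900 192.168.3.1 00:0c:29:aa:bb:01
1088668901 192.168.3.1 00:50:56:DE:AD:99
1088668903 192.168.3.1 00:0c:29:aa:bb:01
1088668910 192.168.3.12 00:0c:29:aa:bb:03'

# Run the sample through the filter; returns the event lines.
arp_demo() {
    printf '%s\n' "$SAMPLE_ARP" | arp_events
}

# Usage: arp_demo, or feed real data from a file of "epoch ip mac" lines:
#   arp_events < arp.log
```

The sample produces five events: three 'new station' lines (one per host, which is the flood of mails you get on Arpwatch's first run), then a 'changed ethernet address' for 192.168.3.1 followed two seconds later by a 'flip flop' back to the original MAC. On a real network a single change can also be a legitimate NIC swap or a DHCP reassignment; it is the rapid alternation that points to spoofing.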

Anindya Roy
