October 11, 2003



IPCop is a free Linux distribution which, once installed on a dedicated machine, gives you an up-and-running firewall. It can be used not only to protect your internal (private) network from the external one (the Internet) but also to set up a DMZ (DeMilitarized Zone) where you can host, say, Web and FTP servers. These machines will be reachable from the Internet and can be given limited access to services such as a database server on the internal network. What's more, IPCop also bundles an IDS (Intrusion Detection System), which logs possible intrusions or attacks against your internal network or the firewall machine itself. 

In this article we set up IPCop on the network shown in the diagram. The machine running IPCop essentially has two network interfaces (network cards): one connecting to the internal network and the other connecting to the external network. With IPCop, we can set up an optional third interface, which connects to the DMZ network. In IPCop's lingo, the interface connecting to the internal network is called the GREEN interface, and the ones connecting to the external and DMZ networks are called the RED and ORANGE interfaces respectively. 

From the network diagram, the following points must be noted:

  • Internal/private network is on 172.16.0.0 network
  • The DMZ is on the network 192.168.3.0
  • The external network is on 192.168.1.0
  • The machine running IPCop has three network cards. Two of them connect to a hub/switch in the internal and DMZ networks, while the third network card connects via a router to the external network 
  • The DMZ hosts a Web server and an FTP server
  • The internal network, amongst other machines, hosts a database server

Note: We are treating 192.168.1.0 as the external network or the Internet, so that we could test out the access control and intrusions easily within our test labs. In your case the router may be connected to the Internet instead of 192.168.1.0 network.

Besides restricting access, we have some specific requirements in our setup. We want the Web and the FTP server to be accessible from the external network without any compromise on the security of the internal network. Secondly, the Web server needs to connect to a database sitting in the internal network. This should again happen without compromising internal network security. 

The latter may be required if, for example, you are running an e-commerce website on the Web server sitting at 192.168.3.2.

You may like the Web site to store the orders in a database which is readily accessible to your employees sitting in the internal network, so that they can process the orders. 

As is apparent, the firewall machine, which is connected directly to the external network, may become the target of an attack. If the firewall machine is compromised, an attacker may be able to sniff sensitive data flowing across your network, for example the order information keyed into the e-commerce website. The makers of IPCop claim the distribution is fairly secure, with all unwanted and vulnerable services shut off by default. But in the world of computer security, prevention may not always be better than cure, and for the cure you must know the disease. This is where an IDS comes to the rescue. An IDS logs all attempts made to break into the system, so that you can audit them, identify potential hazards and patch up your system. 

To sum up, in this article we configure IPCop to achieve the following:

  • Protect internal network from external 
  • Allow access to the servers in the DMZ from the external network
  • Allow the Web server in the DMZ to connect to the MySQL (say) database server running on the machine 172.16.0.2 in the internal network
  • Set up an IDS on the firewall

But first, let us install the IPCop distribution that we have given out on this month's PCQuest Essential CD. 

Installation
You can find the ISO image of the IPCop distribution in the Linux directory under the Unlimited OS section. Burn the image onto a blank CD-R. For this you can use KonCD in Linux (refer to the article Writing CDs with KonCD, page 92 in the August 2003 PCQuest magazine), ISOCDRecorder (http://isorecorder.alexfeinman.com/isorecorder.htm) in Win XP, or your preferred CD writing application. 

Note that IPCop installs on the entire hard disk, so any existing data on the disk will be lost. Boot the machine designated to run IPCop from the IPCop CD and follow the onscreen instructions. 

When prompted to enter the IP address for the GREEN interface, type in 172.16.0.1. For the time zone select Asia/Calcutta. In the ISDN configuration menu, click on Disable ISDN. In this article we assume that you will be connecting to the external network through a preconfigured router. However, IPCop can also connect to an external network using a dial-up modem or ISDN; refer to the IPCop documentation at http://www.ipcop.org/cgi-bin/twiki/view/IPCop/IPCopDocumentationv01. 

In the Network configuration menu, first select Network configuration type. Select GREEN+ORANGE+RED in the subsequent screen. Next, select Drivers and card assignments in the Network configuration menu. The subsequent screen should show that one of the network cards has been assigned to the GREEN interface while the cards for the other interfaces are still UNKNOWN. Click OK to change the settings. 

The following screens will show you the unclaimed network cards, that is, network cards which haven't been assigned to any interface. Follow the onscreen instructions and assign the remaining two network cards to the ORANGE and RED interfaces. 

Next, in the Network configuration menu select Address settings. Select ORANGE interface in the subsequent screen and key in 192.168.3.1 for the IP address. 

Next, select the RED interface. In the subsequent screen, select Static. We have opted for Static because, as per our setup, the RED or external interface of the IPCop machine has a static IP address, namely 192.168.2.1. Type in this IP address in the text field on the Red Interface screen. As said above, IPCop can also be set up for dial-up, in which case the IP address of the external interface may be dynamic. 

On the Network configuration menu, select DNS and Gateway settings. For the primary and secondary DNS, enter the IP addresses of DNS servers that can resolve names on the external network. If the external network is the Internet, the IP addresses of the DNS servers will be provided by your ISP (Internet Service Provider). For the Default gateway, type in 192.168.2.2, the IP address of the internal interface of the router. 

Finally, click on Done in the Network configuration menu. IPCop can also act as a DHCP server and hand out dynamic IPs to the machines on your internal network. If you want to enable it, mark Enabled on the DHCP server configuration screen and type in the Start and End addresses, say 172.16.0.2 and 172.16.0.254 as per our setup. For this article we did not use the DHCP service and assigned static IPs to the machines in the internal network. The subsequent screen will prompt you to assign passwords for the root, setup and admin users. Then you will be prompted for a reboot. After the reboot, your firewall should be up and running. Set up the hubs, switches and the router, and connect the IPCop machine's interfaces as shown in the diagram. 

Configure IPCop
The default installation of IPCop already protects the internal network. Under the hood, the IPCop distribution uses the popular Netfilter (iptables) firewall package for Linux. If you want to manipulate the predefined rules, you can log in to the IPCop Linux machine using the root account and edit the rules with iptables commands. A discussion of iptables and its commands is beyond the scope of this article; refer to http://www.netfilter.org/ for that. Everything in this article is done through IPCop's browser-based interface. Launch a web browser on one of the machines in the internal network and key in one of the following URLs:
http://172.16.0.1:81 or https://172.16.0.1:445 (for a secure SSL-based connection).

Allow access to server at DMZ
One obvious way to allow access to the servers in the DMZ is to relax the firewall rules through iptables commands. An easier method (through IPCop) is port forwarding. Port forwarding is a setup wherein requests arriving at a machine on a specific port are mapped to a port on some other machine. We will use this feature to map requests arriving at 192.168.2.1 on port 80 to 192.168.3.2 on port 80. Launch IPCop's browser interface as explained above and click on Services.

In the authentication box that pops up, enter Admin and the corresponding password that you specified during the installation.

Click on Port forwarding and then type in the following:

Source Port: 80
Destination IP: 192.168.3.2
Destination Port: 80
Remark: Access to web server in DMZ

Click on Add. Similarly, you can add port forwarding for other services by changing the destination IP and the source and destination ports as appropriate for the service. Install or start a Web server on the 192.168.3.2 machine and you should be able to access the web pages hosted on it from the external network. 

Database access from DMZ
Suppose the MySQL database is running on the machine 172.16.0.2 at port 3306 (the default port of MySQL). Using IPCop we can specifically allow the machine in the DMZ to connect to the MySQL server at port 3306. On the browser-based interface of IPCop click on Services>dmz pinholes. Enter the following:

Source IP: 192.168.3.2
Destination IP: 172.16.0.2
Destination Port: 3306

Click on Add. Henceforth, a web site running on 192.168.3.2 can connect to and update the database residing at 172.16.0.2 through a server-side script in PHP, ASP or JSP. 
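The two web-interface entries above (the port forward for the Web server and the DMZ pinhole for MySQL) are the only two paths the article opens into the firewall. The following is an added example, not code from the article or from the IPCop project: a small Python model of the resulting three-zone policy, with constructed test packets, so you can check what each zone may reach before trusting the live configuration. The network masks (/16 for 172.16.0.0, /24 for 192.168.3.0), the interface names and the assumption that ORANGE may reach RED are not stated in the article and are assumptions of this example; the iptables rules it prints are a plain Netfilter equivalent, not IPCop's own chain layout.

```python
import ipaddress
from dataclasses import dataclass

# Zones from the article's diagram. The article gives the networks without
# masks; /16 for 172.16.0.0 and /24 for 192.168.3.0 are assumptions here.
GREEN = ipaddress.ip_network("172.16.0.0/16")
ORANGE = ipaddress.ip_network("192.168.3.0/24")
RED_IF = ipaddress.ip_address("192.168.2.1")   # IPCop's RED (external) address

# Services > Port forwarding entries: (port on RED interface, DMZ host, port on DMZ host)
PORT_FORWARDS = [(80, "192.168.3.2", 80)]
# Services > dmz pinholes entries: (DMZ host, internal host, port)
PINHOLES = [("192.168.3.2", "172.16.0.2", 3306)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def zone(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if addr in GREEN:
        return "GREEN"
    if addr in ORANGE:
        return "ORANGE"
    return "RED"        # anything else is treated as coming from the outside


def route(pkt: Packet):
    """Return (verdict, final destination) for a new TCP connection."""
    src_zone, dst_zone = zone(pkt.src), zone(pkt.dst)

    if src_zone == "GREEN":
        # Internal hosts may reach the DMZ and the outside (IPCop's default).
        return ("ACCEPT", f"{pkt.dst}:{pkt.dport}")

    if src_zone == "RED":
        # Only traffic aimed at the RED interface on a forwarded port gets in,
        # and it is translated (DNAT) to the DMZ host. Nothing else from the
        # outside reaches GREEN or ORANGE.
        if ipaddress.ip_address(pkt.dst) == RED_IF:
            for red_port, dmz_host, dmz_port in PORT_FORWARDS:
                if pkt.dport == red_port:
                    return ("ACCEPT", f"{dmz_host}:{dmz_port}")
        return ("DROP", None)

    # src_zone == "ORANGE"
    if dst_zone == "GREEN":
        # DMZ -> internal network only through an explicit pinhole, and only
        # for the exact (source host, destination host, port) triple.
        for dmz_host, green_host, port in PINHOLES:
            if (pkt.src, pkt.dst, pkt.dport) == (dmz_host, green_host, port):
                return ("ACCEPT", f"{pkt.dst}:{pkt.dport}")
        return ("DROP", None)
    # DMZ -> outside is allowed (assumption for this example).
    return ("ACCEPT", f"{pkt.dst}:{pkt.dport}")


def iptables_rules(red_if="eth0", orange_if="eth1"):
    """Plain Netfilter equivalent of the two web-interface entries.
    Interface names are assumptions; IPCop's own chains are laid out differently."""
    rules = []
    for red_port, dmz_host, dmz_port in PORT_FORWARDS:
        rules.append(f"iptables -t nat -A PREROUTING -i {red_if} -p tcp --dport {red_port} "
                     f"-j DNAT --to-destination {dmz_host}:{dmz_port}")
        rules.append(f"iptables -A FORWARD -i {red_if} -p tcp -d {dmz_host} "
                     f"--dport {dmz_port} -j ACCEPT")
    for dmz_host, green_host, port in PINHOLES:
        rules.append(f"iptables -A FORWARD -i {orange_if} -p tcp -s {dmz_host} "
                     f"-d {green_host} --dport {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    # Constructed test packets: outside -> Web server, outside -> MySQL directly,
    # DMZ -> MySQL through the pinhole, another DMZ host trying the same.
    for p in (Packet("192.168.1.50", "192.168.2.1", 80),
              Packet("192.168.1.50", "172.16.0.2", 3306),
              Packet("192.168.3.2", "172.16.0.2", 3306),
              Packet("192.168.3.3", "172.16.0.2", 3306)):
        print(p, "->", route(p))
    print("\n".join(iptables_rules()))
```

The point worth checking with such a model is the pinhole's scope: only 192.168.3.2 may reach 172.16.0.2, and only on port 3306. If the Web server in the DMZ is compromised, that single port is the whole of its reach into the internal network, which is why the database account it uses should itself be limited to the tables the site needs.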

Log intrusions
IPCop provides intrusion detection through the open source intrusion detection system Snort. By default, the IDS is not enabled. To enable it, click on System>intrusion detection system, check the option Snort and click on Save.

Once the IDS is enabled, intrusion attempts are logged and can be viewed through the browser-based interface by clicking on Logs>intrusion detection system. 

To follow an ongoing intrusion, you will have to refresh the Logs>intrusion detection system page by clicking the Refresh button in the browser. 
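Reading the IDS page alert by alert gets tedious once Snort is busy, so the usual next step is to summarise the log offline. The following is an added example, not part of the article or of IPCop: a Python parser for Snort's "fast" alert line layout that counts alerts per source, per rule and per priority, lists the noisiest sources, and pulls out any alert where a DMZ host talks to the internal network (the MySQL pinhole is the only such path the article opens, so anything else there deserves a look). The sample lines are constructed for this example; the signature ids are in the local-rule range and the messages, addresses and timestamps are made up.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the layout of Snort's "fast" alert format.
# Signature ids >= 1000000 are the local-rule range; nothing here is a real
# Snort rule, and the addresses follow the article's diagram.
SAMPLE_ALERTS = """\
10/11-14:02:11.123456 [**] [1:1000001:1] LOCAL web server probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:40001 -> 192.168.2.1:80
10/11-14:02:12.223456 [**] [1:1000001:1] LOCAL web server probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:40002 -> 192.168.2.1:80
10/11-14:02:13.323456 [**] [1:1000002:1] LOCAL port scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:40003 -> 192.168.2.1:22
10/11-14:05:40.000001 [**] [1:1000003:1] LOCAL db port from DMZ [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.3.2:51000 -> 172.16.0.2:3306
10/11-14:07:02.500000 [**] [1:1000004:1] LOCAL icmp sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.77 -> 192.168.2.1
this line is deliberately malformed and must be skipped
"""

# timestamp [**] [gid:sid:rev] message [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

GREEN = ipaddress.ip_network("172.16.0.0/16")    # mask assumed, as in the article's diagram
ORANGE = ipaddress.ip_network("192.168.3.0/24")


def parse_alerts(text):
    """Parse fast-format alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["prio"] = int(rec["prio"])   # Snort priority 1 is the most severe
        alerts.append(rec)
    return alerts


def summarize(alerts):
    """The counts a reviewer wants first: who is generating alerts, which rules
    fire, and how severe they are."""
    return {
        "total": len(alerts),
        "by_source": dict(Counter(a["src"] for a in alerts)),
        "by_message": dict(Counter(a["msg"] for a in alerts)),
        "by_priority": dict(Counter(a["prio"] for a in alerts)),
    }


def noisy_sources(alerts, threshold=3):
    """Source addresses with at least `threshold` alerts, most active first."""
    counts = Counter(a["src"] for a in alerts)
    return [src for src, n in counts.most_common() if n >= threshold]


def dmz_to_internal(alerts):
    """Alerts where a DMZ (ORANGE) host talks to the internal (GREEN) network."""
    return [a for a in alerts
            if ipaddress.ip_address(a["src"]) in ORANGE
            and ipaddress.ip_address(a["dst"]) in GREEN]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    print(summarize(parsed))
    print("noisy sources:", noisy_sources(parsed))
    for a in dmz_to_internal(parsed):
        print("DMZ -> internal:", a["src"], "->", a["dst"], a["dport"], a["msg"])
```

Run it against a saved copy of the IDS log and the `by_source` and `noisy_sources` output tells you where the probing is coming from, while `dmz_to_internal` is the check to watch after opening a pinhole: with the article's configuration it should only ever show 192.168.3.2 reaching 172.16.0.2 on 3306.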

Besides the above-mentioned features, IPCop also includes a proxy server and can be set up for VPN connections. Through the System>Updates page, you can keep your IPCop installation updated and patched against vulnerabilities over the Internet. For more information refer to the site www.ipcop.org.

Shekhar Govindarajan
