Advertisment

Open Source Apps: Using ClearOS to secure your network gateway

author-image
PCQ Bureau
New Update

There are several approaches one can take to secure your corporate network from external threats; one way is to have one in all gateway server (or UTM) that can scan data at the point of entry/exit. Now even if you have decided about the UTM, the next obvious question that would strike you is-- how much money can you spend? And can you find out tried and tested open source solutions with features comparable to any paid solution. When we thought on these lines we came up with ClearOS, a gateway level server that has almost every feature one can think of and comes in different flavors, and most importantly the basic package is freely downloadable. To download latest version of this gateway software, simply visit www.clearfoundation.com and go to the download section, that can be located at 'software>ClearOS Download Center'. The size of the ISO is around 700 MB. Once downloaded, burn this ISO to CD and you are ready with software installation.

Advertisment

Test setup

As the name suggests ClearOS is a gateway server and the fact we are focusing on security features we should place this server at the point of entry/exit. In our sample setup we used AMD Phenome machine with 4 GB of RAM and 1 TB of HDD and most importantly with two network cards. We connected this machine directly to our router via first network card. Next we connected our machine with ClearOS to a switch and finally connected all test machines to the switch.

Installation

Advertisment

For installation simply boot machine with ClearOS ISO and fill in a few details and you are done. During installation here are few important steps where user input is required. The first important window that might baffle you is 'System Mode' where you have option to select either 'Gateway' or 'Standalone'. Here the gateway mode is the one that would need two network cards; the system in this mode would act as firewall and server on local network. On the other hand, in a standalone mode, system would act as a server on local network. In this test setup, as we are looking into security aspect we have used the gateway mode. After this screen, there are few screens that would ask you simple network configurations, if name sever is missing you can keep that field blank and move ahead.



Advertisment

Next window would ask you about LAN IP; this is the address of the LAN side of the gateway server. Enter whatever subnet you need (192.168.1.1 in our case). Once network configurations have been checked you are asked to enter a root password. We have used default partitioning for this setup. ClearOS comes as a modular package and by default only 'Graphical Console' is selected for installation. Select relevant options from the software modules window that you wish to install. Once you are done with it installation would start. As soon as installation is over there is a login screen which would start a wizard that would require you to input few details including organization details, time zone, domain name etc.

Alternatively just open browser on any LAN side machine and point it to https://192.168.1.1:81, you have to manually change IP address of this machine to correct subnet (for first time). ClearOS also allow you to automate these steps by acting as DHCP sever for LAN, just start this service and all LAN machines would automatically configure their network settings.

Advertisment

Last thing you need to do before you start configuring ClearOS is to register it with ClearCenter. Simply click on red link on the page or click on 'ClearCenter>Register System'. This would ask you to enter login details which in turn can be obtained by creating a new account.

Network settings

To simplify network configuration, there need to be two types of links, one facing WAN (denoted by External) which ideally should be static and other LAN facing link connected to switch. Now to start DHCP services as mentioned above click on 'Network>DHCP Server' and click on start service, you have to restart your gateway server once to start DHCP services. One can restart machine from browser itself by clicking on 'System>Settings>Shutdown-Restart'.

Advertisment

Enabling web proxy and content filtering

To start web proxy in ClearOS click on 'Gateway>Web Proxy' and then click on 'Start' and 'To Auto' button, from this window you can also make changes regarding cache size, maximum downloadable file size, etc..To test this feature we changed 'Maximum Download File Size' to 5 MB and enabled transparent mode and content filter. We also started content filtering services by clicking on 'Gateway>Content Filtering' and again click on 'Start' and 'To Auto' button. To test if these settings really work we tried to find out an alternative web proxy, which has become a favorite way of bypassing firewall to access blocked content, then we tried to download a file sized more than 5 MB. In both cases ClearOS behaved as expected and blocked access.

Advertisment

Time based access control

One can also impose time based access to Internet, to configure this just go to 'Gateway>Access Control' and define a time period within which you want your users to access Internet. Click on 'Add/Edit Time Period' tab and define days and time, then give name to this scheme ('office' in our case).

Next step is to click 'Add/Edit Access Control' tab and define a rule, for testing purpose we created a rule that allowed access within a time period of a particular IP, when we tried to access Internet from that machine outside the given time limit we were not allowed access.

Antimalware and Intrusion detection settings

Even in basic package one gets a fair bit of protection, click on 'Gateway>Antimalware' and configure your Antivirus and Antiphishing rules. And for intrusion detection and prevention go to 'Gateway> Intrusion Detection', intrusion detection is done using 1500 detection rules while one can exempt defined IP's from detection list all this is done automatically. ClearOS uses open source ClamAV solution as antivirus and antiphishing engine that updates regularly for new virus signatures all this is free of cost. Finally one can also define download and upload speed using this package, click on 'Gateway>Bandwidth' and define upload/download speeds.

Advertisment