

Global Open Versity, Vancouver Canada Secure Network Defense for SMB using IPCop Firewall v1.4

© April 2007, Kefa Rabah, Global Open Versity, Vancouver Canada www.globalopenversity.org ICT202 - Linux Enterprise Infrastructure Engineering Diploma

1

Global Open Versity IT Security & Network Defense Hands-on Labs Training Manual

Deploy Secure Network Defense for Small Enterprises using IPCop Firewall

Kefa Rabah

Global Open Versity, Vancouver Canada [email protected]

www.globalopenversity.org

Table of Contents (Page No.)

DEPLOY SECURE NETWORK DEFENSE SOLUTION FOR SMALL ENTERPRISE USING IPCOP FIREWALL ... 3
1.0 Introduction ... 3
2.0 Historical Overview of IT Network Security ... 4
2.1 A Case for Multi-Layered Enterprise IT Security Network Defense ... 4
Network Diagram Configuration ... 6
Part 1: Install & Configure IPCop Firewall ... 8
Step 1: Install IPCop Firewall ... 8
Step 2: Test your Firewall Security from Outside your Private Network ... 25
Part 2: Install Internal PC (Virtual Machine 2) for Remote Administration of IPCop ... 26
Part 3: Testing IPCop Security using NMAP ... 29
Part 4: Installing Add-Ons to Extend IPCop Capability ... 31
Step 1: Install & Configure URL Filter Add-on on IPCop ... 31
Step 2: Enable the Web Proxy ... 31
Step 3: Configure URL Filter ... 33
Step 4: Extending IPCop with Copfilter Add-on ... 36
Part 5: Checking IPCop Memory Usage ... 42
Part 6: Enable Intrusion Detection System (IDS) Monitoring on IPCop ... 43
Part 7: Install Zerina's OpenVPN Package for IPCop ... 44
Step 1: Install Zerina OpenVPN ... 44
Part 8: Troubleshooting Problem with Intrusion Detection (Snort) on IPCop Firewall 1.4.21 ... 49
Part 9: Different IT Security Vulnerability Scanning and Testing Techniques ... 50
Step 1: Network Penetration Testing Methods ... 51
Step 2: Information Systems Security Assessment Framework (ISSAF) ... 52
Step 3: IT Risk & Vulnerability Testing Tools ... 52
1. Metasploit Framework ... 52
2. Nessus ... 52


Part 10: Need More Training on Linux ... 53
Part 11: Hands-on Lab Assignments ... 53

© A GOV Open Access Technical Academic Publications License. Enhancing education & empowering people worldwide through eLearning in the 21st Century.


Global Open Versity IT Security & Network Defense Hands-on Labs Training Manual

Deploy Secure Network Defense Solution for Small Enterprise

using IPCop Firewall

By Kefa Rabah, [email protected], Jan 20, 2010, SerengetiSys Labs

Project: Deploy a secure network defense solution for a small enterprise (SMB) using IPCop firewall with the URLfilter, Copfilter and OpenVPN add-ons.

Today, small and medium sized businesses (SMBs) are the backbone of the global economy, more so in the developed countries and the recently emerging markets. However, with the current global economic meltdown, they are all more inclined to act cautiously: they maintain a stable business and they are not subject to the high demands of investors. Nevertheless, SMBs are affected by the current economic climate even more than larger businesses. This is why we see more and more businesses fall back on consumer products to secure their IT environment in order to reduce costs and maintain ROI; in doing so they lower their level of security. This is a dangerous compromise. However, there are great open source network security solutions out there that, when implemented correctly, can go a long way toward keeping the bad guys off the network resources. In this series of IT Security & Network Defense Hands-on Labs Training, we are going to look at some of the software solutions that can easily be deployed to secure private network resources.

1.0 Introduction

Information security is commonly thought of as a process and not a product. However, standard security implementations usually employ some form of dedicated mechanism to control access privileges and restrict network resources to users who are authorized, identifiable, and traceable. Firewalls have been keeping guard between the private network and the Internet for as long as the Internet itself has existed. Firewalls are one of the core components of a network security implementation. Several vendors market firewall solutions catering to all levels of the marketplace: from home users protecting one PC to data center solutions safeguarding vital enterprise information. Firewalls can be stand-alone hardware solutions, such as firewall appliances by Cisco, Nokia, and Sonicwall. Vendors such as Checkpoint, McAfee, and Symantec have also developed proprietary software firewall solutions for home and business markets. Apart from the differences between hardware and software firewalls, there are also differences in the way firewalls function that separate one solution from another.

In this guide, we'll concentrate only on the SMB type of network configuration, with very limited or no budget to cater for exotic firewall infrastructure. However, with open source Linux based operating systems you have a lot of choices for protection, and for this lab session we are going to use IPCop firewall. The IPCop project is a GNU/GPL project that offers an exceptional, feature packed, stand-alone firewall to the internet community. Its comprehensive web interface, well documented administration guides, and its involved and helpful user/administrative mailing lists make users of any technical capacity feel at home. It goes far beyond the simple ipchains / netfilter implementation available in most Linux distributions and even the firewall feature sets of commercial competitors.

IPCop is a cut-down Linux distribution that is intended to operate as a firewall, and only as a firewall. It has some advanced firewalling features, including VPNs using IPSec. It's a complete firewall solution, taking control of the machine and replacing any other operating system that is installed. Therefore, it is not similar to packages like ipchains or any of the GUI firewall administration tools. It is not an additional security service you would run on your machine; rather, it is a complete operating system and firewall administration kit in a box, to which the user would dedicate a single machine to run as an Internet gateway. And that is the format we're going to follow in this Hands-on training lab.

Today, firewalls have had to undergo a tremendous metamorphosis as a result of evolving threats. IPCop is exemplary in offering such a range of default features and, further, a large set of optional plug-ins which can extend its functionality and security capability, as we will see later in the text. Some of IPCop's impressive base install features include: secure https web-based GUI administration system, SSH server for remote access, TCP/UDP port forwarding, DHCP server, proxying (Squid), DNS proxying, Dynamic DNS, time server, traffic shaping, traffic/systems/firewall/IDS graphing, intrusion detection (Snort), ISDN/ADSL device support and IPSec based VPN support (FreeSWAN) with Control Area and support for Check Point SecuRemote. As if these base features were not astounding enough, there are dozens of add-ons which can further expand the functionality of your IPCop, from web filtering to antivirus scanning.

2.0 Historical Overview of IT Network Security

As attacks on enterprises grow more sophisticated and diverse, companies need to rethink their network defense and entire enterprise risk management strategies. Security, for that matter, is not only about protecting the network, but also the data. That requires a combination of tactics, from securing the network perimeter to encrypting data on mobile and storage devices. Today, many enterprises look at network security as taking a layered approach. As security becomes more complex, businesses increasingly see a need for enterprise security strategies, as well as ways to collate information from the various tools and evaluate their performance. And they are grappling with new issues created by growing mobility and anywhere, anytime access, making the remote users the "new perimeter" frontier rather than the firewall, thus increasing risk to enterprise resources. Therefore, getting the firewall configured correctly to allow road-warriors access to the private network is very critical.

2.1 A Case for Multi-Layered Enterprise IT Security Network Defense

In IT speak, security is a many-layered thing for most IT managers. This is basically because attacks may target network, workstation, server or application vulnerabilities. Blended threats combine multiple attack vectors (Trojan horses, spyware, worms and viruses, for example) in an attempt to outflank an organization's defenses. And over the years, starting from the mid 80s and the birth of PCs, the attack tools have been growing in sophistication while requiring almost no technical skill to use, as depicted in Fig. 2. In response, enterprises erected a series of barriers on the principle that an attack that beats one security measure won't get past the other protections. This approach goes by several names, layered security or defense-in-depth, but the underlying premise is the same, see Fig. 1. The traditional view of layered security places the firewall at the outermost ring of the protection, guarding the corporate network from incursions borne by the public network (the Internet), see Figs. 1 & 2. After the firewall, attention turns to network-based intrusion detection/prevention systems that aim to snuff out attacks that sneak through the firewall. Antivirus software and host-based intrusion detection/prevention systems protect servers and client PCs, providing still another layer.

Fig. 1: Enterprise Security – Defense-In-Depth. Concentric layers, from the outside in: Perimeter Defenses, Network Defenses, Host Defenses, Application Defenses, Data & Resources. Each layer assumes the prior layers fail.

Fig. 2: Typical Secure Internal Network Infrastructure

Firewall: via filter rules (TCP, UDP, & ports) it must be the gateway for all communications between trusted, untrusted and unknown networks (NWs). It is the choke point through which all communication must pass.

Perimeter network (NW) or DMZ: put in place using firewalls & routers on the NW edge, it permits secure communications between the corporate NW and third parties. It includes the DMZ, extranets, & intranets. The perimeter network is the key that enables many mission-critical NW services. It also offers a layer of protection for the internal NW in the event that one of the Internet-accessible servers is compromised.

Bastion Hosts: a bastion host cannot initiate, on its own, a session request back to the private NW. This implies it can only forward packets that have already been requested by clients from the internal private NW. To maintain secure communication and private network protection, bastion hosts should have all appropriate up-to-date service packs (SP), hot fixes, and patches installed. System/network admins must also ensure that logging of all security-related events is enabled and regularly reviewed/analyzed to track both successful and unsuccessful security events.

While emerging classes of tools may fend off attacks at multiple layers, there are pitfalls if the tools are not properly configured, managed or integrated with existing systems. In effect, chief information and security officers have to be jacks of all trades to implement an effective layered security strategy. Overall, a layered security strategy, built around numerous preventive controls, requires good perimeter defenses, i.e., you need to have host- and network-based intrusion detection integrated with other security solutions all the way down to the desktop level, also known as the end-point. Current statistics indicate that a typical enterprise spends more than 5% of its IT budget on security, with expected growth in annual spending pegged at 9%, compared to 4% to 5% for IT overall.

Today, most IT network security strategists prefer to define layers in terms of critical security processes, tasks such as vulnerability management and intrusion prevention. Process-based definitions like these don't commit IT managers to a specific technology approach and also guard against redundant technology. For example, anti-spyware products entered the market a few years ago as a product set distinct from antivirus; however, both support the same process. In this respect, one may wonder "what is so different about the process of blocking spyware from the process of blocking viruses". Vendors such as Symantec have since consolidated anti-spyware and antivirus on the same desktop. This new approach has given rise to increased emphasis on host security for so-called end-points such as servers and PCs, so that these devices can defend themselves. These technologies include host-based intrusion protection systems (HIDS). For more information read: Developing IT Security Risk Management Plan.

In this Hands-on Lab we'll concentrate only on the firewall part of a layered network IT security infrastructure, using IPCop firewall with the URLfilter, Copfilter and OpenVPN add-ons.

Hardware Pre-requisite

IPCop installation generally runs for 25 minutes, and you can complete it with relatively modest hardware requirements such as a 386 processor with 32MB RAM and >300MB of disk, and 3 Network Cards (2 if there is no need for a DMZ). If you plan to utilize the caching proxy, IDS or other add-ons, consider additional horsepower in terms of RAM/Processor.

Solution: In this Hands-on Lab session, you'll learn how to set up a virtual network on VMware (you may also use any other virtual machine software such as MS VirtualPC, Linux Xen, or VirtualBox from Sun). Next you will learn how to initialize a virtual machine with three NIC adapters, which we'll use to install & configure IPCop firewall. You'll also learn how to install & configure a second virtual machine with WinXP to use for testing your firewalled network's connectivity to the public network (Internet), and also to configure and update the as-installed IPCop. Finally you'll have an opportunity to do the Hands-on Lab assignments to test what you have learned in this lesson. Once you're done with this lab session you should have gained the experience and capability to plan, design, implement and deploy a simple but secure SMB network infrastructure. In this Hands-on Lab, you'll also learn how to extend IPCop's functionality using URL filter to implement company policy about web surfing and internet access. You will also learn how to install and configure Copfilter to add web security functionality, like AntiVirus, safe web surfing, email scanning, and FTP scanning for viruses. You'll also learn how to set up Metasploit and Nessus to test and audit your network security vulnerabilities.

Network Diagram Configuration

It's assumed that you have a good understanding of the Linux operating system and its working environment. It's also assumed that you know how to install Windows XP on VMware.


Figure 3 shows our network setup for the pilot lab test session of our private SMB LAN, which we have configured using VMware with three NIC adapters attached to the IPCop firewall (Virtual Machine 1). The eth2 (RED) interface is attached to the public side of the network and receives its IP address from a DHCP server. The eth0 (GREEN) interface is configured with a static IP address and is also the NIC attached to the DHCP server which feeds dynamic IP addresses to the devices located within the private LAN via the VMnet2 virtual switch. The third NIC adapter, eth1 (ORANGE), is attached to the DMZ network side. Virtual Machine 1 is running the Linux based IPCop firewall.

Fig. 3: Small Enterprise LAN, with test PC (Internal PC) added, and Web server in DMZ

Diagram contents: Virtual Machine 1 (IPCop Firewall) with three virtual NICs. eth2 (RED) connects via the modem to the Internet. eth0 (GREEN) connects through virtual network switch VMnet2 to the Internal LAN, 192.168.2.0/24, where Virtual Machine 2 ("Internal PC") sits. eth1 (ORANGE) connects through virtual network switch VMnet3 to the DMZ LAN, 192.168.3.0/24, where Virtual Machine 3 (Web Server) sits.

Note: eth0 = 192.168.2.1, eth1 = 192.168.3.1, eth2 = DHCP

© Global Open Versity, Vancouver Canada, www.globalopenversity.org

Note: once you’re done with pilot testing and all is working great then you can migrate your setup to your production environment.


Part 1: Install & Configure IPCop Firewall

To understand IPCop or any other firewall, let's take a look at a very common scenario for a small business. We need to provide internet access to all computers in the network and yet we want them all to be protected from outside access. The best access is transparent, where the user behind the firewall doesn't feel the presence of the firewall when he accesses the internet. However, external access must be blocked except where specifically allowed. IPCop shines in such a setup. You can set up this configuration in just about an hour. And the best part of all is that the client machines need nothing more than a simple configuration during setup, wherein you specify that the IP address etc. information will be provided by DHCP.

Step 1: Install IPCop Firewall

To install IPCop firewall, perform the following procedure:

1. Hop over to the IPCop website and download the latest package, which at the time of writing this lab manual was "Latest installation ISO (i386 1.4.20)".
2. Once you have downloaded the IPCop ISO specific to your distribution, you have the option of burning it to CD or just using the ISO package to install it from your virtual machine, in our case VMware.
3. Fire up a new virtual machine and perform the initial configuration and setup to use the ISO package; ensure you give the virtual machine three NIC adapters.
4. Start the virtual machine, and you should be able to see the first IPCop installation screen as shown in Fig. 4. Hit the Enter key to commence installation.


Fig. 4: IPCop installation

5. From Fig. 5, select the desired Language and the click OK.

Fig. 5


6. From Fig. 6, click the OK to start installation.

Fig. 6

7. From Fig. 7, select the CDROM/USB-KEY and then select OK to continue.


Fig. 7

8. From Fig. 8, hit OK to prepare the hard disk.

Fig. 8

9. From Fig. 9, the partitioning process is started.


Fig. 9

10. Since we're not using data from a backup to populate this new IPCop install, select Skip by using the Tab key to make the selection, and then click OK as shown in Fig. 10.

Fig. 10

11. From Fig. 11, select Probe to enable the IPCop installer to probe all the available NIC adapters installed, and then click OK when done.


Fig. 11

12. From Fig. 12, IPCop has detected the first NIC card for the GREEN interface. Click OK to continue.

Fig. 12

13. From Fig. 13, enter the IP address for the GREEN interface, and then click OK to continue.


Fig. 13

14. As can be seen from Fig. 14, IPCop has been successfully installed. Remember to make a note of port numbers 81 and 445, and the respective URLs: http://ipcop:81 or, for secure access, https://ipcop:445. Click OK to continue.

Fig. 14

15. For the next successive screens choose your keyboard type and time zone.


16. From Fig. 15, accept the default hostname "ipcop", or change as desired, and then click OK to continue.

Fig. 15

17. For next screen, accept the default Domain name "localdomain", or change as desired, and then click OK to continue.

18. From Fig. 16, accept the default Protocol/Country selection, and then click "Disable ISDN", as we’re not going to use it.

Fig. 16

19. For the next screen, accept the default selection "Network Configuration type", and then click OK to continue.


20. Recall that we have three NIC adapters to be used by this firewall, therefore we'll choose "GREEN + ORANGE + RED", and then click OK to continue, see Fig. 17.

Fig. 17

21. Recall that we have already assigned the GREEN interface an IP address. Now it's time to assign the ORANGE and RED interfaces. Use the down-arrow key to select "Drivers and card assignments", and then click OK to continue, see Fig. 18.

Fig. 18

22. From Fig. 19, we’re informed that the "ORANGE" and "RED" interfaces are UNSET. Click OK to continue.


Fig. 19

23. From Fig. 20, accept the default "ORANGE" selection to assign the unclaimed Ethernet card. Click OK to continue.

Fig. 20

24. Repeat the same on the next screen to assign the unclaimed "RED" Ethernet card, and then click OK to continue.

25. From Fig. 21, we’re informed that all the cards have been successfully allocated. Click OK to continue.


Fig. 21

26. From Fig. 22, accept the default selection "Address Settings", and then click OK to continue.

Fig. 22

27. From Fig. 23, select "DHCP" to set the RED interface public IP address, and then click OK to continue.


Fig. 23

28. From Fig. 24, go ahead and set the ORANGE interface with a static IP address, and then click OK to continue.

Fig. 24

29. From Fig. 25, accept the default selection "DNS and Gateway Settings", and then click OK to continue.


Fig. 25

30. From Fig. 26, if you selected to use Internet DHCP on the RED interface, as in our case, then you do not need to enter the DNS and Gateway settings; leave them blank. Next, go ahead and click OK to continue.

Fig. 26

Note 1: For a production network, the public Primary DNS server address and Default Gateway address would have been given to you by your ISP. In this case it would have been preferable to use a static IP address on your RED interface.

Note 2: Failure to add the correct gateway IP address will prevent computers in the private LAN from accessing the Internet.


31. From Fig. 27, the DHCP server configuration: we'll have the firewall play the DHCP server role, so we'll enable it by hitting the space bar. Set the Start Address and End Address as desired. Click OK to continue.

Fig. 27

32. From Fig. 28, we're done adding all the required interface IP addresses, Gateway and DNS settings, so we can now move out of this menu by clicking Done to continue.

Fig. 28


33. From Fig. 29, enter the root user password. For security reasons remember to use a root password with good complexity!

Fig. 29

Note: when typing the password there will be no echo from the keyboard or movement of the cursor! So just go ahead and type the password and hit the Tab key to re-type it again.

34. For the next two screens, enter the admin and backup users' passwords. Again, for security reasons remember to use passwords with good complexity!

35. The Setup is complete, as shown in Fig. 30. Press OK to reboot the IPCop firewall.

Fig. 30


36. Once the virtual machine has rebooted, go ahead and log in to the IPCop console as the root user with the root password you entered earlier during setup, as shown in Fig. 31.

Fig. 31: Logging in to the IPCop console using the root user and password

37. Next, we want to check that all our interfaces were configured correctly. To do this, issue the "ifconfig" command for each interface, i.e., eth0 (GREEN), eth1 (ORANGE) and eth2 (RED). From Fig. 32, we can see that all the configurations were done correctly.

Fig. 32a: Ifconfig interface eth0 (GREEN)


Fig. 32b: Ifconfig interface eth1 (ORANGE)

Fig. 32c: Ifconfig interface eth2 (RED)

38. Now we want to test connectivity on all our interfaces using the PING command. So let's see if we're able to ping all the network interfaces, i.e., the GREEN interface "192.168.2.1"; the DMZ ORANGE interface "192.168.3.1"; and the RED interface "192.168.83.211", as shown in Fig. 33.

Fig. 33a: Ping interface eth0 (GREEN) – IP address "192.168.2.1"

Fig. 33b: Ping interface eth1 (ORANGE) – IP address "192.168.3.1"


Fig. 33c: Ping interface eth2 (RED) – IP address "192.168.83.211" from the Internet DHCP.

Note: from all the ping tests we get all the required replies back, indicating that the interfaces are configured and communicating correctly. So we know that the three interfaces are correctly connected to Virtual Machine 1 holding the IPCop firewall.

Step 2: Test your Firewall Security from Outside your Private Network

In this section we will test our firewall security using the PING test again; however, this time round from outside our firewalled network. To perform this, log in to any computer that is not part of your network. In our case I am going to perform my ping test from my WinXP host machine (IP address 192.168.1.113), which is hosting my VMware virtual machines (i.e., the IPCop and Internal PC virtual machine 2).

1. From Virtual Machine 1 (IPCop console), ping the WinXP host machine (IP address 192.168.1.113, which is not shown in the network diagram of Fig. 3); you should have connectivity without any problem, as shown in Fig. 34.

Fig. 34: Ping WinXP host machine – IP address "192.168.1.113"

2. Now from the WinXP host machine issue the ping test again, to the RED interface eth2 with IP address "192.168.83.211". If your firewall is working correctly, you should get connectivity without any problem, as shown in Fig. 35.


Fig. 35

3. Next, from the WinXP host machine issue the ping test again, first to the GREEN interface eth0 with IP address "192.168.2.1", and then to the ORANGE interface eth1 with IP address "192.168.3.1". Again, if your firewall is working correctly, you should not be able to ping eth0 and eth1 from outside the firewalled network. You should see "Request timed out" or "Network unreachable", as shown in Fig. 36.

Fig. 36

Part 2: Install Internal PC (Virtual Machine 2) for Remote Administration of IPCop

In this section we're going to install the second virtual machine, "Internal PC". So go ahead and fire up a new virtual machine, which in our case will be Windows XP; however, you can use any Linux distro of your choice. Do ensure that the Internal PC is installed with its NIC adapter connected to the VMnet2 switch. This is the machine that we're going to use to test and configure IPCop through its web-based administration GUI. The new virtual machine should receive its IP address dynamically from the firewall's DHCP server that we configured during the IPCop installation.


1. Log in to your Internal PC and perform the following procedures.

2. Ping any public domain to test whether we're able to access the Internet from the internal private network, e.g., ping www.google.com, as shown in Fig. 37.

Fig. 37

3. Next, fire up your favorite browser and in the Address bar type: https://192.168.2.1:445. Accept the security warning regarding the security certificate.

4. From Fig. 38, click the Connect button and then log in using the admin credentials.

Fig. 38: IPCop Web Administration GUI

5. After logging in, we need to check for and install updates to bring our firewall system up to date with the latest security updates.

6. To do this, go to System | Updates | Download new updates, and then perform the following procedure (see Fig. 39):


1. Click the Download button to download the "ipcop-1.4.21-update.i386.tgz.gz" file (at the time of writing) and save it in your favorite folder.

2. Click the Browse button, locate and select the file, and then click the Upload button.

3. Finally, click Apply now to complete updating the IPCop firewall system.

Fig. 39: Updating IPCop firewall system

7. Now, click Status | System Status to view which services and other system activities are running, as shown in Fig. 40.

Fig. 40: View system services and other system activities


Part 3: Testing IPCop Security using NMAP

Nmap ("Network Mapper") is a free and open source (license) utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), and a utility for comparing scan results (Ndiff).

1. Run NMAP Test

Now let's run Nmap against the public IP of the firewall from another computer outside our private network to test the firewall; below is what came up. To do this, perform the following procedure:

1. Log in to a machine outside the private network.

2. Now, hop over to nmap.org and download the latest Nmap package for Windows, in our case "nmap-5.20-setup.exe" at the time of writing.

3. Click Run, and Run again when prompted, and then read and accept the license.

4. From Fig. 41, select the components to install (in our case we selected all), and then click Next.

5. On the next screen, click Install and Services, and then click Finish to complete the installation.

Fig. 41


6. Once the installation is completed, click Start | Programs | Nmap | Nmap – Zenmap GUI.

7. Next, enter the Internet-facing IP address "192.168.83.211", i.e., the RED NIC adapter, eth2, and then click Scan, as shown in Fig. 42.

Fig. 42: Performing Nmap scan on the RED NIC adapter.

8. As can be observed from Fig. 42 above, Nmap confirms that the firewall is filtering traffic sent to the public IP (RED). The nice thing with IPCop is that it is a stateful firewall.

9. For best security we need to disable ping responses on the RED interface using IPCop's web GUI under the Firewall tab | Firewall Options | Save, as shown in Fig. 43.

Fig. 43: Disabling ping response on RED interface.

You're done with the Nmap installation and with using it to test our IPCop firewall.
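As an added example (not part of this manual and not Nmap's own code), the following Python script parses Nmap's grepable output (nmap -oG) for the RED address and flags any open port that is not on an explicit allow-list, so the check made by eye in step 8 can be repeated after every configuration change; the scan output embedded below is constructed, and the open OpenVPN port in it anticipates the service deliberately opened on RED in Part 7.

```python
import re

# Constructed sample of Nmap grepable output (nmap -oG) for the RED address used
# in this lab; the port list is illustrative, not a real scan result.
SAMPLE_GREPABLE = (
    "# Nmap 5.20 scan initiated as: nmap -oG - 192.168.83.211\n"
    "Host: 192.168.83.211 ()\tStatus: Up\n"
    "Host: 192.168.83.211 ()\tPorts: 22/filtered/tcp//ssh///, "
    "80/filtered/tcp//http///, 1194/open/tcp//openvpn///"
    "\tIgnored State: filtered (997)\n"
    "# Nmap done: 1 IP address (1 host up)\n"
)

# One grepable port entry: port/state/protocol/owner/service/rpcinfo/version
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/,]*)/([^/,]*)/([^/,]*)/([^/,]*)")


def parse_grepable(text):
    """Return {host: {"status": str or None, "ports": [(port, state, proto, service)]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and anything else are ignored
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value
        host = fields["Host"].split()[0]
        entry = hosts.setdefault(host, {"status": None, "ports": []})
        if "Status" in fields:
            entry["status"] = fields["Status"]
        for m in PORT_RE.finditer(fields.get("Ports", "")):
            port, state, proto, service = int(m.group(1)), m.group(2), m.group(3), m.group(5)
            entry["ports"].append((port, state, proto, service))
    return hosts


def audit_exposure(hosts, red_ip, allowed_open=frozenset()):
    """List every open port on red_ip that is not in allowed_open, a set of (port, proto)."""
    findings = []
    for port, state, proto, service in hosts.get(red_ip, {}).get("ports", []):
        if state == "open" and (port, proto) not in allowed_open:
            findings.append(f"{port}/{proto} ({service or 'unknown'}) is open")
    return findings


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_GREPABLE)
    print("status:", scan["192.168.83.211"]["status"])
    # At this point in the lab nothing should be open on RED, so anything open is a finding
    for finding in audit_exposure(scan, "192.168.83.211"):
        print("WARNING:", finding)
    # The same scan judged once OpenVPN (Part 7) has been deliberately opened on RED
    print("with OpenVPN allowed:", audit_exposure(scan, "192.168.83.211", {(1194, "tcp")}))
```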


Part 4: Installing Add-Ons to Extend IPCop Capability

As you may recall, IPCop was primarily designed to be a firewall, but there are numerous add-ons which extend IPCop's functionality and security capability. In this section you're going to learn how to install and configure add-ons to extend IPCop's capability.

Step 1: Install & Configure URL Filter Add-on on IPCop

The URL filter add-on allows the IPCop firewall to act not only as a proxy server but as a web content filter as well, to help enforce a company's Internet use policy. Access to inappropriate sites, whether they be YouTube, job search or just not work-related, will be denied automatically at the firewall. The URL filter is free to download and use.

1. Log in to your IPCop web admin GUI; we need to enable SSH to allow us to transfer files securely into the IPCop system. Go to System | SSH Access, check the box and then click Save.

2. Download and install WinSCP, which we're going to use to transfer files into the IPCop system. Ensure that you install the Explorer version for ease of use.

3. Download the URL Filter add-on, at the time of writing "ipcop-urlfilter-1.9.3.tar.gz", and place it on the Desktop.

4. To complete the install, I'll connect to IPCop via remote access: click Start | Programs | WinSCP | WinSCP. Use Hostname: ipcop, Port Number: 222 for SSH access, use the root credentials and then click the Login button. Click Yes when prompted. Change to IPCop's /tmp directory, then drag and drop the "ipcop-urlfilter-1.9.3.tar.gz" file into the directory.

5. Now log in to IPCop's console, change into the /tmp directory, and untar the downloaded file, as shown in Fig. 44.

Fig. 44

6. Next, change into the unpacked "ipcop-urlfilter" directory, and then run the install, as follows:

# cd ipcop-urlfilter

# ./install

Click yes to proceed. The install process begins, scrolls through the installation steps and verifies that the installation was successful. After the installation is completed, go back and disable SSH access to IPCop by unchecking it. The rest of the configuration will be done using IPCop's web GUI.

Step 2: Enable the Web Proxy

7. Log in to IPCop's web GUI; under the Services tab you should see a new link for the URL filter (you may need to refresh the web page), indicating that it was successfully installed. However, it will not be actively filtering web access yet.


8. Now, to have IPCop's web proxy use this content filter, we need to enable it first. To activate the URL filter, click the Services tab, select Proxy server and then check the following options, as shown in Fig. 45:

• Enabled on Green: This turns on the web proxy

• Transparent on Green: This silently redirects web traffic to be processed by the web proxy

• Log Enabled: Creates a log file of all usage, even when it is blocked

Finally, under the URL filter heading, check Enabled to activate it.

Note 1: Here we wanted the web content filter to always be enabled even if computer-geek users manage to change the proxy settings within the browser. As long as all of the computers on the LAN are using this firewall as their gateway, it will always force Internet access traffic to pass through the web content filter.

Note 2: To enable the web content filter transparently, both Enabled on Green and Transparent on Green must be checked. Leaving Transparent on Green unchecked will still provide web content filtering as long as the proxy has been set in the web browser's proxy settings. Note also that we have used the default proxy port of 8080. Click Save to apply the changes, as shown in Fig. 45.

Fig. 45: Enabling Proxy Services


Step 3: Configure URL Filter

In this section, we now need to configure the URL filter. To do this, perform the following procedure:

1. Again, log in to the IPCop admin GUI page, if you haven't done so yet.

2. Next, go to the URL filter administrative web page by clicking the Services tab again and then selecting URL Filter; then scroll down to the URL filter maintenance heading. We now need to download the latest update of blocked sites. The URL filter by default comes with a small block list that is out of date and therefore needs to be updated immediately before use, see Fig. 46.

3. To update the filter list, scroll down to the Automatic blacklist update heading and select how often the blacklist is updated. You can set it to Weekly, which is fine for most applications. All four of the blacklist update sources are free. However, you may opt for a commercial blacklist available for a fee from URLblacklist, for which you would choose the Custom source URL option.

Using a larger blacklist like University of Toulouse or Shalla Secure Services will increase the number of filter categories to choose from.

Fig. 46: Setting Automatic blacklist update

Clicking Update now will download the latest lists. Be patient; it does take some time, depending on your network bandwidth. When completed, refresh the page, after which you should see an expanded list of categories to choose from.

4. The URL filter is highly configurable with many options, and its simple web filter is easy to set up. Simply click the block categories as desired; e.g., in our case we have selected to block: porn, ads, gamble, hacking, spyware and jobsearch, as shown in Fig. 47.


Fig. 47

5. Now that we're done with blocking sites to enforce the company web use policy, we need a way to notify users via a warning page in the event that a user "accidentally" surfs to these sites against company policy.

Key Advanced Settings

There are a few additional settings that most network admins use to make the firewall more robust. To do this, scroll down and perform the following tasks, see also Fig. 48:

1. Under Block page settings headings, we need to enable the following:

• Show category on block page: When a page is blocked, this shows the user which web filter category caused the site to be blocked.

• Show URL on the block page: This will show the actual address that triggered the filter.

• Show IP on the block page: This lists the actual IP address of the page visited.

2. Under Advanced settings heading, we need to enable the following:

• Block "ads" with empty window: in the event that an ads category is enabled, this will be replaced with a blank picture rather than the typical (what?)

• Block sites accessed by their IP: This blocks any user trying to access a site by its IP address, e.g., http://10.10.1.4, instead of by domain name. Almost no legitimate web sites are accessed by their IP address.


• Enable log: When enabled, this setting ensures that users' web visits are logged.

4. Finally, don't forget to click the Save and restart button to apply all the changes.

Fig. 48: Performing additional URL filter settings.

6. Now, anyone surfing to sites which are blocked will get the message shown in Fig. 48 on their screen. To test this, enter any URL or domain name related to a blocked category.

In this case a user has been denied access to the website because he tried to search for a job on a company computer, which is set to block the "jobsearch" category under company policy. Employees of this company are not allowed to use company computers for non-work-related purposes, e.g., searching for a job while at work.


Fig. 48: A web user denied access to a job search website due to company web use policy.

7. You're done with the URL filter installation, configuration and settings. In the next section we're going to further extend IPCop firewall capability by installing Copfilter, which comes with an impressive list of security programs, like antivirus, to keep watch on your network.
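To make the URL filter decisions of this step concrete, here is an added Python model (not the add-on's own code) of the settings configured above: category blacklists matched by domain suffix, "Block sites accessed by its IP", "Block ads with empty window", and the fields shown on the block page. The blacklist entries and requested URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample blacklist: one set of domains per category, standing in for
# the category lists the add-on downloads. Entries are illustrative only.
BLACKLIST = {
    "jobsearch": {"jobs.example", "careers.example.org"},
    "ads": {"ads.example.net"},
    "gamble": {"casino.example"},
}

# Categories ticked in step 4 of this lab
BLOCKED_CATEGORIES = {"porn", "ads", "gamble", "hacking", "spyware", "jobsearch"}


def host_of(url):
    """Lower-cased host part of a URL as typed into a browser (scheme optional)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def is_ip_literal(host):
    """True for http://10.10.1.4-style access, the case 'Block sites accessed by its IP' targets."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def matching_category(host, blacklist=BLACKLIST):
    """First category listing the host or a parent domain (www.jobs.example matches jobs.example)."""
    labels = host.split(".")
    candidates = {".".join(labels[i:]) for i in range(len(labels))}
    for category, domains in blacklist.items():
        if candidates & domains:
            return category
    return None


def evaluate(url, blocked=BLOCKED_CATEGORIES, block_ip_access=True,
             ads_empty_window=True, blacklist=BLACKLIST):
    """Decide allow/block/empty for one request the way the settings above describe."""
    host = host_of(url)
    decision = {"url": url, "host": host, "action": "allow", "category": None}
    if block_ip_access and is_ip_literal(host):
        decision.update(action="block", category="ip-address-access")
        return decision
    category = matching_category(host, blacklist)
    if category in blocked:
        # Blocked ads are answered with an empty page instead of the block page
        action = "empty" if (category == "ads" and ads_empty_window) else "block"
        decision.update(action=action, category=category)
    return decision


def block_page(decision, show_category=True, show_url=True, show_ip=True):
    """Text of the warning page with the fields the 'Block page settings' expose.

    No DNS lookup is done here, so the IP line only appears when the host was
    typed as an IP address."""
    lines = ["Access denied by company web use policy."]
    if show_category:
        lines.append(f"Category: {decision['category']}")
    if show_url:
        lines.append(f"URL: {decision['url']}")
    if show_ip and is_ip_literal(decision["host"]):
        lines.append(f"IP: {decision['host']}")
    return "\n".join(lines)


if __name__ == "__main__":
    for url in ("www.jobs.example/search?q=admin", "http://10.10.1.4/",
                "https://ads.example.net/banner.gif", "https://www.example.com/"):
        d = evaluate(url)
        print(f"{url:40} -> {d['action']:6} {d['category']}")
        if d["action"] == "block":
            print(block_page(d))
```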

Note: At this point, before continuing with the next section, it may be advisable to back up the current state of your IPCop, as we're going to do more installation and configuration of the system.

Step 4: Extending IPCop with Copfilter Add-on

The main goal of Copfilter is to provide a free and easy-to-use solution to filter and scan traffic from any insecure network, like the Internet, for viruses and spam. It has been designed as a preconfigured and easy-to-install add-on for the open source firewall IPCop. Copfilter is a package of various open source traffic filtering software and tools, customized and built to work together smoothly. All included proxies filter traffic transparently, which means that no client reconfiguration is necessary.


It scans POP3 and SMTP emails for viruses and spam. Instead of a virus-infected email, a user will receive a virus notification message containing details about the originally sent email, which can also be quarantined if desired. Spam emails will be tagged as spam by inserting the following text into the subject field: *** SPAM *** With this procedure any email client will be able to use its own message filtering rules to automatically delete or move these spam messages into a different folder for later review. HTTP and FTP traffic will also be scanned for viruses. If a virus is found, access to that web page or file will be denied. Figure 49 shows the network diagram of an IPCop machine running Copfilter:

Fig. 49: Network diagram of an IPCop machine running Copfilter

Install & Configure Copfilter Add-on on IPCop

We now need to download, install and configure the Copfilter add-on on IPCop. To do this, perform the following procedure:

1. Log in to IPCop's web admin GUI and then ensure that you enable SSH access to allow uploading of Copfilter.

2. Hop over and download Copfilter; at the time of writing we used copfilter-0.84beta3a.tgz, which the author considers the most stable, and place it in your favourite folder.

3. Fire up WinSCP and log in using SSH access, then move the downloaded file into the /tmp directory and run the following from the IPCop console:

# cd /tmp
# tar -xzvf copfilter-0.84beta3a.tgz
# cd copfilter-0.84beta3a
# ./install
[y/N] y


Reboot the system after the installation has completed successfully for the changes to take effect.

Note: On rebooting, the system might report some errors, as shown in Fig. 50. Hitting Enter on the terminal brought up the login prompt. The problem was that the e-mail address to send reports to was not yet set.

Fig. 50: Errors reported during reboot after Copfilter installation. Hit enter and proceed to login.

4. Log in to the IPCop web admin GUI, and proceed to correct the email problem by going into the Email link from the Copfilter menu, as shown in Fig. 51.

Fig. 51: To correct the errors, configure the email settings as desired.

5. Reboot the system again after configuring the Email link on Copfilter.

6. This time round you shouldn't see any errors, unless your messaging server is not working correctly.


1. Enable HTTP Scanning

7. Next, let's activate some of the security programs that we want to use via the web GUI by selecting the Copfilter tab. Let's enable HTTP Scanning to protect internal private network users' web wandering, as shown in Fig. 52. Next, scroll down and click the Save settings (and restart service) button.

Fig. 52: Enabling HTTP Scanning on Copfilter.

2. Enable AntiVirus (ClamAV, AVG, F-Prot)

8. To enable antivirus protection, click Copfilter | ANTIVIRUS, and then enable the settings as shown in Fig. 53. Remember to update the virus database by clicking the update clamd now button.

Fig. 53: Enabling AntiVirus settings.

Scroll down and click Save settings (and restart service) button.


3. Enable FTP Scanning

9. Next, we need to protect users who download files using the FTP protocol. Click Copfilter tab | FTP Filter, as shown in Fig. 54.

10. Now, for maximum protection, we need to enable FTP Scanning through Copfilter by enabling it on the GREEN and ORANGE networks. Next, click the Save settings (and restart service) button.

Fig. 54: Enabling FTP Scanning settings.

4. Enable POP3 Scanning (P3Scan)

The Post Office Protocol Version 3 (POP3) is the industry standard for receiving email. The goal of our configuration is to block spam/malware from being received via our email clients. To do this, perform the following procedure:

1. To access these settings, go to Copfilter | POP3 FILTER configuration to access POP3 Scanning (P3Scan), as shown in Fig. 55. The following options detail those to be turned ON; all others will be left in the default OFF configuration.

• Enable P3scan on incoming traffic on GREEN: ON
• Enable P3scan on incoming traffic on ORANGE: ON
• Add Copfilter Comment to Email Header: ON
• Quarantine Spam if … ***: OFF
• Tag Spam in Emails and modify the subject: ON
• Stop Virus email and send virus notification instead: ON
• Send a copy of virus notification to Email address: ON
• Quarantine virus infected emails: ON
• Remove emails in quarantine if older than (in days): 7
• Finally, click on Save settings (and restart service)
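The two client-visible effects of the settings above are the *** SPAM *** subject tag (which the email client's own rules act on, as described at the start of this step) and the 7-day quarantine expiry. The following Python example is added here and is not Copfilter's or P3Scan's code: it implements a client-side sorting rule that honours the tag even when the subject arrives RFC 2047-encoded, plus the quarantine ageing rule. The messages and quarantine entries are constructed samples.

```python
import email
from email import policy
from datetime import datetime, timedelta, timezone

SPAM_TAG = "*** SPAM ***"   # subject prefix inserted by Copfilter/P3Scan
QUARANTINE_DAYS = 7         # "Remove emails in quarantine if older than (in days)"

# Constructed sample messages as a client would fetch them via POP3 after the
# filter; the third subject is RFC 2047 encoded, so the tag must be checked on
# the decoded subject rather than on the raw header bytes.
SAMPLE_MESSAGES = [
    "Message-ID: <m1@example.test>\r\nSubject: *** SPAM *** Cheap watches\r\n\r\nbody\r\n",
    "Message-ID: <m2@example.test>\r\nSubject: Meeting notes\r\n\r\nbody\r\n",
    "Message-ID: <m3@example.test>\r\n"
    "Subject: =?utf-8?q?***_SPAM_***_Prize_claim?=\r\n\r\nbody\r\n",
]

# Constructed quarantine index: (item id, time it was quarantined)
SAMPLE_NOW = datetime(2007, 4, 30, tzinfo=timezone.utc)
SAMPLE_QUARANTINE = [
    ("q1", SAMPLE_NOW - timedelta(days=8)),
    ("q2", SAMPLE_NOW - timedelta(days=2)),
    ("q3", SAMPLE_NOW - timedelta(days=7)),   # exactly 7 days: not yet "older than"
]


def parse(raw):
    """Parse one raw RFC 822 message; policy.default decodes and unfolds headers."""
    return email.message_from_string(raw, policy=policy.default)


def is_tagged_spam(msg):
    """True when the decoded Subject begins with the tag P3Scan prepends."""
    subject = str(msg.get("Subject", ""))
    return subject.lstrip().startswith(SPAM_TAG)


def sort_inbox(raw_messages):
    """Client-side rule: tagged spam goes to a Spam folder, everything else to Inbox."""
    folders = {"Inbox": [], "Spam": []}
    for raw in raw_messages:
        msg = parse(raw)
        folder = "Spam" if is_tagged_spam(msg) else "Inbox"
        folders[folder].append(str(msg.get("Message-ID", "")))
    return folders


def expired_quarantine(entries, now, max_age_days=QUARANTINE_DAYS):
    """IDs of quarantined items older than max_age_days, i.e. the ones due for removal."""
    cutoff = now - timedelta(days=max_age_days)
    return [item_id for item_id, stored_at in entries if stored_at < cutoff]


if __name__ == "__main__":
    print(sort_inbox(SAMPLE_MESSAGES))
    print("to remove from quarantine:", expired_quarantine(SAMPLE_QUARANTINE, SAMPLE_NOW))
```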


Fig. 55: Enabling POP3 Filter on Copfilter

Note: The net effect of this configuration will be an aggressive stance on scanning, dropping and notifying you of the spam/malware before it reaches your internal network.

5. Enabling Monitoring of Copfilter

To enable Copfilter monitoring, click Copfilter tab | Monitoring, and then change Monitor all enable service to on. Next, click the Save settings (and restart service) button, as shown in Fig. 56. This service enables you to monitor the core services of the Copfilter application. It provides you some resilience by automatically restarting applications should they fail.

Fig. 56: Enabling monitoring on Copfilter


6. Viewing Copfilter Status

11. Finally, we need to view the settings that we have enabled under the Copfilter add-on.

12. To do this, click Copfilter tab | Status to access the Copfilter status web page, as shown in Fig. 57. From here you can manage the settings as desired.

13. You're done with the Copfilter installation and configuration.

Fig. 57: Viewing Copfilter status.

Note: You may enable other Copfilter services as desired.

Part 5: Checking IPCop Memory Usage

Now that we have managed to expand the functionality of IPCop, we also need to keep an eye on memory usage to ensure that our firewall system is staying healthy.

1. To do this, click Status tab | System. There is a 40% increase in memory usage after enabling the security programs under Copfilter.

2. Since we're running the IPCop firewall as a virtual machine, adding more memory is as easy as editing the virtual machine's settings, i.e., no more need to open a physical box!

3. Shut down the IPCop virtual machine, then from the VMware Machine infrastructure, click VM menu | Settings and then from the Hardware tab, click Memory and adjust the memory settings as desired; in our case we have set it to 1.5G.


Part 6: Enable Intrusion Detection System (IDS) Monitoring on IPCop

1. To enable IDS on IPCop, click Services tab | Intrusion Detection and then enable the IDS setting as shown in Fig. 58.

2. To utilize Sourcefire VRT Certified Rules, you need to register on www.snort.org. Activate your account via the link emailed to you.

3. Go to USER REFERENCES, press the "Get Oink Code" button, copy the 40-character Oink Code and paste it into the empty text box next to Oink Code:, as shown in Fig. 58.

4. Click the Save button, and then click the Refresh update ruleset button.

5. You're done.

Fig. 58: Enabling IDS on IPCop.

Note 1: Remember to back up your IPCop virtual machine, just in case you may want to restore it in case of a catastrophic system failure.

Note 2: In case of an error like "HTTP::Response=HASH(0x82a3c14)->code registered md5", check the solutions at the end of this Hands-on Lab.

6. The final set of system services running is now as shown in Fig. 59.


Fig. 59: Services running on IPCop.

You're done with the lab assignment for now. However, you may continue to explore and expand the functionality of your IPCop machine as desired.

Part 7: Install Zerina's OpenVPN Package for IPCop

In this section of this Hands-on Lab, I'll walk through setting up a basic VPN server that would work for most people who want constant access to their files, or want the benefit of being secure no matter where they are, i.e., anywhere, anyplace, anytime access. There is an IPCop module called Zerina that sets up OpenVPN on IPCop. While IPCop does come with a built-in VPN server, by using OpenVPN you will be able to leverage the nice GUI clients that are available for it.

Step 1: Install Zerina OpenVPN

To install Zerina's OpenVPN, perform the following procedure from the Internal PC (Virtual Machine 2):

1. Log in to IPCop's web admin GUI and enable SSH; this will allow us to use WinSCP to upload the OpenVPN package into the IPCop system.

2. Hop over and download the ZERINA installer and save it to one of your favorite directories. At the time of writing this article, we downloaded "ZERINA-0.9.7a14-Installer.tar.gz".

3. Now use WinSCP to upload the downloaded file into the /tmp directory, and then issue the following commands:

# cd /tmp
# tar -xzvf ZERINA-0.9.7a14-Installer.tar.gz
# ./install

The addon is now installed.


Troubleshooting: If you encounter a problem during the Zerina installation with IPCop versioning, it's because the Zerina installer does a version check. Open the "install" file in your favorite text editor and change the relevant line. This has been discussed before, and a search on "1.4.21" and "Zerina" would have found this information. OpenVPN is a copyright and trademark of OpenVPN Technologies, Inc., a Delaware corporation in the US.

4. When done with the OpenVPN installation, make sure that you have disabled SSH again.

5. Head back to http://192.168.2.1:81, click VPN tab, and then select OpenVPN. You will see the screen as shown in Fig. 60. This page has all of the configuration options for OpenVPN.

1. Configure OpenVPN

6. Now set up the following:

• Check the box next to "OpenVPN on Red", which is the external connection you want OpenVPN to listen on.
• Change "Local VPN Hostname/IP" to a different IP range (i.e., 192.168.83.211).
• Change "OpenVPN Subnet" to the appropriate settings for your IP range.
• Change "Protocol" to TCP.
• Check the box next to "LZO-Compression".
• Click Save.

Fig. 60: Configuring OpenVPN on IPCop

7. Next, from Fig. 60, click the Advanced Server Options screen and, under the Additional Push Route section, in the first box type in the IP / Subnet of your remote IPCop GREEN network. There are 6 boxes; in our case, I'll only fill the 1st box, as follows:

GREEN Subnet: 192.168.0.0/255.255.255.0

Click Save Advanced Options.

2. Generate OpenVPN Root/Host Certificates

8. Click the Generate Root/Host Certificates button to generate the certificates. Complete the required and optional fields as desired, see Fig. 61. When done, click Generate Root/Host Certificates again.


Fig. 61: Generating Root/Host Certificates

3. Generate Client Certificates

9. Scroll down and click on the "Add" button under the "Roadwarrior Client status and control" heading. If you are using the stable version you can only click Roadwarrior, so just click the "Add" button again. Fill out the form to generate an OpenVPN certificate for the computer that you want to use to access the VPN, see Fig. 62. Click on the Save button when done.

Fig. 62: Generating Roadwarrior client certificates


Note 1: On the OpenVPN configuration page, under the Roadwarrior Client status and control heading, after you have created a client connection profile you will see icons next to it on the right-hand side, as shown in Fig. 63. You can download the profile by clicking the Diskette icon.

Fig. 63

Note 2: Click the icon to the left of the info icon, and save the .zip file in your favorite folder. You'll need to get this file to the client/remote computer (e.g. via USB memory stick or email).

10. Now that everything is set up, click on the "Start OpenVPN" button to start the OpenVPN server. If everything is set up correctly the status will change to "Running".

Step 2: Install and Configure OpenVPN on the Client

In this section we're going to install and configure OpenVPN on the client machine (Roadwarrior machine). To do this, perform the following procedure:

1. Hop over and download and install OpenVPN. In our case we're going to set it up on Windows, so we'll download OpenVPN GUI, as it allows the user to start and stop OpenVPN from a taskbar icon. (Linux/Unix users can either download and compile OpenVPN or install it via their package managers.)

2. Click to download "openvpn-2.0.9-gui-1.0.3-install.exe" (the current version at the time of writing); then click Run, and Run again, and follow the OpenVPN Setup Wizard shown in Fig. 64 to complete the installation.

Fig. 64

Note: When done you should see an additional icon on your Task bar.


Unzip OpenVPN client package

3. Take the client package that you saved in Step 2 item 9, and unzip the contents into your OpenVPN client config directory, probably located at "C:\Program Files\OpenVPN\config".

4. Extract these files into the C:\Program Files\OpenVPN\config folder on your client computer. Open the ".ovpn" file in a text editor and verify that the 'remote' line IP address points to your external IP; if it does not, change it as desired. If you have a dynamic IP address, then I would suggest signing up for a dynamic DNS service like DynDNS.org (which IPCop has an update client for) and replacing the IP with your DynDNS address.

5. Connect to the VPN Server on IPCop

Make sure that OpenVPN is running on the IPCop virtual machine or box, and that you are connected to the Internet. Right-click on the OpenVPN icon and click Connect, as shown in Fig. 65. Enter the password we set in Step 2, item 9, and you should be connected, and the icon should change.

Fig. 65

6. OpenVPN should connect to your firewall and assign you an internal IP address in the "10.231.132.0" range by default. From this point you can browse your home computers just as if you were sitting at home.

7. To test your connectivity to the private network, ping the Internal PC from the Roadwarrior remote client machine; as can be seen in Fig. 66, we have connectivity without any problem.

Fig. 66


Connect to the Exchange Server 2k3 to check Email

8. You can even connect to the Exchange Server 2003 to check and manage your emails while on the road, as shown in Fig. 67.

Fig. 67: Accessing Email while on the road.

You're now done with installing and configuring OpenVPN on the IPCop firewall. Stay tuned as I'll continue to add more info and hands-on labs!
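Before shipping the road warrior's .ovpn profile, it is worth checking it against the server settings chosen above (TCP, LZO compression, a `remote` line that points at the public side of IPCop rather than GREEN). The script below is an added example, not part of the lab or the Zerina add-on; the server port, the sample profiles and the placeholder hostname are constructed assumptions.

```python
"""Sanity-check an OpenVPN client profile (.ovpn) before handing it to a road warrior.
Added example (not from the lab or the Zerina add-on): it automates the checks the lab
asks you to do by hand on the client, against the server settings chosen in the lab."""
import ipaddress
from typing import Dict, List

SERVER_PROTO = "tcp"   # "Protocol" set to TCP on the IPCop OpenVPN page
SERVER_PORT = "1194"   # OpenVPN's default port, assumed for this example
SERVER_LZO = True      # "LZO-Compression" box ticked on the server


def parse_ovpn(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to its argument lists; inline <ca>..</ca> PEM blocks are skipped."""
    directives: Dict[str, List[List[str]]] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                      # inside <ca> ... </ca>: ignore PEM lines
            in_block = not line.startswith("</")
        elif line.startswith("<"):        # opening tag of an inline block
            in_block = True
            directives.setdefault(line.strip("<>"), []).append([])
        elif line and not line.startswith(("#", ";")):
            parts = line.split()
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def is_private_endpoint(host: str) -> bool:
    """True when the remote is an IP address that is not routable from the Internet."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False                      # a hostname (e.g. a DynDNS name) is fine


def check_profile(text: str) -> List[str]:
    """Return findings for the profile; an empty list means it passes."""
    findings: List[str] = []
    d = parse_ovpn(text)
    remotes = d.get("remote", [])
    if not remotes:
        findings.append("no remote line")
    for args in remotes:
        host = args[0] if args else ""
        if is_private_endpoint(host):
            findings.append(f"remote {host} is not reachable from the Internet")
        if len(args) > 1 and args[1] != SERVER_PORT:
            findings.append(f"remote port {args[1]} differs from server port {SERVER_PORT}")
    proto_args = d.get("proto", [["udp"]])[0]         # OpenVPN defaults to UDP
    proto = (proto_args[0] if proto_args else "udp").lower()
    if not proto.startswith(SERVER_PROTO):
        findings.append(f"proto {proto} does not match server protocol {SERVER_PROTO}")
    if SERVER_LZO and "comp-lzo" not in d:
        findings.append("comp-lzo missing but the server enables LZO compression")
    if "pkcs12" not in d and not all(k in d for k in ("ca", "cert", "key")):
        findings.append("no pkcs12 or ca/cert/key: TLS credentials missing")
    return findings


# Constructed samples: first still dials IPCop's GREEN address over the UDP default; second matches the server.
BAD_PROFILE = "client\nremote 192.168.2.1 1194\nca cacert.pem\ncert client.pem\nkey client.key\n"
GOOD_PROFILE = ("client\nproto tcp-client\nremote myoffice.example-dyndns.invalid 1194\n"
                "comp-lzo\npkcs12 roadwarrior.p12\n")
```

Run `check_profile()` on the .ovpn text from the downloaded zip; every finding is one of the hand checks from step 4 that would otherwise surface as a failed connection.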

Part 8: Troubleshooting Problem with Intrusion Detection (Snort) on IPCop Firewall 1.4.21

To solve the problem when a rules update fails with the error "HTTP::Response=HASH(0x82a3c14)->code registered md5":

1. In case you encountered any problem after installing & setting up Intrusion Detection with Sourcefire VRT Certified Rules using an Oink Code, and when you tried to Refresh update list you see the following error messages:

• When running update the error is:

HTTP::Response=HASH(0x82a3c14)->code registered md5

• When running download the error is:


HTTP::Response=HASH(0x82a3c68)->code

The reason is that snort.org now publishes rules on the current branch, which are no longer compatible with snort-2.6.1.5.

We have manually added the current branch; to date it is 2.8. You can find it on snort.org if you have an account there, under My Account --> My Oinkcodes, along with the code (you must have an account at snort.org to access the code and use snort in IPCop).

Solution: it is a manual fix in the code.

2. Open /usr/local/bin/snortrules.pl in a text editor:

root@ipcop:/etc/snort # nano /usr/local/bin/snortrules.pl

3. Change the value from 2.6 to 2.8 at line no. 54:

my $rulesbranch="2.8"; # version should match snort branch version

4. Save to effect the changes.

5. Click Save, click Apply now, click Refresh update list, and then click Download new ruleset.

Note: It should work now, with no update rule-set failure or MD5 checksum error.

You're done with the IPCop firewall setup and configuration. In the next session, you'll learn how to test and audit your network security defence and vulnerability effectiveness.

Part 9: Different IT Security Vulnerability Scanning and Testing Techniques

1. Security testing services can provide different levels of security assurance, as shown in Fig. 68.

2. Vulnerability scanning typically uses automated systems. It requires minimal hands-on intervention in the qualification and assessment of vulnerabilities. This is a fast and inexpensive way to ensure that no obvious vulnerabilities exist, but it doesn’t provide the granular analysis found in a full manual test.

3. Network security assessment sits between vulnerability assessment and full penetration testing and utilizes an effective blend of tools. It requires qualified and trained security analysts.

4. Full penetration testing involves multiple attack vectors to compromise the target environment. Within the security community, penetration testing is considered an 'art'.


[Fig. 68 residue: a chart plotting Assessment Depth against Cost/Time for Vulnerability Scanning, Network Assessment and Penetration Testing, applied across the Internet, DMZ and Internal Network. Network Security Areas covered: border routers, firewalls, IDS (Intrusion Detection System), IPS (Intrusion Prevention System), VPN devices, software architecture, DMZs and screened subnets, hosts.]

Fig. 68: Cost of performing network vulnerability testing

Step 1: Network Penetration Testing Methods

1. Enterprise security analysts should perform penetration testing and vulnerability assessments based on proven security methodologies (e.g., ISSAF and OSSTMM) and industry-recognized best practices (e.g., ITIL and ISO 17799). There are three types of approaches to penetration testing:

• zero-knowledge test
• full-knowledge test
• partial-knowledge test

2. The target organization must decide what type of test is best according to its IT security needs.

i. Zero-knowledge attack (black box): the penetration team has no real information about the target environment and must generally begin with information gathering. This type of test is obviously designed to provide the most realistic penetration test possible.

ii. Partial-knowledge test (partial black box): the target organization provides the penetration test team with the type of information a motivated attacker could be expected to find, which saves time and expense. To conduct a partial-knowledge test, the penetration team is provided with such documents as policy and network topology documents, asset inventory, and other valuable information.

iii. Full-knowledge attack (white box): the penetration team has as much information about the target environment as possible. This approach is designed to simulate an attacker who has intimate knowledge of the target organization's systems, such as a current or former employee.


Step 2: Information Systems Security Assessment Framework (ISSAF)

The ISSAF is intended to comprehensively report on the implementation of existing controls to support IEC/ISO 27001:2005 (BS7799), Sarbanes-Oxley SOX-404, COBIT, SAS70 and COSO, thus adding value to the operational aspects of IT-related business transformation programs. Rationale: it provides a useful framework and comes with detailed documentation for penetration testing, in particular section S - Web Server Security Assessment, section T - Web Application Security Assessment, section U - Web Application Security Assessment - SQL injections, and section V - Source Code Auditing.

Step 3: IT Risk & Vulnerability Testing Tools

There are two very powerful open source tools that can be used for IT Risk & Vulnerability Assessments; these are the Metasploit Framework, Nessus, and FoundScan (see also Fig. 69).

1. Metasploit Framework

• What is it? The Metasploit Framework is a development platform for creating security tools and exploits. The framework is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.

• What does it do? The Metasploit Framework consists of tools, libraries, modules, and user interfaces. The basic function of the framework is a module launcher, allowing the user to configure an exploit module and launch it at a target system. If the exploit succeeds, the payload is executed on the target and the user is provided with a shell to interact with the payload.

2. Nessus

Nessus is an open-source network vulnerability scanner that uses the Common Vulnerabilities and Exposures architecture for easy cross-linking between compliant security tools. Nessus employs the Nessus Attack Scripting Language (NASL), a simple language that describes individual threats and potential attacks. Nessus has a modular architecture consisting of centralized servers that conduct scanning, and remote clients that allow for administrator interaction. Administrators can include NASL descriptions of all suspected vulnerabilities to develop customized scans. Significant capabilities of Nessus include:

• Compatibility with computers and servers of all sizes.
• Detection of security holes in local or remote hosts.
• Detection of missing security updates and patches.
• Simulated attacks to pinpoint vulnerabilities.
• Execution of security tests in a contained environment.


• Scheduled security audits.

The Nessus server is currently available for UNIX, Linux and FreeBSD. The client is available for UNIX- or Windows-based operating systems.

Part 10: Need More Training on Linux?

Are you having trouble understanding or comprehending the workings of the Linux OS? If so, then check out some of our introductory courses on Linux at Global Open Versity, Vancouver Canada.

Part 11: Hands-on Lab Assignments

Use Figs. 3 and 70 to help you with your Hands-on labs:

1. Install and configure a DNS server for your private network, placed within the DMZ LAN.
2. Install and configure a messaging server for your network, placed within the private LAN, with a mail relay placed in the DMZ.
3. Install and configure a Web server for your network, placed within the DMZ LAN.
4. Install and configure a LAMP server for your network, placed within the private LAN.
5. Install and configure a CRM server for your network, placed within the private LAN.
6. Finally, ensure that all systems are able to connect and communicate seamlessly.
7. Enable & configure VPN access for company road warriors to access the private network.
8. Install & set up Metasploit and Nessus and use them to test and audit your network.

-----------------------------------------------

Kefa Rabah is the Founder and CIO of Serengeti Systems Group Inc. Kefa is knowledgeable in several fields of Science & Technology, IT Security Compliance and Project Management, and Renewable Energy Systems. He is also the founder of Global Open Versity, a place to enhance your education and career goals using the latest innovations and technologies.

ICT202 - Linux Enterprise Infrastructure Engineering Diploma

This is an advanced Linux course for IT professionals and Network Infrastructure Engineers in enterprise business information technology (IT) strategy & development. The goal of this course is to equip students and IT professionals with the advanced Linux skills required in enterprise infrastructure planning, design, development, implementation and deployment of complex network infrastructure. In this course you will learn how to install and configure the Linux OS; design & implement DNS master & slave servers for redundancy; deploy virtual domains suitable for an ISP solution; configure DHCP and firewall solutions; design, install & deploy a secure Apache Tomcat AS; design & implement OpenLDAP or OpenDS infrastructure for Single-Sign-On (SSO); deploy Sendmail, Postfix & Zimbra messaging systems; install the Thunderbird & Evolution email clients; deploy JBoss & JPortal infrastructure; integrate Samba with Windows Active Directory & Mac OSX infrastructure for SSO; GlassFish & SAML on Linux; deploy Moodle LMS; deploy SugarCRM. Upon completion of this course you will have gained advanced knowledge and skills at expert competency, with the capability to deploy a complete medium-enterprise-level network infrastructure solution, or to start your own ISP business or Linux consultancy services. PREQ: BM103, BM200, CIS102, CIS105, CIS107, CIS200, CIS202/CIS402, & CIS204.

Donate and help others bridge the digital divide

Enhancing experiential education to all through eLearning in the 21st Century


[Fig. 70 residue: network diagram. The Internet (public IP address, Internet Wi-Fi, Business Partners Access) connects through the IPCop Firewall to a DMZ Network (FTP Server, Web Server) and to the Internal Private LAN, which holds Linux RHE5, a Samba Server, Win2k8 AD, a Mac OSX Server, a Messaging Server, Dbase and Terminal hosts, and Win-Vista, Win7, Linux and WinXP clients, connected via Switches 1-6 (Rm 300, Rm 301, Rm 302) and internal Wi-Fi, with SSO access to network resources and IDS sensors at several points. Subnets shown: 192.168.0.0/24 and 192.168.10.0/24. Note: Add network devices to switches 3 & 4 or any other part of the network as desired. © January 20, 2007 Global Open Versity, Vancouver Canada, www.globalopenversity.org]

Fig. 70: A more practical network