Lab 4: Firewall
You are the Network Security Administrator for an organization. You are responsible for the configuration of a firewall that segregates the enterprise network from the external network. You will strategically allow authorized incoming and outgoing traffic while denying all unauthorized traffic.
In this lab, we are going to practice setting up a Smoothwall firewall in a UMUC remote lab. Smoothwall is a Linux kernel-based firewall. It has a rich graphical interface and it implements the firewall using UNIX/Linux iptables (see http://linux.die.net/man/8/iptables). The manual for the Smoothwall firewall can be found at: http://www.smoothwall.com/media/114580/AdvancedFirewall-admin.pdf. The exercise does not require you to read the entire manual. We are going to experiment with the inbound and outbound traffic filtering aspects (Chapter 7) of the firewall.
The UMUC remote environment for this lab is shown in the figure below. Notice the firewall/router separates the 100.100.0.X External network (virtual Internet) from the 198.168.1.x Enterprise machines. This firewall will be controlling the in- and out-bound traffic of the enterprise.
Step by Step Instructions for Performing the Lab Activity
Use the scripts in the Traffic folder to test the functionality of each rule you create. For example, use the FTP.sh script (on External Desktop > Scripts > Traffic > FTP.sh) to test the FTP setup.
- From the Virtual Machine screen, double click the console for Enterprise. Use root/aspring2013 credentials to log on to Enterprise. (Note: From the Jumpbox you can also remote to Enterprise. Double click VNC Viewer. Enter remote host address 10.5.14.110 > Click Connect and use aspring2013 as the password. But the console login gives you more “real estate,” and should be preferred.)
- This is Enterprise (Centos)
- Double click Firewall GUI
- Supply Username and Password and Click OK
- This is Firewall (Smoothwall)
- Click Networking > Outgoing. This is where you will configure rules to allow or deny network traffic from our internal Enterprise network to the External Virtual Internet.
- Notice that in the Interface Defaults section the current selection is “Blocked with Exceptions”. This means that all traffic from the Enterprise network to the External network that is not explicitly allowed is implicitly denied. This method of administering a firewall is known as maintaining a “Whitelist”. If we were instead to implicitly allow all network traffic except for explicitly denied protocols, that would be known as maintaining a “Blacklist”. In network administration, maintaining a whitelist is considered best practice.
- Our Firewall has an interface on the Enterprise Internal network known as the Green Interface, and an interface on the External network known as the Red interface.
- Minimize Smoothwall and return to Enterprise desktop
- Double click Scripts > Double click Traffic.
- Each of the scripts in this folder will simulate 5 packets of traffic using their named protocol from the Enterprise network to the External network.
- Together we will enable HTTP traffic from Enterprise to External. HTTP is needed in order for users to browse websites on the internet. Double Click Web Browser
- Click the + button to open a new tab
- In the browser bar type 100.100.0.100 > Enter. Firefox should be unable to connect. Firewall is implicitly denying http traffic.
- Minimize Firefox and return to the Desktop > Scripts > Traffic Folder > Double Click HTTP.sh
- Select run in terminal
- Your output should look like this. We sent 5 packets to 100.100.0.100 and Firewall blocked them.
- Maximize or reopen Firefox to return to Firewall. Click Networking > Outgoing.
- In the “Add exception” area, leave Application as “User defined” and type 80 in the Port field. In Comment type “Allow HTTP to External”. Leave the Enabled checkbox checked. Click Add.
- Current exceptions should have this entry:
- Open a new browser tab and go to 100.100.0.100 again. If this page came up you successfully allowed HTTP traffic from the Enterprise network to External.
- Return to Enterprise desktop > Scripts > Traffic > Double click http.sh > Run in Terminal
- Your output should now look like this. This means the HTTP packets successfully reached their destination at 100.100.0.100
- (50 Points) On your own you will now create 7 more rules on Firewall to allow the following protocols to reach the External network. Use the scripts in the traffic folder to test each rule.
- There are services hosted on the Enterprise network that require access from the External network. Your Enterprise has a single public IP Address, 100.100.0.1. By default Firewall blocks all incoming traffic on its public facing interface. You will configure port forwarding explicitly to allow traffic on specific ports to reach destinations on the Enterprise network, while denying traffic on all other ports.
- From the Virtual Machine screen, double click the console for External. Use root/aspring2013 credentials to log on to External. (Note: From the Jumpbox you can also remote to External. Double click VNC Viewer. Enter remote host address 10.5.14.11 > Click Connect and use aspring2013 as the password. But the console login gives you more “real estate,” and should be preferred.)
- This is External (Kali Linux)
- Double click the Web Browser on the desktop
- In the browser bar type infa620.umuc.com > enter. The browser should not be able to display the webpage
- Return to the External Desktop and open the Scripts folder > Traffic folder > HTTP.sh
- Select Run in Terminal
- Your output should look like this. Firewall is blocking traffic on port 80
- Get back to the Firewall GUI in the Enterprise (You may need to re-authenticate using root/aspring2013):
- Select Networking > Incoming
- Enter Port: 80 and Destination IP: 192.168.1.20 > Comment: Allow Traffic on Port 80 to Webserver > Leave Enabled Checkbox Checked > Click Add
- Your current rule should look like this:
- On External open the web browser and go to web address: infa620.umuc.com
- If you see this page you have successfully allowed External traffic access to your Enterprise webserver.
- On External desktop click Scripts > Traffic > http.sh > Run in Terminal
- Your output should look like this:
- This means that 5 packets successfully reached the webserver on the Enterprise network through Firewall.
- (50 Points) On your own you will now create 6 more port forwarding rules on Firewall to allow the following protocols to reach the proper address on the Internal network.
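To see why the Traffic scripts fail before each rule is added and succeed afterwards, here is an added example (not part of the lab handout and not Smoothwall's code) that models the two policies practised above: the “Blocked with Exceptions” outgoing whitelist and the incoming port forward to the 192.168.1.20 web server. The packet addresses, the GREEN_NET prefix and the helper names are constructed assumptions; the real firewall enforces the same decisions with iptables rules generated by the GUI.

```python
# Added example: a small model of the lab's Smoothwall policy, default-deny
# outbound from GREEN with port exceptions, and port forwarding on RED.
# GREEN_NET, the sample addresses and helper names are assumptions for illustration.
from dataclasses import dataclass, field

GREEN_NET = "192.168.1."      # enterprise side; 192.168.1.20 is the lab's web server
PUBLIC_IP = "100.100.0.1"     # the enterprise's single public address (from the lab)


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Firewall:
    # "Blocked with Exceptions": outbound dst ports explicitly allowed (whitelist);
    # iptables shape: -A FORWARD -i <green> -o <red> -p tcp --dport 80 -j ACCEPT
    outgoing_exceptions: set = field(default_factory=set)
    # Incoming: RED dport -> internal host (DNAT); everything else on RED is dropped
    port_forwards: dict = field(default_factory=dict)

    def decide(self, pkt):
        """Return (verdict, final destination host) for one packet."""
        if pkt.src.startswith(GREEN_NET):                 # GREEN -> RED (outgoing)
            allowed = pkt.dport in self.outgoing_exceptions
            return ("ALLOW" if allowed else "DENY"), pkt.dst
        if pkt.dst == PUBLIC_IP and pkt.dport in self.port_forwards:   # RED -> GREEN
            return "FORWARD", self.port_forwards[pkt.dport]   # rewritten to internal host
        return "DENY", None                               # implicit deny on RED

    def delivered(self, pkt, count=5):
        """Like the Traffic scripts: send `count` packets, return how many got through."""
        return sum(1 for _ in range(count) if self.decide(pkt)[0] != "DENY")


def lab_walkthrough():
    fw = Firewall()
    http_out = Packet("192.168.1.50", "100.100.0.100", 80)   # constructed: Enterprise HTTP.sh
    before = fw.delivered(http_out)                          # 0 of 5: implicit deny
    fw.outgoing_exceptions.add(80)                           # "Allow HTTP to External"
    after = fw.delivered(http_out)                           # 5 of 5
    http_in = Packet("100.100.0.200", PUBLIC_IP, 80)         # constructed: External HTTP.sh
    blocked, _ = fw.decide(http_in)                          # DENY: no forward rule yet
    fw.port_forwards[80] = "192.168.1.20"                    # "Allow Traffic on Port 80 to Webserver"
    verdict, host = fw.decide(http_in)                       # FORWARD to 192.168.1.20
    ssh_in = fw.decide(Packet("100.100.0.200", PUBLIC_IP, 22))[0]   # other ports still DENY
    return before, after, blocked, verdict, host, ssh_in
```

Each of the 6 incoming and 7 outgoing rules you add on your own corresponds to one more entry in `port_forwards` or `outgoing_exceptions`; anything you forget stays implicitly denied.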