Category:I802 Firewalls and VPN IPSec (2017)

From EIK wiki

Firewalls and VPN/IPSec

General information

ECTS: 4

Lecturer: Lauri Võsandi

To register to this course send your SSH public key to Lauri and state which service you want to configure.

Grading bot is at http://193.40.244.178/static/bot.html

Scenario

In this course we will attempt to set up a network similar to a corporate network with multiple offices, eg http://docplayer.it/docs-images/20/596222/images/25-0.png

Our virtual company's story is based on Mom's Friendly Robot Company.

We will use VPN software to connect subnets to each other and we will use VPN software to connect our personal computers to the intranet.


Hardware

School's infra provides with public subnet for 62 hosts:

  • IPv4 address: 193.40.244.129-188
  • Subnet: /26
  • Gateway: 193.40.244.189
  • DNS: 8.8.8.8

That network is physically routed to 413-6-16 port in room 413.

We have total of about 264GB of RAM and couple of terabytes of SSD storage:

  • Marek's box HP Proliant G5 2x quadcore Xeon, 64G RAM, 2 NIC-s (hosts 130-139)
  • Madis' box HP Proliant G5, 4x quadcore Opteron, 64GB RAM, 2 NIC-s (hosts 140-149)
  • Erik's box Sun 32GB, 2x 256GB SSD (hosts 155-159)
  • Lauri's box HP Proliant G5 2x quadcore Xeon, 64G RAM, 2 NIC-s, 4x 250G SSD (hosts 160-179)
  • Frank's box DELL 16GB, 2x 256GB SSD, 6 NIC (hosts 180-185)
  • Another Sun box with 24G of RAM, dying harddisks
  • Reserved addresses 186-188

NB! Replace BIOS batteries; replace thermal paste

Grading

If you don't know what to do pick a topic from the services list below. Send your SSH public key to Lauri and state which service you want to take care of.

Collect 100p in total to pass the course, note that there are opportunities to collect much more points in total:

  • Get the service up and running (15p)
  • Configure Let's Encrypt certificates for your service if applicable (15p)
  • Add your service to monitoring at mon.momcorp.eu (15p)
  • Enable log forwarding to log.momcorp.eu, if applicable configure auditing for your service (15p)
  • Configure your service to send e-mails (mail.momcorp.eu) if applicable (15p)
  • Keep the service up and running through the semester (up to -20p)
  • Keep the bad guys out from your servers (up to -30p)
  • Have a disaster recovery plan (up to -20p)
  • Configure layer3 firewall (15p)
  • Configure application firewall(s) if applicable
  • Configure your laptop to connect to intranet using OpenVPN and IPSec (15p)
  • Configure your mobile device to connect to intranet using OpenVPN or IPSec (15p)
  • Configure your service to use authentication from AD (20p)

We will start with services facing the public internet, see what's the worst that can happen in that case and later migrate some services to intranet only. Some services will retain connectivity to public internet due to their nature (eg OwnCloud, mailserver) and some services will be available only in the intranet (eg fileserver)

Services

To support our virtual company in everyday business we need to provide them with a variety of services:

  • www.momcorp.eu - Install webserver/load balancer and create a homepage for the company and link to remaining sites. Olusiji
  • shop.momcorp.eu - Install Magento and add some fictive products like dark matter and neutron star. Sander
  • wiki.momcorp.eu - Install MediaWiki, later integrate with AD. Peep
  • blog.momcorp.eu - Install WordPress, later integrate with AD. Steven
  • chat.momcorp.eu - Install IRC server, provide multiple channels for developers. Install some web based software for customer helldesk. Ardi
  • ns1.momcorp.eu - Primary Bind9 installation, later also add DNSSEC. Erik J
  • ns2.momcorp.eu - Secondary Bind9 installation in another physical host. ???
  • git.momcorp.eu - Gogs installation. Farhan
  • mon.momcorp.eu - Nagios monitoring. Nika
  • mail.momcorp.eu - Mailserver with Postfix (postfw, greylisting, dkim, spf, setup secondary mx), later with AD integration if exchange won't be used. Andris
  • ca.momcorp.eu - Java servlet container, EJBCA installation for certificate management. Masaki
  • nas.momcorp.eu - Samba fileserver. Hindrek
  • log.momcorp.eu - Graylog or similar for central logging. Kaspar, Sten-Erik
  • vpn.momcorp.eu - OpenVPN gateway. Moira
  • cs.momcorp.eu - Teamspeak and/or gaming server for entertainment. Christopher

Additionally for each physical box listed under Hardware we could set up:

  • Person responsible for the hypervisor on that box
  • Virtual machine with router OS - Mikrotik RouterOS, Vyatta, pfsense or just vanilla Debian with shell scripts

Other topics:

  • Mikus - Remote management: Puppet master, DSC, postfix with kerberos (and AD?)
  • Strongswan gateway
  • OpenVPN gateway, later AD integration
  • Exchange
  • failover/high availability (heartbeat)
  • db clusters/shards/replication (mysql/mariadb)
  • clustered filesystems/servers (clvm, corosync, fenced, gfs)
  • web caches (varnish, squid, nginx)
  • load balancing (haproxy, nginx, simple roundrobin)

Lectures

Following lectures are planned:

  • 7. sept - Intro, virtualization, containers etc. Relevant story here
  • 14. sept - Network topology, bridges, tagging, trunking, subnetting, LAN, WAN
  • 21. sept - iptables, ebtables, packet forwarding, DNAT, SNAT, routing tables, empheral ports, listening ports, slides here
  • 28. sept - X.509 certificates, certificate authority, TLS, symmetric, asymmetric, keyexchange, Let's Encrypt, relevant slides here
  • 30. nov - AD auth

Order to be determined:

  • OpenVPN
  • IPSec
  • TBD, there are a lot of topics to discuss

Firewall rules

You can load these rules by running iptables-restore command, pasting the rules to the terminal and pressing Ctrl-D.

To make rules persistent on your box install netfilter-persistent package, the rules will be stored at /etc/iptables/rules.v4

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -m comment --comment "Hide VPN addresses from LAN" -j MASQUERADE
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow returning packets" -j ACCEPT
-A INPUT -i eth1 -m comment --comment "Allow traffic from LAN" -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -m comment --comment "Allow loopback" -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "Allow ping" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "Allow SSH" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -m comment --comment "Allow Nika\'s Monitoring" -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow returning packets" -j ACCEPT
-A FORWARD -i tun0 -o eth1 -m comment --comment "Allow from VPN to LAN" -j ACCEPT
COMMIT

This category currently contains no pages or media.