Category:I802 Firewalls and VPN IPSec (2017)

Latest revision as of 17:11, 11 December 2017

Firewalls and VPN/IPSec

General information

ECTS: 4

Lecturer: Lauri Võsandi

To register to this course send your SSH public key to Lauri and state which service you want to configure.

Grading bot is at http://193.40.244.178/static/bot.html

Scenario

In this course we will attempt to set up a network similar to a corporate network with multiple offices, e.g. http://docplayer.it/docs-images/20/596222/images/25-0.png

Our virtual company's story is based on Mom's Friendly Robot Company.

We will use VPN software to connect subnets to each other, and we will use VPN software to connect our personal computers to the intranet.


Hardware

The school's infrastructure provides a public subnet for 62 hosts:

  • IPv4 address: 193.40.244.129-188
  • Subnet: /26
  • Gateway: 193.40.244.189
  • DNS: 8.8.8.8

That network is physically routed to port 413-6-16 in room 413.

We have a total of about 264 GB of RAM and a couple of terabytes of SSD storage:

  • Marek's box HP Proliant G5 2x quadcore Xeon, 64G RAM, 2 NIC-s (hosts 130-139)
  • Madis' box HP Proliant G5, 4x quadcore Opteron, 64GB RAM, 2 NIC-s (hosts 140-149)
  • Erik's box Sun 32GB, 2x 256GB SSD (hosts 155-159)
  • Lauri's box HP Proliant G5 2x quadcore Xeon, 64G RAM, 2 NIC-s, 4x 250G SSD (hosts 160-179)
  • Frank's box DELL 16GB, 2x 256GB SSD, 6 NIC (hosts 180-185)
  • Another Sun box with 24G of RAM, dying hard disks
  • Reserved addresses 186-188

NB! Replace BIOS batteries; replace thermal paste

Grading

If you don't know what to do pick a topic from the services list below. Send your SSH public key to Lauri and state which service you want to take care of.

Collect 100p in total to pass the course; note that there are opportunities to collect many more points in total:

  • Get the service up and running (15p)
  • Configure Let's Encrypt certificates for your service if applicable (15p)
  • Add your service to monitoring at mon.momcorp.eu (15p)
  • Enable log forwarding to log.momcorp.eu, if applicable configure auditing for your service (15p)
  • Configure your service to send e-mails (mail.momcorp.eu) if applicable (15p)
  • Keep the service up and running through the semester (up to -20p)
  • Keep the bad guys out of your servers (up to -30p)
  • Have a disaster recovery plan (up to -20p)
  • Configure layer3 firewall (15p)
  • Configure application firewall(s) if applicable
  • Configure your laptop to connect to intranet using OpenVPN and IPSec (15p)
  • Configure your mobile device to connect to intranet using OpenVPN or IPSec (15p)
  • Configure your service to use authentication from AD (20p)

We will start with services facing the public internet, see what's the worst that can happen in that case, and later migrate some services to intranet only. Some services will retain connectivity to the public internet due to their nature (e.g. OwnCloud, mailserver) and some services will be available only in the intranet (e.g. fileserver).

Services

To support our virtual company in everyday business we need to provide them with a variety of services:

  • www.momcorp.eu - Install webserver/load balancer and create a homepage for the company and link to remaining sites. Olusiji
  • shop.momcorp.eu - Install Magento and add some fictive products like dark matter and neutron star. Sander
  • wiki.momcorp.eu - Install MediaWiki, later integrate with AD. Peep
  • blog.momcorp.eu - Install WordPress, later integrate with AD. Steven
  • chat.momcorp.eu - Install IRC server, provide multiple channels for developers. Install some web-based software for customer helldesk. Ardi
  • ns1.momcorp.eu - Primary Bind9 installation, later also add DNSSEC. Erik J
  • ns2.momcorp.eu - Secondary Bind9 installation in another physical host. ???
  • git.momcorp.eu - Gogs installation. Farhan
  • mon.momcorp.eu - Nagios monitoring. Nika
  • mail.momcorp.eu - Mailserver with Postfix (postfw, greylisting, DKIM, SPF, set up a secondary MX), later with AD integration if Exchange won't be used. Andris
  • ca.momcorp.eu - Java servlet container, EJBCA installation for certificate management. Masaki
  • nas.momcorp.eu - Samba fileserver. Hindrek
  • log.momcorp.eu - Graylog or similar for central logging. Kaspar, Sten-Erik
  • vpn.momcorp.eu - OpenVPN gateway. Moira
  • cs.momcorp.eu - Teamspeak and/or gaming server for entertainment. Christopher

Additionally, for each physical box listed under Hardware we could set up:

  • Person responsible for the hypervisor on that box
  • Virtual machine with router OS - Mikrotik RouterOS, Vyatta, pfsense or just vanilla Debian with shell scripts

Other topics:

  • Mikus - Remote management: Puppet master, DSC, postfix with kerberos (and AD?)
  • Strongswan gateway
  • OpenVPN gateway, later AD integration
  • Exchange
  • failover/high availability (heartbeat)
  • db clusters/shards/replication (mysql/mariadb)
  • clustered filesystems/servers (clvm, corosync, fenced, gfs)
  • web caches (varnish, squid, nginx)
  • load balancing (haproxy, nginx, simple roundrobin)

Lectures

Following lectures are planned:

  • 7. sept - Intro, virtualization, containers etc. Relevant story: https://lauri.xn--vsandi-pxa.com/lan/virtualization.html
  • 14. sept - Network topology, bridges, tagging, trunking, subnetting, LAN, WAN
  • 21. sept - iptables, ebtables, packet forwarding, DNAT, SNAT, routing tables, ephemeral ports, listening ports. Slides: https://docs.google.com/presentation/d/1XMISOg88BJ0Dy8o3r8ZL9cxFT0oZZKDqPZ2EaWJRqFQ/edit?usp=sharing
  • 28. sept - X.509 certificates, certificate authority, TLS, symmetric, asymmetric, key exchange, Let's Encrypt. Slides: https://docs.google.com/presentation/d/1kqTyhhUu5CfwODmOTIC7odhlYfeEeJALTd4RX7XhPLE/edit?usp=sharing
  • 30. nov - AD auth. Slides: https://docs.google.com/presentation/d/1aXtreUS2YD9vlsngVUSr_ZaXdrQv37zCRtc51TSGjPI/edit?usp=sharing

Order to be determined:

  • OpenVPN
  • IPSec
  • TBD, there are a lot of topics to discuss

Firewall rules

You can load these rules by running the iptables-restore command, pasting the rules into the terminal and pressing Ctrl-D.

To make the rules persistent on your box, install the netfilter-persistent package; the rules will be stored at /etc/iptables/rules.v4.

<syntaxhighlight lang="iptables">
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -m comment --comment "Hide VPN addresses from LAN" -j MASQUERADE
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow returning packets" -j ACCEPT
-A INPUT -i eth1 -m comment --comment "Allow traffic from LAN" -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -m comment --comment "Allow loopback" -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "Allow ping" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "Allow SSH" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -m comment --comment "Allow Nika\'s Monitoring" -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow returning packets" -j ACCEPT
-A FORWARD -i tun0 -o eth1 -m comment --comment "Allow from VPN to LAN" -j ACCEPT
COMMIT
</syntaxhighlight>
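Before loading a DROP-policy ruleset over SSH it is worth checking what the chains will do to the packets you care about. The following evaluator is an added example, not part of the wiki page: it parses the *filter table above (iptables-save format) and walks a chain top to bottom for a packet described as a dict with the keys iif, oif, proto, dport, icmp_type, state and src (key names chosen here, not iptables terms).

```python
import ipaddress
import shlex

# *filter table of the ruleset above (iptables-save format), embedded here as the input.
FILTER_RULES = r"""*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow returning packets" -j ACCEPT
-A INPUT -i eth1 -m comment --comment "Allow traffic from LAN" -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -m comment --comment "Allow loopback" -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "Allow ping" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "Allow SSH" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -m comment --comment "Allow Nika\'s Monitoring" -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow returning packets" -j ACCEPT
-A FORWARD -i tun0 -o eth1 -m comment --comment "Allow from VPN to LAN" -j ACCEPT
COMMIT"""

def parse_filter(text):
    """Return ({chain: policy}, [(chain, {option: value}, target), ...]) from iptables-save text."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):                      # chain policy line, e.g. ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A"):                   # append rule; every option used here takes one value
            argv = shlex.split(line)
            opts = {argv[i]: argv[i + 1] for i in range(2, len(argv) - 1, 2)}
            rules.append((argv[1], opts, opts.pop("-j")))
    return policies, rules

def matches(opts, pkt):
    """True if every match option of the rule agrees with the packet; options absent from the rule are wildcards."""
    checks = {
        "-i": lambda v: pkt.get("iif") == v,
        "-o": lambda v: pkt.get("oif") == v,
        "-p": lambda v: pkt.get("proto") == v,
        "-s": lambda v: ipaddress.ip_address(pkt.get("src", "0.0.0.0")) in ipaddress.ip_network(v),
        "--dport": lambda v: pkt.get("dport") == int(v),
        "--icmp-type": lambda v: pkt.get("icmp_type") == int(v),
        "--ctstate": lambda v: pkt.get("state") in v.split(","),
    }   # -m and --comment carry no packet criteria and are skipped
    return all(checks[o](v) for o, v in opts.items() if o in checks)

def verdict(chain, pkt, ruleset=FILTER_RULES):
    """Walk the chain top to bottom like netfilter: the first matching rule wins, else the chain policy applies."""
    policies, rules = parse_filter(ruleset)
    for rule_chain, opts, target in rules:
        if rule_chain == chain and matches(opts, pkt): return target
    return policies[chain]
```

Two things the walk makes visible: TCP 22 and 5666 are accepted from any source on any interface, and no UDP packet on the public interface matches anything, so a VPN listener there needs its own ACCEPT rule before these rules are loaded.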
