Wednesday, December 26, 2012

Open Source Firewall Solution... Day 1

So I've been wanting to do this project for a long time but never can seem to find time to get it done.  Nor can I seem to get the hardware available when it is needed.  When people are entering the Information Security field, one of the toughest things to do is get experience working with some of the software and hardware systems out there.  So if you can't get the experience at work, build something at home!

The Final Goal

I am finally working on putting together a UTM (Unified Threat Management) network in my home.  What that means in simple terms is the ability to catch malicious activity as it is happening on my home network and put a stop to it.  It isn't just one product that does this though.  It is typically a layered security approach relying on input from a number of sources: firewall logs, IDS/IPS (Intrusion Detection/Prevention System) alerts, client anti-virus alerts, and whatever other logs you may have at your disposal.  The core component tying this together is a log management system and/or a SIEM (Security Information and Event Management) solution.  In small networks such things may not be needed, but if you enter an enterprise network with thousands of servers, workstations, and network devices, managing events can be very cumbersome.  If not properly staffed, things may fall through the cracks.  It doesn't even need to be malicious; it could be something as simple as a hard drive failure.  A simple log management solution will collect the logs from the many devices, but you still need to parse out the data and try to connect some dots.  The SIEM is the key: it helps with that, and in some cases it can correlate an event with other logs that are being collected (the same source IP showing up in firewall blocks and an IDS alert within a few minutes, for example) and alert on suspicious activity.  So I never really got to put something like this together, since I am currently in a "hands off" position.  I get to plan it out on paper, make some recommendations based on research, but someone else will be tasked to build it.  Frankly I like getting my hands dirty and I like having proof that I know what I am recommending.  So I look at building this stuff in my home lab.  On to the build....
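To make the "connect the dots" part concrete, here is a small added example (not code from the original post and not from pfSense or any SIEM product) of the two correlations a SIEM does for you: spotting one source hammering many blocked ports, and joining an IDS alert to the firewall events from the same source IP inside a time window.  The log lines are constructed for the example in a simplified one-event-per-line format; they are not real pfSense filterlog or Snort output, and the IP addresses, thresholds and window sizes are illustrative assumptions.

```python
"""Toy SIEM-style correlation over constructed firewall and IDS log lines.

The log formats below are simplified and constructed for this example; they
are NOT the real pfSense filterlog or Snort/Suricata alert formats.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed firewall records: date time action src dst dport
FIREWALL_LOG = """\
2012-12-26 22:01:03 block 203.0.113.7 192.168.10.1 22
2012-12-26 22:01:04 block 203.0.113.7 192.168.10.1 23
2012-12-26 22:01:05 block 203.0.113.7 192.168.10.1 3389
2012-12-26 22:01:06 block 203.0.113.7 192.168.10.1 445
2012-12-26 22:05:10 pass 192.168.10.25 198.51.100.9 443
2012-12-26 22:30:00 block 198.51.100.44 192.168.10.1 22
"""

# Constructed IDS alerts: date time <signature text> src dst
IDS_LOG = """\
2012-12-26 22:01:20 ET SCAN Nmap SYN scan 203.0.113.7 192.168.10.1
2012-12-26 22:07:00 ET POLICY Outbound TLS to rare port 192.168.10.25 198.51.100.9
"""


def parse_firewall(text):
    """Parse the constructed firewall format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, action, src, dst, dport = line.split()
        events.append({"time": datetime.strptime(f"{date} {clock}", TS_FORMAT),
                       "action": action, "src": src, "dst": dst, "dport": int(dport)})
    return events


def parse_ids(text):
    """Parse the constructed IDS format; the signature text may contain spaces,
    so the last two fields are split off from the right."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, rest = line.split(" ", 2)
        sig, src, dst = rest.rsplit(" ", 2)
        alerts.append({"time": datetime.strptime(f"{date} {clock}", TS_FORMAT),
                       "sig": sig, "src": src, "dst": dst})
    return alerts


def find_port_sweeps(events, window=timedelta(seconds=60), min_ports=4):
    """Return {src: sorted ports} for sources whose *blocked* connections hit
    at least min_ports distinct destination ports within one window."""
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "block":
            by_src[e["src"]].append(e)
    sweeps = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):  # slide the window start over each event
            ports = {e["dport"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(ports) >= min_ports:
                sweeps[src] = sorted(ports)
                break
    return sweeps


def correlate(fw_events, ids_alerts, window=timedelta(seconds=300)):
    """Join each IDS alert to firewall events from the same source IP whose
    timestamp lies within +/- window of the alert. Alerts with no matching
    firewall traffic are dropped; the caller decides how to rank the rest."""
    hits = []
    for alert in ids_alerts:
        related = [e for e in fw_events
                   if e["src"] == alert["src"] and abs(e["time"] - alert["time"]) <= window]
        if related:
            hits.append({"sig": alert["sig"], "src": alert["src"],
                         "fw_total": len(related),
                         "fw_blocks": sum(e["action"] == "block" for e in related)})
    return hits


if __name__ == "__main__":
    fw = parse_firewall(FIREWALL_LOG)
    ids = parse_ids(IDS_LOG)
    for src, ports in find_port_sweeps(fw).items():
        print(f"port sweep from {src}: blocked on ports {ports}")
    for hit in correlate(fw, ids):
        print(f"IDS '{hit['sig']}' from {hit['src']}: "
              f"{hit['fw_blocks']} blocked of {hit['fw_total']} firewall events nearby")
```

Run stand-alone it reports one sweep (203.0.113.7 across four ports in a few seconds) and two alert-to-firewall joins; the scan alert is backed by four blocks, while the outbound TLS alert is backed only by a passed connection, which is the kind of context that lets you triage the first one ahead of the second.  A real deployment swaps the two parsers for the firewall's and IDS's actual formats and keeps the correlation logic.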

What is needed to get started...

Using the following site for guidance: Build your own IDS Firewall with pfsense.  We will be using the open source firewall solution called pfSense.  My build is actually just the firewall with no guest wireless.  Hardware wise, I will be using a small Micro-ATX system I call my Shoebox.  It is running an Intel Atom board, 2GB of RAM, a 250GB 2.5" SATA drive, and a CD-ROM.  It is about the size of a shoe box.  The Atom board runs pretty quiet as well, so if you don't have a dedicated network closet, no big deal.  The system also has two network cards: the on-board NIC and a PCI based Intel Pro 1000.  If you want to follow the linked guide, you will need to have a dual port PCI NIC.

Day 1

Nothing too fancy here since I got started a little late.  You will need to have a keyboard and monitor for this part.  After that, everything is done through either the WebGUI or SSH.  I downloaded the USB boot image of pfSense and used physdiskwrite to image a 4GB flash drive from my Windows desktop.  For anything greater than 2GB, you will need to use the "-u" switch with the command, and you will need to run the command prompt as Admin in order to see the drives.  pfSense is now bootable from the flash drive.  At that point I fired up Shoebox with the USB connected and followed the Default startup mode.  You can pretty much let it boot with the defaults.  It will take you through the interface configurations.  From here I strayed from the guide since I was not yet ready to connect to the "WAN" (my cable modem).  So I just popped the ethernet cable between each interface as I was prompted.  I did find that the auto-config was not exactly picking up the interface, so I had to manually enter the name.  You will see this during the first request to auto-configure ("a").  In my case the Intel PCI NIC was "em0" and the Realtek on-board NIC was "re0".  Once the network configuration was complete, you will see the pfSense menu.  Before I proceeded, I reset the LAN interface since it uses 192.168.1.1 by default.  I switched it to reflect my current network by using option #2 from the menu - Set Interface(s) IP Address.  I then chose to install to hard drive.  Basically this part takes the configuration held in RAM and builds the image onto the local hard drive.  Use the Quick/Easy Install method.  My first attempt led to some annoying boot errors with ACPI.

Once the installation completes, you are given the default username/password and the WebGUI address https://<LAN_IP_Address>/.  It will use a self-signed cert so you will see a warning when you first connect.  You can always add the cert to your trusted list (which at least pins it, so the browser will warn again if it ever changes) or you can be a real go-getter and get your own trusted cert from a third party.  But that costs extra and I am a little lazy.  After finishing up changing the default admin password and adding a normal user for SSH access later on, I pretty much called it a night.  Tomorrow I will move the device to the WAN and test connectivity.  Then I will create some firewall rules and get SSH working (for internal use).  Stay tuned....