HackFest: Linux Firewall ISO's or "Debunking Cable/DSL Modem/RouterMarketing Myths" - April 11, 2009

Lisa Kachold lisakachold at obnosis.com
Sun Apr 5 01:01:19 MST 2009


Saturday (see that little blurb below) is the hackfest.

I will try to get it going again for all you shut-ins!

Obnosis | (503)754-4452




PLUG Linux Security Labs 2nd Saturday Each Month at Noon - 3PM

From: boneal at cornerstonehome.com
To: plug-discuss at lists.plug.phoenix.az.us
Subject: RE: HackFest: Linux Firewall ISO's or "Debunking Cable/DSL	Modem/RouterMarketing Myths" - April 11, 2009
Date: Sat, 4 Apr 2009 19:51:19 -0700

Why yes, I fit one of those qualifications for line item 6. I would love to view the net cast. When can I expect the details, so I can put it on my calendar?



From: plug-discuss-bounces at lists.plug.phoenix.az.us [mailto:plug-discuss-bounces at lists.plug.phoenix.az.us] On Behalf Of Lisa Kachold
Sent: Saturday, April 04, 2009 1:55 AM
To: plug-discuss at lists.plug.phoenix.az.us
Subject: HackFest: Linux Firewall ISO's or "Debunking Cable/DSL Modem/RouterMarketing Myths" - April 11, 2009


April HackFest: Firewall ISOs or Debunking Cable/DSL Modem/Router Marketing Myths

Join us at UAT.edu, 2625 W. Baseline Rd., Tempe, AZ 85283-1056, from noon until 3PM (or whenever we all wander off) for a lab session centered around cable/DSL security and Linux box firewall engineering.

While we all totally love our WRT54s running http://openwrt.org/ and other teensy distros, not everyone can configure an industry-stable firewall solution from the command line that provides real protection from all the various high-level security issues we, as Linux users and implementers, must be cognizant of while working professionally or interacting in security and IRC community endeavors. DynamicDNS works wonderfully with a Linux ISO firewall solution.

So we will build a Linux firewall from an ISO onto a box with multiple network interfaces, configure it, then set it up for various uses.

At the end of the day, we will have an enterprise-ready firewall solution to "plug" into DSL or cable that can provide VPN, secure shell (using source and destination controls), various physically unique subnets, and comprehensive logging, including SNORT/Squid (and more). Can you say "HoneyPot"?

Are you dying for a nice 1000GB solution for your home network, but don't want to pay for a Cisco Business Solution (aka LinkSys)? GigE cards are cheap, starting at about $24.00! You can have as many cards (and even separate NAT networks) as your PCI bus allows! Check for driver version in your distro before purchase.

This is a solution that cannot be easily fuzzed, buffer overflowed, or hijacked (unlike OpenWRT, Linksys and Netgear firmware), <caveat> when properly configured and maintained. Script kiddies and bots will not be lurking out there waiting to pounce as soon as you reset the configuration or update the firmware; netcat/nmap scanners pretending to originate from China will be seriously disappointed when they meet with a three-zone solution comparable to a Cisco 4500 (without all the known exploits inherent in Cisco IOS).

Easy-peasy configuration wizards are all a part of such a multi-zone FOSS Linux firewall.

Bring your old towers, extra network cards, and, if you like, choose any security ISO to burn for installation on your box (be careful to note the CD/DVD match to source), or just watch and work along with us as we build and demo various solutions:

1) LiveCD

http://www.wifi.com.ar/english/cdrouter/

This is a sweet solution, since it's variously source-static (they can't rootkit it; you just reboot); configurations can be saved to a USB jumpdrive. It's small and fast and runs a version of Shorewall. Not sure of the robustness of the installation, or the driver list for your hardware; see the site for more information. PLUG members can always assist to get your xorg.conf set up. Bring your jumpdrive for persistent data you don't want to have to recreate all the time.

http://www.wifi.com.ar/download/livecdrouter/

This is not the state-of-the-art solution SmoothWall is, but it does have its s-hexy applications. Many professionals carry one of these firewall LiveCDs along with Knoppix and BT4 in their tool kits, especially on old servers that have CD rather than DVD drives.

2) Ignalum
http://www.ignalum.com/downloads/index.php

3) SmoothWall
http://www.smoothwall.org
http://smoothwall.org/get/index.php
http://www.daniweb.com/tutorials/tutorial14094.html
http://downloads.sourceforge.net/smoothwall/smoothwall-express-3.0-install-guide.pdf

Solid, well-supported solution, hyped to be comparable to a CoyotePoint or Juniper/Cisco ACL; SmoothWall is certainly an OSI bottom-up, industry-standard tool that includes installation wizards for even the novice user! An RFC-compliant internal/external firewall with no rev-ARP, no ARP spoofing, no multicast/Zeroconf/UPnP, URL injection controls, safe PPPoE, no IGMP, GRE tunnels, PPTP passthrough control, VoIP STUN server setups, and XSS stunnel outbound blocking; a firewall solution that can be deployed to provide more than blinky blinky blueness.

SmoothWall also supports wireless cards.

4) IPCop
A surprise guest presenter might be available to show us IPCop from his equipment.
http://www.ipcop.org/

5) Extra Credit
Extra credit discussion will include the very avant-garde (go figure) concepts of "how to bypass the 'cable modem'", or how to create a single networked solution requesting DHCP from cable and DSL providers while providing NAT directly (without the pass-through) to our internal network zone.

No OVERLY EXPENSIVE, UNDER-FUNCTIONAL, proprietary daisy-chained "modems/routers"?

6) Live Cast
We plan to live cast the event for the shut-ins, gas hoarders, and PLUG-sters living the good life in Po-Dunk Arizona.

7) Testing
If we have time, we might get it on via a BT3 mass hack to see what we can get into, while sharing the same network internally and externally.

References:

General Hardware Requirements (from Ignalum)
The following information represents the minimum hardware requirements necessary to successfully install Ignalum (http://www.ignalum.com/downloads/index.php):

CPU:
NOTE: The following CPU specifications are stated in terms of Intel processors. Other processors (notably, offerings from AMD, Cyrix, and VIA) that are compatible with and equivalent to the following Intel processors may also be used with Ignalum Linux.
  Minimum: P6-class x86 CPU
  NOTE: Distro optimized for P6-class x86 CPUs (Pentium Pro/II, Celeron 266-533MHz, original Athlon), and does not support older processors.
  Recommended for text-mode: 200 MHz Pentium Pro or better
  Recommended for graphical: 400 MHz Pentium II or better

Hard Disk Space (NOTE: Additional space will be required for user data):
  Custom Installation (Minimal): 620MB
  Server: 1.1GB
  Personal Desktop: 2.3GB
  Workstation: 3.0GB
  Custom Installation (Everything): 6.9GB

Memory:
  Minimum for text-mode: 64MB
  Minimum for graphical: 192MB
  Recommended for graphical: 256MB

A good used Dell with a sufficient PCI card bus should be sufficient. Remember not to be miserly when it comes to choosing hardware for your firewall and remote access machine.


Exploit References:  

http://www.gnucitizen.org/blog/flash-upnp-attack-faq/
http://www.gnucitizen.org/blog/hacking-with-upnp-universal-plug-and-play/
https://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=8676
http://www.asininemonkey.com/netgear-dg834gt-hacking.html
http://openwrt.org/
http://www.dd-wrt.com/
http://radar.oreilly.com/2008/06/hacking-tcpip-to-support-locat.html
http://www.linuxfocus.org/English/January2001/article144.shtml
http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=hacking+netgear+router&btnG=Searc
http://mcse.mvps.org/legacy/howto.html
http://homepage.ntlworld.com/robin.d.h.walker/cmtips/basicset.html
http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html
http://www.derkeiler.com/Mailing-Lists/Securiteam/2002-06/0074.html
http://wareseeker.com/free-bypass-any-firewall/

Obnosis | (503)754-4452
PLUG Linux Security Labs 2nd Saturday Each Month at Noon - 3PM




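A plain iptables rendering of the three-zone, NAT-on-DHCP setup the announcement describes (WAN leased from the provider, trusted LAN, DMZ, ssh to the firewall only from one admin host, no IGMP/multicast/UPnP from outside, every drop logged), as an added example that is not code from the original post or from any of the ISOs it lists; the interface names, subnets and admin address are assumed placeholders for your own box.

```shell
#!/bin/sh
# Three-zone (WAN/LAN/DMZ) iptables policy: NAT behind a DHCP-assigned WAN
# address, ssh to the firewall from one admin host only, anti-spoofing,
# no IGMP/multicast/UPnP from outside, and rate-limited logging of drops.
# Interface names, subnets and admin host are constructed placeholders.
WAN="${WAN:-eth0}"   # ISP side; address comes via DHCP from the cable/DSL provider
LAN="${LAN:-eth1}"   # trusted internal zone
DMZ="${DMZ:-eth2}"   # semi-trusted zone (exposed services, honeypot)
LAN_NET="${LAN_NET:-192.168.10.0/24}"
DMZ_NET="${DMZ_NET:-192.168.20.0/24}"
ADMIN_HOST="${ADMIN_HOST:-192.168.10.5}"   # only LAN host allowed to ssh in

# Print the rule set rather than applying it, so it can be reviewed first.
gen_rules() {
  cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -N LOGDROP   # log (rate-limited) then drop
iptables -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
iptables -A LOGDROP -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $WAN -s $LAN_NET -j LOGDROP   # anti-spoof: inside addresses never arrive on WAN
iptables -A INPUT -i $WAN -s $DMZ_NET -j LOGDROP
iptables -A FORWARD -i $WAN -s $LAN_NET -j LOGDROP
iptables -A FORWARD -i $WAN -s $DMZ_NET -j LOGDROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN -p udp --sport 67 --dport 68 -j ACCEPT   # DHCP lease from the ISP
iptables -A INPUT -i $WAN -p igmp -j LOGDROP
iptables -A INPUT -i $WAN -d 224.0.0.0/4 -j LOGDROP   # multicast / Zeroconf
iptables -A INPUT -i $WAN -p udp --dport 1900 -j LOGDROP   # UPnP SSDP
iptables -A INPUT -i $LAN -s $ADMIN_HOST -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $LAN -p tcp --dport 22 -j LOGDROP   # any other ssh source is logged
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $DMZ -o $WAN -s $DMZ_NET -j ACCEPT
iptables -A FORWARD -i $LAN -o $DMZ -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $DMZ -o $LAN -j LOGDROP   # DMZ may not initiate into the LAN
iptables -A INPUT -j LOGDROP
iptables -A FORWARD -j LOGDROP
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE   # dynamic WAN address, so MASQUERADE not SNAT
EOF
}
# Apply the reviewed rules (needs root and iptables on the box).
apply_rules() { gen_rules | sh -e; }
case "${1:-show}" in apply) apply_rules ;; *) gen_rules ;; esac
```

Run it with no argument to print the policy for review, and with `apply` as root on the firewall box to load it.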