HackFest: Linux Firewall ISO's or "Debunking Cable/DSL Modem/Router Marketing Myths" - April 11, 2009

Lisa Kachold lisakachold at obnosis.com
Sat Apr 4 01:55:01 MST 2009


April HackFest: Firewall ISO's or Debunking Cable/DSL Modem/Router Marketing Myths

Join us at UAT.edu 2625 W. BASELINE RD., TEMPE, AZ 85283-1056
		|
		

Noon until 3PM (or whenever we all wander off) for a lab session centered around cable/DSL security and Linux box firewall engineering.

While we all totally love our WRT54's running http://openwrt.org/ and other teensy distro's, not everyone can configure an industry stable firewall solution from the command line, that provides real protection from all the various high level security issues we, as Linux users and implementers, must be cognizant of, while working professionally, or interacting in security and IRC community endeavors. DynamicDNS works wonderfully with a linux ISO firewall solution.

So we will build a Linux firewall from an ISO, onto a box with multiple network interfaces, configure it, then setup for various uses.

At the end of the day, we will have an enterprise ready firewall solution to "plug" to DSL or cable that can provide VPN, secure shell (using source and destination controls), various physically unique subnets, comprehensive logging, including SNORT/Squid (and more).  Can you say "HoneyPot"?

Are you dying for a nice 1000GB solution for your home network, but don't want to pay for a Cisco Business Solution (aka LinkSys)?  GigE Cards are cheap starting at about $24.00!
You can have as many cards (and even separate NAT networks) as your PCI bus allows!  Check for driver version in your distro before purchase.

This is a solution that cannot be easily fuzzed, buffer overflowed, or hijacked (unlike OpenWRT, Linksys and Netgear firmware), <caveat> when properly configured and maintained.  Script kiddies and bots will not be lurking out there waiting to pounce as soon as you reset the configuration or update the firmware; netcat/nmap scanners pretending to originate from China will be seriously disappointed when they meet with a three zone solution, comparable to Cisco 4500 (without all the known exploits inherent in the cisco IOS).

Easy peasy configuration wizards are all a part of such a multi-zone FOSS Linux firewall.  

Bring your old towers, extra network cards, and if you like, choose any security ISO to burn for installation on your box (be careful to note CD/DVD match to source) or just watch and work along with us as we build and demo various solutions:

1) LiveCD 
http://www.wifi.com.ar/english/cdrouter/

This is a sweet solution, since it's variously source static (they can't rootkit - you just reboot); configurations can be saved to Jumpdrive USB.  It's small and fast and runs a version of Shorewall.  Not sure of the robustness of the installation, or the driver list for your hardware - see the site for more information.  Plug members can always assist to get your Xorg.conf setup.  Bring your jumpdrive for persistent data you don't want to have to recreate all the time?
  
http://www.wifi.com.ar/download/livecdrouter/

This is not the state of the art solution SmoothWall is, but it does have it's s-hexy applications.  Many professionals carry one of these Firewall LiveCD's along with Knoppix, and BT4 in their tool kits, especially where they don't have DVD's in favor of CD's on old servers.

2) Ignalum
http://www.ignalum.com/downloads/index.php

3) SmoothWall 
http://www.smoothwall.org http://smoothwall.org/get/index.php
http://www.daniweb.com/tutorials/tutorial14094.html

http://downloads.sourceforge.net/smoothwall/smoothwall-express-3.0-install-guide.pdf

Solid well supported solution, hyped to be comparable to a CoyotePoint or Juniper/Cisco ACL; Smoothwall is certainly an OSI bottom up, industry standard tool that includes installation wizards for even the novice user!  A RFC compliant internal/external, no rev-arp, no-arp spoof, no multicast/Zeroconf/UPNP, URL injection controls, safe PPOE, no IGMP, GRE Tunnels, ptpp passthrough control, VOIP stun server setups, XSS stunnel outbound blocking; a firewall solution that can be deployed to provide more than blinky blinky blueness.

Smoothwall also supports Wireless cards.

4) IPCop 
Surprise guest presenter might be available to show us IpCop from his equipment.
http://www.ipcop.org/

5) Extra Credit
Extra credit discussion will include the very avante guard (go figure) concepts of "how to bypass the 'cable modem'" or how to create a single networked solution, requesting DHCP from cable and dsl providers while providing NAT directly (without the pass-through) to our internal network zone.

No OVERLY EXPENSIVE, UNDER FUNCTIONAL, proprietary daisy chained "modems/routers"?

6) Live Cast
We plan to  live cast the event for the shut ins, gas hoarders, and plug-sters living the good life in Po-Dunk Arizona.

7) Testing
If we have time, we might get it on via a BT3 mass hack to see what we can get into, while sharing the same network internally and externally.

References: 


General Hardware Requirements (from Ignalum)

      The following information represents the minimum hardware requirements necessary to successfully install (http://www.ignalum.com/downloads/index.php) Ignalum:

      
CPU:

      
NOTE:
The following CPU specifications are stated in terms of Intel
processors. Other processors (notably, offerings from AMD, Cyrix, and
VIA) that are compatible with and equivalent to the following Intel
processors may also be used with Ignalum Linux. 
Minimum: P6-class x86 CPU
 NOTE: Distro optimized for P6-class x86 CPUs (Pentium Pro/II,
Celeron 266-533MHz, original Athlon), and does not support older
processors.Recommended for text-mode: 200 MHz Pentium PRO or betterRecommended for graphical: 400 MHz Pentium II or better

      Hard Disk Space (NOTE: Additional space will be required for user data):
Custom Installation (Minimal): 620MBServer: 1.1GBPersonal Desktop: 2.3GBWorkstation: 3.0GBCustom Installation (Everything): 6.9GB

      Memory:
Minimum for text-mode: 64MBMinimum for graphical: 192MBRecommended for graphical: 256MB
A good used Dell with sufficient PCI card bus should be sufficient.  Remember not to be miserly when it comes to choosing hardware for your firewall, and remote access machine. 

Exploit References:  
http://www.gnucitizen.org/blog/flash-upnp-attack-faq/
http://www.gnucitizen.org/blog/hacking-with-upnp-universal-plug-and-play/
https://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=8676
http://www.asininemonkey.com/netgear-dg834gt-hacking.html
http://openwrt.org/
http://www.dd-wrt.com/
http://radar.oreilly.com/2008/06/hacking-tcpip-to-support-locat.html
http://www.linuxfocus.org/English/January2001/article144.shtml
http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=hacking+netgear+router&btnG=Searc
http://mcse.mvps.org/legacy/howto.html
http://homepage.ntlworld.com/robin.d.h.walker/cmtips/basicset.html
http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html
http://www.derkeiler.com/Mailing-Lists/Securiteam/2002-06/0074.html
http://wareseeker.com/free-bypass-any-firewall/

Obnosis | (503)754-4452




PLUG Linux Security Labs 2nd Saturday Each Month at Noon - 3PM






_________________________________________________________________
Rediscover Hotmail®: Get e-mail storage that grows with you. 
http://windowslive.com/RediscoverHotmail?ocid=TXT_TAGLM_WL_HM_Rediscover_Storage1_042009
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20090404/74be97b7/attachment.htm 


More information about the PLUG-discuss mailing list