HackFest: Linux Firewall ISOs or "Debunking Cable/DSL Modem/Router Marketing Myths" - April 11, 2009

Bryan O'Neal boneal at cornerstonehome.com
Sat Apr 4 19:51:19 MST 2009


Why yes, I fit one of those qualifications for line item 6. I would love to
view the net cast. When can I expect the details, so I can put it on my
calendar?

  _____  

From: plug-discuss-bounces at lists.plug.phoenix.az.us
[mailto:plug-discuss-bounces at lists.plug.phoenix.az.us] On Behalf Of Lisa
Kachold
Sent: Saturday, April 04, 2009 1:55 AM
To: plug-discuss at lists.plug.phoenix.az.us
Subject: HackFest: Linux Firewall ISOs or "Debunking Cable/DSL
Modem/Router Marketing Myths" - April 11, 2009


April HackFest: Firewall ISOs or Debunking Cable/DSL Modem/Router Marketing
Myths

Join us at UAT.edu, 2625 W. BASELINE RD., TEMPE, AZ 85283-1056,
noon until 3PM (or whenever we all wander off) for a lab session centered
around cable/DSL security and Linux box firewall engineering.

While we all totally love our WRT54s running http://openwrt.org/ and other
teensy distros, not everyone can configure an industry-stable firewall
solution from the command line that provides real protection from all the
various high-level security issues we, as Linux users and implementers, must
be cognizant of while working professionally or interacting in security
and IRC community endeavors. DynamicDNS works wonderfully with a Linux ISO
firewall solution.

So we will build a Linux firewall from an ISO, onto a box with multiple
network interfaces, configure it, then set it up for various uses.

At the end of the day, we will have an enterprise-ready firewall solution to
"plug" to DSL or cable that can provide VPN, secure shell (using source and
destination controls), various physically unique subnets, and comprehensive
logging, including SNORT/Squid (and more). Can you say "HoneyPot"?

Are you dying for a nice 1000GB solution for your home network, but don't
want to pay for a Cisco Business Solution (aka LinkSys)?  GigE Cards are
cheap starting at about $24.00!
You can have as many cards (and even separate NAT networks) as your PCI bus
allows!  Check for driver version in your distro before purchase.

This is a solution that cannot be easily fuzzed, buffer overflowed, or
hijacked (unlike OpenWRT, Linksys and Netgear firmware), <caveat> when
properly configured and maintained. Script kiddies and bots will not be
lurking out there waiting to pounce as soon as you reset the configuration
or update the firmware; netcat/nmap scanners pretending to originate from
China will be seriously disappointed when they meet with a three-zone
solution, comparable to a Cisco 4500 (without all the known exploits inherent
in Cisco IOS).

Easy peasy configuration wizards are all a part of such a multi-zone FOSS
Linux firewall.  

Bring your old towers, extra network cards, and if you like, choose any
security ISO to burn for installation on your box (be careful to note CD/DVD
match to source) or just watch and work along with us as we build and demo
various solutions:

1) LiveCD 
http://www.wifi.com.ar/english/cdrouter/

This is a sweet solution, since it's variously source static (they can't
rootkit - you just reboot); configurations can be saved to Jumpdrive USB.
It's small and fast and runs a version of Shorewall.  Not sure of the
robustness of the installation, or the driver list for your hardware - see
the site for more information. PLUG members can always assist in getting your
xorg.conf set up. Bring your jumpdrive for persistent data you don't want to
have to recreate all the time.
  
http://www.wifi.com.ar/download/livecdrouter/

This is not the state-of-the-art solution SmoothWall is, but it does have
its s-hexy applications. Many professionals carry one of these Firewall
LiveCDs along with Knoppix and BT4 in their tool kits, especially where
they don't have DVDs in favor of CDs on old servers.

2) Ignalum
http://www.ignalum.com/downloads/index.php

3) SmoothWall 
http://www.smoothwall.org http://smoothwall.org/get/index.php
http://www.daniweb.com/tutorials/tutorial14094.html

http://downloads.sourceforge.net/smoothwall/smoothwall-express-3.0-install-guide.pdf

Solid, well-supported solution, hyped to be comparable to a CoyotePoint or
Juniper/Cisco ACL; Smoothwall is certainly an OSI bottom-up, industry
standard tool that includes installation wizards for even the novice user!
An RFC-compliant internal/external, no rev-arp, no-arp spoof, no
multicast/Zeroconf/UPnP, URL injection controls, safe PPPoE, no IGMP, GRE
tunnels, PPTP passthrough control, VoIP STUN server setups, XSS stunnel
outbound blocking; a firewall solution that can be deployed to provide more
than blinky blinky blueness.

Smoothwall also supports Wireless cards.

4) IPCop
Surprise guest presenter might be available to show us IPCop from his
equipment.
http://www.ipcop.org/

5) Extra Credit
Extra credit discussion will include the very avant-garde (go figure)
concepts of "how to bypass the 'cable modem'" or how to create a single
networked solution, requesting DHCP from cable and DSL providers while
providing NAT directly (without the pass-through) to our internal network
zone.

No OVERLY EXPENSIVE, UNDER FUNCTIONAL, proprietary daisy chained
"modems/routers"?

6) Live Cast
We plan to live cast the event for the shut-ins, gas hoarders, and
plug-sters living the good life in Po-Dunk Arizona.

7) Testing
If we have time, we might get it on via a BT3 mass hack to see what we can
get into, while sharing the same network internally and externally.

References:

General Hardware Requirements (from Ignalum)

The following information represents the minimum hardware requirements
necessary to successfully install Ignalum
(http://www.ignalum.com/downloads/index.php):

CPU:
NOTE: The following CPU specifications are stated in terms of Intel
processors. Other processors (notably, offerings from AMD, Cyrix, and VIA)
that are compatible with and equivalent to the following Intel processors
may also be used with Ignalum Linux.

*	Minimum: P6-class x86 CPU
	NOTE: Distro optimized for P6-class x86 CPUs (Pentium Pro/II, Celeron
	266-533MHz, original Athlon), and does not support older processors.

*	Recommended for text-mode: 200 MHz Pentium PRO or better 

*	Recommended for graphical: 400 MHz Pentium II or better

Hard Disk Space (NOTE: Additional space will be required for user data):


*	Custom Installation (Minimal): 620MB 

*	Server: 1.1GB 

*	Personal Desktop: 2.3GB 

*	Workstation: 3.0GB 

*	Custom Installation (Everything): 6.9GB

Memory:


*	Minimum for text-mode: 64MB 

*	Minimum for graphical: 192MB 

*	Recommended for graphical: 256MB


A good used Dell with sufficient PCI card bus should be sufficient.
Remember not to be miserly when it comes to choosing hardware for your
firewall, and remote access machine. 

Exploit References:  
http://www.gnucitizen.org/blog/flash-upnp-attack-faq/
http://www.gnucitizen.org/blog/hacking-with-upnp-universal-plug-and-play/
https://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=8676
http://www.asininemonkey.com/netgear-dg834gt-hacking.html
http://openwrt.org/
http://www.dd-wrt.com/
http://radar.oreilly.com/2008/06/hacking-tcpip-to-support-locat.html
http://www.linuxfocus.org/English/January2001/article144.shtml
http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=hacking+netgear+router&btnG=Searc
http://mcse.mvps.org/legacy/howto.html
http://homepage.ntlworld.com/robin.d.h.walker/cmtips/basicset.html
http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html
http://www.derkeiler.com/Mailing-Lists/Securiteam/2002-06/0074.html
http://wareseeker.com/free-bypass-any-firewall/

Obnosis <http://www.obnosis.com/> | (503)754-4452
PLUG <http://plug.phoenix.az.us> Linux <http://uat.edu/> Security
Labs 2nd Saturday Each Month at Noon - 3PM
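The announcement above talks about a three-zone Linux firewall on a multi-NIC box, SSH with source controls, comprehensive logging, and (in the extra-credit item) taking DHCP from the provider on the outside interface while NATing directly for the internal zone. The script below is an added example of what that policy looks like as an iptables-restore ruleset; it is not code from the PLUG announcement, SmoothWall, or IPCop. The zone names follow SmoothWall's red/green/orange convention; the interface names (eth0/eth1/eth2), subnets, the admin host 192.168.1.10 and the DMZ web server 192.168.2.80 are constructed assumptions to be replaced for real hardware. Running it with no arguments prints the ruleset; `--check` runs the policy self-checks; `--apply` (as root) enables forwarding and loads the ruleset atomically.

```shell
#!/bin/sh
# Added example (not from the announcement or any firewall distro): build a
# three-zone iptables-restore ruleset. red = WAN (DHCP client toward the
# cable/DSL provider), green = trusted LAN, orange = DMZ. All names below are
# constructed assumptions; override them via the environment.
RED_IF=${RED_IF:-eth0}
GREEN_IF=${GREEN_IF:-eth1}
ORANGE_IF=${ORANGE_IF:-eth2}
GREEN_NET=${GREEN_NET:-192.168.1.0/24}
ORANGE_NET=${ORANGE_NET:-192.168.2.0/24}
ADMIN_HOST=${ADMIN_HOST:-192.168.1.10}   # the only source allowed to SSH in
DMZ_WEB=${DMZ_WEB:-192.168.2.80}         # DMZ web server published on red

# Emit the complete nat + filter tables. Lines starting with '#' are ignored
# by iptables-restore, so the policy can carry its own commentary.
build_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Publish the DMZ web server on the red (provider-facing) address.
-A PREROUTING -i $RED_IF -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB:80
# NAT directly for everything leaving via red (no second "modem/router" NAT).
-A POSTROUTING -o $RED_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# Rate-limited logging so a scan cannot fill the disk, then drop.
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
-A LOGDROP -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j LOGDROP
# SSH to the firewall itself: green interface AND the admin host only.
-A INPUT -i $GREEN_IF -s $ADMIN_HOST -p tcp --dport 22 -j ACCEPT
# Services the firewall offers to green: DHCP, DNS, ping.
-A INPUT -i $GREEN_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $GREEN_IF -p udp --dport 53 -j ACCEPT
-A INPUT -i $GREEN_IF -p icmp -j ACCEPT
# Replies from the provider's DHCP server to our client on red.
-A INPUT -i $RED_IF -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -j LOGDROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# green may initiate to the internet and to the DMZ.
-A FORWARD -i $GREEN_IF -s $GREEN_NET -o $RED_IF -j ACCEPT
-A FORWARD -i $GREEN_IF -s $GREEN_NET -o $ORANGE_IF -j ACCEPT
# Internet may reach only the published DMZ service (matches the DNAT above).
-A FORWARD -i $RED_IF -o $ORANGE_IF -d $DMZ_WEB -p tcp --dport 80 -j ACCEPT
# DMZ may go out, but never initiate toward green.
-A FORWARD -i $ORANGE_IF -s $ORANGE_NET -o $RED_IF -j ACCEPT
-A FORWARD -i $ORANGE_IF -o $GREEN_IF -j LOGDROP
-A FORWARD -j LOGDROP
COMMIT
EOF
}

# Invariants a practitioner should confirm before loading anything:
# default-deny on INPUT and FORWARD, no DMZ->green ACCEPT, SSH pinned to the
# admin host. Returns 0 when every check holds.
check_policy() {
    rules=$(build_ruleset)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    printf '%s\n' "$rules" | grep -qE "^-A FORWARD -i $ORANGE_IF .*-o $GREEN_IF .*-j ACCEPT" && return 1
    printf '%s\n' "$rules" | grep -q -- "--dport 22 -j ACCEPT" || return 1
    printf '%s\n' "$rules" | grep -E -- "--dport 22 -j ACCEPT" | grep -qv -- "-s $ADMIN_HOST" && return 1
    return 0
}

# Load the ruleset atomically (iptables-restore replaces the tables wholesale,
# so a half-applied policy never exists) after enabling routing between zones.
apply_ruleset() {
    check_policy || { echo "policy check failed; not loading" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    build_ruleset | iptables-restore
}

case "${1:-}" in
    --apply) apply_ruleset ;;
    --check) check_policy && echo "policy checks passed" ;;
    *) build_ruleset ;;
esac
```

The important design point is the split between generating and applying: the ruleset is a plain text artifact that can be diffed, kept under version control, and checked by `check_policy` before it ever touches the kernel, which is what makes "properly configured and maintained" something you can verify rather than hope for.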
