April HackFest: Firewall ISO's or Debunking Cable/DSL Modem/Router Marketing
Myths
Join us at UAT.edu 2625 W. BASELINE RD., TEMPE, AZ 85283-1056
|
Noon until 3PM (or whenever we all wander off) for a lab session centered
around cable/DSL security and Linux box firewall engineering.
While we all totally love our WRT54's running http://openwrt.org/ and other
teensy distro's, not everyone can configure an industry stable firewall
solution from the command line, that provides real protection from all the
various high level security issues we, as Linux users and implementers, must be
cognizant of, while working professionally, or interacting in security and IRC
community endeavors. DynamicDNS works wonderfully with a linux ISO firewall
solution.
So we will build a Linux firewall from an ISO, onto a box with multiple network
interfaces, configure it, then setup for various uses.
At the end of the day, we will have an enterprise ready firewall solution to
"plug" to DSL or cable that can provide VPN, secure shell (using source and
destination controls), various physically unique subnets, comprehensive
logging, including SNORT/Squid (and more). Can you say "HoneyPot"?
Are you dying for a nice 1000GB solution for your home network, but don't want
to pay for a Cisco Business Solution (aka LinkSys)? GigE Cards are cheap
starting at about $24.00!
You can have as many cards (and even separate NAT networks) as your PCI bus
allows! Check for driver version in your distro before purchase.
This is a solution that cannot be easily fuzzed, buffer overflowed, or hijacked
(unlike OpenWRT, Linksys and Netgear firmware), <caveat> when properly
configured and maintained. Script kiddies and bots will not be lurking out
there waiting to pounce as soon as you reset the configuration or update the
firmware; netcat/nmap scanners pretending to originate from China will be
seriously disappointed when they meet with a three zone solution, comparable to
Cisco 4500 (without all the known exploits inherent in the cisco IOS).
Easy peasy configuration wizards are all a part of such a multi-zone FOSS Linux
firewall.
Bring your old towers, extra network cards, and if you like, choose any
security ISO to burn for installation on your box (be careful to note CD/DVD
match to source) or just watch and work along with us as we build and demo
various solutions:
1) LiveCD
http://www.wifi.com.ar/english/cdrouter/
This is a sweet solution, since it's variously source static (they can't
rootkit - you just reboot); configurations can be saved to Jumpdrive USB. It's
small and fast and runs a version of Shorewall. Not sure of the robustness of
the installation, or the driver list for your hardware - see the site for more
information. Plug members can always assist to get your Xorg.conf setup.
Bring your jumpdrive for persistent data you don't want to have to recreate all
the time?
http://www.wifi.com.ar/download/livecdrouter/
This is not the state of the art solution SmoothWall is, but it does have it's
s-hexy applications. Many professionals carry one of these Firewall LiveCD's
along with Knoppix, and BT4 in their tool kits, especially where they don't
have DVD's in favor of CD's on old servers.
2) Ignalum
http://www.ignalum.com/downloads/index.php
3) SmoothWall
http://www.smoothwall.org http://smoothwall.org/get/index.php
http://www.daniweb.com/tutorials/tutorial14094.html
http://downloads.sourceforge.net/smoothwall/smoothwall-express-3.0-install-guide.pdf
Solid well supported solution, hyped to be comparable to a CoyotePoint or
Juniper/Cisco ACL; Smoothwall is certainly an OSI bottom up, industry standard
tool that includes installation wizards for even the novice user! A RFC
compliant internal/external, no rev-arp, no-arp spoof, no
multicast/Zeroconf/UPNP, URL injection controls, safe PPOE, no IGMP, GRE
Tunnels, ptpp passthrough control, VOIP stun server setups, XSS stunnel
outbound blocking; a firewall solution that can be deployed to provide more
than blinky blinky blueness.
Smoothwall also supports Wireless cards.
4) IPCop
Surprise guest presenter might be available to show us IpCop from his equipment.
http://www.ipcop.org/
5) Extra Credit
Extra credit discussion will include the very avante guard (go figure) concepts
of "how to bypass the 'cable modem'" or how to create a single networked
solution, requesting DHCP from cable and dsl providers while providing NAT
directly (without the pass-through) to our internal network zone.
No OVERLY EXPENSIVE, UNDER FUNCTIONAL, proprietary daisy chained
"modems/routers"?
6) Live Cast
We plan to live cast the event for the shut ins, gas hoarders, and plug-sters
living the good life in Po-Dunk Arizona.
7) Testing
If we have time, we might get it on via a BT3 mass hack to see what we can get
into, while sharing the same network internally and externally.
References:
General Hardware Requirements (from Ignalum)
The following information represents the minimum hardware requirements
necessary to successfully install (http://www.ignalum.com/downloads/index.php)
Ignalum:
CPU:
NOTE:
The following CPU specifications are stated in terms of Intel
processors. Other processors (notably, offerings from AMD, Cyrix, and
VIA) that are compatible with and equivalent to the following Intel
processors may also be used with Ignalum Linux.
Minimum: P6-class x86 CPU
NOTE: Distro optimized for P6-class x86 CPUs (Pentium Pro/II,
Celeron 266-533MHz, original Athlon), and does not support older
processors.Recommended for text-mode: 200 MHz Pentium PRO or betterRecommended
for graphical: 400 MHz Pentium II or better
Hard Disk Space (NOTE: Additional space will be required for user data):
Custom Installation (Minimal): 620MBServer: 1.1GBPersonal Desktop:
2.3GBWorkstation: 3.0GBCustom Installation (Everything): 6.9GB
Memory:
Minimum for text-mode: 64MBMinimum for graphical: 192MBRecommended for
graphical: 256MB
A good used Dell with sufficient PCI card bus should be sufficient. Remember
not to be miserly when it comes to choosing hardware for your firewall, and
remote access machine.
Exploit References:
http://www.gnucitizen.org/blog/flash-upnp-attack-faq/
http://www.gnucitizen.org/blog/hacking-with-upnp-universal-plug-and-play/
https://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=8676
http://www.asininemonkey.com/netgear-dg834gt-hacking.html
http://openwrt.org/
http://www.dd-wrt.com/
http://radar.oreilly.com/2008/06/hacking-tcpip-to-support-locat.html
http://www.linuxfocus.org/English/January2001/article144.shtml
http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=hacking+netgear+router&btnG=Searc
http://mcse.mvps.org/legacy/howto.html
http://homepage.ntlworld.com/robin.d.h.walker/cmtips/basicset.html
http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html
http://www.derkeiler.com/Mailing-Lists/Securiteam/2002-06/0074.html
http://wareseeker.com/free-bypass-any-firewall/
Obnosis | (503)754-4452
PLUG Linux Security Labs 2nd Saturday Each mo...@noon - 3PM
_________________________________________________________________
Rediscover HotmailĀ®: Get e-mail storage that grows with you.
http://windowslive.com/RediscoverHotmail?ocid=TXT_TAGLM_WL_HM_Rediscover_Storage1_042009---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
