Lab 1: Vyatta Firewalls - Overview
Aim:
The aim of this lab is to introduce the DFET virtualisation teaching platform and vSphere
client access to your own virtual machines, and to show how to configure a Vyatta
firewall for routing, NAT and firewall rules, demonstrating some fundamentals of network
security and device configuration.
Time to Complete:
4 hours (two supervised hours in the lab, and two additional unsupervised hours).
Activities:
• Complete Lab 1: Vyatta Firewall
Learning activities:
At the end of this lab, you should understand:
• How to access the vSoC Cloud, working with your own folder within CSN09112.
• How to launch virtual machines, such as your Ubuntu, Windows Server, and Vyatta ones.
• How to configure the network settings of the Ubuntu and Windows Server machines, as
well as using some basic Linux and Windows commands.
• How to configure the Vyatta firewall, for basic routing, NAT, and filtering - to grant or
block access to certain types of packets and protocols.
• How to use Wireshark to capture network packets for deep analysis, highlighting details
such as the difference between the Telnet and SSH services.
• How the Vyatta firewall protects against threats.
Our first task is to route through the Vyatta firewall to connect two networks. In the lab you
will be assigned two networks in the form:
10.10.x.0/24 10.10.y.0/24
Group Number:
http://asecuritysite.com/csn09112/prep
with Allocation C.
Note: Sometimes the network names are different, such as Eth3, Eth4 and Eth5. Assume that
the first network name is Public, the second is the Private network, and the third is the DMZ.
Use the network diagram in Figure 2, filling in the boxes with your addressing (the allocated
networks, subnets, and IP addresses), and use it as a reference as you complete the lab.
Can you ping 10.10.x.7 from the selected host? Yes/No
Select your Windows server (User: Administrator, Password: napier) and configure it
at 10.10.y.7 with a default gateway of 10.10.y.254 and a subnet mask of 255.255.255.0.
Can you ping 10.10.y.7 from the selected host? Yes/No
From each of your hosts, can you ping the other host? Yes/No
show configuration:
First reset the firewall to its default configuration and reboot it, with:
cp /opt/vyatta/etc/config.boot.default /opt/vyatta/etc/config/config.boot
reboot
Set up a few basic things, such as the hostname and a user account (a commit is needed
before any change takes effect):
$ configure
# set system host-name yourname
# set system login user yourname authentication plaintext-password yourpass
# commit
Configure the firewall interfaces using the following commands (changing the x and y for
your networks):
$ configure
# set interfaces ethernet eth0 address dhcp
# set interfaces ethernet eth1 address 10.10.x.254/24
# set interfaces ethernet eth2 address 10.10.y.254/24
# set system gateway-address 10.221.3.254
# commit
Can you ping 10.10.y.7 from the host on 10.10.x.7? Yes/No
Can you ping 10.10.x.7 from the host on 10.10.y.7? Yes/No
Now run Wireshark on your hosts, and repeat. Examine your network trace and find the
successful ping request and ping reply. Which ICMP types and codes are used for the request
and the successful reply:
show configuration:
show interface:
Now delete the IP address on the eth1 interface of the firewall, and reassess:
Can you ping 10.10.y.7 from the host on 10.10.x.7? Yes/No
Can you ping 10.10.x.7 from the host on 10.10.y.7? Yes/No
Now run Wireshark on your hosts, and repeat. Examine your network trace and find the
unsuccessful ping request and the reply it produces. Which ICMP types and codes are used for
the request and the unsuccessful reply:
Note:
$ configure
# delete interfaces ethernet eth1 address 10.10.x.254/24
# commit
Now reapply the IP address and, using the arp -a command on each host, determine the MAC
address of the gateway, and check it against the firewall's own view (show interfaces on the
firewall).
Can you access the Web server on 10.10.y.7 from 10.10.x.7? Yes/No
Can you access the Web server on 10.10.x.7 from 10.10.y.7? Yes/No
As before, delete the IP address on the eth1 interface, retest, and then reapply it (clear the
browser cache before each test so that you are not looking at a cached copy of the page):
Can you access the Web server on 10.10.y.7 from 10.10.x.7? Yes/No
Can you access the Web server on 10.10.x.7 from 10.10.y.7? Yes/No
Run an nmap scan from the Windows host to the Linux one. What ports are open on
the Linux host:
Run an nmap scan from the Linux host to the Windows one. What ports are open on
the Windows host:
Commands (a SYN scan needs root or Administrator privileges; replace the address with the
target host or the allocated network):
nmap -sS 10.10.x.0/24
Setting up NAT
Now we need to set up NAT to map the addresses on the DMZ and the private network to an
address taken from the public network. We are using NAT overloading (NAT masquerade, a
form of port address translation), which maps the private addresses to the single public
address assigned to eth0.
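The masquerade rules the paragraph above describes, as an added example that is not part of the original lab sheet. It uses the Vyatta Core 6.5 / VyOS nat source syntax; the rule numbers and descriptions are my choice, x and y stand for your allocated networks, and lines starting with # are comments rather than the configure-mode prompt. On older Vyatta Core releases the same rules are written under service nat (for example set service nat rule 10 type masquerade, with the same outbound-interface and source address settings).

```vyatta
configure

# Rule 10: hosts on the private network (eth1) leave through eth0
# and are rewritten to the address eth0 obtained from DHCP.
set nat source rule 10 description "private to public"
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 10.10.x.0/24
set nat source rule 10 translation address masquerade

# Rule 20: the DMZ (eth2) is masqueraded in the same way.
set nat source rule 20 description "dmz to public"
set nat source rule 20 outbound-interface eth0
set nat source rule 20 source address 10.10.y.0/24
set nat source rule 20 translation address masquerade

commit
save
exit
```

Traffic between the private network and the DMZ never leaves through eth0, so it is not translated, and the firewall rules later in the lab still see the real 10.10.x.0/24 and 10.10.y.0/24 addresses. Masquerade only rewrites connections that start from the inside; it does not by itself let hosts on the public side reach 10.10.x.7 or 10.10.y.7, which is what the later Kali checks explore.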
Finally, add a DNS server to the base configuration, commit it, and save it so that it
survives a reboot:
# set system name-server 10.221.3.254
# commit
# save
# exit
$ reboot
You can now reboot the firewall (use the command reboot), and login with your new
username and password.
Now restart Wireshark on the Linux host. Next enable the Telnet server on the Vyatta
firewall, and log in to it from the Linux host with telnet.
Using Follow TCP Stream in Wireshark on the captured session, what can you observe from the
stream? Can you see the password for the login?
Note: Wireshark needs to capture as root on the Linux host:
sudo wireshark
Now restart Wireshark on the Linux host. Next enable the SSH server on the Vyatta
firewall, and log in to it from the Linux host with ssh.
Using Follow TCP Stream in Wireshark on the captured session, what can you observe from the
stream? Can you see the password for the login?
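The firewall-side commands for the two capture steps above (Telnet first, then SSH), as an added example that is not part of the original sheet. The ports are the service defaults; lines starting with # are comments. The Telnet service is removed once the first capture is done, so that the only remote login left on the firewall is the encrypted one.

```vyatta
configure

# Capture 1: Telnet. The login is sent in cleartext, so Follow TCP Stream
# on the Linux host shows the username and password character by character.
set service telnet port 23
commit
save
exit

# ... on the Linux host: telnet 10.10.x.254, log in, then stop the capture ...

configure

# Capture 2: remove Telnet and enable SSH. The key exchange is visible in the
# stream, but everything after it, including the password, is ciphertext.
delete service telnet
set service ssh port 22
commit
save
exit
```

From the Linux host use telnet 10.10.x.254 for the first capture and ssh yourname@10.10.x.254 for the second, logging in with the account created earlier. Filter the capture on tcp.port == 23 or tcp.port == 22 before following the stream so that the ping and web traffic from the earlier steps does not get in the way.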
Check to see if you have a Kali instance in your group folder. If so, complete the following:
From your Kali instance, can you ping each of the interfaces on the firewall? Yes/No
From your Kali instance, can you ping each of the interfaces on the hosts? Yes/No
Now set the default gateway of your Kali host to the IP address of the eth0 interface on
your firewall. Are you now able to ping your Ubuntu and Windows machines?
Firewalling
The Vyatta firewall uses zones to define security regions. In this case we can set up public,
dmz and private zones. Then we apply firewall rule sets to define how the traffic between the
zones is filtered. In this case we will only set up the traffic between the dmz and private
zones, with two rule sets: dmz2private and private2dmz. One possible policy is to allow
connections on certain ports from private to dmz, but block all connections that are
initiated from the dmz towards the private network. Figure 3 outlines the setup.
Now try to access services from the Windows instance to the Linux one:
Web Yes/No
Telnet Yes/No
FTP Yes/No
SMTP Yes/No
Now we will allow only established connections (replies to connections started from the
private side) from the DMZ to the private network.
Then we will accept new connections on ports 80 and 443 from the private network to the DMZ:
set firewall name private2dmz description "private to DMZ"
set firewall name private2dmz rule 1 action accept
set firewall name private2dmz rule 1 state established enable
set firewall name private2dmz rule 1 state related enable
set firewall name private2dmz rule 10 action accept
set firewall name private2dmz rule 10 destination port 80,443
set firewall name private2dmz rule 10 protocol tcp
Now we have zones of public, dmz and private, and rule sets dmz2private and private2dmz.
To apply the rule sets to the zones, each interface is assigned to its zone and each rule set
is attached to the pair of zones it filters.
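An added example (not from the original sheet) of the two parts the text leaves out: the dmz2private rule set, which mirrors rule 1 of private2dmz so that only replies to connections started from the private side get back in, and the zone-policy configuration that binds interfaces to zones and attaches the rule sets. The interface-to-zone mapping follows the interface addressing set earlier (eth0 public, eth1 private, eth2 dmz); the zone and rule-set names are the ones used in the text, and lines starting with # are comments.

```vyatta
configure

# DMZ -> private: only packets belonging to a connection the private side
# opened are accepted; the rule set's default action drops everything else.
set firewall name dmz2private description "DMZ to private"
set firewall name dmz2private default-action drop
set firewall name dmz2private rule 1 action accept
set firewall name dmz2private rule 1 state established enable
set firewall name dmz2private rule 1 state related enable

# Make the default action of private2dmz explicit too: anything not matched
# by rule 1 (replies) or rule 10 (HTTP/HTTPS) is dropped.
set firewall name private2dmz default-action drop

# Zones: one interface per zone. Traffic between two zones is dropped unless
# a "from" rule set on the destination zone accepts it.
set zone-policy zone public default-action drop
set zone-policy zone public interface eth0
set zone-policy zone private default-action drop
set zone-policy zone private interface eth1
set zone-policy zone dmz default-action drop
set zone-policy zone dmz interface eth2

# Attach the rule sets. The zone named after "zone" is where the packet is
# going; the zone named after "from" is where it came in.
set zone-policy zone dmz from private firewall name private2dmz
set zone-policy zone private from dmz firewall name dmz2private

commit
save
exit
```

Nothing is defined for the public zone, so once this is committed no traffic passes between the public network and the other two zones; that is what the Kali checks at the end of this section are probing. Traffic to the firewall's own interfaces is not affected, because no local zone is configured. Check the result with show zone-policy, and watch rule hit counters with show firewall name private2dmz while you run the tests below.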
Commit this, and try and connect from each of the networks to the other:
From the Linux machine on the private network, access the following services on the
Windows server in the DMZ:
Web Yes/No
Telnet Yes/No
FTP Yes/No
SMTP Yes/No
From the Windows server in the DMZ, access the following services on the Linux machine on
the private network:
Web Yes/No
Telnet Yes/No
FTP Yes/No
SMTP Yes/No
Now enable Telnet, FTP and SMTP (TCP ports 23, 21 and 25) from the private network to the DMZ.
Enable Wireshark on the Windows host, and observe the trace when you run nmap from the
Linux host. What can you observe:
Enable Wireshark on the Linux host, and observe the trace when you run nmap from the
Windows host. What can you observe:
Note: you can test whether a port is reachable through the firewall by using telnet with the
port number (replace 10.10.x.7 with the target host):
Test FTP: telnet 10.10.x.7 21
Test Telnet: telnet 10.10.x.7 23
Test HTTP: telnet 10.10.x.7 80
Test SMTP: telnet 10.10.x.7 25
Check to see if you have a Kali instance in your group folder. If so, complete the following:
From your Kali instance, can you ping each of the interfaces on the firewall? Yes/No
From your Kali instance, can you ping each of the interfaces on the hosts? Yes/No
DoS Protection
A particularly difficult area to protect against is Denial of Service (DoS). The Vyatta firewall
has some protection for this: a rule can limit the number of new connections a source may
open over a given amount of time. Now let's limit the number of Web connections to 5 in 10
seconds:
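The rate-limit rule the paragraph above describes, together with the rule the earlier step ("Now enable Telnet, FTP and SMTP from the private network to the DMZ") leaves out, as an added example that is not from the original sheet. The limit uses the firewall's recent match (the VyOS 1.x documentation shows the same pattern for SSH brute-force protection): a new connection is dropped when its source has already hit the configured count inside the time window. Rule numbers are my choice; lines starting with # are comments.

```vyatta
configure

# Rule 5 sits before the accept in rule 10, so it is checked first.
# Only new connections are counted; established traffic is handled by rule 1.
set firewall name private2dmz rule 5 description "limit web connections"
set firewall name private2dmz rule 5 action drop
set firewall name private2dmz rule 5 protocol tcp
set firewall name private2dmz rule 5 destination port 80
set firewall name private2dmz rule 5 state new enable
set firewall name private2dmz rule 5 recent count 5
set firewall name private2dmz rule 5 recent time 10

# Rule 20: FTP control, Telnet and SMTP from the private network to the DMZ.
set firewall name private2dmz rule 20 description "ftp telnet smtp"
set firewall name private2dmz rule 20 action accept
set firewall name private2dmz rule 20 protocol tcp
set firewall name private2dmz rule 20 destination port 21,23,25

commit
save
exit
```

To test the limit, request the page from the Linux host repeatedly within a few seconds (reloading in the browser or looping a command-line client) and watch the counters with show firewall name private2dmz; rule 5 starts counting once the burst exceeds the threshold and the extra requests time out rather than being refused. Note that rule 20 only covers the FTP control channel (port 21), which is enough for the telnet test on that port; a full FTP transfer also needs a data connection that this rule does not allow on its own.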
Commit this.
Appendix
Now restart Wireshark on the Linux host. Next enable a DHCP server for the private network
on the Vyatta firewall, then release and renew the Linux host's lease with:
sudo dhclient -r
sudo dhclient
What is the IP address that was allocated to the Linux instance by the DHCP server:
Which DHCP message is sent to release the IP address from the interface:
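The DHCP server configuration the step above refers to, as an added example that is not from the original sheet. It serves the private network (eth1, 10.10.x.0/24) with the firewall as default router and the lab DNS server already used in the base configuration; the pool range, the shared-network name and the lease time are my choices, and lines starting with # are comments. The syntax is Vyatta Core 6.x (start/stop); VyOS 1.x writes the pool as range 0 start/stop.

```vyatta
configure

# One shared network per subnet; the server answers on the interface that
# carries 10.10.x.0/24, which is eth1.
set service dhcp-server shared-network-name PRIVATE subnet 10.10.x.0/24 start 10.10.x.100 stop 10.10.x.200
set service dhcp-server shared-network-name PRIVATE subnet 10.10.x.0/24 default-router 10.10.x.254
set service dhcp-server shared-network-name PRIVATE subnet 10.10.x.0/24 dns-server 10.221.3.254

# Short lease so that a release/renew cycle is easy to see in the capture.
set service dhcp-server shared-network-name PRIVATE subnet 10.10.x.0/24 lease 3600

# The pool starts at .100 so the statically addressed host (.7) and the
# gateway (.254) can never collide with a lease.

commit
save
exit
```

After the dhclient commands on the Linux host, check which address the firewall handed out with show dhcp leases (show dhcp server leases on VyOS) and compare it with the capture: the release step produces a single message from the host, and the renew step produces the four-message exchange the questions below ask about.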
IP addresses used:
UDP ports used:
Bootstrap Message:
What is the handshake that is used to gain the IP address from the DHCP server: