Security - Firewall Configuration
Firewall Configuration
Jump Server
• A jump server is a hardened system on a network specifically used to access devices in a separate security zone.
• It is an intermediary device responsible for funneling traffic through firewalls using a supervised, secure channel.
• For someone outside the network to access protected resources inside the network, they first connect to the jump host, and their activities on the internal services are performed via that connection.
• Because of specific monitoring and hardening, a jump server can act as a safer alternative to allowing direct outside access.
Proxy Servers
• A proxy server can be used to filter out undesirable traffic and prevent employees from accessing potentially hostile websites.
• A proxy server takes requests from a client system and forwards them to the destination server on behalf of the client.
Proxy Servers - Types
• A forward proxy forwards requests to servers based on a variety of parameters, as described in the other portions of this section.
• Forward proxies can be used to bypass firewall restrictions, act as a cache server, and change your IP address (more useful before the widespread adoption of NAT).
Why use a forward proxy?
To avoid state or institutional browsing restrictions - Some governments, schools, and other organizations use firewalls to
give their users access to a limited version of the Internet. A forward proxy can be used to get around these restrictions, as
they let the user connect to the proxy rather than directly to the sites they are visiting.
To block access to certain content - Conversely, proxies can also be set up to block a group of users from accessing certain
sites. For example, a school network might be configured to connect to the web through a proxy which enables content
filtering rules, refusing to forward responses from Facebook and other social media sites.
To protect their identity online - In some cases, regular Internet users simply desire increased anonymity online, but in
other cases, Internet users live in places where the government can impose serious consequences on political dissidents.
Only the IP address of the proxy server will be visible to the destination site.
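A minimal filtering forward proxy, written as an added illustration of the content-filtering use above (not code from the slides): requests for a blocked domain get a 403, anything else is fetched on the client's behalf so the destination only sees the proxy's address. The blocklist, listen port and the `is_blocked`/`proxy_decision` helpers are assumptions for this example.

```python
# Added example: a tiny filtering forward proxy (plain HTTP GET only).
# Policy list is constructed for the school example: social media is refused.
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit
import http.client

BLOCKED_DOMAINS = {"facebook.com", "instagram.com"}  # constructed policy list

def is_blocked(host, blocked=BLOCKED_DOMAINS):
    """True if host is a blocked domain or a subdomain of one.
    Case-insensitive, ignores a trailing dot, and does not match
    look-alikes such as 'notfacebook.com'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)

def proxy_decision(url, blocked=BLOCKED_DOMAINS):
    """Return ('deny', host) or ('allow', host) for an absolute request URL."""
    host = urlsplit(url).hostname or ""
    return ("deny" if is_blocked(host, blocked) else "allow"), host

class FilteringProxy(BaseHTTPRequestHandler):
    # Browsers configured with a proxy send the absolute URL in the request line.
    def do_GET(self):
        action, host = proxy_decision(self.path)
        self.log_message("%s %s", action, self.path)   # audit trail for the filter
        if action == "deny" or not host:
            self.send_error(403, "Blocked by proxy policy")
            return
        parts = urlsplit(self.path)
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn = http.client.HTTPConnection(host, parts.port or 80, timeout=10)
        conn.request("GET", path, headers={"Host": parts.netloc})  # proxy's IP is the source
        resp = conn.getresponse()
        body = resp.read()
        self.send_response(resp.status)
        for name, value in resp.getheaders():
            # Body is re-framed with our own Content-Length, so drop hop-by-hop framing headers
            if name.lower() not in ("transfer-encoding", "connection", "content-length"):
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    # Listen only on localhost for the lab; point a browser's HTTP proxy at 127.0.0.1:8080
    ThreadingHTTPServer(("127.0.0.1", 8080), FilteringProxy).serve_forever()
```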
Reverse Proxy
Load balancing - A popular website that gets millions of users every day may not be able to handle all of its incoming site
traffic with a single origin server. Instead, the site can be distributed among a pool of different servers, all handling
requests for the same site. In this case, a reverse proxy can provide a load balancing solution which will distribute the
incoming traffic evenly among the different servers to prevent any single server from becoming overloaded. In the event
that a server fails completely, other servers can step up to handle the traffic.
Protection from attacks - With a reverse proxy in place, a web site or service never needs to reveal the IP address of its
origin server(s). This makes it much harder for attackers to leverage a targeted attack against them, such as a DDoS attack.
Instead, the attackers will only be able to target the reverse proxy, such as Cloudflare's CDN, which will have tighter security
and more resources to fend off a cyber attack.
Firewalls
• A firewall can be hardware, software, or a combination of both whose purpose is
to enforce a set of network security policies across network connections.
• It is much like a wall with a window: the wall serves to keep things out, except
those permitted through the window.
• The DHCP service enabled in pfSense will lease IP addresses for:
• Network A: range 192.168.10.10 - 192.168.10.100
• Network B: range 192.168.20.10 - 192.168.20.100
• One computer is attached to each network, specifically:
• Kali Linux computer with IP address: 192.168.10.10
• Ubuntu computer with IP address: 192.168.20.10
Preparation of Virtual Lab
• The Virtual Lab will contain a pfSense virtual machine with three network adapters. The first adapter will be used for the WAN (to connect to the internet); for that reason it is going to be set as a "Bridged Adapter".
• The two other network adapters will be set as Internal Network: inet1 for Network A (LAN1) and inet2 for Network B (LAN2).
• The other virtual machines will also be set as Internal Network: inet1 for Kali Linux and inet2 for Ubuntu. With this configuration the Kali Linux VM will be part of LAN1 and the Ubuntu VM part of LAN2.
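The adapter layout just described, expressed as VBoxManage commands by a small script added here (not part of the lab material). The VM names, the host bridge interface `eth0` and the dry-run default are assumptions; the `--nic`, `--bridgeadapter` and `--intnet` flags are standard VBoxManage modifyvm options.

```python
# Added example: wire the lab topology with VBoxManage.
# Assumptions: VMs named pfSense, Kali and Ubuntu already exist and are powered off;
# HOST_BRIDGE_IF is the host NIC that gives the WAN side internet access.
import subprocess

HOST_BRIDGE_IF = "eth0"   # assumption: replace with the real host interface name
DRY_RUN = True            # print the commands instead of running them

# Topology from the lab: pfSense NIC1 = WAN (bridged), NIC2 = inet1 (LAN1), NIC3 = inet2 (LAN2);
# Kali sits on inet1, Ubuntu on inet2, so each host is in a different LAN behind the firewall.
LAB = {
    "pfSense": [("bridged", HOST_BRIDGE_IF), ("intnet", "inet1"), ("intnet", "inet2")],
    "Kali":    [("intnet", "inet1")],
    "Ubuntu":  [("intnet", "inet2")],
}

def nic_args(adapters):
    """Translate (mode, network) pairs into VBoxManage modifyvm flags.
    Adapter numbering starts at 1, matching the VirtualBox GUI."""
    args = []
    for n, (mode, net) in enumerate(adapters, start=1):
        args += [f"--nic{n}", mode]
        if mode == "bridged":
            args += [f"--bridgeadapter{n}", net]   # host NIC to bridge onto
        elif mode == "intnet":
            args += [f"--intnet{n}", net]          # isolated internal network name
        else:
            raise ValueError(f"unsupported adapter mode: {mode}")
    return args

def build_commands(lab=LAB):
    """One modifyvm command per VM, in the order the lab lists them."""
    return [["VBoxManage", "modifyvm", vm] + nic_args(adapters)
            for vm, adapters in lab.items()]

def apply(commands, dry_run=DRY_RUN):
    for cmd in commands:
        print(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)

if __name__ == "__main__":
    apply(build_commands())
```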
PfSense Firewall
• Advantages
pfSense: Installation and configuration of pfSense
• A fresh copy of pfSense can be downloaded from the official pfSense website:
https://www.pfsense.org/download/
• It comes in two options: pfSense Community Edition, which is free, and the Pro edition, which requires a paid license. In this lab the pfSense Community Edition will be used, as it includes all necessary tools to configure and manage the firewall.
• Install pfSense in VirtualBox from the ISO file by following the simple on-screen steps (more information: https://www.ceos3c.com/pfsense/install-pfsense-on-virtualbox/)
• Configure WAN:
1. Set a DHCP or manual IP address for the WAN
• Configure LAN:
1. Set an IP address for the LAN: 192.168.10.1
2. Enter the subnet mask bits: 24
3. Answer "y" to the question about enabling the DHCP server on LAN
4. Configure the range: 192.168.10.10 - 192.168.10.100
• Following the previous steps makes the connection between the LAN hosts (Ubuntu and Kali Linux) and the firewall possible.
• A user-friendly management interface can be reached by entering the IP address of the pfSense interface connected to the specific LAN (which also serves as the gateway):
• In Ubuntu, access pfSense using the IP address: 192.168.20.1
• In Kali Linux, access pfSense using the IP address: 192.168.10.1
Login
Username: admin
Password: pfsense
Accessing the pfSense firewall using GUI (Graphical User Interface)
• A myriad of helpful configurations can be done through the pfSense GUI, from changing the dashboard view to configuring a VPN or the Snort IDS.
• The image shows the DHCP server configuration on LAN1, which makes it possible for other devices in this LAN to connect to the firewall.
• Set an available range for each network that does not overlap the subnet address (192.168.10.0), the IP address of the pfSense interface on that network (192.168.10.1) or the broadcast address (192.168.10.255); thus the range could be 192.168.10.2 - 192.168.10.254.
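The range rule above, turned into a check that can be run against any LAN before the pool is entered in pfSense. This is an added example using the lab's addresses, not pfSense's own validation; `check_dhcp_pool` and `largest_pool` are names chosen here.

```python
# Added example: validate a DHCP pool against the rules stated on the slide.
import ipaddress

def check_dhcp_pool(subnet, interface_ip, start, end):
    """Return a list of problems (empty list means the pool is acceptable).
    A usable pool lies inside the subnet, excludes the network address, the
    broadcast address and the firewall's own interface IP, and has start <= end."""
    net = ipaddress.ip_network(subnet, strict=True)
    gw, lo, hi = (ipaddress.ip_address(a) for a in (interface_ip, start, end))
    problems = []
    if gw not in net:
        problems.append(f"interface IP {gw} is not in {net}")
    if lo > hi:
        problems.append(f"range start {lo} is above range end {hi}")
    for label, addr in (("start", lo), ("end", hi)):
        if addr not in net:
            problems.append(f"range {label} {addr} is outside {net}")
    if lo <= net.network_address <= hi:
        problems.append(f"pool includes the network address {net.network_address}")
    if lo <= net.broadcast_address <= hi:
        problems.append(f"pool includes the broadcast address {net.broadcast_address}")
    if lo <= gw <= hi:
        problems.append(f"pool includes the firewall interface IP {gw}")
    return problems

def largest_pool(subnet, interface_ip):
    """Largest contiguous run of host addresses that avoids the interface IP,
    i.e. the widest range pfSense could be given for this LAN."""
    net = ipaddress.ip_network(subnet, strict=True)
    gw = ipaddress.ip_address(interface_ip)
    first, last = net.network_address + 1, net.broadcast_address - 1
    below = (first, gw - 1) if gw > first else None   # hosts before the interface
    above = (gw + 1, last) if gw < last else None     # hosts after the interface
    best = max((r for r in (below, above) if r), key=lambda r: int(r[1]) - int(r[0]))
    return str(best[0]), str(best[1])

if __name__ == "__main__":
    # Lab values: the two LANs as configured on pfSense
    lans = {"LAN1": ("192.168.10.0/24", "192.168.10.1", "192.168.10.10", "192.168.10.100"),
            "LAN2": ("192.168.20.0/24", "192.168.20.1", "192.168.20.10", "192.168.20.100")}
    for name, args in lans.items():
        print(name, check_dhcp_pool(*args) or "OK")
    print("widest LAN1 pool:", largest_pool("192.168.10.0/24", "192.168.10.1"))
```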