Open source UTM on network perimeter protection

  • Tutorial
Hello, Khabrovchans!

Today I would like to share the experience of creating a device for protecting the network perimeter of a small organization based on open source solutions: the standard Linux NETFilter firewall with the Firewall Builder GUI, the Suricata intrusion detection and prevention system with the Snorby web interface and the OpenVPN remote access gateway on one virtual machine.

I hope this article will help young administrators in solving possible problems that may arise when installing open source network security solutions.

I invite everyone interested under cat.

What and where we will install

We will collect the UTM-solution (what UTM is, you can read here ), which combines the firewall, IPS and VPN-gateway.

The installation and configuration procedure is as follows:
• Installation and configuration of Snorby (web-based monitoring interface for Suricata), barnyard2 (utility for communication between Suricata and Snorby) and Suricata (in fact, IPS itself);
• Installing Firewall Builder (NETFilter graphical configuration interface), configuring firewall policies (ACL and NAT);
• Install and configure the OpenVPN server and client.

The security solutions themselves (NETFilter, Suricata, OpenVPN) were chosen because they are a kind of “classic” and very common, so if necessary you can find a bunch of information about setting up and working with them. We install graphical interfaces only for the convenience of configuration and monitoring, no more, if you wish, you can do without them.

The platform for our UTM solution will be a virtual server with Ubuntu 14.04 OS on board and the following configuration:
• 4 cores;
• 4 GB of RAM;
• 40 GB hard drive.

Those. To solve the problem of protecting the network perimeter of a small organization, the most average server in terms of characteristics is suitable.

Installation Suricata, Snorby, barnyard2

Before you start, it is better to upgrade:
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

Install the necessary packages:
sudo apt-get install gcc g++ build-essential libssl-dev libreadline6-dev zlib1g-dev linux-headers-generic libsqlite3-dev libxslt-dev libxml2-dev imagemagick git-core libmysqlclient-dev mysql-server libmagickwand-dev default-jre ruby1.9.3

Install wkhtmltopdf:
sudo dpkg -i wkhtmltox-0.12.1_linux-trusty-i386.deb

Install gems:
sudo gem install thor i18n bundler tzinfo builder memcache-client rack rack-test erubis mail text-format rack-mount rails sqlite3

Install Snorby:
sudo git clone /var/www/snorby

We edit the file /var/www/snorby/config/database.yml (if it is not there, you can edit * .example):
        snorby: &snorby
  		adapter: mysql
  		username: root
  		host: localhost

Editing the file /var/www/snorby/config/snorby_config.yml (if it is not there, you can edit * .example):
  		domain: localhost:3000
  		wkhtmltopdf: /usr/bin/wkhtmltopdf #путь может отличаться - /usr/local/bin/wkhtmltopdf
 		 domain: localhost:3000
  		wkhtmltopdf: /usr/bin/wkhtmltopdf
  		domain: localhost:3000
  		wkhtmltopdf: /usr/bin/wkhtmltopdf

We start the Snorby setup:
cd /var/www/snorby 
sudo bundle update activesupport railties rails
sudo gem install arel ezprint && sudo bundle install
sudo bundle exec rake snorby:setup

Mysql setup:
mysql -u root -p 
create user 'snorbyuser'@'localhost' IDENTIFIED BY 'новый_пароль';
grant all privileges on snorby.* to 'snorbyuser'@'localhost' with grant option;
flush privileges;

We return to editing the file /var/www/snorby/config/database.yml, where we enter the new user and password:
        snorby: &snorby
  		adapter: mysql
  		username: snorbyuser
  		password: новый_пароль
  		host: localhost

Install Apache2 and the necessary packages:
sudo apt-get install apache2 apache2-prefork-dev libapr1-dev libaprutil1-dev
sudo apt-get install libcurl4-openssl-dev
sudo service apache2 start

Setting passenger:
sudo gem install --no-ri --no-rdoc passenger
sudo /usr/local/bin/passenger-install-apache2-module -a

Create the file /etc/apache2/mods-available/passenger.load and write there:
        LoadModule passenger_module /var/lib/gems/1.9.1/gems/passenger-4.0.48/buildout/apache2/
     		PassengerRoot /var/lib/gems/1.9.1/gems/passenger-4.0.48
     		PassengerDefaultRuby /usr/bin/ruby1.9.1

Activation of modules:
sudo a2enmod passenger
sudo a2enmod rewrite
sudo a2enmod ssl
sudo chown www-data:www-data /var/www/snorby -R

Create the file / etc / apache2 / sites-available / snorby and write there:

        	ServerAdmin webmaster@localhost
        	ServerName snorby.local
        	DocumentRoot /var/www/snorby/public
                	AllowOverride all
                	Order deny,allow
                	Allow from all
                	Options -MultiViews

We activate the site:
sudo ln -s /etc/apache2/sites-available/snorby /etc/apache2/sites-enabled/snorby

Restart apache:
sudo service apache2 restart

From / var / www / snorby run:
sudo bundle pack && sudo bundle install --path vender/cache

In the /etc/apache2/sites-available/000-default.conf file, change the line:
DocumentRoot /var/www/

Making a test run snorby. In the folder / var / www / snorby run:
sudo bundle exec rails server -e production

We go to http: // localhost: 3000 and, if we see the login window, then we are on the right track.

Next, we will put directly Suricata itself.

Installing the necessary packages:
sudo apt-get install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libcap-ng-dev libnet1-dev mysql-client
sudo dpkg -i libmysqlclient16_5.1.73-0ubuntu0.10.04.1_i386.deb
sudo tar xvfz libnfnetlink-1.0.1.tar.bz2
sudo ./configure && sudo make && sudo make install

Yaml installation:
sudo tar xvfz yaml-0.1.3.tar.gz
cd yaml-0.1.3
sudo ./configure && sudo make && sudo make install

Install barnyard2:
sudo tar xvfz barnyard2-1.9.tar.gz
cd barnyard2-1.9
sudo ./configure --with-mysql && sudo make && sudo make install

Install suricata:
sudo apt-get install suricata
sudo cp /etc/suricata/suricata-debian.yaml /etc/suricata/suricata.yaml
cd /etc/suricata
sudo wget
sudo tar xvfz emerging.rules.tar.gz

In the /etc/suricata/suricata.yaml file, change the lines:
    default-rule-path: /etc/suricata/rules/
	HOME_NET: "[ip_адрес/маска]" 			# пример "[]"

Configuring barnyard2:
sudo cp downloads_folder/barnyard2-1.9/etc/barnyard2.conf /etc/suricata/

Change the lines in the /etc/suricata/barnyard2.conf file:
    config reference_file:      /etc/suricata/reference.config
	config classification_file: /etc/suricata/classification.config
	config gen_file:            /etc/suricata/rules/
	config sid_file:            /etc/suricata/rules/
	output database: log, mysql, user=snorbyuser password=новый_пароль dbname=snorby host=localhost sensor_name=sensor1

The final touch and everything should work:
sudo mkdir /var/log/barnyard2
sudo iptables -I FORWARD -j NFQUEUE
sudo suricata -c /etc/suricata/suricata.yaml -q 0

If you go again to http: // localhost: 3000 , then we will see the dashboard and information on some events.

This completes the IPS setup.

Install FWBuilder and configure iptables

Download the latest build from the link .

Install the necessary package:
sudo apt-get install libqt4-gui

Install FWBuilder:
sudo dpkg -i fwbuilder_5.1.0.3599-ubuntu-precise-1_i386.deb

Launch FWBuilder and create the Firewall element. To do this, click Create new firewall and fill out the fields:

Now configure the interfaces:

Create the minimum necessary set of rules:

In principle, everything is pretty clear, so you can create rules for your needs further.

When the rules are ready, click Install, enter the login / password and gateway address:

This is the end of the firewall setup.

Install and configure OpenVPN

Install OpenVPN and easy-rsa:
sudo su
apt-get install openvpn easy-rsa

Create the keys:
mkdir /etc/openvpn/easy-rsa
cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa
mv /etc/openvpn/easy-rsa/easy-rsa /etc/openvpn/easy-rsa/2.0
cd /etc/openvpn/easy-rsa/2.0
nano vars

Change the line at the end of the file:
    export KEY_COUNTRY="RU"
	export KEY_PROVINCE="Moscow"
	export KEY_CITY="Moscow"
	export KEY_ORG="IT"
	export KEY_EMAIL="test@lab.local"
	export KEY_OU="Security Department"
	export KEY_NAME="UTM"

cp openssl-1.0.0.cnf openssl.cnf
. ./vars
./build-key-server server
openvpn --genkey --secret keys/ta.key
cp -r /etc/openvpn/easy-rsa/2.0/keys/ /etc/openvpn/

Create the server configuration file:
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
cd /etc/openvpn
gunzip -d /etc/openvpn/server.conf.gz
nano /etc/openvpn/server.conf

port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh2048.pem
ifconfig-pool-persist /etc/openvpn/ipp.txt
push "route"
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0 
tls-timeout 120
auth SHA1
max-clients 1
status /var/log/openvpn/openvpn-status.log
verb 3
mute 20

mkdir /var/log/openvpn

Create the client configuration file:
mkdir /etc/openvpn/ccd
nano /etc/openvpn/ccd/client

We enable routing on the gateway if it is not enabled:
in the /etc/sysctl.conf file, uncomment # net.ipv4.ip_forward = 1, then
sudo sysctl -p

Restart OpenVPN:
openvpn restart

Creating client keys:
cd /etc/openvpn/easy-rsa/2.0
. ./vars
./build-key client
./build-key-pass client

From the folder /etc/openvpn/easy-rsa/2.0/keys we take the files ca.crt, dh2048.pem, client.crt, client.key, ta.key, they are useful for the client.

We go to the client machine (I used Windows XP) and install OpenVPN Client .
After installation, you need the files ca.crt, dh2048.pem, client.crt, client.key, ta.key that we created on the server and copied to the / config folder in the directory where OpenVPN Client is installed (I have C: \ Program Files \ OpenVPN \ config).

Now it remains to create a config for the client. In the / config folder, create the client.ovpn file with the following contents:
dev tun
proto udp
remote 1194
resolv-retry infinite
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\client.crt"
key "C:\\Program Files\\OpenVPN\\config\\client.key"
tls-auth "C:\\Program Files\\OpenVPN\\config\\ta.key" 1
auth SHA1 # по-умолчанию. Можно MD5
cipher BF-CBC
remote-cert-tls server
status "C:\\Program Files\\OpenVPN\\log\\openvpn-status.log"
log "C:\\Program Files\\OpenVPN\\log\\openvpn.log"
verb 3
mute 20

Now you can try to connect to the server.

This completes the configuration of UTM, we hope that the article will be useful to you.

Thank you all for your attention!

Glebov Maxim

Also popular now: