Laboratory assignment 5 Sunscreen firewall Applied Computer Security B, 5p DTAB80

Transcription

1 1/5 Laboratory assignment 5 Sunscreen firewall Applied Computer Security B, 5p DTAB80 IN GENERAL SUNSCREEN...2 Reading...2 Download...2 Installing...2 Configuration...3 Start...5 Testing...5 In the laboratory report...5 IN GENERAL Se the document "About laboratory in general"

2 2/5 5.1 SUNSCREEN In this assignment you will download, install and configure Sunscreen. you will also test it by letting another group try to log in to your machine. You will also scan the machine using Nmap and Nessus. READING Read the first three chapters and the chapter about using the command line interface the Sunscreen documentation. Especially about the ssadm-command and about policies. DOWNLOAD Download SunScreen_3.2.tar.gz and SUNWeu8os.tar.gz from ftp.netlab.itm.miun.se. Guestftp is accessed trough port 2021: 1. ftp ftp.netlab.itm.miun.se Username: anonymous Password: nlabxx 3. When logged in, go to the right directory: cd pub/sunscreen/ 4. Use the command get the_filename to download a file, use mget * to get all files in the current directory. INSTALLING 1. Unzip and untar the downloaded files. This will give you two directories, one with sunscreen and one with the SUNWeu8os-package. 2. Place the SUNWeu8os-directory under /var/spool/pkg and run the command: > pkgadd (If pkgadd is run without parameters it will look in /var/spool/pkg for packages an ask you if you want to install them. Note: When it is installed it may ask you again to install it, if so, choose quit.) 3. Go into the SunScreen directory and run the command: >./install -nodisplay During the installation you will be asked some questions. Use "Typical install". When finished you can look at the installation details, do so and save it. 4. Log in as root and run: > ssadm configure You will be given some questions, choose: - Screen type: 1 - Local administration - Security Level: 2. Secure (routing screen only) - Name Resolution: DNS Domain Name Service

3 3/5 5. Comment away the rows $LIB_DIR/run_httpd start $LIB_DIR/ssadmserver start > /dev/console 2>&1 in the file /usr/lib/sunscreen/lib/ss_boot to stop remote administration through the web. You will only administer Sunscreen by the command prompt, therfore stop the webserver from starting. This can be done by renaming the webserver-start script. > mv /etc/rc3.d/s50apache /etc/rc3.d/no_s50apache Reboot the machine: > init 6 CONFIGURATION Note: In the following example the hostname is nlabxx and the username is tiger. You will of course use your own names. 6. Log in as root and find out the active policy: > ssadm active Active configuration: nlabxx default Initial.1 Activated by tiger on Fri Dec 3 21:41: Copy the active policy to one of your own to work with: ssadm policy -c Initial yourownpolicyname 8. Go into editing mode and list the existing rules. > ssadm edit yourownpolicyname Loaded common objects from registry version 1 Loaded policy from yourownpolicyname version 1 1 common localhost * ALLOW 2 rip * * ALLOW To see what's in the service common you write: edit > list service common common GROUP tcp all upd all syslog dns rpc all nfs prog icmp all rip ftp rsh real audio pmap udp all.... Rule 2 seems unnecessary, delete it: edit > del rule 2 Add the IP-addresses that should be able to access a particular service(eg. ssh) edit > add service ssh SINGLE FORWARD tcp PORT 22 edit > add address nlabxx HOST XX edit > add address netlab RANGE Start adding rules edit > add rule ssh netlab localhost ALLOW LOG SUMMARY

4 4/5 Add a DENY-rule that maches everything, this is called a clean-up. Meaning, everything not having an ALLOW-regel should be stopped. We also turn on logging to see everything that is denied by the firewall. edit > add rule * * localhost DENY LOG DETAIL To get some traceability on outbound traffic you can turn on logging on rule 1: edit > replace rule 1 common localhost * ALLOW LOG SUMMARY If your unlucky and there are Windows machines in network, you will soon find out that most of your log will be filled with a lot of rubbish. Therefore, we add a deny rule before the clean-up. edit> add rule netbios * * DENY 1 common localhost * ALLOW LOG SUMMMARY 2 ssh netlab localhost ALLOW LOG SUMMARY 3 * * localhost DENY LOG DETAIL 4 netbios * * DENY The rules are not in the correct order: edit> move rule common localhost * ALLOW LOG SUMMMARY 2 ssh netlab localhost ALLOW LOG SUMMARY 3 netbios * * DENY 4 * * localhost DENY LOG DETAIL 9. Save and verify that the syntax is correct: edit > save Saved common objects to Registry version 2 Saved policy to yourownpolicyname version 2 edit > verify Configuration verified successfully (not activated) edit > quit

5 5/5 START 10. Activate the policy: > ssadm activate yourownpolicyname Configuration activated successfully on nlabxx 11. Depending on diskspace, you may need to change the maximum size of the log file. Here it is set to 50 MB. (Unfortunately, these changes doesn't seem to take effect without restarting Sunscreen. Use etc/rc2.d/s63sunscreen {start stop} for this.) > ssadm logstats Log size (bytes ) : 1040 Log maximum size (bytes): Log loss count (records): 0 Cleared at : Fri Dec 3 21:41: > ssadm edit yourownpolicyname Loaded common objects from Registry Version 2 Loaded policy from yourownpolicyname version 2 edit > add screen nlabxx CDP RIP DNS LOGSIZE 50 edit > save Save common objects to Registry Version 3 Saved policy to yourownpolicyname version 3 edit > verify Configuration verified successfully (not activated). edit > quit > ssadm activate yourownpolicyname Configuration activated successfully on nlabxx. 12. IF you want to read the log file: > ssadm log get ssadm logdump t a i 13. If you want to backup the policy: > ssadm backup > a_filename To create a more readable text file you can do like this: > more a_filename > a_textfile.txt TESTING Let other groups try to login on your machine using telnet, ftp, ssh and sftp. Both from IP-adresses allowed to connect and not. Also ask someone to scan your machine using Nmap and Nessus. IN THE LABORATORY REPORT The installation details, the readable parts of the backup, interesting parts of the log file and the results of the test should be in attachments. In the actual report, describe the settings you have done, with explanations why. Describe what you have tested and the results of the test.