The following article addresses the topic of writing a security policy, using a firewall and DNS as the example. It can be adopted in your company in its entirety or used as a model for further development.
Firewall
1. The firewall increases the security of the organization by:
- blocking unauthorized access attempts (controlling and restricting access to the internal network);
- inspecting network traffic at multiple levels (among others, the firewall filters on IP addresses, direction and state of connections, protocols and applications, and individual users);
- creating security zones and shaping the traffic permitted between them;
- hiding the internal organization and structure of the network;
- monitoring the security zones and raising the appropriate alarms;
- collecting event logs and providing the means to produce statistics and reports.
2. At agd.com, traffic from outside is limited to the public website on port 443 and the DNS service on port 53. The administrative part of the site is available only from the internal network, on port 8080. In addition, the following are open only within the company: port 110 to the mail server (POP3), port 3306 for database connections, and port 2020 for SSH remote administration of the server.
3. The following procedure is addressed to network administrators and must not be disclosed to unauthorized persons:
- The detailed iptables script is confidential and is kept in the safe on the 8th floor of building A. Use it when making changes to the firewall configuration. The principal network administrator is the person authorized to do so.
The firewall is configured with the following iptables script:
#!/bin/sh
##############################################################################
IPTABLES=iptables
PATH="/usr/sbin:/sbin:/usr/bin:/bin"
# Server address
SERVER="192.168.1.3"
# Administrator workstation address
ADMIN="192.168.1.10"
# Address space of our internal network and the interface serving it
WEW_NET="192.168.1.0/24"
WEW_DEV="eth0"
# External (Internet) side: any address, and the interface serving it
ZEW_NET="0/0"
ZEW_DEV="eth1"
# TCP services we accept from outside: HTTPS (443) and DNS (53)
TCP_IN="443,53"
# UDP services we accept from outside: DNS (53)
UDP_IN="53"
# TCP services reachable from the internal network only:
# admin web 8080, POP3 110, MySQL 3306, SSH on 2020
TCP_INT="8080,110,3306,2020"
# ICMP we want to pass: none (echo requests are ignored via sysctl below)
ICMP_IN=""
ICMP_OUT=""
##############################################################################
# Remove the previous rules
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
# Default policy: drop everything that is not explicitly allowed
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
# Log our traffic (rate limited, so a flood cannot fill the disk);
# the prefix lets us pick the firewall lines out of the syslog
$IPTABLES -A INPUT -m limit --limit 15/hour -j LOG --log-prefix "FW-IN: "
$IPTABLES -A OUTPUT -m limit --limit 15/hour -j LOG --log-prefix "FW-OUT: "
$IPTABLES -A FORWARD -m limit --limit 15/hour -j LOG --log-prefix "FW-FWD: "
# Load connection tracking (nf_conntrack on current kernels, ip_conntrack on old ones)
modprobe nf_conntrack 2>/dev/null || modprobe ip_conntrack
modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
# Do not answer pings
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Protection against Smurf attacks
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Ignore bogus ICMP error responses
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Log strange packets (spoofed, source routed, redirects)
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
# Do not accept IP datagrams with the "source route" option
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# Do not accept ICMP redirects, which could change our routing table
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# Reverse path filter: drop packets whose source address would not be
# routed back through the interface they arrived on
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
# Allow traffic to loop back to our own computer (unlock the loopback interface)
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# Anti-spoofing. These DROP rules come before every ACCEPT rule, otherwise
# a spoofed packet matching an ACCEPT rule would never reach them.
# Packets from outside carrying OUR source address (Land attack)
$IPTABLES -A INPUT -i $ZEW_DEV -s $SERVER -j DROP
$IPTABLES -A INPUT -i $ZEW_DEV -s $WEW_NET -j DROP
# Packets from outside with non-routable, multicast or reserved sources
$IPTABLES -A INPUT -i $ZEW_DEV -s 10.0.0.0/8 -j DROP       # RFC 1918 (class A)
$IPTABLES -A INPUT -i $ZEW_DEV -s 172.16.0.0/12 -j DROP    # RFC 1918 (class B)
$IPTABLES -A INPUT -i $ZEW_DEV -s 192.168.0.0/16 -j DROP   # RFC 1918 (class C) - the range we use; it must never arrive from the Internet
$IPTABLES -A INPUT -i $ZEW_DEV -s 224.0.0.0/4 -j DROP      # multicast
$IPTABLES -A INPUT -i $ZEW_DEV -d 224.0.0.0/4 -j DROP      # multicast
$IPTABLES -A INPUT -i $ZEW_DEV -s 240.0.0.0/4 -j DROP      # reserved
$IPTABLES -A INPUT -i $ZEW_DEV -s 127.0.0.0/8 -j DROP      # loopback
# Stateful filtering: accept replies to connections we opened ourselves
$IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Public services from the Internet. Match on the DESTINATION port:
# a rule on --sport 443 would let anyone in simply by sending from source port 443.
$IPTABLES -A INPUT -i $ZEW_DEV -p tcp -m multiport --dports $TCP_IN -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A INPUT -i $ZEW_DEV -p udp -m multiport --dports $UDP_IN -j ACCEPT
# Internal-only services, accepted from the internal network on the internal interface
$IPTABLES -A INPUT -i $WEW_DEV -s $WEW_NET -p tcp -m multiport --dports $TCP_IN,$TCP_INT -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A INPUT -i $WEW_DEV -s $WEW_NET -p udp -m multiport --dports $UDP_IN -j ACCEPT
# Administration: everything from the administrator workstation
$IPTABLES -A INPUT -i $WEW_DEV -s $ADMIN -j ACCEPT
- Save this script with permissions 700 (readable and executable by root only) and run it on the server.
- After the firewall script has been run, enable storage of the logs. To do this, add the following lines at the end of /etc/syslog.conf:
*.* /dev/tty12
*.* /var/log/firewall
- Restart the syslogd daemon:
# killall -HUP syslogd
- From now on the file /var/log/firewall (and also console 12, Alt+F12) will receive all system logs. The iptables LOG target writes through the kernel facility, so a selector of kern.* instead of *.* would capture the firewall messages alone and keep the file smaller.
4. Changes to the firewall configuration may only be made by the principal network administrator, on the basis of a change request from the network administrators that has been approved by the chief IT manager.
5. Changes to the firewall configuration may only be requested by the managers of the individual IT departments.
6. If the firewall hangs, the network administrators are responsible for restarting it or, in the extreme case, for switching over to the backup server.
7. Do not make changes to the firewall configuration on the basis of an unverified request.
8. Updates to the operating system and to the applications in use should be installed as soon as they appear. If this conflicts with the operation of critical production systems, the updates should be installed at the earliest opportunity.
9. The settings should be audited quarterly by the network administrators.
- This can be done from the external network with nmap:
nmap -Pn -p 1-65535 -T4 -A -v agd.com
- The result should look like this:
Nmap scan report for agd.com (x.x.x.x)
Host is up (0.00047s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
53/tcp open tcpwrapped
443/tcp open tcpwrapped
- Every other port must show as filtered (no response), not closed: a closed port means the packet reached the host and was answered with a RST, i.e. the firewall did not drop it. In the event of non-compliance, report this fact to the principal network administrator, who is responsible for remedying the vulnerability.
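The quarterly check above can be automated so that the comparison against the policy is not done by eye. The script below is an added example, not part of the original policy: it runs the same nmap scan in grepable mode (-oG -), extracts the open TCP ports and flags anything the policy does not permit from outside (53 and 443). The target name and the allowlist are taken from the policy text; the two sample scan outputs embedded in it are constructed so that the logic can be exercised without a live scan.

```shell
#!/bin/sh
# Quarterly external port audit for agd.com (added example, not the page's own code).
# Compares the open TCP ports seen by nmap with the ports the policy permits from
# outside (53 and 443). Assumptions: target name and allowlist from the policy text;
# the SAMPLE_* outputs below are constructed, not real scan results.

TARGET="${TARGET:-agd.com}"
ALLOWED="53 443"      # TCP ports permitted from the Internet

# Read nmap grepable output on stdin and print the open TCP ports, one per line,
# sorted. A "Host:" line looks like:
#   Host: 203.0.113.10 (agd.com) Ports: 53/open/tcp//domain///, 443/open/tcp//https/// Ignored State: filtered (65533)
open_ports_from_grepable() {
    sed -n 's/^Host:.*Ports: //p' |
      sed 's/[[:space:]]*Ignored State.*//' |
      tr ',' '\n' |
      awk -F/ '$2 == "open" && $3 == "tcp" { gsub(/[[:space:]]/, "", $1); print $1 }' |
      sort -n | uniq
}

# $1 = newline-separated open ports, $2 = space-separated allowlist.
# Prints one FINDING line per unexpected port; returns 0 if compliant, 1 if not.
check_against_policy() {
    rc=0
    for p in $1; do
        case " $2 " in
            *" $p "*) ;;
            *) echo "FINDING: tcp/$p is open but not permitted by policy"; rc=1 ;;
        esac
    done
    return $rc
}

# Audit a captured scan: $1 is the full grepable output as text.
audit_scan_output() {
    observed=$(printf '%s\n' "$1" | open_ports_from_grepable)
    check_against_policy "$observed" "$ALLOWED"
}

# Live audit: must be run from a host OUTSIDE the company network.
audit_live() {
    audit_scan_output "$(nmap -Pn -p 1-65535 -T4 -oG - "$TARGET")"
}

# Constructed sample matching the expected result in the policy (compliant).
SAMPLE_OK='# Nmap 7.80 scan initiated
Host: 203.0.113.10 (agd.com) Status: Up
Host: 203.0.113.10 (agd.com) Ports: 53/open/tcp//domain///, 443/open/tcp//https/// Ignored State: filtered (65533)
# Nmap done'

# Constructed sample where the internal SSH port 2020 has leaked to the Internet
# and port 25 answers "closed" (a RST got out, so the firewall is not dropping it).
SAMPLE_BAD='Host: 203.0.113.10 (agd.com) Ports: 53/open/tcp//domain///, 443/open/tcp//https///, 2020/open/tcp//xinupageserver///, 25/closed/tcp//smtp/// Ignored State: filtered (65531)'

if [ "${1:-}" = "--live" ]; then
    audit_live && echo "$TARGET: firewall policy compliant"
else
    audit_scan_output "$SAMPLE_OK" && echo "sample 1: compliant"
    audit_scan_output "$SAMPLE_BAD" || echo "sample 2: NON-COMPLIANT, report to the principal network administrator"
fi
```

Run it without arguments to see the two constructed samples evaluated, or with --live from a host outside 192.168.1.0/24 to audit the real server. Only open ports are compared here; a full audit should also confirm that the remaining ports report as filtered rather than closed, as the policy item above requires.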
DNS
1. The security of the DNS configuration rests on three basic principles:
- the server answers anyone, but only for the domains it is authoritative for;
- it answers arbitrary (recursive) questions ONLY for the network it serves;
- it allows transfers of its domains ONLY to its own secondary servers.
2. Changes to the DNS configuration may only be made by the principal network administrator, on the basis of a change request from the network administrators that has been approved by the chief IT manager.
3. Changes to the DNS configuration may only be requested by the managers of the individual IT departments.
4. Do not make changes to the DNS configuration on the basis of an unverified request.
5. If the DNS service hangs, the network administrators are responsible for restarting it or, in the extreme case, for switching over to the backup server.
6. Updates to the operating system and to the applications in use should be installed as soon as they appear. If this conflicts with the operation of critical production systems, the updates should be installed at the earliest opportunity.
7. The following configuration is addressed to network administrators and must not be disclosed to unauthorized persons:
The DNS for agd.com is based on BIND and is configured as follows:
- In the global options section of named.conf.options, first define who may query the server for arbitrary domains:
- Next, configure who may ask about our own domain:
- Particular attention should be paid to the allow-transfer directive, which can reveal all the entries in our domain. If we have no secondary servers, we block transfers completely with allow-transfer { none; };.
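The following BIND fragment is an added illustration of these three principles for agd.com; it is not the page's own configuration. The ACL names, the 127.0.0.1 and 192.168.1.0/24 ranges (the internal network from the firewall script) and the zone file path are assumptions. In Debian-style layouts the zone statement lives in named.conf.local rather than named.conf.options.

```conf
// Who counts as "us": the internal network from the firewall script (assumed)
acl "internal" { 127.0.0.1; 192.168.1.0/24; };
// Our secondary servers. With no secondaries this stays "none", so that
// allow-transfer refuses everyone.
acl "secondaries" { none; };

options {
    // Principle 2: recursive questions about other people's domains are
    // answered ONLY for our own network; anyone else receives REFUSED.
    recursion yes;
    allow-recursion { internal; };
    allow-query-cache { internal; };
    // Principle 3: zone transfers ONLY to our secondaries (default for all zones)
    allow-transfer { secondaries; };
    // Do not advertise the BIND version to scanners
    version "not disclosed";
};

// Principle 1: the domain we are authoritative for is answered to anyone
zone "agd.com" {
    type master;
    file "/etc/bind/db.agd.com";   // assumed path
    allow-query { any; };
    allow-transfer { secondaries; };
};
```

With this configuration a query from outside 192.168.1.0/24 for a name we are not authoritative for is refused, while www.agd.com is still resolved for everyone, which is exactly what the dig checks below verify.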
- The next step is to audit the correctness of the configuration. We can use the dig tool for this.
- From another network, we check that the server refuses queries for names it is not authoritative for:
dig @our_server_ip some_other_name
- The result should look like this:
; <<>> DiG 9.3.2 <<>> @agd.com wp.pl A
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 65151
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
- We check that a zone transfer is not possible from an external network (the @ is essential: without it dig sends the AXFR to the local resolver, and its failure tells us nothing about our server):
dig @our_server_ip agd.com AXFR
- The result should look like this:
; <<>> DiG 9.3.2 <<>> @agd.com agd.com AXFR
;; global options: printcmd
; Transfer failed.
- In the event of non-compliance, report this fact to the principal network administrator, who is responsible for remedying the vulnerability.
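The two dig checks above can be scripted so that the audit evaluates the answers instead of relying on a visual comparison. The script below is an added example, not part of the original policy: it parses dig's header for the status code (a foreign name must come back REFUSED) and checks that an AXFR of our zone fails rather than listing records. The server and zone agd.com and the foreign name wp.pl are taken from the page; the embedded dig outputs are constructed samples, including one that shows what a leaked zone transfer looks like.

```shell
#!/bin/sh
# DNS configuration audit for agd.com (added example, not the page's own code).
# Check 1: a query for a name we are NOT authoritative for must be REFUSED
#          (the server must not act as an open resolver for outsiders).
# Check 2: a zone transfer (AXFR) of our own domain must fail.
# Assumptions: server/zone agd.com and the foreign name wp.pl come from the
# policy text; the SAMPLE_* outputs below are constructed, not real answers.

SERVER="${SERVER:-agd.com}"   # the DNS server under test
ZONE="${ZONE:-agd.com}"       # our own zone
FOREIGN="${FOREIGN:-wp.pl}"   # a name we are not authoritative for

# Extract the status code (REFUSED, NOERROR, ...) from dig's header line.
dig_status() {
    sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Check 1: $1 is dig output for a foreign name queried from outside our network.
check_foreign_query_refused() {
    status=$(printf '%s\n' "$1" | dig_status)
    case "$status" in
        REFUSED) return 0 ;;
        "")      echo "FINDING: no dig header found in the output"; return 1 ;;
        *)       echo "FINDING: foreign query answered with status $status (open resolver)"; return 1 ;;
    esac
}

# Check 2: $1 is dig output for an AXFR of our zone. dig prints
# "; Transfer failed." when the server refuses; a successful transfer prints
# every record of the zone, bracketed by the SOA record.
check_axfr_refused() {
    if printf '%s\n' "$1" | grep -q '^; Transfer failed\.'; then
        return 0
    fi
    records=$(printf '%s\n' "$1" | grep -c '[[:space:]]IN[[:space:]]' || true)
    if [ "$records" -gt 0 ]; then
        echo "FINDING: zone transfer succeeded, $records records disclosed"
    else
        echo "FINDING: unexpected AXFR output"
    fi
    return 1
}

# Live checks, to be run from a host outside 192.168.1.0/24. The @ is essential:
# without it dig asks the local resolver and tells us nothing about our server.
audit_live() {
    check_foreign_query_refused "$(dig "@$SERVER" "$FOREIGN" A +tries=1 +time=5)" &&
    check_axfr_refused "$(dig "@$SERVER" "$ZONE" AXFR +tries=1 +time=5)"
}

# Constructed samples in the dig 9.3.2 format shown in the policy.
SAMPLE_REFUSED='; <<>> DiG 9.3.2 <<>> @agd.com wp.pl A
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 65151
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

SAMPLE_OPEN_RESOLVER='; <<>> DiG 9.3.2 <<>> @agd.com wp.pl A
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
wp.pl.            300   IN   A   203.0.113.77'

SAMPLE_AXFR_FAIL='; <<>> DiG 9.3.2 <<>> @agd.com agd.com AXFR
;; global options: printcmd
; Transfer failed.'

# A leaked transfer: note the internal address that would be exposed.
SAMPLE_AXFR_LEAK='; <<>> DiG 9.3.2 <<>> @agd.com agd.com AXFR
agd.com.          3600  IN   SOA  ns1.agd.com. hostmaster.agd.com. 2024010101 3600 900 604800 86400
agd.com.          3600  IN   NS   ns1.agd.com.
www.agd.com.      3600  IN   A    203.0.113.10
admin.agd.com.    3600  IN   A    192.168.1.3
agd.com.          3600  IN   SOA  ns1.agd.com. hostmaster.agd.com. 2024010101 3600 900 604800 86400'

if [ "${1:-}" = "--live" ]; then
    audit_live && echo "$SERVER: DNS policy compliant"
else
    check_foreign_query_refused "$SAMPLE_REFUSED" && echo "sample 1: compliant"
    check_foreign_query_refused "$SAMPLE_OPEN_RESOLVER" || echo "sample 2: NON-COMPLIANT"
    check_axfr_refused "$SAMPLE_AXFR_FAIL" && echo "sample 3: compliant"
    check_axfr_refused "$SAMPLE_AXFR_LEAK" || echo "sample 4: NON-COMPLIANT, report to the principal network administrator"
fi
```

Without arguments the script evaluates the four constructed samples; with --live it queries the real server, which must be done from a host outside the internal network, otherwise the allow-recursion ACL will legitimately answer and the first check proves nothing.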