Secure Network


When can a network be considered more or less secure?

Tools to protect yourself

Many tools can be used to protect against external intruders; this post covers three of them: a firewall, fail2ban and vmam.

Firewall

In a network, the information exchanged can be of various kinds, and a given node may not always want that information to be visible to every other node, nor want to receive information of just any type from the other nodes.

The task of the firewall is to filter the information coming to and going from a node, establishing which information is accepted from which nodes and which of the node's own information is shared with the other nodes on the network.

The main command for configuring your firewall is iptables.

# iptables -t table command chain rule-specification [options]

iptables is very useful when you want to protect a single server, but at the level of a whole network the rules quickly become too many to manage by hand.

There is a variety of software that interfaces with or wraps iptables; one of my favorites is ufw.

$ sudo ufw enable
$ sudo ufw allow ssh
$ sudo ufw allow http
$ sudo ufw allow https

With these four simple commands, I enabled the firewall and opened three particular ports: 22 (ssh), 80 (http) and 443 (https).
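As an added example that is not part of the original post or of ufw itself, here is the iptables ruleset those four ufw commands amount to, written with the iptables syntax shown above. The service-to-port table and the conntrack-based rules are my choices (ufw generates more chains and logging rules than this), and the script only prints the rules unless apply_rules is called as root.

```shell
#!/bin/sh
# Added example, not code from the post or from ufw: the iptables ruleset that
# the four ufw commands amount to, spelled out with the generic syntax
# "iptables -t table command chain rule-specification" from the post.
# Minimal equivalent, IPv4 only; assumes the kernel has the conntrack match.

# service_port NAME: the ports ufw resolves via /etc/services for the three
# services used in the post (constructed table, extend as needed).
service_port() {
    case "$1" in
        ssh)   echo 22 ;;
        http)  echo 80 ;;
        https) echo 443 ;;
        *)     return 1 ;;
    esac
}

# firewall_rules SERVICE...: print the iptables commands, one per line, without
# running them. Order matters: the default policy is DROP (ufw's "default deny
# incoming"), loopback and already-established flows are accepted first, then
# one rule per service opens new TCP connections to that port only.
firewall_rules() {
    echo "iptables -t filter -P INPUT DROP"
    echo "iptables -t filter -P FORWARD DROP"
    echo "iptables -t filter -P OUTPUT ACCEPT"
    echo "iptables -t filter -A INPUT -i lo -j ACCEPT"
    echo "iptables -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t filter -A INPUT -m conntrack --ctstate INVALID -j DROP"
    for svc in "$@"; do
        port=$(service_port "$svc") || { echo "unknown service: $svc" >&2; return 1; }
        echo "iptables -t filter -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# apply_rules SERVICE...: generate the full ruleset first, and only then flush
# and apply it, so a typo in a service name cannot leave the host with a DROP
# policy and no accept rules (which would lock out the SSH session).
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: run as root" >&2; return 1; }
    rules=$(firewall_rules "$@") || return 1
    iptables -t filter -F && printf '%s\n' "$rules" | sh -e
}

# Dry run: show what "ufw allow ssh / http / https" corresponds to.
firewall_rules ssh http https
```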

Another tool that I find very useful for interfacing with iptables is firewall-cmd.

Once we have configured our firewall with these rules, we have protected our network from possible attacks. But is that enough? Let's say that one of the servers in my network is a webserver and therefore we have enabled the http and https protocols (ports 80 and 443 respectively). How do we spot possible attacks on these ports?

Fail2ban

To protect a web, mail, ssh, ftp or directory server from possible attacks through the openings we left in the firewall, we need another kind of tool. fail2ban is a very useful tool for automating the protection of our servers.

Here is a list of the most important features available in Fail2ban:

  • client/server
  • multithreaded
  • Gamin support
  • autodetection of the date/time format
  • wildcard support in logpath option
  • support for a lot of services (sshd, apache, qmail, proftpd, sasl, asterisk, etc)
  • support for several actions (iptables, tcp-wrapper, shorewall, mail notifications, etc)

To install fail2ban, either build it from source:

$ git clone https://github.com/fail2ban/fail2ban.git
$ cd fail2ban
$ sudo python setup.py install

or use your distribution's package manager:

$ sudo apt-get install fail2ban 	# Debian-based installation
$ sudo yum install fail2ban 		# Red Hat-based installation

Fail2ban is composed of two parts: a client and a server. The server is multi-threaded and listens on a Unix socket for commands. The server itself knows nothing about the configuration files, so at start-up it is in a “default” state in which no jails are defined. fail2ban-server should not be used directly except for debugging.

fail2ban-client is the frontend of Fail2ban. It connects to the server socket file and sends commands in order to configure and operate the server. The client can read the configuration files or can simply be used to send a single command to the server using either the command line or the interactive mode.
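To make the server's job concrete, here is an added example that is not code from the post or from the fail2ban project: a few constructed sshd log lines and a POSIX shell function that does what an sshd jail does, matching a failregex, counting failures per source address and emitting the ban action once maxretry is reached. The regex, the sample lines and the maxretry value of 5 (fail2ban's default) are assumptions; findtime is deliberately left out.

```shell
#!/bin/sh
# Added example (not from the post or the fail2ban project): a minimal
# re-implementation of an sshd jail, to show how a filter regex plus the
# maxretry option turn log lines into ban decisions. No root needed.

# Constructed sample auth.log lines (not real traffic); 203.0.113.5 fails
# five times, 198.51.100.7 fails once and logs in once with a key.
SAMPLE_LOG='Mar  3 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Mar  3 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 4243 ssh2
Mar  3 10:00:05 host sshd[1003]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2
Mar  3 10:00:07 host sshd[1004]: Failed password for invalid user test from 203.0.113.5 port 4244 ssh2
Mar  3 10:00:09 host sshd[1005]: Failed password for bob from 198.51.100.7 port 5001 ssh2
Mar  3 10:00:11 host sshd[1006]: Failed password for invalid user oracle from 203.0.113.5 port 4245 ssh2
Mar  3 10:00:13 host sshd[1007]: Failed password for invalid user pi from 203.0.113.5 port 4246 ssh2'

# candidates MAXRETRY: read log lines on stdin and print every source IP
# whose failed-login count reaches MAXRETRY. The sed pattern plays the role
# of fail2ban's failregex ("Failed password for ... from <HOST>"); lines
# that do not match (successful logins, other daemons) are ignored.
candidates() {
    maxretry="$1"
    sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c \
      | awk -v max="$maxretry" '$1 >= max { print $2 }'
}

# ban_action IP: the command fail2ban's iptables action would run for a
# banned host; echoed here instead of executed so the script is safe to run.
ban_action() {
    echo "iptables -I INPUT -s $1 -j DROP"
}

# run_jail: one pass of the jail over the sample log with maxretry=5
# (fail2ban's default); prints the ban action for each offending address.
run_jail() {
    printf '%s\n' "$SAMPLE_LOG" | candidates 5 | while read -r ip; do
        ban_action "$ip"
    done
}

run_jail
```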

For more information, see the docs.

So, now we have protected our network with a firewall and our services with fail2ban. But what if the attacker is already inside our physical network, via LAN or Wi-Fi?

vmam

To protect against attacks from inside our network, the only option is to control selectively who can access it. For this type of task, we need three things: an LDAP server, a RADIUS server and a vmam server.

vmam is a server-side application that works with an open source LDAP server or with Active Directory. Basically, it creates mac-address users that represent the network card of a machine and associates these users with LDAP groups that represent the various VLANs defined in your own network architecture (Wi-Fi, switches, routers, firewalls, etc.), giving centralized wired and wireless management with 802.1X support. In addition, depending on its configuration, it can also associate computer accounts with these groups so that a machine can access the network by presenting the credentials of its computer account.

The installation of vmam is very simple. With pip:

# pip install vmam

vmam has two modes: automatic and manual.

In manual mode, mac-addresses are managed from the command line using the vmam mac command, which has options to add, remove and disable the mac-addresses allowed to access the network.

In automatic mode, mac-addresses are managed by contacting the LDAP server and taking the machines that last contacted it within the last N seconds, minutes, hours or days (the window is set in the configuration file), depending on the needs and policies decided. This mode is activated by launching vmam start on the command line.

For more details, see the docs.

Conclusion

In the end, with only three tools, we have protected the network, the servers and the services they offer from remote attackers and even from local attackers connected to our network.

Protecting ourselves effectively not only gives us the ability to expose our services to the outside world, but gives us greater control and awareness of our network.