Monday, February 4, 2008

IT Magic: Feb, 08

SolutionBase: Block unwanted network access with PacketFence
Recently, I spent a good amount of time installing the open source Network Access Control system PacketFence. There is one aspect of PacketFence that is far more valuable than all of the rest: Registration. The registration system included with PacketFence makes this system a fully viable solution for a lot of situations: corporations, cafes, institutions, businesses, wireless networks.

With the PacketFence registration system in place, every network-enabled machine on your network will have to register before it can gain access to the outside world. Without registering, a machine is blocked.
How PacketFence registration works
The PacketFence registration system is similar to those found within proprietary systems (e.g., Bluesocket, NoCatAuth). The authentication of users is based on HTTP authentication over SSL. This authentication can be handled with any of the models accepted by HTTP (e.g., LDAP, local, RADIUS). In this article, I'll show you how to use the simplest method -- local -- because it requires very little setup.
Author's environment

This article will cover setting up registration with PacketFence on an Ubuntu Server 6.06 installation. If you have yet to install PacketFence, please refer to the original article for help. As with much of the open source world, one of the nice aspects of using this software is that it does not require big iron. In fact, the system I'm using is installed on an older AMD 2075 MHz processor with 512 MB of RAM. It's not a dog, certainly, but compared to today's standards, it's getting a bit long in the tooth. The machine is also headless, so having SSH access will be required in my situation.
A few changes to start

There are a few minor tweaks to take care of; they will differ slightly from the original installation. Let's make sure we have the following modules installed from CPAN. First, as the root user, enter the cpan -e command to get to the CPAN command line. Now run the following:
install Date::Parse
install IPTables::IPv4
install Term::ReadKey
install IO::Socket::SSL
install Net::Telnet
install Net::Nessus::Client
install Net::Nessus::Message
install Net::Nessus::ScanLite

If you have already installed any of the above, you will get a message saying "XXX is already up to date" where XXX is the module name.

Add a line to the /usr/local/pf/conf/pf.conf file to enable Snort. First run the command which snort; this will tell you where your Snort executable is, most likely /usr/sbin/snort. With that in mind, add the following under the [services] section: snort = /usr/sbin/snort

One final configuration to check is in your php.ini file. In our installation, this file is located in the /etc/php5/apache2/ directory. Take a look around line 522 and make sure you see:
allow_url_fopen = On

If you don't see it, or it is set to Off, make the change.

You will also need to set your time zone. The time zone setting is found around line 574 and looks like:
date.timezone =

You will need to add your timezone. In my case, that is America/Louisville.

The final addition you must make is to install Bind. To do this, issue the command (either as the root user or using sudo) apt-get install bind.

With those final tweaks finished, you are ready to get started with registration.
Setting up authentication

The authentication process we'll use will be local. This means that we'll employ htpasswd to take care of the dirty work. Before you start this process, however, take a look at the /usr/local/pf/conf/templates directory. In that directory, you'll find a file called local.conf. The contents of this file look like:

AuthUserFile /usr/local/pf/conf/user.conf
AuthGroupFile /dev/null
AuthName "Local"
AuthType Basic
require valid-user
The line AuthUserFile /usr/local/pf/conf/user.conf is what you need to consider when you create the password file with htpasswd. Out of the box, that line will most likely not be set. If not, set it with the example I have above. That file, user.conf, will be the file we create with htpasswd.

Now understand that using local authentication will require creating users/passwords for every user. This can be very time-consuming if the number of users is large, so if you're within a large environment, consider using another authentication type. For the sake of simplicity, we'll use local.

We will initially run the htpasswd command with the -c flag to create the file. So the first run will be:
htpasswd -c /usr/local/pf/conf/user.conf USERNAME

where USERNAME is the name of the first user. Upon issuing that command, you will be prompted twice for that user's password. This will be the username/password combination the user will use when they are prompted for PacketFence registration. Now you will have to create all usernames/password combos for every user. The next time you issue the command, you'll do so without the -c flag because the file is already created. So the remaining commands will look like:
htpasswd /usr/local/pf/conf/user.conf USERNAME
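As an added check (my own example, not code from the article or from PacketFence), the following Python verifies a login against a user.conf entry the way Apache Basic auth does and labels the hash scheme of every entry, since in local mode this one file is what gates network access. It implements htpasswd's $apr1$ (-m) and {SHA} (-s) formats; the sample file contents are constructed and the crypt(3) entry in it is a made-up value.

```python
import base64, hashlib, re, secrets

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def apr1_md5(password: bytes, salt: bytes) -> str:
    """Apache's $apr1$ md5crypt variant, the scheme written by `htpasswd -m`."""
    magic, salt = b"$apr1$", salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    for pl in range(len(password), 0, -16):            # feed len(pw) bytes of alt
        ctx.update(alt[:min(pl, 16)])
    for bit in bin(len(password))[:1:-1]:              # bits of len(pw), LSB first
        ctx.update(b"\0" if bit == "1" else password[:1])
    final = ctx.digest()
    for i in range(1000):                              # 1000 stretching rounds
        r = hashlib.md5(password if i & 1 else final)
        r.update((salt if i % 3 else b"") + (password if i % 7 else b""))
        r.update(final if i & 1 else password)
        final = r.digest()
    groups = [((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in
              ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))] + [(final[11], 2)]
    out = bytes(ITOA64[(v >> (6 * k)) & 0x3F] for v, n in groups for k in range(n))
    return (magic + salt + b"$" + out).decode()        # crypt-style base64, low bits first

def verify(password: str, stored: str) -> bool:
    """Check a login the way Apache Basic auth does against one user.conf hash."""
    if stored.startswith("$apr1$"):
        salt = stored[6:].split("$", 1)[0].encode()
        return secrets.compare_digest(apr1_md5(password.encode(), salt), stored)
    if stored.startswith("{SHA}"):                     # `htpasswd -s`: unsalted SHA-1
        sha = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
        return secrets.compare_digest("{SHA}" + sha, stored)
    return False  # crypt(3) and plaintext entries are only flagged by audit()

def audit(user_conf: str) -> dict:
    """Label each user's hash so weak entries get rehashed before registration goes live."""
    def label(h):
        if h.startswith("$apr1$"):
            return "apr1-md5 (salted, iterated)"
        if h.startswith("{SHA}"):
            return "sha1 (unsalted: WEAK)"
        if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
            return "crypt(3) (password truncated to 8 chars: WEAK)"
        return "plaintext or unknown (FIX)"
    return {u: label(h) for u, _, h in (l.partition(":") for l in user_conf.splitlines())
            if u and not u.startswith("#")}

SAMPLE_USER_CONF = "\n".join([                         # constructed; crypt(3) value is made up
    "alice:" + apr1_md5(b"correct horse", b"r31....."),
    "bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=", "printer01:abJnggxhB/yWI", "guest:guest"])
```

Run audit() over the real /usr/local/pf/conf/user.conf before starting PacketFence; entries written by an htpasswd that defaults to crypt(3) are better regenerated with htpasswd -m.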

You are now ready to reconfigure PacketFence and start it.
Rerunning the configurator.pl script

When we first installed PacketFence, we did so by running the configurator.pl script in testing mode. This time we are going to run the configurator.pl script in Registration mode. To do this, cd to the /usr/local/pf directory and issue the command (as the root user) ./configurator.pl. Here's what that process will look like:
Checking existing configuration...
Existing configuration found, upgrading
Would you like to modify the existing configuration [y|n]
y
Would you like to use a template configuration or custom [t|c]
t
Which template would you like:
1) Test mode
2) Registration
3) Detection
4) Registration & Detection
5) Registration, Detection & Scanning
6) Session-based Authentication
Answer: [1|2|3|4|5]: [1|2|3|4|5|6]
5
Setting option scan to template value enabled
Setting option dhcpdetector to template value enabled
Setting option mode to template value passive
Setting option isolation to template value disabled
Setting option testing to template value disabled
Setting option detection to template value enabled
Setting option registration to template value enabled
Setting option auth to template value local
Setting option skip_mode to template value window
Setting option skip_window to template value 2w
Setting option aup to template value disabled
Setting option skip_reminder to template value 1d
Setting option pass to template value packet
Setting option ssl to template value enabled
Setting option user to template value admin
Setting option port to template value 1241
Setting option registration to template value enabled
Setting option host to template value 127.0.0.1
Loading Template: Warning PacketFence is going LIVE - WEAPONS HOT
Enabling host trapping! Please make sure to review conf/violations.conf and disable any violations that don't fit your environment
** NOTE: The configuration can be a bit tedious. If you get bored, you can always just edit /usr/local/pf/conf/pf.conf directly **
What is my management interface? (default: eth0) [eth0|?]:
eth0 - ok? [y|n]
y
What is its IP address? (default: 192.168.1.29 [?]):
192.168.1.29 - ok? [y|n]
y
What is its mask? (default: 255.255.255.0 [?]):
255.255.255.0 - ok? [y|n] y
What is my gateway? (default: 192.168.1.1 [?]):
192.168.1.1 - ok? [y|n] y
TRAPPING CONFIGURATION
What is my monitor interface? (default: eth1) [eth0|?]: eth0
eth0 - ok? [y|n] y
ALERTING CONFIGURATION
Where would you like notifications of traps, rogue DHCP servers, and other sundry goods sent? (default: root@mydomain.com[?]):
root@mydomain.com - ok? [y|n] y
What should I use as my SMTP relay server? (default: mail.mydomain.comt [?]):
mail.mydomain.com - ok? [y|n] y
Please review conf/pf.conf to correct any errors or change pathing to daemons
After starting PF, use bin/pfcmd or the web interface (https://ubuntu.:1443) to administer the system
Committing settings...
Enjoy!

After all of that, you are ready to start PacketFence. To do so, issue the command /usr/local/pf/bin/start and you should see the following:
Checking configuration sanity...
service|command
config files|start
iptables|start
httpd|start
pfmon|start
pfdetect|start
named|start
snort|start

PacketFence is now up and running and ready for registration.
Registering a machine

The first thing you are going to want to do is gather the MAC addresses of any device on your network that is network-enabled but not a computer (e.g., routers, printers, or hubs). You will have to register those devices manually. To do this, use the /usr/local/pf/bin/pfcmd command like so:
/usr/local/pf/bin/pfcmd node edit 00:e0:4d:0d:94:a2 status="reg",pid=NAME

Make sure you use a name that is unique to the device. Now that device will be registered and will have access.

Now any computer that tries to access the outside network will find itself on the registration screen (Figure A).

Figure A

You can configure the Acceptable Use Policy through the PacketFence Web administration tool.

The users will have to select the type of authentication from the drop-down list. In our instance, they will choose Local. When they do (and select Register), they will be greeted with a login screen like the one in Figure B.

Figure B

The admin is not a good user to use for registration.

Once the user enters a valid username/password combination, the user will then be required to allow the system to scan for vulnerabilities. In the warning screen, they must press the Scan button to allow the system to scan. Once the scan is successful, the user will be greeted with the Registration Successful screen, similar to the one in Figure C.

Figure C

Even though registration was successful, the user still has to press the Complete Registration button to enable network access.

Once the user hits the Complete Registration button, they'll see a screen telling them that network access is being enabled. Once they see that screen, they are good to go.
Further configurations

It is wise to take your PacketFence configuration further by using the Web-based administration tool. To access it, point your browser to https://IP_OF_PacketFence_SERVER:1443 and log in with the admin password you set up during installation. From there, you can fine-tune your PacketFence installation.
Open source to the rescue

PacketFence does, via open source, what many applications costing hundreds to thousands of dollars do. On top of this, many of the proprietary solutions are not nearly as configurable as PacketFence. Even though PacketFence can be a bit daunting both in installation and configuration, it is worth it if you are looking for another layer of security for your network.

Source: http://techrepublic.com
BY:
Amresh Anjan
_______________________________________________________________________________

Norton Internet Security 2008

The Right Tool for the Job?
Windows computers require protection from a wide variety of common viruses and spyware programs, not to mention unwanted intrusions. Novice users are particularly vulnerable to system infections and identity theft. Does Norton Internet Security 2008 effectively address all these issues?
