Friday, April 22, 2016

Firewall knock operation: authorize network access by authentication

Normally we create firewall rules according to our needs and network structure, allowing some subnet or specific hosts to reach services such as http, ssh, telnet, ftp, smtp, pop3, imap, etc. behind the firewall. Those rules stay open all the time, so the services can be discovered by scanning the network, and they are exposed to attack as well.

So fwknop is designed to make it harder for an attacker to detect the services running inside our network, or to attack them. It is client/server software: the server monitors and processes Single Packet Authorization (SPA) packets generated by its clients. After authenticating and decrypting a valid SPA packet, it modifies the firewall or ACL policy to allow the requested access, and it removes those rules again after a configured timeout.


*** setup information ***
- fwknop server eth0 ip: 192.168.202.25/24
                           eth1 ip: 192.168.23.1/24

- server behind it ip: 192.168.23.2/24
- fwknop client ip: 192.168.202.1/24
- ports allowed both on the fwknop server and on the server behind it:
  tcp/80,tcp/8080,tcp/8081,tcp/23,tcp/21
- diagram
  fwknop client --> fwknop server --> server

- as it is a firewall (router), we must enable ip_forwarding
$ sudo python -c "import os;os.system('echo 1 > /proc/sys/net/ipv4/ip_forward')"

*** fwknop server ***
1- install the fwknop-server package
 $ sudo apt-get install fwknop-server

2- configure the fwknop access policy in the file /etc/fwknop/access.conf. We will use KEY_BASE64 and HMAC_KEY_BASE64 on the client to get authorization from the server. After 600s (10 minutes) the access rule is deleted, so the client will need to authenticate again.

SOURCE                    192.168.0.0/16
OPEN_PORTS                tcp/80,tcp/8080,tcp/8081,tcp/23,tcp/21
KEY                       goodpassword
FW_ACCESS_TIMEOUT         600
REQUIRE_SOURCE_ADDRESS    Y
KEY_BASE64                RE9OVF9DSEFOQUdFTUVfRVZFUgo=
HMAC_KEY_BASE64           RE9OVF9DSEFOQUdFTUVfTkVWRVIK



3- configure the fwknopd daemon configuration file /etc/fwknop/fwknopd.conf
PCAP_INTF                   eth0;
ENABLE_IPT_FORWARDING       Y;


4- set the router firewall policy to deny by default on both the INPUT and FORWARD chains (fwknopd still sees the SPA packets, because it sniffs eth0 with libpcap rather than receiving them through the INPUT chain)
$ sudo iptables -P INPUT DROP
$ sudo iptables -P FORWARD DROP

5- start the fwknop server
$ sudo fwknopd -a /etc/fwknop/access.conf -c /etc/fwknop/fwknopd.conf
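As an added check (not part of the post or of the fwknop project), this small Python script parses the access.conf stanza from step 2 and flags settings a reviewer would question; the stanza is embedded as a constructed string, and the hardened counterpart uses stand-in keys in place of real `fwknop --key-gen` output.

```python
import base64
import string
# Constructed copy of the access.conf stanza from step 2 (not read from disk).
POST_CONF = """
SOURCE        192.168.0.0/16
OPEN_PORTS    tcp/80,tcp/8080,tcp/8081,tcp/23,tcp/21
KEY                   goodpassword
FW_ACCESS_TIMEOUT     600
REQUIRE_SOURCE_ADDRESS    Y
KEY_BASE64          RE9OVF9DSEFOQUdFTUVfRVZFUgo=
HMAC_KEY_BASE64     RE9OVF9DSEFOQUdFTUVfTkVWRVIK
"""
# Constructed stand-in for `fwknop --key-gen` output: non-text bytes (16 Rijndael, 64 HMAC), not a typed passphrase.
_RIJNDAEL_B64 = base64.b64encode(bytes(range(200, 216))).decode()
_HMAC_B64 = base64.b64encode(bytes(range(128, 192))).decode()
HARDENED_CONF = f"""
SOURCE                 192.168.202.0/24
OPEN_PORTS             tcp/80,tcp/23
FW_ACCESS_TIMEOUT      600
REQUIRE_SOURCE_ADDRESS Y
KEY_BASE64             {_RIJNDAEL_B64}
HMAC_KEY_BASE64        {_HMAC_B64}
"""

def parse_access_conf(text: str) -> dict:
    """Parse one stanza of 'DIRECTIVE value' lines; blank and '#' lines are skipped."""
    conf = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            conf[name.upper()] = value.strip()
    return conf

def lint_access_conf(text: str) -> list:
    """Return findings a reviewer would raise; an empty list means nothing was flagged."""
    conf = parse_access_conf(text)
    findings = []
    if conf.get("REQUIRE_SOURCE_ADDRESS", "N").upper() != "Y":
        findings.append("REQUIRE_SOURCE_ADDRESS is not Y: the IP header may pick the allowed address")
    if "KEY" in conf and "KEY_BASE64" in conf:
        findings.append("both KEY and KEY_BASE64 are set: keep exactly one Rijndael key")
    if "HMAC_KEY" not in conf and "HMAC_KEY_BASE64" not in conf:
        findings.append("no HMAC key: SPA packets are decrypted without prior authentication")
    for name in ("KEY_BASE64", "HMAC_KEY_BASE64"):
        if name in conf:
            key = base64.b64decode(conf[name])
            # Every byte printable means the key was typed (here: a word plus the '\n' that echo appends).
            if all(chr(b) in string.printable for b in key):
                findings.append(f"{name} is {len(key)} bytes of plain text: use fwknop --key-gen")
    return findings
```

Run it against the stanza from step 2 and it reports that both Rijndael key forms are set and that both base64 keys decode to typed text; the hardened stanza produces no findings.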

*** fwknop client ***
on the client (192.168.202.1)
1- to access port 80 on the fwknop server 192.168.202.25, use the following command
$ fwknop -A tcp/80 --use-hmac -a 192.168.202.1 -D 192.168.202.25 --key-base64-hmac RE9OVF9DSEFOQUdFTUVfTkVWRVIK --key-base64-rijndael RE9OVF9DSEFOQUdFTUVfRVZFUgo=

after you execute the command, the fwknop server creates an iptables rule allowing the client 192.168.202.1 in, so you can now reach http port 80 on the server 192.168.202.25 for 10 minutes; then it deletes the rule and you have to execute the command again.

2- to access port 23 on the server behind the fwknop server (192.168.23.2, reached through 192.168.202.25), use the following command
$  fwknop -A tcp/23 --use-hmac -N 192.168.23.2:23 -a 192.168.202.1 -D 192.168.202.25 --key-base64-hmac RE9OVF9DSEFOQUdFTUVfTkVWRVIK --key-base64-rijndael RE9OVF9DSEFOQUdFTUVfRVZFUgo=

and now you can telnet to the server 192.168.23.2 from the client
~$ telnet 192.168.23.2
Trying 192.168.23.2...
Connected to 192.168.23.2.
Escape character is '^]'.

MikroTik v5.20
Login: 




------------
some commands to operate the fwknop server
- to terminate the fwknop daemon
$ sudo fwknopd --kill

- check its status
$ fwknopd --status
Detected fwknopd is running (pid=4609).


- delete all firewall rules that fwknop created
$ fwknopd --fw-flush

- list all firewall rules that fwknop created
$ fwknopd --fw-list-all


