Networking strategy needed


rfxcasey

Thread Starter
Joined
Jan 26, 2009
Messages
76
My network as it stands currently is as follows. I have several PCs sitting attached to a switch which is then attached to a dedicated firewall machine which is running Smoothwall 3.0 and acting as a router for that segment of my network. The firewall machine in turn is attached to a DSL modem/router. The DSL modem/router is attached to my ISP.

I have recently acquired a Dell PowerEdge server on which I have installed Debian server edition and ProFTPD to host with. I inserted the server into my network by connecting it to the DSL modem/router so it is basically in parallel with the firewall machine and on its own segment of the network. I can successfully connect to the server from my LAN and transfer files to and from the server to any of the other machines on my network using the server's internal IP. Then I hopped on the neighbor's WiFi signal with my laptop and connected to my server using FileZilla and the DSL modem/router's external IP. It finds the server, connects, logs in, but when it does a LIST command I get a message that says "Server sent passive reply with unroutable address." I was using ports 5686 and 5687 and have forwarded both ports in the virtual server section of my DSL modem/router. I have the passive ports set to 49153-65535 and have forwarded those as well. I have tried using active mode in FileZilla as well and I have the same problem where it hangs at the LIST command, but I don't get the error message about the passive reply; instead (if I remember correctly) it just times out after a while and says that the list command failed. Any advice on this would be great. Most of the time I have the server set up as the DMZ host in the DSL modem/router configuration.

I have a couple more questions. What would be the best way to proceed with this setup (once I get it working) to obtain a reasonable amount of security on my server? Should my server be on the DMZ of the DSL router/modem? If I put my firewall machine (which the server is NOT behind) on the DMZ instead, would this cause any problems with people from the WAN trying to connect to my server machine? Should my server be put behind my firewall machine, or is this going to cause more problems than it's worth? Should my server have its own hardware firewall, or would a software firewall suffice?
 
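The "passive reply with unroutable address" error above comes from the client checking the address the server advertises in its 227 reply. The following is an added example for this thread, not code from FileZilla or ProFTPD, that parses that reply and applies the same check; the addresses, ports and replies are constructed, with 203.0.113.7 standing in for the DSL router's public address and 49153-65535 for the forwarded passive range.

```python
"""Parse an FTP '227 Entering Passive Mode' reply and decide whether the
data channel it advertises is usable from the client's side of a NAT.

Added example for this thread, not code from FileZilla or ProFTPD.  The
addresses, ports and replies below are constructed; 203.0.113.7 stands in
for the DSL router's public address.
"""
import ipaddress
import re

# RFC 959 reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"^227\D*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# Ranges a client on the public internet cannot reach: RFC 1918 plus
# loopback, link-local and "this network".  (Listed explicitly rather than
# using is_private, which would also flag the documentation nets used as
# sample public addresses here.)
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply: str) -> tuple[ipaddress.IPv4Address, int]:
    """Return (address, port) from a 227 reply; raise ValueError if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"octet out of range in {reply!r}")
    addr = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("PASV port 0 is invalid")
    return addr, port


def is_unroutable(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in UNROUTABLE)


def data_channel_target(reply: str, control_peer: str,
                        forwarded_ports: tuple[int, int] = (49153, 65535)) -> dict:
    """Decide what the client should do with a PASV reply.

    control_peer    -- address the client dialled for the control connection
    forwarded_ports -- PassivePorts range that is port-forwarded on the router
    """
    addr, port = parse_pasv(reply)
    peer = ipaddress.IPv4Address(control_peer)
    # A server behind NAT advertised its LAN address to a client on the
    # internet: this is FileZilla's "passive reply with unroutable address".
    if is_unroutable(addr) and not is_unroutable(peer):
        return {"status": "unroutable", "addr": addr, "port": port}
    lo, hi = forwarded_ports
    if not lo <= port <= hi:
        # The router has no forward for this port, so the data connection
        # would simply time out (the symptom seen with LIST in active mode).
        return {"status": "port-not-forwarded", "addr": addr, "port": port}
    return {"status": "ok", "addr": addr, "port": port}


def build_pasv_reply(public_ip: str, port: int) -> str:
    """The 227 line a NAT'd server should send once it is told its public
    address (ProFTPD: MasqueradeAddress) and a forwarded PassivePorts range."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    octets = str(ipaddress.IPv4Address(public_ip)).replace(".", ",")
    return f"227 Entering Passive Mode ({octets},{port // 256},{port % 256})."


if __name__ == "__main__":
    bad = "227 Entering Passive Mode (192,168,1,50,195,80)."
    print(data_channel_target(bad, "203.0.113.7"))    # unroutable from the internet
    print(data_channel_target(bad, "192.168.1.20"))   # fine from the LAN
    print(build_pasv_reply("203.0.113.7", 50000))
```

The two calls in the `__main__` block reproduce the situation in the post: the same 227 reply is fine from the LAN (both ends are on 192.168.x) and rejected from the neighbor's WiFi, because the control connection went to a public address while the server advertised its private one. The fix is on the server, not the router: ProFTPD needs `MasqueradeAddress` set to the public address (or the dynamic-DNS name) and `PassivePorts` restricted to the range the router forwards.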

zx10guy

Trusted Advisor
Spam Fighter
Joined
Mar 30, 2008
Messages
6,574
I generally don't allow naked FTP services to be fronted on the internet so I can't help you there.

But as far as security, my statement above gives you a hint as to why. FTP is inherently insecure unless you use some flavor of secure copy like SFTP or SCP, which is secure copy over an SSH tunnel. I would do those two types as a baseline. I would NOT just leave the server in a DMZ as this will just present the entire server to the internet....meaning any listening port on the server will be accessible. Moving the server behind the firewall on your local subnet is more secure as you limit the number of ports your server is exposed to for external connections. The flip side is that those ports are still providing a gateway to your server. If a hacker smacks your server via an open port/port forward, the hacker now has total access to your private subnet as the server is now a launch point for internal attacks. The alternative is to isolate the server via a combination of VLANs and a separate subnet for the server. You would need to be able to place ACLs at the router interface for this new network segment. This setup provides isolation and makes it harder for contamination or propagation of hacking attempts. Also, a deep level packet inspecting firewall would help in providing additional security. Firewalls which do this are primarily in the realm of higher end SMB/enterprise firewalls. Deep level packet inspecting firewalls do have their limitations as they cannot peer into a secure tunnel.

My choice which limits the number of things you have to do is to put up a VPN end point router/firewall. You don't need to add any port forward rules and hence would have maximum security as you're not poking holes on your perimeter defense. VPNs require a few things before someone can establish connectivity. Your server can be left on the private subnet and you won't have to worry about doing anything special to isolate the server.
 

rfxcasey

Thread Starter
Joined
Jan 26, 2009
Messages
76
My choice which limits the number of things you have to do is to put up a VPN end point router/firewall. You don't need to add any port forward rules and hence would have maximum security as you're not poking holes on your perimeter defense. VPNs require a few things before someone can establish connectivity. Your server can be left on the private subnet and you won't have to worry about doing anything special to isolate the server.
Will this require another physical firewall, possibly between the server and the DSL modem/router? If I just refrain from putting the server on the DMZ of the DSL modem/router how much more secure would that be?

As for VPN I have wanted to learn how to set one up but never tried it before so I am a total noob concerning it. Can you give more details about what exactly I would have to do?

On a side note a friend of mine suggested putting my server behind my firewall and then putting my DSL modem/router into bridge mode so that the firewall is presented directly to the internet while also avoiding a double NAT situation. Then forward the appropriate ports to the server. Is this a good solution? My firewall is capable of stateful packet inspection.
 

zx10guy

Trusted Advisor
Spam Fighter
Joined
Mar 30, 2008
Messages
6,574
Even though my home network and the networks I've built for work are anything but simple, I always subscribe to the KISS principle in keeping things simple. I haven't worked with the Smoothwall application so I can't comment there. My stance on these things is if you have to load a piece of network software on a PC or server, you're opening up too many variables for things to go wrong. In my mind, if you have an appliance dedicated for a particular task, this is usually best. With the Smoothwall, you need to figure out if VPN functionality is supported. If it is, you won't have to add additional physical NICs.

The way I would do it is to replace the Smoothwall with a router/firewall appliance capable of doing VPNs. You have to be absolutely certain your DSL modem/router is running as a pure modem. Otherwise things get real messy. The VPN end point would just connect to your modem and any VPN client connections would terminate directly to the router/firewall.

The VPN technology I use the most and am most familiar with is IPSEC. Without getting into the boring and long details, IPSEC establishes a tunnel via two "phases." The first phase or phase 1 is IKE negotiation. IKE (internet key exchange) is when the two peers confirm each other's identity. At enterprise levels, people usually use some sort of certificate which is passed between the two peers. At the personal or SMB level, the use of pre-shared keys is the norm. Other things have to line up during this phase for a successful negotiation like whether SHA or MD5 hashing is used along with the encryption level of your Diffie-Hellman group. A lot of this has to do with the cryptography of IPSEC and I have to admit I barely understand the mechanics behind it. After phase 1 comes phase 2. Phase 2 is where the encryption is set up and the data in the packet is encrypted. The cryptography used in this is anything from DES to AES 256 bit. The more common and more secure encryption algorithms used are 3DES and AES 256. Of course, with higher level cryptography comes higher processor demands. This part is referred to as ESP (encapsulating security payload.)

As you can see there's a lot that goes on with an IPSEC tunnel and why many organizations use this as their means of securing remote access. There are other new methods out right now which provide much of the security features of IPSEC but don't have as many restrictions. IPSEC requires a client to be run on the remote box for remote client connections. To get around this, a new VPN technology has been developed called VPN over SSL or as Cisco calls it WebVPN. This technology allows the tunnel to be built over an SSL connection. There are a bunch of flavors of how this works but the various manufacturers have the same type of functionality. Netgear has an SSL VPN concentrator you can insert into your network. It would only require a port forward of 443 to make it all work.
 

rfxcasey

Thread Starter
Joined
Jan 26, 2009
Messages
76
On a side note a friend of mine suggested putting my server behind my firewall and then putting my DSL modem/router into bridge mode so that the firewall is presented directly to the internet while also avoiding a double NAT situation. Then forward the appropriate ports to the server. Is this a good solution? My firewall is capable of stateful packet inspection.
 

zx10guy

Trusted Advisor
Spam Fighter
Joined
Mar 30, 2008
Messages
6,574
I mentioned this scenario in my first post in this thread. Yes, you can do this and it's better than dropping the server naked on a DMZ. But even though your firewall does SPI, I'm a bit dubious as to whether this firewall does deep level packet inspection. SPI does not equal deep level packet inspection. SPI stands for stateful packet inspection which only ensures the traffic inbound lines up with any outbound sessions and vice versa. It does not probe into the actual packet payload to ensure nothing malformed has been inserted by a hacker. As I said before, when you set up any port forward rules on your firewall, you've essentially poked holes in your perimeter protection. This presents some level of risk. How much risk is acceptable is entirely up to you.
 
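The SPI-versus-DPI distinction above is easiest to see in code. A stateful firewall tracks the 5-tuple and connection state and never reads payload; the following added example (not from the thread or any firewall product) does the one thing a DPI box does on a new session over a forwarded port: it reads the first client request and checks that it is the protocol the port-forward was created for. The sample payloads are constructed, and the port-to-protocol table is an assumed policy.

```python
"""Toy application-layer check for the first packet of a forwarded session.

A stateful (SPI) firewall stops at "is this packet part of a known
session?".  A DPI firewall also asks "does this look like the protocol
the port-forward was opened for?".  Added example for this thread, not
code from any firewall product; payloads below are constructed.
"""

FTP_COMMANDS = {
    "USER", "PASS", "ACCT", "CWD", "CDUP", "QUIT", "TYPE", "MODE", "STRU",
    "PORT", "PASV", "EPRT", "EPSV", "LIST", "NLST", "MLSD", "RETR", "STOR",
    "DELE", "MKD", "RMD", "PWD", "SYST", "FEAT", "NOOP", "SIZE", "AUTH",
    "PBSZ", "PROT", "OPTS",
}
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS",
                "CONNECT", "TRACE", "PATCH"}

# Assumed policy: what the first client->server request on each forwarded
# port must look like.  Anything on a port not listed here is dropped.
EXPECTED_ON_PORT = {21: "ftp", 80: "http"}


def classify_first_request(payload: bytes) -> str:
    """Label the first client->server bytes as ftp, http, tls, empty or unknown."""
    if not payload:
        return "empty"
    # TLS record header: ContentType handshake (0x16) + major version 3.
    # This is as far as payload inspection gets on an encrypted session.
    if payload[0] == 0x16 and len(payload) > 2 and payload[1] == 0x03:
        return "tls"
    line = payload.split(b"\n", 1)[0].rstrip(b"\r")
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        return "unknown"
    if not text.isprintable():
        return "unknown"
    parts = text.split(" ")
    verb = parts[0].upper()
    # HTTP request line: METHOD SP request-target SP HTTP-version
    if verb in HTTP_METHODS and len(parts) == 3 and parts[2].startswith("HTTP/"):
        return "http"
    # FTP control channel: a 3-4 letter command, optionally followed by one argument
    if verb in FTP_COMMANDS:
        return "ftp"
    return "unknown"


def allow_session(dst_port: int, first_payload: bytes) -> tuple[bool, str]:
    """Return (verdict, reason) for a new inbound session on dst_port."""
    expected = EXPECTED_ON_PORT.get(dst_port)
    if expected is None:
        return False, f"port {dst_port} is not forwarded"
    seen = classify_first_request(first_payload)
    if seen == expected:
        return True, f"{seen} on port {dst_port}"
    return False, f"expected {expected} on port {dst_port}, saw {seen}"


if __name__ == "__main__":
    samples = [
        (21, b"USER anonymous\r\n"),                     # what port 21 is for
        (21, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),      # web server hidden on port 21
        (21, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4"),   # TLS: nothing to inspect
        (80, b"POST /login HTTP/1.1\r\n"),
        (2222, b"SSH-2.0-OpenSSH\r\n"),
    ]
    for port, data in samples:
        print(port, allow_session(port, data))
```

The second sample is the "HTTP shoved down port 21" case from the discussion: an SPI rule that says "port 21 to the server" passes it, the payload check does not. The third sample is the limitation mentioned earlier in the thread: once the session is TLS (including FTP after `AUTH TLS`), the first bytes are a handshake record and nothing more can be classified from the payload.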

rfxcasey

Thread Starter
Joined
Jan 26, 2009
Messages
76
The Smoothwall http://smoothwall.org/ is a Linux based OS that is compiled with the sole purpose of turning a computer into a dedicated appliance. It's capable of stateful packet inspection and setting up VPNs and a whole lot more. If I understand correctly many of the hardware firewalls use an embedded version of Linux already. It essentially turns a PC into the equivalent of a several thousand dollar hardware firewall. Check it out for yourself, it's super slick. There is another one called Untangle that my buddy uses which he has been very satisfied with. Either way the overall consensus is the Smoothwall is very good. That and I don't have $$$$ to spend on a Cisco firewall.
 

rfxcasey

Thread Starter
Joined
Jan 26, 2009
Messages
76
So even if you only forward a port to your server, and you give your server limited access to your internal network, AND run a software firewall on all your other internal machines, they are still subject to attack? How would one do that? I need to learn a LOT more about this stuff.
 

zx10guy

Trusted Advisor
Spam Fighter
Joined
Mar 30, 2008
Messages
6,574
Open source does have its place but sometimes, you gotta go with a place where they have dedicated staff and experience. There's a reason why these commercial companies are still in business. When I was talking about converting over a PC to an appliance, you have to consider the other aspects of this conversion. Whether the NIC you are using is supported. What about the various things on your motherboard? What happens when a hard drive fails? An appliance is just that...an appliance. All of my network gear has no moving parts. But I digress.....

Yes. Having a port-forward is a hole you poke through your firewall to give access to something which is normally blocked. Let's say you do set up a rule to allow FTP...port 21 traffic through your firewall. Now I don't claim to be an expert hacker but I have discussed these scenarios with those who are. A hacker probes your IP or listens to traffic originating to and from your network in the public space. This hacker discovers there's an active port 21 opening at your IP. So this hacker does some probing and reconnaissance. Just because you intend in your port forward rules to set up forwarding on port 21 for FTP traffic, doesn't mean that it's only going to be used for this. If I wanted to, I could make my web server listen on port 21 and that same port forward rule for port 21 traffic is now handling HTTP traffic. There are a few things the hacker can do to glean what OS or platform you are running and based on this information can formulate an attack package to compromise your box. This is why deep packet inspection firewalls earn their weight in gold. The firewall has to be able to look into the contents of the packet to determine if there is any funny business happening with the session. So in my example, shoving HTTP traffic down port 21 wouldn't work as the firewall would see this as suspicious and unusual behavior. The firewall would block this session from continuing.

So once a hacker owns your box sitting on your internal network, this box now has layer 2 access to everything....a hacker's dream. So now this hacker can launch all sorts of probes on your internal network and come up with a topology of how your network is laid out along with what devices you are running on it. You're now depending on that software firewall you have protecting your clients.

I'm surprised at how much a hacker can get into various things on even a securely built network. The saying goes that as long as your device is connected on a network, it's vulnerable. As I said before, how much risk you're willing to assume depends on you.

In my home network, I have some servers hosting things I port forward to it through just a basic SPI firewall setup. The difference is these servers are sitting on a dedicated DMZ type subnet. Still protected to some extent by the SPI firewall but nothing else sits on the same subnet which I care about. My wired network with my network file server sits behind a firewall which does not allow anything inbound to that subnet. Hence no holes being poked through. My network is structured by the principles of security enclaves which each have varying degrees of security and access. If a virus or hack outbreak happens on one of these security enclaves, the spread and scope gets confined to only a section of my network.
 
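The "security enclave" layout described in the post above (servers on their own DMZ subnet, the file server on a subnet with nothing inbound, only the forwarded service allowed in) is the same VLAN/separate-subnet isolation recommended earlier in the thread. The following is an added example of that design as an nftables ruleset for a Linux router, not configuration from the thread or from any product mentioned in it; the interface names eth0/eth1/eth2, the 192.168.1.0/24 LAN, the 192.168.20.0/24 DMZ, the server address 192.168.20.10 and the 49153-65535 passive range are assumed.

```nft
#!/usr/sbin/nft -f
# Added example: three-enclave router policy (WAN / LAN / DMZ).
# Interface names and addresses are assumed, not from the thread.
flush ruleset

define WAN = "eth0"          # to the DSL modem (in bridge mode)
define LAN = "eth1"          # trusted PCs and the file server: nothing inbound
define DMZ = "eth2"          # internet-facing servers only
define FTP_HOST = 192.168.20.10

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # manage the router from the LAN only; nothing from WAN or DMZ
        iifname $LAN tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # LAN may reach the internet and the DMZ servers
        iifname $LAN accept

        # DMZ may reach the internet but never initiate toward the LAN:
        # a compromised server does not become a launch point inward
        iifname $DMZ oifname $LAN drop
        iifname $DMZ oifname $WAN accept

        # Internet -> DMZ: only the forwarded service, only to that host.
        # Control port plus the PassivePorts range the server is told to use.
        iifname $WAN oifname $DMZ ip daddr $FTP_HOST \
            tcp dport { 21, 49153-65535 } ct state new accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # the only "hole": port-forward FTP control + passive range to the DMZ host
        iifname $WAN tcp dport { 21, 49153-65535 } dnat to $FTP_HOST
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f` and check with `nft list ruleset`. The forward chain is where the enclave boundaries live: no rule forwards anything from WAN or DMZ into the LAN, so the file server there has no hole poked through, while the DMZ host is reachable only on the ports the forward names. The DNAT alone does not open the path; the matching `forward` rule is required too, which is why the two are kept in step.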

rfxcasey

Thread Starter
Joined
Jan 26, 2009
Messages
76
OK so what if your server and hardware firewall are on the same subnet behind your DSL modem with its own firewall enabled? And then port forward only to the IP of your server. Is this the same thing as putting the server behind the hardware firewall and then putting it on the DMZ of said hardware firewall? I guess this would place it between the hardware firewall and the DSL modem. What would the difference be? I assume this is still inherently insecure?
 

zx10guy

Trusted Advisor
Spam Fighter
Joined
Mar 30, 2008
Messages
6,574
I don't understand what you're asking. If you are talking about enabling your DSL modem to be a router with some firewalling and then having another firewall appliance hanging off your DSL modem then your server, no, this isn't more secure.

No matter how you spin it, if you port-forward, you have a hole in your firewall security. Period. The most secure firewall is one which has ZERO exceptions for untrusted public connections to internal private addresses. But firewalls are designed so they allow inside to outside traffic. To get around this behavior, port forwards were created. You are bypassing the basic function of a firewall by allowing traffic from an untrusted source to enter into your internal network. If the traffic was from a trusted environment space, you wouldn't need a firewall, right? But if you are under the impression that you can increase security by adding multiple firewalls between the source client to your server, you are sadly mistaken. Having one firewall between client and server has the same effect as having 100000000000000000000000 firewalls between them. The only difference is you've increased your administration headaches and system complexity by creating double, triple, quadruple, etc, etc NATs.

As I've said above, the only way to mitigate security risks with port-forwards is to have a proper network design.
 

rfxcasey

Thread Starter
Joined
Jan 26, 2009
Messages
76
No I think you misunderstood. I mean a firewall then your server and another firewall on the same subnet behind your first firewall. The second firewall would effectively protect your internal network but the server would not be behind it. The DSL router/modem firewall would serve to protect your server while the rest of your network would be behind a second firewall.

Oh well I thought with the first firewall you could forward a port only to the IP of the server. If a hacker wanted to get past your second firewall that guards your internal network all the ports from that stage would be blocked. Though as you say it would create a double NAT condition for your internal network and a bit more of an administering headache.

When describing how a hacker might attempt to break in you lead me to the impression that software firewalls are not very good. Can you elaborate on that a little.
 

zx10guy

Trusted Advisor
Spam Fighter
Joined
Mar 30, 2008
Messages
6,574
Yes. That would be a good way to secure your network with your elaboration. There are some other risks which are still present doing this but I would say worrying about those scenarios is like having a meteor hit you. In fact this is similar to how I have my network at home set up.

The double NAT is not a big deal unless you're looking to port forward down to something behind the second firewall which would defeat the purpose of setting up this configuration. You would only have to point your default gateway to the first firewall on the second firewall.

As far as software firewalls go, I'm not an expert on them. I just get a sense from my interactions with some of my coworkers who are security/penetration experts that some are better than others.
 

rfxcasey

Thread Starter
Joined
Jan 26, 2009
Messages
76
You seem like a smart guy, and while I have your attention let me ask you this. I have set up my network as we discussed. The DSL modem/router has my firewall box and my server directly behind it. I have enabled the firewall option in the DSL router and have forwarded port 21 to the IP of my server. I have NAT enabled and there is an option for dynamic DNS where I have entered my no-ip information. From within the network using the IP of the server I can log into it. But if I try to enter the DNS *****.myftp.org using port 21 through FileZilla it seems like it is trying to log me into the router because I see the server message as fireware ***** and asks me for a user name and password. It seemed like it was half working before because I would get the correct server message ******.myftp.org and let me log in to the server but then when the list command would come up it would just get stuck there and then eventually say directory list failed or something similar. I have tried opening port 20 as well as the passive port range but I am getting no love. I am trying to run this in passive mode but active wasn't working either. Do you think I need to make the server port trigger the passive port range? I think I already tried that but I'm gonna mess with it again tonight when I get home. This is driving me a little nutz. Sorry if some of this is generalized.
 