Firewall Configuration


Security+ Lab Series

Lab 11: Configuring a Network Based Firewall

Document Version: 2018-08-28

Copyright © 2018 Network Development Group, Inc. www.netdevgroup.com NETLAB Academy Edition, NETLAB Professional Edition, NETLAB+ Virtual Edition, and NETLAB+ are registered trademarks of Network Development Group, Inc.

Lab 11: Configuring a Network Based Firewall

8/28/2018 Copyright © 2018 Network Development Group, Inc. www.netdevgroup.com Page 2

Contents

Introduction
Objectives
Lab Topology
Lab Settings
1 Configuring ICMP on the Firewall
  1.1 Blocking ICMP Requests on pfSense
2 Redirecting Traffic to Internal Hosts on the Network
  2.1 Configuring pfSense to Allow a Port and Redirect Requests
  2.2 Retargeted SSH Connection
3 Configuring VPN on a pfSense
  3.1 Configuring VPN Server
  3.2 Exporting VPN Client Data
  3.3 Configuring the VPN Client
  3.4 Connecting the VPN Client
  3.5 Managing VPN Connections


Introduction

In this lab, you will be conducting network security practices using the pfSense VM.

Objectives

• Install and configure network components, both hardware and software-based, to support organizational security

• Given a scenario, implement secure network architecture


Lab Topology


Lab Settings

The information in the table below will be needed to complete the lab. The task sections below provide details on the use of this information.

Virtual Machine   IP Address                 Account         Password
DVL               10.1.1.10 /28              root            toor
Kali              203.0.113.2 /29            root            toor
pfSense           eth0: 192.168.1.1 /24      admin           pfsense
                  eth1: 10.1.1.1 /28
                  eth2: 203.0.113.1 /29
SecOnion          192.168.1.6 /24            soadmin         mypassword
                                             root            mypassword
Ubuntu            192.168.1.50 /24           student         securepassword
                                             root            securepassword
Win12R2           10.1.1.12 /28              administrator   Train1ng$
Win16             192.168.1.100 /24          lab-user        Train1ng$
                                             Administrator   Train1ng$


1 Configuring ICMP on the Firewall

1.1 Blocking ICMP Requests on pfSense

1. Launch the Ubuntu virtual machine to access the graphical login screen.

2. Log in as student with securepassword as the password.

3. Open a terminal window by clicking on the terminal icon located in the left menu pane.

4. Send a ping request to the Kali system, 203.0.113.2. Type the command below and press Enter.

student@Ubuntu:~$ ping -c4 203.0.113.2

5. After a successful ping, launch the Kali virtual machine to access the graphical login screen.

6. Log in as root with toor as the password. Open the Kali PC Viewer.

7. Open a new terminal window by clicking on the terminal icon located in the top toolbar.


8. From the Kali terminal, send a ping request to the Ubuntu system, 192.168.1.50.

root@Kali-Attacker:~# ping -c4 192.168.1.50

9. After the successful ping, change focus to the Ubuntu system and open the Firefox web browser.

10. In the address bar, type http://192.168.1.1 and press Enter.


11. Type the username admin and password pfsense. Click the Login button.

12. Once in the pfSense management graphical user interface, navigate to Firewall > Rules.

13. While viewing the EXTERNAL_GW tab, click the + icon on the top-right to add a new rule. Rules on an interface tab filter traffic entering the firewall on that interface; Kali's traffic arrives on EXTERNAL_GW, which is why the rule belongs there rather than on INTERNAL_GW.

14. Click the drop-down box next to Action and select Block.


15. Select ICMP as the Protocol.

16. Select Network as the Source Type and enter 203.0.113.0 in the address field with a /29 mask.

17. Leave all other options at their defaults.

18. Click the Save button located towards the bottom of the page.

19. When brought back to the Firewall: Rules page, notice the warning message. Select Apply Changes.

20. Select Close on the new warning message.

21. Verify that the firewall rules table for the EXTERNAL_GW interface matches the image below.

22. Change focus to the Kali system and navigate to the terminal window.


23. Attempt to ping the Ubuntu system.

root@Kali-Attacker:~# ping -c4 192.168.1.50

24. Leave the terminal window open for the next task.

After 1-2 minutes, notice that 4 packets were transmitted and 0 were received, resulting in an unsuccessful ping attempt. The new firewall rule is effective. The Block action drops the echo requests silently, so Kali receives no error message; the ping simply waits for replies that never arrive, which is the behaviour you want facing an untrusted network because it tells the sender nothing about the filter.


2 Redirecting Traffic to Internal Hosts on the Network

2.1 Configuring pfSense to Allow a Port and Redirect Requests

1. While on the Kali system, enter the command below to scan for open ports on the firewall appliance.

root@Kali-Attacker:~# nmap 203.0.113.1

2. Change focus to the Firefox window on the Ubuntu system.

3. In the pfSense management interface, navigate to Firewall > NAT.

4. On the Firewall: NAT: Port Forward interface, click the + icon on the top-right to add a new rule.


5. While on the Firewall: NAT: Port Edit interface, make the following changes:

a. Change Destination port range to SSH for both "from" and "to" from the drop-down menu.

b. Change Redirect Target IP to 192.168.1.50.

c. Change Redirect Target Port to SSH from the drop-down menu.

d. Leave Filter rule association at its default, Add associated filter rule. pfSense then also creates the pass rule on EXTERNAL_GW that lets the forwarded traffic through; the port forward only rewrites the destination, and without the pass rule the translated packets would still hit the interface's default deny.

e. Click the Save button located towards the bottom of the page.

6. For the new configuration to take effect, click the Apply changes button.

7. When the warning message appears, click the Close button.

Note that this forward publishes the Ubuntu host's SSH service, which in this lab accepts a root password login, to every address on the external network. Outside the lab, restrict the Source of the port forward to the addresses that need access and require key-based authentication on the target host.
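The ICMP block from 1.1 and the SSH port forward configured here follow one processing model: translate the destination first, then walk the rule list of the interface the packet arrived on, first match wins, default deny for the rest. The Python below illustrates that model. It is an added example, not part of the NETLAB manual and not pfSense code: the interface names, addresses and the two rules are the lab's, while the Packet, Rule and PortForward classes and the sample packets are constructed for the demonstration, and the pre-existing EXTERNAL_GW rules shown in the lab's screenshot are not reproduced.

```python
"""Model of how pfSense handles the lab's traffic: port forward (NAT) first,
then the rule list of the interface the packet arrives on, first match wins,
implicit default deny for the rest. Added example, not pfSense code and not
part of the NETLAB manual; classes and sample packets are constructed."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    ingress: str                    # interface the packet enters on
    proto: str                      # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dst_port: Optional[int] = None  # None for ICMP


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass", "block" (silent drop) or "reject"
    proto: Optional[str] = None     # None matches any protocol
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    dst_port: Optional[int] = None  # None matches any port
    description: str = ""

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


@dataclass(frozen=True)
class PortForward:
    interface: str       # interface the forward is attached to
    proto: str
    dst: str             # firewall address the client connects to
    dst_port: int
    target: str          # Redirect Target IP
    target_port: int     # Redirect Target Port


def apply_port_forward(forwards, pkt: Packet) -> Packet:
    """Rewrite the destination as a pfSense port forward does. NAT runs before
    filtering, so the rules see the translated destination; that is why the
    filter rule pfSense associates with a forward names the internal target."""
    for fwd in forwards:
        if (fwd.interface == pkt.ingress and fwd.proto == pkt.proto
                and pkt.dst == fwd.dst and pkt.dst_port == fwd.dst_port):
            return replace(pkt, dst=fwd.target, dst_port=fwd.target_port)
    return pkt


def evaluate(rulesets, pkt: Packet) -> str:
    """Walk the ingress interface's rules top to bottom; first match decides.
    Traffic that matches nothing is blocked by the implicit default deny."""
    for rule in rulesets.get(pkt.ingress, []):
        if rule.matches(pkt):
            return rule.action
    return "block"


def process(forwards, rulesets, pkt: Packet):
    translated = apply_port_forward(forwards, pkt)
    return evaluate(rulesets, translated), translated


# The lab's additions only; the pre-existing EXTERNAL_GW rules in the manual's
# screenshot are not reproduced, so anything else from Kali hits default deny.
KALI_NET = ip_network("203.0.113.0/29")
FORWARDS = [PortForward("EXTERNAL_GW", "tcp", "203.0.113.1", 22, "192.168.1.50", 22)]
RULESETS = {
    "EXTERNAL_GW": [
        Rule("block", "icmp", src=KALI_NET, description="1.1: block ICMP from Kali's network"),
        Rule("pass", "tcp", dst=ip_network("192.168.1.50/32"), dst_port=22,
             description="2.1: rule pfSense associates with the SSH forward"),
    ],
    # pfSense's stock "Default allow LAN to any" rule on the internal interface
    "INTERNAL_GW": [Rule("pass", description="Default allow LAN to any")],
}


def lab_scenarios():
    """Constructed packets mirroring what the lab has you send."""
    packets = {
        "kali_ping_ubuntu": Packet("EXTERNAL_GW", "icmp", "203.0.113.2", "192.168.1.50"),
        "kali_ssh_firewall": Packet("EXTERNAL_GW", "tcp", "203.0.113.2", "203.0.113.1", 22),
        "kali_http_firewall": Packet("EXTERNAL_GW", "tcp", "203.0.113.2", "203.0.113.1", 80),
        "ubuntu_ping_kali": Packet("INTERNAL_GW", "icmp", "192.168.1.50", "203.0.113.2"),
    }
    return {name: process(FORWARDS, RULESETS, pkt) for name, pkt in packets.items()}
```

Calling lab_scenarios() reproduces what Kali observes: the echo requests die on the Block rule, the SSH connection is rewritten to 192.168.1.50:22 and then passed by the rule pfSense associates with the forward, a connection to port 80 on the external address matches no forward and no rule and falls to the default deny, and the Ubuntu host's own ping leaves through INTERNAL_GW's allow rule.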


2.2 Retargeted SSH Connection

1. Change focus to the Kali system and initiate a quick scan against the firewall appliance using the terminal.

root@Kali-Attacker:~# nmap 203.0.113.1

Notice the change of open ports compared with the scan in 2.1; SSH (22/tcp) is now open.

2. Verify the SSH configuration made on the firewall by typing the following command. If prompted for a password, enter securepassword.

root@Kali-Attacker:~# ssh 203.0.113.1


3. Confirm you are on the correct system by using the following command. The connection was made to the firewall's external address, 203.0.113.1, but the prompt and the addresses reported belong to the Ubuntu host, 192.168.1.50, because the firewall rewrote the destination before forwarding the connection. (On Ubuntu releases without net-tools, ip addr and ip route give the same information as ifconfig and route.)

root@Ubuntu:~# ifconfig

4. Type the command below to determine the default gateway.

root@Ubuntu:~# route

5. Determine what ports are accessible on the internal network when scanning the firewall appliance from the inside.

root@Ubuntu:~# nmap 192.168.1.1
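A practitioner would not stop at eyeballing the two nmap listings; diffing them confirms that the change exposed exactly the intended port and nothing else, and the internal scan shows what stays reachable only from the trusted side. The Python below is an added example, not from the manual and not nmap code. The three reports are constructed in nmap's normal-output format to stand in for the scans of 203.0.113.1 before and after the port forward and for the scan of 192.168.1.1 from Ubuntu; the exact ports shown in the lab's images are not known and are not reproduced.

```python
"""Diff nmap reports to confirm that a firewall change exposed exactly what
was intended. Added example for section 2, not from the NETLAB manual and
not nmap code; the reports below are constructed in nmap's normal-output
format and do not reproduce the lab's real scan results."""
import re
from typing import Dict, List, Set, Tuple

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)

# Constructed: external address before the port forward, nothing reachable
BEFORE_EXTERNAL = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-28 10:02 CDT
Nmap scan report for 203.0.113.1
Host is up (0.00052s latency).
All 1000 scanned ports on 203.0.113.1 are filtered

Nmap done: 1 IP address (1 host up) scanned in 21.34 seconds
"""

# Constructed: external address after the forward, SSH now answers
AFTER_EXTERNAL = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-28 10:09 CDT
Nmap scan report for 203.0.113.1
Host is up (0.00048s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 19.87 seconds
"""

# Constructed: the firewall's internal address seen from the Ubuntu host
INTERNAL = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-28 10:12 CDT
Nmap scan report for 192.168.1.1
Host is up (0.00031s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
"""


def _port_key(port: str) -> Tuple[str, int]:
    num, proto = port.split("/")
    return (proto, int(num))


def parse_ports(report: str) -> Dict[str, Tuple[str, str]]:
    """Map 'port/proto' -> (state, service) for every port line in a report."""
    return {f"{m.group(1)}/{m.group(2)}": (m.group(3), m.group(4))
            for m in PORT_LINE.finditer(report)}


def open_ports(report: str) -> Set[str]:
    return {p for p, (state, _) in parse_ports(report).items() if state == "open"}


def exposure_diff(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Ports that became reachable, and ports that stopped being reachable."""
    b, a = open_ports(before), open_ports(after)
    return sorted(a - b, key=_port_key), sorted(b - a, key=_port_key)


def unexpected_exposure(external_report: str, intended: Set[str]) -> List[str]:
    """Every port open from the untrusted side that was not deliberately
    forwarded is a finding: a port forward is a hole through the default deny,
    so the externally open set should equal the set of forwards you meant."""
    return sorted(open_ports(external_report) - intended, key=_port_key)
```

exposure_diff(BEFORE_EXTERNAL, AFTER_EXTERNAL) reports only 22/tcp as newly open, and unexpected_exposure(AFTER_EXTERNAL, {"22/tcp"}) is empty, which is the result you want after adding a single forward; the management ports in INTERNAL are reachable only from the inside, as step 5 is meant to show.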


3 Configuring VPN on a pfSense

3.1 Configuring VPN Server

1. Change focus to the Ubuntu system and focus on the Firefox web browser. If you are not already logged into the pfSense firewall management interface, do so now.

2. While logged in, navigate to System > Cert Manager.

3. On the System: Certificate Authority Manager page, while on the CAs tab, click on the + icon.

4. A new page should open; fill in the necessary fields.

a. Descriptive Name: MyCA

b. Method: Create an internal Certificate Authority

c. Key Length: 2048 bits


d. Lifetime: 3650 days

e. Distinguished name:

i. Country Code: US
ii. State or Province: Texas
iii. City: Austin
iv. Organization: XYZ
v. Email Address: admin@xyz.corp
vi. Common Name: internal-ca

f. Click Save.

5. Add a server certificate this time by navigating to the Certificates tab.

6. To add a new certificate, click on the + icon.


7. A new page should open; select the drop-down menu next to Method and select Create an internal Certificate.

8. Fill in the necessary fields:

a. Descriptive Name: VPNServerCert

b. Certificate authority: MyCA

c. Key Length: 2048 bits

d. Certificate Type: Server Certificate

e. Lifetime: 3650 days

f. Distinguished Name:

i. Country Code: US
ii. State or Province: Texas
iii. City: Austin
iv. Organization: XYZ
v. Email Address: admin@xyz.corp
vi. Common Name: openvpn.xyz.corp


g. Click Save.

9. Navigate to System > User Manager.

10. On the System: User Manager page, click the + icon to create a new user.

11. Fill in the necessary fields:

a. Username: bob


b. Password: bpassx

c. Full name: Bob

d. Check the box next to Click to create a user certificate (more options will appear):

i. Descriptive name: bob_cert
ii. Certificate Authority: MyCA
iii. Key Length: 2048 bits
iv. Lifetime: 3650 days

e. Click Save.

12. Navigate to VPN > OpenVPN.

13. While on the OpenVPN: Server page, click on the Wizards tab.


14. A new page appears; select Local User Access for Type of Server. Click Next.

15. On the next page, select MyCA as the Certificate Authority. Click Next.

16. Next, select VPNServerCert as the Certificate. Click Next.

17. On the next page, fill in all necessary fields as listed below (if a field is not mentioned, leave its default setting):

a. Interface: INTERNAL_GW

b. Protocol: UDP

c. Local Port: 1194


d. Description: myVPNServer

e. Cryptographic Settings:

i. TLS Authentication: Checked
ii. Generate TLS Key: Checked
iii. DH Parameters Length: 2048 bit
iv. Encryption Algorithm: AES-128-CBC (128-bit)
v. Hardware Crypto: No Hardware Crypto Acceleration

f. Tunnel Settings:

i. Tunnel Network: 172.16.1.0/24
ii. Redirect Gateway: Checked
iii. Local Network: 10.1.1.0/28
iv. Concurrent Connections: 10
v. Compression: Enabled without Adaptive Compression

TLS Authentication adds a pre-shared HMAC key (the tls-auth key generated here and later exported with the client package) that every control-channel packet must carry; packets from a client that does not hold the key are discarded before any TLS handshake or certificate check takes place, which keeps unauthenticated peers away from the TLS stack. Compression is enabled here to follow the lab; on a production server leave it disabled, because compressing data before it is encrypted lets an attacker who can inject chosen plaintext into the tunnel learn secrets from the resulting sizes, and current OpenVPN guidance is to turn compression off.


g. Client Settings:

i. Dynamic IP: Checked

ii. Address Pool: Checked

h. Click Next.

18. On the Firewall Rule Configuration page, fill in the necessary fields:

a. Firewall Rule: Checked

b. OpenVPN rule: Checked

c. Click Next.

The first option adds a rule on INTERNAL_GW permitting clients to reach the OpenVPN server on UDP port 1194; the second adds a pass rule on the OpenVPN interface so traffic arriving inside the tunnel is allowed through. Without the second rule clients would authenticate successfully but be unable to reach anything.

19. On the final configuration page, select Finish.


3.2 Exporting VPN Client Data

1. While logged in to the pfSense webConfigurator, navigate to VPN > OpenVPN if you are not already there.

2. Click on the Client Export tab.

3. Verify the configurations:

a. Remote Access Server: myVPNServer UDP:1194

b. Host Name Resolution: Interface IP Address

c. Verify Server CN: Automatic …

d. Use Random Local Port: Checked

e. Certificate Export Options: Check the box to Use a password to protect the pkcs12 file.


i. Type bpassx in both fields.

4. Scroll down towards the bottom where the Client Install Packages table is presented. Underneath the Export column, click on the Archive link for Standard Configurations.

5. A download message appears. Select Save File and click OK.

The file will be saved in the /home/student/Downloads directory by default. The archive contains bob's private key inside the pkcs12 file, protected only by the password entered above, together with the shared tls-auth key, so treat it as a credential rather than a configuration file. The lab reuses bob's account password for the pkcs12 file for simplicity; in practice use a separate passphrase.


3.3 Configuring the VPN Client

1. While on the Ubuntu system, open a terminal and type the command below to change to the Downloads directory.

student@Ubuntu:~$ cd /home/student/Downloads

2. Unzip the downloaded zip file.

student@Ubuntu:~/Downloads$ unzip pfsense-udp-1194-bob-config.zip

3. Open the Network Manager by clicking on the network icon located on the top pane and navigate to VPN Connections > Configure VPN.

4. On the Network Connections window, confirm you are on the VPN tab. Click on the Import button.


5. In the File Manager window, select Downloads from the menu on the left. Double-click on the pfsense-udp-1194-bob folder.

6. Select the pfsense-udp-1194-bob.ovpn file and click the Open button.

7. In the new pop-up window, set the Gateway to 192.168.1.1. This is the INTERNAL_GW address the server was bound to in 3.1, so the Ubuntu client connects to the VPN from the internal network.


8. Confirm that the Authentication Type is configured to Password with Certificate (TLS).

9. Type bob in the User name field.

10. Type bpassx in the Password field.

11. Confirm that the file pfsense-udp-1194-bob.p12 occupies the entry for User Certificate, CA Certificate, and Private Key.

12. Type bpassx in the Private Key Password field.

13. Leave everything else at its default setting.


14. Verify that the configuration reflects the image below. Click the Save button.

15. Close the Network Connections window.

3.4 Connecting the VPN Client

1. Connect using the VPN settings by clicking on the Network Manager icon on the top pane and navigating to VPN Connections > pfsense-udp-1194-bob.


2. Verify the VPN tunnel and the IP address given by entering the command below in a terminal. A new tun interface (typically tun0) should appear with an address from the 172.16.1.0/24 tunnel network configured in 3.1.

student@Ubuntu:~/Downloads$ ifconfig

3.5 Managing VPN Connections

1. Once connected to the VPN server, switch to the Firefox web browser and navigate back to the pfSense Web Configurator.

2. When logged in as admin, navigate to Status > System Logs from the top menu pane.


3. On the new page, select the OpenVPN tab.

4. Notice the sequence of entries for bob's authentication to the VPN server: the TLS handshake, verification of the client certificate against MyCA, the username and password check for the local user bob, and the tunnel address handed out from 172.16.1.0/24.

5. Navigate to Status > OpenVPN.

6. Notice how the current active VPN connections are listed here.

7. The lab is now complete; you may end the reservation.
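Reading the OpenVPN log for one user is easy; checking many connection attempts, or spotting the one that stopped after the certificate check because the password was wrong, is what a defender actually needs. The Python below is an added example for section 3.5, not part of the NETLAB manual and not pfSense or OpenVPN code. The log lines are constructed in OpenVPN's own wording for the server built in 3.1 (CA internal-ca, user bob, tunnel network 172.16.1.0/24, TLS Authentication enabled) and include one wrong-password attempt and one client that lacks the tls-auth key; the syslog prefix format and the peer addresses are assumptions.

```python
"""Reconstruct each client's authentication chain from OpenVPN server logs.
Added example for section 3.5 of the lab; not part of the NETLAB manual and
not pfSense or OpenVPN code. The log below is constructed in OpenVPN's own
wording; prefix format, ports and timestamps are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

SAMPLE_LOG = """\
Aug 28 10:31:02 pfSense openvpn[48121]: 192.168.1.50:41922 TLS: Initial packet from [AF_INET]192.168.1.50:41922, sid=1a2b3c4d 5e6f7a8b
Aug 28 10:31:02 pfSense openvpn[48121]: 192.168.1.50:41922 VERIFY OK: depth=1, CN=internal-ca
Aug 28 10:31:02 pfSense openvpn[48121]: 192.168.1.50:41922 VERIFY OK: depth=0, CN=bob
Aug 28 10:31:02 pfSense openvpn[48121]: 192.168.1.50:41922 TLS: Username/Password authentication succeeded for username 'bob'
Aug 28 10:31:03 pfSense openvpn[48121]: 192.168.1.50:41922 [bob] Peer Connection Initiated with [AF_INET]192.168.1.50:41922
Aug 28 10:31:03 pfSense openvpn[48121]: bob/192.168.1.50:41922 MULTI_sva: pool returned IPv4=172.16.1.2, IPv6=(Not enabled)
Aug 28 10:35:47 pfSense openvpn[48121]: 192.168.1.50:41950 TLS: Initial packet from [AF_INET]192.168.1.50:41950, sid=9f8e7d6c 5b4a3928
Aug 28 10:35:47 pfSense openvpn[48121]: 192.168.1.50:41950 VERIFY OK: depth=1, CN=internal-ca
Aug 28 10:35:47 pfSense openvpn[48121]: 192.168.1.50:41950 VERIFY OK: depth=0, CN=bob
Aug 28 10:35:47 pfSense openvpn[48121]: 192.168.1.50:41950 TLS Auth Error: Auth Username/Password verification failed for peer
Aug 28 10:40:12 pfSense openvpn[48121]: 192.168.1.100:61000 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.168.1.100:61000
"""

# Every line carries "[user/]ip:port message" after the openvpn[pid]: prefix
LINE_RE = re.compile(r"openvpn\[\d+\]: (?:(?P<user>[^\s/]+)/)?(?P<peer>\d+(?:\.\d+){3}:\d+) (?P<msg>.*)$")
CN_RE = re.compile(r"CN=([^,\s]+)")

# Order in which a successful Local User Access login shows up: tls-auth HMAC
# accepted (implicit, nothing logged), CA chain verified, client certificate
# verified, username/password accepted, session up, tunnel address assigned.
EXPECTED_CHAIN = ["handshake", "ca_ok", "client_cert_ok", "password_ok", "connected", "tunnel_ip"]


@dataclass
class Session:
    peer: str
    steps: List[str] = field(default_factory=list)
    username: str = ""
    client_cn: str = ""
    tunnel_ip: str = ""
    failure: str = ""

    @property
    def complete(self) -> bool:
        return self.steps == EXPECTED_CHAIN and not self.failure


def classify(msg: str, s: Session) -> None:
    """Update a session from one log message."""
    if msg.startswith("TLS: Initial packet"):
        s.steps.append("handshake")
    elif msg.startswith("VERIFY OK: depth=1"):
        s.steps.append("ca_ok")
    elif msg.startswith("VERIFY OK: depth=0"):
        s.steps.append("client_cert_ok")
        s.client_cn = CN_RE.search(msg).group(1)
    elif msg.startswith("TLS: Username/Password authentication succeeded"):
        s.steps.append("password_ok")
        s.username = msg.split("'")[1]
    elif "Peer Connection Initiated" in msg:
        s.steps.append("connected")
    elif "pool returned IPv4=" in msg:
        s.steps.append("tunnel_ip")
        s.tunnel_ip = msg.split("IPv4=")[1].split(",")[0]
    elif msg.startswith(("TLS Auth Error", "TLS Error", "VERIFY ERROR")):
        s.failure = msg


def parse_sessions(log: str) -> Dict[str, Session]:
    """Group lines by client ip:port. The source port changes with every
    connection attempt, so each attempt becomes its own Session."""
    sessions: Dict[str, Session] = {}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m["peer"], Session(m["peer"]))
        classify(m["msg"], s)
    return sessions


def failed_sessions(log: str) -> List[Session]:
    """Attempts worth a second look: anything that did not complete the chain."""
    return [s for s in parse_sessions(log).values() if not s.complete]
```

Running parse_sessions(SAMPLE_LOG) gives three sessions: bob's first attempt walks the full chain and gets 172.16.1.2; the second presents the same valid certificate but fails at the password step, so client_cn is set while username stays empty; the third never reaches the handshake because the tls-auth HMAC check rejected it, which is exactly the protection TLS Authentication bought in 3.1. Note the distinction the second case makes visible: certificate possession and knowledge of the password are checked separately, and a failure in either one is logged differently.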
