Combat Virtual Threats with IPCop Firewall

Firewall-with-ipcop

This article is an introduction to the special firewall distribution, IPCop.

In today’s world, dependence on the Internet has reached such a level that without it, the day-to-day work of many organisations will come to a standstill. As everybody is aware, when we connect to the Internet, a public IP address is assigned, which is used to access the Internet, and of course, can be used to track the actions from that IP address. The Indian IT Act 2000 and its amendments make the IP address holder responsible for all activities it has been used for. Thus, the management of a company that has subscribed to the Internet connection is responsible for all activities running on its IP address. This applies not only to the management team members, but to all authorised and unauthorised users accessing the Internet using that subscribed IP address.

This 24×7 use of the Internet, business dependence on it, and emerging cyber laws have escalated the need to control and monitor Internet access like never before. The first step towards establishing this control is, of course, a network-based firewall. Please refer to Diagram 1 for a typical example of an internal network connected to the Internet using an ADSL router. Good and properly configured anti-virus software, with a personal firewall, will meet the security requirements of most individual users who connect to the Internet. However, for any organisation where multiple users on a network access the Internet, it is absolutely necessary to look beyond these measures and opt for a network-based firewall.

Large corporations with IT security budgets rely on commercially available firewalls for secure and controlled Internet access. These security products can be put to use very effectively to restrict Internet access, as per the company policy. However, they require continuous investment first to purchase and install the product, followed by yearly renewals. For the management of small and medium-sized organisations, this may be a luxury.

Operation
A typical network firewall is installed between the internal network and the Internet; thus, all traffic between them passes through the firewall. For Internet connections via an ADSL modem, the firewall will be installed between the internal network and the ADSL modem, whereas for an Internet connection with an Ethernet connection, the firewall will replace the modem or router as depicted in Diagram 2. The firewall analyses everything passing through, and based on the configured policy, let’s through only safe traffic.
Various client computer systems request data from application servers simultaneously. A port number is used to differentiate this traffic. A client requesting data from the server uses the destination port number of the corresponding service. For example, a computer system requesting HTTP data will use port 80.
The traffic could use one of the following two protocols:

  • Transmission Control Protocol (TCP), which guarantees delivery of the data, is reliable but has larger headers to accommodate the handshake signals and flags required for assured delivery.
  • User Datagram Protocol (UDP), which does not guarantee delivery of the data, but has a smaller header. Here, higher-level protocols may take care of assured delivery.

 Both TCP and UDP protocols have 65535 ports each (2 to the power of 16, port 0 unused). Ports up to 1024 are reserved. For example, well known TCP ports are HTTP (80), HTTPS (443), FTP (21), telnet (23), whereas UDP port 53 is reserved for the DNS service.

A firewall uses this port number to identify the traffic. In the HTTP example mentioned above, the firewall reads HTTP traffic to port 80, and passes it to the Internet only if it matches the desired policy. Unwanted websites and content as defined in the policy will be dropped. Typical functions of a network firewall can be classified into traffic control and others, as shown below.
Traffic control functions are:

  • Access from the Internet to the internal network
  • Website access from the internal network to the Internet
  • Download of various file types such as audio/video
  • Port-wise access from the internal network to the Internet
  • Bandwidth control

Since all traffic between the internal network and the Internet passes via the firewall, it is the best point to provide various other functions such as:

 

  • A VPN gateway between two networks connected via the Internet
  • A VPN server for remote clients connecting to the internal network
  • Authentication of local users for Internet access
  • Generation of traffic graphs
  • Logging Internet access

Why IPCop?
For a long time, the open source community has provided many options for network firewalls by releasing various distributions. They provide security and ease of configuration, and can be installed on practically any minimal-configuration computer system. The most important factor for SMBs is that these distros are free (under a GNU license) and do not require yearly renewals. One of the best of these is the IPCop firewall, which has a long history—it was forked from Smoothwall in 2001. Various releases followed, the most popular being IPCop version 1.4.21 (the last stable version available).
The default v 1.4.21 had limited functionality, but was flexible enough to allow installation of various add-ons to enhance it to commercial-grade firewalls. A few of the popular IPCop add-ons, and their functions, are listed in Table 1.

Add-on Function
BlockOut-Traffic (BOT Port-by-port blocking of traffic from the internal network to the Internet
Zerina Integrate OpenVPN server functionality in IPCop for remote client connection
AdvProxy To increase functionality of the default proxy available in IPCop
URL Filter Used to block unwanted domains, URLs and files

Installing IPCop with these add-ons converts the basic distribution to a fully functional firewall, which also includes free (and paid) updates for website blacklists. Installing add-ons requires additional configuration work. Administrators used to face various problems while installing, configuring and upgrading the add-ons. In particular, taking back-ups of various add-ons’ settings was cumbersome, since IPCop’s backup was only for the default settings (without add-ons). Also, new computer hardware, especially most of the network cards, SATA hard disks and flash drives were no longer compatible with IPCop 1.4.21.

IPCop Ver 2.0.x
The latest IPCop release, 2.0.x, addresses these difficulties. It incorporates BOT, Zerina and AdvProxy add-ons. URL Filter is also incorporated, but is expected to be fully functional in release 2.1. The latest release, as of January 1, 2013, is 2.0.6, which also includes drivers for the latest computer hardware and supports installation on flash drives as well.

Installation
Please refer to the June 2012 issue for the installation instructions of IPCop 2.0.4. Start by downloading the ISO image of the latest stable release (2.0.3) from http://ipcop.org/download.php. Burn it on a CD. IPCop installation is very simple and straightforward. You require a computer system with a minimum of two Ethernet cards, 512 MB RAM, a hard disk or flash drive, and a CD-ROM drive for installation. Start the installation by booting from the IPCop CD. The first screen greets you with the IPCop mission statement: The bad packets stop here; press Enter at the boot: prompt. Select the desired language; an information dialogue box tells you that pressing Cancel will reboot the system. Continue by clicking OK. Select the type of keyboard, the time zone, and enter the correct date and time, if required. Select the hard disk on which to install IPCop. Beware that all data on this disk will be erased. Then click OK to continue.

Here, a very interesting screen greets you, irrespective of whether the installation is on the hard disk or on flash. Select the desired disk type from Flash/Disk. The installer will make the required file systems and swap space, ask whether you have an older backup to be restored, and complete the installation.
Reboot the system to continue to configure the box. Enter the host name and domain name, before selecting the Red (Internet) interface type and Ethernet card. Note that here you can configure any Ethernet card to any interface. In the earlier version, the first detected Ethernet was always assigned to Green, and it was tricky to change it later. Also, to identify the card easily, you can set it in LED blinking on mode. Assign Green and Red cards, and enter the Green IP address and subnet mask. Also, select the Red type such as Static, PPPoE, etc. You may enable DHCP if desired, and enter root, admin and backup passwords to complete this part of the configuration.

Configuration
Reboot the system and wait till you see the login: screen (which can be used to log in as the root user). Use a client computer browser to open https://IPCopIP:8443 and authenticate yourself as the admin with the earlier defined password. The first step is to complete the set-up by configuring the Internet. This trial set-up uses PPPoE on the Red interface. Proceed to Network > Dialup, and enter the PPPoE username and password. From the Home screen (System > Home), click the Connect button to connect to the Internet. Configure the IPCop Green IP as the default gateway and DNS in the client TCP/IP settings. That is all… you can now start browsing securely.

The next important step is to upgrade from 2.0.3 to the latest release. Start by checking whether new updates are available— go to the System > Update page. Select Refresh Update List and check for the availability of new updates. Do apply all the available patches. After updates, IPCop will be upgraded to the latest version 2.0.6 (as of January 1, 2013).

A very helpful diagnostics screen, especially for flash installations, is the Memory section of the Status > System status page, which tells you whether sufficient memory is available. Flash-based IPCop installations stop functioning if the Ramdisk memory is full. IPCop supports alert emails; configure the required email settings to enable the feature.
One of the interesting features built into IPCop 2.0.x is traffic accounting, which monitors traffic volume.

The Services > Proxy menu is one of the most important configuration menus of IPCop. In this menu, configuring an upstream proxy allows IPCop to access the Internet via an external proxy server. This will be required for Internet connections requiring proxy connectivity or in a local environment. If required, the username and password for the proxy server can also be configured here.
IPCop can allow clients to access the Internet in the following two ways:
Transparent proxy: This enables all the requests from the Web browser to be forwarded to the Internet, requiring no browser re-configuration. In this mode, URLFilter settings control the HTTP traffic. However, HTTPS traffic goes unfiltered. Also, there is a possibility of users bypassing the URL filter mechanism.
Non-transparent proxy: This requires manual configuration of all browsers to use the Green IP address and proxy port of IPCop. Running in non-transparent mode, coupled with blocking of direct HTTPS requests, ensures filtering of this and HTTP traffic via URLFilter. A proxy working in non-transparent mode terminates all connections to the Internet. Further, it initiates a separate connection to the Internet. Thus, there is no direct connection from the client system to the Internet, isolating the client system.
The default firewall settings enable all traffic from Green to Red. This menu also embeds a popular add-on for the earlier version, Block Outgoing Traffic. The GUI has changed slightly for the embedded BOT.

Caution: Be careful while you configure this; you may inadvertently open the firewall completely for Red to Green traffic.

IPCop generates and displays various logs, on a last  come-first-display basis, by default. Frequently, the most recent logs are relevant and require to be seen. The Logs > Logs Settings page gives us a selection to reverse the chronological order of the log display. This menu also configures a time-frame to archive logs and summaries. The log information can also be passed on to a syslog server by specifying its IP address and protocol.
IPCop enables viewing of various logs, which are also valuable for troubleshooting. Important options include Proxy, OpenVPN, DNS, Red logs, etc. An interesting Red log for the PPPoE connection is Waiting for PADO Packets followed by Red can not establish connection.    Most of the time, this spells an ISP-side error; just log a maintenance call.
Various other setting options include browsing time restrictions, download throttling to the specified download speed limit, enabling only specified browsers to access the Internet, integration with Windows AD to allow AD authenticated access, and so on. To sum up, IPCop 2.0 provides a robust firewall, which can be configured to browse the Internet securely. Being available under the GNU license, it is free for all, and is in use widely across the world. So, happy browsing!

All published articles are released under Creative Commons Attribution-NonCommercial 3.0 Unported License, unless otherwise noted.
Open Source For You is powered by WordPress, which gladly sits on top of a CentOS-based LEMP stack.

Creative Commons License.