1   Quick guide to NuFW.Live

1.1   License of this document

This document is copyrighted by INL ((c) 2008), and distributed under the Creative Commons by-nc-sa license. The full text of the license is available at http://creativecommons.org/licenses/by-nc-sa/3.0/legalcode

1.2   Welcome to NuFW.Live

Welcome to NuFW.Live. This is the demonstration CD of the authenticating firewall NuFW. For a complete test, you will need the following elements:

  • A computer which will act as a gateway and a firewall. A system with two network interfaces is a good choice,
  • A second computer which will be used as a client (it represents computers in your local network),
  • A connection to a distant server (or to the Internet),
  • A NuFW.Live CD for the gateway,
  • A NuFW client for the client computer or a second NuFW.Live CD to start the client computer with (the CD also contains a NuFW client).

Boot the gateway on the NuFW.Live CD. You will then have access to a graphical desktop and a web browser pointing to the current guide.

NuFW.Live is managed via a suite of web interfaces. All web interfaces share a navigation bar at the top of each page:

img/navbar-en.png

Navigation bar at the top of each page.

For an easy and successful test, please execute the following steps in order.

1.3   Backup

Before starting to use NuFW.Live, be aware that all your work will be lost at the next reboot of the live CD. It is better to set up a backup system now.

You can save your work on NuFW.Live to a hard disk to be able to restore it during a NuFW.Live session later (after rebooting or stopping and restarting the machine). For more information about this, please read the Backup documentation.

You can also simply save the configuration to a USB key. You can save your configuration anytime, but all changes made after the backup will be lost at next reboot.

1.4   Network configuration/validation

The first step is to validate the network configuration (adapting it first if needed) on the page reached via the Network tab.

img/interfaces-reseau-en.png

Network interface configuration.

If a DHCP server was available on the network when booting, NuFW.Live should have obtained a network address and the address of DNS servers. Check the IP addresses and modify them if needed.

In all cases, even if you changed nothing, validate the network configuration by clicking on the Save and apply network configuration button.

Please also check the DNS servers configuration at the bottom of the same page.

1.5   Change remote access password

Click on the System tab and set a new password for remote access, so as to prevent other people from modifying the configuration or the access rules of the firewall.

The login is always nufw and the default password is live.

img/mot-de-passe-en.png

Changing the remote access password.

1.6   User directory

NuFW authentication needs a user directory. It is usually LDAP or a Windows domain. In NuFW.Live, users are simply system users of the live CD.

Two users are defined initially (user1 and user2). Each of them belongs to a group (group1 and group2 respectively). They can be used to test authenticating rules. Their passwords are user1 and user2 respectively.

You can easily add new users and groups with the KUser program. It can be reached via a direct link in the bottom panel or via the menu (Menu K -> System).

img/icone-kuser-.png

KUser Icon.

img/kuser-en.png

KUser (to add, modify or delete users and groups).

1.7   Build filtering rules with Nuface

Nuface is a firewall configuration tool: it allows you to define permissions according to criteria such as protocols, source networks, destination networks, but also user groups, in the context of the authenticating firewall NuFW.

Prior to any Nuface use, make sure you have validated the network configuration (Network tab).

1.7.1   Ruleset loading

First of all, load the acl ruleset. Nuface displays its statistics: number of rules, number of networks, etc. (see screenshot below).

img/nuface_init-fr.png

Initial Nuface display

The message "Nuface added the new networks definition" means your network definition has been properly added to the ruleset and the network objects were created at the same time. Now, follow the menu "objets > ressources", and you will find at least two network objects:

  • "INTERNET", IP 0.0.0.0/0: accept any IP address
  • "ETH0_interco_192.168.0.0/24", IP 192.168.0.0/24: your local network (the address may of course differ depending on your configuration)

1.7.2   Rules definition

The default Nuface behavior is to block all traffic for any protocol. For ease of use, NuFW.Live has some hardcoded rules:

  • Inbound connections:
    • Authorize 10 ping requests per second
    • Authorize TCP port 443 (HTTPS)
    • Authorize TCP port 4129 (NuFW client)
  • Outbound connections:
    • Authorize any traffic emitted by the firewall itself
  • Network address translation:
    • Activate MASQUERADING (transparent NAT)

To test the authenticating rules of NuFW.Live, we will create a minimal ruleset that authorizes HTTP traffic with NuFW authentication. We need two rules:

  • UDP 53 to authorize the DNS service
  • TCP 80 to authorize the HTTP service

Go into the menu acls and type dns in the field New ACL. Confirm (press Enter or click on the button New), and you will obtain the ACL form:

img/nuface_saisie_acl-fr.png

ACL form.

The most important fields are:

  • Source
  • Target
  • Protocol
  • Auth (user group used for NuFW authentication)
  • Decision

For our dns ACL, enter:

  • Source: your local network (ETH0_interco...)
  • Target: "Internet"
  • Protocol: "DNS_client"
  • Auth: leave empty; UDP flows are not authenticated with the client software available for this release.
  • Decision: (keep the ACCEPT verdict)

To save your ACL parameters, click on the button Apply.

Return to the ACL page by clicking on the page title. Create a second ACL called http. Enter the same parameters as for the dns ACL, except for these:

  • Protocol: "HTTP"
  • Auth: "group1"

Save with the button Apply.

1.7.3   Load the rules into the firewall

Now that our rules are defined, we just need to apply them.

Go back to the home page (menu action). In the Firewall rules section, click on Save and apply rules (the checkbox With NuFW authentication must be checked). The ruleset is saved at the same time.

1.7.4   Accept ping outbound

Because the NuFW.Live gateway blocks any outbound traffic (except from the gateway itself), we must authorize protocols explicitly.

If you wish to authorize outbound pings, you must create a new ACL. Go back to Nuface and reload the "acl" ruleset (if your session has not expired, the ruleset is still open). In the Acls page, create a rule named ping with the following parameters:

  • Source: your local network (ETH0_interco...)
  • Target: "Internet"
  • Protocol: "ICMP_ping"
  • Auth: do not use authentication, because NuFW does not support the ICMP protocol

1.8   Client connection for authenticated access

Now that the NuFW gateway is configured, we will connect a client machine to it. You will need a NuFW agent on every workstation in your local networks so as to authenticate the network traffic from the users going through your firewall (see the NuFW algorithm in this article: http://www.nufw.org/download/Misc18_Nufw.pdf or http://www.nufw.org/Principes.html).

As of today, there are NuFW clients for Microsoft Windows (2000/XP and Vista), Linux, MacOS X and BSD systems. INL offers a proprietary client (NuWINc) for the proprietary operating system Microsoft Windows. The clients for free operating systems (GNU/Linux and xBSD) are free software released under the GPL v2 license. These free clients are packaged for several distributions, notably Debian, Ubuntu and Mandriva Corporate Server 4.

You can download the clients from www.inl.fr (in particular the demonstration client NuWINc for Microsoft Windows) or www.nufw.org.

To test an authenticated connection from a user to an external resource, you need another computer linked to your NuFW.Live gateway (either directly or through a hub or a switch, but without any NAT between the client and the gateway). On this client computer, launch either NuWINc (if the computer runs Windows) or NuApplet (if it runs Linux). For simplicity, you can boot a PC on a second NuFW.Live CD, since it includes NuApplet (the graphical client for Linux). NuApplet's icon looks like a yellow and black shield and is located in KDE's quick launch bar at the bottom of the screen.

Before using the NuFW client, make sure the network is correctly configured on the client machine so that the outbound traffic goes through the NuFW.Live gateway. If you use a NuFW.Live CD for the client machine, you can configure the network with the Network tab: enter the name and network address of the local network through which you will contact the NuFW.Live gateway, and an IP address for the client machine, belonging to this network. In the default route field, enter the IP address of the NuFW.Live gateway, then click on Save and apply the network configuration. Also check the address of the DNS server at the bottom of the same page.

img/nuapplet-preferences-en.png

NuApplet's preferences dialog.

The parameters to enter into NuFW clients are:

  1. Hostname: IP address of the NuFW.Live gateway

    After applying this configuration, you may have to click on the NuApplet icon at the bottom right of the screen to authenticate.

  2. Next, for authentication:

    • Username: user1 (or another user already defined)
    • Password: user1 (or the other user's password)

img/nuapplet-dialog-auth-en.png

NuApplet's authentication dialog.

Note: The user1 account belongs to the group group1 that we used for the authenticating rule in Nuface.

1.9   Connection tests

Now that you have configured the NuFW client, it should be connected to the NuFW server and the icon at the bottom right should be green. If it is yellow, right-click on it and choose Connect.

You can test an HTTP connection to a web server on the Internet or on a local network different from the one the client machine is directly connected to. The HTTP connection should be accepted.

To test a blocked connection, you can try an HTTP connection while the NuFW client is not connected (to disconnect the client, right-click on the client's icon near the lower left corner of the screen, then click on Disconnect), or while connected as a user who does not belong to the authorized group (e.g. user2). For an HTTP connection attempted while the NuFW client is not connected, the log message is UNAUTHENTICATED DROP; you can check the logs in the Nulog tool (see below).
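The following Python model is added here as an illustration; it is not part of the original guide and is not NuFW's own code. It ties together the ruleset built in sections 1.7.2 to 1.7.4 (hardcoded rules plus the dns, http and ping ACLs) and the three verdicts observed in the connection tests above and in Nulog (ACCEPT, UNAUTHENTICATED DROP and DROP): an ACL with an Auth group requires an authenticated user belonging to that group, an ACL without one accepts on network and protocol criteria alone, and anything unmatched is dropped. The Packet and Acl classes, the gateway address 192.168.0.1, the first-match evaluation order, the sample client and server addresses and the user-to-group table are constructed for this example; the 10-pings-per-second rate limit of the hardcoded inbound rule is not modelled.

```python
"""Constructed model of the NuFW.Live demo policy (not NuFW code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Network objects Nuface created from the network configuration (section 1.7.1).
NETWORKS = {
    "INTERNET": ip_network("0.0.0.0/0"),
    "ETH0_interco_192.168.0.0/24": ip_network("192.168.0.0/24"),
}

# Protocol objects named in the ACL "Protocol" field (constructed mapping).
PROTOCOLS = {
    "DNS_client": ("udp", 53),
    "HTTP": ("tcp", 80),
    "ICMP_ping": ("icmp", None),
}

# Constructed user directory mirroring user1/group1 and user2/group2 (section 1.6).
USER_GROUPS = {"user1": "group1", "user2": "group2"}

# Constructed address of the NuFW.Live gateway and its hardcoded inbound rules.
GATEWAY_IP = "192.168.0.1"
HARDCODED_INBOUND = {("tcp", 443), ("tcp", 4129)}  # HTTPS, NuFW client port


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port, None for ICMP
    user: Optional[str] = None    # identity from the NuFW client; None if no client


@dataclass
class Acl:
    name: str
    source: str                   # network object name
    target: str                   # network object name
    protocol: str                 # protocol object name
    auth: Optional[str] = None    # required group, or None for an unauthenticated rule
    decision: str = "ACCEPT"

    def matches(self, pkt: Packet) -> bool:
        proto, port = PROTOCOLS[self.protocol]
        return (ip_address(pkt.src) in NETWORKS[self.source]
                and ip_address(pkt.dst) in NETWORKS[self.target]
                and pkt.proto == proto
                and (port is None or pkt.dport == port))


def decide(pkt: Packet, acls: list) -> str:
    """Return the Nulog-style verdict for one packet (first matching ACL wins)."""
    if pkt.src == GATEWAY_IP:          # any traffic emitted by the firewall itself
        return "ACCEPT"
    if pkt.dst == GATEWAY_IP:          # inbound to the gateway: hardcoded rules only
        if pkt.proto == "icmp" or (pkt.proto, pkt.dport) in HARDCODED_INBOUND:
            return "ACCEPT"
        return "DROP"
    for acl in acls:
        if not acl.matches(pkt):
            continue
        if acl.auth is None:           # rule without Auth: decided by network/protocol
            return acl.decision
        if pkt.user is None:           # authenticating rule but no client connected
            return "UNAUTHENTICATED DROP"
        if USER_GROUPS.get(pkt.user) == acl.auth:
            return acl.decision        # user is in the authorized group
        return "DROP"                  # authenticated, but wrong group (e.g. user2)
    return "DROP"                      # default behavior: block everything else


LOCAL = "ETH0_interco_192.168.0.0/24"
DEMO_ACLS = [
    Acl("dns", LOCAL, "INTERNET", "DNS_client"),
    Acl("http", LOCAL, "INTERNET", "HTTP", auth="group1"),
]
PING_ACL = Acl("ping", LOCAL, "INTERNET", "ICMP_ping")


def run_connection_tests() -> dict:
    """Replay the connection tests of the guide with constructed addresses."""
    client, server = "192.168.0.10", "203.0.113.5"
    return {
        "dns, no client": decide(Packet(client, server, "udp", 53), DEMO_ACLS),
        "http, user1": decide(Packet(client, server, "tcp", 80, user="user1"), DEMO_ACLS),
        "http, no client": decide(Packet(client, server, "tcp", 80), DEMO_ACLS),
        "http, user2": decide(Packet(client, server, "tcp", 80, user="user2"), DEMO_ACLS),
        "ping, no ping ACL": decide(Packet(client, server, "icmp"), DEMO_ACLS),
        "ping, with ping ACL": decide(Packet(client, server, "icmp"), DEMO_ACLS + [PING_ACL]),
    }


if __name__ == "__main__":
    for name, verdict in run_connection_tests().items():
        print(f"{name:20} -> {verdict}")
```

The point the model makes visible is the one the guide relies on: the same HTTP packet from the same client address gets three different verdicts depending only on who is authenticated behind it, which is why the rule cannot be expressed as an IP- or MAC-based filter.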

1.10   Network log analysis with Nulog

The web interface Nulog offers a view on connections going through the firewall. On Nulog's home page only blocked connections are shown by default, but you can apply other filters.

Every Nulog page includes a vertical bar on the left, offering links and general information, like the number of users connected to NuFW with a client, and a direct link to the list of packets (see the figure below).

img/nulog-barre-en.png

Vertical bar on the left of every Nulog page.

Click on the link Last packets list. If you have tested an HTTP connection with a client connected to NuFW, you should see at least one accepted packet on this page, as in the figure below. The accepted packet is displayed on a green or blue background (the color is explained later). The last column indicates the type of decision for the packet.

img/nulog-auth-accept-en.png

Last packets list: an accepted authenticated packet.

To get more information about a particular packet, you can view the details associated with this packet by clicking on the icon in the first column of the table, here representing a user (since the packet was authenticated):

img/nulog-icone-user-.png

Icon representing a user, to get to the details page for the packet.

The figure below gives an example of the details page for an accepted authenticated packet. The information specific to the authenticating firewall NuFW is "user information" and "Additional information", which includes the operating system and the application used by the user to send the packet.

img/nulog-details-paquet-auth-en.png

Details page of an accepted authenticated packet.

If you have tested an HTTP connection going through the firewall from the client machine without being connected (authenticated) to NuFW, that is, a connection blocked for lack of authentication, you can see the packets on an orange background, with the log message default UNAUTHENTICATED DROP. The icon for these packets represents a simple network and not a user, because those packets were not authenticated, since the NuFW client was not connected. The figure below shows the list of the last packets, including new packets which have been blocked.

img/nulog-unauth-drop-en.png

Unauthenticated dropped packets.

If you view the details of this kind of packet, the special NuFW information is missing because the packet was not authenticated (see figure below).

img/nulog-details-unauth-drop-en.png

Details of an unauthenticated dropped packet.

A third case of an authenticating rule is the blocking of an authenticated packet emitted by a user who does not have the right to access the requested resource. To test this case, connect your NuFW client as the user user2 (password user2) and try a new HTTP connection through the firewall NuFW.Live. Dropped authenticated packets will then show up in the list of last packets, as in the figure below.

img/nulog-auth-drop-en.png

List with dropped authenticated packets emitted by the user user2 who does not have the right to access the requested resource. The decision is DROP.

Note that an accepted packet is first displayed on a green background when the connection is still active, then on a blue background when the connection is closed. When the connection is closed, the date of the packet becomes that of the connection closing and the packet goes up in the list (which is sorted by date):

img/nulog-paquet-remonte-en.png

An accepted packet gone up the list after the connection was closed.

The Nulog home page includes the list of the last blocked users and the list of the last blocked TCP packets:

img/nulog-resume-bloques-en.png

List of the last blocked users and list of the last blocked TCP packets.

1.11   Handling active connections with Conntrack

The Conntrack tool allows you to display, search and kill active connections. For instance, if a user launched a very long download and you want to stop it at once on the firewall, you can check the checkbox Kill (last column) corresponding to this connection and click on the button Kill.

The first line of the table includes text zones so that you can enter search criteria. To run the search after entering one or more criteria, click on the button ok.

img/conntrack-fr.png

Simple example of active connections.

1.12   Beyond NuFW.Live

You have tested the network flow authenticating features of a NuFW firewall.

You can use the authenticating firewall in a company network because INL, the company which has developed it from the start, provides professional support for NuFW. NuFW is the only implemented authenticating firewall which does not rely on the association between an IP or MAC address and a user; it is thus an excellent way to enforce a strict security policy by bringing in the notion of user. NuFW is the only solution which allows building filtering rules based on users on multi-user machines, or connecting to a user directory without giving up anything security-wise.

INL offers different kinds of services for the whole suite of components used in this LiveCD (NuFW, Nuface, Nulog...).

These services are mainly:

  • Training
  • Certification
  • Integration
  • Development
  • Support

INL also offers the NuWINc agents to be able to use NuFW from workstations under proprietary operating systems (Microsoft Windows).

You may also contact either INL or Mandriva for the Mandriva Corporate Server 4 distribution, which includes NuFW and all the tools around it. Mandriva offers support for the whole solution.

Last, INL has packaged and included these tools in a hardware firewall (UTM box) called EdenWall, which is entirely configurable through web interfaces. EdenWall is designed for companies that need a fully integrated box. On top of the authenticating filtering brought by NuFW, EdenWall benefits from tools like protocol analysis, antivirus relaying or a web proxy with user-defined whitelisting. A presentation of EdenWall is available at http://www.edenwall.com.