Archive for June, 2012
A couple of firewalls: from pfSense to Zorp
For years I used miniature PowerPC and ARM machines as the gateway for my SoHo network: a normal Linux install using openSUSE or Debian, with iptables, proxies, sometimes an IDS or even a torrent server to seed openSUSE alpha/beta/release CDs. While it was fun, these machines were never intended for this job: the additional Ethernet interfaces were on USB, they could not keep up with today's broadband speed increases, and they did not like near 24/7 operation. Now I got the chance to try a machine designed to run 24/7, with passive cooling and multiple Ethernet ports, so a real gateway machine, an eBox 3310mx, instead of a nice hack.
As a FreeBSD maniac, the first firewall distribution I tested on the machine was pfSense. In addition to being a flexible and powerful firewall and routing platform, it can be extended with many add-on packages for IDS (Snort), VoIP, a caching proxy (squid), etc. All of these come with convenient and uniform web interface extensions to the base web GUI.
Using pfSense I had mixed results. The machine is based on the Vortex86 SoC, which also includes an Ethernet port. In theory it is supported by FreeBSD; in practice it did not work, only the two additional Ethernet ports did. On the other hand, this was the fastest networking stack on the machine: I often measured faster downloads than the theoretical maximum of my ADSL line.
As I also wanted to test a three-Ethernet setup, I downloaded a Linux-based firewall distribution as well. I was recommended ZeroShell, but after a few hours I gave up on the installation. Then I tried IPCop, a simple, easy-to-use firewall distribution. It had many more features than my SoHo router box and was still easier to use: nice graphs, traffic shaping, VPN connections, a much more flexible firewall and logs of network activity. On the other hand, while it did support the on-chip Ethernet, its speed was less than optimal.
The best Linux experience I had on the machine was with Debian. Installation was quick and easy. Network speed was close to the theoretical maximum on each interface. And as it is a general-purpose distribution, I could easily add NAS functionality using USB hard drives and the necessary software.
Talking about Debian, I have some good news for you: Zorp GPL packages are available for Debian, as announced on the Zorp mailing list recently. This makes installing Zorp GPL a lot easier on many different versions of Debian and Ubuntu. It is still not as easy as the web GUI based firewall distributions I tested, but thanks to its proxy-based architecture it can provide much stricter and more finely tuned protection than any of the others I tested. For details on how to get started, read the announcement or the maintainer's blog.
ELSA and syslog-ng PE
ELSA is one of the largest software projects outside BalaBit that utilizes the patterndb pattern-matching technology of syslog-ng. As an open source application, it uses syslog-ng OSE at its heart. ELSA is used by network security professionals to gather enormous amounts of information about what is happening on their networks and to search it with Google-like response times.
Recently somebody asked if it is possible to store digitally signed logs using ELSA. While this is not possible with the MySQL storage, syslog-ng PE has this functionality through its logstore technology. Of course, using the logstore has the drawback of storing the logs twice, but it also has some advantages, like encryption or optional time stamping.
So once I could allocate a little time, I gave ELSA and syslog-ng PE a try. I used Ubuntu 10.04 and syslog-ng PE 4.2 in my tests, and with some minor quirks I was able to replace OSE with PE and add logstore support to the configuration. For details, check the ELSA wiki at https://code.google.com/p/enterprise-log-search-and-archive/wiki/UsingSyslog_NGPremiumEdition. It should work in a fairly similar way on all platforms supported by ELSA.
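To show what "storing logs twice" looks like in practice, here is an added syslog-ng PE configuration fragment (an illustration written for this post, not the configuration from the ELSA wiki or ELSA's own installer). It fans one network source out to two destinations: the program() destination that feeds ELSA's loader and MySQL, and a PE-only logstore() destination that keeps an encrypted, compressed and time-stamped second copy. The ELSA loader path, the certificate and logstore paths, the TSA URL and the `@version` line are assumptions; substitute the values your ELSA installation and PE version use.

```conf
@version: 4.2

# Where the monitored hosts send their syslog traffic (same source as ELSA uses).
source s_network {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514) max-connections(100));
};

# Copy 1: hand every message to ELSA's loader, which indexes it into MySQL.
# The command line is an assumption; reuse the program() destination that
# ELSA generated for you so its field template stays intact.
destination d_elsa {
    program("/usr/local/elsa/node/elsa.pl -c /etc/elsa_node.conf");
};

# Copy 2: PE logstore. One file per host per day, compressed, encrypted to
# the public key in the certificate (the private key stays off this box),
# and each chunk time-stamped by an external TSA. Paths and URL are assumed.
destination d_logstore {
    logstore("/var/log/logstore/${HOST}-${YEAR}${MONTH}${DAY}.lgs"
        encrypt_certificate("/etc/syslog-ng/logstore-cert.pem")
        compress(5)
        timestamp_url("http://tsa.example.com/tsa")
    );
};

# The fan-out: the same messages go to both destinations, so ELSA's fast
# search and the tamper-evident archive are always built from identical input.
log {
    source(s_network);
    destination(d_elsa);
    destination(d_logstore);
};
```

Keep the private key matching logstore-cert.pem on a separate machine: the syslog-ng host only needs the certificate to encrypt, and a compromise of that host then does not expose the archive. Check the configuration with `syslog-ng -s` before restarting, and read or verify the resulting .lgs files with the lgstool utility that ships with PE, on the machine that holds the key.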
Learning SCB: the fun way
Learning new and complex software like SCB is difficult, even if it has fantastic documentation. I started learning SCB this way, reading the docs from page one. Then I learned that we had just finished preparing brand new e-learning based training material, which also includes WebEx consultations and an exam at the end (commercial, available for customers and partners; register here). And instead of using rdesktop from my laptop, I got the chance to use a real thin client to access servers through SCB: a small PC which fits in a hand.
Of course, using the e-learning training does not mean that one does not need to read the documentation. But it does mean that not all of the documentation needs to be read. Each chapter gives a good overview of an important aspect of SCB, and at the end there are pointers to further reading in the administrator's guide, where one can find additional details if necessary.
There are also some screencasts of SCB, so one can see how to use the software even without starting it. And as setting up a good test environment is often difficult, these examples are more lifelike than a simple test environment with one or two connections.
While learning SCB I met a friend who specializes in miniaturized computers. When he found out what I was doing, he pulled something looking like a power supply, just a little smaller, out of his pocket. Looking at it more closely, it turned out to be a complete computer which can be used for many things, but is used primarily as a thin client.
SCB was running as a virtual machine on my laptop, and I could also simply use rdesktop or ssh from it to create connections through SCB. But using a separate machine as the client has some advantages other than being fun. I could do four-eyes authentication while watching what happens on the client side, or follow in real time what is happening on the screen of the thin client using the Audit Player.
It is still difficult for me to believe the size of the machine. Even my ARM systems are larger, but this one is an x86. The machine uses a Vortex86 system on chip, which is somewhere between an i486 and an i586. This of course means that not all Linux distributions run on it, but I have seen XP on it and used Debian to build a thin client.
The machine is powered over a standard USB cable and has Ethernet, video, audio, three USB ports and an SD card slot. It boots from USB or from an SD card, which is emulated as an IDE HDD. There are no moving parts inside, so it is completely silent. It has VESA mounting holes, so it can easily be attached to the back of a modern LCD monitor. This way it is not visible at all and takes no precious desk space.
If you are interested in how your thin client infrastructure could be secured and audited, please read our SCB thin client white paper.
FreeBSD, pfsense and syslog-ng
One of the main strengths of syslog-ng is that it runs on many different platforms: not just Linux, but most BSD variants, AIX, HP-UX and Solaris, and the Premium Edition also has clients for Windows and IBM System i. The platform I want to talk about now is FreeBSD, first of all because it is my favorite server platform, and also because FreeBSD users seem to like syslog-ng.
How do I know this? From download statistics, from personal e-mails and also from forum messages:
- When we released the first alpha version of syslog-ng 3.4 and updated the sysutils/syslog-ng-devel port for it, I checked the source download statistics, and most of the downloads were initiated from FreeBSD systems.
- One of the major organizations supporting FreeBSD's development asked us in a private e-mail to enable SSL support by default in the syslog-ng port. Thanks to Cy, who maintains the package in FreeBSD ports, it is enabled now, so the next time FreeBSD packages are built from ports, syslog-ng will have SSL support compiled in.
- Somebody asked for syslog-ng support in pfSense, a very nice FreeBSD-based firewall distribution.
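What SSL support in the port buys you is the tls() option on network sources and destinations. The following is an added example, written for this post rather than taken from the FreeBSD port or its sample configuration: a FreeBSD client that forwards its local logs to a central syslog-ng server over mutually authenticated TLS, and the matching server-side source. The host name, port, certificate paths and `@version` line are assumptions; the /var/run/log and /dev/klog paths are where FreeBSD's syslogd socket and kernel log live, and /usr/local/etc/syslog-ng/ is where the port puts its configuration.

```conf
@version: 3.3

# --- Client side: the FreeBSD host that ships its logs ---

# Local messages: syslog-ng's own internal log, the syslogd socket
# applications write to on FreeBSD, and the kernel message buffer.
source s_local {
    internal();
    unix-dgram("/var/run/log");
    file("/dev/klog");
};

# Forward over TCP wrapped in TLS. peer_verify(required-trusted) makes the
# client refuse a server whose certificate is not signed by a CA in ca_dir,
# so a spoofed collector cannot harvest the logs. Host and paths are assumed.
destination d_tls {
    tcp("logserver.example.com" port(6514)
        tls(
            ca_dir("/usr/local/etc/syslog-ng/ca.d")
            key_file("/usr/local/etc/syslog-ng/cert.d/client-key.pem")
            cert_file("/usr/local/etc/syslog-ng/cert.d/client-cert.pem")
            peer_verify(required-trusted)
        )
    );
};

log { source(s_local); destination(d_tls); };

# --- Server side: the central collector ---

# Same tls() block on a source. With required-trusted the server also
# demands a client certificate, so only hosts holding a key signed by your
# CA can inject messages into the central store.
source s_tls {
    tcp(ip(0.0.0.0) port(6514)
        tls(
            ca_dir("/usr/local/etc/syslog-ng/ca.d")
            key_file("/usr/local/etc/syslog-ng/cert.d/server-key.pem")
            cert_file("/usr/local/etc/syslog-ng/cert.d/server-cert.pem")
            peer_verify(required-trusted)
        )
    );
};

destination d_remote { file("/var/log/remote/${HOST}.log"); };

log { source(s_tls); destination(d_remote); };
```

Run `syslog-ng -s -f /usr/local/etc/syslog-ng/syslog-ng.conf` on each side before restarting: a binary built without SSL support rejects the tls() block at this syntax check, which is the quickest way to confirm the port was built with the option enabled. The CA directory must contain the CA certificates under their hash names (the form `openssl x509 -hash` prints, with a `.0` suffix); a plain PEM file dropped into ca_dir is not found.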
I have used pfSense for the last couple of days, and I like it very much, as my Internet connection feels a lot faster now even without upgrading the line.
Once I have a little more time, I will check how difficult it would be to integrate syslog-ng into this nice firewall distribution.