Tuesday, December 9, 2008

[ZeroShell] Test Environment Overview

Introduction

The rapid growth of the Internet has brought with it a great many kinds of network services. Because the Internet is a public space, security has to be treated as a very important concern, and a traditional layer 3 (packet-filtering) firewall alone has long been insufficient; this is why a string of products claiming to handle layer 7 (the Application Layer) have appeared.

ZeroShell is one of the more capable firewall distributions among the many on the market, and it can be used free of charge. It integrates many open source projects, so besides being feature-rich it is arguably also more secure and stable than closed products.

As for what ZeroShell can do, the following feature list is quoted from the official website:

  • Load Balancing and Failover of multiple Internet connections;

  • UMTS/HSDPA connections by using 3G modems;

  • RADIUS server for providing secure authentication and automatic management of the encryption keys to the Wireless 802.11b, 802.11g and 802.11a networks supporting the 802.1x protocol in the EAP-TLS, EAP-TTLS and PEAP form or the less secure authentication of the client MAC Address; WPA with TKIP and WPA2 with CCMP (802.11i compliant) are supported too; the RADIUS server may also, depending on the username, group or MAC Address of the supplicant, allow the access on a preset 802.1Q VLAN;

  • Captive Portal to support the web login on wireless and wired networks. Zeroshell acts as gateway for the networks on which the Captive Portal is active and on which the IP addresses (usually belonging to private subnets) are dynamically assigned by the DHCP. A client that accesses this private network must authenticate itself through a web browser using Kerberos 5 username and password before the Zeroshell's firewall allows it to access the public LAN. The Captive Portal gateways are often used to provide authenticated Internet access in the HotSpots as an alternative to the 802.1X authentication protocol, too complicated to configure for the users. Zeroshell implements the functionality of Captive Portal in native way, without using other specific software as NoCat or Chillispot;

  • QoS (Quality of Service) management and traffic shaping to control traffic over a congested network. You will be able to guarantee the minimum bandwidth, limit the max bandwidth and assign a priority to a traffic class (useful in latency-sensitive network applications like VoIP). The previous tuning can be applied on Ethernet Interfaces, VPNs, bridges and VPN bondings. It is possible to classify the traffic by using the Layer 7 filters that allow the Deep Packet Inspection (DPI) which can be useful to shape VoIP and P2P applications;

  • HTTP Proxy server which is able to block the web pages containing virus. This feature is implemented using the ClamAV antivirus and HAVP proxy server. The proxy server works in transparent proxy mode, in which, you don't need to configure the web browsers of the users to use it, but the http requests will be automatically redirected to the proxy;

  • Wireless Access Point mode with Multiple SSID and VLAN support by using WiFi network cards based on the Atheros chipsets. In other words, a Zeroshell box with one of such WiFi cards could become an IEEE 802.11a/b/g Access Point providing reliable authentication and dynamic keys exchange by 802.1X and WPA protocols. Of course, the authentication takes place using EAP-TLS and PEAP over the integrated RADIUS server;

  • Host-to-lan VPN with L2TP/IPsec in which L2TP (Layer 2 Tunneling Protocol) authenticated with Kerberos v5 username and password is encapsulated within IPsec authenticated with IKE that uses X.509 certificates;

  • Lan-to-lan VPN with encapsulation of Ethernet datagrams in SSL/TLS tunnel, with support for 802.1Q VLAN and configurable in bonding for load balancing (band increase) or fault tolerance (reliability increase);

  • Router with static and dynamic routes (RIPv2 with MD5 or plain text authentication and Split Horizon and Poisoned Reverse algorithms);

  • 802.1d bridge with Spanning Tree protocol to avoid loops even in the presence of redundant paths;

  • 802.1Q Virtual LAN (tagged VLAN);

  • Firewall Packet Filter and Stateful Packet Inspection (SPI) with filters applicable in both routing and bridging on all type of interfaces including VPN and VLAN;

  • It is possible to reject or shape P2P File Sharing traffic by using IPP2P iptables module in the Firewall and QoS Classifier;

  • NAT to use private class LAN addresses hidden on the WAN with public addresses;

  • TCP/UDP port forwarding (PAT) to create Virtual Servers. This means that real server cluster will be seen with only one IP address (the IP of the virtual server) and each request will be distributed with Round Robin algorithm to the real servers;

  • Multizone DNS server with automatic management of the Reverse Resolution in-addr.arpa;

  • Multi subnet DHCP server with the possibility to fix IP depending on client's MAC address;

  • PPPoE client for connection to the WAN via ADSL, DSL and cable lines (requires a suitable MODEM);

  • Dynamic DNS client used to easily reach the host on WAN even when the IP is dynamic;

  • NTP (Network Time Protocol) client and server for keeping host clocks synchronized;

  • Syslog server for receiving and cataloging the system logs produced by the remote hosts including Unix systems, routers, switches, WI-FI access points, network printers and others compatible with the syslog protocol;

  • Kerberos 5 authentication using an integrated KDC and cross-authentication between realms;

  • LDAP, NIS and RADIUS authorization;

  • X509 certification authority for issuing and managing electronic certificates;

  • Unix and Windows Active Directory interoperability using LDAP and Kerberos 5 cross realm authentication.

ZeroShell bundles a large number of the services found on Linux, which looks bewildering at first glance. Most of these features are disabled by default, however, so you only need to enable the parts that your own requirements call for.


Environment & Equipment

Hardware

  • PC * 4 (the ZeroShell host needs three network cards)

  • Switch hub * 1

Software

  • ZeroShell 1.0 beta 11

  • Windows 2003 & XP

  • Ubuntu


Network Architecture

The whole setup consists of four machines, ZeroShell included, and can be described in four parts:

  1. ZeroShell host
    ZeroShell acts as both firewall and router and has three network interfaces: External (the outside network), Internal (the inside network) and DMZ (where the servers live).

  2. External (ETH00) [outside network]
    This is the outward-facing interface of the whole setup; every outbound connection from the entire network leaves through it. Consequently, if you want to filter packets coming from the outside in, this is the interface where the rules must be applied.

  3. DMZ (ETH01) [where the publicly reachable servers live]
    All servers that offer services to the outside, for example Web, DNS and so on, can be placed here.

  4. Internal (ETH02) [inside network]
    The internal network is the part that cannot be reached from the outside. If access from the outside into the internal network is required, it can be provided through a VPN tunnel.
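The three-zone policy the four parts above describe can be written down as a small model and checked before any rules go onto the box. The following is an added example, not code from the original post or from the ZeroShell project (ZeroShell is normally configured through its web interface, and its internal rule layout is not described here); it assumes the interface names ETH00/ETH01/ETH02 from the architecture section, that the published DMZ services are HTTP, HTTPS and DNS, that the DMZ may initiate connections to the outside (for updates and recursive DNS) but never to the Internal network, and that the host uses plain iptables with the `state` match available on 2008-era kernels.

```python
"""Zone policy model for the three-interface firewall/router lab described above.

Assumptions (not from the page): the DMZ publishes HTTP, HTTPS and DNS; the DMZ
may originate traffic towards External but not towards Internal; Internal may
originate anything; everything else between zones is dropped.
"""
from dataclasses import dataclass
from typing import List

# Interface-to-zone mapping taken from the architecture section of the post.
IFACES = {"ETH00": "external", "ETH01": "dmz", "ETH02": "internal"}

# Hypothetical services published on the DMZ as (protocol, destination port).
DMZ_SERVICES = {("tcp", 80), ("tcp", 443), ("tcp", 53), ("udp", 53)}


@dataclass(frozen=True)
class Flow:
    """One forwarded packet as the FORWARD chain sees it."""
    in_if: str
    out_if: str
    proto: str
    dport: int
    established: bool = False   # True for replies to an already accepted connection


def decide(flow: Flow) -> str:
    """Return 'ACCEPT' or 'DROP' for a packet forwarded between two zones.

    Mirrors the rule order produced by iptables_rules(): stateful pass-through
    first, then per-zone policy, then the default drop.
    """
    if flow.established:
        return "ACCEPT"                       # ESTABLISHED,RELATED pass-through
    src, dst = IFACES[flow.in_if], IFACES[flow.out_if]
    if src == "internal":
        return "ACCEPT"                       # Internal may originate anything
    if src == "dmz" and dst == "external":
        return "ACCEPT"                       # DMZ servers may reach out (assumption)
    if src == "external" and dst == "dmz" and (flow.proto, flow.dport) in DMZ_SERVICES:
        return "ACCEPT"                       # only published DMZ services from outside
    return "DROP"                             # External->Internal, DMZ->Internal, anything else


def iptables_rules() -> List[str]:
    """Emit the FORWARD-chain rules equivalent to decide(), in evaluation order."""
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A FORWARD -i ETH02 -m state --state NEW -j ACCEPT",          # Internal -> any
        "iptables -A FORWARD -i ETH01 -o ETH00 -m state --state NEW -j ACCEPT", # DMZ -> External
    ]
    for proto, port in sorted(DMZ_SERVICES):                                    # External -> DMZ
        rules.append(
            f"iptables -A FORWARD -i ETH00 -o ETH01 -p {proto} --dport {port} "
            "-m state --state NEW -j ACCEPT"
        )
    # Note: nothing lets ETH00 -> ETH02 or ETH01 -> ETH02 originate a connection,
    # so Internal is unreachable from outside, as the post requires; remote access
    # to Internal is left to the VPN terminating on the ZeroShell host itself.
    return rules


if __name__ == "__main__":
    for r in iptables_rules():
        print(r)
    probe = Flow("ETH00", "ETH02", "tcp", 445)
    print(probe, "->", decide(probe))
```

Running the block prints the rule set and the verdict for one probe; the useful part is `decide()`, which lets you enumerate the flows you care about (an inbound SSH attempt to the DMZ, an SMB connection from a DMZ host to the Internal network) and confirm the matrix says what the architecture text says before the rules are applied. Anti-spoofing checks on ETH00 (dropping packets that claim Internal or DMZ source addresses) and the INPUT chain protecting the ZeroShell host itself are deliberately out of scope here.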
