forksand-it-manual/source/Firewalls.tex

%
% Firewalls.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
% Copyright (C) 2016, 2017 Aleph Objects, Inc.
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
Firewalls keep the bad packets out, mostly. And let some good packets out.

\section{Overview}
What is the network doing?

\begin{itemize}
 \item snort
 \item MRTG
 \item Aguri
\end{itemize}

\section{Authentication}
Two-factor authentication using TOTP.

\section{Firewall Hardware Overview}
Hardware.

\begin{itemize}
    \item OPNsense is based on FreeBSD \\ \url{https://opnsense.org/}
        \\ \url{https://wiki.opnsense.org/index.html}
    \item Iris FW1100 datasheet \\ \url{https://www.supermicro.com/products/system/1U/1018/SYS-1018D-FRN8T.cfm}
\end{itemize}

The Supermicro SuperServer 1018D-FRN8T is a 1U server with front I/O.
That means that both the rear I/O ports as well as the I/O expansion
ports are found along the front side of the rack. In many cases this
is a desirable configuration as it can make cabling very simple.

\begin{figure}[!ht]
    \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
        {sf-fw/ss-front.png}
    \caption{Supermicro SuperServer 1018D-FRN8T Front}
    \label{fig:supermicroSSfront} 
\end{figure}

The rear of the unit has a redundant 400W power supply. Rated at 80
Plus Platinum the power supplies are efficient as well. The remainder
of the rear is simply a bezel for fans.

\begin{figure}[!ht]
    \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
        {sf-fw/ss-rear.png}
    \caption{Supermicro SuperServer 1018D-FRN8T Rear}
    \label{fig:supermicroSSrear}
\end{figure}

The onboard I/O is plentiful. There are two USB 3.0 ports along with
a VGA port for KVM carts. Above the USB ports there is a RJ-45
Ethernet port for out-0f-band management that can be directly
connected to a dedicated management network. 
%-------------------
Furthermore there are
six 1GbE ports connected to two Intel i210-at controllers and an
Intel i350-am4 controller. The two SFP+ ports are controlled by the
Xeon D<>s Intel X552 NIC. For firewalls and other appliances, this is
a very strong configuration.

\begin{figure}[!ht]
    \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
        {sf-fw/iris-fw1100-front.png}
    \caption{Supermicro SuperServer 1018D-FRN8T interfaces}
    \label{fig:supermicroSSinterfaces}
\end{figure}

Inside the system we see a redundant set of fans near the PSU bezel
and a very small motherboard inside. One can see our two stacks of
Seagate Enterprise Capacity V3 1TB 7200rpm drives as well. We removed
the PCIe riser and the airflow shroud from this picture to show off
the internals better.

\begin{figure}[!ht]
    \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
        {sf-fw/ss-noshroud.png}
    \caption{Supermicro SuperServer 1018D-FRN8T Internal no shroud}
    \label{fig:supermicroSSnoshroud}
\end{figure}

\subsection{Remote Management}

Supermicro<EFBFBD>s IPMI and KVM-over-IP enables deployment flexibility.
One can do remote power up, power down, and reset of the server in
the event that it becomes unresponsive.

\begin{itemize}
    \item fan speeds, chassis intrusion sensors, thermal sensors,
        and etc. can be monitored remotely
    \item remote power control. One can do remote power up, power
        down, and reset of the server in the event that it becomes
        unresponsive.
    \item alerts can be setup to notify the admins of issues.
    \item remotely mount CD images and floppy images to the machine
        over the dedicated management Ethernet controller. This keeps
        maintenance traffic off of the primary Intel NICs.
        At the same time it removes the need for an optical disk to
        be connected to the Supermicro motherboard.
\end{itemize}

Supermicro<EFBFBD>s BIOS has a feature: the BMC IP address shows
up on the post screen!
If you have a KVM cart hooked up to the system, it gives an
indicator of which machine one is connected to during post.

Supermicro does include KVM-over-IP functionality with the motherboard.

\newpage
\section{Alternatives Firewalls Hardware Overview}
Some resellers:
\begin{itemize}
    \item \url{https://www.deciso.com/}
    \item \url{https://www.pfwhardware.com/}
    \item \url{https://www.osnet.eu/}
\end{itemize}

\begin{itemize}
    \item (8) 1 gig ethernet ports
        Connects to (1) 100M ethernet upstream fiber optic
        Connects to (1) 100M ethernet upstream wifi
        Various LAN
    \item (Hot swap?) Dual Power Supplies
    \item (How swap?) RAID (Linux md), with SSD storage.
    \item 2.5'' drive bays
    \item Total ~8GHz CPU
    \item ~8-16 gigs RAM ? Depends on OS.
    \item Two servers total, for standby/failover
\end{itemize}

\section{IP-tables Firewall}
\subsection{Overview}
Most servers and workstations run GNU/Linux, which uses iptables.


\subsection{iptables}
iptables is part of the Netfilter project and has been included by default in
the Linux kernel for many years.

\begin{figure}[h!]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-netfilter.png}
 \caption{Netfilter Website}
 \label{fig:www-netfilter}
\end{figure}

\subsection{Requirements}
There are a lot of operating systems to consider to use as a firewall...

Notes on some requirements in a firewall.

\begin{itemize}
 \item Must be free software.
 \item The project must still be alive.
 \item Does it use a hardened kernel?
 \item How does it do security updates?
 \item Are there open security issues?
 \item Are there any CVEs?
 \item How are security issues handled?
 \item Is there a list of security issues?
 \item Does it have a wifi portal? (Should that be a separate box or in OpenWRT?)
 \item Does upstream https actually work?
 \item UTM - Unified Threat Management (e.g. snort, etc.)
 \item Load balancing between multiple upstreams (without BGP).
 \item Load balancing between dual local routers.
 \item Fail over to standby router (e.g. pfsync).
 \item ``Anti-virus'', SMTP, POP scans? Meh? (e.g. OpenBSD has greylist/tarpit.)
 \item Packet cleansing (e.g. tcp header randomization).
 \item Do we want DNS, DHCP, etc? Probably not?
 \item OpenVPN (built into router, or thru it?).
 \item Network graphing (MRTG, aguri, etc.)
 \item No broken ``community'' editions.
 \item Have mirrored server doing analysis?
 \item NAT options? cone, etc.
 \item Local system monitoring (e.g. system temp, hdd status, etc.)
 \item sshd
 \item GSM, pppd ?
 \item Two-factor authentication.
 \item snort, suricata
\end{itemize}


\subsection{Firewall Operating Systems in Use}
\Large{Debian}

\href{https://www.debian.org/}{Debian}

Debian is used for nearly everything. It could easily be used as a
router/firewall. There are better, more tuned options.

Linux's iptables is used on servers.

\begin{figure}[h!]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-debian.png}
 \caption{Debian Website}
 \label{fig:www-debian-in-firewalls-chapter}
\end{figure}

\Large{Proxmox setups iptables-firewall}
During Proxmox installation on the nodes, firewall is being confugured.
Some of nodes configurations can be found in chapter Free software under 
path apps/forksand-nodes-bootstrap/...

especially in two of files is mentioned:
\begin{minted}{sh}
# Firewalling is done through Proxmox.
cd /etc ; git add . ; git commit -a -m 'Use SharkTech NTP (others firewalled).'
\end{minted}

\begin{minted}{sh}
# Enable firewall.
# Datacenter --> shark4 (host) --> Firewall --> Add.
# Enable firewall for datacenter:
# Datacenter --> Firewall --> Options --> Firewall --> Yes
# Datacenter --> Firewall --> Options --> Firewall --> Yes
# Enable firewall for shark4:
# Datacenter --> Firewall --> Add.
\end{minted}

\textcolor[rgb]{0.80,0.00,0.00}{
Todo check other nodes, add other shark nodes if similar iptables-firewall related configs. \\
Find out why mention of firewall in hk1 node is discarded.
}

\begin{minted}{sh}
# Enable firewall.
# Datacenter --> truck (host) --> Firewall --> Add.
# Enable firewall for datacenter:
# Datacenter --> Firewall --> Options --> Firewall --> Yes
# Datacenter --> Firewall --> Options --> Firewall --> Yes
# Enable firewall for truck:
# Datacenter --> Firewall --> Add.
\end{minted}

Also Nextcloud chapter mentiones configs of iptables firewall \ref{ssec:nextcloudfirewall} on p.\pageref{ssec:nextcloudfirewall}.

Also certain Ansible including virtual machines enable iptables configuratiion.
For example ansible-debian-male contains mikegleasonjr.firewall.
\href{https://github.com/mikegleasonjr/ansible-role-firewall}{
ansible firewall\char`_v4\char`_configure example on github
}
May be browsed in Free software chapter under path apps/ansible-debian-mail/roles/