Philip a écrit :
>
> I have a VLANed network to which I would like to connect a commercial
> vulnerability scanner.
> The scanner is an appliance from a vendor which is not very configurable.
> Therefore I have put a debian lenny firewall in front of the scanner.
> The firewall has these interfaces:-
> admin0, which is a normal interface with openssh listening. also the
> scanner vendor is reachable via this interface.
> scanner0, which has udhcpd and bind listening on it, this is connected
> to the vulnerability scanner with a crossover cable and the bind and
> dhcp configure it so that it routes via the lenny firewall and can find
> the vendors IP addresses.
> trunk0, which is a vlanned interface to an ethernet switch.
> trunk1, which is a vlanned interface to another ethernet switch.
> I am using iptables to snat the scanner traffic onto IP addresses that
> the lenny firewall owns inside each vlan.
> This is all working beautifully and I can successfully scan hosts in
> each vlan for security vulnerabilities.
Note that NAT breaks end-to-end connectivity and therefore may hide some
vulnerabilities from the scanner.
> The problem is that I think that I have broken the security model that
> uses VLANs to segregate the hosts that I'm scanning.
> I beleive that any host in any vlan could also send traffic to another
> vlan if it routes it via the IP address of the lenny firewall that it
> has locally in its own VLAN, and that my firewall will SNAT that hosts
> traffic onto it's own IP address in the other VLAN.
Yes, with ip_forward=1 the Debian lenny box acts as a IPv4 router and by
default forwards IPv4 packets between all its network interfaces, unless
you add some filtering with iptables.
> This is not what I wanted. What I want is for only the scanner on
> interface scanner0 to be snatted and nothing else. Note that the lenny
> firewall is only supposed to be used for scanning because there is
> another firewall on each vlan for carrying normal packets.
>
> My nat.sh startup script looks like this:-
>
> /sbin/depmod -a
What do you need this for ?
> /sbin/modprobe ip_tables
> /sbin/modprobe ip_conntrack
> /sbin/modprobe iptable_nat
These modules should be automatically loaded when needed.
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
What do you need this for ?
> iptables -t nat -A POSTROUTING -o admin0 -j SNAT --to 10.0.1.5
What do you need this for ? Does the scanner need to scan hosts in the
admin network ?
> How can I change this so that only packets from interface scanner0 can
> get SNATed and nothing else ?
NAT is not a security feature, so forget about SNAT and concentrate on
packet filtering. SNAT will handle only packets that have been accepted
by the filtering rules. My suggestion is to add rules in the FORWARD
chain to accept forwarded packets only to or from the scanner and drop
the rest.
# default policy = drop
iptables -P FORWARD DROP
# allow packets from the scanner to anywhere
iptables -A FORWARD -i scanner0 -j ACCEPT
# allow packets from anywhere to the scanner
iptables -A FORWARD -o scanner0 -j ACCEPT
This way, communication between VLANs is prohibited. Communication
between the admin network and VLANs is prohibited to, but I think you
don't need it.
--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
No comments:
Post a Comment