
IPCop can save your network from attacks

While preparing a talk for Linux Day 2014 on a Linux firewall, I was looking at the web interfaces and writing a description of them when I noticed that this was making me sleepy, so I thought about the effect it might have on a listener who may not even be familiar with firewalling, port blocking and forwarding techniques...
We needed a top-down approach, something different from the usual guides found on the net, primarily on the official IPCop web site. So I decided to look at it in a more descriptive and less technical way, oriented to the services provided rather than to the configuration screens, giving an overview of the functionality without going too far into technical configuration details.

To get the software: IPCop Linux download. For this installation we used the ISO "Installation CD i486" for convenience, but if you do not have an optical drive you can use a USB image instead.

Network type

In this talk we will look at a very simple network, consisting of a WAN, assigned to a network card shown as RED, and an internal interface (LAN) shown as GREEN.

[Figure: IPCop RED and GREEN]

IPCop also supports more complex network topologies, with a DMZ (ORANGE) and, through plug-ins, other interfaces.

Services provided or desired

  1. Client browsing filters and blacklists
  2. VPN
    1. Teleworking via VPN
  3. Connections to remote locations (IPsec)
  4. Traffic priority management (QoS)
  5. External plugins
  6. Antivirus filters for:
    1. Mail
    2. Web browsing
    3. Messaging (MSN, Google...)
    4. Restrictions on the time and day
  7. Limits on the size of transferred files (upload and download)
  8. Limits on maximum transfer speed
  9. Bandwidth limitations based on the type of content
  10. Blocking of specific MIME types (e.g. YouTube Flash video)
  11. Blocking of unwanted user agents (Google Earth or media player)

You can also use various types of authentication to access the proxy, either local (internal to the proxy) or remote (connecting it to existing authentication systems).

Blacklist or URL filtering

This type of service uses squidGuard, a set of tools for filtering based on the domain name contacted by clients.
First choose the blacklists in the maintenance section and update them (the compilation will take some time), then enable the redirectors in the proxy category. After that we can select what to block and customize the blocking alerts.
The advanced options deserve a note: they let us block connections made by IP address (an easy method to avoid filtering) and enable Google SafeSearch.
Because Google searches are done over HTTPS, SafeSearch can only be relied on when Google is used in no-SSL mode.
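
The following added example (not part of the original talk, and not IPCop or squidGuard code) models in Python why a domain-name blacklist alone misses requests addressed by IP, and what the "block by IP address" advanced option changes. The blacklist entries, function names, the fail-closed choice and the sample requests are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample blacklist; placeholder domains, not from a real list.
BLACKLIST = {"ads.example", "games.example.net"}


def request_host(target):
    """Host of a URL or of a CONNECT-style 'host:port' (all the proxy sees for HTTPS)."""
    if "://" not in target:
        target = "//" + target  # lets urlsplit parse a bare 'host:port'
    try:
        host = urlsplit(target).hostname or ""
    except ValueError:  # malformed authority, e.g. an unclosed '['
        return ""
    return host.rstrip(".").lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_listed(host, blacklist=BLACKLIST):
    """True if host is a listed domain or a subdomain of one (whole labels only)."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blacklist for i in range(len(labels)))


def decide(target, block_ip_hosts):
    """Return 'block' or 'pass'; block_ip_hosts models the advanced option."""
    host = request_host(target)
    if not host:
        return "block"  # assumption: an unparsable request fails closed
    if is_ip_literal(host):
        return "block" if block_ip_hosts else "pass"
    return "block" if domain_listed(host) else "pass"


if __name__ == "__main__":
    # Constructed requests; 203.0.113.10 is a documentation address.
    for req in ("http://cdn.ads.example/x", "http://notads.example/",
                "http://203.0.113.10/banner.gif", "203.0.113.10:443"):
        print(f"{req:32} off={decide(req, False)} on={decide(req, True)}")
```

With the option off, the two requests addressed by IP pass even though the blacklist is active; with it on, they are blocked while ordinary unlisted domains still pass.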

VPN

Teleworking via VPN (OpenVPN)

[Figure: IPCop VPN client to LAN]

The first step is to create a certificate via the VPN/CA screen of our Linux firewall. VPNs can also be used on "home" type connections, where the dynamic IP changes each time we reconnect, by means of dynamic DNS.
We activate the server on the necessary interfaces (RED in this case) and start it.
At this point we can add clients and create their certificates, with passwords that will be set on the client.
NB: if a laptop or smartphone is lost, this allows us to quickly delete its certificate and create a new one when needed (limiting the possibility of unwanted access).

LAN to LAN (IPsec)


[Figure: IPCop LAN to LAN VPN]

Very similar in configuration to OpenVPN, but it is used to connect two LANs so that clients can transparently reach the remote location.

Priority traffic

On heavily used connections you often get poor quality, especially with real-time protocols (VoIP telephony, videoconferencing...). QoS (quality of service) serves to prioritize packets in transit. A trivial example:

  1. High: UDP 51 (SIP)
  2. Medium: TCP 80 (HTTP)
  3. Low: TCP 25 (SMTP)

In this example, those who are sending mail and downloading heavy files from the Internet will not affect the quality of the voice traffic sent to our SIP telephony server.
It is also important to define the maximum bandwidth by rounding down, so as to leave some bandwidth unused.

External Plugins

Separate extensions are available to install on IPCop. A typical installation involves extracting the archive on the Linux firewall and launching the associated installer.

Copfilter

Certainly one of the best IPCop add-ons, it provides antispam, antivirus, a process watchdog and an instant messaging proxy.

A special thanks to:
Ipcop.org
Linux Day 2014 Reggio Emilia

Thanks to all who participated
