SolutionBase: Use PacketFence to stop unwanted network traffic

Looking for a system that blocks illegal downloads without breaking your IT budget? Jack Wallen introduces PacketFence, an open-source network access control (NAC) system.

How many times have you administered a network only to find certain users installing and using forbidden applications such as LimeWire or Gnutella? It happens all the time, even on the home network.

What if you could block those attempted illegal downloads (or activity unbecoming an employee) without having to shell out what could easily amount to your entire IT budget for an application to stop that behavior? That's where PacketFence comes in.

What can PacketFence do?

PacketFence is a strong system that contains:

  • User registration: PacketFence has an optional user registration portal.
  • Worm and virus detection: Using Snort, PacketFence adds yet another layer of protection to your network.
  • Worm/bot detection: PacketFence can be configured so that any time a host is used as a bot that host is placed in isolation or black-holed.
  • User-directed mitigation/remediation: If a user/host is trapped in isolation that user/host is redirected to a page with removal instructions. A grace period can be set up so the violation can serve as a warning.
  • Pro-active vulnerability scans: The administrator can set up scans so they are run manually, on a schedule, or upon user registration.
  • Passive or in-line operation: PacketFence can function either as a router (inline) or it can sit passively on the network and intervene only when needed (passive).

The above list shows some of the advanced features. Before you get knee-deep into advanced features, you must first understand how to stop traffic with PacketFence. But before we get deep into the configuration, let's first install one last helper application: Nessus (client) and Nessusd (daemon).

Nessus

We're going to continue on the Ubuntu Server 6.06 environment, so apt-get will be our tool of choice. To install everything for Nessus and Nessusd, you'll need to run the commands:

sudo apt-get install nessus
sudo apt-get install nessusd
sudo nessus-adduser
sudo ln -fs /etc/init.d/nessusd /etc/rc2.d/S20nessusd

Finally, to start the Nessus daemon, issue the command:

sudo /etc/init.d/nessusd start

Now your PacketFence installation is complete.

Getting to know the commands

Even though there is a Web-based GUI for PacketFence, you'll rely on the commands more than the GUI. Let's take a look at the commands you will need to know (each command will either be issued by the root user or with the help of sudo):

  • /sbin/iptables: There will be times when you'll need to flush the iptables rules in order to get PacketFence to start. To flush them, issue the command /sbin/iptables -F.
  • /etc/init.d/snort start: This is how you start Snort. To stop Snort, replace start with stop.
  • /etc/init.d/nessusd start: In order to start the Nessus daemon, issue this command. To stop Nessus, replace start with stop.
  • /usr/local/pf/bin/start: This is the command to start PacketFence.
  • /usr/local/pf/bin/pfcmd config help: This is where you can begin to get help with PacketFence. By issuing this command, you'll see a list of all the types of help you can get. Help topics include: control, service, version, person, history, node, violation, report, fingerprint, lookup, graph, config, ui, class, trigger, update, and reload.

The pfcmd command is a very useful tool; it can do a number of things. For example, say you want to know what types of OSs are on your network. Issue the command /usr/local/pf/bin/pfcmd report os and the system will return something like:

root@ubuntu:/usr/local/pf# /usr/local/pf/bin/pfcmd report os
description|percent|count
Unknown DHCP Fingerprint|18.2|2
RedHat/Fedora-based Linux|18.2|2
Microsoft Windows 2000|18.2|2
Mac OS X|18.2|2
Debian-based Linux|9.1|1
*Probable Static IP(s)|18.2|2
Total|100|11

If you definitively know the contents of your network, this tool can quickly help you see if there is any rogue hardware.

Before a piece of hardware can actually have access to the outside world (when PacketFence is up and running), the hardware must be registered. The easiest way to register a piece of hardware is to use the pfcmd command. Unfortunately, you have to know the MAC address of the machine to be registered. In order to register a machine, issue a command like so:

/usr/local/pf/bin/pfcmd node edit 44:4d:50:02:0a:5b status="reg",pid=1

Now when you issue the command /usr/local/pf/bin/pfcmd report registered, you'll see:

44:4d:50:02:0a:5b|1|||reg||

This isn't very helpful if you have a number of users, so before registering a MAC address, add a user first. Issue the command /usr/local/pf/bin/pfcmd person add maryjane notes="Graphics Department" before you register. Now when you register, you can issue the command /usr/local/pf/bin/pfcmd node edit 44:4d:50:02:0a:5b status="reg",pid=maryjane. Now issue the command /usr/local/pf/bin/pfcmd report registered, and you'll see:

44:4d:50:02:0a:5b|maryjane|||reg||

Now the report has a bit more meaning; the MAC address is associated with a username.
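The two pfcmd reports above are plain pipe-delimited text, so they are easy to audit from a script. The following is an added example (not PacketFence's own code): it compares the OS report against an inventory of what the administrator expects to find, and lists registered MACs that still carry the placeholder pid 1 instead of a person. Both report samples are constructed from the rows shown above, and the column meaning of the registered report (mac, pid, ..., status) is an assumption inferred from those rows.

```python
# Added example (not PacketFence code): audit the pipe-delimited output
# of "pfcmd report os" and "pfcmd report registered". Both samples are
# constructed from the rows the article shows.
OS_REPORT = """\
description|percent|count
Unknown DHCP Fingerprint|18.2|2
RedHat/Fedora-based Linux|18.2|2
Microsoft Windows 2000|18.2|2
Mac OS X|18.2|2
Debian-based Linux|9.1|1
*Probable Static IP(s)|18.2|2
Total|100|11
"""
# Column meaning (mac, pid, ..., status) is an assumption inferred from
# the two rows the article prints; the other columns are not named there.
REGISTERED_REPORT = """\
44:4d:50:02:0a:5b|maryjane|||reg||
00:11:22:33:44:55|1|||reg||
"""
# What the administrator believes is on the wire (constructed inventory).
EXPECTED_INVENTORY = {"RedHat/Fedora-based Linux": 2, "Microsoft Windows 2000": 2,
                      "Mac OS X": 2, "Debian-based Linux": 1}

def parse_pipe_report(text, header=True):
    """Split pfcmd's pipe-delimited output into dicts (or raw lists)."""
    rows = [line.split("|") for line in text.splitlines() if line.strip()]
    if not header:
        return rows
    return [dict(zip(rows[0], r)) for r in rows[1:]]

def unexpected_hosts(os_report, expected):
    """Fingerprints absent from the inventory, or seen more often than
    expected: candidates for rogue hardware. Returns (desc, seen, want)
    tuples; the Total line is skipped."""
    findings = []
    for row in parse_pipe_report(os_report):
        desc, seen = row["description"], int(row["count"])
        if desc == "Total":
            continue
        want = expected.get(desc, 0)
        if seen > want:
            findings.append((desc, seen, want))
    return findings

def nodes_without_person(registered_report):
    """MACs registered with the placeholder pid 1 rather than a person."""
    return [r[0] for r in parse_pipe_report(registered_report, header=False)
            if r[1] == "1" and r[4] == "reg"]
```

On a live system, feed the functions the output of the two pfcmd commands instead of the embedded samples.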

Configuring the conf

In the /usr/local/pf/conf directory is the pf.conf file. This is the file generated when you initially set up PacketFence. This initial setup will not really do a whole lot; you need to get into this file and really get your fingers dirty. The pf.conf file is broken into different sections:

  • [general]: This is general information about the server hosting PacketFence. This will include: domain name, host name, and DNS servers.
  • [logging]: This will define the log level you wish to run (8 being the highest verbosity).
  • [alerting]: This is where you configure the e-mail address all alerts will go to and the SMTP server the alerting system will use.
  • [database]: This is the database information. Here you will configure the database user and the database password.
  • [interface]: This is where you configure the interface for PacketFence to use. Included in this configuration are the netmask, type (internal,managed,monitor), IP address, and gateway.
  • [services]: This is where you define the executable for your Web server.
  • [trapping]: Choose here whether you want to enable the trapping of users.
  • [registration]: The most important section, this is where you configure how registration is handled. You have to configure the following: registration method; skip mode (can users "skip" registration?); AUP policy (do your users have to accept a "user policy"?); and expire policy.
  • [scan]: When do you want to set a vulnerability scan?

There are many other configuration options, but we're going to keep this at the bare minimum. So let's take a look at a bare bones — but useable — pf.conf file.

[general]
domain=mydomain.name
dnsservers=192.168.1.22,192.168.1.23
[logging]
verbosity=8
[alerting]
emailaddr=admin@mydomain.name
smtpserver=mail.mydomain.name
[database]
pass=dbpassword
user=root
[interface]
mask=255.255.255.0
type=internal,managed,monitor
gateway=192.168.1.1
ip=192.168.1.29
[services]
httpd=/usr/sbin/apache2
[trapping]
registration=enabled
[registration]
skip_mode=window
skip_window=2w
skip_reminder=1d
expire_mode=window
expire_window=26w
aup=enabled
auth=local
maxnodes=1
[scan]
registration=enabled
pass=packet
user=admin
host=192.168.1.29
port=1241
ssl=enabled

There are a few additional configuration options above that warrant explanation. In the [registration] section, you'll see the expire options; these configure how long a user's registration remains valid. In the same section, you'll see the aup option (whether users must accept the acceptable use policy) and the auth option, which selects the authentication method. In the above configuration, the system uses local authentication, with the user:password entries kept in a file called user.conf in /usr/local/pf/conf.

Stopping unwanted traffic

You don't want P2P traffic on your network. In the /usr/local/pf/conf directory is a file called violations.conf. This file contains most of the common violations you'll need. The top section is the defaults section. Below the defaults is an entry for each violation. If you want to examine the violation set for LimeWire, for example, it would look like this:

[2001808]
desc=P2P (Limewire)
priority=8
url=/content/index.php?template=p2p
disable=Y
max_enable=1
trigger=Detect::2001808

Since this violation is disabled (with disable=Y), we need to enable it in order to enforce it. Change disable=Y to disable=N and restart PacketFence. Now, if any member of the network fires up LimeWire, that user will lose Internet access.

Notice the url= option. This defines where the user will be redirected when they violate the policy. You can customize this page.
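Because violations.conf is an INI-style file where a violation is silently ignored whenever disable=Y (and values not set in a violation's section fall back to [defaults]), it pays to check which violations are actually enforced before trusting the policy. The following is an added example, not PacketFence's own code: it parses the file, reports the enforcement status of each violation, and performs the disable=Y to disable=N change for one violation id. The [defaults] values and the 9000001 entry are constructed for illustration; the 2001808 entry is the LimeWire one shown above.

```python
# Constructed sample in the violations.conf layout the article describes:
# a [defaults] section, then one section per violation id. 2001808 is the
# LimeWire entry from the article; 9000001 is made up for illustration.
import configparser

SAMPLE_VIOLATIONS_CONF = """\
[defaults]
disable=N
max_enable=3

[2001808]
desc=P2P (Limewire)
priority=8
url=/content/index.php?template=p2p
disable=Y
max_enable=1
trigger=Detect::2001808

[9000001]
desc=P2P (constructed example)
trigger=Detect::9000001
"""

def parse_violations(text):
    """Return {violation id: {option: value}} with [defaults] filled in."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    defaults = dict(cp["defaults"]) if cp.has_section("defaults") else {}
    return {vid: {**defaults, **cp[vid]}
            for vid in cp.sections() if vid != "defaults"}

def enforcement_status(text):
    """Map violation id -> True when enforced (disable is not Y)."""
    return {vid: opts.get("disable", "N").upper() != "Y"
            for vid, opts in parse_violations(text).items()}

def enable_violation(text, vid):
    """Return the file text with disable=Y turned into disable=N for one
    violation only; every other line is passed through unchanged."""
    out, section = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1]
        elif section == vid and s.split("=", 1)[0].strip() == "disable":
            line = "disable=N"
        out.append(line)
    return "\n".join(out) + "\n"
```

Run enforcement_status over the real /usr/local/pf/conf/violations.conf after any edit and restart to confirm the P2P entries you care about report True.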

Final thoughts

This has been a barebones introduction to the massive system known as PacketFence. From this launching point, you can grow this system to meet nearly any need. On top of this, you can implement the Web-based GUI to help make administration much easier.

Please be aware that PacketFence is an application that can take days to master; also, implementation will vary with every installation you do. Even with all of its difficulties (and lack of documentation), PacketFence should quickly become your network security's best friend.

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.
