How many times have you administered a network only to find
certain users installing and using forbidden applications such as LimeWire or
Gnutella? It happens all the time, even on the home network.
What if you could block those attempted illegal downloads (or
activity unbecoming an employee) without having to shell out what could easily
amount to your entire IT budget for an application to stop that behavior?
That’s where PacketFence comes in.
What can PacketFence do?
PacketFence is a strong system that contains:
- User registration: PacketFence has an optional user registration portal.
- Worm and virus detection: Using Snort, PacketFence adds yet another layer of protection to your network.
- Worm/bot detection: PacketFence can be configured so that any time a host is used as a bot, that host is placed in isolation or black-holed.
- User-directed mitigation/remediation: If a user/host is trapped in isolation, that user/host is redirected to a page with removal instructions. A grace period can be set up so the violation can serve as a warning.
- Pro-active vulnerability scans: The administrator can set up scans so they are run manually, on a schedule, or upon user registration.
- Passive or in-line operation: PacketFence can function either as a router (inline) or it can inject itself into the system (passive).
The above list shows some of the advanced features. Before
you get knee-deep into advanced features, you must first understand how to stop
traffic with PacketFence. But before we get deep into the configuration, let’s
first install one last helper application: Nessus (client) and Nessusd (daemon).
Nessus
We’re going to continue on the Ubuntu Server 6.06
environment, so apt-get will be our tool of choice. To install
everything for Nessus and Nessusd, you’ll need to run
the commands:
sudo apt-get install nessus
sudo apt-get install nessusd
sudo nessus-adduser
sudo ln -fs /etc/init.d/nessusd /etc/rc2.d/S20nessusd
Finally, to start the Nessus daemon, issue the command:
sudo /etc/init.d/nessusd start
Now your PacketFence installation is complete.
Getting to know the commands
Even though there is a Web-based GUI for PacketFence, you’ll
rely on the commands more than the GUI. Let’s take a look at the commands you
will need to know (each command will either be issued by the root user or with
the help of sudo):
- /sbin/iptables: There will be times when you’ll need to flush the existing iptables rules in order to get PacketFence to start. To flush them, issue the command /sbin/iptables -F.
- /etc/init.d/snort start: This is how you start Snort. To stop Snort, replace start with stop.
- /etc/init.d/nessusd start: In order to start the Nessus daemon, issue this command. To stop Nessus, replace start with stop.
- /usr/local/pf/bin/start: This is the command to start PacketFence.
- /usr/local/pf/bin/pfcmd config help: This is where you can begin to get help with PacketFence. By issuing this command, you’ll see a list of all the types of help you can get. Help topics include: control, service, version, person, history, node, violation, report, fingerprint, lookup, graph, config, ui, class, trigger, update, and reload.
The pfcmd command is
a very useful tool; it can do a number of things. For example, say you want to
know what types of OSs are on your network. Issue the command /usr/local/pf/bin/pfcmd report os and the
system will return something like:
root@ubuntu:/usr/local/pf# /usr/local/pf/bin/pfcmd report os
description|percent|count
Unknown DHCP Fingerprint|18.2|2
RedHat/Fedora-based Linux|18.2|2
Microsoft Windows 2000|18.2|2
Mac OS X|18.2|2
Debian-based Linux|9.1|1
*Probable Static IP(s)|18.2|2
Total|100|11
If you definitively know the contents of your network, this
tool can quickly help you see if there is any rogue hardware.
Before a piece of hardware can actually have access to the
outside world (when PacketFence is up and running), the hardware must be
registered. The easiest way to register a piece of hardware is to use the pfcmd command. Unfortunately, you have to
know the MAC address of the machine to be registered. In order to register a
machine, issue a command like so:
/usr/local/pf/bin/pfcmd node edit 44:4d:50:02:0a:5b status="reg",pid=1
Now when you issue the command /usr/local/pf/bin/pfcmd report registered,
you’ll see:
44:4d:50:02:0a:5b|1|||reg||
This isn’t very helpful if you have a number of users, so
before registering a MAC address, add a user first. Before you register, issue the command:
/usr/local/pf/bin/pfcmd person add maryjane notes="Graphics Department"
Now when you register, you can issue the command:
/usr/local/pf/bin/pfcmd node edit 44:4d:50:02:0a:5b status="reg",pid=maryjane
Now issue the command /usr/local/pf/bin/pfcmd report registered, and
you’ll see:
44:4d:50:02:0a:5b|maryjane|||reg||
Now the report has a bit more meaning; the MAC address is
associated with a username.
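The two reports above are pipe-delimited text, so the "rogue hardware" check is easy to script. The following Python script is an added example (not PacketFence's own code): it parses sample pfcmd report os and pfcmd report registered output and flags unknown fingerprints, probable static IPs, and registered MACs that are missing from, or owned by someone other than expected in, a constructed inventory.

```python
"""Check pfcmd report output against a known-host inventory.

Added example, not PacketFence's own code. It parses the pipe-
delimited text that `pfcmd report os` and `pfcmd report registered`
print and flags rows worth a second look: hosts with an unknown DHCP
fingerprint or a probable static IP, and registered MACs that are not
in the inventory or are owned by an unexpected pid.
The report text and the inventory below are constructed samples.
"""

# Constructed: what `pfcmd report os` printed above, minus the prompt.
REPORT_OS = """\
description|percent|count
Unknown DHCP Fingerprint|18.2|2
RedHat/Fedora-based Linux|18.2|2
Microsoft Windows 2000|18.2|2
Mac OS X|18.2|2
Debian-based Linux|9.1|1
*Probable Static IP(s)|18.2|2
Total|100|11
"""

# Constructed: `pfcmd report registered` rows, mac|pid|...|status|...
REPORT_REGISTERED = """\
44:4d:50:02:0a:5b|maryjane|||reg||
00:11:22:33:44:55|1|||reg||
"""

# Constructed inventory: MAC -> pid expected to own that hardware.
INVENTORY = {"44:4d:50:02:0a:5b": "maryjane"}

SUSPECT_OS = ("Unknown DHCP Fingerprint", "*Probable Static IP(s)")


def parse_report(text):
    """Split pfcmd's pipe-delimited output into lists of fields."""
    return [line.split("|") for line in text.splitlines() if line.strip()]


def suspect_os_counts(text):
    """{description: count} for rows that hide a host's real OS."""
    rows = parse_report(text)[1:]  # drop the description|percent|count header
    return {r[0]: int(r[2]) for r in rows if r[0] in SUSPECT_OS}


def unexpected_nodes(text, inventory):
    """(mac, pid) pairs whose MAC is unknown or whose owner differs."""
    # report registered has no header row; field 0 is the MAC, field 1 the pid
    return [(r[0], r[1]) for r in parse_report(text)
            if inventory.get(r[0]) != r[1]]
```

Feed it the real output (for example, pfcmd report registered piped into a file) and anything returned by unexpected_nodes is a MAC that nobody has accounted for.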
Configuring the conf
In the /usr/local/pf/conf directory is the pf.conf
file. This is the file generated when you initially set up PacketFence. This
initial setup will not really do a whole lot; you need to get into this file
and really get your fingers dirty. The pf.conf
file is broken into different sections:
- [general]: This is general information about the server hosting PacketFence. This will include: domain name, host name, and DNS servers.
- [logging]: This will define the log level you wish to run (8 being the highest verbosity).
- [alerting]: This is where you configure the e-mail address all alerts will go to and the SMTP server the alerting system will use.
- [database]: This is the database information. Here you will configure the database user and the database password.
- [interface]: This is where you configure the interface for PacketFence to use. Included in this configuration are the netmask, type (internal,managed,monitor), IP address, and gateway.
- [services]: This is where you define the executable for your Web server.
- [trapping]: Choose here whether you want to enable the trapping of users.
- [registration]: The most important section, this is where you configure how registration is handled. You have to configure the following: registration method; skip mode (can users “skip” registration?); AUP policy (do your users have to accept a “user policy”?); and expire policy.
- [scan]: When do you want to set a vulnerability scan?
There are many other configuration options, but we’re going
to keep this at the bare minimum. So let’s take a look at a bare bones — but
useable — pf.conf file.
[general]
domain=mydomain.name
dnsservers=192.168.1.22,192.168.1.23
[logging]
verbosity=8
[alerting]
emailaddr=admin@mydomain.name
smtpserver=mail.mydomain.name
[database]
pass=dbpassword
user=root
[interface]
mask=255.255.255.0
type=internal,managed,monitor
gateway=192.168.1.1
ip=192.168.1.29
[services]
httpd=/usr/sbin/apache2
[trapping]
registration=enabled
[registration]
skip_mode=window
skip_window=2w
skip_reminder=1d
expire_mode=window
expire_window=26w
aup=enabled
auth=local
maxnodes=1
[scan]
registration=enabled
pass=packet
user=admin
host=192.168.1.29
port=1241
ssl=enabled
There are a few additional configuration options above that
warrant explanation. In the [registration] section, you’ll see the expire options.
These options configure how long a user’s registration will last. In the same section, you’ll see the aup
and auth options. The auth option selects the authentication method. In the above configuration, the
system is using local authentication, with credentials kept in a user:password file
called user.conf in /usr/local/pf/conf.
Stopping unwanted traffic
You don’t want P2P traffic on your network. In the /usr/local/pf/conf directory
is a file called violations.conf. This
file contains most of the common violations you’ll need. The top section is the
defaults section. Below the defaults is an entry for each violation. If you
want to examine the violation set for LimeWire, for example, it would look like
this:
[2001808]
desc=P2P (Limewire)
priority=8
url=/content/index.php?template=p2p
disable=Y
max_enable=1
trigger=Detect::2001808
Since this violation is disabled (with disable=Y), we
need to enable this violation in order to enforce it. Change disable=Y to
disable=N and restart PacketFence. Now, if any member of the network
fires up LimeWire, that user will lose Internet access.
Notice the url=
option. This defines where the user will be redirected when they violate the
policy. You can customize this page.
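Flipping disable=Y to disable=N by hand is fine for one violation, but the file has an entry per violation and a typo in the section id silently leaves the rule unenforced. The following Python script is an added example (not PacketFence's own tooling) that rewrites only the disable= line inside the requested [id] section and refuses to continue if that section is missing; the sample file text is constructed from the LimeWire entry above.

```python
"""Toggle the disable flag of one violation in PacketFence's violations.conf.

Added example, not PacketFence's own tooling. A violation is an INI-style
section headed by its id ([2001808] on this page); only the disable= line
inside that section is rewritten and every other line is kept as-is.
The sample text is constructed from the LimeWire entry on this page.
"""

VIOLATIONS_CONF = """\
[defaults]
priority=4
disable=N
[2001808]
desc=P2P (Limewire)
priority=8
url=/content/index.php?template=p2p
disable=Y
max_enable=1
trigger=Detect::2001808
"""


def _lines_in_section(conf_text, violation_id):
    """Yield (line, in_target); in_target is True inside [violation_id]."""
    in_target = False
    for line in conf_text.splitlines():
        if line.startswith("["):  # a new section header
            in_target = line.strip() == f"[{violation_id}]"
        yield line, in_target


def is_disabled(conf_text, violation_id):
    """True when [violation_id] carries disable=Y, i.e. is not enforced."""
    for line, hit in _lines_in_section(conf_text, violation_id):
        if hit and line.startswith("disable="):
            return line.split("=", 1)[1].strip().upper() == "Y"
    raise KeyError(f"no disable= key in section [{violation_id}]")


def set_disabled(conf_text, violation_id, disabled):
    """Return conf_text with disable=Y/N rewritten inside [violation_id]."""
    out, found = [], False
    for line, hit in _lines_in_section(conf_text, violation_id):
        if hit and line.startswith("disable="):
            line, found = "disable=" + ("Y" if disabled else "N"), True
        out.append(line)
    if not found:
        raise KeyError(f"no disable= key in section [{violation_id}]")
    return "\n".join(out) + "\n"
```

Write the returned text back to /usr/local/pf/conf/violations.conf and restart PacketFence, exactly as the manual edit requires.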
Final thoughts
This has been a barebones introduction to the massive system
known as PacketFence. From this launching point, you can grow this system to
meet nearly any need. On top of this, you can implement the Web-based GUI to
help make administration much easier.
Please be aware that PacketFence is an application that can
take days to master; also, implementation will vary with every installation you
do. Even with all of its difficulties (and lack of documentation), PacketFence
should quickly become your network security’s best friend.