WWWOFFLE – World Wide Web Offline Explorer is a free simple easy to configure Webproxy with good security and privacy features. WWWOFFLE is designed to work for Unix and Linux based systems and a partially functional port is available for Windows.

WWWOFFLE can be used for a network with multiple PCs or can be used just on your local PC to improve performance and offline availability of pages.

While WWWOFFLE covers the basic features of a webproxy, there are some special features of WWWOFFLE that is worth mentioning. Especially the Offline access feature specially for Dial-up connections, easy configuration options with a web-interface and the level of control on the caches, index of the caches and security.

Once installed, WWWOFFLE by default listens on the port 8080. There is a detailed list of compatible browser versions here. Worth having a look before implementing the proxy system. Also, the configuration can be fine tuned to the user requirement level.

Some of the highlighting features of WWWOFFLE are

Easy configuration and a built-in web interface for easy configuration and access to cached contents,certifcates for HTTPS etc.

Easy administration with autmated start/stop

Timeout configuration for DNS,Remote Server connections etc to avoid the server crashing

Download control including Pause & Stop for interrupted downloads

Purging old cache and control purging action by maximum cache size, time since last access or last caching

Auto Proxy configuration using Auto-config file

Conditional fetch of pages that have changed based on Expiration Date, Time since last fetch or Once per session

Non-Cached Support for SSL Connections

Caching support for HTTPS connections

Block access to pages and support redirect to alternate pages (like pages educating users on Internet usage policy or redirect to company homepage)

Control pages in cache and backup cache for offline use

Support Compressed pages and Chunked transfer-encoding request from webservers

Dial-on demand for contents not in cache and control websites that can be downloaded the next time system goes online

Offline access fine tune by controlling what can be accessed from cache

Automatic fetching of selected pages and objects from pages and monitoring select pages at regular intervals and recurrsive caching by following links

Insert Footers and modify HTML pages to remove page objects like scripts, javascripts etc

Information on cached pages and the index of the cached pages with multiple indexes for cached pages. Also can search the cached pages using various tools.

Automatic Authentication for external proxies, support pages with username/password for authentication

Censor incoming and outgoing HTTP headers as to what you reveal about your information like browser type etc. This enhances privacy on the internet

For more information, documentation, example scripts to start with and download, click here for WWWOFFLE homepage.

RANCID is Really Awesome New Cisco Config Differ. AS its name implies, RANCID monitors network device configuration, including software and hardware and uses CVS (Concurrent Version System) or Subversion to maintain history of changes. RANCID is simple and is easy to use.

The same very functionality of RANCID can be used as a backup system for Network device config backup system or even a config change alert system as it can email changes from previous saved configurations. All this RANCID does by logging on to a network device using Telnet or SSH and runs various show commands to grab config changes (hardware & Software), send alert emails of any changes, format the info and commit to the CVS system.

Some of the devices that RANCID supports

Cisco Routers and Cisco Catalyst Switches (IOS & CatOS)

Juniper Routers

Foundry Switches

HP ProCurve Switches

Alteon Switches

Redback NAS

ADC EZT3 MUXs

MRTd & IRRd

RANCID is a Linux based software and needs to be compiled and installed (unfortunately there is no package built for specific Linux platforms)

RANCID can be downloaded from SHURBBERY networks here

RANCID requires the expect module installed on the Linux platform. A sample email notification showing changes based on the previous config versions can be found here.

Packet Fence is an OpenSource NAC (Network Access Control) Solution available under GPL license and is completely free. Packet Fence is a Network Access Control solution with world class features and many features beating those provided by expensive commercial alternatives. Mostly installed in acamedic institutions, please visit here to find a list of organisations and institutions that use Packet Fence as a Network Access Control system.

Packet Fence is built on Redhat/Fedora Linux and can be built from source and installed on most if not on all of the Linux distributions. Packet Fence is easily configurable with a good GUI although installation takes a bit of a hardwork as it involves installing a lot of other opensource software and tools for it to work like Nessus (Opensource Security Vulnerability Scanner) and Snort (Opensource Intrusion Detection). Packet Fence is now also available as a VMware image (PF ZEN) that can be downloaded from their website. This requires no work (a zero effort installation) and can be operational almost instantly (ideal for testing before deployment).

Highlighting features of Packet Fence include:

• Operate in INLINE, PASSIVE using ARP Spoofing/Poisoning)& DHCP mode

• VLAN switching support to be available soon (a workaround for VLAN supoort has beed submitted here)

• Registration Mechanism similar to a Captive Portal systems with multiple authentication support (All Apache supported authentications)

• Worm and Virus Detection, alert and Supression (Snort for Detection)

• Worm and Bot detection and Isolation

• Mitigation and Remediation using User-direction for trapped hosts

• Proactive Vulnerability Scans using NESSUS

• DHCP Fingerprinting

• OS Fingerprinting and Banning

• NAC and AP detection and Isolation

Good documentation with installation and configuration information available online, Packet Fence is a great Opensource NAC.

Actively developed and supported by the community, packet fence can also offer commercial support on request.

For more information and download, please visit Packet Fence website here

ICMP Redirects Send and Accept are by default enabled on most of the linux flavours including Debian, Ubuntu, Redhat Enterprise Linux, Suse Linux.

While ICMP Redirects are not the very efficient way to update a hosts Routing table of an optimal route to a target destination, it can cause serious security concerns where a hacker or attacker can send malicously crafted ICMP redirect messages and cause a Denial of Service attack on the network.

If ICMP Redirects are not used in the network for route updates and if the server is not acting as a Router or a Gateway (ICMP Redirect send only) then ICMP Redirect send and accepts should be disabled on the server.

In most of the Linux flavors (tested on Debian,Ubuntu,Redhat Enterprise linux,Suse) ICMP Redirects can be dynamically disabled on the host by using

1. /sbin/sysctl utility which can modify Kernel paramters at runtime

Login as root and run the following command to disable ICMP Redirects Send and Accept

Server# /sbin/sysctl -w net.ipv4.conf.all.accept_redirects = 0
Server# /sbin/sysctl -w net.ipv4.conf.all.send_redirects = 0

Server# /sbin/sysctl -w net.ipv6.conf.all.accept_redirects = 0
Server# /sbin/sysctl -w net.ipv6.conf.all.send_redirects = 0

The above disables ICMP Redirects globally on the server. However, if you want to disable on a per interface basis then in the above command, instead of using "all" use the inerface name (say "eth0")

Server# /sbin/sysctl -w net.ipv4.conf.eth0.accept_redirects = 0
Server# /sbin/sysctl -w net.ipv4.conf.eth0.send_redirects = 0

Server# /sbin/sysctl -w net.ipv6.conf.eth0.accept_redirects = 0
Server# /sbin/sysctl -w net.ipv6.conf.eth0.send_redirects = 0

This will disable ICMP Redirects immediatly.

or even a simpler option would be to

2. Passing appropriate value (0 or 1) to the above kernel variables as follows:

Server# echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects [for IPv4]
Server# echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects [for IPv4]

Server# echo 0 > /proc/sys/net/ipv6/conf/all/accept_redirects [for IPv6]
Server# echo 0 > /proc/sys/net/ipv6/conf/all/send_redirects [for IPv6]

Again this can be used on a per interface basis as

Server# echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects [for IPv4]
Server# echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects [for IPv4]

Server# echo 0 > /proc/sys/net/ipv6/conf/eth0/accept_redirects [for IPv6]
Server# echo 0 > /proc/sys/net/ipv6/conf/eth0/send_redirects [for IPv6]

However, these kernel changes made at runtime will be lost when the system reboots. So it is important that these are applied at boot time as well to ensure that the server is secure.

ICMP REDIRECT DISABLE AT BOOT TIME

In order to disable ICMP Redirects at boot time,

1. Edit the /etc/sysctl.conf file

Edit the /etc/sysctl.conf file and add the following lines:

In Debian and Ubuntu Linux:

net/ipv4/conf/all/accept_redirects = 0 [for IPv4]
net/ipv4/conf/all/send_redirects = 0 [for IPv4]

net/ipv6/conf/all/accept_redirects = 0 [for IPv6]
net/ipv6/conf/all/send_redirects = 0 [for IPv6]
 
Again, if you want to control ICMP redirects on a per interface basis then add the following lines (say for eth0):

net/ipv4/conf/eth0/accept_redirects = 0 [for IPv4]
net/ipv4/conf/eth0/send_redirects = 0 [for IPv4]

net/ipv6/conf/eth0/accept_redirects = 0 [for IPv6]
net/ipv6/conf/eth0/send_redirects = 0 [for IPv6]

In Redhat Enterprise Linux and Suse:

net.ipv4.conf.all.accept_redirects = 0 [for IPv4]
net.ipv4.conf.all.send_redirects = 0 [for IPv4]

net.ipv6.conf.all.accept_redirects = 0 [for IPv6]
net.ipv6.conf.all.send_redirects = 0 [for IPv6]
 
Again, if you want to control ICMP redirects on a per interface basis then add the following lines (say for eth0):

net.ipv4.conf.eth0.accept_redirects = 0 [for IPv4]
net.ipv4.conf.eth0.send_redirects = 0 [for IPv4]

net.ipv6.conf.eth0.accept_redirects = 0 [for IPv6]
net.ipv6.conf.eth0.send_redirects = 0 [for IPv6]

This will allow the /etc/sysctl.conf be read by the /sbin/sysctl utility at the startup.

NOTE: In Debian and Ubuntu, this will be overiden by any options set in /etc/network/options as the /etc/init.d/networking script which sets the /etc/network/options file kernel paramters at boot time runs after the /etc/init.d/procps script which sets the kernel variable values specified in /etc/sysctl.conf file. It is advisable to make all change to /etc/sysctl.conf file instead of /etc/network/options file as this is being depreciated.

Firewall Builder is an Opensource multi-vendor Firewall Configuration and Management GUI tool. It uses a set of policy compilers for the different firewalls supported. If you are a Network administrator supporting multiple sites and multiple firewall devices then you would know what difference a central Firewall Manager can make to the day to day task. A Netscreen Security Manager for Junipers or the admin tool for checkpoints is an example, despite these being expensive commercial options from the very own vendors. Firewall Builder on the other hand a hetrogenous, vendor neutral configuration and management tool with support to more than one single platform and an easy design allowing expanding support more platforms.

Firewall Builder uses object-oriented approach, it helps administrator maintain a database of network objects and allows policy editing using simple drag-and-drop operations. Firewall Builder can generate configuration file for any supported target firewall platform from the same policy created in its GUI. This provides for both consistent policy management solution for heterogeneous environments and possible migration path.

Firewall Builder uses the same Object database (hosts,networks,services etc) for all the different vendor firewalls in an xml format and any change to any of the object will automatically update the rules on the policy sets and they only need to recompile the policies  and apply to the firewall devices. Maintaing the Object Database in XML format and keeping the GUI and policy compilers completely independent makes it easy to expand support new firewall platforms.

In Firewall Builder, administrator works with an abstraction of firewall policy and NAT rules; software effectively "hides" specifics of particular target firewall platform and helps administrator focus on implementation of security policy. Backend software components, or policy compilers, can deduct many parameters of policy rules using information available through network and service objects and therefore generate fairly complex code for the target firewall, thus relieving administrator from having to remember all its details and limitations. Policy compilers can also run sanity checks on firewall rules and make sure typical errors are caught before generated policy is deployed.

Firewall Builder supports

• iptables on Linux (Kernel 2.4 & Kernel 2.6)
• ipfilter on Sun Solaris, FreeBSD and OpenBSD
• ipfw on FreeBSD and MacOS X
• pf on OpenBSD
• CiscoPIX (commercial license)
• Cisco IOS  Access Control Lists (commercial license)
• Linksys Firewall running sveasoft and OpenWrt firmware

Firewall Builder can run on

• Redhat Linux, Mandrake Linux 10, Suse 9.1
• FreeBSD 5.3
• MacOS X
• Windows XP SP1 and later

Firewall Builder licensing is a dual-license model where all the opensource modules are available under GPL while the commercial modules are licensed under its own Netcitaadel End User licensing model.

The Firewall Builder software has great documentation and lots of How Tos, installation guides and a good FAQ to support this very good piece of software.

For more information and download, click here to visit the homepage of Firewall Builder.

ClarkConnect is an all-in-one Opensource networking suite from Point Clark Networks. It is a full blown security suite on one front with Stateful firewall protection, Intrusion Detection and prevention, Maile Gateway with Antivirus, Anti-spam and Anti-phishing support, proxy & web content filtering, peer to peer connection filtering for web protection while is also a networking suite with IPSec and PPTP support, bandwdith and system monitoring and a server with web-server, Database server support, file & print sharing, mail server, system and mail backup. All built on a cut down redhat linux with a good web interface.

ClarkConnect is an opensource winner with all the features are directly enabled by opensource packages.

The top features of ClarkConnect are

• Statefule Firewall with DMZ interface enabled, NAT and port forwarding support
• Intrusion Detection (Snort) and Preention (snortsam)
• Peer to Peer connection prevention
• MultiWAN support with bandwidth monitoring
• VPN support with IPSec and PPTP support
• Webproxy, Content Filtering, Popup/banner adblocker
• Email Server support (POP, IMAP and SMTP) and webmail support
• Dns, DynDNS, DHCP Support
• Mail Gateway with antispam (spamassasin,Dspam,greylisting), Antivirus (ClamA), phishing filter,  Mail Disclaimer support
• Groupware and Flexshare
• Webserver (LAMP)
• File and Print Sharing, FTP server
• Network Backup

For more detailed listing of features, click here

ClarkConnect comes in three different editions as Enterprise, Office and Community editions. The Community edition is a free edition with no support for the serices and hence is good for Home and Small Office. The Office edition has all of the network and security features enabled with the exception of the Grouware support and the all enabled version is the Enterprise edition. While the Office and Enterprise editions are commercial, the cost is not very pricey.

For a comparision on the versions, click here

A detailed hardware requirement can be found on ClarkConnect website with downloads available here.

A Reader's Toolbox

For 640-802, it is important to qualify both 350-001 as well as 70-291. Still a number of individuals settle for 70-649 too.

redWall Firewall is a free opensource firewall based on Gentoo linux distribution with Linux Kernel 2.6. redWall firewall runs from a bootable CD-ROM while the configs are saved on a USB Memory stick, Floppy drive or on the Hard Drive. Newer version has support to install the firewall on the Hard Disk. The redWall firewall has a good web interface.

Reporting on the firewall is based on a MySQL database (except for squid) and so presents the advantage of using the firewall also as a Management console or a logging console so multiple firewalls in the network can report back to the management station or do the logging onto the redWall firewall for better presentation and broader visibility of the whole network security.

Features include

• Stateful Firewall (iptables)
• Proxy using Squid
• Intrusion Detection System (IDS) using Snort
• Mail gateway functionality with Virus scanning and Antivirus support
• Support for Bridging, NAT
• DNS support using dnsmasq
• Traffic shaping
• Network Analyzer using nTop and DarkStat
• Network monitoring and Bandwidth monitoring using Zabbix and Jffnms
• SNMP reporting using Cacti
• Webmin support
• Log analysis using BASE
• Good reporting for Squid and rest of the logs using Sarg Report
• Management/Logging console for multiple firewalls on the network

There is not much documentation available on the website for redWall but given that the firewall can run off the CD-ROM (installable to Hard Disk) and that the configs can be saved onto a USB Memory Stick, Floppy or a Hard Disk, an old PC can certainly be enough to run a fully functional Firewall. Ofcourse, give some good hard disk space for Squid and/or for central logging (if used as a logging console)

The CD ISO image can be downloaded here.

To install the Firewall onto the Hard Disk, run "redwall-setup" from the console and select "INSTALLATION" and follow the onscreen instructions.

A Reader's Toolbox

Normally after 220-602 a number of individuals go for 1Y0-259 or the more advanced 640-822. People seldom try for 220-601 as that only leads to 70-293.

pfSense is yet another opensource firewall which can turn your old PC into a fully functional Firewall. pfSense opensource firewall is based on the m0n0wall opensource embedded firewall with all the good features of m0n0wall and advanced addition features.

pfSense uses OpenBSD's ported packet filter, FreeBSD 6.1 ALTQ (HSFC) for excellent packet queueing and integrated package managegement system for extending with new features.

pfSense can be downloaded a Live CD which is also an installation CD or as an installation ISO for developer edition or an Embedded edition. For more info on the download packages, click here.

The software itself can be downloaded from here

A good set of install instructions are available here

More information on Hardware, minimum requirements and recommended vendor products, visit pfSense here

In additional to the existing features on m0n0wall firewall, pfSense has the special additional features. The following are some of the key additional features:

• Wireless a/b/g using wpa_supplicant with turbo, WEP, WPA-E/PSK and WPA2 (TKIP) support. Advanced support for wireless devices including HostAP-mode, hardware-encryption if supported by driver, mac-filtering, non-broadcasting SSID with FreeBSD6 supported wireless devices (atheros recommended for full functionality)
• Incoming/outgoing load balancing pools
• Multiple WAN Support
• PPPoE Server
• Setup wizard and package using xml -> web gui toolkit
• Realtime settings change to avoid reboots
• pf for openbsd's packet filter
• CARP – for failover and clustersyncing (rules, trafficshaper, nat, IPSEC SAs…)
• failovercapable DHCP-Server with advanced settings (specify gateway, DNS, WINS)
• Systemstatus with realtimegraphs including SWAP usage monitor
• ALTQ traffic shaping with integrated magic shaper wizard with Queuegraphs for Trafficshaper
• FTP-Proxy using Squid Transparent proxy
• proxy/masquerading for SIP-protocol using siproxd
• Anti-Spam-Proxy using assp
• Fake SMTP-Server as Spam-Tarpit using spamd
• Networkscanner for security auditing using nmap
• Enhanced traceroute using mtr
• enhanced configuration-system featuring a configuration history and partial config down-/uploads
• converting PF-status-massages to Cisco NetFlow-Datagrams using pfflowd
• PFStat Graphing
• Enhanced network history data using NTOP
• STunnel to wrap standard ports with SSL
• arpwatch to watch ethernet/ip-adress-pairings
• freeradius to Radiusserver
• iperf/netio for bandwidth-measuring

A Reader's Toolbox

After SY0-101, a small number of individuals are content with their N10-003 where as the rest go on to study 70-620. This group later covers 350-030 as well.

m0n0wall is a free opensource embedded firewall that runs on embedded PCs (recommended) and other generic standard PC workstations that can run FreeBSD or rather supported by FreeBSD. m0n0wall firewall provides most of the features provided by a commercial firewall.

Click here for a list of supported FreeBSD/i386 hardware.

For more information on the hardware details m0n0wall click here

M0n0wall is based on a bare-bones version of FreeBSD with mini-httpd webserver for web GUI and PHP (with CGI support) for boot time configuration. The complete configuration is stored in XML format. This is likely the only softwar where PHP does the boot time configuration instead of Shell scripts.

The image file for installation is of 6MB in size including the core freebsd and the required components and utilities that offers most if not all the features of a commercial firewall appliance. There are seperate image files for each of the different hardware platforms supported. For more information on downloads, click here

The whole software package can be run on a compact flash card (atleast 8M in size) or on a IDE hard disk. The recommended memory is atleast 64MB. The installation procedures are well documented.

For details on installation procedures click here

The Main features of m0n0wall firewall are,

• Stateful Packet Filtering
• Web Interface (SSL) and Serial Console for administration (mini-httpd)
• Wireless Support
• Captive Portal
• 802.1Q VLAN  support
• Stateful Packet Filtering using ipfilter
• NAT/PAT, Static Router, Host Aliases support
• DHCP client, PPPoE, PPTP and Telstra BigPond Cable support on the WAN interface
• IPsec IKE VPN using Racoon with support for hardware crypto cards, mobile clients and certificates
• PPTP VPN (with RADIUS server support)
• DHCP server and DHCP-Relay (ISC DHCP)
• Caching DNS forwarder using dnsmasq
• DynDNS client and RFC 2136 DNS updater using ez-ipupdate
• Traffic shaping
• SVG-based traffic grapher
• firmware upgrade through the web browser
• Wake on LAN
• Configuration backup/restore

For more detailed feature list, click here

For more information on this FreeBSD based open source firewall, please click here

A Reader's Toobox

After 70-290, a small number of professionals who wants to study 70-296 move on to the next level i.e. 70-270, where as the rest go with the 642-901.

IPCop Firewall – Bad Packets Stop here!!! 

IPCop Firewall is a well known Opensource Linux distribution built to protect Home and SOHO networks from hackers and potential intruders on the Internet. IPCop can run a old PC and can be installed and be operational within minutes.

Please click here for more information on the Hardware compatibility list. Installation is fairly straight forward. Involves downloading the ISO image and burn it to a CD and start the hardware with the installation media and follow the onscreen instructions. A detailed installation instruction is here.

The IPCop firewall runs on Linux Kernel 2.4 and is a stateful firewall (1.3 and later) based on Linux IPTables. The IPCop firewall has a nice web interface from where almost all the configurations can be done.

While IPCop firewall is primarily a router and Stateful firewall, it has most of the common features found on commercial hardware firewall appliances. Some of the key features are

• Stateful Firewall using IPTables
• Intrusion Detection System using Snort
• IP, Web and FTP proxy using Squid Proxy
• Dynamic DNS Support
• DNS Forwarding and DHCP using dnsmasq
• IPSec VPN supporting both roadwarrior and Site to Site using OpenSwan
• Wireless supported a DMZ on the firewall using the Wireless_Tools (opensource Wireless tools sponsored and supported by HP)
• Traffic Shaping on the External Internet facing interface (RED)
• SSH using OpenSSH
• Local and remote logging support
• NTP Server/Client support
• NAT Helper and port forwarding support

The IPCop Firewall has a very good documentation and FAQ on its website actively supported by the Opensource community. Smoothwall Express is a opensource firewall based on th IPCop firewall

For more information and download, please click here