Improve Network Security with Open Source Monowall: Part 2

by Carla Schroder

Part 2 of our series on Monowall, an open source firewall, focuses on using it to set up secure remote access.

In Part 1, we installed the excellent Monowall and completed basic configurations. In part 2, we use it to create a firewall and set up secure remote access over the Internet.

How to Set Up an Internet Firewall with Monowall

Ideally you have an Internet connection that you can connect only to your little two-computer test lab (see Part 1) until you are comfortable with Monowall.

The Internet is a big bad scary place full of malware, and also full of much automated spew that we don't need pouring into our own private networks. The simplest firewall blocks all incoming traffic, except for allowing only responses to traffic that originates from inside your LAN, such as email and Web surfing. If you are not running any Internet-facing services then this is the firewall for you. The Number1 rule of firewalls is "Deny all, allow only as needed."

You will need the configuration settings for your account from your Internet service provider. If you have your own static IP address then most likely it's your IP address, gateway, and the addresses of your ISP's nameservers. If it's a dynamic account then you'll need just the nameserver addresses.

Enter Monowall's webGUI and set up your WAN interface. Do this on the Interfaces > WAN screen. Start at the very top with the Type dropdown menu. Select Static or DHCP, whichever is appropriate for your Internet account. Skip MAC address.

If you have a static address, then enter it and your gateway address in Static IP configuration. Skip everything else until you get to the bottom where it has a checkbox for Block private networks. Make sure this is checked, and then click Save.

Now go to the System > General Setup tab and enter your ISP's DNS servers in the DNS Servers section. Do this even if you have a DHCP account, and leave the Allow DNS server list to be overridden by DHCP/PPP box checked.

Do one more bit of housekeeping while you're here -- at the bottom, change the NTP time server to pool.ntp.org. This is always the best default since it links to the global NTP server pool. When you configure which NTP server your LAN clients should use, point them to your Monowall server.

That's it. Plug Monowall into your Internet interface and you should be able to Web surf from your test LAN PC. You can run a quick test from GRC ShieldsUP! to test your firewall.

Note how it detects and reports your public IP address. Then click the Proceed button to go to the next page. In the ShieldsUP!! Services box click the All service ports button. A progress graph appears as each port is tested. You should not see any red.

When it's finished, it will mark the test as a failure because of the Ping Reply test. Do not disable ping, or more precisely ICMP echo. Some admins mistakenly believe that blocking pings is good security. It isn't, and it's an essential network function, so ignore this "failure."

Secure IPsec VPN

A VPN (virtual private network) is a secure tunnel over untrusted networks, so you can safely log into to your work network from home, or connect branch offices. If you've been doing any Windows networking, you're probably familiar with PPTP (Point-to-point protocol). It is popular because it is easy to set up. However it is not very secure, so it is better to invest a little time learning how to run a more secure VPN. Monowall supports IPsec (Internet protocol security), which provides good strong security.

If you're going to enable remote access to your network, you really need an Internet account with a static IP address. It is possible, but painful, to use a low-budget dynamic Internet account. It's not worth the hassle -- spend the few more bucks to get a static address.

VPN Between Two Networks

Before you set this up there are some prerequisites. First, you cannot connect overlapping subnets. If your LAN is in the range, then you cannot set up a VPN tunnel with another network, because you must have unique subnets. Then there must be a VPN server on the other end of the connection. This can be another Monowall box or some other IPsec server.

In the Monowall webGUI, go to the VPN > IPsec > Tunnels tab. Check Enable IPsec. Then click on the little plus button to add a VPN connection, which opens a screen like Figure 1.

Monowall open source firewall; remote access VPN
Figure 1: Creating a new site-to-site VPN tunnel.
(Click for larger image)

The Mode is Tunnel, which we can't change. The Disable option is nice, an easy way to turn it off for troubleshooting. Obviously do not disable it now! Interface is WAN. Check Enable Nat Traversal. The Dead Peer Detection option automatically closes the tunnel when it is not being used; 60 seconds is a reasonable value. (The IPsec protocol passes "I am here" messages even when there is no user activity.) The Local Subnet defines how much of your LAN you want to be remotely accessible; the LAN subnet is your whole LAN, and you don't have to type in the address.

Remote Subnet, which is the network on the other end of the connection, must be exactly the same as the Local Subnet setting on the other end of the connection. The Description field is anything you want, like a nickname for this connection, or notes on its purpose.

Now move on to the Phase 1 proposal section (see Figure 2).

Monowall open source firewall; remote access VPN
Figure 2: Security settings for your new VPN tunnel.
(Click for larger image)

Set Negotiation Mode to Aggressive. My Identifier can be a number of things; the easiest is your WAN IP address. The Encryption Algorithm must match what the other endpoint uses, and 3DES is pretty much universal. The Hash algorithm should be SHA1 because it is stronger than MD5, though again this needs to agree with the other endpoint. Same for DH key group; 1024 bits (2) is a good balance between speed and security.

The Lifetime field controls (in seconds) how long your side of the tunnel will wait for Phase 1 to be completed. The Monowall manual recommends 28800.

The Pre-Shared key must be exactly the same on both sides of the connection. Make this strong, more than 10 characters and mixed-case, numbers, and punctuation.

Now move on to the "Phase 2 proposal" section (Figure 3).

Monowall open source firewall; remote access VPN
Figure 3: Configuring the VPN tunnel protocol and encryption types.
(Click for larger image)

For Protocol select ESP. In the Encryption Algorithms section it is safe to select everything, though it is better to select only what you're going to use. Use SHA1 in the Hash Algorithms section if possible, because it is stronger than MD5. Set PFS Key Group to option 2, or 1024 bits.

The Lifetime value, in seconds, controls the lifetime of your negotiated keys. 28800 is eight hours, which should get you through a workday. Don't go over 86400, which is 24 hours.

Click Save and Apply Changes, and your IPsec server is ready to connect to your other endpoint. How the connection is initiated depends on the IPsec server used on the other end; if it's another Monowall server then it will connect when you click Apply Changes, and you should be able to ping back and forth. The most important thing to remember is all those settings need to be the same.

Mobile VPN User

First go to the VPN > IPsec > Pre-Shared Keys tab and create a key for your user. Use their email address as the identifier, and create a long key (at least ten characters) using mixed-case, punctuation marks and numbers. Then go to the Mobile clients tab and set it up just like creating a site-to-site tunnel, using the identifier and pre-shared key you created.

The client setup depends on the software on the client machine; again remember to make everything the same where it needs to be. The Monowall handbook has a detailed example using the SafeNet SoftRemoteLT client software.

To learn more, consult the Monowall Handbook and my own Linux Networking Cookbook for detailed tutorials on all kinds of networking tasks.

Carla Schroder is the author of The Book of Audacity, Linux Cookbook, Linux Networking Cookbook, hundreds of Linux how-tos, former managing editor of Linux Planet and Linux Today.

Small Business Computing is on Facebook. Join us on Facebook and interact with the site's editors, post messages, share your small business challenges and successes, discuss technology and suggest topics you'd like covered on Small Business Computing.

Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!
This article was originally published on Thursday Jul 7th 2011
Mobile Site | Full Site