PacketFence

How to set up and use the powerful open-source network access control solution.
Incorporating Snort and Nessus

You can take it a step further by adding Snort alerts to your PacketFence installation. Let's assume that using BitTorrent clients is prohibited in your environment and you want to configure PacketFence to enforce this policy. Edit /usr/local/pf/conf/violations.conf so that the section containing BitTorrent reads as follows:

[2000334]
desc=P2P (BitTorrent)
priority=8
url=/content/index.php?template=p2p
disable=N
max_enable=1
actions=trap,email,log
trigger=Detect::2000334,Detect::2000357,
↪Detect::2000369

This tells PacketFence that:

  • The BitTorrent violation can be generated by the Snort alerts 2000334, 2000357 and 2000369 (the trigger parameter).

  • The system has to act upon this violation by isolating the user, sending an e-mail alert to the administrator and logging the violation to /var/log/messages (the actions parameter).

  • The user is allowed to re-enable network access once (the max_enable parameter).

Finally, you need to activate Snort from inside PacketFence by incorporating the following into conf/pf.conf:

[trapping]
detection=enabled

[interface eth0]
type=internal, managed,monitor

and restarting the PacketFence service. Note that if you are using switches, you have to redirect a copy of your network traffic to eth0 (the PacketFence monitor—that is, the interface Snort listens to for packets).

Generating a violation in PacketFence is now as simple as launching your favorite BitTorrent client, such as Azureus. Do so, and open a torrent file to start a download. Once a couple of packets are exchanged on the network, Snort should catch some and match them with the 2000334, 2000357 or 2000369 rules. Those rules, which come from the Bleeding Edge Threats rulesets, correspond to BitTorrent peer sync, traffic and announce, respectively. Once Snort logs such unusual activity, PacketFence reacts by creating a violation.

As an administrator, you can see the list of violations with:

/usr/local/pf/bin/pfcmd violation view all

As a user, on your computer, launch your favorite Web browser and try to open any outside Web site. You'll be redirected to the PacketFence system automatically, which will display the peer-to-peer template, as shown in Figure 2.

Figure 2. PacketFence Peer-to-Peer Template

Stopping the BitTorrent client lets you regain network access. Now, try to use BitTorrent a second time. As before, an alert is generated, and your browser is redirected to the PacketFence portal. But this time, however, you won't get another chance to re-enable your access. In real life, offending users would have to call their network administrator to re-enable network access.

To activate the Nessus scanning of hosts trying to register with PacketFence, add the following section to /usr/local/pf/conf/pf.conf:


[scan]
ssl=enabled
pass=<nessus_passwd>
user=<nessus_user>
port=1241
host=127.0.0.1
registration=enabled

and restart the PacketFence service. Trying to add a computer running an unpatched version of Microsoft Windows now generates an immediate violation. You also can use the administrative Web GUI (the Scan tab) to define that complete Nessus scans should be executed every night.

Conclusion

Deploying PacketFence in your network with ARP-based isolation is simple. Although this isolation technique is easy to deploy, it doesn't necessarily scale well and could be bypassed by wise users with static ARP-cache entries.

Other isolation techniques exist in PacketFence, such as DHCP/DNS, which scales well. At Inverse, we also added VLAN-based isolation to PacketFence, which makes this solution more secure and appealing for large networks. PacketFence is an ideal solution for securing campus networks or even a part of your network (a VLAN or subnet). Finally, a high-quality NAC solution has emerged from the FOSS community, and the evolution of PacketFence is promising.

Ludovic Marcotte (ludovic@inverse.ca) holds a Bachelor's degree in Computer Science from the University of Montréal. He is currently a senior systems architect for Inverse, Inc., an IT consulting company located in downtown Montréal that specializes in the deployment of infrastructures based on free and open-source components.

Dominik Gehl (dgehl@inverse.ca) holds a Master's degree in Computer Science from the University of Montréal. He is currently a systems architect for Inverse, Inc., an IT consulting company located in downtown Montréal that specializes in the deployment of infrastructures based on free and open-source components.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Thanks for the articles...

Kredi's picture

Thanks for the articles...

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix