PacketFence

You can take it a step further by adding Snort alerts to your PacketFence installation. Let's assume that using BitTorrent clients is prohibited in your environment and you want to configure PacketFence to enforce this policy. Edit /usr/local/pf/conf/violations.conf so that the section containing BitTorrent reads as follows:

[2000334]
desc=P2P (BitTorrent)
priority=8
url=/content/index.php?template=p2p
disable=N
max_enable=1
actions=trap,email,log
trigger=Detect::2000334,Detect::2000357,
↪Detect::2000369

This tells PacketFence that:

Finally, you need to activate Snort from inside PacketFence by incorporating the following into conf/pf.conf:

[trapping]
detection=enabled

[interface eth0]
type=internal, managed,monitor

and restarting the PacketFence service. Note that if you are using switches, you have to redirect a copy of your network traffic to eth0 (the PacketFence monitor—that is, the interface Snort listens to for packets).

Generating a violation in PacketFence is now as simple as launching your favorite BitTorrent client, such as Azureus. Do so, and open a torrent file to start a download. Once a couple of packets are exchanged on the network, Snort should catch some and match them with the 2000334, 2000357 or 2000369 rules. Those rules, which come from the Bleeding Edge Threats rulesets, correspond to BitTorrent peer sync, traffic and announce, respectively. Once Snort logs such unusual activity, PacketFence reacts by creating a violation.

As an administrator, you can see the list of violations with:

/usr/local/pf/bin/pfcmd violation view all

As a user, on your computer, launch your favorite Web browser and try to open any outside Web site. You'll be redirected to the PacketFence system automatically, which will display the peer-to-peer template, as shown in Figure 2.

Figure 2. PacketFence Peer-to-Peer Template

Stopping the BitTorrent client lets you regain network access. Now, try to use BitTorrent a second time. As before, an alert is generated, and your browser is redirected to the PacketFence portal. But this time, however, you won't get another chance to re-enable your access. In real life, offending users would have to call their network administrator to re-enable network access.

To activate the Nessus scanning of hosts trying to register with PacketFence, add the following section to /usr/local/pf/conf/pf.conf:

[scan]
ssl=enabled
pass=<nessus_passwd>
user=<nessus_user>
port=1241
host=127.0.0.1
registration=enabled

and restart the PacketFence service. Trying to add a computer running an unpatched version of Microsoft Windows now generates an immediate violation. You also can use the administrative Web GUI (the Scan tab) to define that complete Nessus scans should be executed every night.

Deploying PacketFence in your network with ARP-based isolation is simple. Although this isolation technique is easy to deploy, it doesn't necessarily scale well and could be bypassed by wise users with static ARP-cache entries.

Other isolation techniques exist in PacketFence, such as DHCP/DNS, which scales well. At Inverse, we also added VLAN-based isolation to PacketFence, which makes this solution more secure and appealing for large networks. PacketFence is an ideal solution for securing campus networks or even a part of your network (a VLAN or subnet). Finally, a high-quality NAC solution has emerged from the FOSS community, and the evolution of PacketFence is promising.