I was called in to help secure a network in a pinch. This called for quick action with very few resources: no time to purchase a firewall or drastically redesign the network. We needed something now.
The client's network had its printers, desktops, servers, SANs, and switches all on one subnet, publicly reachable from the internet, with no hardware firewall. Hackers were exploiting NTP bugs, trying default accounts and passwords, and trying to brute-force their way into everything. Without a complete understanding of the infrastructure, or of what renumbering and redesigning the entire network might break, I decided to implement a quick fix while a firewall was ordered and a careful redesign could be planned.
The quick fix was to build a transparent bridge and move all the vulnerable devices onto a private VLAN behind it, so that the bridge could firewall every one of those devices without renumbering anything.
First, I had to reclaim an old Dell R310 server. Nobody knew the BIOS passwords for any of the servers, so after a quick BIOS password clear and reboot, I installed Ubuntu 12.04 LTS with basic settings and all updates. After consulting with my Cisco experts, we configured two switch ports, one in the existing VLAN (24) and one in the new private VLAN (25):
interface gi 1/0/1
 switchport mode access
 switchport access vlan 24
interface gi 1/0/2
 switchport mode access
 switchport access vlan 25
On the server I set up bridge networking by installing bridge-utils
apt-get install bridge-utils
and adding these lines to /etc/network/interfaces
auto br-vlan25
iface br-vlan25 inet dhcp
    # one port sits in VLAN 24, the other in VLAN 25; frames are bridged between them
    bridge_ports eth0 eth1
    up /sbin/ifconfig $IFACE up || /sbin/true
When I brought the interfaces up, the bridge started forwarding Spanning Tree Protocol (STP) BPDUs from one VLAN into the other, and the switch immediately shut down one of the interfaces to block what it saw as a loop.
My solution was to install the ebtables package
sudo apt-get install ebtables
And add the following rules, which set every chain to drop by default and then accept only IPv4 and ARP frames, so BPDUs (and anything else at layer 2) never cross the bridge:
ebtables -P INPUT DROP
ebtables -P FORWARD DROP
ebtables -P OUTPUT DROP
ebtables -A OUTPUT -p IPv4 -j ACCEPT
ebtables -A OUTPUT -p arp -j ACCEPT
ebtables -A INPUT -p IPv4 -j ACCEPT
ebtables -A INPUT -p arp -j ACCEPT
ebtables -A FORWARD -p IPv4 -j ACCEPT
ebtables -A FORWARD -p arp -j ACCEPT
Then modify /etc/default/ebtables so that every setting reading “no” reads “yes”, so the rules are saved and reloaded across reboots and interface resets.
I now had a functioning bridge but no firewall, so I added these iptables rules so that only traffic sourced from the client's own subnet (X.Y.Z.0/24 stands in for it below) can open connections through the bridge, with replies allowed back by connection state. Since both rules are inserted with -I, the second one (the state rule) ends up first in the chain:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -I FORWARD -s X.Y.Z.0/24 -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Two things are worth checking with this rule set. iptables only sees bridged frames when net.bridge.bridge-nf-call-iptables is 1; it is on by default once the 12.04 bridge module loads, but confirm it with sysctl. And because INPUT and OUTPUT both default to DROP, the bridge host itself accepts no connections, so either manage it from the console or add explicit INPUT/OUTPUT rules for SSH from a trusted address. I then installed the iptables-persistent package to save the iptables rules across reboots and interface resets:
apt-get install iptables-persistent
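Here is the bridge firewall setup from the steps above gathered into one repeatable script, as an added example that is not the original post's script. It assumes a TRUSTED_NET placeholder of 192.0.2.0/24 standing in for the client's X.Y.Z.0/24, an assumed MGMT_HOST admin address that gets an SSH exception (the post's rule set has none), and a DRY_RUN mode that prints the commands instead of running them. It also validates the subnet before touching iptables and refuses a real run unless the bridge-nf sysctl is on, since iptables sees no bridged traffic otherwise.

```shell
#!/bin/sh
# bridge-fw.sh: apply the transparent-bridge rule set from this post as one
# repeatable script. Added example, not the post's own script.
# Assumptions not taken from the post: TRUSTED_NET is the client's public /24
# (the post's X.Y.Z.0/24, here the TEST-NET placeholder 192.0.2.0/24), MGMT_HOST
# is one admin workstation allowed to SSH to the bridge host, and DRY_RUN=1
# (the default) prints the commands instead of running them.

TRUSTED_NET="${TRUSTED_NET:-192.0.2.0/24}"
MGMT_HOST="${MGMT_HOST:-192.0.2.10}"
DRY_RUN="${DRY_RUN:-1}"

# run CMD...: echo the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_cidr A.B.C.D/N: reject anything that is not four 0-255 octets and a
# 0-32 prefix, so a typo like "X.Y.Z.o/24" fails here instead of inside iptables.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr="${1%/*}"
    plen="${1#*/}"
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_bridge_nf: iptables only sees bridged frames when this sysctl is 1.
check_bridge_nf() {
    [ "$(sysctl -n net.bridge.bridge-nf-call-iptables 2>/dev/null)" = "1" ]
}

# ebtables_rules: the post's layer-2 policy. Everything that is not IPv4 or ARP
# (STP BPDUs, IPv6, LLDP, ...) is dropped in all three chains.
ebtables_rules() {
    for chain in INPUT OUTPUT FORWARD; do
        run ebtables -P "$chain" DROP
        run ebtables -A "$chain" -p IPv4 -j ACCEPT
        run ebtables -A "$chain" -p arp -j ACCEPT
    done
}

# iptables_rules: default-deny; the state rule is appended before the subnet rule
# (the order the post's two -I commands produce), then one SSH exception for
# MGMT_HOST because INPUT/OUTPUT DROP otherwise limits the bridge host to console access.
iptables_rules() {
    valid_cidr "$TRUSTED_NET" || { echo "bad TRUSTED_NET: $TRUSTED_NET" >&2; return 1; }
    run iptables -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -s "$TRUSTED_NET" -j ACCEPT
    run iptables -A INPUT -s "$MGMT_HOST" -p tcp --dport 22 -j ACCEPT
    run iptables -A OUTPUT -d "$MGMT_HOST" -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
}

# apply: refuse a real run unless bridged frames actually reach iptables.
apply() {
    if [ "$DRY_RUN" != "1" ] && ! check_bridge_nf; then
        echo "net.bridge.bridge-nf-call-iptables is not 1; iptables would not filter the bridge" >&2
        return 1
    fi
    ebtables_rules && iptables_rules
}

# Usage: ./bridge-fw.sh apply            (dry run, prints the commands)
#        DRY_RUN=0 ./bridge-fw.sh apply  (applies them, as root)
if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Run it once in dry-run mode and read the output before switching DRY_RUN off; after a real run, the same ebtables-save/iptables-persistent steps from the post still apply to keep the rules across reboots.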
The next step was to go through all the switch ports, identify every device that needed to be secured, and move it to the new private VLAN:
show int status
(find all the vulnerable device ports)
int gi 1/0/X
 switchport access vlan 25
Then I went to vCenter, looked at all the guests that needed to be secured, including the ESXi hosts themselves, and changed their networking (the port group VLAN ID) to the new private VLAN.
Now an Nmap scan from on site still reaches all of their equipment, while an Nmap scan from off site shows just a collection of desktops, printers, and public-facing servers. No more free access to ESXi hosts, EqualLogic storage, video cameras, environmental sensors, etc.
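To make that before-and-after comparison repeatable, here is an added shell example (not the post's code) that parses two Nmap scans saved in greppable format, one run on site and one off site, and lists what is still reachable from the internet and what the bridge now hides. The two embedded scans are constructed samples using TEST-NET addresses and made-up host names, and the port list in the usage comment is an assumption.

```shell
#!/bin/sh
# exposure-diff.sh: compare an on-site and an off-site nmap scan of the same
# range and report which services the bridge now hides and which are still
# reachable from the internet. Added example, not the original post's code.
# It assumes both scans were saved with -oG, e.g. (port list is an assumption):
#   nmap -Pn -p 22,80,443,902,3260 -oG inside.gnmap  X.Y.Z.0/24   (on site)
#   nmap -Pn -p 22,80,443,902,3260 -oG outside.gnmap X.Y.Z.0/24   (off site)
# The two scans below are constructed samples (TEST-NET-1 addresses, made-up hosts).

SAMPLE_INSIDE='# Nmap 6.00 scan initiated (constructed sample)
Host: 192.0.2.10 (web)  Ports: 22/closed/tcp//ssh///, 443/open/tcp//https///
Host: 192.0.2.20 (esx1)  Ports: 22/open/tcp//ssh///, 443/open/tcp//https///, 902/open/tcp//iss-realsecure///
Host: 192.0.2.30 (san1)  Ports: 22/closed/tcp//ssh///, 3260/open/tcp//iscsi///
# Nmap done (constructed sample)'

SAMPLE_OUTSIDE='# Nmap 6.00 scan initiated (constructed sample)
Host: 192.0.2.10 (web)  Ports: 22/closed/tcp//ssh///, 443/open/tcp//https///
Host: 192.0.2.20 (esx1)  Ports: 22/filtered/tcp//ssh///, 443/filtered/tcp//https///, 902/filtered/tcp//iss-realsecure///
Host: 192.0.2.30 (san1)  Ports: 22/filtered/tcp//ssh///, 3260/filtered/tcp//iscsi///
# Nmap done (constructed sample)'

# open_ports: read -oG output on stdin, print "ip port/proto" for every open port.
# Each Ports: entry is port/state/proto/owner/service/rpc/version, so field 2 is the state.
open_ports() {
    awk '
        /^Host:/ && /Ports:/ {
            ip = $2
            split($0, half, "Ports: ")
            n = split(half[2], entry, ", ")
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")
                if (f[2] == "open") print ip, f[1] "/" f[3]
            }
        }' | sort
}

# exposed OUTSIDE_SCAN: services still answering from the internet.
exposed() {
    printf '%s\n' "$1" | open_ports
}

# hidden INSIDE_SCAN OUTSIDE_SCAN: open on site but not from outside, i.e. what
# the bridge firewall is now protecting. Outside lines are fed first so awk has
# seen them before it decides about each inside line.
hidden() {
    { printf '%s\n' "$2" | open_ports | sed 's/^/out /'
      printf '%s\n' "$1" | open_ports | sed 's/^/in /'; } |
    awk '$1 == "out" { seen[$2 " " $3] = 1; next }
         $1 == "in" && !(($2 " " $3) in seen) { print $2, $3 }'
}

# main: "demo" uses the constructed samples; otherwise pass inside.gnmap outside.gnmap.
main() {
    case "${1:-}" in
        demo) inside=$SAMPLE_INSIDE; outside=$SAMPLE_OUTSIDE ;;
        *) [ $# -eq 2 ] || { echo "usage: $0 inside.gnmap outside.gnmap | demo" >&2; return 2; }
           inside=$(cat "$1"); outside=$(cat "$2") ;;
    esac
    echo "Still reachable from the internet:"; exposed "$outside"
    echo "Hidden behind the bridge:";          hidden "$inside" "$outside"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

With the constructed samples, "demo" reports only the web server's 443/tcp as still reachable and lists the ESXi host's 22, 443 and 902/tcp plus the SAN's 3260/tcp as hidden; anything that shows up under "Still reachable" after a real pair of scans is a port the bridge's FORWARD rules are letting through and worth a second look.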