Novell Home

Configuring SUSE Firewall for the SSL VPN Component in Access Manager

Novell Cool Solutions: AppNote
By Sureshkumar T

Digg This - Slashdot This

Posted: 21 Nov 2007
 

Introduction
Deployment Setup
Open Ports for SSL VPN
Routing for SSL VPN
    Configuring Routes in Routers
    Adding NAT Rules
Configuring SUSE Firewall for SSL VPN
Additional Configuration
    Adding NAT Rules
    Allowing UDP Ports

Introduction

Novell Access Manager provides seamless access control solution, along with web single sign-on and industrial-strength identity federation. This product provides perimeter security for web resources, application servers, other servers, and corporate networks in general. Novell SSL VPN is a component of Access Manager Suite.

Novell SSL VPN is a VPN gateway whose design is based on the popular technology used in web commerce sites to protect confidential transactions. This technology is customized to protect corporate networks just like traditional VPN systems do. SSL VPN simplifies the user experience and eases the client management problem by letting the users to connect to the VPN gateway through a simple web browser.

SSL VPN is a gateway and is deployed in the organization perimeter boundary. Administrators must take the utmost care to provide high protection for this server from unwanted intrusions, because compromising this system leads to possible attacks to the production servers in the DMZ as well as internal networks. The Novell SSL VPN gateway is designed and deployed as a software appliance. It is mandatory for security administrators to lock down the base operating system on which they want to deploy the SSL VPN services.

As a good protection mechanism, it is recommended to place the SSL VPN gateway behind your corporate firewall and open only the necessary ports in the firewall. Apart from this, it is also a good practice to lock down a Linux server by configuring built-in packet filters. This document provides a step-by-step guide to configure the SUSE Firewall with the required packet filters and optional NAT rules.

Deployment Setup

The Novell Access Manager suite comes with the following three major components:

  • Identity Server
  • Access Gateway
  • SSL VPN

You would require at least three machines to setup a simple deployment. The sample deployment is shown in Figure 1:

Figure 1 - Sample deployment

The Novell SSL VPN deployment is supported on SuSE Linux Enterprise Server 9 with Service Pack 3 and on SuSE Linux Enterprise Server 10.

It is recommended you deploy a secondary firewall between the SSL VPN Server, other servers, and the internal network. That way you can configure services, such as SSH, HTTP, and SMTP, that will be used by the remote users in the secondary firewall.

Open Ports for SSL VPN

The SSL VPN gateway requires the following ports to be opened in the firewall:

PortRequired ForLocal/ External/ InternalDescription
TCP 8080Access GatewayExternalAllows the Access Gateway to accelerate SSL VPN server and to enable other communications
TCP 8443Access GatewayExternalAllows access gateway to accelerate the SSL VPN server. It also allows other communication if a secure communication is enabled between the Access Gateway and the SSL VPN server.
TCP 2010Socks ServerLocalAllows communication between the internal components of the SSL VPN Server
TCP 7777 and TCP 7778Client (Kiosk mode and Enterprise Mode)ExternalSecure port on which primary communications happen between the client and the server
TCP 1443Administration ConsoleExternal/ InternalAllows device management communication between SSL VPN and Administration Console
TCP 8444Administration ConsoleExternal/ InternalAllows device management communication between the SSL VPN server and the Administration Console
TCP 289Administration ConsoleExternal/ InternalAllows device management communication between the SSL VPN server and the Administration Console
TCP 524Administration ConsoleExternal/ InternalAllows device management communication between the SSL VPN server and the Administration Console
TCP 636Administration ConsoleExternal/ InternalAllows secure communication for LDAP from the SSL VPN servers to the Administration Console
UDP 123Time ServerExternal/ InternalFor time sync

You can open the ports for Administration Console only for internal interfaces, if you deploy SSL VPN in such a way that it can be managed through internal interfaces.

If you are deploying SSL VPN as part of the Linux Access Gateway appliance, refer to the detailed port information at:
http://www.novell.com/documentation/novellaccessmanager/basicconfig/index.html?page=/documentation/novellaccessmanager/basicconfig/data/b651hwh.html

Routing for SSL VPN

Novell SSL VPN protects communication between the remote client and the SSL VPN server. It forwards the traffic to internal hosts. The internal hosts must route the reply to remote clients through the SSL VPN Gateway. Therefore, it is essential that you add the necessary routing infrastructure to your network.

The remote clients are addressed by the IP addresses specified in the IP address pool configured in the Administration console. There are two ways to configure the routing, as described below.

Configuring Routes in Routers

You can add static routes in the routers between the hosts and the SSL VPN gateway. These routes should specify how to reach the remote clients, and these routes should point to the SSL VPN Gateway. The subnet for the SSL VPN Gateway clients should be same as the one configured in the Administration Console.

Adding NAT Rules

By configuring NAT rules, you can restrict the visibility of the new subnet configured in Gateway configuration only to SSL VPN server. You do not have to modify routing tables. However, some applications that require a connect back cannot function with this approach. For a quick deployment, this approach can be done easily. For this to work, you need a masquerading rule to iptables, such as with the following command:

iptables -t nat -A POSTROUTING -s <vpn subnet> -j SNAT --to <internal ip address>

For example:

	iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -j SNAT --to 10.16.12.247
                 where
		10.16.12.247 ? to internal interface IP address
		10.8.0.0/16 ? subnet allocated in Gateway Configuration

Configuring SUSE Firewall for SSL VPN

You can use yast to configure firewall rules.

1. Log in as root.

2. Enter the following command:

# yast2 firewall

The following screen appears.

Figure 2 - Reconfiguring firewall settings

3. Select the Reconfigure Firewall Settings option, then tab to Next and click it.

4. Configure the interfaces as follows:

Figure 3 - Basic firewall configuration, step 1 of 4

  • External Interface: Enter the interface which is facing the internet in the top most list box.
  • Internal Interface: Enter the private internal interfaces or DMZ interfaces in the bottom list box. You can specify multiple interfaces separated by spaces. Make sure that you enter the tun0 and tun1 devices names in the list. This interface will not be present if SSL VPN is not running; however, you still need to enter the interface. You can configure this interface name in /etc/opt/novell/sslvpn/openvpn-server.conf.tmpl by changing tun to tun0 or any other name starting with tun. Then, tab to Next.

Next, you need to configure the allowed services.

Figure 2 - Basic firewall configuration, step 2 of 4

5. Select check boxes for HTTP and HTTPS. These services should be running.

6. Click the Expert option.

7. Enter the ports specified in the above section to be allowed. These ports needs to be opened for SSL VPN operation.

Figure 4 - Basic firewall configuration, step 3 of 4

If you are running SSL VPN along with Linux Access Gateway, you need to open port 80. For more information on or other ports that need to be open for Linux Access Gateway, refer to the Novell Access Manager 3.0 Administration Guide.

8. Press Tab to OK, then click OK and click Next.

Do the other configurations as follows:

Figure 5 - Basic firewall configuration, step 4 of 4

9. Select "Forward Traffic and Do Masquerading"

Selecting this option turns on ip_forward and adds a default NAT rule to the iptables. In our example deployment, we need to masquerade only packets coming from the subnet that we configured in the Administration Console. This adds a level of security, so it is suggested to turn off this option and only allow IP Forwarding by changing the following line in /etc/sysconfig/SuSEfirewall2 FW_ROUTE="" to FW_ROUTE="yes"

NOTE: When the SUSE Firewall is running, it supersedes the ip_forward option set in /etc/sysctl.conf. ISSL VPN requires ip_forward to be enabled.

10. Select "Protect from Internal network" if you plan to deny internal connections also. In this case, you need specify additional services or pots in the previous configuration.

11. Select "Protect all network services".

12. Deselect "Allow Traceroute" if you do not want to allow trace route.

13. Select "Treat IPSec traffic as internal" if you want to treat IPSec traffic as internal.

14. Click Next.

Now your system is protected by the SUSE Firewall.

Additional Configuration

You can add the following additional configurations if required. There is no interface in Yast to change these settings. You must edit the files directly as explained below.

Adding NAT Rules

If you are going to use NAT based routing approach specified above, then follow these steps:

1. Edit the file /etc/sysconfig/SuSEfirewall2 and change the following line:

	FW_CUSTOMRULES=""

to

	FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

2. Open the /etc/sysconfig/scripts/SuSEfirewall2-custom file in an editor.

3. Add the following lines under the sections fw_custom_before_denyall and fw_custom_before_masq

               iptables -A $chain -j ACCEPT -s 10.8.0.0/22
               iptables -A $chain -j ACCEPT -d 10.8.0.0/22 
               iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -j SNAT --to 10.1.1.1

This is to allow all traffic with configured subnet and to do the NAT.

The file will look like the example below (keep the other lines intact). 10.8.0.0/16 is configured as a tunnel subnet, and 10.1.1.1 is your private interface.

fw_custom_before_masq() {
  iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -j SNAT --to 10.1.1.1
  true
}

fw_custom_before_denyall() {
  for chain in input_ext input_dmz input_int forward_int forward_ext forward_dmz; do
  iptables -A $chain -j ACCEPT -s 10.8.0.0/22
  iptables -A $chain -j ACCEPT -d 10.8.0.0/22
  done

  true
}

Allowing UDP Ports

The Enterprise mode of SSL VPN allows you to configure SSL VPN tunneling in order to use UDP as secure medium of communication between client and the SSL VPN Gateway. In that case, you must allow the configured UDP port via the firewall by changing the following line:

FW_SERVICES_INT_UDP=??

to

FW_SERVICES_INT_UDP=?7777?

The example above assumes that 7777 is configured as the port for encryption.


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell