Setting up protection during Nuit Du Hack 2016

Protecting our communications, our data and our systems at Hack In Paris matters. Millions of flows will be exchanged during the night, so a minimum of security has to be prepared in advance: we know we will be targeted. Hence this small project, SafeNight, built around a Juniper SRX100H2 firewall/router running JunOS 12.1X46-D52.

Prerequisites:

  1. The bare minimum is a system that is up to date and still maintained by its vendor. Ideally your machine runs a local firewall with your own rules, with no file sharing and none of the usual soft targets (Flash Player, Reader DC, Java, an old browser...). As I write this, Windows users must apply the DNS patch.
  2. Stay vigilant throughout the event: lock your machine whenever you leave your seat, and keep an eye on your own hardware and on your colleagues'.
  3. Address assignment: the SRX100 runs no DHCP server on any of the networks. Each VLAN is a /29 (8 addresses, 6 of them usable) and I will hand you your range at the start of the event. Two addresses are spoken for: .1 is the gateway and .6 must be your PC. The table below gives, for each network, the VLAN, the physical port and who plugs into it:
Network           VLAN  Port  User
10.10.0.0/29      10    ge0   Camille
172.16.20.0/29    20    ge1   Emmanuel
192.168.30.0/29   30    ge2   Arnaud
10.40.0.0/29      40    ge3   Valentin
172.16.50.0/29    50    ge4   Florian
192.168.60.0/29   60    ge5   Jérémie
10.70.0.0/29      70    ge6   Raspberry
172.16.0.24/19    -     ge7   HIPlan

(In the configuration further down the ports appear as fe-0/0/0 to fe-0/0/7, and VLANs 20 and 50 are named after Corentin and Rodolphe rather than Emmanuel and Florian.)
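As an added check (my code, not part of the original post), the following script takes the address plan from the table and derives, for each /29, the gateway (.1), the PC (.6) and the four remaining free addresses, then verifies that VLAN IDs and ports are unique and that no two prefixes overlap, the HIPlan uplink 172.16.0.0/19 included. Run against the plan as published it reports exactly one problem: 172.16.20.0/29 (VLAN 20) lies inside 172.16.0.0/19, so from the router's point of view the HIPlan hosts 172.16.20.0 to .7 are shadowed by the connected /29.

```python
"""Address-plan sanity check for the per-user VLANs described above.

Added example, not part of the original post. The subnets, VLAN IDs and port
labels are copied from the table; the derivation and overlap logic is mine.
"""
import ipaddress

# The plan as published: (network, vlan id, physical port, user).
PLAN = [
    ("10.10.0.0/29", 10, "ge0", "Camille"),
    ("172.16.20.0/29", 20, "ge1", "Emmanuel"),
    ("192.168.30.0/29", 30, "ge2", "Arnaud"),
    ("10.40.0.0/29", 40, "ge3", "Valentin"),
    ("172.16.50.0/29", 50, "ge4", "Florian"),
    ("192.168.60.0/29", 60, "ge5", "Jérémie"),
    ("10.70.0.0/29", 70, "ge6", "Raspberry"),
]
# HIPlan uplink prefix: fe-0/0/7 sits at 172.16.0.24/19, default gateway 172.16.1.1.
UPLINK = ipaddress.ip_network("172.16.0.0/19")


def vlan_hosts(cidr):
    """Return (gateway, pc, free) for one /29 following the post's convention:
    .1 is the SRX gateway, .6 is the user's PC, the rest is free."""
    net = ipaddress.ip_network(cidr)
    hosts = list(net.hosts())            # 6 usable addresses in a /29
    gateway = net.network_address + 1
    pc = net.network_address + 6
    free = [h for h in hosts if h not in (gateway, pc)]
    return gateway, pc, free


def find_overlaps(plan, uplink):
    """Return (a, b) pairs of prefixes that overlap, the uplink included.

    Two user VLANs overlapping would let one user spoof the other's addresses;
    a VLAN overlapping the uplink prefix shadows part of the venue LAN behind
    the longer connected route and breaks source NAT towards those hosts.
    """
    nets = [ipaddress.ip_network(p[0]) for p in plan] + [uplink]
    bad = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                bad.append((str(a), str(b)))
    return bad


def check_plan(plan, uplink):
    """Full check: distinct VLAN IDs, distinct ports, no overlapping prefixes.
    Returns a list of human-readable problems (empty list = plan is clean)."""
    problems = []
    vlan_ids = [p[1] for p in plan]
    ports = [p[2] for p in plan]
    if len(set(vlan_ids)) != len(vlan_ids):
        problems.append("duplicate VLAN id")
    if len(set(ports)) != len(ports):
        problems.append("duplicate physical port")
    for a, b in find_overlaps(plan, uplink):
        problems.append(f"overlap: {a} and {b}")
    return problems


if __name__ == "__main__":
    for cidr, vid, port, user in PLAN:
        gw, pc, free = vlan_hosts(cidr)
        print(f"VLAN {vid:2d} {port} {user:10s} gw={gw} pc={pc} "
              f"free={[str(f) for f in free]}")
    for problem in check_plan(PLAN, UPLINK):
        print("PROBLEM:", problem)
```

The overlap is the one thing worth acting on before the event: either renumber VLAN 20 outside 172.16.0.0/19 or accept that its users cannot reach those eight HIPlan addresses.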

Information:

  1. Network segmentation: for everyone's comfort each port is confined to its own VLAN so that we are independent of one another. Nothing inspects your frames apart from the Juniper (logs).

  2. For the confidentiality of your traffic towards the Internet, I suggest you do as I do and use an OpenVPN server as a secured exit node. For those who do not have one, I can spin one up in a Docker container if needed.

  3. The Raspberry Pi will be an SSH honeypot (logs collected at the end) and maltrail will tell us about known attacks in progress (purely a challenge, to store the adversaries' attacks).
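The SRX side of that log collection: the policies in the configuration below log session-init and session-close, which Junos emits as RT_FLOW_SESSION_CREATE and RT_FLOW_SESSION_DENY syslog messages. The script that follows is an added example, not part of the original post: it parses those messages and lists who touched the honeypot from the venue LAN and which of those sources also tripped the log-and-drop policy on other ports. The log lines are constructed for the demo to follow the unstructured RT_FLOW message layout (source/port->destination/port, service, NAT tuple, NAT rule names, protocol, policy, zones); check the field order against your own Junos version before relying on the index positions.

```python
"""Triage of SRX session logs produced by the honeypot and drop policies.

Added example, not part of the original post. LOG is constructed for the demo
and mimics the unstructured RT_FLOW_SESSION_CREATE / RT_FLOW_SESSION_DENY
messages; the policy and zone names are those of the configuration.
"""
import re
from collections import Counter, defaultdict

LOG = """\
Jun 30 22:15:01 junsrx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 172.16.5.10/51234->172.16.0.24/22 junos-ssh 172.16.5.10/51234->10.70.0.6/21452 None ssh 6 ssh_honeypot HIPlan Raspberry 2031 N/A(N/A) fe-0/0/7.0
Jun 30 22:15:07 junsrx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 172.16.5.10/51240->172.16.0.24/22 junos-ssh 172.16.5.10/51240->10.70.0.6/21452 None ssh 6 ssh_honeypot HIPlan Raspberry 2032 N/A(N/A) fe-0/0/7.0
Jun 30 22:15:09 junsrx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 172.16.5.10/51244->172.16.0.24/23 None 6(0) log_and_drop HIPlan Raspberry UNKNOWN UNKNOWN N/A(N/A) fe-0/0/7.0
Jun 30 22:16:30 junsrx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 172.16.9.77/40001->172.16.0.24/1337 rodolphe-http 172.16.9.77/40001->172.16.50.6/1337 None http 6 http_rodolphe HIPlan Rodolphe 2033 N/A(N/A) fe-0/0/7.0
Jun 30 22:17:02 junsrx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.60.6/55000->10.70.0.6/21452 junos-ssh 192.168.60.6/55000->10.70.0.6/21452 None None 6 mgmt_Jeremie Jeremie Raspberry 2034 N/A(N/A) vlan.60
"""

# Common prefix of both message types: the 5-tuple before the NAT part.
FLOW = re.compile(
    r"RT_FLOW_SESSION_(?P<event>CREATE|DENY): session (?:created|denied) "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) (?P<rest>.*)$"
)


def parse_flow(line):
    """Return a dict for one RT_FLOW session line, or None for anything else."""
    m = FLOW.search(line)
    if not m:
        return None
    ev = m.groupdict()
    rest = ev.pop("rest").split()
    if ev["event"] == "CREATE":
        # service nat-src->nat-dst src-nat-rule dst-nat-rule proto policy from-zone to-zone ...
        ev.update(service=rest[0], nat=rest[1], policy=rest[5],
                  from_zone=rest[6], to_zone=rest[7])
    else:
        # service proto(icmp-type) policy from-zone to-zone ...
        ev.update(service=rest[0], nat=None, policy=rest[2],
                  from_zone=rest[3], to_zone=rest[4])
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev


def triage(log_text, honeypot_policy="ssh_honeypot", untrusted_zone="HIPlan"):
    """Who hit the honeypot from the untrusted zone, and which of those sources
    were also denied on other ports (probing beyond the bait)."""
    events = [e for e in map(parse_flow, log_text.splitlines()) if e]
    hits = Counter(e["src"] for e in events
                   if e["event"] == "CREATE" and e["policy"] == honeypot_policy
                   and e["from_zone"] == untrusted_zone)
    denied = defaultdict(set)
    for e in events:
        if e["event"] == "DENY" and e["from_zone"] == untrusted_zone:
            denied[e["src"]].add(e["dport"])
    return {
        "honeypot_hits": dict(hits),
        "denied_ports": {src: sorted(p) for src, p in denied.items()},
        "hit_and_probed": {src: sorted(p) for src, p in denied.items() if src in hits},
    }


if __name__ == "__main__":
    for key, value in triage(LOG).items():
        print(f"{key}: {value}")
```

The "hit_and_probed" list is the interesting one for the debrief: a source that connected to the bait and then went looking for other ports is a human or a scanner worth pairing with the honeypot's own session logs.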

Router/firewall configuration

The router/firewall I use is a Juniper (also called a services gateway), model SRX110, up to date with firmware 12.1X46-D50 dated 19 April 2016. Here is my configuration specific to Hack In Paris, meant to protect us from potential attackers. The full JunOS configuration follows:

#--------------------------------------#
#---[ First configuration device ]-----#
#--------------------------------------#

set system host-name junsrx
set system time-zone GMT
set system root-authentication encrypted-password "*******"
set system name-server 208.67.220.220
set system name-server 208.67.222.222
set system name-resolution no-resolve-on-input
set system syslog archive size 100k files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval

set system ntp server ntp.ovh.net
set system services ssh
set system services ssh protocol-version v2
set system services ssh rate-limit 3
set system services ssh connection-limit 2
# root-login had no value in the original; deny keeps root off SSH entirely.
set system services ssh root-login deny
set system services ssh max-sessions-per-connection 1
set system services web-management https port 36344
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.60
set system services web-management session idle-timeout 60
set system services web-management session-limit 1

# junos-ssh is a predefined application and must not be redefined; the
# alternate SSH port gets a custom name (no policy in this listing uses it).
set applications application ssh-44363 destination-port 44363
set applications application ssh-44363 protocol tcp
# set applications application junos_mailtrail   (left unfinished in the
# original: a custom application needs at least a protocol and a port)
set applications application rodolphe-http destination-port 1337
set applications application rodolphe-http protocol tcp
# A static route cannot carry an ARP binding; the binding belongs to the
# interface address. Pinning the gateway MAC keeps an attacker on the HIPlan
# LAN from hijacking the default gateway by ARP spoofing.
set routing-options static route 0.0.0.0/0 next-hop 172.16.1.1
set interfaces fe-0/0/7 unit 0 family inet address 172.16.0.24/19 arp 172.16.1.1 mac 00:04:23:d0:47:a2

#---------------------------------------#
#---[ Configuration : fe & lo0 ]--------#
#---------------------------------------#

set interfaces fe-0/0/7 description "HIPlan"
set interfaces fe-0/0/7 speed 100m
set interfaces fe-0/0/7 link-mode full-duplex
set interfaces fe-0/0/7 fastether-options no-auto-negotiation
set interfaces fe-0/0/7 unit 0 family inet address 172.16.0.24/19

set interfaces fe-0/0/6 description "Raspberry"
set interfaces fe-0/0/6 speed 100m
set interfaces fe-0/0/6 link-mode full-duplex
set interfaces fe-0/0/6 fastether-options no-auto-negotiation
set interfaces fe-0/0/6 unit 0 family ethernet-switching port-mode access
# An access port belongs to exactly one VLAN; "members all" would put the
# honeypot in every user VLAN and defeat the segmentation.
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members raspberry

set interfaces fe-0/0/5 description "Jeremie"
set interfaces fe-0/0/5 speed 100m
set interfaces fe-0/0/5 link-mode full-duplex
set interfaces fe-0/0/5 fastether-options no-auto-negotiation
set interfaces fe-0/0/5 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members jeremie

set interfaces fe-0/0/4 description "Rodolphe"
set interfaces fe-0/0/4 speed 100m
set interfaces fe-0/0/4 link-mode full-duplex
set interfaces fe-0/0/4 fastether-options no-auto-negotiation
set interfaces fe-0/0/4 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members rodolphe

set interfaces fe-0/0/3 description "Valentin"
set interfaces fe-0/0/3 speed 100m
set interfaces fe-0/0/3 link-mode full-duplex
set interfaces fe-0/0/3 fastether-options no-auto-negotiation
set interfaces fe-0/0/3 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members valentin

set interfaces fe-0/0/2 description "Arnaud"
set interfaces fe-0/0/2 speed 100m
set interfaces fe-0/0/2 link-mode full-duplex
set interfaces fe-0/0/2 fastether-options no-auto-negotiation
set interfaces fe-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members arnaud

set interfaces fe-0/0/1 description "Corentin"
set interfaces fe-0/0/1 speed 100m
set interfaces fe-0/0/1 link-mode full-duplex
set interfaces fe-0/0/1 fastether-options no-auto-negotiation
set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members corentin

set interfaces fe-0/0/0 description "Camille"
set interfaces fe-0/0/0 speed 100m
set interfaces fe-0/0/0 link-mode full-duplex
set interfaces fe-0/0/0 fastether-options no-auto-negotiation
set interfaces fe-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan members camille

set interfaces lo0 unit 0 family inet address 1.1.1.1/32

#-------------------------------#
#---[ Configuration : vlans ]---#
#-------------------------------#

set vlans raspberry vlan-id 70
set vlans jeremie vlan-id 60
set vlans rodolphe vlan-id 50
set vlans valentin vlan-id 40
set vlans arnaud vlan-id 30
set vlans corentin vlan-id 20
set vlans camille vlan-id 10

set interfaces vlan unit 70 family inet address 10.70.0.1/29
set interfaces vlan unit 60 family inet address 192.168.60.1/29
set interfaces vlan unit 50 family inet address 172.16.50.1/29
set interfaces vlan unit 40 family inet address 10.40.0.1/29
set interfaces vlan unit 30 family inet address 192.168.30.1/29
# Caveat: 172.16.20.0/29 lies inside the HIPlan prefix 172.16.0.0/19. The
# connected /29 wins in the routing table, so HIPlan hosts 172.16.20.0-7 are
# unreachable through this router. Pick a VLAN 20 prefix outside 172.16.0.0/19.
set interfaces vlan unit 20 family inet address 172.16.20.1/29
set interfaces vlan unit 10 family inet address 10.10.0.1/29

set vlans raspberry l3-interface vlan.70
set vlans jeremie l3-interface vlan.60
set vlans rodolphe l3-interface vlan.50
set vlans valentin l3-interface vlan.40
set vlans arnaud l3-interface vlan.30
set vlans corentin l3-interface vlan.20
set vlans camille l3-interface vlan.10

#-------------------------------------------#
#---[ Configuration : Security Zones ]------#
#-------------------------------------------#

# The screen referenced by HIPlan must exist; this is the SRX factory-default
# untrust-screen (it was missing from the listing).
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land

set security zones security-zone HIPlan interfaces fe-0/0/7.0
set security zones security-zone HIPlan screen untrust-screen

# Caveat: allowing ssh/https from the honeypot zone means a compromised Pi can
# reach the firewall's management plane. Prefer managing the SRX from vlan.60
# only, or restrict these services to the Pi's address with a firewall filter.
set security zones security-zone Raspberry interfaces vlan.70
set security zones security-zone Raspberry host-inbound-traffic system-services http
set security zones security-zone Raspberry host-inbound-traffic system-services https
set security zones security-zone Raspberry host-inbound-traffic system-services ssh
set security zones security-zone Raspberry address-book address network-70 10.70.0.0/29
set security zones security-zone Raspberry address-book address raspberry-pi 10.70.0.6/32

set security zones security-zone Jeremie interfaces vlan.60
set security zones security-zone Jeremie host-inbound-traffic system-services https
set security zones security-zone Jeremie host-inbound-traffic system-services ssh
set security zones security-zone Jeremie address-book address network-60 192.168.60.0/29
set security zones security-zone Jeremie address-book address jeremie-pc 192.168.60.6/32

set security zones security-zone Rodolphe interfaces vlan.50
set security zones security-zone Rodolphe address-book address network-50 172.16.50.0/29
set security zones security-zone Rodolphe address-book address rodolphe-pc 172.16.50.6/32

set security zones security-zone Valentin interfaces vlan.40
set security zones security-zone Valentin address-book address network-40 10.40.0.0/29
set security zones security-zone Valentin address-book address valentin-pc 10.40.0.6/32

set security zones security-zone Arnaud interfaces vlan.30
set security zones security-zone Arnaud address-book address network-30 192.168.30.0/29
set security zones security-zone Arnaud address-book address arnaud-pc 192.168.30.6/32

set security zones security-zone Corentin interfaces vlan.20
set security zones security-zone Corentin address-book address network-20 172.16.20.0/29
set security zones security-zone Corentin address-book address corentin-pc 172.16.20.6/32

set security zones security-zone Camille interfaces vlan.10
set security zones security-zone Camille address-book address network-10 10.10.0.0/29
set security zones security-zone Camille address-book address camille-pc 10.10.0.6/32

#------------------------------------#
#---[ Configuration : NAT source ]---#
#------------------------------------#

# Unused: every rule below uses "source-nat interface", which translates to
# the HIPlan interface address 172.16.0.24. The pools are listed as configured.
set security nat source pool gateway-vlan70 address 10.70.0.1/32
set security nat source pool gateway-vlan60 address 192.168.60.1/32
set security nat source pool gateway-vlan50 address 172.16.50.1/32
set security nat source pool gateway-vlan40 address 10.40.0.1/32
set security nat source pool gateway-vlan30 address 192.168.30.1/32
set security nat source pool gateway-vlan20 address 172.16.20.1/32
set security nat source pool gateway-vlan10 address 10.10.0.1/32

set security nat source rule-set src-vlan-70 from zone Raspberry
set security nat source rule-set src-vlan-70 to zone HIPlan
set security nat source rule-set src-vlan-70 rule vlan-70 match source-address 10.70.0.0/29
set security nat source rule-set src-vlan-70 rule vlan-70 match destination-address 0.0.0.0/0
set security nat source rule-set src-vlan-70 rule vlan-70 then source-nat interface

set security nat source rule-set src-vlan-60 from zone Jeremie   
set security nat source rule-set src-vlan-60 to zone HIPlan                                    
set security nat source rule-set src-vlan-60 rule vlan-60 match source-address 192.168.60.0/29
set security nat source rule-set src-vlan-60 rule vlan-60 match destination-address 0.0.0.0/0
set security nat source rule-set src-vlan-60 rule vlan-60 then source-nat interface

set security nat source rule-set src-vlan-50 from zone Rodolphe
set security nat source rule-set src-vlan-50 to zone HIPlan   
set security nat source rule-set src-vlan-50 rule vlan-50 match source-address 172.16.50.0/29
set security nat source rule-set src-vlan-50 rule vlan-50 match destination-address 0.0.0.0/0
set security nat source rule-set src-vlan-50 rule vlan-50 then source-nat interface

set security nat source rule-set src-vlan-40 from zone Valentin
set security nat source rule-set src-vlan-40 to zone HIPlan  
set security nat source rule-set src-vlan-40 rule vlan-40 match source-address 10.40.0.0/29
set security nat source rule-set src-vlan-40 rule vlan-40 match destination-address 0.0.0.0/0
set security nat source rule-set src-vlan-40 rule vlan-40 then source-nat interface

set security nat source rule-set src-vlan-30 from zone Arnaud
set security nat source rule-set src-vlan-30 to zone HIPlan  
set security nat source rule-set src-vlan-30 rule vlan-30 match source-address 192.168.30.0/29
set security nat source rule-set src-vlan-30 rule vlan-30 match destination-address 0.0.0.0/0
set security nat source rule-set src-vlan-30 rule vlan-30 then source-nat interface

set security nat source rule-set src-vlan-20 from zone Corentin
set security nat source rule-set src-vlan-20 to zone HIPlan  
set security nat source rule-set src-vlan-20 rule vlan-20 match source-address 172.16.20.0/29
set security nat source rule-set src-vlan-20 rule vlan-20 match destination-address 0.0.0.0/0
set security nat source rule-set src-vlan-20 rule vlan-20 then source-nat interface

set security nat source rule-set src-vlan-10 from zone Camille
set security nat source rule-set src-vlan-10 to zone HIPlan  
set security nat source rule-set src-vlan-10 rule vlan-10 match source-address 10.10.0.0/29
set security nat source rule-set src-vlan-10 rule vlan-10 match destination-address 0.0.0.0/0
set security nat source rule-set src-vlan-10 rule vlan-10 then source-nat interface

#-----------------------------------------#
#---[ Configuration : NAT destination ]---#
#-----------------------------------------#

# Destination NAT is matched on the packet as it arrives from HIPlan, i.e. on
# the SRX's own address 172.16.0.24, not on the private address behind it
# (the original matched 10.70.0.6 and 172.16.50.6, which no inbound packet
# ever carries). A rule-set also needs a "from" context, and one from-zone
# can only appear in one destination rule-set, so both rules share it.
set security nat destination pool raspberry-pi address 10.70.0.6/32 port 21452
set security nat destination pool rodolphe-pc address 172.16.50.6/32 port 1337

set security nat destination rule-set dest-hiplan from zone HIPlan
set security nat destination rule-set dest-hiplan rule ssh match source-address 0.0.0.0/0
set security nat destination rule-set dest-hiplan rule ssh match destination-address 172.16.0.24/32
set security nat destination rule-set dest-hiplan rule ssh match destination-port 22
set security nat destination rule-set dest-hiplan rule ssh then destination-nat pool raspberry-pi
set security nat destination rule-set dest-hiplan rule http match source-address 0.0.0.0/0
set security nat destination rule-set dest-hiplan rule http match destination-address 172.16.0.24/32
set security nat destination rule-set dest-hiplan rule http match destination-port 1337
set security nat destination rule-set dest-hiplan rule http then destination-nat pool rodolphe-pc

#------------------------------------#
#---[ Configuration : policies ]-----#
#------------------------------------#

set security policies default-policy deny-all

# Security policies are evaluated after destination NAT, so the destination to
# match here is the translated address (raspberry-pi, 10.70.0.6), not the
# address the attacker connected to.
set security policies from-zone HIPlan to-zone Raspberry policy ssh_honeypot match source-address any
set security policies from-zone HIPlan to-zone Raspberry policy ssh_honeypot match destination-address raspberry-pi
set security policies from-zone HIPlan to-zone Raspberry policy ssh_honeypot match application any
set security policies from-zone HIPlan to-zone Raspberry policy ssh_honeypot then permit
set security policies from-zone HIPlan to-zone Raspberry policy ssh_honeypot then log session-init
set security policies from-zone HIPlan to-zone Raspberry policy ssh_honeypot then log session-close

set security policies from-zone HIPlan to-zone Rodolphe policy http_rodolphe match source-address any
set security policies from-zone HIPlan to-zone Rodolphe policy http_rodolphe match destination-address rodolphe-pc
set security policies from-zone HIPlan to-zone Rodolphe policy http_rodolphe match application any
set security policies from-zone HIPlan to-zone Rodolphe policy http_rodolphe then permit
set security policies from-zone HIPlan to-zone Rodolphe policy http_rodolphe then log session-init
set security policies from-zone HIPlan to-zone Rodolphe policy http_rodolphe then log session-close

# "reject" answers with a TCP RST / ICMP unreachable, which tells a scanner
# the firewall is there; "deny" drops silently. Kept as chosen. Only
# session-init can be logged for rejected traffic: no session exists to close.
set security policies from-zone HIPlan to-zone Raspberry policy log_and_drop match source-address any
set security policies from-zone HIPlan to-zone Raspberry policy log_and_drop match destination-address any
set security policies from-zone HIPlan to-zone Raspberry policy log_and_drop match application any
set security policies from-zone HIPlan to-zone Raspberry policy log_and_drop then reject
set security policies from-zone HIPlan to-zone Raspberry policy log_and_drop then log session-init

set security policies from-zone Raspberry to-zone HIPlan policy All_HIPlan match source-address network-70
set security policies from-zone Raspberry to-zone HIPlan policy All_HIPlan match destination-address any
set security policies from-zone Raspberry to-zone HIPlan policy All_HIPlan match application any
set security policies from-zone Raspberry to-zone HIPlan policy All_HIPlan then permit

# Jérémie manages the honeypot from his PC, so the policy goes from the
# Jeremie zone to the Raspberry zone (the original had the zones reversed,
# with a source address that does not exist in the Raspberry zone) and is
# pinned to the two hosts. The broader any/any mgmt_Jeremie2 policy that
# duplicated it is folded into this one.
set security policies from-zone Jeremie to-zone Raspberry policy mgmt_Jeremie match source-address jeremie-pc
set security policies from-zone Jeremie to-zone Raspberry policy mgmt_Jeremie match destination-address raspberry-pi
set security policies from-zone Jeremie to-zone Raspberry policy mgmt_Jeremie match application any
set security policies from-zone Jeremie to-zone Raspberry policy mgmt_Jeremie then permit
set security policies from-zone Jeremie to-zone Raspberry policy mgmt_Jeremie then log session-init
set security policies from-zone Jeremie to-zone Raspberry policy mgmt_Jeremie then log session-close

set security policies from-zone Jeremie to-zone HIPlan policy All_HIPlan match source-address network-60
set security policies from-zone Jeremie to-zone HIPlan policy All_HIPlan match destination-address any
set security policies from-zone Jeremie to-zone HIPlan policy All_HIPlan match application any
set security policies from-zone Jeremie to-zone HIPlan policy All_HIPlan then permit

set security policies from-zone Rodolphe to-zone HIPlan policy All_HIPlan match source-address network-50
set security policies from-zone Rodolphe to-zone HIPlan policy All_HIPlan match destination-address any
set security policies from-zone Rodolphe to-zone HIPlan policy All_HIPlan match application any
set security policies from-zone Rodolphe to-zone HIPlan policy All_HIPlan then permit

# The original carried an intrazone HIPlan-to-HIPlan policy aimed at
# 172.16.50.6; that host lives in the Rodolphe zone, so the policy could never
# match (and it lacked its application term). HIPlan-to-Rodolphe traffic is
# already covered by http_rodolphe above.

set security policies from-zone Valentin to-zone HIPlan policy All_HIPlan match source-address network-40
set security policies from-zone Valentin to-zone HIPlan policy All_HIPlan match destination-address any
set security policies from-zone Valentin to-zone HIPlan policy All_HIPlan match application any
set security policies from-zone Valentin to-zone HIPlan policy All_HIPlan then permit

set security policies from-zone Arnaud to-zone HIPlan policy All_HIPlan match source-address network-30
set security policies from-zone Arnaud to-zone HIPlan policy All_HIPlan match destination-address any
set security policies from-zone Arnaud to-zone HIPlan policy All_HIPlan match application any
set security policies from-zone Arnaud to-zone HIPlan policy All_HIPlan then permit

set security policies from-zone Corentin to-zone HIPlan policy All_HIPlan match source-address network-20
set security policies from-zone Corentin to-zone HIPlan policy All_HIPlan match destination-address any
set security policies from-zone Corentin to-zone HIPlan policy All_HIPlan match application any
set security policies from-zone Corentin to-zone HIPlan policy All_HIPlan then permit

set security policies from-zone Camille to-zone HIPlan policy All_HIPlan match source-address network-10
set security policies from-zone Camille to-zone HIPlan policy All_HIPlan match destination-address any
set security policies from-zone Camille to-zone HIPlan policy All_HIPlan match application any
set security policies from-zone Camille to-zone HIPlan policy All_HIPlan then permit
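Mistakes of one particular kind creep into a listing this long: a NAT rule-set naming a zone that does not exist, an l3-interface bound to a VLAN that was never given a vlan-id, a screen referenced but never defined. The script below is an added example (mine, not a Juniper tool and not part of the original post): it indexes a set-format config, records every object it defines (zones, address-book entries, NAT pools, screens, VLANs) and every place such a name is referenced, and reports references whose target is undefined, which is what a `commit check` would reject. SAMPLE is constructed for the demo as a cut-down version of the configuration with two such slips deliberately left in; the regexes cover the statement shapes used on this page and would need extending for others.

```python
"""Dangling-reference check for a Junos SRX config in 'set' format.

Added example, not part of the original post and not a Juniper tool. SAMPLE is
a constructed cut-down config with two deliberate errors: a VLAN 'quentin'
that is referenced but never defined, and a NAT rule-set pointing at a zone
'RaspberryPi' that does not exist.
"""
import re
from collections import defaultdict

SAMPLE = """
set vlans raspberry vlan-id 70
set vlans jeremie vlan-id 60
set vlans raspberry l3-interface vlan.70
set vlans quentin l3-interface vlan.50
set security screen ids-option untrust-screen tcp syn-flood
set security zones security-zone HIPlan screen untrust-screen
set security zones security-zone Raspberry interfaces vlan.70
set security zones security-zone Raspberry address-book address raspberry-pi 10.70.0.6/32
set security zones security-zone Jeremie interfaces vlan.60
set security nat source rule-set src-vlan-70 from zone RaspberryPi
set security nat source rule-set src-vlan-70 to zone HIPlan
set security nat destination pool raspberry-pi address 10.70.0.6/32 port 21452
set security nat destination rule-set dest-honeypot rule ssh then destination-nat pool raspberry-pi
set security policies from-zone HIPlan to-zone Raspberry policy ssh_honeypot match source-address any
set security policies from-zone HIPlan to-zone Raspberry policy ssh_honeypot match destination-address raspberry-pi
set security policies from-zone HIPlan to-zone Raspberry policy ssh_honeypot then permit
"""

# (kind, regex capturing the name a statement DEFINES)
DEFINITIONS = [
    ("zone",    re.compile(r"^set security zones security-zone (\S+) ")),
    ("address", re.compile(r"^set security zones security-zone \S+ address-book address (\S+) ")),
    ("pool",    re.compile(r"^set security nat (?:source|destination) pool (\S+) ")),
    ("screen",  re.compile(r"^set security screen ids-option (\S+) ")),
    ("vlan",    re.compile(r"^set vlans (\S+) vlan-id ")),
]
# (kind, regex capturing the name a statement REFERENCES)
REFERENCES = [
    ("zone",    re.compile(r"^set security nat \S+ rule-set \S+ (?:from|to) zone (\S+)")),
    ("zone",    re.compile(r"^set security policies from-zone (\S+) to-zone")),
    ("zone",    re.compile(r"^set security policies from-zone \S+ to-zone (\S+) ")),
    ("address", re.compile(r"^set security policies .* match (?:source|destination)-address (\S+)")),
    ("pool",    re.compile(r"^set security nat \S+ rule-set .* then (?:source|destination)-nat pool (\S+)")),
    ("screen",  re.compile(r"^set security zones security-zone \S+ screen (\S+)")),
    ("vlan",    re.compile(r"^set vlans (\S+) l3-interface ")),
]
# Names Junos provides without a definition in the config.
BUILTIN = {"address": {"any", "any-ipv4", "any-ipv6"}}


def index_config(text):
    """Return ({kind: set of defined names}, [(kind, name, line), ...])."""
    defined, refs = defaultdict(set), []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("set "):
            continue                      # skip blanks and '#' comments
        for kind, rx in DEFINITIONS:
            m = rx.match(line)
            if m:
                defined[kind].add(m.group(1))
        for kind, rx in REFERENCES:
            m = rx.match(line)
            if m and m.group(1) not in BUILTIN.get(kind, ()):
                refs.append((kind, m.group(1), line))
    return defined, refs


def dangling_references(text):
    """(kind, name, line) for every reference whose target is never defined."""
    defined, refs = index_config(text)
    return [(k, n, l) for k, n, l in refs if n not in defined[k]]


if __name__ == "__main__":
    for kind, name, line in dangling_references(SAMPLE):
        print(f"undefined {kind} '{name}': {line}")
```

Run it on `show configuration | display set` output before committing; a zone typo in a NAT rule-set is the kind of error that is easy to miss in a 300-line listing and trivial to catch this way.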