Setting up protection for the Nuit Du Hack
Protecting our communications, our data and our systems at Hack In Paris matters. Millions of flows will be exchanged during the night, so some preparation with a minimum of security has to be done beforehand, because we know we will be a target for attackers. That is why I am taking on this small project, SafeNight, with a Juniper SRX100H2 firewall router running JunOS 12.1X46-D52.
Prerequisites:
- The bare minimum is an up-to-date system that is still maintained by its vendor. Ideally your machine runs a local firewall with your own rules, with no file sharing and without software such as Flash Player, Reader DC, Java or an old browser. At the time of writing, Windows users will have to patch DNS.
- Vigilance is required during the event. Lock your machine whenever you leave your seat, and keep watch over your own equipment as well as your colleagues'.
- Address allocation on the network: the SRX100 will not run any DHCP server on the different networks, but 6 IP addresses will be available per VLAN. I will hand you your address range at the start of the event. There are 8 ports available; in each range, 2 addresses are reserved (.1 for the gateway, and .6 must be your PC). Here is a breakdown of your network, VLAN and physical port, and the person connecting to it:
Network | VLAN | Port | User |
---|---|---|---|
10.10.0.0/29 | 10 | ge0 | Camille |
172.16.20.0/29 | 20 | ge1 | Emmanuel |
192.168.30.0/29 | 30 | ge2 | Arnaud |
10.40.0.0/29 | 40 | ge3 | Valentin |
172.16.50.0/29 | 50 | ge4 | Florian |
192.168.60.0/29 | 60 | ge5 | Jérémie |
10.70.0.0/29 | 70 | ge6 | Raspberry |
172.16.0.24/19 | / | ge7 | HIPlan |
Information:
- Network segmentation: for everyone's benefit, each port is confined to its own VLAN so that we are independent of one another. Nothing inspects your frames except the Juniper (logs).
- For the confidentiality of your data towards the Internet, I suggest you do as I do and use an OpenVPN server as a secure exit node. For those who do not have one, I can set one up in a Docker container if needed.
- The Raspberry Pi will run a honeypot on the SSH port (logs collected at the end), and maltrail will tell us about known attacks (it is purely a challenge, to store the opponents' attacks).
Router/firewall configuration
The router/firewall I use is a Juniper (also called a services gateway), model SRX110, up to date with firmware 12.1X46-D50 dated 19 April 2016. Here is my specific configuration for Hack In Paris to protect us from potential attackers. Here is my full JunOS configuration:
```
#--------------------------------------#
#---[ First configuration device ]-----#
#--------------------------------------#
set system host-name junsrx
set system time-zone GMT
set system root-authentication encrypted-password "*******"
# one name-server per statement
set system name-server 208.67.220.220
set system name-server 208.67.222.222
set system name-resolution no-resolve-on-input
set system syslog archive size 100k files 3
set system syslog user * any emergency
set system syslog file message any critical
set system syslog file message authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollback 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
# NTP lives under [system ntp], not [system services]
set system ntp server ntp.ovh.net
set system services ssh
set system services ssh protocol-version v2
set system services ssh rate-limit 3 connection-limit 2
# root-login takes an argument (allow | deny); it is missing in the original
set system services ssh root-login
set system services ssh max-sessions-per-connection 1
set system services web-management https port 36344
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.60
set system services web-management session idle-timeout 60
set system services web-management session session-limit 1
set applications application junos-ssh destination-port 44363
set applications application junos-ssh protocol tcp
set applications application junos-ssh application-protocol ssh
# incomplete in the original: no protocol or port given for this application
set applications application junos_mailtrail
set applications application rodolphe-http destination-port 1337
set applications application rodolphe-http protocol tcp
set routing-options static route 0.0.0.0/0 next-hop 172.16.1.1
# the static ARP entry for the next hop belongs under the uplink address
set interfaces fe-0/0/7 unit 0 family inet address 172.16.0.24/19 arp 172.16.1.1 mac 00:04:23:d0:47:a2
#---------------------------------------#
#---[ Configuration : fe & lo0 ]--------#
#---------------------------------------#
set interfaces fe-0/0/7 description "HIPlan"
set interfaces fe-0/0/7 speed 100m
set interfaces fe-0/0/7 link-mode full-duplex
set interfaces fe-0/0/7 fastether-options no-auto-negotiation
set interfaces fe-0/0/7 unit 0 family inet address 172.16.0.24/19
set interfaces fe-0/0/6 description "Raspberry"
set interfaces fe-0/0/6 speed 100m
set interfaces fe-0/0/6 link-mode full-duplex
set interfaces fe-0/0/6 fastether-options no-auto-negotiation
set interfaces fe-0/0/6 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members all
set interfaces fe-0/0/5 description "Jeremie"
set interfaces fe-0/0/5 speed 100m
set interfaces fe-0/0/5 link-mode full-duplex
set interfaces fe-0/0/5 fastether-options no-auto-negotiation
set interfaces fe-0/0/5 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members jeremie
set interfaces fe-0/0/4 description "Rodolphe"
set interfaces fe-0/0/4 speed 100m
set interfaces fe-0/0/4 link-mode full-duplex
set interfaces fe-0/0/4 fastether-options no-auto-negotiation
set interfaces fe-0/0/4 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members rodolphe
set interfaces fe-0/0/3 description "Valentin"
set interfaces fe-0/0/3 speed 100m
set interfaces fe-0/0/3 link-mode full-duplex
set interfaces fe-0/0/3 fastether-options no-auto-negotiation
set interfaces fe-0/0/3 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members valentin
set interfaces fe-0/0/2 description "Arnaud"
set interfaces fe-0/0/2 speed 100m
set interfaces fe-0/0/2 link-mode full-duplex
set interfaces fe-0/0/2 fastether-options no-auto-negotiation
set interfaces fe-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members arnaud
set interfaces fe-0/0/1 description "Corentin"
set interfaces fe-0/0/1 speed 100m
set interfaces fe-0/0/1 link-mode full-duplex
set interfaces fe-0/0/1 fastether-options no-auto-negotiation
set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members corentin
set interfaces fe-0/0/0 description "Camille"
set interfaces fe-0/0/0 speed 100m
set interfaces fe-0/0/0 link-mode full-duplex
set interfaces fe-0/0/0 fastether-options no-auto-negotiation
set interfaces fe-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan members camille
set interfaces lo0 unit 0 family inet address 1.1.1.1/32
#-------------------------------#
#---[ Configuration : vlans ]---#
#-------------------------------#
set vlans raspberry vlan-id 70
set vlans jeremie vlan-id 60
set vlans rodolphe vlan-id 50
set vlans valentin vlan-id 40
set vlans arnaud vlan-id 30
set vlans corentin vlan-id 20
set vlans camille vlan-id 10
set interfaces vlan unit 70 family inet address 10.70.0.1/29
set interfaces vlan unit 60 family inet address 192.168.60.1/29
set interfaces vlan unit 50 family inet address 172.16.50.1/29
set interfaces vlan unit 40 family inet address 10.40.0.1/29
set interfaces vlan unit 30 family inet address 192.168.30.1/29
set interfaces vlan unit 20 family inet address 172.16.20.1/29
set interfaces vlan unit 10 family inet address 10.10.0.1/29
set vlans raspberry l3-interface vlan.70
set vlans jeremie l3-interface vlan.60
# the original binds vlan.50 to a VLAN named "quentin", which has no vlan-id; VLAN 50 is "rodolphe"
set vlans rodolphe l3-interface vlan.50
set vlans valentin l3-interface vlan.40
set vlans arnaud l3-interface vlan.30
set vlans corentin l3-interface vlan.20
set vlans camille l3-interface vlan.10
#-------------------------------------------#
#---[ Configuration : Security Zones ]------#
#-------------------------------------------#
# the original lists both fe-0/0/7 and fe-0/0/7.0; only the logical unit is needed
set security zones security-zone HIPlan interfaces fe-0/0/7.0
# untrust-screen must exist under [security screen ids-option] (factory default provides it)
set security zones security-zone HIPlan screen untrust-screen
set security zones security-zone Raspberry interfaces vlan.70
# kept from the original; fe-0/0/0 is Camille's switching port and cannot be a zone member
set security zones security-zone Raspberry interfaces fe-0/0/0
set security zones security-zone Raspberry host-inbound-traffic system-services http
set security zones security-zone Raspberry host-inbound-traffic system-services https
set security zones security-zone Raspberry host-inbound-traffic system-services ssh
# kept from the original; host-inbound protocols are routing protocols (ospf, bgp...), not tcp
set security zones security-zone Raspberry host-inbound-traffic protocols tcp
set security zones security-zone Raspberry address-book address network-70 10.70.0.0/29
set security zones security-zone Raspberry address-book address raspberry-pi 10.70.0.6/32
set security zones security-zone Raspberry address-book address jeremie-pc 192.168.60.6/32
set security zones security-zone Jeremie interfaces vlan.60
set security zones security-zone Jeremie host-inbound-traffic system-services https
set security zones security-zone Jeremie host-inbound-traffic system-services ssh
set security zones security-zone Jeremie host-inbound-traffic protocols tcp
set security zones security-zone Jeremie address-book address network-60 192.168.60.0/29
set security zones security-zone Jeremie address-book address jeremie-pc 192.168.60.6/32
set security zones security-zone Rodolphe interfaces vlan.50
set security zones security-zone Rodolphe address-book address network-50 172.16.50.0/29
set security zones security-zone Rodolphe address-book address rodolphe-pc 172.16.50.6/32
set security zones security-zone Valentin interfaces vlan.40
set security zones security-zone Valentin address-book address network-40 10.40.0.0/29
set security zones security-zone Valentin address-book address valentin-pc 10.40.0.6/32
set security zones security-zone Arnaud interfaces vlan.30
set security zones security-zone Arnaud address-book address network-30 192.168.30.0/29
set security zones security-zone Arnaud address-book address arnaud-pc 192.168.30.6/32
set security zones security-zone Corentin interfaces vlan.20
set security zones security-zone Corentin address-book address network-20 172.16.20.0/29
set security zones security-zone Corentin address-book address corentin-pc 172.16.20.6/32
set security zones security-zone Camille interfaces vlan.10
set security zones security-zone Camille address-book address network-10 10.10.0.0/29
set security zones security-zone Camille address-book address camille-pc 10.10.0.6/32
#------------------------------------#
#---[ Configuration : NAT source ]---#
#------------------------------------#
# these pools are defined but unused: every rule below uses "source-nat interface"
set security nat source pool gateway-vlan70 address 10.70.0.1/32
set security nat source pool gateway-vlan60 address 192.168.60.1/32
set security nat source pool gateway-vlan50 address 172.16.50.1/32
set security nat source pool gateway-vlan40 address 10.40.0.1/32
set security nat source pool gateway-vlan30 address 192.168.30.1/32
set security nat source pool gateway-vlan20 address 172.16.20.1/32
set security nat source pool gateway-vlan10 address 10.10.0.1/32
# the original says "from zone RaspberryPi"; the zone is named Raspberry
set security nat source rule-set src-vlan-70 from zone Raspberry
set security nat source rule-set src-vlan-70 to zone HIPlan
set security nat source rule-set src-vlan-70 rule vlan-70 match source-address 10.70.0.0/29
set security nat source rule-set src-vlan-70 rule vlan-70 match destination-address 0.0.0.0/0
set security nat source rule-set src-vlan-70 rule vlan-70 then source-nat interface
set security nat source rule-set src-vlan-60 from zone Jeremie
set security nat source rule-set src-vlan-60 to zone HIPlan
set security nat source rule-set src-vlan-60 rule vlan-60 match source-address 192.168.60.0/29
set security nat source rule-set src-vlan-60 rule vlan-60 match destination-address 0.0.0.0/0
set security nat source rule-set src-vlan-60 rule vlan-60 then source-nat interface
set security nat source rule-set src-vlan-50 from zone Rodolphe
set security nat source rule-set src-vlan-50 to zone HIPlan
set security nat source rule-set src-vlan-50 rule vlan-50 match source-address 172.16.50.0/29
set security nat source rule-set src-vlan-50 rule vlan-50 match destination-address 0.0.0.0/0
set security nat source rule-set src-vlan-50 rule vlan-50 then source-nat interface
set security nat source rule-set src-vlan-40 from zone Valentin
set security nat source rule-set src-vlan-40 to zone HIPlan
set security nat source rule-set src-vlan-40 rule vlan-40 match source-address 10.40.0.0/29
set security nat source rule-set src-vlan-40 rule vlan-40 match destination-address 0.0.0.0/0
set security nat source rule-set src-vlan-40 rule vlan-40 then source-nat interface
set security nat source rule-set src-vlan-30 from zone Arnaud
set security nat source rule-set src-vlan-30 to zone HIPlan
set security nat source rule-set src-vlan-30 rule vlan-30 match source-address 192.168.30.0/29
set security nat source rule-set src-vlan-30 rule vlan-30 match destination-address 0.0.0.0/0
set security nat source rule-set src-vlan-30 rule vlan-30 then source-nat interface
set security nat source rule-set src-vlan-20 from zone Corentin
set security nat source rule-set src-vlan-20 to zone HIPlan
set security nat source rule-set src-vlan-20 rule vlan-20 match source-address 172.16.20.0/29
set security nat source rule-set src-vlan-20 rule vlan-20 match destination-address 0.0.0.0/0
set security nat source rule-set src-vlan-20 rule vlan-20 then source-nat interface
set security nat source rule-set src-vlan-10 from zone Camille
set security nat source rule-set src-vlan-10 to zone HIPlan
set security nat source rule-set src-vlan-10 rule vlan-10 match source-address 10.10.0.0/29
set security nat source rule-set src-vlan-10 rule vlan-10 match destination-address 0.0.0.0/0
set security nat source rule-set src-vlan-10 rule vlan-10 then source-nat interface
#-----------------------------------------#
#---[ Configuration : NAT destination ]---#
#-----------------------------------------#
set security nat destination pool raspberry-pi address 10.70.0.6/32 port 21452
# a destination rule-set needs a "from" context; the original omits it, HIPlan is assumed
set security nat destination rule-set dest-honeypot from zone HIPlan
set security nat destination rule-set dest-honeypot rule ssh match source-address 0.0.0.0/0
set security nat destination rule-set dest-honeypot rule ssh match destination-address 10.70.0.6/32
set security nat destination rule-set dest-honeypot rule ssh match destination-port 22
set security nat destination rule-set dest-honeypot rule ssh then destination-nat pool raspberry-pi
set security nat destination pool rodolphe-pc address 172.16.50.6/32 port 1337
# "from zone HIPlan" assumed here as well
set security nat destination rule-set dest-rodolphePC from zone HIPlan
set security nat destination rule-set dest-rodolphePC rule http match source-address 0.0.0.0/0
set security nat destination rule-set dest-rodolphePC rule http match destination-address 172.16.50.6/32
set security nat destination rule-set dest-rodolphePC rule http match destination-port 1337
set security nat destination rule-set dest-rodolphePC rule http then destination-nat pool rodolphe-pc
#------------------------------------#
#---[ Configuration : policies ]-----#
#------------------------------------#
set security policies default-policy deny-all
set security policies from-zone HIPlan to-zone Raspberry policy ssh_honeypot match source-address any
set security policies from-zone HIPlan to-zone Raspberry policy ssh_honeypot match destination-address raspberry-pi
set security policies from-zone HIPlan to-zone Raspberry policy ssh_honeypot match application any
set security policies from-zone HIPlan to-zone Raspberry policy ssh_honeypot then permit
set security policies from-zone HIPlan to-zone Raspberry policy ssh_honeypot then log session-init
set security policies from-zone HIPlan to-zone Raspberry policy ssh_honeypot then log session-close
set security policies from-zone HIPlan to-zone Rodolphe policy http_rodolphe match source-address any
set security policies from-zone HIPlan to-zone Rodolphe policy http_rodolphe match destination-address rodolphe-pc
set security policies from-zone HIPlan to-zone Rodolphe policy http_rodolphe match application any
set security policies from-zone HIPlan to-zone Rodolphe policy http_rodolphe then permit
set security policies from-zone HIPlan to-zone Rodolphe policy http_rodolphe then log session-init
set security policies from-zone HIPlan to-zone Rodolphe policy http_rodolphe then log session-close
set security policies from-zone HIPlan to-zone Raspberry policy log_and_drop match source-address any
set security policies from-zone HIPlan to-zone Raspberry policy log_and_drop match destination-address any
set security policies from-zone HIPlan to-zone Raspberry policy log_and_drop match application any
# "reject" and "log" are separate actions
set security policies from-zone HIPlan to-zone Raspberry policy log_and_drop then reject
set security policies from-zone HIPlan to-zone Raspberry policy log_and_drop then log session-init
set security policies from-zone HIPlan to-zone Raspberry policy log_and_drop then log session-close
set security policies from-zone Raspberry to-zone HIPlan policy All_HIPlan match source-address network-70
set security policies from-zone Raspberry to-zone HIPlan policy All_HIPlan match destination-address any
set security policies from-zone Raspberry to-zone HIPlan policy All_HIPlan match application any
set security policies from-zone Raspberry to-zone HIPlan policy All_HIPlan then permit
set security policies from-zone Raspberry to-zone Jeremie policy mgmt_Jeremie match source-address 192.168.60.6/32
set security policies from-zone Raspberry to-zone Jeremie policy mgmt_Jeremie match destination-address any
set security policies from-zone Raspberry to-zone Jeremie policy mgmt_Jeremie match application any
set security policies from-zone Raspberry to-zone Jeremie policy mgmt_Jeremie then permit
set security policies from-zone Raspberry to-zone Jeremie policy mgmt_Jeremie then log session-init
set security policies from-zone Raspberry to-zone Jeremie policy mgmt_Jeremie then log session-close
set security policies from-zone Jeremie to-zone HIPlan policy All_HIPlan match source-address network-60
set security policies from-zone Jeremie to-zone HIPlan policy All_HIPlan match destination-address any
set security policies from-zone Jeremie to-zone HIPlan policy All_HIPlan match application any
set security policies from-zone Jeremie to-zone HIPlan policy All_HIPlan then permit
set security policies from-zone Jeremie to-zone Raspberry policy mgmt_Jeremie2 match source-address any
set security policies from-zone Jeremie to-zone Raspberry policy mgmt_Jeremie2 match destination-address any
set security policies from-zone Jeremie to-zone Raspberry policy mgmt_Jeremie2 match application any
set security policies from-zone Jeremie to-zone Raspberry policy mgmt_Jeremie2 then permit
set security policies from-zone Rodolphe to-zone HIPlan policy All_HIPlan match source-address network-50
set security policies from-zone Rodolphe to-zone HIPlan policy All_HIPlan match destination-address any
set security policies from-zone Rodolphe to-zone HIPlan policy All_HIPlan match application any
set security policies from-zone Rodolphe to-zone HIPlan policy All_HIPlan then permit
set security policies from-zone HIPlan to-zone HIPlan policy http_HIPLan match source-address any
set security policies from-zone HIPlan to-zone HIPlan policy http_HIPLan match destination-address 172.16.50.6/32
# the original has an incomplete statement here with no "match application"; "any" is assumed
set security policies from-zone HIPlan to-zone HIPlan policy http_HIPLan match application any
set security policies from-zone HIPlan to-zone HIPlan policy http_HIPLan then permit
set security policies from-zone Valentin to-zone HIPlan policy All_HIPlan match source-address network-40
set security policies from-zone Valentin to-zone HIPlan policy All_HIPlan match destination-address any
set security policies from-zone Valentin to-zone HIPlan policy All_HIPlan match application any
set security policies from-zone Valentin to-zone HIPlan policy All_HIPlan then permit
set security policies from-zone Arnaud to-zone HIPlan policy All_HIPlan match source-address network-30
set security policies from-zone Arnaud to-zone HIPlan policy All_HIPlan match destination-address any
set security policies from-zone Arnaud to-zone HIPlan policy All_HIPlan match application any
set security policies from-zone Arnaud to-zone HIPlan policy All_HIPlan then permit
set security policies from-zone Corentin to-zone HIPlan policy All_HIPlan match source-address network-20
set security policies from-zone Corentin to-zone HIPlan policy All_HIPlan match destination-address any
set security policies from-zone Corentin to-zone HIPlan policy All_HIPlan match application any
set security policies from-zone Corentin to-zone HIPlan policy All_HIPlan then permit
set security policies from-zone Camille to-zone HIPlan policy All_HIPlan match source-address network-10
set security policies from-zone Camille to-zone HIPlan policy All_HIPlan match destination-address any
set security policies from-zone Camille to-zone HIPlan policy All_HIPlan match application any
set security policies from-zone Camille to-zone HIPlan policy All_HIPlan then permit
```
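A configuration of this size, typed by hand before an event, tends to accumulate naming mismatches between sections: a zone spelled one way in the zone definition and another way in a NAT rule-set, a VLAN bound to an l3-interface under a name that never got a vlan-id, a policy matching an address that is not in the relevant zone's address-book. Each of these either fails at commit time or silently leaves a segment without NAT or without its intended policy. The script below is an added example, not the author's configuration and not a Juniper tool: it cross-references a set-format JunOS configuration and reports dangling names. The embedded sample is a constructed excerpt modelled on the configuration above and deliberately includes the kinds of mistake just described. It assumes, as in this JunOS version, that a policy's source addresses resolve in the from-zone's address-book and its destination addresses in the to-zone's; a global address-book would need one more lookup.

```python
"""Cross-reference checker for a JunOS 'set'-format configuration.

Added example, not part of the original post and not a Juniper tool. It collects
the objects a configuration defines (security zones, VLANs, zone address-book
entries, destination-NAT pools) and the names other statements refer to, then
reports references that point at nothing.
"""
from collections import defaultdict

# Constructed excerpt modelled on the post's configuration; it deliberately
# carries the kinds of mismatch a hand-typed configuration accumulates.
SAMPLE_CONFIG = """\
set vlans raspberry vlan-id 70
set vlans rodolphe vlan-id 50
set vlans raspberry l3-interface vlan.70
set vlans quentin l3-interface vlan.50
set security zones security-zone HIPlan interfaces fe-0/0/7.0
set security zones security-zone Raspberry interfaces vlan.70
set security zones security-zone Raspberry address-book address raspberry-pi 10.70.0.6/32
set security zones security-zone Jeremie interfaces vlan.60
set security zones security-zone Rodolphe interfaces vlan.50
set security nat source rule-set src-vlan-70 from zone RaspberryPi
set security nat source rule-set src-vlan-70 to zone HIPlan
set security nat destination pool raspberry-pi address 10.70.0.6/32 port 21452
set security nat destination rule-set dest-honeypot from zone HIPlan
set security nat destination rule-set dest-honeypot rule ssh then destination-nat pool raspberry-pi
set security policies from-zone HIPlan to-zone Raspberry policy ssh_honeypot match source-address any
set security policies from-zone HIPlan to-zone Raspberry policy ssh_honeypot match destination-address raspberry-pi
set security policies from-zone Raspberry to-zone Jeremie policy mgmt_Jeremie match source-address 192.168.60.6/32
set security policies from-zone HIPlan to-zone Rodolphe policy http_rodolphe match destination-address rodolphe-pc
"""


def statements(config_text):
    """Yield the tokens after 'set' for each statement; blanks and # comments are skipped."""
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] == "set":
            yield tokens[1:]


def check(config_text):
    """Return a list of human-readable findings; an empty list means no dangling names."""
    vlan_ids, vlan_l3 = {}, {}
    zones, nat_pools = set(), set()
    address_book = defaultdict(set)          # zone name -> address-book entry names
    zone_refs, pool_refs, addr_refs = [], [], []

    for t in statements(config_text):
        if t[0] == "vlans" and len(t) >= 4:
            if t[2] == "vlan-id":
                vlan_ids[t[1]] = t[3]
            elif t[2] == "l3-interface":
                vlan_l3[t[1]] = t[3]
        elif t[:3] == ["security", "zones", "security-zone"] and len(t) >= 4:
            zones.add(t[3])
            if t[4:6] == ["address-book", "address"] and len(t) >= 7:
                address_book[t[3]].add(t[6])
        elif t[:2] == ["security", "nat"] and len(t) >= 5:
            if t[2] == "destination" and t[3] == "pool":
                nat_pools.add(t[4])
            elif t[3] == "rule-set":
                ctx = f"nat {t[2]} rule-set '{t[4]}'"
                if t[5:7] in (["from", "zone"], ["to", "zone"]) and len(t) >= 8:
                    zone_refs.append((ctx, t[7]))
                if "destination-nat" in t:
                    i = t.index("destination-nat")
                    if t[i + 1:i + 2] == ["pool"] and len(t) > i + 2:
                        pool_refs.append((ctx, t[i + 2]))
        elif (t[:2] == ["security", "policies"] and len(t) >= 8
              and t[2] == "from-zone" and t[4] == "to-zone"):
            src_zone, dst_zone = t[3], t[5]
            ctx = f"policy '{t[7]}' ({src_zone}->{dst_zone})"
            zone_refs += [(ctx, src_zone), (ctx, dst_zone)]
            if len(t) >= 11 and t[8] == "match":
                # source addresses resolve in the from-zone book, destination
                # addresses in the to-zone book (assumption: no global address-book)
                if t[9] == "source-address":
                    addr_refs.append((ctx, src_zone, t[10]))
                elif t[9] == "destination-address":
                    addr_refs.append((ctx, dst_zone, t[10]))

    findings = []

    def report(msg):
        if msg not in findings:        # one line per problem, however often it is referenced
            findings.append(msg)

    for name, iface in vlan_l3.items():
        if name not in vlan_ids:
            report(f"vlan '{name}' has l3-interface {iface} but no vlan-id")
    for ctx, zone in zone_refs:
        if zone not in zones:
            report(f"{ctx} refers to unknown zone '{zone}'")
    for ctx, pool in pool_refs:
        if pool not in nat_pools:
            report(f"{ctx} refers to unknown NAT pool '{pool}'")
    for ctx, zone, addr in addr_refs:
        if addr != "any" and addr not in address_book.get(zone, set()):
            report(f"{ctx} refers to address '{addr}' missing from zone '{zone}' address-book")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG):
        print(finding)
```

Running it on the sample reports four findings: the `quentin` VLAN with no vlan-id, the `RaspberryPi` zone that does not exist, and two policies whose address (a literal prefix in one case, an undefined name in the other) is not in the zone book the policy would consult. Point it at `show configuration | display set` output before committing, and extend the token patterns for whatever other sections a configuration uses.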