Mise en place d'une protection durant la Nuit Du Hack 2016

Protecting our communications, our data and our systems at Hack In Paris matters. Millions of flows will be exchanged during the night, so a minimum of security has to be prepared in advance. We know we will be the target of attackers. So I am starting this small "SafeNight" project with a Juniper SRX100H2 firewall router running JunOS 12.1X46-D52.

Prerequisites:

  1. The minimum for your machine:
    You need an up-to-date system, and by that I mean a system that is still maintained by its vendor... Ideally your machine has a local firewall with your own rules, no accessible shares and no vulnerable software (Flash Player, Reader DC, Java, old browsers...). Windows users, please patch your DNS issue so that you are not redirected if your OS gets compromised.
  2. Vigilance is required during the event:
    Let us lock our machines whenever we leave our seats, and keep an eye on our own equipment as well as that of our colleagues.
  3. Address assignment on the network: the SRX100 will not run any DHCP server on the various networks, but 6 IP addresses will be available per VLAN. I will give you your address range at the start of the event. There are 8 ports available, 2 of which will be reserved (.1 for the gateway and .6 must be your PC). Here is the information detailing your network, VLAN and physical port, along with the person who connects to it:
Network          VLAN  Port  User
10.10.0.0/29     10    ge0   Camille
172.16.20.0/29   20    ge1   Emmanuel
192.168.30.0/29  30    ge2   Arnaud
10.40.0.0/29     40    ge3   Valentin
172.16.50.0/29   50    ge4   Florian
192.168.60.0/29  60    ge5   Jeremie
10.70.0.0/29     70    ge6   Raspberry
172.16.0.24/19   /     ge7   HIPlan

Information:

  1. Network segmentation: for everyone's well-being, each port is placed in its own VLAN so that we are independent from one another. Nothing will inspect your frames apart from the Juniper (logs).

  2. To keep your data confidential on its way to the Internet, I suggest that you use, as I do, an OpenVPN server as a secured exit node. For those who do not have one, I can set one up in a Docker container if needed.

  3. The Raspberry Pi will be a honeypot on the SSH port (logs collected at the end), and maltrail will alert us to known existing attacks (it is a pure challenge, meant to store the adversaries' attacks).

Router/firewall configuration

The router/firewall I use is a Juniper (also called a services gateway), model SRX110, up to date with firmware 12.1X46-D50 dated 19 April 2016. Here is my specific configuration for Hack In Paris, to protect us from attackers who may try to break in! Here is my complete JunOS configuration:

#--------------------------------------#
#---[ First configuration device ]-----#
#--------------------------------------#

set system host-name junsrx
set system time-zone GMT
set system root-authentication encrypted-password "*******"
set system name-server 208.67.220.220
set system name-server 208.67.222.222
set system name-resolution no-resolve-on-input
set system syslog archive size 100k files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval

set system ntp server ntp.ovh.net
set system services ssh protocol-version v2
set system services ssh rate-limit 3
set system services ssh connection-limit 2
# root-login needs an explicit value; no separate login user is defined on
# this page, so "deny" here would lock SSH out entirely
set system services ssh root-login allow
set system services ssh max-sessions-per-connection 1
set system services web-management https port 36344
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.60
set system services web-management session idle-timeout 60
set system services web-management session session-limit 1

# ssh-44363: custom SSH application (junos-ssh is a predefined name and
# cannot be redefined); not referenced by any policy on this page
set applications application ssh-44363 protocol tcp
set applications application ssh-44363 destination-port 44363
# maltrail: the page gives no port for it, so only the protocol is set
set applications application maltrail protocol tcp
set applications application rodolphe-http protocol tcp
set applications application rodolphe-http destination-port 1337
# The static ARP entry for the next hop belongs under the interface
# address (see fe-0/0/7 below), not under the static route
set routing-options static route 0.0.0.0/0 next-hop 172.16.1.1

#---------------------------------------#
#---[ Configuration : fe & lo0 ]--------#
#---------------------------------------#

set interfaces fe-0/0/7 description "HIPlan"
set interfaces fe-0/0/7 speed 100m
set interfaces fe-0/0/7 link-mode full-duplex
set interfaces fe-0/0/7 fastether-options no-auto-negotiation
set interfaces fe-0/0/7 unit 0 family inet address 172.16.0.24/19
# Static ARP for the upstream gateway (pinned so a spoofed ARP reply on the
# shared HIPlan segment cannot redirect our default route)
set interfaces fe-0/0/7 unit 0 family inet address 172.16.0.24/19 arp 172.16.1.1 mac 00:04:23:d0:47:a2

set interfaces fe-0/0/6 description "Raspberry"
set interfaces fe-0/0/6 speed 100m
set interfaces fe-0/0/6 link-mode full-duplex
set interfaces fe-0/0/6 fastether-options no-auto-negotiation
set interfaces fe-0/0/6 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members raspberry

set interfaces fe-0/0/5 description "Jeremie"
set interfaces fe-0/0/5 speed 100m
set interfaces fe-0/0/5 link-mode full-duplex
set interfaces fe-0/0/5 fastether-options no-auto-negotiation
set interfaces fe-0/0/5 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members jeremie

set interfaces fe-0/0/4 description "Rodolphe"
set interfaces fe-0/0/4 speed 100m
set interfaces fe-0/0/4 link-mode full-duplex
set interfaces fe-0/0/4 fastether-options no-auto-negotiation
set interfaces fe-0/0/4 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members rodolphe

set interfaces fe-0/0/3 description "Valentin"
set interfaces fe-0/0/3 speed 100m
set interfaces fe-0/0/3 link-mode full-duplex
set interfaces fe-0/0/3 fastether-options no-auto-negotiation
set interfaces fe-0/0/3 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members valentin

set interfaces fe-0/0/2 description "Arnaud"
set interfaces fe-0/0/2 speed 100m
set interfaces fe-0/0/2 link-mode full-duplex
set interfaces fe-0/0/2 fastether-options no-auto-negotiation
set interfaces fe-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members arnaud

set interfaces fe-0/0/1 description "Corentin"
set interfaces fe-0/0/1 speed 100m
set interfaces fe-0/0/1 link-mode full-duplex
set interfaces fe-0/0/1 fastether-options no-auto-negotiation
set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members corentin

set interfaces fe-0/0/0 description "Camille"
set interfaces fe-0/0/0 speed 100m
set interfaces fe-0/0/0 link-mode full-duplex
set interfaces fe-0/0/0 fastether-options no-auto-negotiation
set interfaces fe-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan members camille

set interfaces lo0 unit 0 family inet address 1.1.1.1/32

#-------------------------------#
#---[ Configuration : vlans ]---#
#-------------------------------#

set vlans raspberry vlan-id 70
set vlans jeremie vlan-id 60
set vlans rodolphe vlan-id 50
set vlans valentin vlan-id 40
set vlans arnaud vlan-id 30
set vlans corentin vlan-id 20
set vlans camille vlan-id 10

set interfaces vlan unit 70 family inet address 10.70.0.1/29
set interfaces vlan unit 60 family inet address 192.168.60.1/29
set interfaces vlan unit 50 family inet address 172.16.50.1/29
set interfaces vlan unit 40 family inet address 10.40.0.1/29
set interfaces vlan unit 30 family inet address 192.168.30.1/29
set interfaces vlan unit 20 family inet address 172.16.20.1/29
set interfaces vlan unit 10 family inet address 10.10.0.1/29

set vlans raspberry l3-interface vlan.70
set vlans jeremie l3-interface vlan.60
set vlans rodolphe l3-interface vlan.50
set vlans valentin l3-interface vlan.40
set vlans arnaud l3-interface vlan.30
set vlans corentin l3-interface vlan.20
set vlans camille l3-interface vlan.10

#-------------------------------------------#
#---[ Configuration : Security Zones ]------#
#-------------------------------------------#

set security zones security-zone HIPlan interfaces fe-0/0/7.0
set security zones security-zone HIPlan screen untrust-screen

# Honeypot zone: only the L3 interface vlan.70 belongs here (fe-0/0/0 is
# Camille's switch port). No host-inbound services are accepted from this
# zone, so a compromised Pi cannot reach the SRX's own SSH/HTTPS;
# management comes from Jeremie's zone only
set security zones security-zone Raspberry interfaces vlan.70
set security zones security-zone Raspberry address-book address network-70 10.70.0.0/29
set security zones security-zone Raspberry address-book address raspberry-pi 10.70.0.6/32

set security zones security-zone Jeremie interfaces vlan.60
set security zones security-zone Jeremie host-inbound-traffic system-services https
set security zones security-zone Jeremie host-inbound-traffic system-services ssh
set security zones security-zone Jeremie address-book address network-60 192.168.60.0/29
set security zones security-zone Jeremie address-book address jeremie-pc 192.168.60.6/32

set security zones security-zone Rodolphe interfaces vlan.50
set security zones security-zone Rodolphe address-book address network-50 172.16.50.0/29
set security zones security-zone Rodolphe address-book address rodolphe-pc 172.16.50.6/32

set security zones security-zone Valentin interfaces vlan.40
set security zones security-zone Valentin address-book address network-40 10.40.0.0/29
set security zones security-zone Valentin address-book address valentin-pc 10.40.0.6/32

set security zones security-zone Arnaud interfaces vlan.30
set security zones security-zone Arnaud address-book address network-30 192.168.30.0/29
set security zones security-zone Arnaud address-book address arnaud-pc 192.168.30.6/32

set security zones security-zone Corentin interfaces vlan.20
set security zones security-zone Corentin address-book address network-20 172.16.20.0/29
set security zones security-zone Corentin address-book address corentin-pc 172.16.20.6/32

set security zones security-zone Camille interfaces vlan.10
set security zones security-zone Camille address-book address network-10 10.10.0.0/29
set security zones security-zone Camille address-book address camille-pc 10.10.0.6/32

#------------------------------------#
#---[ Configuration : NAT source ]---#
#------------------------------------#

# These pools are defined but never referenced: every rule-set below uses
# "source-nat interface", i.e. the fe-0/0/7 address toward HIPlan
set security nat source pool gateway-vlan70 address 10.70.0.1/32
set security nat source pool gateway-vlan60 address 192.168.60.1/32
set security nat source pool gateway-vlan50 address 172.16.50.1/32
set security nat source pool gateway-vlan40 address 10.40.0.1/32
set security nat source pool gateway-vlan30 address 192.168.30.1/32
set security nat source pool gateway-vlan20 address 172.16.20.1/32
set security nat source pool gateway-vlan10 address 10.10.0.1/32

set security nat source rule-set src-vlan-70 from zone Raspberry
set security nat source rule-set src-vlan-70 to zone HIPlan
set security nat source rule-set src-vlan-70 rule vlan-70 match source-address 10.70.0.0/29
set security nat source rule-set src-vlan-70 rule vlan-70 match destination-address 0.0.0.0/0
set security nat source rule-set src-vlan-70 rule vlan-70 then source-nat interface

set security nat source rule-set src-vlan-60 from zone Jeremie
set security nat source rule-set src-vlan-60 to zone HIPlan
set security nat source rule-set src-vlan-60 rule vlan-60 match source-address 192.168.60.0/29
set security nat source rule-set src-vlan-60 rule vlan-60 match destination-address 0.0.0.0/0
set security nat source rule-set src-vlan-60 rule vlan-60 then source-nat interface

set security nat source rule-set src-vlan-50 from zone Rodolphe
set security nat source rule-set src-vlan-50 to zone HIPlan
set security nat source rule-set src-vlan-50 rule vlan-50 match source-address 172.16.50.0/29
set security nat source rule-set src-vlan-50 rule vlan-50 match destination-address 0.0.0.0/0
set security nat source rule-set src-vlan-50 rule vlan-50 then source-nat interface

set security nat source rule-set src-vlan-40 from zone Valentin
set security nat source rule-set src-vlan-40 to zone HIPlan
set security nat source rule-set src-vlan-40 rule vlan-40 match source-address 10.40.0.0/29
set security nat source rule-set src-vlan-40 rule vlan-40 match destination-address 0.0.0.0/0
set security nat source rule-set src-vlan-40 rule vlan-40 then source-nat interface

set security nat source rule-set src-vlan-30 from zone Arnaud
set security nat source rule-set src-vlan-30 to zone HIPlan
set security nat source rule-set src-vlan-30 rule vlan-30 match source-address 192.168.30.0/29
set security nat source rule-set src-vlan-30 rule vlan-30 match destination-address 0.0.0.0/0
set security nat source rule-set src-vlan-30 rule vlan-30 then source-nat interface

set security nat source rule-set src-vlan-20 from zone Corentin
set security nat source rule-set src-vlan-20 to zone HIPlan
set security nat source rule-set src-vlan-20 rule vlan-20 match source-address 172.16.20.0/29
set security nat source rule-set src-vlan-20 rule vlan-20 match destination-address 0.0.0.0/0
set security nat source rule-set src-vlan-20 rule vlan-20 then source-nat interface

set security nat source rule-set src-vlan-10 from zone Camille
set security nat source rule-set src-vlan-10 to zone HIPlan
set security nat source rule-set src-vlan-10 rule vlan-10 match source-address 10.10.0.0/29
set security nat source rule-set src-vlan-10 rule vlan-10 match destination-address 0.0.0.0/0
set security nat source rule-set src-vlan-10 rule vlan-10 then source-nat interface

#-----------------------------------------#
#---[ Configuration : NAT destination ]---#
#-----------------------------------------#

# The honeypot listens on 21452 on the Pi; port 22 arriving from HIPlan is
# translated to it
set security nat destination pool raspberry-pi address 10.70.0.6/32 port 21452
set security nat destination pool rodolphe-pc address 172.16.50.6/32 port 1337

# Destination NAT matches the pre-NAT destination, i.e. the SRX's own
# HIPlan address 172.16.0.24, not the private address behind it. Both
# rules share one rule-set because a from-zone context can only be used
# by a single destination rule-set
set security nat destination rule-set dest-from-HIPlan from zone HIPlan
set security nat destination rule-set dest-from-HIPlan rule ssh match source-address 0.0.0.0/0
set security nat destination rule-set dest-from-HIPlan rule ssh match destination-address 172.16.0.24/32
set security nat destination rule-set dest-from-HIPlan rule ssh match destination-port 22
set security nat destination rule-set dest-from-HIPlan rule ssh then destination-nat pool raspberry-pi

set security nat destination rule-set dest-from-HIPlan rule http match source-address 0.0.0.0/0
set security nat destination rule-set dest-from-HIPlan rule http match destination-address 172.16.0.24/32
set security nat destination rule-set dest-from-HIPlan rule http match destination-port 1337
set security nat destination rule-set dest-from-HIPlan rule http then destination-nat pool rodolphe-pc

#------------------------------------#
#---[ Configuration : policies ]-----#
#------------------------------------#

set security policies default-policy deny-all

set security policies from-zone HIPlan to-zone Raspberry policy ssh_honeypot match source-address any
set security policies from-zone HIPlan to-zone Raspberry policy ssh_honeypot match destination-address raspberry-pi
set security policies from-zone HIPlan to-zone Raspberry policy ssh_honeypot match application any
set security policies from-zone HIPlan to-zone Raspberry policy ssh_honeypot then permit
set security policies from-zone HIPlan to-zone Raspberry policy ssh_honeypot then log session-init
set security policies from-zone HIPlan to-zone Raspberry policy ssh_honeypot then log session-close

set security policies from-zone HIPlan to-zone Rodolphe policy http_rodolphe match source-address any
set security policies from-zone HIPlan to-zone Rodolphe policy http_rodolphe match destination-address rodolphe-pc
set security policies from-zone HIPlan to-zone Rodolphe policy http_rodolphe match application any
set security policies from-zone HIPlan to-zone Rodolphe policy http_rodolphe then permit
set security policies from-zone HIPlan to-zone Rodolphe policy http_rodolphe then log session-init
set security policies from-zone HIPlan to-zone Rodolphe policy http_rodolphe then log session-close

set security policies from-zone HIPlan to-zone Raspberry policy log_and_drop match source-address any
set security policies from-zone HIPlan to-zone Raspberry policy log_and_drop match destination-address any
set security policies from-zone HIPlan to-zone Raspberry policy log_and_drop match application any
set security policies from-zone HIPlan to-zone Raspberry policy log_and_drop then reject
set security policies from-zone HIPlan to-zone Raspberry policy log_and_drop then log session-init

set security policies from-zone Raspberry to-zone HIPlan policy All_HIPlan match source-address network-70
set security policies from-zone Raspberry to-zone HIPlan policy All_HIPlan match destination-address any
set security policies from-zone Raspberry to-zone HIPlan policy All_HIPlan match application any
set security policies from-zone Raspberry to-zone HIPlan policy All_HIPlan then permit

# The honeypot zone must never initiate sessions toward Jeremie's PC
# (a source of 192.168.60.6 can never appear in zone Raspberry, so the
# former permit matched nothing). Jeremie's management sessions are opened
# from his own zone by mgmt_Jeremie2 and return through the session table;
# anything the Pi initiates here is logged and dropped
set security policies from-zone Raspberry to-zone Jeremie policy block_honeypot match source-address any
set security policies from-zone Raspberry to-zone Jeremie policy block_honeypot match destination-address any
set security policies from-zone Raspberry to-zone Jeremie policy block_honeypot match application any
set security policies from-zone Raspberry to-zone Jeremie policy block_honeypot then deny
set security policies from-zone Raspberry to-zone Jeremie policy block_honeypot then log session-init

set security policies from-zone Jeremie to-zone HIPlan policy All_HIPlan match source-address network-60
set security policies from-zone Jeremie to-zone HIPlan policy All_HIPlan match destination-address any
set security policies from-zone Jeremie to-zone HIPlan policy All_HIPlan match application any
set security policies from-zone Jeremie to-zone HIPlan policy All_HIPlan then permit

set security policies from-zone Jeremie to-zone Raspberry policy mgmt_Jeremie2 match source-address any
set security policies from-zone Jeremie to-zone Raspberry policy mgmt_Jeremie2 match destination-address any
set security policies from-zone Jeremie to-zone Raspberry policy mgmt_Jeremie2 match application any
set security policies from-zone Jeremie to-zone Raspberry policy mgmt_Jeremie2 then permit

set security policies from-zone Rodolphe to-zone HIPlan policy All_HIPlan match source-address network-50
set security policies from-zone Rodolphe to-zone HIPlan policy All_HIPlan match destination-address any
set security policies from-zone Rodolphe to-zone HIPlan policy All_HIPlan match application any
set security policies from-zone Rodolphe to-zone HIPlan policy All_HIPlan then permit

# No intra-zone HIPlan -> HIPlan policy is needed for 172.16.50.6: that
# host lives in zone Rodolphe and is reached through http_rodolphe above

set security policies from-zone Valentin to-zone HIPlan policy All_HIPlan match source-address network-40
set security policies from-zone Valentin to-zone HIPlan policy All_HIPlan match destination-address any
set security policies from-zone Valentin to-zone HIPlan policy All_HIPlan match application any
set security policies from-zone Valentin to-zone HIPlan policy All_HIPlan then permit

set security policies from-zone Arnaud to-zone HIPlan policy All_HIPlan match source-address network-30
set security policies from-zone Arnaud to-zone HIPlan policy All_HIPlan match destination-address any
set security policies from-zone Arnaud to-zone HIPlan policy All_HIPlan match application any
set security policies from-zone Arnaud to-zone HIPlan policy All_HIPlan then permit

set security policies from-zone Corentin to-zone HIPlan policy All_HIPlan match source-address network-20
set security policies from-zone Corentin to-zone HIPlan policy All_HIPlan match destination-address any
set security policies from-zone Corentin to-zone HIPlan policy All_HIPlan match application any
set security policies from-zone Corentin to-zone HIPlan policy All_HIPlan then permit

set security policies from-zone Camille to-zone HIPlan policy All_HIPlan match source-address network-10
set security policies from-zone Camille to-zone HIPlan policy All_HIPlan match destination-address any
set security policies from-zone Camille to-zone HIPlan policy All_HIPlan match application any
set security policies from-zone Camille to-zone HIPlan policy All_HIPlan then permit
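
As an added example (not from the original post), here is a small Python audit that reads a Junos set-format policy listing and flags what would contradict the segmentation goals stated above: a default policy other than deny-all, a permit between two user VLAN zones other than the declared Jeremie-to-Raspberry management path, and a permit from HIPlan without session logging. The sample configuration inside it is constructed, with two deliberately bad policies for the audit to find.

```python
"""Audit a Junos set-format policy listing against the page's goals:
default deny, no permit between two user VLAN zones except the declared
management path, logging on every permit from the untrusted HIPlan zone."""
import re

POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"(match|then) (.+)$")

# Constructed sample (not the page's full config): two policies in the
# spirit of the page plus two deliberately bad ones for the audit to find
SAMPLE = """
set security policies default-policy deny-all
set security policies from-zone HIPlan to-zone Raspberry policy ssh_honeypot match source-address any
set security policies from-zone HIPlan to-zone Raspberry policy ssh_honeypot match destination-address raspberry-pi
set security policies from-zone HIPlan to-zone Raspberry policy ssh_honeypot then permit
set security policies from-zone HIPlan to-zone Raspberry policy ssh_honeypot then log session-init
set security policies from-zone HIPlan to-zone Rodolphe policy http_rodolphe match source-address any
set security policies from-zone HIPlan to-zone Rodolphe policy http_rodolphe match destination-address rodolphe-pc
set security policies from-zone HIPlan to-zone Rodolphe policy http_rodolphe then permit
set security policies from-zone Camille to-zone Arnaud policy oops match destination-address any
set security policies from-zone Camille to-zone Arnaud policy oops then permit
set security policies from-zone Jeremie to-zone Raspberry policy mgmt_Jeremie2 match source-address any
set security policies from-zone Jeremie to-zone Raspberry policy mgmt_Jeremie2 then permit
"""

USER_ZONES = {"Camille", "Corentin", "Arnaud", "Valentin", "Rodolphe", "Jeremie", "Raspberry"}


def parse_policies(config_text):
    """Return (default_policy, {(from, to, name): {"match": {}, "then": set()}})."""
    default, policies = None, {}
    for line in config_text.splitlines():
        if line.startswith("set security policies default-policy "):
            default = line.rsplit(" ", 1)[1]
            continue
        m = POLICY_RE.match(line)
        if not m:
            continue
        pol = policies.setdefault(m.group(1, 2, 3), {"match": {}, "then": set()})
        if m.group(4) == "match":
            field, value = m.group(5).split(" ", 1)
            pol["match"][field] = value
        else:  # "then permit", "then log session-init", ...: keep the verb
            pol["then"].add(m.group(5).split(" ")[0])
    return default, policies


def audit(config_text, untrusted, user_zones, allowed_pairs=()):
    """List the policies that contradict the segmentation described on the page."""
    default, policies = parse_policies(config_text)
    findings = []
    if default != "deny-all":
        findings.append("default-policy is not deny-all")
    for (src, dst, name), pol in policies.items():
        if "permit" not in pol["then"]:
            continue  # deny/reject policies never widen access
        if src in user_zones and dst in user_zones and (src, dst) not in allowed_pairs:
            findings.append(f"{name}: permits {src} -> {dst} (breaks isolation)")
        if src == untrusted and "log" not in pol["then"]:
            findings.append(f"{name}: permit from {untrusted} without logging")
    return findings


def audit_sample():
    return audit(SAMPLE, "HIPlan", USER_ZONES, {("Jeremie", "Raspberry")})
```

Feed the real listing to audit() with the same zone names to check the configuration above before committing it.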
