根据文档,一步一步地实现一个 [ SDN Firewall
](https://www.opensourceforu.com/2016/07/implementing-a-software-defined-
network-sdn-based-firewall/ “SDN Firewall”) .
![SDN Firewall](https://www.researchgate.net/profile/Dhaval-
Satasiya/publication/303924315/figure/fig1/AS:372477386608640@1465816937425/SDN-
Architecture_Q320.jpg)
SDN Firewall with POX Project
In this project, you will use Software Defined Networking (SDN) principles to
create a configurable firewall using an OpenFlow enabled Switch. The Software
Defined Networking (OpenFlow) functionality allows you to programmatically
control the flow of traffic on the network.
This project has three phrases as follows:
- Mininet Tutorial - This phase is a brief overview of Mininet. There are no deliverables for this phase and may be skipped, especially if you completed the Optional Simulating Networks project (Project 0).
- Wireshark Tutorial - This phase is a brief introduction to packet capture using Wireshark/tshark. You will examine the packet format for various traffic to learn of the different header values used in Phase 3. There is a deliverable of a simple packet capture file.
- SDN Firewall - This phase involves completing code to build a simple traffic blocking firewall using OpenFlow with the POX Controller based on rules passed to it from a configuration file. In addition, you will create a set of rules to test the firewall implementation.
Part 0: Project References
You will find the following resources useful in completing this project. It is
recommended that you review these resources before starting the project.
- IP Header Format - https://erg.abdn.ac.uk/users/gorry/course/inet-pages/ip-packet.html
- TCP Packet Header Format - https://en.wikipedia.org/wiki/Transmission_Control_Protocol
- UDP Packet Header Format - https://en.wikipedia.org/wiki/User_Datagram_Protocol
- The ICMP Protocol - https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
- IP Protocols - https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers
- TCP and UDP Service and Port References https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
- Wireshark - https://www.wireshark.org/docs/wsug_html/
- CIDR Calculator - https://account.arin.net/public/cidrCalculator
- CIDR - https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
Part 1: Files Layout
Unzip the SDNFirewall-Summer2024zip file into your Virtual Machine. Do this by
running the following command: unzip SDNFirewall-Summer2024.zip
This will extract the files for this project into a directory named
SDNFirewall at your current path (it is recommended that your use the mininet
root directory to aid in troubleshooting ( cd ~ ). The following files will be
extracted:
- cleanup.sh - this file called by using following command line: ./cleanup.sh
This file will clean up the Mininet Environment and kill all zombie Python and
POX processes. - sdn-topology.py - this file creates the Mininet topology used in this assignment. This is like what you created in the Simulating Networks project. When evaluating your code against the ruleset specified in this project, do not change it. However, you are encouraged to make your own topologies (and rules) to test the firewall. Look at the start-topology.sh file to see how to start a different topology.
- ws-topology.py - this file is substantially like sdn-topology, but it does not call the POX Controller. You will use this during the Wireshark exercise.
- setup-firewall.py - this file sets up the frameworks used in this project. DO NOT MODIFY THIS FILE. This file will create the appropriate POX framework and then integrates the rules implemented in sdnfirewall.py into the OpenFlow engine. It will also read in the values from the configure.pol file and validate that the entries are valid. If you make changes to this file, the autograder will likely have issues with your final code as the autograder uses the unaltered distribution version of this file.
- start-firewall.sh - this is the shell script that starts the firewall. This file must be started before the topology is started. It will copy files to the appropriate directory and then start the POX OpenFlow controller. This file is called by using following command line: ./start-firewall.sh
- start-topology.sh - this is the shell script that starts the Mininet topology used in the assignment. All it does is call the sdn-topology.py file with superuser permissions. This file is called by using following command line: ./start-topology.sh
- test-client.py - this is a python test client program used to test your firewall. This file is called using the following command line: python test-client.py PROTO SERVERIP PORT SOURCEPORT where PROTO is either T for TCP, U for UDP, or G for GRE, SERVERIP is the IP address of the server (destination), PORT is the destination port, and optionally SOURCEPORT allows you to configure the source port that you are using. Example: python test-client.py T 10.0.1.1 80
- test-server.py - this is a python test server program used to test your firewall. This file is called using the following command line: python test-server.py PROTO SERVERIP PORT where PROTO is either T for
TCP, U for UDP, G for GRE, SERVERIP is the IP address of the server (the
server you are running this script on), and PORT is the service port. Example:
python test-server.py T 10.0.1.1 80 - test-suite - This is a student developed test script that was developed in 2021 that can be used to test your implementation AFTER YOU FINISH BOTH THE IMPLEMENTATION FILES. The test cases in the main folder will be used to evaluate your implementations for the first run. An alternate configuration and topology will also be used to evaluate your implementations. This will be similar to, but not identical to what is found in the extra sub-folder. See Appendix A for information on how to use the test suite.
Project Deliverables
- configure.pol - this file is where you will supply the configuration to the firewall that specifies the traffic that should either be blocked or allowed (override blocks). The format of this file will be specified later in this document. This file is one of the deliverables that must be included in your ZIP submission to Canvas.
- sdn-firewall.py -This file implements the firewall using POX and OpenFlow functions. It receives a copy of the contents of the configure.pol file as a python list containing a dictionary for each rule and you will need to implement the code necessary to process these items into POX policies to create the firewall. This file is one of the deliverables that must be included in your ZIP submission to Canvas.
- packetcapture.pcap - This will be the packet capture completed in Part 4. This file is one of the deliverables that must be included in your ZIP submission to Canvas.
Part 2: Before You Begin
This project assumes basic knowledge about IP and TCP/UDP Protocols. It is
highly encouraged that you review the following items before starting. This
will help you in understanding the contents of IP packet headers and what you
may need to match.
- What is the IP (Internet Protocol)? What are the different types of Network Layer protocols?
- Review TCP and UDP? How does TCP or UDP differ from IP?
- Examine the packet header for a generic IP protocol entry. Contrast that with the packet header for a TCP packet, and for a UDP packet. What are the differences? What does each field mean?
- What constitutes a TCP Connection? How does this contrast with a UDP connection.
- A special IP protocol is ICMP. Why is ICMP important? What behavior happens when you do an ICMP Ping? If you block an ICMP response, what would you expect to see?
- If you block a host from ICMP, will you be able to send TCP/UDP traffic to it?
- Can you explain what happens if you get a ICMP Destination Unreachable response?
- What is CIDR notation? How do you subnet a network?
- What IP Protocols use Source or Destination Ports?
Part 3: Review of Mininet
IF YOU HAVE FAMILIARITY WITH MININET OR IF YOU COMPLETED THE OPTIONAL PROJECT
SIMULATING NETWORKS, YOU MAY SKIP THIS SECTION AND START WITH PART 4:
WIRESHARK
Mininet is a network simulator that allows you to explore SDN techniques by
allowing you to create a network topology including virtual switches, links,
hosts/nodes, and controllers. It will also allow you to set the parameters for
each of these virtual devices and will allow you to simulate real-world
applications on the different hosts/nodes.
The following code sets up a basic Mininet topology similar to what is used
for this project:
#!/usr/bin/python
from mininet.topo import Topo
from mininet.net import Mininet
from mininet.node import CPULimitedHost, RemoteController
from mininet.util import custom
from mininet.link import TCLink
from mininet.cli import CLI
class FirewallTopo(Topo):
def init(self, cpu=.1, bw=10, delay=None, **params):
super(FirewallTopo,self).init()
# Host in link configuration
hconfig = {‘cpu’: cpu}
lconfig = {‘bw’: bw, ‘delay’: delay}
# Create the firewall switch
s1 = self.addSwitch(‘s1’)
hq1 = self.addHost(‘hq1’,ip=’10.0.0.1’,mac=’00:00:00:00:00:1e’, **hconfig)
self.addLink(s1,hq1)
us1 = self.addHost(‘us1’, ip=’10.0.1.1’, mac=’00:00:00:01:00:1e’, **hconfig)
self.addLink(s1,us1)
—|—
This code defines the following virtual objects:
- Switch s1 - this is a single virtual switch with the label ‘s1’. In Mininet, you may have as many virtual ports as you need - for Mininet, “ports” are considered to be a virtual ethernet jack, not an application port that you would use in building your firewall.
- Hosts hq1 and us1 - these are individual virtual hosts that you can access via xterm and other means. You can define the IP Address, MAC/Hardware Addresses, and configuration parameters that can define cpu speed and other parameters using the hconfig dictionary.
- Links between s1 and hq1 and s1 and us1 - consider these like an ethernet cable that you would run between a computer and the switch port. You can define individual port numbers on each side (i.e., port on the host and port on the virtual switch), but it is advised to let Mininet automatically wire the network. Like hosts, you can define configuration parameters to set link speed, bandwidth, and latency. REMINDER - PORTS MENTIONED IN MININET TOPOLOGIES ARE WIRING PORTS ON THE VIRTUAL SWITCH, NOT APPLICATION PORT NUMBERS.
Useful Mininet Commands: - For this project, you can start Mininet and load the firewall topology by running the ./start-topology.sh from the project directory. You can quit Mininet by typing in the exit command.
- After you are done running Mininet, it is recommended that you cleanup Mininet. There are two ways of doing this. The first is to run the sudo mn -c command from the terminal and the second is to use the ./cleanup.sh script provided in the project directory. Do this after every run to minimize any problems that might hang or crash Mininet.
- You can use the xterm command to start an xterm window for one of the virtual hosts. This command is run from the mininet> prompt. For example, you can type in us1 xterm & to open a xterm window for the virtual host us1. The & causes the window to open and run in the background. In this project, you will run the test--client.py and test--server.py in each host to test connectivity.
- The pingall command that is run from the mininet> prompt will cause all hosts to ping all other hosts. Note that this may take a long time. To run a ping between two hosts, you can specify host1 ping host2 (for example, us1 ping hq1 which will show the result of host us1 pinging hq1).
- The help command will show all Mininet commands and dump will show information about all hosts in the topology.
Part 4: Wireshark
Wireshark is a network packet capture program that will allow you to capture a
stream of network packets and examine them. Wireshark is used extensively to
troubleshoot computer networks and in the field of information security. We
will be using Wireshark to examine the packet headers to learn how to use this
information to match traffic that will be affected by the firewall we are
constructing.
tshark is a command line version of Wireshark that we will be using to capture
the packets between mininet hosts and we will use Wireshark for the GUI to
examine these packets. However, you will be allowed to use the Wireshark GUI
if you would like in doing the packet capture.
Please watch the video referenced in Part 2 if you would like to follow along
in time for a live packet capture.
- Step 1: Open up a Terminal Window and change directory to the SDNFirewall directory that was extracted in Part 1.
- Step 2: The first action is to start up the Mininet topology used for the Wireshark capture exercise. This topology matches the topology that you will be using when creating and testing your firewall. To start this topology, run the following command:
sudo python ws-topology.py
This will startup a Mininet session with all hosts created. - Step 3: Start up two xterm windows for hosts us1 and us2. After you start each xterm window, it is recommended that you run the following command in each xterm window as you load them to avoid confusion about which xterm belongs to which host:
export PS1=”hostname >” replacing hostname with the actual hostname.
Type in the following commands at the Mininet prompt.
us1 xterm & (then run export PS1=”us1 >” in the xterm window that pops up)
us2 xterm & (likewise, run export PS1=”us2 >” in the second xterm window) - Step 4: In this step, we want to start capturing all the traffic that traverses through the ethernet port on host us1. We do this by running tshark (or alternatively, wireshark) as follows from the mininet prompt:
us1 sudo tshark -w /tmp/packetcapture.pcap
This will start tshark and will output a pcap formatted file to
/tmp/capture.pcap. Note that this file is created as root, so you will need to
change ownership to mininet to use it in future steps - chown mininet:mininet
/tmp/packetcapture.pcap
If you wish to use the Wireshark GUI instead of tshark, you would call us1
sudo wireshark &. You may use this method, but the TA staff will not provide
support for any issues that may occur. - Step 5: Now we need to capture some traffic. Do the following tasks in the appropriate xterm window: in us1 xterm: ping 10.0.1.2 (hit control C after a few ping requests)
In us2 xterm: ping 10.0.1.1 (likewise hit control C after a few ping requests)
In us1 xterm: python test-server.py T 10.0.1.1 80
In us2 xterm: python test-client.py T 10.0.1.1 80
After the connection completes, in the us1 xterm, press Control-C to kill
theserver.
In us1 xterm: python test-server.py U 10.0.1.1 8000
In us2 xterm: python test-client.py U 10.0.1.1 8000
In us1 xterm: press Control C to kill the server
In Mininet Terminal: press Control C to stop tshark - Step 6: At the mininet prompt, type in exit and press enter. Next, do the chown command as described in step 4 above to your packet capture. You may also close the two xterm windows as they are finished. Copy the /tmp/packetcapture.pcap to your project directory. This file is the deliverable for this phase of the project.
- Step 7: At the bash prompt on the main terminal, run:
sudo wireshark
Go to the File => Open menu item, browse to the /tmp directory and select the
pcap file that you saved using tshark.
You will get a GUI that looks like the example packet capture. You will have a
numbered list of all the captured packets with brief information consisting of
source/destination, IP protocol, and a description of the packet. You can
click on an individual packet and will get full details including the Layer 2
and Layer 3 packet headers,
TCP/UDP/ICMP parameters for packets using those IP protocols, and the data
contained in the packet.
Part 5: SDN Firewall Implementation Details
Using the information that you learned above in running Wireshark, you will be
creating two files - one is a firewall configuration file that will specify
different header parameters to match in order to allow or block certain
traffic and the second is the implementation code to create OpenFlow Flow
Modification objects that will create the firewall using the parameters given
in the firewall configuration file.
You may create temporary rulesets to help you complete Part 5b below.
Part 5a: Specifications of configure.pol
The configure.pol file is used by the firewall implementation code to specify
the rules that the firewall will use to govern a connection. You do not need
to code this first, but the format of the file is important as your
implementation code will need to use these items. The format of the file is a
collection of lines that have the proper format:
Rule Number, Action, Source MAC, Destination MAC, Source IP, Destination IP,
Protocol, Source Port, Destination Port, Comment/Note
- Rule Number = this is a rule number to help you track a particular rule - it is not used in the firewall implementation. It can be of any value and is NOT validated in setup-firewall.py. The value need not be unique and can be numeric or text.
- Action = Block or Allow Block rules will block traffic that matches the remaining parameters of this rule. Allow rules will override Block rules to allow specific traffic to pass through the firewall (see below for an example). The entry is a string in (Block,Allow).
- Source / Destination MAC address in form of xx:xx:xx:xx:xx:xx (example: 00:a2:c4:3f:11:09) or a “-“ if you are not matching this item. You may use MAC Addresses to match an individual host. In the real world, you would use it to match a particular piece of hardware. The MAC address of a particular host is defined inside the sdn-topology.py file.
- Source / Destination IP Network Address in form of xxx.xxx.xxx.xxx/xx in CIDR notation or a “-“ if you are not matching this item.. You can use this to match either a single IP Address (using it’s IP address and a subnet mask of /32, or a particular Subnet. An entry here would look like: 10.0.0.1/32. NOTE: If you are using a CIDR mask other than /32 (individual host), make sure that the IP Address shown is the Network Address.
PRIMER ABOUT CIDR NOTATION:
An IP Address consists of 32 bits which contain both the network and the host
addresses. These 32 bits are divided into 4 sections consisting of 8 bits. The
subnet mask /24 defines how many bits of the IP Address define the network.
For a /24 network, there are 24 bits defining the network and 8 bits that
define the host. Thus, if you specify 192.168.10.0/24, the first 24 bits (the
192.168.10) define the network address, and the 0 specifies the host (255
hosts). The IP specified here must be the network address (for a /24, it must
represent the first 24 bits). For the /32 address, the entire 32 bits is a
network address and represents a single host.
The IP address of a particular host is defined inside the sdn-topology.py
file. - Protocol = integer IP protocol number per IANA (0-254) or a “-“ if you are not matching this item.. An example is ICMP is IP Protocol 1, TCP is IP Protocol 6, etc. This must be an integer.
- Source / Destination Port = if Protocol is TCP or UDP, this is the Application Port Number per IANA. For example, web traffic is generally TCP Port 80. Do not try to use port numbers to differentiate the different elements of the ICMP protocol. If you are not matching this item or are using an IP Protocol other than TCP or UDP, this field should be a “-“.
- Comment/Note = this is for your use in tracking rules.
Special Notes About Firewall Configurations:
- Any field not being used for a match should have a ‘-‘ character as its entry. A ‘-‘ means that the item is not being used for matching traffic. It is valid for any rule element except for Action to have a ‘-‘. (i.e., a rule like: 1,Block,-,-,-,-,-,-,-,Block the world is valid, but not a rule that will be tested). HINT: Do not use any item that has a “-“ in its field as an element that you will match. If you pass a “-“ to a field in a match rule, you will cause POX to crash and your firewall will not work.
A “-“ is valid for ALL FIELDS except Action DO NOT PASS A “-“ INTO ONE OF THE
OPENFLOW MATCH VARIABLES OR YOUR CODE WILL CRASH.. - When a rule states to block the world from accessing a particular host, this means that you are matching against all possible hosts which may include hosts that are not in your topology. HINT:
Think about how you would match arbitrary traffic from anywhere on the
network. Don’t overthink this. Also, due to restrictions placed on the
implementation by POX, please do not use 0.0.0.0/0 as an address for “world”.
In a real-world situation, this address would be valid as addressing any host
on the internet. - Note that a rule does not necessarily need a MAC or IP Address. Also, it is possible to have a rule that only has network addresses and no ports/protocols. What won’t ever be tested is using a src/dst port WITHOUT an IP Protocol.
- What is the difference between source and destination? Source makes a request of the destination. For ports, you will most often use destination ports, but make sure that your firewall implements both source and destination ports. For IP and MAC addresses, you will use both most of the time.
- When should I use MAC vs IP Addresses? You will want to interchange them in this file to test the robustness of your implementation. It is valid to specify a Source MAC address and a Destination IP Address.
Example Rules (included in the project files
1,Block,-,-,10.0.0.1/32,10.0.1.0/24,6,-,80,Block 10.0.0.1 host from accessing a web server on the 10.0.1.0/24 network
2,Allow,-,-,10.0.0.1/32,10.0.1.125/32,6,-,80,Allow 10.0.0.1 host to access a web server on 10.0.1.125 overriding rule
What do these rules do?
The first rule basically blocks host hq1 (IP Address 10.0.0.1/32) from
accessing a web server on any host on the us network (the subnet 10.0.1.0/24
network). The web server is running on the TCP IP Protocol (6) and uses TCP
Port 80.
The second rule overrides the initial rule to allow hq1 (IP Address
10.0.0.1/32) to access a web server running on us5 (IP Address 10.0.1.125/32)
By definition - from the sdn-topology.py file:
This class defines the Mininet Topology for the network used in this project. This network consists of the following hosts/networks:
Headquarters Network (hq1-hq5). Subnet 10.0.0.0/24
US Network (us1-us5). Subnet 10.0.1.0/24
India Network (in1-in5). Subnet 10.0.20.0/24
China Network (cn1-cn5). Subnet 10.0.30.0/24
UK Network (uk1-uk5). Subnet 10.0.40.0/24
In Part 6, you will be given a set of firewall conditions that you will need
to create the configure.pol needed for your submission.
You may create temporary rulesets to help you complete Part 5b below.
Part 5b: Implementing the Firewall in Code
After reviewing the format of the configure.pol file, you will now code a
generic implementation of a firewall that will use the values provided from
the configuration file (passed to you as dictionary items). As it is provided,
the firewall implementation code blocks no traffic. You must implement code
that does the following:
- Create an OpenFlow Flow Modification object
- Create a POX Packet Matching object that will integrate the elements from a single entry in the firewall configuration rule file (which is passed in the policy dictionary) to match the different IP and TCP/UDP headers if there is anything to match (i.e., no “-“ should be passed to the match object, nor should None be passed to a match object if a “-“ is provided).
- Create a POX Output Action, if needed, to specify what to do with the traffic.
Please reference code examples in Appendix C, or you may refer to the POX API
documentation (WARNING, this is long and the API is confusing).
You will need to rewrite the rule = None to reference your Flow Modification
object.
Your code will go into a section that will repeat itself for every line in the
firewall configuration file that is passed to it. The “rule” item that is
added to the “rules” list is an OpenFlow Modification object. The process of
injecting this rule into the POX controller is handled automatically for you
in the start-firewall.py file.
TIP: If your implementation code segment is more than 25-30 lines, you are
making it too difficult. The POX API can provide many features that are not
used in this project. The Appendix provides all of the information that you
will need to code the project.
Key Information: - policies is a python list that contains one entry for each rule line contained in your configure.pol file.
Each individual line of the configure.pol file is represented as a dictionary
object named policy. This dictionary has the following keys:- policy[‘mac-src’] = Source MAC Address (00:00:00:00:00:00) or “-“
- policy[‘mac-dst’] = Destination MAC Address (00:00:00:00:00:00) ) or “-“
- policy[‘ip-src’] = Source IP Address (10.0.1.1/32) in CIDR notation ) or “-“
- policy[‘ip-dst’] = Destination IP Address (10.0.1.1/32) ) or “-“
- policy[‘ipprotocol’] = IP Protocol (6 for TCP) ) or “-“
- policy[‘port-src’] = Source Port for TCP/UDP (12000) ) or “-“
- policy[‘port-dst’] = Destination Port for TCP/UDP (80) ) or “-“
- policy[‘rulenum’] = Rule Number (1)
- policy[‘comment’] = Comment (Example Rule)
- policy[‘action’] = Allow or Block
Use these to match traffic. Please note that all fields are strings and may
contain a ‘-‘ character. You may either use policy[‘ip-dst’] or the split
policy[‘ip-dst-address’]/[policy[‘ip-dst-subnet’] in your implementation (the
split was requested by prior semesters), but realize that if you use the ip-
dstaddress and ip-dst-subnet, you will need to carefully check your
implementation to ensure that it is blocking the addresses you intend to
block.
- You will need to assume that all traffic is IPV4. It is acceptable to hardcode this value. Do not hardcode other values. Your code should be generic enough to handle any possible configuration.
- Hints:
- The difference between an Allow or a Block is dependent on an Action and the Priority.
- You don’t necessarily need an action. See Appendix C for a discussion of what happens to a packet after it is matched.
- There should be two priorities - one for ALLOW and one for BLOCK. Separate them sufficiently to override any exact matching behavior that the POX controller implements). It is suggested one priority be 0 or 1 and the other one above 10000. The reasoning for this is discussed in Appendix C.
- Outputting extra print debug lines will not adversely impact the autograder.
- PLEASE TEST ALL COMBINATIONS OF INPUT!! YOU WILL BE TESTED USING SOURCE PORTS, DESTINATION PORTS, SOURCE AND DESTINATION MAC ADDRESSES AND IP ADDRESSES, AND IP PROTOCOLS OTHER THAN 1, 6, OR 17. YOU CODE NEEDS TO HANDLE THESE DIFFERENT COMBINATIONS.
Part 6: Configuration Rules
You will need to submit a configure.pol file to create policies that implement
the following scenarios. You may implement your rules in any manner that you
want, but it is recommended using this step as an opportunity to check your
firewall code implementation. The purpose of these rules is to test your
firewall and to help determine how traffic flows across the network (source vs
destination, protocols, etc).
DO NOT block all traffic by default and only allow traffic specified. You will
lose many points because the firewall is open by default and only blocks the
traffic that is specified.
You work for GT-SDN Corporation that has offices in the US, China, India, and
the UK, with a US headquarters that acts as the datacenter for the company.
Your task is to implement a firewall that accomplishes the following goals:
- Task 1: On the headquarters network, you have two active DNS servers (using the newer DNSover-TLS standard operating on TCP and UDP Port 853). hq1 provides DNS service to the public (the world) and hq2 provides a private DNS service that should be accessible only to the 5 corporate networks (i.e., the US, China, India, UK, and Headquarters network). (DNS-over-TLS is restricted to TCP and UDP Protocol 853 for the purpose of satisfying the ruleset for this project)
Rule Objective: A connection from any host in the word should be able connect
to hq1 on TCP and UDP 853. However, only hosts on the US, China, India, UK,
and HQ networks should be able to connect to TCP and UDP 853 on host hq2. All
other hosts should NOT be able to connect to the DNS Server on host hq2. - Task 2: On the headquarters network, the host hq3 acts as a VPN server that connects to each of the other sites (hosts us3, uk3, in3, and cn3) using the OpenVPN server (standard ports - using both TCP and UDP Ports 1194 will satisfy the requirements for this rule). Create a set of firewall rules that will only allow the 4 offsite hosts (us3, uk3, in3, and cn3) access to the hq3 OpenVPN server. No other hosts in the world should be able to access the OpenVPN server on hq3.
Rule Objective: Only hosts us3, uk3, in3, and cn3 should connect to TCP and
UDP Port 1194 on host HQ3. No other host should be able to connect to TCP and
UDP 1194 on hq3. - Task 3: Allow the hosts on the Headquarters network to be reachable via an ICMP ping from the world (including from the us, uk, in, and cn networks). However, the us, uk, in, and cn networks should not be reachable from the world (due to firewall implementation limitations, the hq network would be able to ping the us, uk, in, and cn network. Why? What changes could be made to the implementation requirements to allow this?)
Rule Objective: All hosts can receive a complete ping request/response to any
HQ network computers. Any hosts attempting to ping the US, UK, IN, and CN
networks should NOT get a complete ping request/response from these hosts
EXCEPT for the HQ network. In order to satisfy the first part of this rule,
the HQ network must be able to ping the US, UK, IN, and CN network. - Task 4: One of the main routes for ransomware to enter a corporate network is through a remote desktop connection with either an insecure version of a server protocol or via leaked or weak credentials (using either the Microsoft Remote Desktop protocol or the Virtual Networking Computing (VNC) protocols as the remote desktop server). For this task, write a set of rules that will block the internet from connecting to a remote desktop server on the five corporate networks. Allow the uk, us, in, and cn to connect to a remote desktop server on the headquarters network. (Use TCP Port 3389 for Remote Desktop and TCP Port 5900 for VNC)
Rule Objective: Block any hosts outside of the corporate network (HQ, US, UK,
IN, and CN) from connecting to any hosts on corporate network on TCP ports
3389 and 5900).
Computers on the corporate network CAN connect to TCP ports 3389 and 5900 on
the headquarters network. Connections between the other corporate networks
(cn1 to us1) are not defined and can be set as desired.
You only need to block in the direction specified. - Task 5: The servers located on hosts us3 and us4 run a micro webservice on TCP Port 8510 that processes financial information. Access to this service should be blocked from hosts uk2, uk3, uk4, uk5, in4, in5, us5, and hq5. (Hint: Note the IP Addresses for these hosts and you may use the smallest subnet mask that handles the listed hosts using CIDR notation).
Rule Objective: This rule is designed to test using different CIDR notations
to bracket hosts together. Otherwise, the rule is to be interpreted as
written. You do not need to use CIDR notation to combine hosts, but it will
result in many additional rules.
TIPS
- Note that you only need to use an ALLOW rule to override a BLOCK rule. So if no block rule is supplied, the ALLOW is not needed. This is important for Rule #1. You will definitely need to use ALLOW rules for Rule #3.
- Note that if a rule specifies that TCP Port 8510 should be blocked, it does not mean that UDP Port 8510 should be blocked. The autograder checks to ensure that connections are not being overblocked.
What to Turn In
You need to submit your copy of packetcapture.pcap, sdn-firewall.py and
configure.pol from your project directory using the instructions from the
Piazza Post “How to Submit / Zip Our Projects. To recap, zip up the two files
using the following command, replacing gtlogin with your GT Login that you use
to log into Canvas:
zip gtlogin_sdn.zip packetcapture.pcap configure.pol sdn-firewall.py
The key to properly zipping the project is to NOT zip up the directory. ZIP
only the files you are included.
You may also include an additional text file if you have comments, criticisms,
or suggestions for improvement for this project. If you wish to provide this
information, add it to your ZIP file with the name comments.txt. This is
completely optional.
Please check your submission after uploading. As usual, we do not accept
resubmissions past the stated deadlines.
What you can and cannot share
Do not share the content of your sdn-firewall.py, configure.pol, or
packetcapture.pcap with your fellow students, on Ed Discussions, or elsewhere
publicly. You may share any new topologies, testing rulesets, or testing
frameworks, as well as packet captures that do not address the requirements of
Part 4b.