Security

Firewall

The firewall module protects the system services from exposure to the outside network. Firewall rules can be based on a single IP address or on a subnet, which allows fine-grained ingress filtering.

Note: be careful when changing the firewall rules so that you do not lock yourself out of the web interface.

  • Description
    Description for the firewall rule.
  • Ethernet interface
    The interface this rule needs to be applied to.
  • Direction
    • Incoming packets: traffic destined inbound towards the HSMX
    • Outgoing packets: traffic flowing from the HSMX towards the interface
  • Protocol
    • All
    • TCP
    • UDP
    • ICMP
  • Action
    • Accept: allow this type of traffic (connection accepted).
    • Reject: notify the sender that the service is blocked (connection closed).
    • Drop: do not notify or respond at all (the sender times out).
  • State
    • All: stateless, the rule matches regardless of connection state
    • Established: packets belonging to existing open connections
    • Related: packets of a connection that is related to an existing one, e.g. in active FTP the data stream on port 20/tcp is related to the control connection on 21/tcp
  • Port
    • TCP/UDP port (leave unspecified to match any port)
  • Source IP: single IP address or network address with subnet
  • Destination IP: single IP address or network address with subnet
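
The following is an added example (not part of the HSMX manual or the product's own code) that models a rule table with the fields listed above and evaluates packets against it. It assumes first-match-wins evaluation and a default action when nothing matches; the real HSMX order of evaluation is not described on this page. The `lockout_check` function is the practical part: before committing a ruleset, it probes whether a new inbound TCP connection from the administrator's address to the web interface would still be accepted, which is exactly the mistake the note above warns about. All addresses and interface names are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One row of the firewall table; field names follow the manual."""
    description: str
    interface: str                 # Ethernet interface the rule applies to
    direction: str                 # "in" (towards the HSMX) or "out" (from the HSMX)
    protocol: str                  # "all", "tcp", "udp" or "icmp"
    action: str                    # "accept", "reject" or "drop"
    state: str = "all"             # "all" (stateless), "established" or "related"
    port: Optional[int] = None     # TCP/UDP port; None = any port
    src: Optional[str] = None      # single IP or network with prefix; None = any
    dst: Optional[str] = None


@dataclass(frozen=True)
class Packet:
    interface: str
    direction: str
    protocol: str
    src: str
    dst: str
    port: Optional[int] = None     # destination port for tcp/udp
    state: str = "new"             # as a connection tracker would classify it


def _ip_in(pattern: Optional[str], addr: str) -> bool:
    # A bare address is treated as a /32 network by ip_network().
    return pattern is None or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.interface == pkt.interface
            and rule.direction == pkt.direction
            and rule.protocol in ("all", pkt.protocol)
            and rule.state in ("all", pkt.state)
            and (rule.port is None or rule.port == pkt.port)
            and _ip_in(rule.src, pkt.src)
            and _ip_in(rule.dst, pkt.dst))


def decide(rules: List[Rule], pkt: Packet, default: str = "accept") -> str:
    """Assumption: rules are evaluated top to bottom and the first match wins."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def lockout_check(rules: List[Rule], admin_ip: str, hsmx_ip: str,
                  port: int = 443, interface: str = "eth0") -> bool:
    """Pre-commit sanity check: can the administrator still open a new inbound
    TCP connection to the web interface once this ruleset is active?"""
    probe = Packet(interface, "in", "tcp", admin_ip, hsmx_ip, port)
    return decide(rules, probe) == "accept"


# Constructed sample ruleset: management only from the admin subnet, everything
# else towards the web interface is dropped silently.
RULES = [
    Rule("admin HTTPS", "eth0", "in", "tcp", "accept", port=443, src="192.0.2.0/24"),
    Rule("replies to our own connections", "eth0", "in", "all", "accept", state="established"),
    Rule("block HTTPS from anywhere else", "eth0", "in", "tcp", "drop", port=443),
]

if __name__ == "__main__":
    print(decide(RULES, Packet("eth0", "in", "tcp", "198.51.100.7", "192.0.2.1", 443)))  # drop
    print(lockout_check(RULES, "192.0.2.10", "192.0.2.1"))    # True: admin subnet still gets in
    print(lockout_check(RULES, "198.51.100.7", "192.0.2.1"))  # False: outside address is dropped
```

Running `lockout_check` against the ruleset with the first rule removed returns `False`, which is the situation the note above describes: the drop rule would then also catch the administrator's own session.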

Intrusion detection

The intrusion detection module safeguards the system by actively blocking, or warning about, brute-force login attempts. After too many failed login attempts the system can block access to the web interface for a configurable period. Optionally the offending IP address can be added to the blacklist and the administrator can be warned about the event.

The system has IP-based access control in one of two modes: either every IP is accepted except the offenders listed in the blacklist, or every IP is blocked except the IPs or IP ranges listed in the whitelist. To deny subscribers access to the web management interface, put the subscriber IP networks in the blacklist.

  • Enable intrusion detection
    Tick to enable the IDS.
    • Number of login attempts
      Number of allowed failed login attempts
    • Block external logins for
      The period of time the source IP is prevented from signing in.
    • Move IP to blacklist
      Add the IP address to the blacklist once it's been blocked
    • Send an e-mail to administrator
      Sends an e-mail to the administrator configured in the SMTP settings once an IP has been blocked.
  • Login settings:
    • Enable black list/white list
      Tick to enable the whitelist or blacklist feature.
      • Allow everyone except blacklist
        Allow all source IP addresses to login except those on the blacklist.
      • Allow only whitelist
        Everyone is blocked except the addresses on the whitelist. This option makes it very easy to lock yourself out.

Both the blacklist and whitelist tabs work the same way. To add a single IP address, enter the same IP as both start and end address. To specify a range, enter the start and end address. The drop-down in the top-right corner quickly adds the IP subnet associated with an interface.
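
The following is an added example (not from the manual or the product) that models the options above: a counter of failed logins per source IP, a temporary block of that IP once the configured number of attempts is reached, the optional move of the IP to the blacklist, the optional administrator notification, and the two access-control modes. It assumes the block is triggered on the Nth failed attempt and that blocks are measured in seconds; the manual does not state either detail. IP addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class IpRange:
    """One entry of the blacklist or whitelist tab: a start and end address
    (a single IP is entered with start == end, as the manual describes)."""
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address

    def __contains__(self, ip: ipaddress.IPv4Address) -> bool:
        return self.start <= ip <= self.end


def ip_range(start: str, end: Optional[str] = None) -> IpRange:
    return IpRange(ipaddress.IPv4Address(start), ipaddress.IPv4Address(end or start))


@dataclass
class LoginGuard:
    max_attempts: int                 # "Number of login attempts"
    block_seconds: int                # "Block external logins for" (seconds, an assumption)
    mode: str = "off"                 # "off", "blacklist" (allow everyone except) or "whitelist" (allow only)
    move_to_blacklist: bool = False   # "Move IP to blacklist"
    notify_admin: bool = False        # "Send an e-mail to administrator"
    blacklist: List[IpRange] = field(default_factory=list)
    whitelist: List[IpRange] = field(default_factory=list)
    failures: Dict[ipaddress.IPv4Address, int] = field(default_factory=dict)
    blocked_until: Dict[ipaddress.IPv4Address, float] = field(default_factory=dict)
    outbox: List[str] = field(default_factory=list)   # stands in for the e-mail to the administrator

    @staticmethod
    def _listed(ip: ipaddress.IPv4Address, entries: List[IpRange]) -> bool:
        return any(ip in r for r in entries)

    def login_allowed(self, ip_str: str, now: float) -> bool:
        """IP-based access control first, then the temporary brute-force block."""
        ip = ipaddress.IPv4Address(ip_str)
        if self.mode == "whitelist" and not self._listed(ip, self.whitelist):
            return False
        if self.mode == "blacklist" and self._listed(ip, self.blacklist):
            return False
        return self.blocked_until.get(ip, 0) <= now

    def record_failure(self, ip_str: str, now: float) -> bool:
        """Count a failed login; returns True when this failure triggers a block."""
        ip = ipaddress.IPv4Address(ip_str)
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] < self.max_attempts:   # assumption: block on the Nth failure
            return False
        self.failures[ip] = 0
        self.blocked_until[ip] = now + self.block_seconds
        if self.move_to_blacklist:
            self.blacklist.append(ip_range(ip_str))   # persists beyond the block period
        if self.notify_admin:
            self.outbox.append(f"IDS: {ip} blocked for {self.block_seconds}s "
                               f"after {self.max_attempts} failed logins")
        return True

    def record_success(self, ip_str: str) -> None:
        # A successful login resets the failure counter for that address.
        self.failures.pop(ipaddress.IPv4Address(ip_str), None)


if __name__ == "__main__":
    guard = LoginGuard(max_attempts=3, block_seconds=600, mode="blacklist",
                       move_to_blacklist=True, notify_admin=True)
    for t in range(3):
        guard.record_failure("203.0.113.5", t)   # constructed offender address
    print(guard.login_allowed("203.0.113.5", 100))     # False: blocked until t=602
    print(guard.login_allowed("203.0.113.5", 10_000))  # False: now on the blacklist
    print(guard.outbox)
```

Note the interaction the manual points at: with "Move IP to blacklist" enabled, the block outlives the configured period, and a blacklist entry only takes effect while the blacklist/whitelist feature itself is enabled.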

Log settings

System log

The HSMX can be configured to log anything from almost nothing to very verbose debug log files. Configure the logging facility under Security → Log Settings. The log files can also be sent to an external syslog server. A log message can originate from several sources within the HSMX:

  • AAA
  • Radius
  • Portal
  • Config
  • XML
  • System
  • Load-balancing
    WAN load-balancing messages
  • Cluster
  • Wireless
    3G modem and WiFi logging

Each log message has a specific severity. Selecting a less severe threshold (towards DEBUG) logs more information but might overwhelm the administrator with unrelated messages.

  • EMERGENCY: System is unusable
    A “panic” condition usually affecting multiple apps/servers/sites. At this level it would usually notify all tech staff on call.
  • ALERT: Action must be taken immediately
    Should be corrected immediately, therefore notify staff who can fix the problem. An example would be the loss of a primary ISP connection.
  • CRITICAL: Critical conditions
    Should be corrected immediately, but indicates failure in a secondary system, an example is a loss of a backup ISP connection.
  • ERROR: Error conditions
    Non-urgent failures; these should be relayed to developers or admins, and each item must be resolved within a given time.
  • WARNING: Warning conditions
    Warning messages, not an error, but indication that an error will occur if action is not taken, e.g. file system 85% full - each item must be resolved within a given time.
  • NOTICE: Normal but significant condition
    Events that are unusual but not error conditions - might be summarized in an email to developers or admins to spot potential problems - no immediate action required.
  • INFO: Informational messages
    Normal operational messages - may be harvested for reporting, measuring throughput, etc. - no action required.
  • DEBUG: Debug-level messages
    Info useful to developers for debugging the application, not useful during operations.

source: Wikipedia[en]

To view the log files, browse to Tools → Logging → Syslog.

Lawful interception

Choose whether the device needs to log user activity and specify which details need to be stored. The logs can be sent to a remote server by enabling remote logging.

URL logging

This setting uses an internal proxy server to log all URLs requested by subscribers. Only use this feature if logging this information is permitted in your region. Using a proxy disables certain functionality such as QoS for web traffic and 1-to-1 NAT. URL logging does not work when subscribers set up a VPN connection: the traffic is encrypted, so the URLs cannot be observed.

DNS logging

Once DNS logging is enabled, all DNS requests on subscriber interfaces are logged on the HSMX and shown in the subscriber details. Optionally you can configure the number of subdomains that the HSMX retains.

Network policies

Network policies are firewall rules for subscribers: they can redirect, slow down, deny or allow network traffic to and from a single subscriber device. To apply a network policy, assign a rule or group of rules to a location or billing plan. When both a billing-plan policy and a location policy apply to a subscriber, the billing-plan policy takes precedence.

  • Drop
    Drops the packet without notifying the sender; the sender will likely time out or stall on the half-open connection.
  • Accept
    Packets will be allowed through
  • Redirect
    Apply destination NAT to forwarded packets
  • Limit
    Selectively forward and drop packets
    • per Packets
    • per Connections

You can apply these actions based on traffic type (TCP (+port) / UDP (+port) / ICMP) and/or on a destination IP/subnet. You can group network policies by ticking them and clicking the “add to group” link; this is needed if you want to apply multiple rules at the same time.

Limit

Limiting is easiest to explain with an example configuration: 3 connections per second with a burst of 5.

ClientA

  • 0→1 sec: initiate 3 connections. → OK
  • 1→2 sec: initiate 3 connections. → OK
  • 2→3 sec: initiate 4 connections. → PARTIAL OK: the last connection is held back

ClientB

  • 0→1 sec: initiate 3 connections. → OK
  • 1→2 sec: initiate 2 connections. → OK
  • 2→3 sec: initiate 4 connections. → OK: one unused connection is borrowed from the previous time slot

ClientC

  • 0→1 sec: initiate 3 connections. → OK
  • 1→2 sec: initiate 0 connections. → OK
  • 2→3 sec: initiate 6 connections. → PARTIAL OK: two unused connections are borrowed from the previous time slot, and one connection is cut off because the burst limit has been reached.
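
The three clients above are reproduced by the following token-bucket model, added here as an example; it is not the HSMX implementation, whose internals this page does not describe. The model assumes that each one-second slot adds `rate` new connection allowances, that unused allowances carry over into later slots up to `burst`, and that the bucket starts with one slot's worth (starting with a full burst would let ClientA's fourth connection through, which contradicts the example). Connections beyond the available allowance are held back.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ConnectionLimiter:
    """Token-bucket model of the 'Limit' action (a reconstruction from the
    manual's example, not the product's code).
    rate  = connections allowed per one-second slot
    burst = maximum number of allowances that can accumulate
    """
    rate: int
    burst: int
    tokens: int = field(init=False)

    def __post_init__(self) -> None:
        # Assumption: the bucket starts with exactly one slot's allowance.
        self.tokens = self.rate

    def next_slot(self) -> None:
        # Start of a new second: one slot's allowance is added, and whatever was
        # left unused carries over, capped at the configured burst.
        self.tokens = min(self.burst, self.tokens + self.rate)

    def admit(self, requested: int) -> Tuple[int, int]:
        """Admit up to `requested` new connections in the current slot.
        Returns (accepted, held_back)."""
        accepted = min(requested, self.tokens)
        self.tokens -= accepted
        return accepted, requested - accepted


def simulate(rate: int, burst: int, per_slot: List[int]) -> List[Tuple[int, int]]:
    """Run one client's per-second connection attempts through a fresh limiter."""
    limiter = ConnectionLimiter(rate, burst)
    results = []
    for i, requested in enumerate(per_slot):
        if i > 0:
            limiter.next_slot()
        results.append(limiter.admit(requested))
    return results


if __name__ == "__main__":
    # The manual's configuration (3 per second, burst 5) and its three clients.
    clients = {"ClientA": [3, 3, 4], "ClientB": [3, 2, 4], "ClientC": [3, 0, 6]}
    for name, attempts in clients.items():
        print(name, simulate(3, 5, attempts))
    # ClientA [(3, 0), (3, 0), (3, 1)]
    # ClientB [(3, 0), (2, 0), (4, 0)]
    # ClientC [(3, 0), (0, 0), (5, 1)]
```

Each tuple is (accepted, held back) for one slot. ClientC shows the burst cap doing its job: three allowances were left over after the idle second, but only two of them survive because the bucket cannot hold more than 5.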

SSL

System SSL

With this module you manage the SSL certificate of the web server. By default the system is loaded with the certificate for login.fdxtended.com, which is a valid certificate. If you already have a certificate, use the 'enter SSL certificates manually' function to input the private key, the public key (certificate) and the CA certificates. If you still need a certificate, click 'generate CSR' to create a certificate signing request; with this CSR you can buy an SSL certificate from a known certificate authority.

Guest networks

If a valid SSL certificate is uploaded you can enable the following options:

  • Redirect portal requests to HTTPS: all portal requests will use HTTPS.
  • Support HTTPS redirections on the LAN side: by default the gateway does not accept HTTPS requests from non-authorized clients. Enabling this feature shows the portal for HTTPS requests as well, although the browser will show an invalid SSL certificate warning (the subscriber receives certificate warnings).

manual/security.txt · Last modified: 2015/05/20 08:51 by ewald