Buôn Ma Thuột, Capital of White Hat Hackers

Vietnam's White Hat Hacker training programme in the city of Buôn Ma Thuột, combined with tourism. Arrive as a newbie, go home a WHITE HAT HACKER!

Hacking and Penetration Testing with Metasploit

Security365's training programme on using the Metasploit Framework for penetration testing and hacking.

C50 Computer Forensics Materials

Study materials on digital evidence investigation (CHFI), compiled by Security365 for training at C50.

Students with Hacking and Information Security

A student hacking competition, with web-application attack challenges for students built on the Hackademic Challenge platform.

Attack and Defence with BackTrack / Kali Linux

A course on attack and defence using the professional hacker toolkits BackTrack and Kali Linux, based on Offensive Security course content.

Showing posts with label Firewall.

Isowall - A mini-firewall that completely isolates a target device from the local network

Isowall is a mini-firewall that completely isolates a target device from the local network. The use case is giving an infected machine Internet access without letting it reach, or be reached from, anything else on the local network.

Building

This project depends upon libpcap, and of course a C compiler.
On Debian, the following should work:
# apt-get install git gcc make libpcap-dev
# git clone https://github.com/robertdavidgraham/isowall
# cd isowall
# make

This will put the binary isowall in the local isowall/bin directory.
This should also work on Windows, Mac OS X, xBSD, and pretty much any operating system that supports libpcap.

Running

First, setup a machine with three network interfaces.

The first network interface (like eth0) will be configured as normal, with a TCP/IP stack, so that you can SSH to it.

The other two network interfaces must have no TCP/IP stack at all: no IP address, no DHCP client, nothing bound to them. This is the most important configuration step, and the most common thing to get wrong. For example, the DHCP client on the box may be configured to send DHCP requests on these additional interfaces automatically; fix that so that nothing is bound to them. A quick check is to run "ip addr show eth1" and "ip addr show eth2": neither should list an inet or inet6 address. Anything the host itself emits on these interfaces (DHCP, ARP, IPv6 neighbour discovery) bypasses the isolation.

To run, simply type:
# ./bin/isowall --internal eth1 --external eth2 -c xxxx.conf

where xxxx.conf contains your configuration, which is described below.

Configuration

The following shows a typical configuration file.
internal = eth1
internal.target.ip = 10.0.0.129
internal.target.mac = 02:60:8c:37:87:f3

external = eth2
external.router.ip = 10.0.0.1
external.router.mac = 66:55:44:33:22:11

allow = 0.0.0.0/0
block = 192.168.0.0/16
block = 10.0.0.0/8
block = 224.0.0.0-255.255.255.255


The target device we are isolating has the indicated IP and MAC address.

Only IPv4 and ARP packets are passed.

Outbound packets must have the following conditions:
  • source MAC address equal to internal.target.mac
  • destination MAC address equal to external.router.mac
  • EtherType of 0x800 or 0x806
  • source IPv4 address equal to internal.target.ip
  • destination IPv4 address within an allow range, but not in a block range
  • if an ARP packet, then the destination IPv4 address must equal external.router.ip
  • if an ARP packet, must be a "request"

Inbound packets must have the following conditions:
  • destination MAC address equal to internal.target.mac
  • source MAC address equal to external.router.mac
  • EtherType of 0x800 or 0x806
  • destination IPv4 address equal to internal.target.ip
  • source IPv4 address within an allow range, but not in a block range
  • if an ARP packet, then the source IPv4 address must equal external.router.ip
  • if an ARP packet, then must be a "reply"
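The two rule lists above can be checked mechanically. The following Python is an added example, not isowall's own code: it parses a configuration file in the format shown, decodes only the Ethernet, IPv4 and ARP header fields the rules refer to, and applies the outbound and inbound conditions exactly as listed. The config text is copied from the sample above; the frames are constructed by hand, and the function names (parse_config, outbound_allowed, inbound_allowed, build_ipv4_frame, build_arp_frame) are this example's own.

```python
import ipaddress
import struct

# Constructed config in the format shown above (values copied from the sample)
CONFIG_TEXT = """\
internal = eth1
internal.target.ip = 10.0.0.129
internal.target.mac = 02:60:8c:37:87:f3
external = eth2
external.router.ip = 10.0.0.1
external.router.mac = 66:55:44:33:22:11
allow = 0.0.0.0/0
block = 192.168.0.0/16
block = 10.0.0.0/8
block = 224.0.0.0-255.255.255.255
"""

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def ip_int(text):
    return int(ipaddress.IPv4Address(text))


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def parse_range(text):
    """'a.b.c.d/nn' or 'a.b.c.d-e.f.g.h' -> inclusive (first, last) as integers."""
    if "-" in text:
        lo, hi = text.split("-", 1)
        return ip_int(lo.strip()), ip_int(hi.strip())
    net = ipaddress.IPv4Network(text.strip(), strict=False)
    return int(net.network_address), int(net.broadcast_address)


def parse_config(text):
    cfg = {"allow": [], "block": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ("allow", "block"):
            cfg[key].append(parse_range(value))
        else:
            cfg[key] = value.lower()  # MACs are compared as lowercase hex
    return cfg


def ip_permitted(ip, cfg):
    """Permitted only if inside some allow range AND outside every block range."""
    return (any(lo <= ip <= hi for lo, hi in cfg["allow"])
            and not any(lo <= ip <= hi for lo, hi in cfg["block"]))


def parse_frame(frame):
    """Decode just the fields the rules inspect; None means 'neither IPv4 nor ARP' -> drop."""
    if len(frame) < 14:
        return None
    f = {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
         "ethertype": struct.unpack("!H", frame[12:14])[0]}
    p = frame[14:]
    if f["ethertype"] == ETHERTYPE_IPV4 and len(p) >= 20 and p[0] >> 4 == 4:
        f["src_ip"] = int.from_bytes(p[12:16], "big")
        f["dst_ip"] = int.from_bytes(p[16:20], "big")
    elif f["ethertype"] == ETHERTYPE_ARP and len(p) >= 28 and p[:6] == b"\x00\x01\x08\x00\x06\x04":
        f["arp_op"] = struct.unpack("!H", p[6:8])[0]
        f["src_ip"] = int.from_bytes(p[14:18], "big")  # sender protocol address
        f["dst_ip"] = int.from_bytes(p[24:28], "big")  # target protocol address
    else:
        return None
    return f


def outbound_allowed(frame, cfg):
    f = parse_frame(frame)
    if (f is None or f["src_mac"] != cfg["internal.target.mac"]
            or f["dst_mac"] != cfg["external.router.mac"]
            or f["src_ip"] != ip_int(cfg["internal.target.ip"])):
        return False
    if f["ethertype"] == ETHERTYPE_ARP:
        return f["arp_op"] == ARP_REQUEST and f["dst_ip"] == ip_int(cfg["external.router.ip"])
    return ip_permitted(f["dst_ip"], cfg)


def inbound_allowed(frame, cfg):
    f = parse_frame(frame)
    if (f is None or f["dst_mac"] != cfg["internal.target.mac"]
            or f["src_mac"] != cfg["external.router.mac"]
            or f["dst_ip"] != ip_int(cfg["internal.target.ip"])):
        return False
    if f["ethertype"] == ETHERTYPE_ARP:
        return f["arp_op"] == ARP_REPLY and f["src_ip"] == ip_int(cfg["external.router.ip"])
    return ip_permitted(f["src_ip"], cfg)


# Frame builders used only to construct test input (minimal headers, no checksums)
def build_ipv4_frame(src_mac, dst_mac, src_ip, dst_ip):
    ip_hdr = (bytes([0x45]) + b"\x00" * 11 + ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed)
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr


def build_arp_frame(src_mac, dst_mac, op, sender_ip, target_ip):
    arp = (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, op) + mac_bytes(src_mac)
           + ipaddress.IPv4Address(sender_ip).packed + mac_bytes(dst_mac)
           + ipaddress.IPv4Address(target_ip).packed)
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP) + arp
```

Two things the rules as listed imply, and which the example reproduces: with the sample config, an IPv4 packet from the target to the router's own address 10.0.0.1 is dropped (10.0.0.0/8 is blocked), while an ARP request for 10.0.0.1 passes; and a broadcast ARP request (destination ff:ff:ff:ff:ff:ff) from the target is dropped because its destination MAC is not the router's.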

Webfwlog 1.01 - Web-Based Firewall Log Analysis and Reporting


Webfwlog is a flexible web-based firewall log analyzer and reporting tool. It supports standard system logs for Linux, FreeBSD, OpenBSD, NetBSD, Solaris, IRIX, OS X and others, as well as Windows XP®. Supported log file formats are netfilter, ipfilter, ipfw, ipchains and Windows XP®. Webfwlog also supports logs saved in a database using the ULOG or NFLOG targets of the Linux netfilter project, or any other database logs mapped with a view onto the ulogd schema. Versions 1 and 2 of the ulogd database schema are supported.

Webfwlog fully supports IPv6 for database logs, and netfilter and ipfilter system logs.
With Webfwlog you can design reports over your logged data in whatever form you need. Example reports are included as a starting point. You can sort a report with a single click, "drill down" through the reports all the way to the packet level, and save your reports for later use. You can also create a link directly to any saved report.

PREREQUISITES

- A web server with PHP >= 4.1
- Log files in standard netfilter, ipfilter, ipfw, ipchains or Windows XP® format
      or database logs populated with the ULOG or NFLOG target of netfilter,
      or other database logs mapped with a view to ulogd version 1 or 2 schemas
- A MySQL or PostgreSQL database server:
      - MySQL >= 3.23.52 or any production release of 4.x or 5.x
            - MySQL >= 5 required for IPv6
      - PostgreSQL >= 7.1
            - PostgreSQL >= 7.4 required for IPv6
- Your favorite web browser.

Windows XP® support provided via Cygwin.
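Webfwlog's reports and drill-downs are built on the fields parsed out of each log line. The following Python is an added example, not Webfwlog's own code: it parses netfilter syslog lines (IPv4 and IPv6, as Webfwlog supports for netfilter system logs) into field dictionaries, builds a count report over any set of fields, narrows the record set by field value the way a drill-down does, and flags sources that probed several distinct TCP ports, a check worth running over exactly these logs. The log lines are constructed for the example, not captured from a live system; the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed netfilter syslog lines (LOG target with --log-prefix "IPT-DROP "); not real traffic
SAMPLE_LOG = """\
Oct 13 09:12:01 gw kernel: [ 1201.551] IPT-DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=41236 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 13 09:12:03 gw kernel: [ 1203.118] IPT-DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=41237 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 13 09:12:05 gw kernel: [ 1205.004] IPT-DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=41238 DF PROTO=TCP SPT=51236 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 13 09:13:10 gw kernel: [ 1270.772] IPT-DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=192.0.2.44 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=40000 DPT=53 LEN=20
Oct 13 09:13:12 gw kernel: [ 1272.330] IPT-DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:86:dd SRC=2001:db8::1 DST=2001:db8::10 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=44444 DPT=22 WINDOW=64800 RES=0x00 SYN URGP=0
Oct 13 09:13:20 gw kernel: [ 1280.001] IPT-DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s*"
    r"(?:\[\s*[\d.]+\]\s*)?(?P<prefix>[^=]*?)\s*IN=(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")
FLAG_TOKENS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "CE"}


def parse_line(line):
    """One syslog line -> dict of fields, or None if it is not a netfilter log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = "IN=" + m.group("rest")
    rec = {"TS": m.group("ts"), "HOST": m.group("host"), "PREFIX": m.group("prefix").strip()}
    for key, value in FIELD_RE.findall(rest):
        rec.setdefault(key, value)  # keep the first LEN/ID: the IP header's, not UDP's/ICMP's
    rec["FLAGS"] = sorted(tok for tok in rest.split() if tok in FLAG_TOKENS)
    return rec


def parse_log(text):
    return [rec for rec in (parse_line(line) for line in text.splitlines()) if rec]


def report(records, *keys):
    """Count records per distinct combination of the given fields, most frequent first."""
    counts = Counter(tuple(r.get(k, "") for k in keys) for r in records)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def drill(records, **criteria):
    """Drill-down: keep only records whose fields equal every given value."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


def port_scan_sources(records, min_ports=3):
    """Sources seen knocking on at least `min_ports` distinct TCP destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r.get("PROTO") == "TCP" and "DPT" in r:
            ports[r["SRC"]].add(r["DPT"])
    return sorted(src for src, seen in ports.items() if len(seen) >= min_ports)
```

The only format subtlety worth knowing is that a field name can repeat within one line (LEN for IP and UDP, ID for IP and ICMP); a report that sums "LEN" must pick one consistently, which is why the parser keeps the first occurrence.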



WAF-FLE v0.6.4 - OpenSource ModSecurity Console


WAF-FLE is an open-source ModSecurity console. It lets the ModSecurity administrator store, view and search the events sent by sensors, using a graphical dashboard to drill down and quickly find the most relevant events. It is designed to be fast and flexible while keeping a powerful and easy-to-use filter, with almost every field clickable to add it to the filter.

The initial resources required to run WAF-FLE are normally low (see the Deployment Guide on the Documentation page). It runs in virtual machines and is supported on Linux and FreeBSD, but should run on any other OS that supports PHP and MySQL.

Features
  • Central event console
  • Supports ModSecurity in both “traditional” and “Anomaly Scoring” modes
  • Brings mlog2waffle as a replacement for mlogc
  • Receives events via mlog2waffle or mlogc
    • mlog2waffle: in real time, following the log tail, or in batch scheduled from crontab
    • mlogc: in real time, piped from the ModSecurity log, or in batch scheduled from crontab
  • No sensor limit
  • Drill-down of events with filter
  • Dashboard with recent event information
  • Almost every event field and chart is “clickable”, deepening the drill-down filter
  • Inverted filter (to filter for “all but this item”)
  • Filter by network (in CIDR format, x.x.x.x/22)
  • Event download in original (raw) format
  • Uses MySQL as its database
  • Wizard to help configure the log feed between ModSecurity sensors and WAF-FLE
  • Open source, released under GPL v2

Changelog v0.6.4
  • Support for rules and mod_security builds from Atomic Turtle;
  • Addressed the performance impact of a high number of hostnames in the database;
  • New number for the custom tag ID, to avoid conflict with an already present tag;
  • Better handling of “PCRE limits exceeded”;

ModSecurity v2.8.0 - Open Source Web Application Firewall


ModSecurity™ is a free, open source web application firewall (WAF) Apache module. With over 70% of all attacks now carried out at the web application layer, organizations need all the help they can get in securing their systems.


Changelog v2.8.0
Bug fixes
  • Build issue: now using autotools to detect whether sys/utsname.h is present.
  • Changed the configure.ac version to 2.8.

Changelog v2.8.0-rc1:

New features
  • The JSON parser is no longer experimental; it is now part of the mainline.
  • Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit) now support a whitelist and a suspicious list.
  • New variables FULL_REQUEST and FULL_REQUEST_LENGTH were added, giving rules access to the full content of a request.
  • ModSecurity status is now part of the mainline.
  • New operator @detectXSS was added. It uses the newest libinjection XSS detection functionality.
  • Append and prepend are now supported on Nginx (Ref: #635);
  • SecServerSignature is now available on Nginx (Ref: #637);
Improvements
  • Regression tests are now able to expect different values according to the platform;
  • Visual C++ 12/10 runtime dependencies are now part of the IIS installer; they no longer need to be installed before installing ModSecurity (Ref: #627);
  • A new script was added to the IIS versions to identify whether a dependency is missing (available through the Application Menu);
  • Memory usage improvement: using the correct memory pools according to the context (Ref: #618, #619, #620);
  • Independent API call to free the connection allocations, independently of the request objects; improves Nginx performance, see the issue for more information (Ref: #620, #648);
  • The IIS installer now uses the correct 32/64-bit folders to install;
  • The 32-bit IIS installer now refuses to install on 64-bit environments;
  • IIS: using new WiX options to build the package for the correct architecture;
  • While installing the IIS version, the installer removes old ModSecurityIIS configuration or files before proceeding with the installation, avoiding further errors;
  • The CRS shipped with the IIS version was upgraded to 2.2.9;
  • The IIS installer no longer supports repair; in fact it was not working already and it is now disabled;
  • ModSecurity now warns the user who tries to use “proxy” on IIS or Nginx. Proxy is Apache only;
  • Removed warnings from the build process (Ref: #617);
  • The Apache configuration in the regression tests was changed to make it more platform independent;
  • Reduced the number of warnings during compilation (Ref: #385a2828e87897bd611bd2a519727ef88dc6d632, #1e63e49db4a592d28e08a33fc60750c37a3886fe);
  • Regression tests were refactored to be more Nginx friendly;
  • Fixed some regression tests that were not flexible enough to handle multiple platforms (Ref: #636);
    • Fixed the config/00-load-modsec.t test case. It now expects the Nginx loaded message as it does for Apache (Ref: #643);
    • Fixed mixed/10-misc-directives.t. It no longer expects SecServerSignature in the logs, only in the headers, since Nginx sets it silently;
    • Fixed tnf/10-tfn-cache.t, action/10-logging.t, config/10-misc-directives.t, config/10-request-directives.t, misc/00-multipart-parser.t, misc/10-tfn-cache.t, rule/20-exceptions.t, rule/00-basics.t, rule/10-xml.t;
    • Increased the timeout while reading the audit log;
    • SecAuditLogType Concurrent was removed from the regression test case; it is not compatible with all ports yet;
    • Regression tests were sped up; as the number of tests grows, they cannot be allowed to stay slow;
    • Fixed regression test script paths, to make them MacOS friendly;
    • Avoiding deadlocks in the Nginx regression tests by enforcing a timeout whenever a request appears to fail;
  • Updates to fix errors found by Parfait static code analysis (Ref: #612);
  • Cleaned up the repository by removing unused files;
  • The IIS installer now supports performing the installation without registering the DLL on the system, so the user can use our MSI installer as if it were a tarball archive (Ref: #624, #629);
  • IIS now supports 32-bit and 64-bit pools; both are registered in IIS (Ref: #628).
Bug fixes

  • Correctly handling inet_pton in the IIS version;
  • Nginx was missing a terminator when the charset string was built (Ref: #148);
  • Added mod_extract_forwarded.c to run before mod_security2.c (Ref: #594);
  • Added missing environment variables to the regression tests;
  • The build system is now more flexible, also looking for liblua in /usr/local/lib;
  • Fixed a typo in the README file;
  • Removed the non-standard-compliant HTTP response status code 44 from the modsecurity recommended configuration file (Ref: #665);
  • Fixed a segmentation fault when writing to the audit log fails (Ref: #668);
  • No longer rejecting a larger request with ProcessPartial. Regression tests were also added (Ref: #597);
  • Fixed UTF-8 to Unicode conversion. Regression tests were also added (Ref: #672);
  • Avoiding a segmentation fault by checking whether a structure is null before accessing its members;
  • Removed the double charset header that used to appear due to a hardcoded charset in the Nginx implementation (Ref: #650);
  • Now alerting the user that there is no memory to proceed with loading the configuration, instead of just dying;
  • If SecRuleEngine was set to Off and SecRequestBodyAccess to On, Nginx returned error 500. The standalone module is now able to identify whether ModSecurity is enabled or disabled, independently of the ModSecurity core (Ref: #645);
  • Fixed missing headers on Nginx whenever SecResponseBodyAccess was set to On and a filter happened to run in phase 3 or later (Ref: #634);
  • IIS now picks the correct version of AppCmd while uninstalling or installing ModSecurityIIS (Ref: #632).

[WAF-FLE v0.6.3] Web application firewall: fast log and event console


WAF-FLE is an open-source console for ModSecurity. It allows the ModSecurity administrator to view and search the events sent by mlogc (the ModSecurity event log handler).

Features:
  • Central event console
  • Supports ModSecurity in both “traditional” and “Anomaly Scoring” modes
  • Able to receive events sent by mlogc (in real time, or in batch using mlogc-batch-load.pl)
  • No limit on the number of sensors
  • Dashboard with recent event information
  • Drill-down of events with filter
  • Almost every data item is “clickable” to narrow the drill-down filter
  • Inverted filter (to filter for “all but this item”)
  • Filter by network (in CIDR format, x.x.x.x/22)
  • Raw event download
  • Uses MySQL as its database
  • Open source, released under GPL v2

[dotDefender] Web Application Security


dotDefender is a market-leading software Web Application Firewall (WAF). dotDefender boasts enterprise-class security, advanced integration capabilities, easy maintenance and low total cost of ownership (TCO).

dotDefender is the perfect choice for protecting your web site and web applications today.

Robust Security for Any Web Application

dotDefender protects any web site or web service on your server, and continues to do so as you update, change and expand your code. The dotDefender WAF reduces the cost of code scanning and lets you focus on your business rather than on web application security. dotDefender can also handle .NET security issues.

PCI DSS Compliance

dotDefender helps you achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Why Application Security?

If you thought that network security and other "traditional security measures" were enough, think again. Web Application Firewalls deal with security attacks aimed squarely at your web site, and these attacks are on the rise. Read more on Web Application Firewalls and the dotDefender security solution.

[ModSecurity v2.7] Open Source Web Application Firewall


ModSecurity is an embeddable web application firewall, which means it can be deployed as part of your existing web server infrastructure (Apache, IIS7 and Nginx).

This deployment method has certain advantages:

  1. No changes to the existing network. It only takes a few minutes to add ModSecurity to your existing web servers. And because it was designed to be completely passive by default, you are free to deploy it incrementally and only use the features you need. It is equally easy to remove or deactivate it should you decide you don't want it any more.
  2. No single point of failure. Unlike with network-based deployments, you will not be introducing a new point of failure into your system.
  3. Implicit load balancing and scaling. Because it is embedded in the web servers, ModSecurity automatically benefits from whatever load balancing and scalability features are already in place. You will not need to think about load balancing and scaling unless your existing system needs them.
  4. Minimal overhead. Because it works inside the web server process, there is no overhead for network communication and minimal overhead in parsing and data exchange.
  5. No problem with encrypted or compressed content. Many IDS systems have difficulty analysing SSL traffic. This is not a problem for ModSecurity because it is positioned to work after the traffic has been decrypted and decompressed.

ModSecurity is known to work well on a wide range of operating systems. Our customers are successfully running it on Linux, Windows, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, Mac OS X and HP-UX.

[Tunna Framework] Tool designed to bypass firewall restrictions on remote webservers


Tunna is a set of tools that wrap and tunnel any TCP communication over HTTP. It can be used to bypass network restrictions in fully firewalled environments. A web application file (the webshell) must first be uploaded to the remote web server. It is then used to open a local connection to services running on that web server, or on any other host in the DMZ. The local application talks to the webshell over HTTP and exposes a local port for the client application to connect to.

Since all external communication is done over HTTP, it is possible to bypass the filtering rules and reach any service behind the firewall via the web server on the other end.

Tunna framework

The Tunna framework comes with the following functionality:

  • Ruby client (proxy bind): a Ruby client proxy that sets up the tunnel to the remote web application and tunnels TCP traffic.
  • Python client (proxy bind): a Python client proxy that sets up the tunnel to the remote web application and tunnels TCP traffic.
  • Metasploit integration module, which allows transparent execution of Metasploit payloads on the server.
  • ASP.NET remote script
  • Java remote script
  • PHP remote script
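The mechanism Tunna relies on is shown below as an added example. This is not Tunna's own code or wire format: the /tunnel path, the X-Session and X-Action headers and the class names are this example's own. An HTTP handler stands in for the uploaded webshell; on request it opens a TCP connection to an internal service and then relays the bytes carried in POST bodies in both directions. A client class drives it, and a small upper-casing echo service plays the internal service that is only reachable from the web server. Everything runs on the loopback interface.

```python
import http.client
import socket
import socketserver
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class TunnelHandler(BaseHTTPRequestHandler):
    """Remote side: stands in for the webshell uploaded to the web server."""
    sessions = {}  # session id -> open TCP socket towards the internal service

    def do_POST(self):
        sid = self.headers.get("X-Session")
        action = self.headers.get("X-Action")
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if action == "connect":                 # body = "host:port" of the target service
            host, port = body.decode().rsplit(":", 1)
            s = socket.create_connection((host, int(port)), timeout=2)
            s.settimeout(0.2)                   # short poll so "send" returns promptly
            self.sessions[sid] = s
            out = b"OK"
        elif action == "send":                  # body = raw TCP payload to forward
            s = self.sessions[sid]
            if body:
                s.sendall(body)
            out = b""
            try:
                while True:                     # drain whatever the service answered
                    chunk = s.recv(4096)
                    if not chunk:
                        break
                    out += chunk
            except socket.timeout:
                pass
        elif action == "close":
            self.sessions.pop(sid).close()
            out = b"BYE"
        else:
            self.send_error(400)
            return
        self.send_response(200)
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

    def log_message(self, *args):  # silence per-request logging
        pass


class TunnelClient:
    """Local side: turns a TCP conversation into a series of HTTP POSTs."""

    def __init__(self, web_host, web_port, sid="s1"):
        self.conn = http.client.HTTPConnection(web_host, web_port, timeout=5)
        self.sid = sid

    def _post(self, action, body=b""):
        self.conn.request("POST", "/tunnel", body=body,
                          headers={"X-Session": self.sid, "X-Action": action})
        return self.conn.getresponse().read()

    def connect(self, host, port):
        return self._post("connect", f"{host}:{port}".encode())

    def exchange(self, data):
        return self._post("send", data)

    def close(self):
        return self._post("close")


class UpperEcho(socketserver.BaseRequestHandler):
    """Stand-in for an internal service that only the web server can reach."""

    def handle(self):
        while True:
            data = self.request.recv(4096)
            if not data:
                break
            self.request.sendall(data.upper())


def serve_in_background(server):
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


def demo():
    """Round-trip one message: client -> web server (webshell) -> internal service and back."""
    service = socketserver.ThreadingTCPServer(("127.0.0.1", 0), UpperEcho)
    service_port = serve_in_background(service)
    web = HTTPServer(("127.0.0.1", 0), TunnelHandler)
    web_port = serve_in_background(web)
    try:
        client = TunnelClient("127.0.0.1", web_port)
        if client.connect("127.0.0.1", service_port) != b"OK":
            raise RuntimeError("tunnel connect failed")
        reply = client.exchange(b"hello through http")
        client.close()
    finally:
        web.shutdown()
        service.shutdown()
    return reply


if __name__ == "__main__":
    print(demo())
```

Note what the handler does not do: it authenticates nobody. Once a file like this sits on a web server, anyone who can reach its URL has a TCP proxy into the DMZ, which is why Tunna needs the upload step in the first place, and why upload restrictions and outbound connection limits on web servers are worth enforcing.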


[Sanewall 1.0.0] Making sense of firewalling


Sanewall is a firewall builder for Linux which uses an elegant language abstracted to just the right level. This makes it powerful as well as easy to use, audit, and understand. It allows you to create very readable configurations even for complex stateful firewalls.

Sanewall can be used for almost any firewall need, including:
  • control of any number of internal/external/virtual interfaces
  • control of any combination of routed traffic
  • setting up DMZ routers and servers
  • all kinds of NAT
  • providing strong protection (flooding, spoofing, etc.)
  • transparent caches
  • source MAC verification
  • blacklists, whitelists

The current experimental snapshots support IPv6. Sanewall abstracts the differences between IPv4 and IPv6, allowing you to define a common set of rules for both while permitting specific rules for each as you need.

Sanewall is a fork of FireHOL. The configuration language is identical; just see this FAQ for some variable name changes. For now the FireHOL website is still the best source of introductory information.
Sanewall is released under the GPLv2+ open source licence.

[360-FAAR v0.4.1] Firewall Analysis Audit And Repair


360-FAAR (Firewall Analysis Audit and Repair) is an offline, command-line Perl tool for manipulating firewall policies: it can filter policies, compare them to logs, merge and translate them, and output firewall commands for new policies as Checkpoint dbedit, Cisco ASA or ScreenOS commands. And it is one file!

Changes: This release adds the 'mergelog' mode to merge binary log entries from one config with another, and significantly updates the user interface. All configs can be loaded from the 'load' menu instead of being specified on the command line. 'verbose' switches were added to the 'print' and 'rr' modes so that screen output can be switched off, and all 'end.' keywords have been changed to simply '.' to reduce the number of keystrokes needed. Entering '0' now adds all options, and '.' chooses the default if one is available. The Netscreen output stage now uses a default zone if none is specified.
Reads policy and logs for:
Checkpoint FW1 (in odumper.csv / logexport format),
Netscreen ScreenOS (in get config / syslog format),
Cisco ASA (show run / syslog format).

360-FAAR uses both inclusive and exclusive CIDR and text filters, letting you split large policies into smaller ones for virtualisation while at the same time removing unused connectivity.

360-FAAR supports policy-to-log association, object translation, rulebase reordering and simplification, rule moves and duplicate matching, all automatically, allowing you to seamlessly move rules to where you need them.

Download 360-FAAR Firewall Analysis Audit And Repair 0.4.1



[360-FAAR] Firewall Analysis Audit And Repair 0.3.6

TRY: 'print' mode. One command, and a spreadsheet for your audit needs!

Features

  • WRITTEN IN SIMPLE Perl - NEEDS ONLY STANDARD MODULES - IS ONE FILE
  • Easy to edit, menu-driven text interface
  • Capable of manipulating tens of thousands of rules, objects and groups
  • Handles infinitely deep groups
  • Capable of CIDR filtering connectivity in/out of policy rulebases
  • Capable of merging rulebases
  • Identifies existing connectivity in rulebases and policies
  • Automatically performs cleanup if a log file is provided
  • Keeps DR connectivity via any text or IP tag
  • Encryption rules can be added during policy moves to remove the "merge from" rules for traffic that would be encrypted by the time it reached the firewall on which the "merge to" policy is to be installed - sounds complicated but it's not in practice - appropriate IKE and ESP rules should be added manually
  • Runs consistency checks on its own objects and rule definitions
  • Extendable via a simple elsif in the user interaction loop section

EASY TO EXECUTE:

./360-faar.pl <FW CONFIG TYPE> <log> <config> <nats> <FW CONFIG TYPE> <log> <config> <nats> <FW CONFIG TYPE> <log> <config> <nats>

CONFIG TYPES (cisco soon!):
  • od = logexported logs, object dumper format config, fwdoc format NAT rules csv
  • ns = syslog format logs, screenos6 format config; NATs are included in the policy but not fully processed yet, fwdoc format NATs can be used though
  • cs = cisco asa syslog file, cisco ASA format config - not ready yet

OUTPUT TYPES:
  • od = outputs an odumper/ofiller format config to file, and prints the dbedit for the rulebase creation to screen
  • ns = outputs netscreen screenos6 objects and policies (requires a netscreen config or zone info)
  • cs = cisco asa format config - not ready yet

By default 360-FAAR accepts exactly 3 configs on the command line. Make an empty file called "fake" and use it as the file name for log, config and nats if you want to process fewer than 3 configs at once. Log file headers in fw1 logexported logs are found automatically, so many files can be cat'ed together.

FURTHER PROCESSING AND MANUAL EDITING:
  • Output odumper/ofiller format files and make them more readable (watch out for spaces in names) using the numberrules helper script
  • Edit these csv's in OpenOffice or Excel using any of the object or group definitions from the three loaded configs
  • You can then use this file as a template to translate to many different firewalls using the 'bldobjs' mode
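The policy-to-log association, automatic cleanup, duplicate matching and CIDR filtering described for 360-FAAR can be illustrated on a small policy. The following Python is an added example, not 360-FAAR's code, and unlike 360-FAAR it reads no vendor formats: it applies top-down first-match semantics to a constructed rulebase, counts log hits per rule, reports rules that never matched any logged connection, finds rules fully shadowed by an earlier rule (the clearest form of duplicate), applies an inclusive CIDR filter, and combines these into a cleanup recommendation. The rulebase, log entries, rule names and function names are all constructed for the example.

```python
import ipaddress
from collections import Counter

ANY = "any"


def net(text):
    return ipaddress.ip_network("0.0.0.0/0" if text == ANY else text, strict=False)


def make_rule(name, src, dst, service, action):
    """One rule: CIDR source/destination, a set of 'proto/port' services or 'any'."""
    services = ANY if service == ANY else frozenset(service.split(","))
    return {"name": name, "src": net(src), "dst": net(dst), "service": services, "action": action}


# Constructed rulebase; top-down, first match wins (rule names are this example's own)
RULES = [
    make_rule("web-in",     "any",         "198.51.100.0/24",  "tcp/80,tcp/443", "accept"),
    make_rule("dns-out",    "10.0.0.0/8",  "any",              "udp/53",         "accept"),
    make_rule("admin-ssh",  "10.1.1.0/24", "198.51.100.0/24",  "tcp/22",         "accept"),
    make_rule("dup-web",    "10.0.0.0/8",  "198.51.100.10/32", "tcp/80",         "accept"),
    make_rule("legacy-ftp", "10.2.0.0/16", "198.51.100.20/32", "tcp/21",         "accept"),
    make_rule("cleanup",    "any",         "any",              "any",            "drop"),
]

# Constructed log entries as (src, dst, service), already normalised from the firewall log
LOGS = [
    ("203.0.113.5", "198.51.100.10", "tcp/443"),
    ("10.1.1.7",    "198.51.100.10", "tcp/22"),
    ("10.3.4.5",    "8.8.8.8",       "udp/53"),
    ("10.1.1.7",    "198.51.100.10", "tcp/80"),
    ("10.9.9.9",    "198.51.100.30", "tcp/445"),
]


def matches(rule, src, dst, service):
    return (ipaddress.ip_address(src) in rule["src"]
            and ipaddress.ip_address(dst) in rule["dst"]
            and (rule["service"] == ANY or service in rule["service"]))


def first_match(rules, src, dst, service):
    """Name of the rule that handles this connection under first-match semantics."""
    for rule in rules:
        if matches(rule, src, dst, service):
            return rule["name"]
    return None


def associate_logs(rules, logs):
    """Policy-to-log association: how many logged connections each rule handled."""
    return Counter(first_match(rules, *entry) for entry in logs)


def unused_rules(rules, logs):
    hits = associate_logs(rules, logs)
    return [r["name"] for r in rules if hits[r["name"]] == 0]


def covers(earlier, later):
    """True if every connection matching `later` is already matched by `earlier`."""
    svc_ok = earlier["service"] == ANY or (
        later["service"] != ANY and later["service"] <= earlier["service"])
    return (later["src"].subnet_of(earlier["src"])
            and later["dst"].subnet_of(earlier["dst"]) and svc_ok)


def shadowed_rules(rules):
    """Rules that can never fire because an earlier rule covers them completely."""
    return [r["name"] for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]


def cidr_filter(rules, keep):
    """Inclusive CIDR filter: rules whose source or destination overlaps `keep`."""
    k = net(keep)
    return [r["name"] for r in rules if r["src"].overlaps(k) or r["dst"].overlaps(k)]


def audit(rules, logs):
    """Cleanup recommendation: shadowed + unused is dead; unused alone needs a human look."""
    shadowed = set(shadowed_rules(rules))
    unused = set(unused_rules(rules, logs))
    return {"delete": sorted(shadowed & unused), "review": sorted(unused - shadowed)}
```

The "review" bucket is where the DR-connectivity caveat from the feature list applies: a rule with no hits in the log window is not necessarily dead (standby links, quarterly jobs), which is why 360-FAAR lets you protect such rules with a text or IP tag rather than deleting everything unused. Note also that shadowing ignores the action: an earlier drop that fully covers a later accept still makes the accept unreachable, and that is usually a policy bug rather than a duplicate.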

