INE 2810 Mission 4

Version 1.3

Mission outlines

  1. Configure your router and firewall so that hosts in your internal network can reach the hosts in DMZ
  2. Set up a CA server in your internal network
  3. Set up an SSL web server in your DMZ
  4. Configure your firewall to restrict access to your internal network
 

Task 1: Configure your router and firewall so that hosts in your internal network can reach the hosts in DMZ

  1. Configure your router such that traffic to your internal network is routed to your firewall.
     E.g.
     ip route 172.18.10.0 255.255.255.0 10.32.64.

  2. Configure your firewall such that hosts in your private network can reach hosts in the DMZ by IP masquerade. Traffic bound for the DMZ itself is excluded from masquerading, so DMZ hosts see the real internal source address and reply via the static route from step 1. Make sure IP forwarding is enabled on the firewall (echo 1 > /proc/sys/net/ipv4/ip_forward), otherwise nothing is forwarded at all.
     E.g.
     iptables -t nat -A POSTROUTING -o eth0 ! -d 10.32.64.0/24 -j MASQUERADE
     (Older iptables releases wrote the negation as "-d ! 10.32.64.0/24"; newer ones warn about or reject that form.)

Task 2: Set up a CA server in your internal network


  1. Choose one of the hosts in your internal network as the CA server. On this host, download the CA package from http://www.modssl.org/contrib/ftp/contrib/ssl.ca-0.1.tar.gz using lynx.

  2. Use this CA package to generate your CA key pair and CA certificate. Keep the CA private key on this host only: anyone holding it can issue certificates that your web server will accept.

  3. Generate a web site server key pair and certificate for your branch office and sign it with your CA private key.

  4. Generate a user key pair and certificate for your branch office and sign it with your CA private key. Then pack the user key, the user certificate and the CA certificate into a PKCS#12 (.p12) file so that the user can import the key into a browser.

  5. Generate another user key pair and certificate with the common name CTO and sign it with your CA private key. Then pack it into a .p12 file so that the CTO user can import the key.
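The script below is added here as a worked example of steps 2 to 5; it is not the ssl.ca-0.1 package from the mission and not the lab's own files, and it uses plain openssl commands instead. The organisation name, the server hostname www.branch.example, the user name alice and the PKCS#12 password changeit are assumptions. It issues the server certificate with a subjectAltName (browsers no longer look at the CN for the hostname), marks user certificates clientAuth only so a user's .p12 cannot be re-used as a server certificate, and finishes by checking that every certificate chains to the new CA.

```shell
#!/bin/sh
# Added example (not the ssl.ca-0.1 package): a branch-office PKI built with plain openssl.
# Assumed names: the organisation, the hostname www.branch.example, the user "alice" and
# the PKCS#12 password "changeit".  Run as:  sh branch-pki.sh /path/to/output-dir
set -eu

ORG="INE 2810 Branch Office"
SERVER_FQDN="www.branch.example"
P12_PASS="changeit"

# make_ca DIR : self-signed CA key pair and certificate (10 years).
# -nodes leaves the CA key unencrypted so the script can run unattended; for a real CA
# drop it, keep the key passphrase-protected, and never copy it off the CA host.
make_ca() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/C=HK/O=$ORG/CN=$ORG CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"
}

# issue DIR NAME CN KIND : key pair + CSR for NAME, signed by the CA (1 year).
# KIND is "server" (adds a SAN and serverAuth) or "client" (clientAuth only).
issue() {
    dir=$1; name=$2; cn=$3; kind=$4
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=HK/O=$ORG/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    if [ "$kind" = server ]; then
        printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$cn" > "$dir/$name.ext"
    else
        printf 'extendedKeyUsage=clientAuth\n' > "$dir/$name.ext"
    fi
    openssl x509 -req -sha256 -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
    chmod 600 "$dir/$name.key"
}

# bundle DIR NAME : PKCS#12 file for browser import (user key + user cert + CA cert).
bundle() {
    dir=$1; name=$2
    openssl pkcs12 -export -name "$name" -in "$dir/$name.crt" -inkey "$dir/$name.key" \
        -certfile "$dir/ca.crt" -passout "pass:$P12_PASS" -out "$dir/$name.p12"
}

# cert_cn FILE : the CN exactly as mod_ssl will see it in SSL_CLIENT_S_DN_CN.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# build_pki DIR : mission steps 2 to 5; fails unless every certificate chains to the CA.
build_pki() {
    dir=$1
    mkdir -p "$dir"
    make_ca "$dir"
    issue "$dir" server "$SERVER_FQDN" server
    issue "$dir" alice  alice client
    issue "$dir" cto    CTO   client
    bundle "$dir" alice
    bundle "$dir" cto
    openssl verify -CAfile "$dir/ca.crt" \
        "$dir/server.crt" "$dir/alice.crt" "$dir/cto.crt" >/dev/null
}

if [ "$#" -ge 1 ]; then
    build_pki "$1"
    echo "PKI written to $1; CTO certificate CN = $(cert_cn "$1/cto.crt")"
fi
```

Only server.crt, server.key and ca.crt go to the web server; the .p12 files go to the two users (with the password sent over a separate channel), and ca.key stays on the CA host. With OpenSSL 3 the .p12 is written with modern algorithms; if a very old browser refuses to import it, re-run the pkcs12 step with the -legacy option.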


Task 3: Set up an SSL Web Server in your DMZ
  1. Choose one of the hosts in your DMZ as your SSL Web Server.

  2. Add the DNS record for this web server on your DNS server. Make sure you reload named after you update the zone file (i.e. /etc/rc.d/init.d/named reload).

  3. Copy the server certificate, the server private key and the CA certificate from your CA server to this web server, e.g. using scp. On the web server the private key should be owned by root with mode 0600; the CA private key must not be copied at all.

  4. Configure the /etc/httpd/conf/httpd.conf file to
    1. include your web site certificate, private key and CA certificate
    2. restrict access to internal information by user certificate authentication:
      1. internal directory: can only be accessed by a user whose certificate is signed by your CA
      2. CTO directory: can only be accessed by a user whose certificate has the common name "CTO" and is signed by your CA

  5. Restart httpd with /etc/rc.d/init.d/httpd restart, then tail /etc/httpd/logs/error_log to check for errors. Running apachectl configtest first catches syntax errors before the restart takes the server down.
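The httpd.conf fragment below is added here as an example of steps 4.1 and 4.2; it is not the tutor's configuration. The directive names are mod_ssl's; the hostname, DocumentRoot and certificate paths are assumptions, while the /internal and /cto directories come from the task. The one setting that makes the CN check meaningful is SSLCACertificateFile pointing at your branch CA alone: if that file also held public CA certificates, anyone able to buy a certificate with CN=CTO from some other CA would get into /cto.

```apache
# Added example (not the tutor's httpd.conf): HTTPS virtual host for the DMZ web server.
# Hostname, DocumentRoot and file paths are assumptions.
Listen 443
<VirtualHost _default_:443>
    ServerName www.branch.example
    DocumentRoot /var/www/html

    SSLEngine on
    # web site certificate and private key (key: root-owned, mode 0600)
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    # ONLY your branch CA goes here; it is the set of issuers trusted for client certs
    SSLCACertificateFile  /etc/httpd/conf/ssl.crt/ca.crt

    # public content: no client certificate asked for
    SSLVerifyClient none

    # 4.2.1 internal directory: any certificate that chains directly to the branch CA
    <Location /internal>
        SSLVerifyClient require
        SSLVerifyDepth  1
    </Location>

    # 4.2.2 CTO directory: same chain check, plus the common name must be "CTO".
    # "require" is what makes the CN trustworthy; SSLRequire on its own would be
    # evaluated against an unverified certificate.
    <Location /cto>
        SSLVerifyClient require
        SSLVerifyDepth  1
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq "CTO"
    </Location>
</VirtualHost>
```

SSLVerifyDepth 1 allows exactly one CA above the user certificate, which matches certificates signed directly by your CA. On Apache 2.4 SSLRequire is deprecated; the equivalent is Require expr "%{SSL_CLIENT_S_DN_CN} == 'CTO'".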


If you are outside the INE Lab, set your browser's security (HTTPS) proxy to proxy.ine.cuhk.edu.hk:8012 to reach your SSL web server.


Task 4: Configure your firewall to restrict access to your internal network

Configure your firewall such that

  1. hosts in the internal network can access any outside host through IP masquerade
  2. only hosts in the DMZ can reach hosts in the internal network; connections from anywhere else to the internal network are dropped
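One way to implement Task 1 step 2 and Task 4 together, added here as an example (it is not the lab's reference configuration): a script that generates the firewall's complete iptables ruleset in iptables-restore format and optionally loads it in one transaction. The addresses are the ones in the mission; the interface names eth0 (router and DMZ side, as in the mission's example rule) and eth1 (internal side) are assumptions. Generating the whole ruleset at once, rather than appending rules one by one, avoids the window where a half-built chain with a default ACCEPT policy is live.

```shell
#!/bin/sh
# Added example (not the lab's reference configuration): the firewall's complete iptables
# ruleset for Task 1 step 2 and Task 4, generated in iptables-restore format.
# Addresses are from the mission; eth0 (router/DMZ side, as in the mission's example rule)
# and eth1 (internal side) are assumed interface names.
#   sh firewall.sh         print the ruleset
#   sh firewall.sh apply   load it atomically and enable forwarding (root)
set -eu

EXT_IF="eth0"
INT_IF="eth1"
INTERNAL="172.18.10.0/24"
DMZ="10.32.64.0/24"

# ruleset : write the iptables-restore file to stdout; nothing is applied here
ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Task 1.2 / 4.1: hide internal addresses behind the firewall on the way out,
# except toward the DMZ, whose hosts reach internal addresses via the router's static route
-A POSTROUTING -s $INTERNAL -o $EXT_IF ! -d $DMZ -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies to connections the firewall already allowed
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Task 4.1: internal hosts may initiate to anywhere (DMZ or outside)
-A FORWARD -i $INT_IF -s $INTERNAL -j ACCEPT
# Task 4.2: only DMZ hosts may initiate into the internal network; a new connection
# arriving on $EXT_IF that claims an internal source address matches no ACCEPT rule
-A FORWARD -i $EXT_IF -s $DMZ -d $INTERNAL -j ACCEPT
# anything else bound for the internal network (i.e. from outside) hits the DROP policy
COMMIT
EOF
}

# apply : load the ruleset in one transaction and switch on forwarding
apply() {
    ruleset | iptables-restore
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-show}" in
    show)  ruleset ;;
    apply) apply ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

The mission asks that DMZ hosts be able to initiate connections into the internal network, and the rule above grants exactly that. Outside the lab you would narrow it to the specific DMZ source hosts and destination ports that need it, since the DMZ is the segment most likely to be compromised first; the firewall's own INPUT chain is left open here because it is outside the scope of the task.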
 

You can view the tutor's example at https://www.cd.delta.ine.cuhk.edu.hk. Make sure you set your browser's security proxy to proxy.ine.cuhk.edu.hk:8012 if you are outside the INE lab.

 

References