Open Source Network Access Control: PacketFence

Posted in Tools

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, integration with IDSs and vulnerability scanners; PacketFence can be used to effectively secure networks – from small to very large heterogeneous networks.

Free and Open Source Network Access Control

Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, and layer-2 isolation of problematic devices, PacketFence can be used to effectively secure networks ranging from small to very large heterogeneous networks.


Among the different markets are:

  • banks
  • colleges and universities
  • engineering companies
  • convention and exhibition centers
  • hospitals and medical centers
  • hotels
  • manufacturing businesses
  • school boards (K-12)
  • telecommunications companies

Features:

  • Out of band Deployment

    PacketFence’s operation is completely out-of-band, which allows the solution to scale geographically and to be more resilient to failures. When using the right technology (like port security), a single PacketFence server can be used to secure hundreds of switches and the many thousands of nodes connected to them.

  • Inline Deployment

    While out-of-band is the preferred way of deploying PacketFence, an inline mode is also supported for unmanageable wired or wireless equipment. Deploying PacketFence using the inline mode can also be accomplished in minutes! Note also that the inline mode can coexist very well together with an out-of-band deployment.

  • 802.1X Support

    Wireless and wired 802.1X is supported through a FreeRADIUS module which is included in PacketFence.

  • Voice over IP support

    Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous environments) for multiple switch vendors (Cisco, Edge-Core, HP, LinkSys, Nortel Networks and many more).

  • Wireless integration

    PacketFence integrates perfectly with wireless networks through a FreeRADIUS module. This allows you to secure your wired and wireless networks the same way, using the same user database and the same captive portal, providing a consistent user experience. Mixing access point (AP) vendors and wireless controllers is supported.

  • Registration of Devices

    PacketFence supports an optional registration mechanism similar to “captive portal” solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it.

  • Detection of abnormal network activities

    Abnormal network activities (computer viruses, worms, spyware, traffic denied by establishment policy, etc.) can be detected using local and remote Snort, Suricata or commercial sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.

  • Proactive vulnerability scans

    Nessus or OpenVAS vulnerability scans can be performed upon registration, on a schedule, or on an ad-hoc basis. PacketFence correlates the Nessus/OpenVAS vulnerability IDs of each scan to the violation configuration, returning content-specific web pages about which vulnerability the host may have.

  • Statement of Health

    While doing an 802.1X user authentication, PacketFence can perform a complete posture assessment of the connecting device using the TNC Statement of Health protocol. For example, PacketFence can verify whether an antivirus is installed and up-to-date, whether all operating system patches are applied, and much more – all without any agent installed on the endpoint device!

  • Remediation through a captive portal

    Once trapped, all network traffic is terminated by the PacketFence system. Based on the node's current status (unregistered, open violation, etc.), the user is redirected to the appropriate URL. In the case of a violation, the user is presented with instructions for the particular situation he/she is in, reducing costly help desk intervention.

  • Isolation of problematic devices

    PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.

  • Command-line and Web-based management

    Both web-based and command-line interfaces are provided for all management tasks. Web-based administration supports different permission levels for users and authentication of users against LDAP or Microsoft Active Directory.


PacketFence reuses many components already present in an infrastructure. Thus, it requires the following ones:

  • Database server (MySQL or MariaDB)
  • Webserver (Apache)
  • DHCP server (ISC DHCP)
  • RADIUS server (FreeRADIUS)

Depending on your setup you may have to install additional components like:

  • NIDS (Snort/Suricata)

Minimum Hardware Requirements

The following provides a list of the minimum server hardware recommendations:

  • Intel or AMD CPU 3GHz
  • 8 GB of RAM
  • 100 GB of disk space (RAID-1 recommended)
  • 1 Network card (2 recommended)

Operating System Requirements

PacketFence supports the following operating systems on the x86_64 architectures:

  • RedHat Enterprise Linux 6.x Server
  • Community ENTerprise Operating System (CentOS) 6.x
  • Debian 7.0 (Wheezy)
  • Ubuntu 12.04 LTS (Precise Pangolin)

Make sure that you can install additional packages from your standard distribution.

Other distributions such as Fedora and Gentoo are also known to work.

OS Installation

Install your distribution with a minimal installation and no additional packages.
Then:

  • Disable Firewall
  • Disable SELinux
  • Disable AppArmor
  • Disable resolvconf

Make sure your system is up to date and your apt-get database is updated.

apt-get update
apt-get upgrade

Regarding SELinux or AppArmor, even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled. You will need to explicitly disable SELinux in the /etc/selinux/config file and AppArmor with update-rc.d -f apparmor stop, update-rc.d -f apparmor teardown and update-rc.d -f apparmor remove. Regarding resolvconf, you can remove the symlink to that file and simply create the /etc/resolv.conf file with the content you want.

All the PacketFence dependencies are available through the official repositories, but you must enable the non-free repository:

For non-free, edit the file /etc/apt/sources.list and add non-free:

deb http://debian.mirror.iweb.ca/debian/ wheezy main non-free

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list

Once the repository is defined, you can install PacketFence with all its dependencies and the required external services (database server, DHCP server, RADIUS server) using:

sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
sudo apt-get update
sudo apt-get install packetfence
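As an added example (not from this page or from the PacketFence project), the following POSIX shell script bundles the OS preparation steps above into a preflight check that reports whether SELinux, AppArmor and resolvconf are still active on the host, and builds the two apt source lines from the instructions so they can be reviewed before being written. The function names, the sysfs path /sys/module/apparmor/parameters/enabled, and the PF_PREFLIGHT_MAIN variable are my assumptions; the mirror and repository URLs are the ones given above. Every check takes an optional path argument so it can be exercised against test files instead of the live system.

```shell
#!/bin/sh
# Added example, not PacketFence project code: preflight checks for the
# OS preparation steps (SELinux, AppArmor, resolvconf) plus helpers that
# build the apt repository lines from the install instructions.

# Print the SELINUX= mode from an /etc/selinux/config style file:
# "disabled", "enforcing", "permissive", or "absent" when unreadable.
pf_selinux_mode() {
    cfg="${1:-/etc/selinux/config}"
    [ -r "$cfg" ] || { echo absent; return 0; }
    mode=$(sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
    echo "${mode:-absent}"
}

# AppArmor exposes "Y" in this sysfs file when loaded and enabled
# (assumed path; returns 0 only when AppArmor is active).
pf_apparmor_enabled() {
    f="${1:-/sys/module/apparmor/parameters/enabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]
}

# resolvconf manages /etc/resolv.conf through a symlink; the instructions
# say to remove that symlink and write a plain file. Returns 0 if symlink.
pf_resolvconf_managed() {
    [ -L "${1:-/etc/resolv.conf}" ]
}

# Debian main + non-free source line for a given mirror and suite.
pf_debian_source_line() {
    echo "deb $1 $2 main non-free"
}

# PacketFence repository line; the suite name doubles as the component,
# exactly as in the echo command from the instructions.
pf_packetfence_source_line() {
    suite="${1:-wheezy}"
    echo "deb http://inverse.ca/downloads/PacketFence/debian $suite $suite"
}

# Run all checks; the return code is the number of findings (0 = ready).
pf_preflight() {
    findings=0
    case "$(pf_selinux_mode "$1")" in
        disabled|absent) echo "ok   SELinux is not enabled" ;;
        *) echo "FAIL set SELINUX=disabled in ${1:-/etc/selinux/config}"
           findings=$((findings+1)) ;;
    esac
    if pf_apparmor_enabled "$2"; then
        echo "FAIL AppArmor is loaded; stop and remove it before installing"
        findings=$((findings+1))
    else
        echo "ok   AppArmor is not enabled"
    fi
    if pf_resolvconf_managed "$3"; then
        echo "FAIL ${3:-/etc/resolv.conf} is a resolvconf symlink; replace it with a plain file"
        findings=$((findings+1))
    else
        echo "ok   resolv.conf is a plain file"
    fi
    return "$findings"
}

# Usage on the target host as root:  PF_PREFLIGHT_MAIN=1 sh pf-preflight.sh
# Only proceed to "apt-get install packetfence" when it reports no findings.
if [ "${PF_PREFLIGHT_MAIN:-0}" = "1" ]; then
    pf_preflight && echo "host is ready for: apt-get install packetfence"
fi
```

The checks are read-only on purpose: the script tells you what still has to be changed rather than disabling security controls itself, so the decision to turn off SELinux or AppArmor on a given host stays with the administrator and is visible in the output.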


Source: CyberPunk
