IPCop defines up to four network interfaces, RED, GREEN, BLUE and ORANGE.
This network is the Internet or other untrusted network. IPCop's primary purpose is to protect the GREEN, BLUE and ORANGE networks and their computers from traffic originating on the RED network. Your current connection method and hardware are used to connect to this network.
This interface only connects to the computer(s) that IPCop is protecting. It is presumed to be local. Traffic to it is routed through an Ethernet NIC on the IPCop computer firewall.
This optional network allows you to place wireless devices on a separate network. Computers on this network cannot get to the GREEN network except through tightly controlled “pinholes”, or via a VPN. Traffic to this network is routed through an Ethernet NIC.
This optional network allows you to place publicly accessible servers on a separate network. Computers on this network cannot get to the GREEN or BLUE networks, except through tightly controlled “DMZ pinholes”. Traffic to this network is routed through an Ethernet NIC.
Your firewall will need at least 1 Ethernet cable and network interface card (NIC). It may need up to 4 NICs, depending on the network configuration you choose and your connection to the Internet.
All NICs must be different physical cards (or their equivalent if you have multiport cards).
Ignoring for a moment the RED network, you will have to plug a separate Ethernet NIC and cable into your firewall for each of the GREEN, BLUE and/or ORANGE networks. The GREEN and RED networks are required. The ORANGE and BLUE networks are optional. The interface requirements for your RED network will vary depending on your connection to the Internet. The RED network may require an additional Ethernet card and cable.
The RED, ORANGE, BLUE, GREEN diagram shows that, other than the RED net, each of the networks needs an Ethernet card. If you are currently using an Ethernet connection to the Internet, you will need a card for it, too. The networks must have different network addresses.
Remember, the BLUE and ORANGE networks are optional.
Table 1.1. NIC Requirements
Connection | Modem | ISDN | USB ADSL | Ethernet |
---|---|---|---|---|
RED, GREEN | 1 NIC (G) | 1 NIC (G) | 1 NIC (G) | 2 NICs (G,R) |
RED, BLUE, GREEN | 2 NICs (B,G) | 2 NICs (B,G) | 2 NICs (B,G) | 3 NICs (B,G,R) |
RED, ORANGE, GREEN | 2 NICs (O,G) | 2 NICs (O,G) | 2 NICs (O,G) | 3 NICs (O,G,R) |
RED, ORANGE, BLUE, GREEN | 3 NICs (O,B,G) | 3 NICs (O,B,G) | 3 NICs (O,B,G) | 4 NICs (O,B,G,R) |
The security model of IPCop is that the GREEN network is fully trusted: any requests from this network, whether initiated by a user or by a machine infected with a virus, Trojan horse or other “malware”, are treated as legitimate and allowed by IPCop.
A new feature of IPCop 1.4.0 allows the Intrusion Detection System to be enabled for each network interface. It is always a good idea to glance at the IDS logs for your internal networks to see if a machine on your network is behaving strangely. This may indicate a virus infection.
In order of increasing trust, the networks are:
RED → ORANGE → BLUE → GREEN
The base configuration is RED/GREEN where IPCop protects a single internal network from the Internet. If you have a wireless access point then you can attach it to the BLUE NIC and configure IPCop to restrict the access of machines on your wireless LAN. If you have some servers that need to be accessible to the Internet you can place them in an untrusted DMZ attached to the ORANGE NIC. You should decide which combination you want for your site.
Since the RED interface can connect either by modem or by Ethernet, there are eight Network Configuration Types:
GREEN (RED is modem/ISDN)
GREEN + RED (RED is Ethernet)
GREEN + ORANGE + RED (RED is Ethernet)
GREEN + ORANGE (RED is modem/ISDN)
GREEN + BLUE + RED (RED is Ethernet)
GREEN + BLUE (RED is modem/ISDN)
GREEN + BLUE + ORANGE + RED (RED is Ethernet)
GREEN + BLUE + ORANGE (RED is modem/ISDN)
How are you currently connecting to the Internet?
If you are connected through an external broadband modem or router, you probably will be connected via an Ethernet network interface card or NIC. In any case, a similar card must be in your IPCop PC. If you are connected via an internal analog modem, ISDN modem, or ADSL USB modem, this must be moved to the IPCop PC. If you are connected via an external dial up modem, you will have to connect it to your IPCop PC.
This hardware will be used for your RED network interface.
Write down some key parameters from your current interface.
Check how you are currently obtaining your IP address: static, DHCP, PPPoE or PPTP.
If you obtain your IP address via DHCP, check to see if your system has a hostname it is providing to your ISP's DHCP server, see Checking Your DHCP Host Name, below.
Check what your name servers' addresses are. Your ISP's DHCP server may provide the addresses automatically or you may need to enter them manually.
Note any default sub domain addresses specified. These allow you to specify hosts like mail or news without entering the full host name, see the discussion in DHCP setup, below.
If you don't know if your ISP requires a host name, or you don't know what it is, check the paperwork that came with your ISP's installation kit or call their support center for help. If that fails, enter:
$ ifconfig -a
on a *nix platform, and look at your eth0 IP address. On Windows 95, 98, ME, etc. the command is
C:\> winipcfg
entered from the command prompt. On Windows NT and Windows 2000, the command is
C:\> ipconfig /all
In any case, write down your IP address and then issue an
$ nslookup nnn.nnn.nnn.nnn
command, where nnn.nnn.nnn.nnn is your IP address. If you get a response, write down the full host name you receive. The first part may be your DHCP hostname; the last part may be used to configure IPCop's DHCP server.
Decide what your GREEN or local network address range will be. This is not the IP address provided by your ISP. Addresses on this interface will never appear on the Internet. IPCop uses a technique called Port Address Translation, PAT, to hide your GREEN machines from outside eyes. To make sure there are no IP address conflicts, it is suggested that you choose one of the address ranges defined in RFC1918 as private (non-routable) addresses. There are over 65,000 of these network address ranges you can choose from. For a list of available network address ranges, please see Appendix A. The easiest network to pick is the 192.168.1.xxx network. This will allow IPCop to handle over 250 computers. Typically routers and firewalls are placed at the top or bottom of the address range, so we suggest that you pick 192.168.1.1 for your GREEN network interface. IPCop will automatically set your network mask based on your IP address, but you can modify it, if you need to.
If you will be using BLUE and/or ORANGE networks pick different network addresses for each of them. For example, BLUE might be 192.168.2.xxx and ORANGE might be 192.168.3.xxx. This will allow over 250 computers on each network.
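The planning rules above (pick RFC1918 ranges, give GREEN, BLUE and ORANGE different network addresses, let the classful default mask follow the first octet, put the firewall at .1) are easy to get wrong on paper. The following Python script is an added example, not part of the IPCop documentation or code: it takes the interface addresses you intend to type into the installer, derives the default mask the way a classful lookup would (an assumption about how IPCop pre-fills it; the real installer lets you edit the value), and reports any range that is not private, any interface sitting on a network or broadcast address, and any pair of networks that overlap. The sample addresses at the bottom are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges the page recommends choosing from.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def classful_mask(ip):
    """Default netmask from the first octet (classful A/B/C rule).
    Assumed to match how the installer pre-fills the mask; editable there."""
    first = int(ipaddress.ip_address(ip)) >> 24
    if first < 128:
        return "255.0.0.0"
    if first < 192:
        return "255.255.0.0"
    return "255.255.255.0"


def is_private(net):
    return any(net.subnet_of(r) for r in RFC1918)


def plan_networks(interfaces):
    """interfaces: dict of colour -> (interface IP, netmask or None).
    Returns (problems, summary) where summary maps colour ->
    (network in CIDR form, number of usable host addresses)."""
    problems = []
    nets = {}
    for name, (ip, mask) in interfaces.items():
        mask = mask or classful_mask(ip)
        iface = ipaddress.ip_interface(f"{ip}/{mask}")
        net = iface.network
        if not is_private(net):
            problems.append(f"{name}: {net} is not an RFC 1918 private range")
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {ip} is the network or broadcast address")
        nets[name] = net
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    summary = {n: (str(nets[n]), nets[n].num_addresses - 2) for n in names}
    return problems, summary


if __name__ == "__main__":
    # Constructed example following the page's suggestion: GREEN 192.168.1.x,
    # BLUE 192.168.2.x, ORANGE 192.168.3.x, firewall at .1, default masks.
    plan = {
        "GREEN": ("192.168.1.1", None),
        "BLUE": ("192.168.2.1", None),
        "ORANGE": ("192.168.3.1", None),
    }
    problems, summary = plan_networks(plan)
    for colour, (net, hosts) in summary.items():
        print(f"{colour:7} {net:18} {hosts} usable hosts")
    for p in problems:
        print("PROBLEM:", p)
```

Run it before the install and fix every PROBLEM line; a mistyped BLUE address such as 192.168.1.129 would be flagged as overlapping GREEN, which is exactly the conflict the page warns about.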