CESI: présentation + maquette Vagrant Sécurité entreprise

2018-02-01 17:35:41 +01:00
committed by Benjamin Bohard
parent 1fd175b4c9
commit 708bed3a16
17 changed files with 741 additions and 0 deletions


@ -0,0 +1 @@
/.vagrant


@ -0,0 +1,18 @@
# Intranet Demo
Démonstrateur d'un intranet d'entreprise composé de:
- Un pare-feu
- Un réseau "Comptabilité" avec un poste client Linux
- Un réseau "Développement" avec un poste client Linux
- Un réseau "Services Intranet"
- Un réseau "Services Extranet"
Ce projet utilise [Vagrant](https://www.vagrantup.com/).
## Démarrage
```bash
vagrant plugin install vagrant-reload vagrant-vbguest
vagrant up
```


@ -0,0 +1,63 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
# All Vagrant configuration is done below. The "2" in Vagrant.configure
# configures the configuration version (we support older styles for
# backwards compatibility). Please don't change it unless you know what
# you're doing.
Vagrant.configure("2") do |config|
# The most common configuration options are documented and commented below.
# For a complete reference, please see the online documentation at
# https://docs.vagrantup.com.
config.vbguest.auto_update = false
config.vbguest.no_remote = true
config.vm.provision :shell,
inline: "localectl set-keymap fr"
config.vm.define "firewall" do |firewall|
firewall.vm.box = "ubuntu/xenial64"
firewall.vm.hostname = "firewall"
firewall.vm.network "public_network"
firewall.vm.network "private_network", ip: "192.168.200.254", virtualbox_intnet: "accounting"
firewall.vm.network "private_network", ip: "192.168.201.254", virtualbox_intnet: "developer"
firewall.vm.network "private_network", ip: "192.168.202.254", virtualbox_intnet: "intra-services"
firewall.vm.provision :shell, path: "provisioning/common/disable_predictable_interfaces.sh"
firewall.vm.provision :reload
firewall.vm.provision :shell, path: "provisioning/firewall/configure_dns.sh"
firewall.vm.provision :shell, path: "provisioning/firewall/configure_ip_forwarding.sh"
firewall.vm.provision :shell, path: "provisioning/firewall/configure_firewall_rules.sh"
end
config.vm.define "intranet-portal" do |portal|
portal.vm.box = "ubuntu/xenial64"
portal.vm.hostname = "intranet-portal"
portal.vm.network "private_network", ip: "192.168.202.10", virtualbox_intnet: "intra-services"
portal.vm.provision :shell, :inline => "ip route delete default 2>&1 >/dev/null || true; ip route add default via 192.168.202.254"
end
config.vm.define "workstation1-developer-linux" do |workstation|
workstation.vm.box = "ubuntu/xenial64"
workstation.vm.hostname = "developer-ws1"
workstation.vm.network "private_network", ip: "192.168.201.10", virtualbox_intnet: "developer", auto_config: false
workstation.vm.provision :shell, path: "provisioning/workstation/configure_desktop.sh"
workstation.vm.provision :reload
workstation.vm.provision :shell, path: "provisioning/workstation/configure_network.sh"
end
config.vm.define "workstation1-accounting-linux" do |workstation|
workstation.vm.box = "ubuntu/xenial64"
workstation.vm.hostname = "accounting-ws1"
workstation.vm.network "private_network", ip: "192.168.200.10", virtualbox_intnet: "accounting", auto_config: false
workstation.vm.provision :shell, path: "provisioning/workstation/configure_desktop.sh"
workstation.vm.provision :reload
workstation.vm.provision :shell, path: "provisioning/workstation/configure_network.sh"
end
end
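Review bot: The inline provisioner in the intranet-portal definition has its redirections in the wrong order: `2>&1 >/dev/null` sends stderr to the original stdout and only then silences stdout, so the error from a missing default route is still printed; `ip route delete default >/dev/null 2>&1 || true` is the intended form. The same default-route replacement is done by `provisioning/workstation/configure_network.sh` for the two workstations but inline here; moving it into a script under `provisioning/` would keep the portal consistent with the other guests. Also, `public_network` on the firewall carries no `bridge:` option, so `vagrant up` will prompt for the host interface on hosts with more than one — presumably acceptable for a demo, but worth a one-line comment next to it.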


@ -0,0 +1,5 @@
#!/usr/bin/env bash
sed -i 's/GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="net.ifnames=0"/' /etc/default/grub
update-grub
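Review bot: The sed substitution matches only the exact text `GRUB_CMDLINE_LINUX=""`; if the box's `/etc/default/grub` already carries kernel parameters on that line nothing is changed, `update-grub` still succeeds, and the guest keeps predictable interface names while `firewall.conf` hardcodes `eth1`–`eth4`. Unlike the other provisioning scripts this one has no `set -e`, so no step can fail it. Add a guard after the sed: `grep -q 'net.ifnames=0' /etc/default/grub || { echo 'net.ifnames=0 not set in /etc/default/grub' >&2; exit 1; }`.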


@ -0,0 +1,24 @@
#!/usr/bin/env bash
set -xe
source /vagrant/provisioning/firewall/firewall.conf
apt-get update
apt-get install -y dnsmasq
systemctl stop systemd-resolved
systemctl disable systemd-resolved
cat > /etc/dnsmasq.d/local.conf <<EOF
interface=$DEVELOPER_IFACE
interface=$ACCOUNTING_IFACE
dhcp-range=$DEVELOPER_IFACE,192.168.201.10,192.168.201.100,4h
dhcp-range=$DEVELOPER_IFACE,192.168.200.10,192.168.200.100,4h
EOF
systemctl restart dnsmasq
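Review bot: The second `dhcp-range` line is tagged with `$DEVELOPER_IFACE` but covers 192.168.200.10–100, which is the accounting subnet (`ACCOUNTING_NETWORK` in firewall.conf), so `$ACCOUNTING_IFACE` never gets a range and the accounting workstation's `dhclient` will not be served. Change it to `dhcp-range=$ACCOUNTING_IFACE,192.168.200.10,192.168.200.100,4h`. Since dnsmasq also answers DNS on those interfaces, consider adding `bind-interfaces` so it binds only to the listed interfaces instead of all addresses with a filter, plus `domain-needed` and `bogus-priv` so unqualified names and private reverse lookups are not forwarded upstream.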


@ -0,0 +1,45 @@
#!/usr/bin/env bash
set -xe
source /vagrant/provisioning/firewall/firewall.conf
ufw disable
# Règles de pare-feu/routage
ufw logging on
# Règles par défaut
ufw default deny outgoing
ufw default deny
ufw allow ssh\
comment "ALLOW SSH (IN)"
ufw allow in 53,67,68/udp\
comment "ALLOW DNS + DHCP (IN)"
ufw allow out 53,67,68/udp\
comment "ALLOW DNS + DHCP (OUT)"
# Règles de routage
ufw route allow in on $DEVELOPER_IFACE out on $MGMT_IFACE to any port 80 from $DEVELOPER_NETWORK\
comment "DEVELOPER -> 80 INTERNET"
ufw route allow in on $DEVELOPER_IFACE out on $MGMT_IFACE to any port 443 from $DEVELOPER_NETWORK\
comment "DEVELOPER -> 443 INTERNET"
# On autorise les connexions HTTP(S) vers l'exterieur depuis le réseau "accounting"
ufw route allow in on $ACCOUNTING_IFACE out on $MGMT_IFACE to any port 80 from $ACCOUNTING_NETWORK\
comment "ACCOUNTING -> 80 INTERNET"
ufw route allow in on $ACCOUNTING_IFACE out on $MGMT_IFACE to any port 443 from $ACCOUNTING_NETWORK\
comment "ACCOUNTING -> 443 INTERNET"
# On autorise toutes les connexions vers le réseau "services intranet" depuis le réseau "accounting"
# et le réseau "developer"
ufw route allow in on $ACCOUNTING_IFACE out on $INTRANET_IFACE to any from $ACCOUNTING_NETWORK\
comment "ACCOUNTING -> * SERVICES INTRA"
ufw route allow in on $DEVELOPER_IFACE out on $INTRANET_IFACE to any from $DEVELOPER_NETWORK\
comment "DEVELOPER -> * SERVICES INTRA"
# Application des règles
ufw --force enable
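Review bot: The three host rules (`ufw allow ssh`, `ufw allow in 53,67,68/udp`, `ufw allow out 53,67,68/udp`) are not bound to an interface, so SSH and the DNS/DHCP ports are accepted on every firewall interface, including the bridged `public_network` interface declared in the Vagrantfile; dnsmasq's `interface=` lines happen to limit where it listens, but the firewall policy should not depend on that. Bind them where they are needed: `ufw allow in on $MGMT_IFACE to any port 22 proto tcp comment "ALLOW SSH (IN)"`, `ufw allow in on $DEVELOPER_IFACE to any port 53,67,68 proto udp comment "ALLOW DNS + DHCP (IN)"` and the same line for `$ACCOUNTING_IFACE`, keeping the `out` rule on `$MGMT_IFACE` for upstream DNS. With `default deny outgoing` and no 80/443 rule for the firewall host itself, any later `apt-get` on this guest will fail; either document that as intended or add `ufw allow out on $MGMT_IFACE to any port 80,443 proto tcp`.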


@ -0,0 +1,30 @@
#!/usr/bin/env bash
set -xe
source /vagrant/provisioning/firewall/firewall.conf
# Activation du NAT Forwarding
sed -i 's/^#net\/ipv4\/ip_forward.*$/net\/ipv4\/ip_forward=1/' /etc/ufw/sysctl.conf
sed -i 's/^#net\/ipv6\/conf\/default\/forwarding.*$/net\/ipv6\/conf\/default\/forwarding=1/' /etc/ufw/sysctl.conf
sed -i 's/^#net\/ipv6\/conf\/all\/forwarding.*$/net\/ipv6\/conf\/all\/forwarding=1/' /etc/ufw/sysctl.conf
#sed -i 's/^DEFAULT_FORWARD_POLICY="DROP"$/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
# Ajout des règles de forwarding
TMP_FILE=$(mktemp)
cat > "$TMP_FILE" <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $INTRANET_NETWORK -o $MGMT_IFACE -j MASQUERADE
-A POSTROUTING -s $ACCOUNTING_NETWORK -o $MGMT_IFACE -j MASQUERADE
-A POSTROUTING -s $DEVELOPER_NETWORK -o $MGMT_IFACE -j MASQUERADE
COMMIT
$(cat /etc/ufw/before.rules)
EOF
mv /etc/ufw/before.rules /etc/ufw/before.rules.bak
mv "$TMP_FILE" /etc/ufw/before.rules
rm -f "$TMP_FILE"
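Review bot: The script is not idempotent: each run prepends another `*nat` block to `/etc/ufw/before.rules` and overwrites `before.rules.bak` with the already-modified file, so a second `vagrant provision` leaves duplicate POSTROUTING rules and loses the pristine backup. Guard the rewrite before building the temp file, e.g. `grep -q '^\*nat' /etc/ufw/before.rules && exit 0`. The `rm -f "$TMP_FILE"` after the `mv` is a no-op, and the `mktemp` file is mode 0600, which likely differs from the original file's mode (a `chmod --reference=/etc/ufw/before.rules.bak /etc/ufw/before.rules` would preserve it). The `$INTRANET_NETWORK` MASQUERADE rule has no matching `ufw route` rule in configure_firewall_rules.sh forwarding intranet-services traffic to `$MGMT_IFACE`, so it is currently unreachable — if it is reserved for later, a comment saying so would help.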


@ -0,0 +1,11 @@
IFACES=($(ls /sys/class/net))
MGMT_IFACE="${IFACES[0]}"
PUBLIC_IFACE="eth1"
INTRANET_IFACE="eth4"
DEVELOPER_IFACE="eth3"
ACCOUNTING_IFACE="eth2"
INTRANET_NETWORK="192.168.202.0/24"
DEVELOPER_NETWORK="192.168.201.0/24"
ACCOUNTING_NETWORK="192.168.200.0/24"
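Review bot: The interface assignments deserve a header comment because they encode two hidden dependencies: `MGMT_IFACE` is the alphabetically first entry of `/sys/class/net` (the Vagrant NAT interface only once `net.ifnames=0` has taken effect after the reboot), and `eth2`/`eth3`/`eth4` follow the order of the `private_network` lines in the Vagrantfile (accounting, developer, intra-services). `PUBLIC_IFACE` is defined but not referenced by any script in this commit. Suggested comment at the top: `# Interface order depends on the Vagrantfile network declarations and on net.ifnames=0 (disable_predictable_interfaces.sh); MGMT_IFACE must resolve to the NAT uplink or the NAT/route rules point at the wrong interface.`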


@ -0,0 +1,6 @@
#!/usr/bin/env bash
set -ex
apt-get update
apt-get install -y xubuntu-desktop
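Review bot: `apt-get install -y xubuntu-desktop` runs without `DEBIAN_FRONTEND=noninteractive`; the Vagrant shell provisioner has no TTY, so any debconf prompt raised by the desktop metapackage falls back to defaults with warnings at best and stalls the provisioning run at worst. Prefix the call: `DEBIAN_FRONTEND=noninteractive apt-get install -y xubuntu-desktop`. The same applies to `apt-get install -y dnsmasq` in configure_dns.sh.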


@ -0,0 +1,7 @@
#!/usr/bin/env bash
set -ex
ip route delete default
IFACES=($(ls /sys/class/net))
dhclient -v ${IFACES[1]}