halon power point

Next Generation Routers and Security Concept or Virtual Reality

Upload: denise-mangold

Post on 31-Jan-2016


Page 1: Halon Power Point

Next Generation Routers and Security
Concept or Virtual Reality

Page 2: Halon Power Point

Halon Security Router
- The security router is a network operating system and software distribution based on OpenBSD.
- The routing platform was created with the intention of replacing proprietary systems such as Cisco and Juniper.
- The security router enables UNIX root access.
- The system is a mix of open source and closed back-end source.
- The security router has a web GUI for administration.

Page 3: Halon Power Point

Halon’s claim to fame!
- Halon states their system is capable of clustering, load balancing, firewall and VPN in the same product.
- Offers both software/virtual and hardware solutions.
- Open source with patches (web, LCD), except the back-end processes, which are closed source.
- Revision-managed single config file with soft reconfigure.
- Open SOAP and REST APIs control the system.
- Their product is secure (or so they say).

Page 4: Halon Power Point

VPN
Halon’s VPN supports the following:
- Manual key IPsec
- IKE for auto key IPsec
- L2TP and PPTP VPN server
- DNS with support via DHCP inform
- RADIUS support
- GRE, IPIP and Ethernet tunnels
- High availability using SA synchronization

Page 5: Halon Power Point

Routing
- BGP with IPv6 support, TCP-MD5 and VPN extended communities
- OSPF and OSPFv3 (IPv6)
- Multi-path routing
- VRF using routing domains
- Policy routing

Page 6: Halon Power Point

Halon (VirtualBox) Configuration
- A VSR image was downloaded from the vendor’s web site. I used the vmdx 32 bit image.
- The VirtualBox configuration is the following:
- 1 CPU
- 4 GB of RAM
- 20 GB of hard drive space
- PAE enabled CPU

Page 7: Halon Power Point

Getting a functioning Router
- The Halon was installed on VirtualBox; my Verizon router was used as the default gateway for configuring the router.
- In the network settings use the bridged network setting.
- Getting the Web UI working required changing files on the UNIX system:
    # cd /var/www/logs
    # vi resolv.conf
  and change the IP to the IP address assigned to the virtual machine.
- By default the system tries to obtain an IP address via DHCP.

Page 8: Halon Power Point
Page 9: Halon Power Point

Basic Security Checks on the UNIX side (issues)
- Deleted the passwd file.
- Man pages are not installed.
- System files were able to be edited.
- Allowed root login via ssh out of the box.
- Files were able to be edited such as passwd, sudoers, rc.
- I can log directly onto the system via root user.
- sshd_config editing both good and bad
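The root-login finding above can be checked mechanically. The script below is an added example, not part of the original slides or Halon's own tooling; it reads the global PermitRootLogin value from an sshd_config, and the sample config and its temporary path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the slides): audit the global PermitRootLogin value.
# sshd_config rules relied on here: keywords are case-insensitive, the first
# occurrence of a keyword wins, "Keyword=value" is accepted, and anything
# after a "Match" line applies only to matching connections.

root_login_setting() {
    # $1 = path to an sshd_config; prints the global value, or "unset"
    awk '
        { sub(/=/, " ") }                       # normalise Keyword=value
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == "permitrootlogin" {      # first occurrence wins
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

audit_root_login() {
    value=$(root_login_setting "$1")
    case "$value" in
        no)    echo "PASS: PermitRootLogin no" ;;
        yes)   echo "FAIL: PermitRootLogin yes (direct root login allowed)" ;;
        unset) echo "WARN: PermitRootLogin not set globally; compiled-in default applies" ;;
        *)     echo "WARN: PermitRootLogin $value (review: root login not fully disabled)" ;;
    esac
}

# Constructed sample config; the path is a temporary file, not the appliance's.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# PermitRootLogin no
Port 22
permitrootlogin yes
PermitRootLogin no
Match Address 192.0.2.0/24
    PermitRootLogin no
EOF
audit_root_login "$sample"
rm -f "$sample"
```

On a live system, `sshd -T` prints the effective configuration after defaults are applied, which is the authoritative answer where it is available.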

Page 10: Halon Power Point
Page 11: Halon Power Point

UNIX Security and Recovery
- Top level directories are read only.
- Deletion of crucial files such as passwd is self-healing.
- Does NOT render the system unusable.

Page 12: Halon Power Point

Router Features
- Network IP addressing and DHCP (I assigned static IP addresses)
- Firewalling (will go into this more)
- IPv6 (did not test)
- Routing domains (very little testing)
- BGP and OSPF (Border Gateway Protocol and Open Shortest Path First)
- VPN (couldn’t test as this is a closed home network)
- PPTP/L2TP server
- EtherIP (layer 2) tunnels
- IPsec
- Load balancing and failover

Page 13: Halon Power Point

Web GUI
- One of the selling points of newer routers is ease of use. Halon accomplishes this with their intuitive web GUI.
- Not a lot of networking experience needed to administer the system
- Intuitive UI, with help via the use of the tools. Gives ports and protocols

Page 14: Halon Power Point
Page 15: Halon Power Point
Page 16: Halon Power Point

GUI network configuration
- The network can be configured from the web GUI.
- Services such as firewall, DHCP server, DNS, VPN, load balancer and IPsec can be configured from the network tab.
- Diagnostics
- Configuration
- Reboot feature, requiring less than 1 minute downtime.

Page 17: Halon Power Point

Firewalling

Page 18: Halon Power Point

Clustering

Page 19: Halon Power Point

IPSec

Page 20: Halon Power Point

VPN

Page 21: Halon Power Point

Terminal through GUI

Page 22: Halon Power Point

Conclusion
- The Halon is a capable router/firewall appliance.
- The clustering / load balancing are invaluable for maximum uptime.
- The interface is intuitive and does not require advanced knowledge of networking to configure and have a functional router.
- If I were to deploy this in an enterprise network, I would recommend using a hybrid of traditional hardware routers, and use the virtual appliances for network segmenting.

Page 23: Halon Power Point

Q and A
Denise’s Presentation