September 23, 2008

Securing your network with PacketFence

Author: Cory Buford

Network access control (NAC) aims to unify endpoint security, system authentication, and security enforcement in a more intelligent network access solution than simple firewalls. NAC ensures that every workstation accessing the network conforms to a security policy and can take remedial actions on workstations if necessary. For example, NACs can check if a workstation has antivirus software installed and, if not, NAC will limit the workstation's access to the network. In some cases, if NAC is capable of remedial measures, it can force-install an antivirus program on the workstation so that it will conform to the security policy. Although NAC can improve the security of your environment, most commercial NACs cost several thousand dollars. However, using NAC does not need to be that expensive. PacketFence, a free open source NAC application, gives you the security of NAC for free.

By using PacketFence, you can be sure that all user workstations connect to your network will comply to your organization's network policy. You can easily restrict P2P services and track who owns a specific MAC address. In brief, PacketFence assures you that only authorized users and workstations have access to the network, and helps you track them.

For any NAC to work effectively, you must have a properly planned network security policy available in advance. You must identify possible sources of vulnerabilities and threats, actions that will be taken when such threats are detected, and ways to prevent unforeseen vulnerabilities and threats from recurring.

PacketFence incorporates components such as Nessus and Snort, for malicious traffic and vulnerability detection, which lets it perform a host of security services. It can automatically detect workstations across the network, isolate non-conforming workstations, and perform remediation through a captive portal by redirecting the non-conforming workstation to a Web page that tells the user how to remove the violation by removing the component causing the violation, adding patches, or employing other methods that might be applicable.

If properly configured, PacketFence can detect vulnerabilities on the fly once a device connects to the network. In addition, if you need to periodically check all workstations connected to the network, you can schedule vulnerability scans to check whether the workstations connected to the network have vulnerabilities, viruses, or other network threats. If a vulnerabiliy is detected that does not conform with the network policy, PacketFence can automatically isolate the workstation. Virtual Local Area Network (VLAN) isolation is a feature of PacketFence that allows it to dynamically change the VLAN membership of a switch port depending on the device connected to the port. By using SNMP traps, PacketFence can read and write/change VLAN membership of specific ports. For example, when a new workstation is connected to a port, PacketFence detects its MAC address. If the MAC address is not yet in the registered workstation database, it will move that specific port to the registration VLAN.

Before you download PacketFence, view the "What are the requirements?" section of the PacketFence FAQ. You can download the latest version, PacketFence 1.7.2, in source or RPM formats. You can also try PacketFence ZEN, a VMware image of CentOS 5.2 in which PacketFence is already installed. ZEN stands for Zero Effort NAC, which is not necessarily the case. If you choose to install PacketFence on an already existing Red Hat Enterprise Linux (RHEL) or CentOS system, you have to separately install all of its required services, including MySQL and Apache. However, if you choose the PacketFence ZEN image, all necessary components, including Apache and MySQL, are already included in the installation -- leaving only the configuration to be completed.

Installation and configuration of PacketFence can be difficult and time-consuming. On my first try, I used the RPM package and tried to install it on a RHEL5 platform. I quickly found out that, if any of the services are installed in a directory different from what is written in the PacketFence configuration files, you will have a problem. A wiki documents the process.

It is much easier to use the PacketFence ZEN version, as all the necessary components come pre-installed. I tested PacketFence using a PowerEdge 2950 with four network interface cards (NIC) and VMware ESX 3.5 installed. The 400MB download extracts to a 1.6GB VMware image. Follow the instructions on the PacketFence site. For PacketFence to be effective, the VLAN isolation feature must be used. The instructions page discusses not only VLAN isolation but the whole process of configuration to make PacketFence work effectively. Since it's based on PacketFence ZEN, the page doesn't discuss the installation process itself. As part of the process you will have to create and edit configuration files to get PacketFence ZEN up and running.

To run PacketFence ZEN, you must allocate at least 512MB of RAM for the virtual machine. To use all of PacketFence's features you will need at least four virtual NICs for the four VLANs (described below), and your network switch must support both VLAN and SNMP traps. You can check the switch compatibility list to see the switches compatible with PacketFence. Be sure to also check the configuration steps necessary for PacketFence to work with your switch. I used a Cisco 2960 switch.


To deploy PacketFence ZEN, just load the image in VMware and configure some virtual machine settings for each of the four VLANs:

  • Regular VLAN is the VLAN in which verified and registered workstations that conform to policy are connected. The workstations connected here have access to the network.
  • Registration VLAN is the VLAN in which unregistered workstations are connected. Unregistered workstations are redirected to a registration page. By default, unregistered workstations won't have access to the network. If you try to run any network protocol on an unregistered device, your traffic will be limited to devices inside the registration VLAN. You must open the registration page to register the workstation or ask the administrator to register the workstation from within the management console.
  • Isolation VLAN is the VLAN into which registered workstations that violate the policy are put. As the name suggests, the workstations in this VLAN are isolated and have no access to the network unless the violation is resolved.
  • MAC detection VLAN is the VLAN into which newly connected workstations are put. The only purpose of this VLAN is for PacketFence to immediately acquire the MAC address of the workstation. Then, the workstation will be included as an unregistered device and be placed on the registration VLAN.

I used one switch port for each of four VLANs and set the switch configuration to have four ports -- one for each of the four VLANs (regular, registration, isolation, MAC detection). If your switch is not configured to use 802.1q trunking, each of the ports needs to connect to the corresponding NIC of the PacketFence server. With the virtual machine image having one virtual NIC as its default, you will have to add three virtual NICs and bind them to the remaining three physical NICs which connect to the corresponding switch ports. However, by enabling 802.1q trunking on a switch port, you will only need one NIC for the PacketFence server, since it will allow the port to be a member of all four VLANs, though you will still need four virtual NICs that bridge to one physical NIC.

Once you have everything configured to your liking, start the virtual machine and let it boot until it reaches the login prompt. Unlike some other virtual machine appliances, PacketFence ZEN does not automatically start its services on the first run -- you have to configure it before you run its services. Log in and follow the instructions using your own parameters for IP addresses, hostname, and so on.

You must set up all four VLANs and configure the switch before you configure PacketFence. Start by assigning the right IP address for each NIC to handle the individual VLANs, then run the PacketFence configuration script using the command / When asked for the PacketFence template, choose PacketFence ZEN with VLAN isolation (8). Proceed through the subsequent steps, which will ask for information such as IP address, hostname, and Domain Name Server (DNS), then add and edit configuration files for the necessary services such as bind (DNS) and Dynamic Host Configuration Protocol (DHCP). Once you have completed that process, you can start the PacketFence service using the command service PacketFence start. Hint: On RHEL, Fedora, CentOS, or openSUSE environments, you can use chkconfig PacketFence on to put PacketFence in your startup. By using chkconfig, you can include the PacketFence service to start on a specific runlevel. On Debian systems, update-rc.d is the equivalent of chkconfig. You can then access the Web management interface from a browser at https://managementIPaddress:1443.

I encountered some issues during the initial configuration. The exact location of the directory in which the file resides is not stated in the PacketFence ZEN instructions, though there is a hint on the instruction site that the directory is named pf. Many of the configuration files reside in /usr/local/pf, and this is where resides, but if you do not take time to read the whole page, you may not find the exact directory.

I had another issue with the configuration of the BIND files. The steps indicated on the site produced an "rndc: no key definition for name rndc.key" error and the startup of the bind service failed because of issues with the rndc.key that was being used by BIND. To fix the issue, you need to recreate the key and set the proper permission.

I browsed the PacketFence documentation but did not find any mention of the default username and password for Web administration. Frustrated, I initiated the / command to do a reinstallation of PacketFence. During the installation process, you can overwrite the existing Web administration username and password.

Testing PacketFence

With the initial configuration done, you can finally test PacketFence. First, I created some users with the Web management interface. I plugged some client workstations into the available switch ports. When I tried to browse the Internet from a network client, since I have not yet registered the workstation, the registration page appears as expected for me to enter my authorization credentials. PacketFence supports external authentication mechanisms such as Lightweight Directory Access Protocol (LDAP) and Remote Authentication Dial-In User Server/Service (RADIUS) to avoid the hassle of prior administrative setup for each user account, but I selected local authentication and entered my username and password. Looking at the Web management console, I could then see that the workstation was registered.

Once a workstation is registered, it's viewed as agreeing to the network policy and to be monitored to follow the policy. If on first-time registration, the workstation is seen to be clean and following the policy, it will be automatically allowed to be part of the regular VLAN. Otherwise, it will be put in isolation until the violation is removed. You don't have to do anything to assign the workstation to a regular or isolation VLAN. Once the policies are places and defined in the PacketFence configuration, it will automatically move a workstation to the isolation VLAN if it violates the policies or move it back to the regular VLAN once the violations are remedied. However, you can still manually place a workstation on a specific VLAN if necessary.

I tried to isolate the workstations that have peer-to-peer traffic using applications such as Limewire by editing the configuration file /usr/local/pf/conf/violations.conf and specifying that P2P traffic, and even BitTorrent, constitutes a violation. This file contains predefined violations that you can enable and disable. You can also configure violation options from the Web management console, such as enabling violation detection during registration and specifying actions to be taken when a violation is detected, but to detect specific traffic like P2P, you must edit the configuration file. Once I enabled P2P violations, the workstation with Limewire traffic was transferred to the isolation VLAN, cutting off its access to the Internet. The first time you run PacketFence, you must configure it to automatically return violating devices and users to a more permissive VLAN once the violating program is closed so that there is no need for manual administration.

PacketFence can do many other things as well. For example, you can configure a wireless access point to use the concept of registration VLAN and isolation VLAN. For a wireless access point to work with PacketFence, just like the switch, you must specify the indicated VLANs on the access point configuration. PacketFence also detects hardware-based VoIP phones as well as workstations that may be connected behind software VoIP phones. There are some scenarios in which the VoIP phone and workstation share a single switch port and others, as with older switches, that only allows a VoIP device or a workstation on each port -- thus the VoIP and workstation are separated. But newer switches allows a VoIP and workstation to share a single port. Since PacketFence is dependent on device detection on each port, it has a feature to correctly identify the VoIP device and workstation on a single port. By adjusting some configurations at the switch level, PacketFence can properly detect the VoIP phone/device and the workstation.

If a workstation violates an established policy or malware is detected on the system, PacketFence can take action to remedy the situation by isolating the workstation from the network and redirecting it on a defined Web page that will direct the user through the necessary steps to remove the vulnerability, virus, or violation. If the workstation can't access the URL, because there's no Web browser or for other reasons, the only way to end the isolation is to directly report it to the administrator. If a browser is opened, the user will be directed immediately to a violation or remediation page for necessary actions to fix the problem. The page might ask the user to download and install an antivirus agent, patch the system, or remove certain programs that don't conform with the network policy.

PacketFence uses Nessus as its vulnerability scanner, and the scanning can be done according to schedule or on an ad hoc basis. For example, scanning can be done automatically when a workstation is first registered or manually as new threats appear. Since Nessus can update itself to get the latest threats and updates, you can automatically configure PacketFence to perform vulnerability scanning once Nessus receives the latest threat update.

Final thoughts

PacketFence ZEN is not for the average system administrator. Even experienced IT personnel could have some difficulty in getting this application up and running. The ZEN version is intended to ease deployment, but, while the number of complicated tasks has been reduced, it is still complicated to set up. Since that defeats the purpose of "zero effort" deployment, I hope the developers will address the issues previously mentioned.

With its somewhat lacking documentation, it will take time for anyone to master this program. However, once mastered, PacketFence can work wonders for your network security.


  • Reviews
  • System Administration
  • Security