Archive for the ‘Security’ Category

Cisco IOS Zone Based Firewall Example

Today’s challenge was to get to grips with Cisco’s ZBFW. There are a few examples out there if you google, but this Cisco PDF was the best resource I found.

I’m going to share my GNS3 config with you. My first gotcha was getting the “right” IOS version: the latest advanced security 12.4 image for the 3725 doesn’t cut it, you need a copy of c3725-advsecurityk9-mz.124-15.T7.bin.

My plan was simple, I wanted to re-create this following pseudo ASA style configuration:

access-list inside permit icmp any any
access-list inside permit tcp any any eq telnet
access-list outside permit tcp any host 192.168.10.100 eq telnet
access-group inside in interface inside
access-group outside in interface outside

What’s funny is that those 5 lines of ASA config turn into more than 20 for ZBFW! Both are stateful firewalls (the ZBFW “inspect” action tracks each session and lets the return traffic back in, just as the ASA does), so that is the same result for more than four times the typing… anyway, moving on…

The ZBFW is broken into four parts:

  • Assign Zones to Interfaces
  • Create a class-map to define interesting traffic
  • Create a policy-map to give your class an action
  • Create a zone pair to give your class a direction

As you can see in the picture, I have three routers: Inside, Outside & Gateway. We will generate traffic from Inside -> Outside (and vice versa) and Gateway will be our firewall. In this blog post I’ll discuss the inside -> outside policy; read through the attached config to work out how outside -> inside works :)

Creating zones and applying them to interfaces is the easy bit…

!
zone security inside
 description LAN
zone security outside
 description Internet
!
interface FastEthernet0/0
 ip address 10.10.10.10 255.255.255.0
 zone-member security outside
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 zone-member security inside

ZBFW supports traffic matching by protocol, by ACL, or both. To start with I need a class map equivalent to:
access-list inside permit icmp any any
So that looks like:

class-map type inspect match-any myinspectclass
 match protocol icmp

The action we apply via the policy map will be “inspect”, not “permit” as in the access list. What we want is for the echo-request (echo) packet passing from the inside interface to the outside to be inspected, creating a session entry, so that the echo-reply packet is let back in…

policy-map type inspect myinspectpolicy
 class type inspect myinspectclass
  inspect

To apply this inside -> outside we create a zone-pair…

zone-pair security in-out source inside destination outside
 service-policy type inspect myinspectpolicy

Part 1 done. breath, take a break.

We can now ping from inside to outside, but outside to inside fails. Part two is to create a separate “flow” to allow telnet out. We could update the existing class-map, but it’s much clearer to create a new one; first we need an access-list…

ip access-list extended telnet_any
 permit tcp any any eq telnet

This ACL restricts our TCP inspection to telnet only; without it the following class map would inspect (and therefore permit) any TCP. Note the class map is match-all, so a packet has to match both the access-group and the protocol line to be inspected.

class-map type inspect match-all inspecttelnetclass
 match access-group name telnet_any
 match protocol tcp

Now that we have defined our traffic we can use the existing policy map, which already permits the ICMP traffic, to permit this TCP as well. This is the new policy map, replacing the one above:

policy-map type inspect myinspectpolicy
 class type inspect myinspectclass
  inspect
 class type inspect inspecttelnetclass
  inspect

The policy map works top down, permitting ICMP traffic through flow 1 (rule 1) and telnet through flow 2. Anything that matches neither class falls through to the implicit class-default and is dropped. We don’t need to touch the zone pair :)

Attached is my GNS3 .net file and the three router configs [1,2,3], hopefully it all makes sense :cool:

Secure your Mac to EAL3

This hit my feed reader this morning…

Atsec information security is pleased to announce the successful Common Criteria Certification of Mac OS X Snow Leopard at EAL 3

Reference: http://www.atsec.com/us/news-atsec-apple-mac-os10-6-common-criteria-evaluation-snow-leopard-184.html

It took me a few minutes to find it, but if you want a certifiably secure Mac you need to follow Apple’s Admin Guide on their Common Criteria page. I know what I’ll be doing later :)

Bluecoat, Gmail (Google Mail) & Your request is being scanned for security purposes

This issue wasted an hour of my life :)

Recently users visiting google mail via the bluecoat proxy started complaining of popups which said…

Your request is being scanned for security purposes

Instead of “botching” it on the Blue Coat I offered my users a workaround, something they should be doing anyway: switch on encryption. Within Gmail -> Settings -> General, tick the box…

GMail - Always Use HTTPS

This did the trick: my users’ mail is now more confidential than it was before and there are no more pop-ups :cool:

Checkpoint Nokia, How to enable SSH thru the default filter.

I had lost this bookmark, so it’s saved here so I don’t lose it again :)

  • Solution Title: How do I control / change access using defaultfilter and initialpolicy?
  • Solution ID: sk41117

There are various options given in the article; this…

ipso[nick]# cp -p $FWDIR/conf/initial_module.pf $FWDIR/conf/initial_module.pf.OLD
ipso[nick]# cp $FWDIR/lib/defaultfilter.ipso $FWDIR/conf/initial_module.pf
ipso[nick]# comp_init_policy -g
initial_module:
Compiled OK.
ipso[nick]#

… will do in most cases!

Cisco NAC (Clean Access) CLI Commands.

I can never find these when I want them…

Also, from the release notes, to show the version…

cat /perfigo/build

… there are some other useful scripts in /perfigo/common/bin, such as

/perfigo/common/bin/fostate.sh

… which is used for checking the failover state. If you can think of any more please post them in the comments ;)

Image Blocking & Re-Writing with Blue Coat.

Recently I’ve been helping out a customer with perhaps the strictest URL filtering policy I have seen in a while!

URL categorisation is in place and large sections of the internet, such as “blogs / personal pages” & “social networking”, were being blocked. What makes this unusual is that Google Images is a popular tool there, and the mix of the two made it “appear” that Google Images was broken.

Broken, you ask? Yes: if you search for something harmless like “HP Laptop” or “Nokia Phone”, some of the results are actually hosted on personal pages (a forbidden category). Because the image is blocked, your browser shows a broken-image icon, which makes it look like the page failed to load!

With the help of a very helpful Blue Coat guy I have a solution.

To start with you’ll need an image to insert into the page, something that shows the image was blocked; this open clip art denied sign worked nicely for me. Next you’ll need an intranet web server to host the image on: IIS or Apache will do the trick. It doesn’t matter where the image is as long as your users can “see” it.

In the VPM you’ll need an object representing all your blocked categories, and then you create a new rule:

Source = Any (or internal users, whatever)
Destination = Combined object (call it something like Blocked_Images); in the top box you want your category object, in the bottom box you want an “HTTP MIME Types” object which matches all images. Screen Shot 1 should help.
Action = Combined object (named something like Return_Blocked_Image); in the top box you want two actions, a “Return Redirect Object” which redirects to your image and then “Allow” which permits the HTTP request to your image. Screen Shot 2 should help.

Install the policy and job done! I think you’ll find this is a very neat solution!

Latest WordPress Milw0rm exploits PIPE’d to your feed reader!

Milw0rm is a great source of security exploits, and subscribing to its feed is a good way of getting a heads-up on where the next attack might come from. There are a lot of script kiddies who do nothing more than download milw0rm exploits and fire them randomly into the internet hoping to get a hit!

The thing is, there are a lot of exploits found every day and they can start to fill up your RSS feed reader, so it’s a good idea to filter down to the things that are useful to you. As an example I have created a simple Yahoo! Pipe which delivers only the WordPress exploits found on Milw0rm!

PIPE URL: http://pipes.yahoo.com/linickx/milw0rmwordpress
FEED URL: http://pipes.yahoo.com/pipes/pipe.run?_id=RDnArZNk3hGthFdiUpWufg&_render=rss

The pipe / feed is currently empty (it returns no results) as nothing new has been published recently, but I’m sure that’ll change soon enough :)

Bluecoat reverse proxy and health checks.

Bluecoat Reverse Proxy Health Check Diagram

Consider the attached diagram: a customer wants a fairly simple reverse HTTP proxy solution. Behind the Blue Coat are two servers, one hosting pages for server1.domain.com and the other for server2.domain.com (both of these DNS names resolve to the IP address of the Blue Coat).

The requirement comes with a twist: in the event that either server goes down they want requests sent to another “we’re sorry, the site is down” server. Below is some pseudo-code explaining what we want the Blue Coat to do when it receives an HTTP request.


If (URL = http://server1.domain.com ) then
    If ( webserver1 = healthy) then
        Forward webserver1
    Else
        Forward backupserver
    Fi
Fi
If (URL = http://server2.domain.com) then
    If ( webserver2 = healthy) then
        Forward webserver2
    Else
        Forward backupserver
    Fi
Fi

Now it took me some time to find out how to do this; some of it can be applied in the GUI, the rest has to be applied in Content Policy Language (CPL). If you want to do something similar, start by defining some forwarding hosts in the GUI: click Configure -> Forwarding Hosts -> New. In this example use only IP addresses, it makes things simpler later, so server1.domain.com is…

  • alias = 192.168.1.1
  • host = 192.168.1.1
  • type = server
  • ports = HTTP 80

then server2.domain.com is…

  • alias = 192.168.1.2
  • host = 192.168.1.2
  • type = server
  • ports = HTTP 80

and the backup webserver is…

  • alias = 192.168.1.3
  • host = 192.168.1.3
  • type = server
  • ports = HTTP 80

If you now click Health Checks -> General you’ll see that health checks such as fwd.192.168.1.3 have been created for you.

Next, in the VPM (Policy -> Visual Policy Manager -> Launch), create a web access layer permitting “any” to your web server hosts server1.domain.com & server2.domain.com.

Finally you need to upload some CPL (Policy -> Policy Files -> Under: Install Local File from -> Select: Text Editor -> Install):

<Forward>
	; Forward to server1.domain.com
	server_url.host.exact="server1.domain.com" is_healthy.fwd.192.168.1.1=yes forward(192.168.1.1)
	server_url.host.exact="server1.domain.com" is_healthy.fwd.192.168.1.1=no forward(192.168.1.3)
	; Forward to server2.domain.com
	server_url.host.exact="server2.domain.com" is_healthy.fwd.192.168.1.2=yes forward(192.168.1.2)
	server_url.host.exact="server2.domain.com" is_healthy.fwd.192.168.1.2=no forward(192.168.1.3)

Change as necessary, but now if server1.domain.com goes down the page on 192.168.1.3 is displayed (and the same happens for server2). Neat! Note there is no rule covering the backup server itself being down; if 192.168.1.3 is also unhealthy the request simply fails.

(Correct as of SGOS 5.4.1.3 as usual YMMV!)

McAfee Technical Professional in Network Security


IPSO: From CLISH to Bourne Shell (sh)

Note to Self:

If an administrator has set up your Nokia (IPSO) shell account to log into clish rather than the Unix shell, and you need to cpstop;cpstart, you can switch shells with the command…

Nokia:>shell
[admin@nokia]#

It’s quite a simple command, so why can’t I remember it!

Footnote:
iclid is the “router shell”, where you can run show commands
clish is the “Voyager shell”, where you can “set” things and make changes
/bin/sh, the Bourne shell (or sh), is the “Unix shell”, where you have access to the root operating system and can make changes to the file system or restart processes.

Better Proxy Settings… Bluecoat, wpad, proxy.pac & dhcp option 252

Recently I’ve been involved with a Blue Coat install; one of the requirements I was faced with was helping the client remove fixed proxy settings from their browsers.

For how-to references, a combination of Google, Wikipedia and this post are good places to start; I intend to document my experience, so you may find some overlap.

The first thing to understand is that Firefox (FF) and Internet Explorer (IE) both support an “automatically detect proxy” setting, but they implement it in different ways. Both FF & IE use a proxy.pac (also known as wpad.dat) for their configuration; they just “look for it” in different ways.

The proxy PAC file is JavaScript that tells the browsers (both FF & IE) how to connect. There are some good PAC file examples here; this is what I did…


function FindProxyForURL(url, host)
{
  // The first test decides whether the request should bypass the proxy...
  // Proxy bypass list
  if (
    // ignore RFC 1918 internal addresses
    // (note: isInNet() resolves hostnames, so this costs a DNS lookup per request)
    isInNet(host, "10.0.0.0", "255.0.0.0") ||
    isInNet(host, "172.16.0.0", "255.240.0.0") ||
    isInNet(host, "192.168.0.0", "255.255.0.0") ||

    // if the URL is like http://server, bypass
    isPlainHostName(host) ||

    // localhost!!
    localHostOrDomainIs(host, "127.0.0.1") ||

    // bypass internal URLs
    dnsDomainIs(host, ".mycompany.com") ||
    dnsDomainIs(host, ".mycompany.local")
  )
  {
    // If true, tell the browser to go direct...
    return "DIRECT";
  }

  // If false, it's not on the bypass list, so proxy the request;
  // if the browser fails to connect to the proxy it falls back to direct.
  return "PROXY 10.10.10.10:8080; DIRECT";
}
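As an added example (not part of the original post), here is the same bypass logic again, packaged with Node.js stand-ins for the helper functions that browsers normally supply to a PAC file (isInNet, isPlainHostName, dnsDomainIs, localHostOrDomainIs), so the routing decisions can be unit-tested offline before the file is published on the Blue Coat. The proxy address 10.10.10.10:8080 and the mycompany.* domains are taken from the post; the test hosts are constructed. Unlike the original it returns no “;DIRECT” fallback, so a dead proxy fails closed instead of silently bypassing the filtering.

```javascript
// Added example: a proxy.pac with the post's bypass rules plus offline
// stand-ins for the browser PAC helpers, so the decisions can be tested
// in Node.js before deployment. Proxy address and domains follow the post;
// the test hosts below are constructed, not taken from any real network.

// ---- stand-ins for the PAC helper functions a browser provides ---------
// Browsers resolve names here; this offline stub only accepts dotted quads.
function dnsResolve(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) ? host : null;
}
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}
function isInNet(host, pattern, mask) {
  const ip = dnsResolve(host);
  if (ip === null) return false;          // unresolvable: treat as not in net
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(pattern) & ipToInt(mask));
}
function isPlainHostName(host) {
  return host.indexOf(".") === -1;        // "http://server" style names
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}
function localHostOrDomainIs(host, hostdom) {
  return host === hostdom || hostdom.indexOf(host + ".") === 0;
}

// ---- the PAC logic itself --------------------------------------------
const PROXY = "PROXY 10.10.10.10:8080";  // address as given in the post

function FindProxyForURL(url, host) {
  if (
    isInNet(host, "10.0.0.0", "255.0.0.0") ||       // RFC 1918 ranges
    isInNet(host, "172.16.0.0", "255.240.0.0") ||
    isInNet(host, "192.168.0.0", "255.255.0.0") ||
    isPlainHostName(host) ||                          // http://server
    localHostOrDomainIs(host, "127.0.0.1") ||         // localhost
    dnsDomainIs(host, ".mycompany.com") ||            // internal domains
    dnsDomainIs(host, ".mycompany.local")
  ) {
    return "DIRECT";
  }
  // No ";DIRECT" fallback: if the proxy is down, browsing fails rather than
  // quietly bypassing the filtering the proxy is there to enforce.
  return PROXY;
}

// ---- constructed test cases: [url, host, expected decision] -------------
const CASES = [
  ["http://intranet/",            "intranet",             "DIRECT"],
  ["http://127.0.0.1/",           "127.0.0.1",            "DIRECT"],
  ["http://10.1.2.3/",            "10.1.2.3",             "DIRECT"],
  ["http://172.31.255.1/",        "172.31.255.1",         "DIRECT"],
  ["http://172.32.0.1/",          "172.32.0.1",           PROXY],  // just outside 172.16/12
  ["http://wiki.mycompany.local/", "wiki.mycompany.local", "DIRECT"],
  ["http://notmycompany.com/",    "notmycompany.com",     PROXY],  // suffix must include the dot
  ["http://www.example.com/",     "www.example.com",      PROXY],
];

// Returns the cases whose decision differs from the expectation (empty = pass).
function runCases() {
  return CASES
    .map(([url, host, want]) => ({ host, want, got: FindProxyForURL(url, host) }))
    .filter((r) => r.got !== r.want);
}

const failures = runCases();
console.log(failures.length === 0 ? "all PAC cases pass" : failures);
```

Run it with node before pushing the file to the proxy. The dnsResolve stub only understands dotted-quad hosts; a real browser resolves names there, which is also why isInNet() against a hostname costs a DNS lookup on every request.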

Once you’re happy with what you’ve written you need to “publish” the pac file on a webserver for your clients to download it… I’ve decided to use the bluecoat proxy SG.

Now you can’t upload the PAC file via the GUI; you need to get down and dirty with the command line. Below is an example SSH session…


Proxy> enable
Proxy# conf t
Proxy# inline accelerated-pac 123
....... Paste the contents of proxy.pac .......
123
Proxy#

Before going any further, log into your Blue Coat and make sure that under Services -> Proxy Services, HTTP 80 & 8080 are set to Intercept. Next check that under Services -> Management Services, HTTP-Console 8081 is enabled: this service will be used to serve the PAC file. Leave HTTPS-Console 8082 on as well; using the plain-HTTP 8081 console for administrator access would be a bad idea.

You will now hopefully be able to download your PAC file from the following URL: http://10.10.10.10:8081/accelerated_pac_base.pac (change the IP as necessary).

Once that works we’re going to add some proxy policy to make that URL (a) nicer and (b) compatible with Firefox. In the Blue Coat GUI under Policy (not the Visual Policy Manager) make sure that the local policy is read first, i.e. it is at the top of the file list. The following SSH session installs policy that rewrites the PAC file for a variety of names; basically I’ve tried to capture every combination that a user might try…


Proxy> enable
Proxy# conf t
Proxy# inline policy local 123


<proxy>
url=http://proxy.mycompany.local/proxy.pac authenticate(no)
url=http://proxy.mycompany.local/wpad.dat authenticate(no)
url=http://wpad.mycompany.local/wpad.dat authenticate(no)
url=http://www.wpad.com/wpad.dat authenticate(no)
url=http://proxy.mycompany.local:8081/accelerated_pac_base.pac authenticate(no)
url=http://10.10.10.10:8081/accelerated_pac_base.pac authenticate(no)


<cache>
url.domain=http://proxy.mycompany.local/proxy.pac cache(no)
url.domain=http://proxy.mycompany.local/wpad.dat cache(no)
url.domain=http://wpad.mycompany.local/wpad.dat cache(no)
url.domain=http://www.wpad.com/wpad.dat cache(no)
url.domain=http://proxy.mycompany.local:8081/accelerated_pac_base.pac cache(no)
url.domain=http://10.10.10.10:8081/accelerated_pac_base.pac cache(no)


<proxy>
url=http://proxy.mycompany.local/proxy.pac action.rewrite_pac(yes)
url=http://proxy.mycompany.local/wpad.dat action.rewrite_pac(yes)
url=http://wpad.mycompany.local/wpad.dat action.rewrite_pac(yes)
url=http://www.wpad.com/wpad.dat action.rewrite_pac(yes)
url=/wpad.dat action.rewrite_pac(yes)


define action rewrite_pac
rewrite(url,"(.*)","http://10.10.10.10:8081/accelerated_pac_base.pac")
end


123
Proxy#

Phew, that’s the Blue Coat side of things sorted; now we need to get clients to download the file! This is where the browsers have different approaches…

Internet Explorer uses DHCP option 252 to detect the proxy (falling back to DNS if no option is returned); you can set the option to any of the URLs you’re rewriting on the Blue Coat. I chose http://wpad.mycompany.local/wpad.dat .

Firefox uses DNS to detect the proxy, so you’re going to need to create some records. The Blue Coat was called “proxy” so an A record for proxy.mycompany.local already existed; we created a CNAME record for wpad.mycompany.local pointing to proxy.mycompany.local. If your DNS domain is something like uk.mycompany.local you’ll need to add CNAME records for both wpad.uk.mycompany.local & wpad.mycompany.local, and add the matching lines to the Blue Coat rewrite policy above.

Once done you can set either browser to “automatically detect” and, fingers crossed, all will work! One caveat: auto-detection trusts whatever answers for the wpad name or DHCP option 252, so keep those DNS records and DHCP scopes firmly under your control; anyone who can register a wpad host in a search domain or answer DHCP on the segment can point every browser at a proxy of their choosing.

Cisco ASA Syntax Highlighting with Notepad++

When using Windows, Notepad++ is my editor of choice. When editing PHP files it’s nice to see coloured highlighting confirming your syntax is correct.

As I regularly have to review & build Cisco ASA Firewall configs I thought it would be nice to add a little colour :)

Notepad++ supports a user-defined language system whereby users can create their own syntax highlighting. As Google couldn’t find anyone else who’d had a go at this before, I thought I’d have a crack at being the first.

Attached to this post you’ll find userDefineLang_ASA.xml; what you need to do is:

1. Download the user-defined language to your computer
2. Open the file with your favourite text editor (such as notepad++ or notepad)
3. Click start, run, type (or paste in) %APPDATA%\Notepad++ then click ok
4. Open userDefineLang.xml with a text editor
5. If this is the first user-defined language you are adding, copy/paste the entire downloaded file into userDefineLang.xml, replacing all that was there. If this is the second or later language you add, copy everything from the downloaded file starting at <UserLang and ending at </UserLang>, and paste it at the end of userDefineLang.xml right before the closing </NotepadPlus>
6. Save the newly improved userDefineLang.xml

Reference: http://notepad-plus.sourceforge.net/uk/download.php

My implementation is quite simple at this stage: I’ve copied all the top-level commands, i.e. anything listed by an initial “?” such as “show”, but I haven’t gone through grabbing level two, such as “run” in “show run”. I have, however, added the most common level-two commands so you should see something useful.

Comments or improvements welcome :cool:

Allowing RFC1918 – 192.168, 10. , 172.16-32 address with NoScript

I’ve recently started using the Firefox add-on NoScript to improve my online security.

One of the things that’s been a little frustrating has been having to manually accept/whitelist internal 192.168.1.1-type addresses. After a fruitless google, I’ve managed to find the answer here in the NoScript forum.

There is one major limitation: the NoScript whitelist only accepts address entries of more than one octet, which means you cannot whitelist the whole of 10.*.*.* (10/8), as “10.” is only one octet. On the upside you can whitelist a whole /16 (255.255.0.0), which works out nicely for the 192.168.0.0/16 set of addresses, but for the 10s & 172s you’re a bit stuffed.

Now you may find that when you try to whitelist 10.123.0.0/16 you have issues; I know I did! The trick is to read the forum post carefully. If you want to whitelist 10.123.0.0 through 10.123.255.255 then add the following:

http://10.123

https://10.123

That should allow both HTTP & SSL traffic to all those internal addresses to be permitted by NoScript!

Dear googler, I hope this was of some help :)

My List of Security PodCasts

Follow up post from yesterday’s tweet.

This is the list of PodCasts that I’m hoping will keep my security brain well fed…

Don’t forward Warning E-mails!

For a while now I’ve warned that forwarding “beware of XYZ virus” e-mails causes as much harm as the intended good. I like this McAfee post; personally I would have titled it “Hoax or Not – Delete it!” :)