Posts Tagged ‘Security’

Thoughts on Firewalling

Firewalls will always be a key ingredient of network security, but not all firewalls are equal. Recently I’ve been forced into documenting how I decide on and think about firewall rules…

Strict Firewalling
IMO Strict Firewalling is the traditional way to implement your traffic policies (ACLs): each rule should be as tight as possible… the idea of “any” should not be used at all and ranges should be kept to a minimum; hosts rather than subnets, source and destination IPs restricted, specific TCP ports (not ranges) used.

Service Led Firewalling
A term I think I made up, Service Led Firewalling is where you relax the ACL/policy at the source… to host a DNS zone you need to allow “anyone” to perform lookups, so Strict Firewalling cannot be applied here, but you do know the destination and the service, so both of these should be defined/restricted as appropriate… you see what I mean here: the policy is defined by the “service” provided.

Open Firewalling
Possibly a contradiction in terms, but bear with me; there are some instances where implementing a firewall provides little benefit. One example I’ve seen was a customer’s security officer who wanted an internal firewall (i.e. no internet connection) in front of their Microsoft file server; in order for AD & MS clients to work properly all the MS ports had to be opened… so the server guys continuously complained: what exactly is the firewall doing? What is Open Firewalling? It’s the process of implementing a black list followed by a white list, rather than the traditional permit-then-drop processing that a firewall does; I’d create a rule that drops prohibited applications (such as P2P or unencrypted protocols) and then create a policy permitting all ports from legitimate IP ranges.

When would I use these?
Your firewall should be broken into zones; each zone meets both security policy and business requirements, and you then apply a firewalling technique to each zone. For example, it’s not uncommon to have a back-end database which should only ever be accessed by the front-end application, therefore it could be in a zone protected by Strict Firewalling; public services such as websites/email servers require flexibility on their source and thus require Service Led Firewalling. Occasionally your business or application requirements suggest that firewalling impedes things; using Open Firewalling to “clean” traffic is a compromise between “security people wanting firewalls” and any historical business/application issues… the firewall is there, perhaps protecting against SYN-flood attacks and, as previously suggested, blocking prohibited apps, yet the business doesn’t see any traditional firewall headaches.

I don’t agree you fool!
That’s your choice; there’s no correct answer to security. The business you work in and the security policy mandated by senior management direct what you do; these are just my approaches :-)

OpenVPN redirect-gateway trickery

You’re on a network with only HTTP/HTTPS access to the internet… you’ve got OpenVPN set up to tunnel all your traffic out via HTTPS… but you still want to access the local LAN?

All the OpenVPN client is doing is changing the routing table on the OS (netstat -nr / route print): you’ll see that the route to the OpenVPN server is in there and the default gateway is the OpenVPN tunnel interface. To connect to the local LAN simply add a route via the “local gateway”, i.e. the same gateway used to get to the VPN server.

Cool eh? Reverse-split-tunneling!!!
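Here is an added example (mine, not part of the original post) that does the “look at the routing table, reuse the gateway of the route to the VPN server” step in Python: it parses a constructed netstat -nr listing, finds the host route OpenVPN installed towards its server and builds the matching ip route add for an internal prefix. The VPN server address, the gateway and the prefix are made-up values, and the helper will only route RFC1918 prefixes around the tunnel, since anything else would leave the encrypted path.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed `netstat -nr` output (Linux layout) from a client connected with
# redirect-gateway: the default route now points into tun0, while the /32 host route
# OpenVPN added for its server (203.0.113.10, a documentation address) still goes via
# the LAN gateway 192.168.1.254 on eth0. All addresses are made up for the example.
SAMPLE_NETSTAT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.8.0.5        0.0.0.0         UG        0 0          0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH       0 0          0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
203.0.113.10    192.168.1.254   255.255.255.255 UGH       0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
"""

PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_routes(netstat_output: str) -> List[Dict[str, str]]:
    """Turn the route lines of `netstat -nr` into dicts; title and column headers are skipped."""
    routes = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue
        dest, gateway, mask, flags, _mss, _window, _irtt, iface = parts[:8]
        routes.append({"dest": dest, "gateway": gateway, "mask": mask,
                       "flags": flags, "iface": iface})
    return routes


def find_local_gateway(routes: List[Dict[str, str]], vpn_server: str) -> Optional[Tuple[str, str]]:
    """(gateway, interface) of the host route to the VPN server, i.e. the LAN's real gateway.

    Returns None when no such route exists, which usually means the tunnel (or the
    redirect-gateway option) is not active and there is nothing to work around."""
    for r in routes:
        net = ipaddress.ip_network(f"{r['dest']}/{r['mask']}", strict=False)
        if net.prefixlen == 32 and r["dest"] == vpn_server and r["gateway"] != "0.0.0.0":
            return r["gateway"], r["iface"]
    return None


def is_safe_bypass_prefix(prefix: str) -> bool:
    """Only RFC1918 space should be steered around the tunnel: any other prefix would leave
    the encrypted path and be sent out the untrusted network in the clear."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(p) for p in PRIVATE)


def lan_route_command(netstat_output: str, vpn_server: str, lan_prefix: str) -> Optional[str]:
    """Build the `ip route add` that reaches lan_prefix via the local gateway, or None."""
    if not is_safe_bypass_prefix(lan_prefix):
        raise ValueError(f"{lan_prefix} is not private address space; refusing to bypass the VPN")
    found = find_local_gateway(parse_routes(netstat_output), vpn_server)
    if found is None:
        return None
    gateway, iface = found
    return f"ip route add {lan_prefix} via {gateway} dev {iface}"


if __name__ == "__main__":
    print(lan_route_command(SAMPLE_NETSTAT, "203.0.113.10", "172.16.0.0/12"))
```

On Windows the same information comes from route print and the route would be added with route add instead; the gateway-finding logic is identical.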

Cisco ACS 5.1 in VirtualBox

After much swearing and hackerizing I’m happy to post a screenshot of Cisco’s ACS running in VirtualBox :)

Before I explain what I’ve done, a quick message for “the stupids”

No I won’t post a virtual machine for you to download
Buy a license or an appliance

The rest of this post is a run through of what I did; if you get bored easily skip to the summary.

The story is I’ve got a customer who wants dot1x with ACS5 and I need a box to play with before breaking their network; having read through the docs on cisco.com I noticed that VMware was a supported platform for evaluation. As awesome as that is, carrying around an ESXi server isn’t as convenient as you’d think, so I boldly dropped the CD into my VirtualBox and booted to see what happened…. if only it was that simple!!!!!

As expected the installer crapped out early on, complaining that VirtualBox is not a valid hardware configuration, so I decided to have a poke around the ISO image and had a moment of realisation… THANK YOU CISCO FOR CHOOSING CENTOS!

Cisco choosing an open-source installation mechanism means that with a bit of googling I could customise the install process to work in VirtualBox…. sweeet!

To get started I followed the install guide to build a VirtualBox appliance that resembled the supported VMware machine; some things to note:

  • The disk is on a SCSI controller
  • The processor is PAE
  • You need a serial port enabled

This is a summary of my VirtualBox configuration…

  • General
    • Name: Cisco ACS 5
    • OS Type: Red Hat
  • System
    • Base Memory: 1024 MB
    • Processor(s):1
    • Boot Order:Floppy, CD/DVD-ROM, Hard Disk
    • VT-x/AMD-V:Enabled
    • Nested Paging:Enabled
  • Display
    • Video Memory:12 MB
    • 3D Acceleration:Disabled
    • 2D Video Acceleration:Disabled
    • Remote Display Server:Disabled
  • Storage
    • IDE Controller
      IDE Primary Master (CD/DVD):Empty
    • Floppy Controller
      Floppy Device 0:Empty
    • SCSI Controller
      SCSI Port 0:CiscoACS.vdi (Normal, 65.00 GB)
  • Misc
    • Audio
      Disabled
    • Network
      Adapter 1:PCnet-FAST III (Host-only adapter, ‘vboxnet0’)
    • Serial Ports
      Port 1:COM1, Disconnected
    • USB
      Disabled
    • Shared Folders
      None

If you’re hoping to follow my process, I assume you’ve already downloaded a copy of ACS_v5.1.0.44.iso from Cisco and sorted an eval license.

Looking at the contents of the CD I could see that the KickStart file was rejecting my hardware configuration. In my early attempts I edited ks.cfg, removing everything between %pre and %post, removed the line that said %include and rebuilt the ISO; this had limited success: I could boot further on my new ISO but found that anaconda crapped out as it was unable to find the CD from which it booted… very odd!

Messing with the kickstart file and having to rebuild the ISO each time got boring very quickly, especially since it wouldn’t boot into anaconda stage two. I decided to move to a network-based install: I set up a web server on my laptop, downloaded CentOS-4.7-i386-bin1of4.iso and booted my guest from that using linux askmethod at the loader. On my web server I copied the contents of the ACS CD into a directory (including . hidden files); during the CentOS boot I was able to install “everything” from the ACS directory on the web server, giving me yet more limited success (everything was installed – including the Cisco packages – but unusable).

The next step was to get my web installation to read my kickstart file; the ks.cfg has a load of finalization which looked like it created files that the Cisco packages would need. I had to change the permissions of the directory to give me write access (CD files copied as read-only since the CD was read-only). So my edited ks.cfg has nothing between %pre & %post plus the %include line deleted; the result had a massive drawback: I’d inadvertently removed the disk layout. I have since concluded that my earlier attempt with everything installed but broken also had issues due to incorrect filesystem partitions.

To put the filesystem layout back into the kickstart file I inserted the following:

part / --fstype ext3 --size=100 --grow
part /localdisk --fstype ext3 --size=5120
part /recovery --fstype ext3 --size=1008
part /storedconfig --fstype ext3 --size=981
part /storeddata --fstype ext3 --size=2048
part swap --size=2048

To get the CentOS server to now boot from both the kickstart file and install from my web server I now have to boot with linux ks=http://192.168.56.1/~nick/ACS/ks.cfg (this is instead of linux askmethod) and replace the line that says cdrom with url --url http://192.168.56.1/~nick/ACS.

After all that trial & error I was finally there! I have attached my ks.cfg for your reference and here is a summary of the steps to reproduce.

Install Summary:

  1. Download ACS
  2. Download CentOS
  3. Install a web server
  4. Copy the contents of the ACS CD to your web server (look out for .discinfo)
  5. Replace ks.cfg with your edited version (or mine)
  6. Create a VirtualBox machine
  7. Boot the VirtualBox machine from the CentOS CD with linux ks=http://URL
  8. As soon as you see a blue “installer” screen eject the CentOS CD
  9. Wait
  10. Done

Note: during my playing the anaconda installer crapped out a couple of times; just starting the process again seemed to fix the issue, some bottleneck on VirtualBox disk accesses could be the problem.
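As an added illustration (mine, not the ks.cfg attached to this post), the edits described above as a small Python script: it works on a constructed stand-in for the Cisco kickstart file, strips the %include line and the %pre body, swaps cdrom for the url line, re-inserts the partition table from above and then checks the result before you rebuild. The layout of the stand-in (including %packages sitting before %pre) and the position of the part lines are assumptions.

```python
from typing import List

# Constructed stand-in for the ks.cfg on the ACS CD (the real file is much longer): only
# the directives the post edits are represented. CentOS 4 kickstart sections run until the
# next %-section header, so "everything between %pre and %post" is the hardware-check script.
SAMPLE_KS = """\
install
cdrom
lang en_US.UTF-8
%include /tmp/hardware-check
%packages
@Everything
%pre
# assumed hardware check: refuses anything but the supported platforms
exit 1
%post
echo "finalization the Cisco packages rely on"
"""

# Disk layout from the post, re-inserted because deleting the %pre/%include bits lost it
PART_LAYOUT = [
    "part / --fstype ext3 --size=100 --grow",
    "part /localdisk --fstype ext3 --size=5120",
    "part /recovery --fstype ext3 --size=1008",
    "part /storedconfig --fstype ext3 --size=981",
    "part /storeddata --fstype ext3 --size=2048",
    "part swap --size=2048",
]

def edit_kickstart(text: str, install_url: str) -> str:
    """Apply the post's edits: drop %include, empty the %pre section, switch cdrom to url."""
    out: List[str] = []
    skipping = False
    for line in text.splitlines():
        word = line.strip()
        if word.startswith("%include"):
            continue                      # the include pulled in the rejected layout
        if word.startswith("%pre"):
            skipping = True               # keep the header, drop the script body
            out.append(line)
            continue
        if word.startswith("%post"):
            skipping = False
        if skipping:
            continue
        if word == "cdrom":
            out.append(f"url --url {install_url}")
            out.extend(PART_LAYOUT)       # assumed placement: right after the install source
            continue
        out.append(line)
    return "\n".join(out) + "\n"

def check_kickstart(text: str) -> List[str]:
    """Sanity checks before rebuilding: an empty list means the file looks right."""
    lines = [l.strip() for l in text.splitlines()]
    problems = []
    if "cdrom" in lines:
        problems.append("still installs from cdrom")
    if any(l.startswith("%include") for l in lines):
        problems.append("%include still present")
    if not any(l.startswith("url --url ") for l in lines):
        problems.append("no url install source")
    missing = [p for p in PART_LAYOUT if p not in lines]
    if missing:
        problems.append(f"{len(missing)} partition lines missing")
    if "%pre" in lines and "%post" in lines and lines.index("%post") != lines.index("%pre") + 1:
        problems.append("%pre section is not empty")
    return problems
```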

Hope that all makes sense, happy hacking!

Cisco IOS Zone Based Firewall Example

Today’s challenge was to get to grips with Cisco’s ZBFW; there are a few examples out there if you google, but this Cisco PDF was the best resource I found.

I’m going to share with you my GNS3 config. My first gotcha was getting the “right” IOS version: the latest advanced sec 12.4 image for the 3725 doesn’t cut it, you need to get a copy of c3725-advsecurityk9-mz.124-15.T7.bin.

My plan was simple: I wanted to re-create the following pseudo ASA-style configuration:

access-list inside permit icmp any any
access-list inside permit tcp any any eq telnet
access-list outside permit tcp any host 192.168.10.100 eq telnet
access-group inside in interface inside
access-group outside in interface outside

What’s funny is that that’s 5 lines of code, whereas for ZBFW it’s more than 20! Yes, the IOS FW isn’t a stateful firewall like the ASA, but it’s still more than 4 times the work… anyway, moving on…

The ZBFW is broken into four parts:

  • Assign Zones to Interfaces
  • Create a class-map to define interesting traffic
  • Create a policy-map to give your class an action
  • Create a zone pair to give your class a direction

As you can see in the picture, I have three routers: Inside, Outside & Gateway; we will generate traffic from Inside -> Outside (and vice versa) and Gateway will be our firewall. In this blog post I’ll discuss the inside -> outside policy; read through the attached config to work out how outside -> inside works :)

Creating zones and applying them to interfaces is the easy bit…

!
zone security inside
 description LAN
zone security outside
 description Internet
!
interface FastEthernet0/0
 ip address 10.10.10.10 255.255.255.0
 zone-member security outside
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 zone-member security inside

ZBFW supports traffic matching by protocol, ACL or both. To start with I need to create a class map equivalent of:
access-list inside permit icmp any any
So that looks like:

class-map type inspect match-any myinspectclass
 match protocol icmp

Our action for this, applied via the policy map, will be “inspect”… not “permit” like the access list; what we want to happen is for the echo-request (echo) packet passing from the inside interface to the outside to be inspected so that the echo-reply packet is let back in…

policy-map type inspect myinspectpolicy
 class type inspect myinspectclass
  inspect

To apply this inside -> outside we create a zone-pair…

zone-pair security in-out source inside destination outside
 service-policy type inspect myinspectpolicy

Part 1 done. Breathe, take a break.

We can now ping from inside to outside, but outside to inside fails. Part two is to create a separate “flow” to allow telnet out. Now we could update our existing class-map, but it’s much clearer to create a new one; first we need an access-list…

ip access-list extended telnet_any
 permit tcp any any eq telnet

This will restrict our TCP protocol inspection to permit only telnet; without this ACL the following class map would permit (inspect) any TCP.

class-map type inspect match-all inspecttelnetclass
 match access-group name telnet_any
 match protocol tcp

Now that we have defined our traffic we can use the existing policy that permits the ICMP traffic through to permit this TCP through too, so this is the new policy map that replaces the one above:

policy-map type inspect myinspectpolicy
 class type inspect myinspectclass
  inspect
 class type inspect inspecttelnetclass
  inspect

The policy map will work top down, permitting ICMP traffic through flow 1 (rule 1) and telnet through flow 2…. we don’t need to touch the zone pair :)
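To make the match-any/match-all difference and the zone-pair direction concrete, here is an added Python model of the policy above (my example, not Cisco code and not the attached configs). It only models protocol and destination-port matching plus a simple session table, so it is a teaching aid rather than a simulator; the interface names and zones are the ones from the Gateway config.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    in_iface: str
    out_iface: str
    protocol: str                    # "icmp", "tcp" or "udp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

# zone-member security on each interface of the Gateway router
ZONES: Dict[str, str] = {"FastEthernet0/0": "outside", "FastEthernet0/1": "inside"}
# ip access-list extended telnet_any, as (protocol, destination port) entries
ACLS: Dict[str, List[Tuple[str, Optional[int]]]] = {"telnet_any": [("tcp", 23)]}
# class-map type inspect: (match-any|match-all, "match protocol" list, "match access-group" list)
CLASS_MAPS = {
    "myinspectclass": ("match-any", ["icmp"], []),
    "inspecttelnetclass": ("match-all", ["tcp"], ["telnet_any"]),
}
# policy-map type inspect myinspectpolicy: classes in configured order with their action
POLICY_MAPS = {"myinspectpolicy": [("myinspectclass", "inspect"), ("inspecttelnetclass", "inspect")]}
# zone-pair security in-out source inside destination outside
ZONE_PAIRS = {("inside", "outside"): "myinspectpolicy"}

def acl_permits(name: str, pkt: Packet) -> bool:
    """Simplified ACL: protocol plus optional destination port, any source and destination."""
    return any(proto == pkt.protocol and (port is None or port == pkt.dst_port)
               for proto, port in ACLS[name])

def class_matches(name: str, pkt: Packet) -> bool:
    """match-any needs one criterion to hold, match-all needs every one of them."""
    mode, protocols, acls = CLASS_MAPS[name]
    checks = [pkt.protocol == p for p in protocols] + [acl_permits(a, pkt) for a in acls]
    return any(checks) if mode == "match-any" else all(checks)

class ZoneFirewall:
    """Applies the zone-pair policy and keeps an inspect session table so replies get back.
    ICMP is tracked without ports here; real ZBFW also keys on the ICMP id/sequence."""

    def __init__(self) -> None:
        self.sessions: Set[Tuple] = set()

    def handle(self, pkt: Packet) -> str:
        src, dst = ZONES[pkt.in_iface], ZONES[pkt.out_iface]
        if src == dst:
            return "pass"                # traffic within one zone is not policed
        if (pkt.protocol, src, dst, pkt.src_port, pkt.dst_port) in self.sessions:
            return "pass"                # reply belonging to an inspected session
        policy = ZONE_PAIRS.get((src, dst))
        if policy is None:
            return "drop"                # no zone-pair in this direction: default drop
        for class_name, action in POLICY_MAPS[policy]:   # top-down, first match wins
            if class_matches(class_name, pkt):
                if action == "inspect":  # open the reverse flow for the reply
                    self.sessions.add((pkt.protocol, dst, src, pkt.dst_port, pkt.src_port))
                return action
        return "drop"                    # implicit class-default

def demo() -> List[str]:
    # ping out, its reply, telnet out, http out and an unsolicited telnet in, in that order
    fw = ZoneFirewall()
    flows = [
        Packet("FastEthernet0/1", "FastEthernet0/0", "icmp"),
        Packet("FastEthernet0/0", "FastEthernet0/1", "icmp"),
        Packet("FastEthernet0/1", "FastEthernet0/0", "tcp", 40000, 23),
        Packet("FastEthernet0/1", "FastEthernet0/0", "tcp", 40001, 80),
        Packet("FastEthernet0/0", "FastEthernet0/1", "tcp", 40002, 23),
    ]
    return [fw.handle(p) for p in flows]   # -> inspect, pass, inspect, drop, drop
```

The http packet is dropped because the match-all class needs both the tcp protocol match and the ACL to agree, which is exactly why the telnet_any ACL is there.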

Attached is my GNS3 .net file and the three router configs [1,2,3], hopefully it all makes sense :cool:

Secure your Mac to EAL3

This hit my feed reader this morning…

Atsec information security is pleased to announce the successful Common Criteria Certification of Mac OS X Snow Leopard at EAL 3

Reference: http://www.atsec.com/us/news-atsec-apple-mac-os10-6-common-criteria-evaluation-snow-leopard-184.html

It took me a few minutes to find it, but if you want a certifiably secure Mac you need to follow Apple’s Admin Guide on their Common Criteria page. I know what I’ll be doing later :)

Bluecoat, Gmail (Google Mail) & Your request is being scanned for security purposes

This issue wasted an hour of my life :)

Recently users visiting google mail via the bluecoat proxy started complaining of popups which said…

Your request is being scanned for security purposes

Instead of “botching” it on the Blue Coat I offered my users a workaround… something that they should be doing anyway… switch on encryption…. So within Gmail -> Settings -> General, tick the box…

GMail - Always Use HTTPS

This did the trick; my users’ mail is now more confidential than it was before and there were no more pop-ups :cool:

Checkpoint Nokia, How to enable SSH thru the default filter.

I had lost this bookmark, saved here so I don’t lose it again :)

  • Solution Title: How do I control / change access using defaultfilter and initialpolicy?
  • Solution ID: sk41117

There are various options given in the article, this…

ipso[nick]# cp -p $FWDIR/conf/initial_module.pf $FWDIR/conf/initial_module.pf.OLD
ipso[nick]# cp $FWDIR/lib/defaultfilter.ipso $FWDIR/conf/initial_module.pf
ipso[nick]# comp_init_policy -g
initial_module:
Compiled OK.
ipso[nick]#

… will do in most cases!

Cisco NAC (Clean Access) CLI Commands.

I can never find these when I want them…

Also, from the release notes, to show the version…

cat /perfigo/build

… there are some other useful scripts in /perfigo/common/bin, such as

/perfigo/common/bin/fostate.sh

… which is used for checking failover state; if you can think of any more please post them in the comments ;)

Image Blocking & Re-Writing with Blue Coat.

Recently I’ve been helping out a customer with perhaps the strictest URL filtering policy I have seen in a while!

URL categorisation is in place and large sections of the internet such as “blogs / personal pages” & “social networking” were being blocked. What makes this unusual is that Google Images is a popular tool; the mix of these two made it “appear” that Google Images was broken.

Broken, you ask? Yes; basically if you search for something harmless like “HP Laptop” or “Nokia Phone” some of the results are actually stored on personal pages (forbidden categories), and as the image is blocked your browser shows a broken image icon, which makes it look like the page loading failed!

With the help of a very helpful Blue Coat guy I have a solution.

To start with you’ll need an image to insert into the page, something that shows the image was blocked; this open clip art denied sign worked nicely for me. Next you’ll need an intranet web server to save the image on – IIS or Apache will do the trick; it doesn’t matter where the image is as long as your users can “see” it.

In the VPM you’ll need an object representing all your blocked categories, and then to create a new rule…

Source = Any (or internal users, whatever)
Destination = Combined object (call it something like Blocked_Images): in the top box you want your category object, in the bottom box you want an “HTTP MIME Types” object which matches all images – Screen Shot 1 should help.
Action = Combined object (named something like Return_Blocked_Image): in the top box you want two actions, a “Return Redirect Object” which redirects to your image and then “Allow” which permits the HTTP request to your image – Screen Shot 2 should help.

Install the policy and job done! I think you’ll find this is a very neat solution!

Latest WordPress Milw0rm exploits PIPE’d to your feed reader!

Milw0rm is a great source of security exploits; subscribing to its feed is a good way of getting a heads-up on where the next attack might come from…. there are a lot of script kiddies that do nothing more than download milw0rm exploits and fire them randomly into the internet hoping to get a hit!

The thing is there are a lot of exploits found every day and they can start to fill up your RSS feed reader, so it’s a good idea to filter out the things that are useful to you; as an example I have created a simple Yahoo! Pipe which delivers only WordPress exploits found on Milw0rm!

PIPE URL: http://pipes.yahoo.com/linickx/milw0rmwordpress
FEED URL: http://pipes.yahoo.com/pipes/pipe.run?_id=RDnArZNk3hGthFdiUpWufg&_render=rss

The pipe / feed is currently empty – returns no results – as there hasn’t been anything new published recently, but I’m sure that’ll change soon enough :)

Bluecoat reverse proxy and health checks.

Bluecoat Reverse Proxy Health Check Diagram

Consider the attached diagram: a customer wants a fairly simple reverse HTTP proxy solution; behind the Bluecoat are two servers, one hosting pages for server1.domain.com and the other for server2.domain.com (both of these DNS names resolve to the IP address of the Bluecoat).

The requirement comes with a twist: in the event that either server goes down they want requests sent to another “we’re sorry, the site is down” server. Below is some pseudo-code explaining what we want the Bluecoat to do when it receives an HTTP request.

If (URL = http://server1.domain.com) then
    If (webserver1 = healthy) then
        Forward webserver1
    Else
        Forward backupserver
    Fi
Fi
If (URL = http://server2.domain.com) then
    If (webserver2 = healthy) then
        Forward webserver2
    Else
        Forward backupserver
    Fi
Fi

Now it took me some time to find out how to do this; some of it can be applied in the GUI, the rest has to be applied in Content Policy Language (CPL). If you want to do something similar, start by defining some forwarding hosts in the GUI (click: Configure -> Forwarding Hosts -> New). In this example only use IP addresses, it makes things simpler later, so server1.domain.com =

  • alias = 192.168.1.1
  • host = 192.168.1.1
  • type = server
  • ports = HTTP 80

then server2.domain.com is…

  • alias = 192.168.1.2
  • host = 192.168.1.2
  • type = server
  • ports = HTTP 80

and the backup webserver is…

  • alias = 192.168.1.3
  • host = 192.168.1.3
  • type = server
  • ports = HTTP 80

If you now click: Health Checks -> General you’ll see that some health checks like fwd.192.168.1.3 have been created for you.

Next, in the VPM (Policy -> Visual Policy Manager -> Launch) create a web access layer permitting “any” to your web server hosts server1.domain.com & server2.domain.com.

Finally you need to upload some CPL (Policy -> Policy Files -> Under: Install Local File from -> Select: Text Editor -> Install)

<Forward>
	; Forward to server1.domain.com
	server_url.host.exact="server1.domain.com" is_healthy.fwd.192.168.1.1=yes forward(192.168.1.1)
	server_url.host.exact="server1.domain.com" is_healthy.fwd.192.168.1.1=no forward(192.168.1.3)
	; Forward to server2.domain.com
	server_url.host.exact="server2.domain.com" is_healthy.fwd.192.168.1.2=yes forward(192.168.1.2)
	server_url.host.exact="server2.domain.com" is_healthy.fwd.192.168.1.2=no forward(192.168.1.3)

Change as necessary, but now if server1.domain.com goes down the page on 192.168.1.3 is displayed (and the same happens for server2). Neat!

(Correct as of SGOS 5.4.1.3; as usual YMMV!)
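As an added example (mine, not Blue Coat code), a small Python parser for that <Forward> layer: it evaluates a request against a health-state table the way the layer is read, top-down with the first matching rule winning, and flags any host that has no is_healthy…=no fallback rule. The health table is constructed, and the parser only understands the two condition types used above; an alias missing from the table is treated as down.

```python
from typing import Dict, List, Optional, Set, Tuple

# The <Forward> layer from the post, embedded so the example runs offline.
SAMPLE_CPL = """\
<Forward>
    ; Forward to server1.domain.com
    server_url.host.exact="server1.domain.com" is_healthy.fwd.192.168.1.1=yes forward(192.168.1.1)
    server_url.host.exact="server1.domain.com" is_healthy.fwd.192.168.1.1=no forward(192.168.1.3)
    ; Forward to server2.domain.com
    server_url.host.exact="server2.domain.com" is_healthy.fwd.192.168.1.2=yes forward(192.168.1.2)
    server_url.host.exact="server2.domain.com" is_healthy.fwd.192.168.1.2=no forward(192.168.1.3)
"""

Rule = Tuple[Dict[str, str], str]  # (conditions that must all hold, forwarding target)

def parse_forward_layer(cpl: str) -> List[Rule]:
    """Read the rules of the <Forward> layer; other layers and ; comments are ignored."""
    rules: List[Rule] = []
    in_layer = False
    for raw in cpl.splitlines():
        line = raw.strip()
        if line.startswith("<"):                      # layer header
            in_layer = line.lower() == "<forward>"
            continue
        if not in_layer or not line or line.startswith(";"):
            continue
        conds: Dict[str, str] = {}
        target = None
        for token in line.split():
            if token.startswith("forward(") and token.endswith(")"):
                target = token[len("forward("):-1]
            else:
                key, sep, value = token.partition("=")
                if not sep:
                    raise ValueError(f"unrecognised token {token!r} in: {line}")
                conds[key] = value.strip('"')
        if target is None:
            raise ValueError(f"rule has no forward() action: {line}")
        rules.append((conds, target))
    return rules

def evaluate(rules: List[Rule], host: str, health: Dict[str, bool]) -> Optional[str]:
    """Rules are tried top-down and the first whose conditions all hold wins. `health`
    maps forwarding-host alias -> up?; an alias missing from it counts as down."""
    for conds, target in rules:
        matched = True
        for key, value in conds.items():
            if key == "server_url.host.exact":
                matched = host == value
            elif key.startswith("is_healthy.fwd."):
                alias = key[len("is_healthy.fwd."):]
                matched = health.get(alias, False) == (value == "yes")
            else:
                raise ValueError(f"condition {key} is not modelled here")
            if not matched:
                break
        if matched:
            return target
    return None  # nothing matched: forwarding falls through to the proxy default

def hosts_without_fallback(rules: List[Rule]) -> List[str]:
    """Hosts that only have a healthy=yes rule: if that server dies they get no backup."""
    states: Dict[str, Set[str]] = {}
    for conds, _ in rules:
        host = conds.get("server_url.host.exact")
        for key, value in conds.items():
            if host and key.startswith("is_healthy.fwd."):
                states.setdefault(host, set()).add(value)
    return sorted(h for h, s in states.items() if "no" not in s)
```

Note that nothing in the layer covers the backup server itself being down; if that matters, its health check needs a rule of its own.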

McAfee Technical Professional in Network Security

IPSO: From CLISH to Bourne Shell (sh)

Note to Self:

If an administrator has set up your Nokia (IPSO) shell account to log into clish rather than the Unix shell… and you need to cpstop;cpstart… you can switch shells with the command…

Nokia:>shell
[admin@nokia]#

It’s quite a simple command, so why can’t I remember it!

Footnote:
iclid is the “router shell” – where you can do show commands
clish is the “Voyager shell” – where you can “set” things and make changes
/bin/sh or Bourne shell (or sh) is the “Unix shell” – where you have access to the root operating system and can make changes to the file-system or restart processes.

Cisco ASA Syntax Highlighting with Notepad++

When using Windows, Notepad++ is my editor of choice. When editing PHP files, it’s nice to see coloured highlighting confirming your syntax is correct.

As I regularly have to review & build Cisco ASA Firewall configs I thought it would be nice to add a little colour :)

Notepad++ supports a user-defined language system whereby users can create their own syntax highlighting. As Google couldn’t find anyone else who’d had a go at this before, I thought I’d have a crack at being the first.

Attached to this post you’ll find userDefineLang_ASA.xml; what you need to do is…

1. Download the user-defined language to your computer
2. Open the file with your favourite text editor (such as notepad++ or notepad)
3. Click start, run, type (or paste in) %APPDATA%\Notepad++ then click ok
4. Open userDefineLang.xml with a text editor
5. If this is the first userdefined language you are adding, copy/paste the entire first file (which you downloaded) into the userDefineLang.xml, replacing all that was there. If this is the second or more language you add, simply copy everything from the first file starting at to and paste it at the end of the userDefineLang.xml right before
6. Save the newly improved userDefineLang.xml

Reference: http://notepad-plus.sourceforge.net/uk/download.php

Now my implementation is quite simple at this stage: I’ve copied all the top-level commands, i.e. anything from an initial “?” such as “show”, but I haven’t gone through grabbing level-two commands such as “run” as in “show run”. I have however added the most common level-two commands so you should see something useful.

Comments or improvements welcome :cool:

Allowing RFC1918 – 192.168, 10., 172.16-32 addresses with NoScript

I’ve recently installed the Firefox add-on NoScript to improve my online security.

One of the things that’s been a little frustrating has been having to manually accept/whitelist internal 192.168.1.1-type addresses. After a fruitless google, I’ve managed to find the answer here in the NoScript forum.

There is one major limitation and that is the NoScript whitelist only accepts entries of more than one byte; this means that you cannot whitelist the whole of 10.*.*.* (10/8) as inputting 10. is only one byte. On the upside you can however whitelist a whole /16 (255.255.0.0) subnet, which works out nicely for the 192.168.0.0/16 set of addresses, but for the 10s & 172s you’re a bit stuffed.

Now you may find that when you try to whitelist 10.123.0.0/16 you have issues; I know I did! The trick is to read the forum post carefully. If you want to whitelist 10.123.0.0 through 10.123.255.255 then add the following:

http://10.123

https://10.123

That should allow both HTTP & SSL traffic to all those internal addresses to be permitted by NoScript!
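Added example (mine, not from the NoScript forum): a Python helper that turns an IPv4 CIDR into whitelist entries in the http://10.123 form above, splitting the range at octet boundaries. It goes beyond the post in one way: a /12 or /8 that cannot be entered as a single line is expanded into the set of two-octet entries that cover it (256 per scheme for 10/8), so the 10s and 172s become reachable at the cost of a long list. That the same octet-prefix form is accepted for /24 and single-host entries is an assumption.

```python
import ipaddress
from typing import List, Sequence


def noscript_entries(cidr: str, schemes: Sequence[str] = ("http", "https")) -> List[str]:
    """Whitelist entries for an IPv4 range, in the octet-prefix form from the forum post.

    Entries are leading octets of the address, so the range is split to the nearest
    octet boundary: /1-/16 become two-octet entries (e.g. http://10.123), /17-/24
    three-octet entries and anything longer full host addresses. A /8 therefore
    expands to 256 entries per scheme, which is how to get round the one-byte limit."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("NoScript octet prefixes only make sense for IPv4")
    if net.prefixlen <= 16:
        boundary = 16
    elif net.prefixlen <= 24:
        boundary = 24
    else:
        boundary = 32
    octets = boundary // 8
    entries: List[str] = []
    for subnet in net.subnets(new_prefix=boundary):   # one entry pair per covering block
        prefix = ".".join(str(subnet.network_address).split(".")[:octets])
        entries.extend(f"{scheme}://{prefix}" for scheme in schemes)
    return entries


def rfc1918_entries() -> List[str]:
    """All three private ranges from the post title: 192.168/16 is one pair of entries,
    172.16/12 needs 16 pairs and 10/8 needs 256, so the list has 2 * (1 + 16 + 256) items."""
    out: List[str] = []
    for cidr in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"):
        out.extend(noscript_entries(cidr))
    return out
```

Whitelisting whole private ranges means every script on every internal host runs unprompted, so keep the list to the subnets you actually use.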

Dear googler, I hope this was of some help :)