LINICKX.com

Is your firewall Team from Venus?

Nick Bettison — Sun, 02 Feb 2020 20:26:00 +0000

Something a little different for my site; this post is a soft-skill article. In job listing, or development plans its really common for Technical roles to include a soft skills component and I had kinda assumed it was filler content, how hard is it to talk to people?! A couple of years ago I moved from Consultancy into an Internal Operational role, and now, ok I get it, it's that old saying Men from Mars, Women from Venus but with like 7 Layers of OSI complication!

I have something like 15years experience working with firewalls in large enterprise, it's a tricky topic, if you cannot communicate your requirements to the firewall team the chances are you application/solutions/service just isn't going to work, after all as Scott Adams has portrayed in Dilbert, everyone blames the firewall.

Firewalls are everywhere, and even though the security industry likes to argue that they are becoming less and less effective I'm confident they're not going away any time soon, so here are my tips:

1. Do not forward (copy/paste) vendor documentation

If I had a £$ for every time I get forwarded this Microsoft document I'd be a millionaire, forwarding the documentation verbatim is the quickest way to get yourself at the bottom of someones's todo list or land you in the SLA trap where the minimum gets done on your ticket to keep the timer green.

Communication requires consideration, throwing a document you haven't read at another team is showing you don't value their time/effort

Remember:

Everyone is busy! The simplest and most complete requests will be implemented quickest, all operations teams have this issue, it is not unique to firewalls.
The firewall team do not know anything about your application/solution/service, but are accountable for the security; help them to help you, reduce friction by having information up front.
You are making the request for Your Application, You should take the time to read and understand the documentation so that you can present the firewall change accurately and make it is simple as possible.

2. Presentation is everything

Always format your communication for your audience, powerpoint for Execs, spreadsheets for finance, for firewalls it's tables.

Large organisation will/probably/maybe have a template to follow for change requests, don't deviate from that, seriously if your firewall team has a template use it! Arguing yours is better is futile, firewalls form part of a compliance chain, auditors tick boxes your rockstar form won't tick the box; if you think you can improve the process or add value, speak to the Security Officer.

Formal documentation such as High Level (HLD) or Low Level Designs (LLD) might be a bit more fluid, here are some hints to make it easy to read and understood.

Arrows like -> should not be used in formal documentation, unless in a flow diagram, don't do it, from my experience I know it leads to mistakes. Something like 10.1.1.1 -> 192.168.1.1 on port 22 is fine for an email or instant message but for documentation use a table (or spreadsheet):

Source Name | Source IP    | Destination Name | Destination IP | Service Name | Protocol | Port | Comment
------------|--------------|------------------|----------------|--------------|----------|------|---------
VLAN11      | 10.10.0.0/24 | WebServer01      | 192.168.168.1  | HTTPS        | TCP      | 443  | Intranet
AdminPC     | 10.1.0.1     | WebServer01      | 192.168.168.1  | SSH          | TCP      | 22   | Admin Access

Use the above table format, give IP addresses names (use the FQDN if possible), the FW team will instantly recognise what needs to be done; a table like this is both simple to read and complete and will put you top of anyone's todo list.

If you have a large design document, I recommend the firewall table (communications matrix) being a summary/appendix of all the required flows as picking rules from disparate sections will only lead to tears.

3. Direction, know which way to go

On a firewall direction is really, really important. Your communication needs to demonstrate you know which way traffic is going and what your expectations are of the firewall.

Firewalls process traffic as it arrives, from a source IP to a destination IP. Your request needs to show which IP addresses are the client (source) and which IP address are the server (destination)... DO NOT bung in both directions to be "safe" when you don't need it, it just shows that you don't know what you are requesting, it's a common red flag for rule approvers/implementer.

For example, A laptop accessing a web site on HTTPS, needs TCP/443 to the server (web site) only. You do not need TCP/443 from the server (web site) to the client (laptop). Take time when digesting the vendor documentation to understand the direction of traffic flow.

Modern Firewall are smart when it comes to TCP and common applications; unless your traffic is media (voice/video) you typically don't need to worry about the random high port source, focus your effort on the destination port, get the direction right and your app will work.

(Media traffic is the devil, ask the firewall team for their recommendations prior to submitting your request)

4. Choose Secure

Most vendor documentation includes protocol choices, HTTP vs HTTPS for example. As the Firewall Team are responsible/accountable for security, you'll make friends with the security teams if you pick the secure protocol, forming strong relationships with other teams is a valuable skill.

If you are unclear, secure in this instance is encrypted. So:

HTTPS (not HTTP)
SSH (not Telnet)
FTPs (FTP with SSL is better than plain old FTP)
LDAPS (LDAP with SSL is better than plain old LDAP)
etc, etc.. if in doubt pick "s" ;-)

Thanks to the dangers of Privacy/GDPR most organisations are moving to a Secure by Design motto, the firewall team are tasked to help enforce that.

5. Firewalls are everywhere

In a large enterprise there is going to be more than one firewall. Some organisations will add a column to their request tables to record which flow (rule) belongs to which firewall others will want a table per firewall.

If your environment is large/complicated, typically you'll find different firewalls for management, production traffic or testing. Keep the communication flowing with the firewall team to find out what you need to know/do before submitting a 100 rules, it'll save you all time!

Some firewall language

To finish, here is some further firewall language to help you on your way:

Security Policy - A document that tells the firewall guy what he can and cannot allow through the firewall
Firewall Policy - The complete set of rules implemented on a single firewall
Firewall Rule - A line in the FW policy that contains, source, destination, service. The exact content of the line may vary by vendor.
Flow - Firewall Flow / Network Flow / Traffic flow. All used interchangeably, it means the path taken from the source to the destination, a flow might touch one or many firewalls
Communications Matrix - All of the rules required for an application or service that need to be implemented into an existing firewall policy

/End

Hopefully this is of help to someone, comments via twitter are welcomed; would you like to see more of this kind of thing?

2019: The Missing Year

Nick Bettison — Wed, 01 Jan 2020 16:11:00 +0000

2019 has taught me a new appreciation for stale websites; over the last year or two having/making time available to publish content has gotten tricky for me, so now when going about my usual Internet day, when I come across a site that hasn't been updated in a while I wonder "what has changed in their life" ?

I expect this year to be just as crazy, but with a little change in direction I'm hopeful to get some additional content up, you never know I might help someone! My github account has seen a couple of updates over the last year that could have been blog worthy...:

snsync

snsync is a personal project for keeping text copies of Simplenote locally, (find an intro to snsync here). has had a couple of updates in 2019:

A major library update
A bug fix that was accidentally removing tags

I use this project everyday so if you're a Simplenote users give it a whirl!

Docker Python containers

Python scripts can fix the world ;-) but dependency management doesn't get any better so I'm sharing some potentially useful containers:

docker-python-alpine-dnspython : With python2 now EOL running old libraries is going to be more challenging, this container boots an Apline (python2) image with dnspython installed
docker-python-alpine-easysnmp: Another apline image, this one with Python3 running easysnmp useful for automating snmp sweeps when bash & snmp-utils just isn't enough!

Of course, you shouldn't run random containers from the internet, please check out the Dockerfiles to see what they really do!

checking if python is running via ssh

Nick Bettison — Mon, 30 Nov 2015 16:19:00 +0000

Sometimes it's nice when something is much easier than you expected. I have a few cobbled together python scripts for speeding things up, one in particular I have on my home pc which I wanted to work out if am I running it locally or if I have SSH'd in... below is the surprising simple example!

#!/usr/bin/env python

import os

try:
    os.environ["SSH_TTY"]
    print("SSH Connection Detected")
except:
    print("Running Locally")

You could also test the SSH_CLIENT variable as well, but this was good enough for me.

Enjoy!

Good bye WordPress, Hello Pelican !

Nick Bettison — Fri, 13 Feb 2015 12:05:00 +0000

After 10 happy years as a WordPress user, yesterday I switched my site over to pelican.

WordPress is awesome I'd recommend it to anyone, however over the last year I've become increasing frustrated with my sites stability; I've been pretty pleased with the average response time but it wouldn't take much to exhaust my cloud servers CPU. (I've tried pretty much every caching technique and couldn't find a perfect fix)

For anyone else that is embarking on this transition and having issues with pelican-import, I advise opening your posts.xml in Vi scroll through and look for any dodgey looking characters and remove them.

Making my new pelican site look "exactly" like my old site has been a labour of love so I have published some of my fixes online.

FEED URLS

In WordPress I had pretty URLs for Feeds like /feed, /feed/atom and /tag/security/feed. I found that feeds were limited to files in Pelican and did not support a nested structure. To fix this I have proposed a pull-request on github, I guess we'll see if it gets accepted.

URL Rewriting

This Pelican is a bit of an experiment to ease regression I want to leave my WordPress config completely untouched, therefore I have migrated from Apache to Nginx. I've not used nginx before, so it's been a bit of a learning curve if you're having problems with rewriting maybe my config can help?

Theme

The pelican LINICKX theme is now based on bootstrap.

Pelican Config

Tying it all together, nginx, pelican, etc takes a little effort... example pelicanconf.py and publishconf.py are on github.

To Do

There's still loads for me to fix, I've replaced all teh [gallery] tags but I know there's plenty of [caption] tags to remove.
I haven't yet worked out how I'm going to handle image resize/upload in a neat and tidy way, in fact my whole write & publish workflow needs a bit of thought. BUT this first pelican post, written in atom has gone well, so only time will tell!

SPAM from China

nick — Sun, 23 Nov 2014 13:07:00 +0000

I just wanted to let you know that I am aware that some botnet is attempting to use my domain name for SPAM.

LINICKX.com (& .co.uk) are both configured with SPF, DKIM and have valid DMARC records.

As you can see from my dmarcian report, I am requesting that all SMTP/Mail servers reject any message which has not authenticated itself, if you are receiving mail, please update your server to respect this.

I have attempted to contact the owners of the addresses sending the SPAM, according to dmarcian they are all in china... I even used google translate to translate the mail ;)

Unfortunately the mailboxes for the abuse email addresses are bouncing (probably full) and are rejecting mail.

If you think I've missed something, and you have any advise feel free to use my contact page.

Installing Paramiko (Python and PIP) on Windows

nick — Fri, 15 Aug 2014 12:25:00 +0100

Following the release of crassh; the 1st FAQ was, great how do I make this work on windows?

Steps as follows:

Download and install Visual Studio C++ 2008 Express Edition
(do not install SQL)
Install Python 2.7.8 - Select the correct MSI for your architecture
Download get-pip.py (Don't use Internet Explorer it will mangle the file; use Firefox to download.)
Open an Administrator command prompt and run "c:\Python27\python.exe get-pip.py"
From the same admin prompt, run "C:\Program Files\Microsoft Visual Studio 9.0\Common7\Tools\vsvars32.bat" (for 32bit machines... or for 64bit machines, run "C:\Program Files (x86)\Microsoft Visual Studio 9.0\Common7\Tools\vsvars64.bat"
From the same admin prompt, run "c:\Python27\Scripts\pip install paramiko"

And you're done!

#REF: http://stackoverflow.com/questions/2817869/error-unable-to-find-vcvarsall-bat

Cisco ASA - inc - regex examples

nick — Thu, 01 May 2014 17:28:00 +0100

I use stuff like show run | inc abc all the time but I've never really dabbled with plumbing regex through it, I played a little today. Here's a couple of examples you might find useful:

Look for either https or www in an access-list

FW01/pri/act# show run access-list inside | inc (https|www) 
access-list inside extended permit tcp object inside any4 eq www 
access-list inside extended permit tcp object inside any4 eq https

Look for either 10.10.1.91 or 10.10.1.92 in an access-list

FW01/pri/act# show access-list inside | inc 10.10.1.(91|92)
  access-list inside line 8 extended permit udp host 10.10.1.91 host 10.1.2.199 eq 1001 (hitcnt=0) 0xd0cd20cd 
  access-list inside line 8 extended permit udp host 10.10.1.91 host 10.1.2.200 eq 1001 (hitcnt=0) 0xf94e6d62 
  access-list inside line 8 extended permit udp host 10.10.1.92 host 10.1.2.199 eq 1001 (hitcnt=0) 0x0bced66c 
  access-list inside line 8 extended permit udp host 10.10.1.92 host 10.1.2.200 eq 1001 (hitcnt=0) 0x9ceae405

There's loads that can be done, google is your friend.

Using bootstrap on Cisco ISE

nick — Sun, 15 Sep 2013 11:55:00 +0100

ISE 1.1 had horrible web portals which didn't render well on mobile devices at all (which was odd for a BYOD solution), anyway, Cisco have fixed that now in 1.2 with the ability to enable a mobile version... but what if you want something totally custom that works well both on desktops and mobile?

Enter bootstrap!

The trick to getting this working is know the correct paths for the stylesheets so to make things easy I have created a gitgub project called ise-bootstrap. To get started create a custom portal with the name myportal and upload the files. Change your authz result to point an the new file and enjoy the responsive goodness!

Here are some 1.1 screenshots of me creating the portal, the process is pretty similar in 1.2 - I will upload some newer screenshots at some point!

The only gotcha to be aware of are the Glyphicons, if you want to use those then you need to customise the bootstrap download so that it matches the name of your portal.

This is the end result...

If you get stuck, there is a README which compliments this blog post.

Cisco.com & Wget

nick — Thu, 25 Apr 2013 18:20:00 +0100

Ever since cisco updated their website (you know like, a year ago), I've struggled to find a way to wget software onto a box.

This week, I found a bodge using firefox. Sign into cisco.com and go through the normal process, accepting agreements and begin the download.

Once the download starts, pause it... right click and copy the download link:

[caption id="attachment_3875" align="aligncenter" width="300"] Copy link from downloads[/caption]

Then from your terminal/linux box, you can paste the url into wget:

wget -O ise-1.1.3.124.i386.iso "https://secure-us.esd.cisco.com/files/swc/sec/4_SDSP_59/bah/bah/ha?uid=linickxdotcom&key=go"

Quick gotcha alert, the link you paste must be in speachmarks/double quotes or the full url will not paste correctly.

Test post from iPhone

nick — Sun, 04 Nov 2012 18:09:00 +0000

Hello, yes I have an iPhone and yes this is a test... Move along, nothing to see here. 😀