Checkpoint, Gaia, TACACS – two lines of config

If you have a checkpoint firewall, you probably know about Gaia… and if you have more than one firewall admin, you probably want to individually authenticate them to the operating system (as apposed to a encrypted file of usernames & passwords which get’s passed around the office)

 add rba role TACP-0 domain-type System all-features
 set aaa tacacs-servers authentication server 10.10.10.10 key mysecretkey

What you need to know about the above…

  • If a user can successfully authenticate by TACACS they become a super user, if you need different roles read up on “role based administration”, TACP-15 and the enable_tacacs command.
  • The config has been tested on Cisco ACS 5.4, the default TACACS “default device administration” profile works with no changes.
  • This is tacacs authentication only, authorization is handled by the local RBA.

sourcefire virtual sensor system requirements

I don’t know why but the system requirements for sourcefire‘s virtual sensor is burried in the wording of their datasheets… anyway saved here so ease of reference :)

Sensor

VMware ESX/ESXi 4.1/5.0 or Xen 3.3.2/3.4.2
at least one CPU
min 1GB RAM

Defence Centre

VMware ESX/ESXi 4.1/5.0 or Xen 3.3.2/3.4.2
at lest two CPU
min 2GB RAM

…hum, I wonder if they’re boot in virtualbox? ;)

[UPDATE]
The sensor provisions 50Gb of disk, and the manager 250Gb, the OVF supports thin disk provisioning so you don’t need all that storage on day1.

mod_security and WordPress with Commands in Permalinks (urls)

For a long while now, one of my oldest posts (nagios ping tool) returned a 403 error and I couldn’t work out why… a recent post about curl also fell foul of the same issue so I’ve been forced to work out why ;)

The main challenge that I faced was that I could not find any errors in my logs, apache’s error_logs were empty, varnish is not catching the error page and my mod_security debuglog didn’t show anything. Now there is clearly a 2do here, I need to look into my logging issues because the issue was mod_security!

modsecurity_crs_40_generic_attacks as a list of system rules which will deny access to commands, on my system ping & traceroute are indeed commands! Looking thru _crs_40 I can see that rule ID 950907 blocks curl, therefore I can create a simple location match to permit access to that page.

<LocationMatch "^/3659/my-lifestream-php-curl-ca-certificate-issues">
    SecRuleRemoveById 950907
</LocationMatch>

Traceroute and Ping are IDs 958837 & 958893 respectively. Going forward I could simply remove those IDs globally, but to be honest I don’t want to, I feel comfort with the restriction they begin… I will just have to be more careful with the titles I use on pages.

Hacking Cisco ISE UDI

ISE Virtual Machine that thinks it a CAM
The back story… you’ve deployed your ISE appliance and the world is great! Your management need you to make a change “right now” but that virtual machine in the lab you have been using for testing is 91 days old and the eval no longer works. You raise a case to get budget and a PO over to Cisco for a lab ISE appliance or license but this change is critical, if only there was a way to use your appliance license on your VM?

Perhaps you should log into your ISE appliance and make a note of the Product Identifier (PID), Version Identifier (VID) and the Serial Number (SN).

What you might want to do now is shutdown your ISE VM and mount the disk… I always have a CentOS server kicking around for this kind of thing, so if I was to do this, I would mount the ISE virtual disk as an extra disk that CentOS has access to.

From within CentOS you can use fdisk -l to view the hard drive partitions… When you’re hacking a VM you mount as many of the ISE partitions as you can (some will fail) to see what’s there. On my test machine /dev/sdb7 was the partition of interest as it had an /opt directory (cisco always install stuff in opt).

Inside mount-point/opt/system/bin/ you might find a file called cars_udi_util, that’s the puppy that the license is bound to.

What you might want to do is rename that file and replace it with something that always gives the “right” answer. Attached is cars_udi_util.txt, a shell script I have been testing, edit the top of the file and insert the PID/VID/SN you found earlier.

Now save the cars_udi_util.txt to mount-point/opt/system/bin/cars_udi_util, that’s right remember to remove the .txt!

Unmount the disk, shutdown Centos and boot up ISE.

Now I’ve been hacking my machine and after this change the services wouldn’t start (show application status ise) to fix that I ran application reset-config ise from the ISE CLI Shell, rebooted and Voila! …The machine booted up with a blank default config.

After changing the default admin password (from cisco) it would now be possible for you to use your proper appliance license on your VM… of course this is only a temporary thing and I fully expect & recommend you undo these changes as soon as your new license arrives from Cisco.

Happy Hacking!

password-less ssh login to JunOS

Juniper (JunOS) SRX’s support ssh public key authentication.

nick> show configuration system login | display set 
set system login user nick uid 2001
set system login user nick class super-user
set system login user nick authentication ssh-rsa "PASTE_KEY"
nick> 

No-one likes to type passwords!

Blue Coat Proxy, iPhone’s multiple authentication issues.

Recently a colleague pointed me at the following Blue Coat KB about NTLM issues as basically the iPhones on the corp network were getting multiple authentication challenges even though the username & password are saved in the connection profile!

To resolve we created a second authentication realm on the bluecoat with Kerberos & NTLM authentication disabled ( i.e. only basic auth), we then created an authentication rule which matches user agent strings and authenticates against the new basic-only realm. Below is some command lines to point you in the right direction:

!- BEGIN authentication
security iwa create-realm uk 10.10.10.10 16101
security iwa edit-realm uk ;mode
alternate-server 10.10.10.11 16101
exit
security iwa create-realm ukBasicAuth 10.10.10.10 16101
security iwa edit-realm ukBasicAuth ;mode
alternate-server 10.10.10.11 16101
credentials-kerberos disable
credentials-ntlm disable
exit

I should point out that the KB is out of date; upon implementing we noticed a lot of windows users getting unwanted authentication challenges therefore I suggest you only match against iphone & ipad… in-fact I stuck Macintosh in as well and my macbook is getting less challenges too!

Enjoy the CPL goodness below!

;; Description: BlueCoat KB4741
define condition __CondList1BasicUserAgents
        request.header.User-Agent="iphone"
        request.header.User-Agent="ipad"
        request.header.User-Agent="Macintosh"
        request.header.User-Agent="CFNetwork"
end condition __CondList1BasicUserAgents

define condition BasicUserAgents
        condition=__CondList1BasicUserAgents
end condition BasicUserAgents

<Proxy>
        condition=BasicUserAgents authenticate(ukBasicAuth)  authenticate.force(no) authenticate.mode(proxy)    ; KB4741
        authenticate(uk)  authenticate.force(yes) authenticate.mode(proxy)      ; All Internet Traffic

Secret Keys for the Cloud

I’ve had an idea, whether it’s a good one or not is yet to be seen; one of the big issues to cloud application and servers is encryption key management, there is a simple chicken n egg issue, if the secret key is on the server/application then it’s a vector to be attacked if the key isn’t then usability issues exist.

My idea is a CA / DH kinda thing, what if the actual key used for encryption was derived from the cloud it’s self, the basic premise is adding an extra layer to be compromised in order for an attacker to decypt the data.

Using RedHat’s new OpenShift service I’ve knocked up a demo -> secretkey-linickx.rhcloud.com. The demo is over HTTP (not HTTPS) so You wouldn’t use the demo in production probably because you do not trust me but I’ve pushed the code to github -> github.com/linickx/secretkey for users/dev/people/someone to take a copy and have a play.

Comments welcome, Pull requests preferred!

2011-07-26 UPDATE: Openshift has SSL termination, HTTPS does work, however as seen in my commit log the PHP cannot detect it as the SSL is being handled by a proxy.

Cisco ACS 5.2 works in VirtualBox

My how to get ACS 5.1  running in VirtualBox is one of my more popular posts; recently I was asked if 5.2 would work, the answer is yes!

I’ve posted an updated ks.cfg … if you compare it to the old one the only real difference is an updated set of version numbers, all the other instructions are exactly the same….well, except now¬†centos 4.7 can be found in the vault :)

Next I plan to see if I can make this work in EC2 as I recon a cloud based ACS server would be pretty cool, wish me luck and enjoy the 5.2 goodness!

Cisco: Uninstalling the CSD ActiveX Control

I’m installing Cisco Secure Desktop (CSD) for a customer and needed to re-test the installation process. Within internet explorer’s (IE Version 7 & 8 ) managed add-on feature, I noticed that the CSD ActiveX Control doesn’t have an uninstall feature.

To remove the control I had to close IE, browse to…

C:\Windows\Downloaded Program Files

..and remove the following files..

CSDWebInstaller.inf
CSDWebInstaller.ocx

When re-starting IE the control was gone and I could test the re-install, I hope this helps some other googler! :cool:

SELINUX and OSSEC IPTables error

OSSEC is my favourite linux HIDS however now that I’m running a SELINUX secured web server I noticed that my active responses were not working after a reboot.

After enabling SELINUX, I started getting alerts about the following problem in my messages file….

Nov 11 12:16:22 amy kernel: type=1400 audit(1289477782.569:8): avc:  denied  { read write } for  pid=2551 comm="iptables" path="socket:[5261]" dev=sockfs ino=5261 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_dgram_socket

This appears to be ossec trying to update iptables, but failing as they’re in different contexts… now I’m no selinx expert but this CentOS Wiki Page helped… run the following command which will create osseciptables.pp in the current directtory…

root@amy# grep iptable /var/log/messages | audit2allow -M osseciptables

This creates a new binary module that can be installed with….

/usr/sbin/semodule -i osseciptables.pp 

You can view current selinux modules with …

/usr/sbin/semodule -l

If you want to see what is being created by audit to allow, try the following…

root@amy# grep iptable /var/log/messages | audit2allow -m osseciptables

module osseciptables 1.0;

require {
        type iptables_t;
        type initrc_t;
        class unix_dgram_socket { read write };
}

#============= iptables_t ==============
allow iptables_t initrc_t:unix_dgram_socket { read write };
root@amy#

I hope this helps some future googler!

Cisco ASA – First steps to a Check Point Style Policy

I’ve just spotted this in the Cisco ASA 8.3 release notes

You can now configure access rules that are applied globally, as well as access rules that are applied to an interface. If the configuration specifies both a global access policy and interface-specific access policies, the interface-specific policies are evaluated before the global policy.

The following command was modified: access-group global

For users/companies which have migrated from Check Point to Cisco (usually to save on licensing fees), getting their head around a new interface level policy rather than a system (global) level is usually a bit of a challenge.

I’m looking forward to seeing if this really helps with policy migrations!