Juniper (JunOS) SRX’s support ssh public key authentication.
nick> show configuration system login | display set set system login user nick uid 2001 set system login user nick class super-user set system login user nick authentication ssh-rsa "PASTE_KEY" nick>
No-one likes to type passwords!
Recently a colleague pointed me at the following Blue Coat KB about NTLM issues as basically the iPhones on the corp network were getting multiple authentication challenges even though the username & password are saved in the connection profile!
To resolve we created a second authentication realm on the bluecoat with Kerberos & NTLM authentication disabled ( i.e. only basic auth), we then created an authentication rule which matches user agent strings and authenticates against the new basic-only realm. Below is some command lines to point you in the right direction:
!- BEGIN authentication security iwa create-realm uk 10.10.10.10 16101 security iwa edit-realm uk ;mode alternate-server 10.10.10.11 16101 exit security iwa create-realm ukBasicAuth 10.10.10.10 16101 security iwa edit-realm ukBasicAuth ;mode alternate-server 10.10.10.11 16101 credentials-kerberos disable credentials-ntlm disable exit
I should point out that the KB is out of date; upon implementing we noticed a lot of windows users getting unwanted authentication challenges therefore I suggest you only match against iphone & ipad… in-fact I stuck Macintosh in as well and my macbook is getting less challenges too!
Enjoy the CPL goodness below!
;; Description: BlueCoat KB4741
define condition __CondList1BasicUserAgents
request.header.User-Agent="iphone"
request.header.User-Agent="ipad"
request.header.User-Agent="Macintosh"
request.header.User-Agent="CFNetwork"
end condition __CondList1BasicUserAgents
define condition BasicUserAgents
condition=__CondList1BasicUserAgents
end condition BasicUserAgents
<Proxy>
condition=BasicUserAgents authenticate(ukBasicAuth) authenticate.force(no) authenticate.mode(proxy) ; KB4741
authenticate(uk) authenticate.force(yes) authenticate.mode(proxy) ; All Internet Traffic
I’ve google’d and I cannot find a way of creating a firewall range style object in an ASA, you know the kind of thing whereby you want to allow IP addresses 192.168.1.10 thru 192.168.1.20 in an ACL.
In my frustration I have given up and created a shell script which converts a CSV into an ASA output, simply create a two column CSV with Col A containing your starting IP and Col B containing you end IP.
The script is a recursive loop so should support large outputs such as 10.1.2.10 to 10.2.1.20 howvere I’m not actually sure you’d want that in your firewall config but I wrote the computability for the fun it!
Have fun, click “more” below if you can’t see the script!
I’ve had an idea, whether it’s a good one or not is yet to be seen; one of the big issues to cloud application and servers is encryption key management, there is a simple chicken n egg issue, if the secret key is on the server/application then it’s a vector to be attacked if the key isn’t then usability issues exist.
My idea is a CA / DH kinda thing, what if the actual key used for encryption was derived from the cloud it’s self, the basic premise is adding an extra layer to be compromised in order for an attacker to decypt the data.
Using RedHat’s new OpenShift service I’ve knocked up a demo -> secretkey-linickx.rhcloud.com. The demo is over HTTP (not HTTPS) so You wouldn’t use the demo in production probably because you do not trust me but I’ve pushed the code to github -> github.com/linickx/secretkey for users/dev/people/someone to take a copy and have a play.
Comments welcome, Pull requests preferred!
2011-07-26 UPDATE: Openshift has SSL termination, HTTPS does work, however as seen in my commit log the PHP cannot detect it as the SSL is being handled by a proxy.
I’ve just used this little gem to recover files off a memory card… awesome!
PhotoRec is file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media’s file system has been severely damaged or reformatted.
PhotoRec is free – this open source multi-platform application is distributed under GNU General Public License.
People receiving scam emails are urged to forward them on to email@actionfraud.org.uk.
Reference: http://www.actionfraud.org.uk/help-disrupt-fraudsters-by-reporting-scam-emails-feb11
My how to get ACS 5.1 running in VirtualBox is one of my more popular posts; recently I was asked if 5.2 would work, the answer is yes!
I’ve posted an updated ks.cfg … if you compare it to the old one the only real difference is an updated set of version numbers, all the other instructions are exactly the same….well, except now centos 4.7 can be found in the vault 
Next I plan to see if I can make this work in EC2 as I recon a cloud based ACS server would be pretty cool, wish me luck and enjoy the 5.2 goodness!
So it turns out my 5 minute vpn doesn’t work in EC2 because the ESP/AH protocols (50 and 51) are blocked on the AWS network.
This is no big deal tho, as NAT-T allows one to tunnel IPSEC over UDP… however getting it to work on CentOS required a bit of a hack.
If you have already tried setting up an IPSEC vpn, shut it down with ifdown ipsec1 and remove your /etc/racoon/192.168.56.101.conf (or whatever IP yours is).
To start the hack on BOTH boxes, you need to edit /etc/sysconfig/network-scripts/ifup-ipsec. Around line 215 you need to insert nat_traversal force;… like this….
BEFORE:
case "$IKE_METHOD" in
PSK)
cat >> /etc/racoon/$DST.conf << EOF
my_identifier address;
proposal {
encryption_algorithm $IKE_ENC;
hash_algorithm $IKE_AUTH;
authentication_method pre_shared_key;
dh_group $IKE_DHGROUP;
}
}
AFTER:
case "$IKE_METHOD" in
PSK)
cat >> /etc/racoon/$DST.conf << EOF
my_identifier address;
nat_traversal force;
proposal {
encryption_algorithm $IKE_ENC;
hash_algorithm $IKE_AUTH;
authentication_method pre_shared_key;
dh_group $IKE_DHGROUP;
}
}
Again, on both boxes update your /etc/sysconfig/network-scripts/ifcfg-ipsec1 files so that AH is disabled… because AH doesn’t like NAT… like this….
[root@CentOS2 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ipsec1 DST=192.168.56.101 TYPE=IPSEC ONBOOT=yes IKE_METHOD=PSK AH_PROTO=none [root@CentOS2 ~]#
On your iptables policy make sure that UDP 500 and UDP 4500 are permitted and volia.
# tcpdump -n -i eth1 port not 22 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes 20:26:49.257590 IP 192.168.56.101.ipsec-nat-t > 192.168.56.102.ipsec-nat-t: UDP-encap: ESP(spi=0x08de7c32,seq=0xa), length 116 20:26:49.261076 IP 192.168.56.102.ipsec-nat-t > 192.168.56.101.ipsec-nat-t: UDP-encap: ESP(spi=0x03787bd0,seq=0xa), length 116 20:26:50.260942 IP 192.168.56.101.ipsec-nat-t > 192.168.56.102.ipsec-nat-t: UDP-encap: ESP(spi=0x08de7c32,seq=0xb), length 116 20:26:50.262939 IP 192.168.56.102.ipsec-nat-t > 192.168.56.101.ipsec-nat-t: UDP-encap: ESP(spi=0x03787bd0,seq=0xb), length 116 20:26:51.261298 IP 192.168.56.101.ipsec-nat-t > 192.168.56.102.ipsec-nat-t: UDP-encap: ESP(spi=0x08de7c32,seq=0xc), length 116 20:26:51.264974 IP 192.168.56.102.ipsec-nat-t > 192.168.56.101.ipsec-nat-t: UDP-encap: ESP(spi=0x03787bd0,seq=0xc), length 116 20:26:52.262289 IP 192.168.56.101.ipsec-nat-t > 192.168.56.102.ipsec-nat-t: UDP-encap: ESP(spi=0x08de7c32,seq=0xd), length 116 20:26:52.265488 IP 192.168.56.102.ipsec-nat-t > 192.168.56.101.ipsec-nat-t: UDP-encap: ESP(spi=0x03787bd0,seq=0xd), length 116 20:26:53.264008 IP 192.168.56.101.ipsec-nat-t > 192.168.56.102.ipsec-nat-t: UDP-encap: ESP(spi=0x08de7c32,seq=0xe), length 116 20:26:53.267003 IP 192.168.56.102.ipsec-nat-t > 192.168.56.101.ipsec-nat-t: UDP-encap: ESP(spi=0x03787bd0,seq=0xe), length 116 20:26:54.265655 IP 192.168.56.101.ipsec-nat-t > 192.168.56.102.ipsec-nat-t: UDP-encap: ESP(spi=0x08de7c32,seq=0xf), length 116 20:26:54.267264 IP 192.168.56.102.ipsec-nat-t > 192.168.56.101.ipsec-nat-t: UDP-encap: ESP(spi=0x03787bd0,seq=0xf), length 116 20:26:55.267459 IP 192.168.56.101.ipsec-nat-t > 192.168.56.102.ipsec-nat-t: UDP-encap: ESP(spi=0x08de7c32,seq=0x10), length 116 20:26:55.269678 IP 192.168.56.102.ipsec-nat-t > 192.168.56.101.ipsec-nat-t: UDP-encap: ESP(spi=0x03787bd0,seq=0x10), length 116 14 packets captured 14 packets received by filter 0 packets dropped by kernel #
IPSEC VPN Tunnelling over UDP…. done!
I’m looking at running two servers on EC2; as we all know the most important thing about running services in the cloud is encryption!
Whilst googling on how to setup a host-to-host IPSEC VPN I was surprised at how easy it is…
On Host1 (192.168.56.101)…
[root@CentOS1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ipsec1 DST=192.168.56.102 TYPE=IPSEC ONBOOT=no IKE_METHOD=PSK [root@CentOS1 ~]# [root@CentOS1 ~]# cat /etc/sysconfig/network-scripts/keys-ipsec1 IKE_PSK=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx [root@CentOS1 ~]# [root@CentOS1 ~]# ifup ipsec1
On host2 (192.168.56.102)…
[root@CentOS2 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ipsec1 DST=192.168.56.101 TYPE=IPSEC ONBOOT=no IKE_METHOD=PSK [root@CentOS2 ~]# [root@CentOS2 ~]# cat /etc/sysconfig/network-scripts/keys-ipsec1 IKE_PSK=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx [root@CentOS2 ~]# [root@CentOS2 ~]#ifup ipsec1
… done!!!
[root@CentOS1 ~]# tcpdump -n -i eth1 host 192.168.56.102 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes 09:46:37.306292 IP 192.168.56.101 > 192.168.56.102: AH(spi=0x0aff2b10,seq=0x203): ESP(spi=0x00a0a3cc,seq=0x203), length 84 09:46:37.310197 IP 192.168.56.102 > 192.168.56.101: AH(spi=0x09f82154,seq=0x203): ESP(spi=0x098f0ff9,seq=0x203), length 68 09:46:38.175048 IP 192.168.56.101 > 192.168.56.102: AH(spi=0x0aff2b10,seq=0x204): ESP(spi=0x00a0a3cc,seq=0x204), length 84 09:46:38.179017 IP 192.168.56.102 > 192.168.56.101: AH(spi=0x09f82154,seq=0x204): ESP(spi=0x098f0ff9,seq=0x204), length 68 09:46:39.313583 IP 192.168.56.101 > 192.168.56.102: AH(spi=0x0aff2b10,seq=0x205): ESP(spi=0x00a0a3cc,seq=0x205), length 84 09:46:39.316427 IP 192.168.56.102 > 192.168.56.101: AH(spi=0x09f82154,seq=0x205): ESP(spi=0x098f0ff9,seq=0x205), length 68 6 packets captured 6 packets received by filter 0 packets dropped by kernel [root@CentOS1 ~]#
Now this is a simple IKE pre-shared key vpn, you might want to google for using certificates for stronger authentication, you can also edit /etc/racoon/racoon.conf to change your IPSEC parameters.
Reference: http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-vpn.html
UPDATE: To make this work in EC2, you need to enable NAT-T see my hack here!
I’m installing Cisco Secure Desktop (CSD) for a customer and needed to re-test the installation process. Within internet explorer’s (IE Version 7 & 8 ) managed add-on feature, I noticed that the CSD ActiveX Control doesn’t have an uninstall feature.
To remove the control I had to close IE, browse to…
C:\Windows\Downloaded Program Files
..and remove the following files..
CSDWebInstaller.inf CSDWebInstaller.ocx
When re-starting IE the control was gone and I could test the re-install, I hope this helps some other googler! 
OSSEC is my favourite linux HIDS however now that I’m running a SELINUX secured web server I noticed that my active responses were not working after a reboot.
After enabling SELINUX, I started getting alerts about the following problem in my messages file….
Nov 11 12:16:22 amy kernel: type=1400 audit(1289477782.569:8): avc: denied { read write } for pid=2551 comm="iptables" path="socket:[5261]" dev=sockfs ino=5261 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_dgram_socket
This appears to be ossec trying to update iptables, but failing as they’re in different contexts… now I’m no selinx expert but this CentOS Wiki Page helped… run the following command which will create osseciptables.pp in the current directtory…
root@amy# grep iptable /var/log/messages | audit2allow -M osseciptables
This creates a new binary module that can be installed with….
/usr/sbin/semodule -i osseciptables.pp
You can view current selinux modules with …
/usr/sbin/semodule -l
If you want to see what is being created by audit to allow, try the following…
root@amy# grep iptable /var/log/messages | audit2allow -m osseciptables
module osseciptables 1.0;
require {
type iptables_t;
type initrc_t;
class unix_dgram_socket { read write };
}
#============= iptables_t ==============
allow iptables_t initrc_t:unix_dgram_socket { read write };
root@amy#
I hope this helps some future googler!
I’ve just spotted this in the Cisco ASA 8.3 release notes…
You can now configure access rules that are applied globally, as well as access rules that are applied to an interface. If the configuration specifies both a global access policy and interface-specific access policies, the interface-specific policies are evaluated before the global policy.
The following command was modified: access-group global
For users/companies which have migrated from Check Point to Cisco (usually to save on licensing fees), getting their head around a new interface level policy rather than a system (global) level is usually a bit of a challenge.
I’m looking forward to seeing if this really helps with policy migrations!
Fortinet FCNSP
Firewalls will always be a key ingredient to network security, but not all firewalls are equal. Recently I’ve been forced into documenting how I decide & think about firewall rules…
Strict Firewalling
IMO Strict Firewalling is the traditional way to implement your traffic policies (ACLS), each rule should be as tight as possible… the idea of “any” should not be used at all and ranges should be kept at a minimum; hosts better than subnets, source and destination IPs restricted, specific TCP ports (not ranges) used.
Service Led Firewalling
A term I think I made up, Service Led Fierwalling is where you relax the ACL/policy at the source… to host a DNS Zone you need to allow “anyone” to perform lookups so Strict Firewalling cannot be applied here but you do know the destination and the service so both of these should be defined/restricted as appropriate… you see what I mean here the policy is defined by the “service” provided.
Open Firewalling
Possibly a contradiction in terms but bare with me; there are some instances whereby implementing a firewall provides little benefit, one example I’ve seen was a customer’s security officer wanted an internal firewall (i.e. no internet connection) in front of their Microsoft file server, in order for AD & MS clients to work properly all the MS ports had to be opened… so server guys continuously complained, what exactly is the firewall doing? What is Open Firewalling? It’s the process of implementing a black list followed by a white list, rather than the traditional permit then drop processing that a firewall does; I’d create a rule that Drops Prohibited applications (such as P2P or unencrypted protocols) and then create a policy permitting all ports from legitimate IP ranges.
When would I use these?
Your firewall should be broken into zones, each zone meets both security policy and business requirements, you should then apply a firewalling technique to each zone. For example it’s not uncommon to have a back-end database which should only ever be accessed by the front end application, therefore it could be in a zone protected by Strict Firewalling; public services such as websites/email servers require flexibility on their source thus require service led firewalling. Occasionally your business or application requirements suggest that firewalling impedes things, using open firewalling to “clean” traffic compromises “security people wanting firewalls” and any historical business/application issues… the firewall is there perhaps protecting against syn-flood attacks & as previously suggested blocking prohibited apps yet the business doesn’t see any traditional firewall headaches.
I don’t agree you fool!
That’s your choice, there’s no correct answer to security, the business you work in and the security policy mandated from senior management direct what you do, these are just my approaches