Juniper (JunOS) SRX’s support ssh public key authentication.
nick> show configuration system login | display set set system login user nick uid 2001 set system login user nick class super-user set system login user nick authentication ssh-rsa "PASTE_KEY" nick>
No-one likes to type passwords!
Recently a colleague pointed me at the following Blue Coat KB about NTLM issues as basically the iPhones on the corp network were getting multiple authentication challenges even though the username & password are saved in the connection profile!
To resolve we created a second authentication realm on the bluecoat with Kerberos & NTLM authentication disabled ( i.e. only basic auth), we then created an authentication rule which matches user agent strings and authenticates against the new basic-only realm. Below is some command lines to point you in the right direction:
!- BEGIN authentication security iwa create-realm uk 10.10.10.10 16101 security iwa edit-realm uk ;mode alternate-server 10.10.10.11 16101 exit security iwa create-realm ukBasicAuth 10.10.10.10 16101 security iwa edit-realm ukBasicAuth ;mode alternate-server 10.10.10.11 16101 credentials-kerberos disable credentials-ntlm disable exit
I should point out that the KB is out of date; upon implementing we noticed a lot of windows users getting unwanted authentication challenges therefore I suggest you only match against iphone & ipad… in-fact I stuck Macintosh in as well and my macbook is getting less challenges too!
Enjoy the CPL goodness below!
;; Description: BlueCoat KB4741
define condition __CondList1BasicUserAgents
request.header.User-Agent="iphone"
request.header.User-Agent="ipad"
request.header.User-Agent="Macintosh"
request.header.User-Agent="CFNetwork"
end condition __CondList1BasicUserAgents
define condition BasicUserAgents
condition=__CondList1BasicUserAgents
end condition BasicUserAgents
<Proxy>
condition=BasicUserAgents authenticate(ukBasicAuth) authenticate.force(no) authenticate.mode(proxy) ; KB4741
authenticate(uk) authenticate.force(yes) authenticate.mode(proxy) ; All Internet Traffic
I’ve google’d and I cannot find a way of creating a firewall range style object in an ASA, you know the kind of thing whereby you want to allow IP addresses 192.168.1.10 thru 192.168.1.20 in an ACL.
In my frustration I have given up and created a shell script which converts a CSV into an ASA output, simply create a two column CSV with Col A containing your starting IP and Col B containing you end IP.
The script is a recursive loop so should support large outputs such as 10.1.2.10 to 10.2.1.20 howvere I’m not actually sure you’d want that in your firewall config but I wrote the computability for the fun it!
Have fun, click “more” below if you can’t see the script!
I’ve had an idea, whether it’s a good one or not is yet to be seen; one of the big issues to cloud application and servers is encryption key management, there is a simple chicken n egg issue, if the secret key is on the server/application then it’s a vector to be attacked if the key isn’t then usability issues exist.
My idea is a CA / DH kinda thing, what if the actual key used for encryption was derived from the cloud it’s self, the basic premise is adding an extra layer to be compromised in order for an attacker to decypt the data.
Using RedHat’s new OpenShift service I’ve knocked up a demo -> secretkey-linickx.rhcloud.com. The demo is over HTTP (not HTTPS) so You wouldn’t use the demo in production probably because you do not trust me but I’ve pushed the code to github -> github.com/linickx/secretkey for users/dev/people/someone to take a copy and have a play.
Comments welcome, Pull requests preferred!
2011-07-26 UPDATE: Openshift has SSL termination, HTTPS does work, however as seen in my commit log the PHP cannot detect it as the SSL is being handled by a proxy.
I’ve just used this little gem to recover files off a memory card… awesome!
PhotoRec is file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media’s file system has been severely damaged or reformatted.
PhotoRec is free – this open source multi-platform application is distributed under GNU General Public License.
People receiving scam emails are urged to forward them on to email@actionfraud.org.uk.
Reference: http://www.actionfraud.org.uk/help-disrupt-fraudsters-by-reporting-scam-emails-feb11
My how to get ACS 5.1 running in VirtualBox is one of my more popular posts; recently I was asked if 5.2 would work, the answer is yes!
I’ve posted an updated ks.cfg … if you compare it to the old one the only real difference is an updated set of version numbers, all the other instructions are exactly the same….well, except now centos 4.7 can be found in the vault 
Next I plan to see if I can make this work in EC2 as I recon a cloud based ACS server would be pretty cool, wish me luck and enjoy the 5.2 goodness!
I’m looking at running two servers on EC2; as we all know the most important thing about running services in the cloud is encryption!
Whilst googling on how to setup a host-to-host IPSEC VPN I was surprised at how easy it is…
On Host1 (192.168.56.101)…
[root@CentOS1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ipsec1 DST=192.168.56.102 TYPE=IPSEC ONBOOT=no IKE_METHOD=PSK [root@CentOS1 ~]# [root@CentOS1 ~]# cat /etc/sysconfig/network-scripts/keys-ipsec1 IKE_PSK=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx [root@CentOS1 ~]# [root@CentOS1 ~]# ifup ipsec1
On host2 (192.168.56.102)…
[root@CentOS2 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ipsec1 DST=192.168.56.101 TYPE=IPSEC ONBOOT=no IKE_METHOD=PSK [root@CentOS2 ~]# [root@CentOS2 ~]# cat /etc/sysconfig/network-scripts/keys-ipsec1 IKE_PSK=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx [root@CentOS2 ~]# [root@CentOS2 ~]#ifup ipsec1
… done!!!
[root@CentOS1 ~]# tcpdump -n -i eth1 host 192.168.56.102 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes 09:46:37.306292 IP 192.168.56.101 > 192.168.56.102: AH(spi=0x0aff2b10,seq=0x203): ESP(spi=0x00a0a3cc,seq=0x203), length 84 09:46:37.310197 IP 192.168.56.102 > 192.168.56.101: AH(spi=0x09f82154,seq=0x203): ESP(spi=0x098f0ff9,seq=0x203), length 68 09:46:38.175048 IP 192.168.56.101 > 192.168.56.102: AH(spi=0x0aff2b10,seq=0x204): ESP(spi=0x00a0a3cc,seq=0x204), length 84 09:46:38.179017 IP 192.168.56.102 > 192.168.56.101: AH(spi=0x09f82154,seq=0x204): ESP(spi=0x098f0ff9,seq=0x204), length 68 09:46:39.313583 IP 192.168.56.101 > 192.168.56.102: AH(spi=0x0aff2b10,seq=0x205): ESP(spi=0x00a0a3cc,seq=0x205), length 84 09:46:39.316427 IP 192.168.56.102 > 192.168.56.101: AH(spi=0x09f82154,seq=0x205): ESP(spi=0x098f0ff9,seq=0x205), length 68 6 packets captured 6 packets received by filter 0 packets dropped by kernel [root@CentOS1 ~]#
Now this is a simple IKE pre-shared key vpn, you might want to google for using certificates for stronger authentication, you can also edit /etc/racoon/racoon.conf to change your IPSEC parameters.
Reference: http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-vpn.html
UPDATE: To make this work in EC2, you need to enable NAT-T see my hack here!
I’m installing Cisco Secure Desktop (CSD) for a customer and needed to re-test the installation process. Within internet explorer’s (IE Version 7 & 8 ) managed add-on feature, I noticed that the CSD ActiveX Control doesn’t have an uninstall feature.
To remove the control I had to close IE, browse to…
C:\Windows\Downloaded Program Files
..and remove the following files..
CSDWebInstaller.inf CSDWebInstaller.ocx
When re-starting IE the control was gone and I could test the re-install, I hope this helps some other googler! 
OSSEC is my favourite linux HIDS however now that I’m running a SELINUX secured web server I noticed that my active responses were not working after a reboot.
After enabling SELINUX, I started getting alerts about the following problem in my messages file….
Nov 11 12:16:22 amy kernel: type=1400 audit(1289477782.569:8): avc: denied { read write } for pid=2551 comm="iptables" path="socket:[5261]" dev=sockfs ino=5261 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_dgram_socket
This appears to be ossec trying to update iptables, but failing as they’re in different contexts… now I’m no selinx expert but this CentOS Wiki Page helped… run the following command which will create osseciptables.pp in the current directtory…
root@amy# grep iptable /var/log/messages | audit2allow -M osseciptables
This creates a new binary module that can be installed with….
/usr/sbin/semodule -i osseciptables.pp
You can view current selinux modules with …
/usr/sbin/semodule -l
If you want to see what is being created by audit to allow, try the following…
root@amy# grep iptable /var/log/messages | audit2allow -m osseciptables
module osseciptables 1.0;
require {
type iptables_t;
type initrc_t;
class unix_dgram_socket { read write };
}
#============= iptables_t ==============
allow iptables_t initrc_t:unix_dgram_socket { read write };
root@amy#
I hope this helps some future googler!
I’ve just spotted this in the Cisco ASA 8.3 release notes…
You can now configure access rules that are applied globally, as well as access rules that are applied to an interface. If the configuration specifies both a global access policy and interface-specific access policies, the interface-specific policies are evaluated before the global policy.
The following command was modified: access-group global
For users/companies which have migrated from Check Point to Cisco (usually to save on licensing fees), getting their head around a new interface level policy rather than a system (global) level is usually a bit of a challenge.
I’m looking forward to seeing if this really helps with policy migrations!
Firewalls will always be a key ingredient to network security, but not all firewalls are equal. Recently I’ve been forced into documenting how I decide & think about firewall rules…
Strict Firewalling
IMO Strict Firewalling is the traditional way to implement your traffic policies (ACLS), each rule should be as tight as possible… the idea of “any” should not be used at all and ranges should be kept at a minimum; hosts better than subnets, source and destination IPs restricted, specific TCP ports (not ranges) used.
Service Led Firewalling
A term I think I made up, Service Led Fierwalling is where you relax the ACL/policy at the source… to host a DNS Zone you need to allow “anyone” to perform lookups so Strict Firewalling cannot be applied here but you do know the destination and the service so both of these should be defined/restricted as appropriate… you see what I mean here the policy is defined by the “service” provided.
Open Firewalling
Possibly a contradiction in terms but bare with me; there are some instances whereby implementing a firewall provides little benefit, one example I’ve seen was a customer’s security officer wanted an internal firewall (i.e. no internet connection) in front of their Microsoft file server, in order for AD & MS clients to work properly all the MS ports had to be opened… so server guys continuously complained, what exactly is the firewall doing? What is Open Firewalling? It’s the process of implementing a black list followed by a white list, rather than the traditional permit then drop processing that a firewall does; I’d create a rule that Drops Prohibited applications (such as P2P or unencrypted protocols) and then create a policy permitting all ports from legitimate IP ranges.
When would I use these?
Your firewall should be broken into zones, each zone meets both security policy and business requirements, you should then apply a firewalling technique to each zone. For example it’s not uncommon to have a back-end database which should only ever be accessed by the front end application, therefore it could be in a zone protected by Strict Firewalling; public services such as websites/email servers require flexibility on their source thus require service led firewalling. Occasionally your business or application requirements suggest that firewalling impedes things, using open firewalling to “clean” traffic compromises “security people wanting firewalls” and any historical business/application issues… the firewall is there perhaps protecting against syn-flood attacks & as previously suggested blocking prohibited apps yet the business doesn’t see any traditional firewall headaches.
I don’t agree you fool!
That’s your choice, there’s no correct answer to security, the business you work in and the security policy mandated from senior management direct what you do, these are just my approaches
You’re on a network with only HTTP/HTTPS access to the internet… you’ve got OpenVPN setup to tunnel all your traffic out via HTTPS…. but you still want to access the local LAN?
All the OpenVPN client is doing is changing the routing table on the OS (netstat -nr / route print) you’ll see that the route to the OpenVPN server is in there and the default gateway is the OpenVPN tunnel interface, to connect to the local LAN simply add a route via the “local gatway”, i.e. the same gateway used to get to the vpn server.
Cool eh? Reverse-split-tunneling!!!
After much swearing and hackerizing I’m happy to post a screenshot of Cisco’s ACS running in VirtualBox
Before I explain what I’ve done, a quick message for “the stupids”
No I won’t post a virtual machine for you to download
Buy a license or an appliance
The rest of this post is a run though of what I did, if you get bored easily skip to the summary.
The story is I’ve got a customer who wants dot1x with ACS5 and I need a box to play with before breaking their network; having read through the docs on cisco.com I noticed that vmware was a supported platform for evaluation, as awesome as that is, carrying around an ESXi server isn’t as convenient as you’d think so I boldly dropped the CD into my VirtualBox and booted to see what happened…. if only it was that simple!!!!!
As expected the installer crapped out early on complaining that VirtualBox is not a valid hardware configuration, so I decided to have a poke around the ISO image and had a moment of realisation.. THANK YOU CISCO FOR CHOOSING CENTOS!
Cisco choosing an open-source installation mechanism means that with a bit of googling I could customise the install process to work in VirtualBox…. sweeet!
To get started I followed the install guide to build a VirtualBox appliance that resembled the supported vmware machine, some things to note:
This is a summary of my VirtualBox configuration…
If you’re hoping to follow my process, I assume you’ve already downloaded from cisco a copy of the ACS_v5.1.0.44.iso and sorted an eval license.
Looking at the contents of the CD I could see that the KickStart file was rejecting my hardware configuration. In my early attempts I edited ks.cfg removing everything between %pre and %post removed the line that said %include and rebuilt the ISO; this had limited success, I could boot further on my new ISO but found that anaconda crapped out as it was unable to find the CD from which it booted … Very Odd!
Messing with the kickstart file and having to rebuild the ISO each time got boring very quickly, especially since it wouldn’t boot into anaconda stage two. I decided to move to a network based installed, I setup a web server on my laptop, downloaded CentOS-4.7-i386-bin1of4.iso and booted my guest from that using linux askmethod at the loader. On my web server I copied the contents of the ACS CD into a directory (including . hidden files), during the centos boot I was able to install “everything” from the ACS directory on web server giving me yet more limited success (Everything was installed – including the Cisco packages – but unusable).
The next step was to get my web installation to read my kickstart file, the ks.cfg has a load of finalization which looked like it created files that the cisco packages would need. I had to change the permissions of the directory to give me write access (CD files copied as RO since the CD was RO). So my edited ks.cfg has nothing between %pre & %post plus the %include line deleted, the result had massive drawback, I’d inadvertently removed the disk layout; I have since concluded that my earlier attempt with everything installed but broke also had issues due to incorrect filesystem partitions.
To put the filesystem layout back into the kickstart file I inserted the following:
part / --fstype ext3 --size=100 --grow part /localdisk --fstype ext3 --size=5120 part /recovery --fstype ext3 --size=1008 part /storedconfig --fstype ext3 --size=981 part /storeddata --fstype ext3 --size=2048 part swap --size=2048
To get the Centos Server to now boot from both the kickstart file and install from my webserver I now have to boot with linux ks=http://192.168.56.1/~nick/ACS/ks.cfg (this is instead of linux askmethod) and replace the line that says cdrom with url --url http://192.168.56.1/~nick/ACS.
After all that trial & error I was finally there! I have attached my ks.cfg for your reference and here is a summary of the steps to reproduce.
Note: During my playing the anaconda installer crapped out a couple of times, just starting the process again seemed to fix the issue, some bottleneck on virtualbox disk accesses could be the problem.
Hope that all makes sense, happy hacking!