Monday, November 20, 2017

SSL state cache MSIE

In this earlier post I showed how to clear the cached CA chain a browser holds for a website:

http://socpuppet.blogspot.com/2017/11/ssl-cert-caching-for-mitm-inspections.html


In MSIE (Microsoft Internet Explorer) and Chrome, it seems these browsers always show the CA chain issuer that the current connection actually presented, whether or not you are behind a MiTM proxy.

Take www.google.com as the example.

(left: the corporate-trusted CA chain seen behind the inspecting proxy; right: the real CA chain)




Again, once you know a site's true certificate issuer, you can easily tell whether an inspecting proxy is sitting in the path.







NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \
 

juniper SRX & JumpCloud dynamic vpn with NCP

The NCP remote VPN client is a great client: it is simple to build proposals and user profiles. One negative, though: you cannot easily export an existing profile.


I will show you how to do an IKE group-based VPN. It is similar to the standard dynamic group VPN, but the IKE user type is set to shared:

e.g.
set security ike gateway myvpngw dynamic ike-user-type shared-ike-id      <-------


I will explain the difference between shared-ike-id and the user+group IKE ID later.

Here are a few details of the platforms involved, from the VPN server and the RADIUS-as-a-Service side:


JUNOS 15.1X49-D110.4

NCP client for macOS, version 3, rev 35061

AUTH: XAUTH

RADIUS (remote): JumpCloud



For this VPN I decided to use defined proposals of AES-256 with MD5, SHA-1 and SHA-256 as the authentication algorithms; the same proposals are used in the NCP client settings.

IKE

set security ike proposal AES256SHA1 authentication-method pre-shared-keys
set security ike proposal AES256SHA1 dh-group group5
set security ike proposal AES256SHA1 authentication-algorithm sha1
set security ike proposal AES256SHA1 encryption-algorithm aes-256-cbc
set security ike proposal AES256MD5 authentication-method pre-shared-keys
set security ike proposal AES256MD5 dh-group group5
set security ike proposal AES256MD5 authentication-algorithm md5
set security ike proposal AES256MD5 encryption-algorithm aes-256-cbc
set security ike proposal AES256SHA256 authentication-method pre-shared-keys
set security ike proposal AES256SHA256 dh-group group5
set security ike proposal AES256SHA256 authentication-algorithm sha-256
set security ike proposal AES256SHA256 encryption-algorithm aes-256-cbc


NOTE: BCPs suggest using DH group 14 or stronger, but to support clients that might still run older VPN client software I am using PFS with group 5. The MD5 and SHA-1 proposals are in the list for the same legacy reason; prefer the SHA-256 proposal wherever the client allows it, and drop the weaker ones once the old clients are gone.

IPsec

set security ipsec proposal AES256SHA256 protocol esp
set security ipsec proposal AES256SHA256 authentication-algorithm hmac-sha-256-128
set security ipsec proposal AES256SHA256 encryption-algorithm aes-256-cbc
set security ipsec proposal AES256SHA256 lifetime-seconds 3600
set security ipsec proposal AES256SHA1 protocol esp
set security ipsec proposal AES256SHA1 authentication-algorithm hmac-sha1-96
set security ipsec proposal AES256SHA1 encryption-algorithm aes-256-cbc
set security ipsec proposal AES256SHA1 lifetime-seconds 3600
set security ipsec proposal AES256MD5 protocol esp
set security ipsec proposal AES256MD5 authentication-algorithm hmac-md5-96
set security ipsec proposal AES256MD5 encryption-algorithm aes-256-cbc
set security ipsec proposal AES256MD5 lifetime-seconds 3600


=======================================================

Now, to wrap this up, you need to set the IKE and IPsec policies for the gateway. Aggressive mode is what a PSK-authenticated peer with a dynamic address needs here, but it sends the IKE identity and a PSK-derived hash in the clear, so use a long random PSK and keep XAuth in front of the user.


set security ike policy ike_pol_wizard_dyn_vpn mode aggressive
set security ike policy ike_pol_wizard_dyn_vpn proposals AES256MD5
set security ike policy ike_pol_wizard_dyn_vpn proposals AES256SHA1
set security ike policy ike_pol_wizard_dyn_vpn proposals AES256SHA256
set security ike policy ike_pol_wizard_dyn_vpn pre-shared-key ascii-text  "mystrongpsk"


set security ipsec policy ipsec_pol_wizard_dyn_vpn perfect-forward-secrecy keys group5
set security ipsec policy ipsec_pol_wizard_dyn_vpn proposals AES256SHA256
set security ipsec policy ipsec_pol_wizard_dyn_vpn proposals AES256SHA1
set security ipsec policy ipsec_pol_wizard_dyn_vpn proposals AES256MD5
set security ipsec vpn wizard_dyn_vpn ike gateway gw_wizard_dyn_vpn



Now the fun starts. You will need to set the remote-access profile to use your JumpCloud RADIUS servers and set the source IPv4 address for the RADIUS client; this must be the address you register as the RADIUS client in JumpCloud.


set access profile remote_access_profile authentication-order radius
set access profile remote_access_profile client socpuppets firewall-user password "$9$r47KLxVwY2oJYgJDiH5TRhSyvWLxN"
set access profile remote_access_profile address-assignment pool dyn-vpn-address-pool
set access profile remote_access_profile radius-server 104.154.91.253 port 1812
set access profile remote_access_profile radius-server 104.154.91.253 secret "$9$RFcSKML7-dwY5QESyeLXUjHq.53nCtu129K8Xx-d"
set access profile remote_access_profile radius-server 104.154.91.253 source-address 10.10.10.98
set access profile remote_access_profile radius-server 104.196.54.120 port 1812
set access profile remote_access_profile radius-server 104.196.54.120 secret "$9$esuW7-wYg4JG/CKW8xbwmfTzF/pu1RKr0B7Vwsg4"
set access profile remote_access_profile radius-server 104.196.54.120 source-address 10.10.10.98
set access firewall-authentication pass-through default-profile remote_access_profile


In the JumpCloud portal you have to define the RADIUS client (the SRX's source address and the shared secret) and have the remote users defined.







NOTE: you can drop to a Unix shell (start shell) and run tcpdump on the interface that sends the RADIUS Access-Requests, to confirm the requests actually leave the Juniper SRX towards the RADIUS-aaS platform and to look for the Access-Accept or Access-Reject messages coming back.






(an unsuccessful login)




(a successful login)
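As an added example (not from the post), here is a small Python decoder for what that tcpdump shows: it parses RADIUS datagrams, recovers the User-Password attribute the SRX sends, and verifies the Response Authenticator of the reply with the shared secret, which is how you tell a genuine Access-Reject from JumpCloud apart from a spoofed reply or a secret mismatch. The packets, the shared secret and the password are all constructed inline; the NAS address 10.10.10.98 is the SRX source address from the config above.

```python
"""Decode RADIUS Access-* packets (RFC 2865) and verify the Response
Authenticator against the shared secret.  Added example, not the post's code.
The packets below are constructed inline; nothing is captured from the wire."""
import hashlib
import hmac
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 8: "Framed-IP-Address", 18: "Reply-Message"}


def parse(pkt: bytes) -> dict:
    """Split a RADIUS datagram into header fields and (type, value) attributes."""
    if len(pkt) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length > len(pkt) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, off = [], 20
    while off < length:
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, pkt[off + 2:off + alen]))
        off += alen
    return {"code": code, "name": CODES.get(code, "code-%d" % code),
            "id": ident, "authenticator": pkt[4:20], "attrs": attrs}


def build(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Assemble a datagram from code, identifier, 16-byte authenticator, attrs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2 User-Password: XOR 16-byte blocks with a chained MD5 stream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; anyone holding the secret can read the password."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(resp: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 3."""
    return hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()


def verify_response(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    """True only if the server knew the shared secret and answered *this* request."""
    return hmac.compare_digest(resp[4:20], response_authenticator(resp, req_auth, secret))


def summarize(pkt: bytes) -> str:
    """One-line tcpdump-style summary of a packet."""
    p = parse(pkt)
    names = ", ".join(ATTR_NAMES.get(t, "attr-%d" % t) for t, _ in p["attrs"])
    return "%s id=%d len=%d [%s]" % (p["name"], p["id"], len(pkt), names)


# --- constructed exchange: SRX (10.10.10.98) asks JumpCloud, gets a reject ---
SECRET = b"radius-shared-secret"          # assumed value, not the post's secret
REQ_AUTH = bytes(range(16))                # fixed here; must be random in real use
REQUEST = build(1, 7, REQ_AUTH, [
    (1, b"socpuppets"),
    (2, hide_password(b"Wr0ngPassw0rd", SECRET, REQ_AUTH)),
    (4, bytes([10, 10, 10, 98])),
])
_reject_body = build(3, 7, b"\x00" * 16, [(18, b"Access denied")])
REJECT = (_reject_body[:4]
          + response_authenticator(_reject_body, REQ_AUTH, SECRET)
          + _reject_body[20:])

if __name__ == "__main__":
    print(summarize(REQUEST))
    print(summarize(REJECT), "authentic:", verify_response(REJECT, REQ_AUTH, SECRET))
```

A reply that fails `verify_response` with the secret you configured on the SRX means the secret does not match what is registered for that RADIUS client in JumpCloud, or the reply did not come from JumpCloud at all; an authentic Access-Reject means the request arrived and the credentials or group were wrong, which is a different problem to chase.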






The NCP VPN client side is configured very easily: define both an IKE and an IPsec proposal matching the ones above and reference them in your NCP profile.


e.g. the defined IPsec transform and IKE proposals:











User details:



Remember the shared-ike-id thing I mentioned earlier?




When you connect into the SRX, the NCP VPN client identity is just the client's IPv4 address and the group name.

e.g. IKE SA details (shared-ike-id):






versus the typical user+group IKE ID combination:




The one cool item about the NCP client: it can display almost too much detail for logging and diagnostics purposes.





Here's the final VPN configuration for the dynamic VPN:










Friday, November 17, 2017

locking down the SSLVPN based on geoip

When using SSL VPN and portals, you sometimes want to ban certain locations by GeoIP.

For example, let's say you are an enterprise with a presence in only one country/continent and your user base resides on just that continent.

By using a null group and portal, you can easily lock down your Fortinet FortiClients to only the GeoIP range that's allowed, or even to a network subnet or IP range.

E.g. we only allow US GeoIPs to access our network; all others will be blocked.







By using the CLI command diag debug application sslvpn -1 we can validate which rules and groups were matched.




As you can see, I matched auth-rule #2, which was not allowed SSL VPN access to any portal. So a client coming from a banned geo-address is handed a non-existent portal named none.








In the next example we are allowing our PBXeng team access, but only from the firewall address named PBX_vendors network.










 !!!!  Be cautious of  the ordering of the auth-rules  !!!!
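To make the ordering point concrete, here is an added Python model (not FortiOS code, and not from the post) of how an ordered authentication-rule table is evaluated: first match wins, so a catch-all rule placed above a specific one shadows it. The real auth-rule has more match fields; this keeps only group and source. The GeoIP prefixes, group names, portal names and the PBX_vendors-style vendor subnet are all constructed for the example, and `shadowed()` is the check to run over the rule order before trusting it.

```python
"""First-match evaluation of SSL VPN authentication rules with a geo/subnet
source constraint, plus a check for rules shadowed by an earlier broader rule.
Added example, not FortiOS code: rule fields and the GEO table are an assumed
simplification of what the post's portal/auth-rule screenshots show."""
import ipaddress

# constructed GeoIP table (prefix -> country); a real one comes from the vendor DB
GEO = {ipaddress.ip_network("203.0.113.0/24"): "US",
       ipaddress.ip_network("198.51.100.0/24"): "DE",
       ipaddress.ip_network("192.0.2.0/24"): "US"}


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return None


class Rule:
    def __init__(self, rid, portal, groups=None, countries=None, networks=None):
        self.rid, self.portal = rid, portal              # portal None = no portal
        self.groups = set(groups) if groups else None    # None = any group (null)
        self.countries = set(countries) if countries else None
        self.networks = ([ipaddress.ip_network(n) for n in networks]
                         if networks else None)

    def source_ok(self, ip):
        addr = ipaddress.ip_address(ip)
        if self.countries is not None and country_of(ip) not in self.countries:
            return False
        if self.networks is not None and not any(addr in n for n in self.networks):
            return False
        return True

    def matches(self, ip, user_groups):
        return self.source_ok(ip) and (
            self.groups is None or bool(self.groups & set(user_groups)))

    def covers(self, other):
        """True if every client this rule matches, the other rule would match too."""
        g_ok = self.groups is None or (
            other.groups is not None and other.groups <= self.groups)
        c_ok = self.countries is None or (
            other.countries is not None and other.countries <= self.countries)
        n_ok = self.networks is None or (
            other.networks is not None and all(
                any(o.subnet_of(s) for s in self.networks) for o in other.networks))
        return g_ok and c_ok and n_ok


def select_portal(rules, ip, user_groups):
    """First matching rule wins, exactly like an ordered auth-rule table."""
    for r in rules:
        if r.matches(ip, user_groups):
            return r.portal
    return None


def shadowed(rules):
    """Rule ids that can never fire because an earlier rule covers them."""
    return [later.rid for i, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:i])]


# Constructed policy: PBX engineers only from the vendor network, US-based
# VPN users get the full portal, everyone else lands on no portal at all.
GOOD_ORDER = [
    Rule(1, "pbx-portal", groups=["PBXeng"], networks=["192.0.2.0/24"]),
    Rule(2, "full-access", groups=["vpn_users"], countries=["US"]),
    Rule(3, None),                                   # null group/portal: deny the rest
]
BAD_ORDER = [GOOD_ORDER[2], GOOD_ORDER[0], GOOD_ORDER[1]]   # catch-all moved first

if __name__ == "__main__":
    for ip, groups in [("203.0.113.10", ["vpn_users"]), ("198.51.100.10", ["vpn_users"]),
                       ("192.0.2.5", ["PBXeng"])]:
        print(ip, groups, "->", select_portal(GOOD_ORDER, ip, groups))
    print("shadowed in BAD_ORDER:", shadowed(BAD_ORDER))
```

With the deny rule first, every client hits it and the two specific rules are dead; `shadowed()` reports exactly those rule ids, which is the mistake the warning above is about.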


Ken Felix







FortiClient locked ?

Have you played with FortiClient? If yes, you might run into the "locked state". This allows you only very limited or restricted access to the VPN client.

Here on a macOS client you get the bottom-left "session lock" message:




You have to use the "disconnect" option to get out of it.



Ken    Felix





SSL cert caching for MiTM inspections

Firefox and a host of other browsers are notorious for caching the SSL certificates in a trust chain.

This can lead to misinformation when doing diagnostics/debugging, if you are using a browser to inspect the cert chain and the trusted CA for a website.


Take my day job, which has a Blue Coat ProxySG for SSL inspection, and we have a trusted enterprise CA cert that's present in the chain for pcgus (aus-web.gateway.pcgus.com in this example).






That CA chain comes from the trusted CA cert that we delivered and imported into our browsers.






Now that I'm off the pcgus network, that chain is misleading, since I'm going to the website
https://forum.fortinet.com directly. Until we tell Firefox to clear itself, that chain misleads the unaware, unsuspecting end user.

 




Now look at the chain once we reload the website. Notice how the previous aus-webgateway.pcgus.com is now eliminated and the real CA chain is presented?






So always use a tool like curl or gnutls-cli when you want to double- or triple-check the CA chain for a website.

Or

Run the website through a site like SSL Labs and inspect the chain.







Doing this is a reliable way to determine whether a MiTM device is doing inspection: if the CA chain you see on the client does not match the true raw chain reported by an external inspection tool, then you know an "imposter" is in the CA chain. Compare issuer names and certificate fingerprints, not just chain length, since an inspecting proxy re-signs the leaf with its own CA.




Ken Felix






FortiClient Trouble-Shooting IPSEC-vpn

The FortiClient logging capability is great for major diagnostics, but sometimes you only need to follow the diagnostic output windows to guide you to a potential problem.

If you have a FortiClient deployment and a few clients with problems, use the feedback windows, or the lack of them.


1st up, a bad pre-shared key:



That should need no explanation beyond: re-key your PSK.


Next, bad logins:



Here it's tricky; it can be

1: a bad group ID
2: a bad username
3: or a bad password

Always validate that the user is correct.


TIP: A group defined in both the client and the FortiGate, where the user is NOT part of that group, is also a cause of a bad login.



Let's say you have a VPN peer ID set and an auth-server group, and the actual VPN user is not part of the group; the FortiGate will return the generic bad-login message.





If you still have issues you might need to run FortiGate CLI diag debug commands.


e.g.


diag debug enable
diag debug application ike -1





TIP: Use the diag vpn ike log-filter on the client address that's trying to connect, so that in a heavily used FortiClient deployment the IKE debug output only shows that one peer.


Lastly, if a client tries to connect to a FortiGate and gets no pop-up windows at all, this is a good indication of one or more of the following:

1: the client didn't reach the FortiGate
2: the client's IKE proposals were not matched and accepted
3: NAT or NAT-T issues
4: the client had the wrong address configured (see #1 above)
5: or a combination of the above


 Ken Felix





Thursday, November 16, 2017

HOWTO:Decode PreSharedKeys Juniper SRX

Junos has a great feature.


To decrypt a configured pre-shared key, you only need to feed the $9$ string to request system decrypt password.

This works great if you have pre-existing IPsec configurations and you have misplaced the key or don't want to re-key a VPN tunnel,

or if a security engineer leaves the company and fails to document the PSK for the VPN tunnels.



e.g.



A FortiGate, for example, does not have this feature.

So unless your FortiGate is peered with a Linux *swan, Cisco ASA or Juniper SRX (where the PSK can be read from the other end), you have almost zero chance of recovering the shared PSK from the FortiGate config.

This also makes FortiOS superior in protecting the PSK, since it can't easily be decoded from an intercepted FortiOS config file alone.

So when passing Juniper SRX config files around, you want to redact the $9$ PSK values; they are reversible obfuscation, not a hash.
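To show why no key material is needed, here is an added Python reimplementation (not from the post, and not Juniper's code) of the long-public Crypt::Juniper algorithm behind the $9$ format, which also covers the RADIUS secrets and firewall-user password shown in the NCP post above. Every $9$ string is a salt, a few filler characters, and then each plaintext byte split into mixed-radix digits and written as "gaps" between successive characters of a fixed 65-symbol alphabet. The plaintexts and salts used in the example are constructed; nothing here talks to a device.

```python
"""Reversible Junos $9$ obfuscation, as used for pre-shared-keys, RADIUS secrets
and firewall-user passwords in a Junos config.  Added example (not from the
post); it reimplements the long-public Crypt::Juniper algorithm so you can see
why 'request system decrypt password' works without any key material."""
import random

MAGIC = "$9$"
FAMILY = ["QzF3n6/9CAtpu0O", "B1IREhcSyrleKvMW8LXx",
          "7N-dVbwsY2g4oaJZGUDj", "iHkq.mPf5T"]
NUM_ALPHA = list("".join(FAMILY))                 # the 65-symbol alphabet
ALPHA_NUM = {c: i for i, c in enumerate(NUM_ALPHA)}
# number of filler chars that follow the salt, keyed by the salt's family
EXTRA = {c: 3 - fam for fam, s in enumerate(FAMILY) for c in s}
# per-position weights: each plaintext byte is split into these radix digits
ENCODING = [[1, 4, 32], [1, 16, 32], [1, 8, 32], [1, 64], [1, 32],
            [1, 4, 16, 128], [1, 32, 64]]


def _gap(c1, c2):
    """Distance in the alphabet from c1 to c2, minus one."""
    return (ALPHA_NUM[c2] - ALPHA_NUM[c1]) % len(NUM_ALPHA) - 1


def junos_decrypt(crypt: str) -> str:
    if not crypt.startswith(MAGIC):
        raise ValueError("not a $9$ string")
    chars = crypt[len(MAGIC):]
    if not chars or any(c not in ALPHA_NUM for c in chars):
        raise ValueError("invalid characters in $9$ string")
    salt, chars = chars[0], chars[1:]
    chars = chars[EXTRA[salt]:]                   # discard the filler
    prev, plain = salt, ""
    while chars:
        weights = ENCODING[len(plain) % len(ENCODING)]
        nibble, chars = chars[:len(weights)], chars[len(weights):]
        if len(nibble) != len(weights):
            raise ValueError("truncated $9$ string")
        gaps = []
        for c in nibble:
            gaps.append(_gap(prev, c))
            prev = c
        plain += chr(sum(g * w for g, w in zip(gaps, weights)) % 256)
    return plain


def junos_encrypt(plain: str, salt: str = None) -> str:
    """Produce a $9$ string; salt/filler are random unless a salt is given."""
    salt = salt or random.choice(NUM_ALPHA)
    crypt = MAGIC + salt + "".join(random.choice(NUM_ALPHA)
                                   for _ in range(EXTRA[salt]))
    prev = salt
    for pos, ch in enumerate(plain):
        weights = ENCODING[pos % len(ENCODING)]
        o, gaps = ord(ch), []
        for w in reversed(weights):               # split byte into radix digits
            gaps.insert(0, o // w)
            o %= w
        for g in gaps:                            # write each digit as a gap
            prev = NUM_ALPHA[(g + ALPHA_NUM[prev] + 1) % len(NUM_ALPHA)]
            crypt += prev
    return crypt


if __name__ == "__main__":
    obfuscated = junos_encrypt("mystrongpsk")     # constructed plaintext
    print(obfuscated, "->", junos_decrypt(obfuscated))
```

The only randomness is the salt and filler, which is why the same PSK produces different $9$ strings on every commit yet all of them decode identically; treat a $9$ value in a shared config exactly like the plaintext it hides.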



Ken Felix




Monday, November 13, 2017

HOWTO activate 5gig thruput ASR1001X

The Cisco ASR 1001-X is a pay-as-you-grow device. To use the evaluation license, you first need to accept the EULA.


     config t
      license accept end user agreement

You will be prompted for YES or NO.


Next you can validate the current throughput (default is 2.5 Gbps):

      show platform hardware throughput level

ASR01#show platform hardware throughput level
The current throughput level is 2500000 kb/s

Now to change the throughput level:


 ASR01(config)#platform hardware throughput level 5000000
% The config will take effect on next reboot

  ASR01(config)#


Then you can reboot the device. Cisco will display a few warnings and status lines before you reload.



ASR01#reload
The following license(s) are transitioning, expiring or have expired.
Features with expired licenses may not work after Reload.
Feature: interface_10g                  ,Status: transition, Period Left: 1  wk  2  days
Feature: throughput_5g                  ,Status: transition, Period Left: 8  wks 4  days

Proceed with reload? [confirm]^C





 Felix, Ken 





Juniper SRX and Pulse client dialup

The small-branch models of the Juniper SRX appliances typically come with two VPN licenses. You can easily set the SRX up for IPsec dial-up remote access.


The J-Web GUI wizard does a good job of building a simple, effective dial-up profile with local accounts.

Here are the final Junos CLI config details that seem to work best with the Pulse client.


IKE phase 1 using the standard proposal set (DH group 2, AES-128, SHA-1):

set security ike policy ike_pol_wizard_dyn_vpn mode aggressive
set security ike policy ike_pol_wizard_dyn_vpn proposal-set standard
set security ike policy ike_pol_wizard_dyn_vpn pre-shared-key ascii-text KEEPITSECURED
set security ike gateway gw_wizard_dyn_vpn ike-policy ike_pol_wizard_dyn_vpn
set security ike gateway gw_wizard_dyn_vpn dynamic hostname GROUPIDHERE
set security ike gateway gw_wizard_dyn_vpn dynamic connections-limit 50
set security ike gateway gw_wizard_dyn_vpn dynamic ike-user-type group-ike-id
set security ike gateway gw_wizard_dyn_vpn external-interface ge-0/0/0.0
set security ike gateway gw_wizard_dyn_vpn xauth access-profile remote_access_profile
set security ike gateway gw_wizard_dyn_vpn version v1-only




IPsec phase 2 using the standard proposal set (DH group 2, AES-128, SHA-1) with PFS:

set security ipsec policy ipsec_pol_wizard_dyn_vpn perfect-forward-secrecy keys group2
set security ipsec policy ipsec_pol_wizard_dyn_vpn proposal-set standard
set security ipsec vpn wizard_dyn_vpn ike gateway gw_wizard_dyn_vpn
set security ipsec vpn wizard_dyn_vpn ike ipsec-policy ipsec_pol_wizard_dyn_vpn
set security dynamic-vpn clients wizard-dyn-group ipsec-vpn wizard_dyn_vpn



set security dynamic-vpn access-profile remote_access_profile
set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 10.1.1.0/24
set security dynamic-vpn clients wizard-dyn-group ipsec-vpn wizard_dyn_vpn
set security dynamic-vpn clients wizard-dyn-group user socpuppets


set access profile remote_access_profile client socpuppets firewall-user password  mypasswordhere
set access firewall-authentication web-authentication default-profile remote_access_profile


set access profile remote_access_profile address-assignment pool dyn-vpn-address-pool



You need to ensure that the IKE system service is allowed on the untrust interface (or whichever interface the VPN clients connect to). If the client logs a "no response" message, then 99.99% of the time it's because the firewall engineer forgot to enable IKE.

e.g.

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike



The wizard will also set a firewall policy that you can later modify with the "services" you want:


set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match source-address any
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match destination-address any
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match application any
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn then permit tunnel ipsec-vpn wizard_dyn_vpn




After a client connects, you can validate the phase 1/phase 2 security association details.


e.g.







The NCP remote client access is very similar, by the way.



Ken    Felix
