Sunday, July 23, 2017

AWS subnet concerns

When laying out an AWS VPC you need to select a CIDR block for that VPC.

It is critical that your VPC subnets do not collide or overlap with any other VPC or with your local on-prem corporate networks.

Take this simple multi-region layout, with VPCs allocated on /20 boundaries.



These three containers (VPCs) reach back to Corp via Direct Connect. Alternatively they could be IPsec VPN tunnels. Direct Connect eliminates the IPsec configuration, MTU issues and complexity, but note that it is a private circuit, not an encrypted one: if the traffic must be encrypted in transit you still run IPsec over it.

At HQ these terminations could easily land on a security edge device or a gatekeeper for entry into AWS and the respective VPC.

Traffic between regions could be carried over the AWS backbone or over an Internet IPsec connection. Traffic could also travel to customer VPCs held in another AWS account.




Network layout and subnet allocations need to be carefully crafted and thought out. Bad design up front can lead to duplicate networks, complexity and/or poor routing in or out of the AWS instances.

Key checkpoints:

  1. have a plan
  2. have an IP address management (IPAM) solution such as IPplan, http://iptrack.sourceforge.net/, or similar
  3. leave room for growth, now and in the future
  4. keep IPv4 address boundaries aligned and networks contiguous so they summarize cleanly from a routing standpoint
  5. be aware of the maximum number and sizes of CIDRs (a VPC block must be between /16 and /28)
  6. don't overlook any local on-prem networks and what might need access, either locally or remotely
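As an added example (not part of the original post), here is a small Python planner that applies checkpoints 4 and 5 to an address plan. The plan, names and addresses are constructed and hypothetical: two on-prem ranges plus one /20 per VPC in three regions, as in the layout above. It flags overlaps between VPCs and on-prem ranges, /20 blocks that are not written on their boundary, blocks outside AWS's /16 to /28 limit, and it hands out the next free /20 inside a region supernet so the blocks stay contiguous and summarisable with one route.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan (hypothetical names and addresses): two on-prem
# ranges plus one /20 per VPC across three regions, as in the layout above.
PLAN = {
    "corp-hq":       "10.0.0.0/16",
    "corp-dc2":      "10.1.0.0/16",
    "vpc-us-east-1": "10.16.0.0/20",
    "vpc-us-west-2": "10.16.16.0/20",
    "vpc-eu-west-1": "10.16.32.0/20",
}


def check_plan(plan, vpc_prefix=20):
    """Return a list of problems with an address plan (an empty list means clean).

    Checks that every CIDR is written on its network boundary, that VPC
    blocks use the agreed /vpc_prefix and stay inside AWS's /16-/28 limit,
    and that no two entries overlap (VPC-to-VPC or VPC-to-on-prem).
    """
    problems, nets = [], {}
    for name, cidr in plan.items():
        try:
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")  # e.g. '10.16.50.0/20 has host bits set'
    for name, net in nets.items():
        if not name.startswith("vpc-"):
            continue
        if not 16 <= net.prefixlen <= 28:
            problems.append(f"{name}: AWS VPC CIDR must be /16 to /28, got /{net.prefixlen}")
        elif net.prefixlen != vpc_prefix:
            problems.append(f"{name}: expected /{vpc_prefix}, got /{net.prefixlen}")
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} ({na}) overlaps {b} ({nb})")
    return problems


def next_free_block(plan, supernet, prefixlen=20):
    """Lowest /prefixlen inside supernet that overlaps nothing already in plan.

    Allocating in order keeps the VPC blocks contiguous, so the corporate
    side can reach all of AWS with a single summary route.
    """
    used = [ipaddress.ip_network(c, strict=False) for c in plan.values()]
    for cand in ipaddress.ip_network(supernet).subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(u) for u in used):
            return cand
    return None


def summary_route(plan, prefix="vpc-"):
    """Smallest single prefix covering every VPC block (the route Corp points at AWS)."""
    nets = [ipaddress.ip_network(c) for n, c in plan.items() if n.startswith(prefix)]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


if __name__ == "__main__":
    for p in check_plan(PLAN) or ["plan is clean"]:
        print(p)
    print("next free /20:", next_free_block(PLAN, "10.16.0.0/16"))
    print("summary toward AWS:", summary_route(PLAN))
```

Run it against the real plan before a VPC is created, not after: once instances exist, re-addressing a VPC means rebuilding it.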


Ken Felix



NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \
 

Saturday, July 22, 2017

CONTROL EXTERNAL ACCESS to an F5 VS with a data-group

HOWTO

Restrict access to a website by external source address, using an LTM data-group.



1st, craft a data-group and specify the network CIDR blocks. Records of an ip-type data-group should be written on their network boundary (host bits cleared), so 6.1.9.0/17 is entered as 6.1.0.0/17:


ltm data-group internal MYAPPROVEDNETS {
    records {
        6.1.0.0/17 { }
        195.3.0.0/20 { }
        1.1.1.1/32 { }
        10.17.1.0/24 { }
    }
    type ip
}


2nd, build a simple iRule and reference the data-group for the client address.



ltm rule MYACCESSRULE {
    when CLIENT_ACCEPTED {
        # Runs once per TCP connection: anything not in the address data-group is
        # torn down before a single HTTP byte is read. "equals" on an ip-type
        # data-group is a containment match, so 10.17.1.25 matches 10.17.1.0/24.
        if { not ( [class match [IP::client_addr] equals MYAPPROVEDNETS] ) } {
            reject
        }
    }

    when HTTP_REQUEST {
        # The Host header is case-insensitive, so normalise it before the switch
        switch [string tolower [HTTP::host]] {
            "ghjdev.examples.com" {
                persist cookie insert "HjDEVWEBS01" "1d 00:00:00"
                pool pool.GHjdev.examples.com
            }
            "ghjdev-admin.examples.com" {
                persist cookie insert "HjDEVWEBS03" "1d 00:00:00"
                pool pool.GHjdev-admin.examples.com
            }
            "ghjtest-admin.examples.com" {
                persist cookie insert "HjDEVWEBS02" "1d 00:00:00"
                # Send straight to a node rather than a pool
                node 10.1.1.13 80
            }
            "dfdev.examples.com" {
                persist cookie insert "HjDEVWEBSx2" "1d 00:00:00"
                snatpool POOLSNAT01
                pool pool.dfdev.examples.com
            }
        }
    }
}


NOTE: with the above, the examples.com websites will only accept connections from the sources defined by the data-group; everything else is rejected at TCP accept, before any HTTP is parsed. Keep in mind that IP::client_addr is the address of whatever connects to the virtual server: if a CDN or another proxy sits in front of the F5, that is the proxy's address, not the end user's, and the allow-list has to be written accordingly.



ALTERNATIVELY

You could use mutual TLS (client certificate) authentication so that only web users with a valid certificate can access the website. This is smarter in the long run, since you don't have to worry about web clients whose addresses change regularly.


Using this approach you could stand up DEV or UAT environments and allow trusted networks access to those DEV/UAT environments.


Reference: a typical design with multiple pools that make up various sites, and a dev team in two network spaces.



Ken Felix






Friday, July 21, 2017

Finding traffic that's hitting an F5 VIP via an iRule

So let's say you have traffic hitting an F5 virtual server, but you want to find out who is hitting it and what URI they are asking for. You can put a log statement inside an iRule and define what you want logged (source address, Host header, URI).


e.g

ltm rule HOSTSWITCHER {
    when HTTP_REQUEST {
        # The Host header is case-insensitive; normalise it or mixed-case
        # requests fall through to default and look like stale names
        switch [string tolower [HTTP::host]] {
            "mysite.mydomain.com" {
                persist cookie insert "c00k3yM0nst3r" "7d 00:00:00"
                log local0. " The site name  [HTTP::host] and uri  [HTTP::uri]  is hitting  the mysite.mydomain.com"
                pool mysite.mydomain.com_pool
            }
            default {
                # Anything else that resolves to this VIP lands here: log who asked for what
                log local0. " The site name  [HTTP::host] and uri  [HTTP::uri] and client's address  [IP::client_addr]   is hitting  the default"
                persist cookie insert "de3fAUlt" "1d 00:00:00"
                pool default_pool
            }
        }
    }
}


This helps find DNS entries that were left over and still point at your public address. By generating a log message for the host and/or URI you can easily debug left-over or bad configurations. Two things to keep in mind: log local0. writes via syslog to /var/log/ltm, which fills quickly on a busy VIP, and [HTTP::uri] includes the query string, so session tokens and the like end up in the log.

The F5 LTM log (/var/log/ltm) shows entries of that form.
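As an added example (not from the original post), here is a Python script that reads the lines the HOSTSWITCHER iRule above writes to /var/log/ltm and turns them into the report you actually want: which host names are still arriving, and which of them fell through to the default branch (the stale-DNS candidates), together with the client addresses that asked for them. The log lines are constructed; the syslog prefix and the "Rule /Common/<name> <HTTP_REQUEST>:" framing are assumed, while the message text is the iRule's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/ltm lines as the HOSTSWITCHER iRule above
# would write them (syslog prefix and "Rule ... <EVENT>:" framing assumed).
SAMPLE_LTM_LOG = """\
Jul 21 09:14:27 lb01 info tmm[10231]: Rule /Common/HOSTSWITCHER <HTTP_REQUEST>:  The site name  mysite.mydomain.com and uri  /  is hitting  the mysite.mydomain.com
Jul 21 09:14:31 lb01 info tmm[10231]: Rule /Common/HOSTSWITCHER <HTTP_REQUEST>:  The site name  old.mydomain.com and uri  /login and client's address  203.0.113.9   is hitting  the default
Jul 21 09:15:02 lb01 info tmm1[10231]: Rule /Common/HOSTSWITCHER <HTTP_REQUEST>:  The site name  old.mydomain.com and uri  /login?sid=abc123 and client's address  203.0.113.9   is hitting  the default
Jul 21 09:15:40 lb01 notice mcpd[5120]: 01070638:5: Pool /Common/default_pool member /Common/10.1.1.9:80 monitor status up.
Jul 21 09:16:11 lb01 info tmm[10231]: Rule /Common/HOSTSWITCHER <HTTP_REQUEST>:  The site name  test.mydomain.com and uri  /healthz and client's address  198.51.100.4   is hitting  the default
"""

# Matches both message shapes the iRule emits: the named-site branch (no client
# address) and the default branch (with client address).
LOG_RE = re.compile(
    r"Rule /Common/(?P<rule>\S+) <HTTP_REQUEST>:\s*The site name\s+(?P<host>\S+)"
    r"\s+and uri\s+(?P<uri>\S+)(?:\s+and client's address\s+(?P<client>\S+))?"
    r"\s+is hitting\s+the\s+(?P<target>\S+)"
)


def parse_line(line):
    """Extract host, uri, client and the switch branch taken; None for unrelated log lines."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Count (host, branch) pairs and collect, for every host that fell through
    to 'default', the client addresses that asked for it. Hosts in that second
    map are the stale-DNS candidates: names still resolving to the VIP that no
    switch case claims any more."""
    hits = Counter()
    default_hosts = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = rec["host"].lower()
        hits[(host, rec["target"])] += 1
        if rec["target"] == "default":
            default_hosts[host].add(rec["client"] or "?")
    return {"hits": hits, "default_hosts": dict(default_hosts)}


if __name__ == "__main__":
    s = summarize(SAMPLE_LTM_LOG.splitlines())
    for (host, branch), n in sorted(s["hits"].items()):
        print(f"{n:5d}  {host:28s} -> {branch}")
    for host, clients in s["default_hosts"].items():
        print(f"stale? {host} requested by {', '.join(sorted(clients))}")
```

Feed it the real file (or `tail -f /var/log/ltm` piped in) and the hosts listed under "stale?" are the DNS records to go and clean up; note the third sample line, where the URI carries a session id, which is exactly the kind of thing that ends up in the log when you log [HTTP::uri] verbatim.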



Ken Felix





Wednesday, July 19, 2017

TLS1.3 support

TLS 1.3 has been around in draft form for some time. You can navigate to various sites that already speak TLS 1.3 and check the connection status for support, but typically your browser first needs to be enabled for this new TLS version.


Common browsers such as Firefox require you to open about:config, search for the TLS security settings and set security.tls.version.max to "4" (3 = TLS 1.2, 4 = TLS 1.3). Other browsers are similar to some degree.



example:



Now validate using mail.google.com (yes, Google already supports TLS 1.3):



vs. TLS 1.2:




If you mistakenly set the minimum (security.tls.version.min) rather than the maximum to 4, there is no fallback and you will start seeing connection errors on known-working websites.



So what's all the talk about TLS 1.3?

A simplified handshake (one round trip instead of two, with a 0-RTT option on resumption) speeds up delivery of the first byte for a website. So speed is one major change.


1: example of the TLS handshake improvement


2: improvements overall, including removal of the legacy key exchanges and non-AEAD ciphers carried over from TLS 1.2

 https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3_.28draft.29


So what major issues can come up?

  1. it is very new and needs experimentation and trials by the Internet community before people get comfortable with it
  2. most existing systems don't have support for it
  3. most management interfaces on IT gear have no awareness of TLS 1.3
  4. most IT support staff, from the network to the security engineer, have no working knowledge of TLS, much less of the latest version
  5. various SSL deep-inspection appliances can break: TLS 1.3 encrypts the server certificate and most of the handshake after the ServerHello, so anything that keyed on a cleartext certificate needs updating
  6. some forward proxies, if not updated, will break


Ken Felix









Sunday, July 16, 2017

Understanding the BIG-IQ restore process

Here are some tips on BIG-IQ restore.

First: it works well, but you need to know a few things.


A: if you restore the active F5 it will swap roles to standby. This is standard behaviour.


B: the unit will go offline and disconnect while the restore takes place.


C: then a one-line disconnect notice.


D: you will probably need to do a config-sync afterwards.


During the restore the bigstart processes restart, but the system does not reboot.

E: if you try to restore the same file twice you will see the following error:








Ken Felix





Thursday, July 6, 2017

Cisco ACS 5.8 patch

Well, our report monitoring tool hasn't been working with various browsers, so our Cisco ACS needs to be patched to get the monitoring tool up and running again.

1st step was to execute a backup on the primary ACS.

My repository was named TAC:

acs backup  TEXT01 repository  TAC JUN062017BACKUP

2nd, copy the GPG-wrapped patch bundle to the host that serves the TAC repository:

scp ./5-8-0-32-7.tar.gpg  ken.felix@1.1.1.1:

3rd, from within the Cisco ACS CLI, run the patch install against the repository and the patch bundle name. Note the prompt that asks you to confirm the printed hashes against the Cisco download site; it defaults to Y, so actually compare them before you answer:

CISCOACSSERVER01/adminacsuser# acs patch  install  5-8-0-32-7.tar.gpg repository  TAC
 md5: ae3c92ed519471319132dfdbe9982d1a
 sha256: 62bd5e42f22c9f7e4c65480ffef8b8b46ac073e50ce6e92ae6940665c8080174
% Please confirm above crypto hash matches what is posted on Cisco download site.
% Continue? Y/N [Y] ? Y
Installing ACS patch requires a restart of ACS services. Continue?  (yes/no) yes
Calculating disk size for /opt/CSCOacs/patches
Total size of patch files are 1763 M.
Max Size defined for patch files are 2000 M.
Stopping ACS.
Stopping Management and View............................................................./opt/CSCOacs/bin/acs-for-cars-cli: line 58: kill: (7633) - No such process
..
Stopping Runtime........
Stopping Database.......
Stopping Ntpd...
Cleanup...
Stopping log forwarding .....
Installing patch version '5.8.0.32.7'
Installing ADE-OS 2.0 patch.  Please wait...
About to install files
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
Installing PBIS patch.  Please wait...
Installing TCP kernel patch.  Please wait...
Installing new NSS.  Please wait...
This patch includes security fixes which requires ACS server reboot. It is highly recommended to proceed with reboot
Do you want to reboot the server ? Y/N : y
You have choosen to reboot the server, Rebooting ...


The system is going down for reboot NOW!
/opt/CSCOacs/patches/5-8-0-32-7
Patch '5-8-0-32-7' version '5.8.0.32.7' successfully installed
Starting ACS ....

To verify that ACS processes are running, use the
'show application status acs' command.
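As an added example (not from the original post or from Cisco): the installer prints the MD5 and SHA-256 of the bundle and asks you to confirm them against the download page, but the prompt defaults to Y and is easy to wave through. The Python below computes the same digests yourself, before the file is even copied to the repository, and compares them in constant time to the value you paste from the Cisco download page. The file it hashes here is a constructed stand-in ("abc") so it runs offline; the expected SHA-256 in the usage is simply the digest of that stand-in, not a Cisco value.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time; the real patch bundle is ~1.7 GB


def digest_file(path, algos=("md5", "sha256")):
    """Hex digests of a file, computed in one pass without loading it into memory."""
    hashes = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashes.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashes.items()}


def verify_patch(path, expected_sha256, expected_md5=None):
    """True only when the bundle's SHA-256 (and MD5, if supplied) match the values
    published on the download page. SHA-256 is the check that matters; MD5 is
    accepted only because the ACS installer prints both. Case and surrounding
    whitespace from a copy-paste are tolerated; anything else is a mismatch."""
    got = digest_file(path)
    ok = hmac.compare_digest(got["sha256"].lower(), expected_sha256.strip().lower())
    if expected_md5 is not None:
        ok &= hmac.compare_digest(got["md5"].lower(), expected_md5.strip().lower())
    return ok


def write_sample_patch(contents=b"abc"):
    """Constructed stand-in for 5-8-0-32-7.tar.gpg so the check runs offline; returns its path."""
    fd, path = tempfile.mkstemp(suffix=".tar.gpg")
    with os.fdopen(fd, "wb") as fh:
        fh.write(contents)
    return path


if __name__ == "__main__":
    path = write_sample_patch()
    try:
        print(digest_file(path))
        # In real use the value pasted here comes from the Cisco download page.
        print("ok to install:", verify_patch(
            path, "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"))
    finally:
        os.remove(path)
```

Do this on the workstation that downloaded the bundle, before the scp, so a corrupted or swapped file never reaches the repository; the installer's own prompt then becomes a second look rather than the only one.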



4th

Now sit back and wait for it to come back up ;)


5th

Log into the Cisco ACS web UI, go to About, and validate that the patch level is correct.


Finally, run through the logs and accounting records and ensure AAA clients are authenticating.

Remember to repeat the above on the secondary if you have dual Cisco ACS servers.


;)

Wednesday, June 21, 2017

Defining multiple sites with unique TLS protocol versions on F5 for TLS compliance

Take typical websites hosted on an F5 LTM, served with a wildcard certificate and SNI.


https://en.wikipedia.org/wiki/Server_Name_Indication


www websites 1, 2 and 3:

www1.example.com
www2.example.com
www3.example.com



So let's say www1 needs to support TLS 1.2 only, while www2 and www3 can support any of the other TLS versions. The virtual server uses one wildcard certificate for *.example.com.


How can you achieve this ?  .............The answer is quite simple!


In the F5 client-side SSL profile settings you replicate the profile three times and define the server_name in each.

Within each profile you can enable or disable the various SSL/TLS versions negotiated between the virtual server and the client (the profile's SSL options list).


So in the end you will have 2 or 3 profiles:

1: one for TLS 1.2 only, with www1.example.com as the server_name
2: one for www2.example.com and www3.example.com (server_name set accordingly), with all TLS 1.x enabled
3: or just one more for *.example.com with no server_name defined

All of them are attached to the same virtual server, and exactly one of them must be marked as the default SNI profile: a client that sends no server_name, or a name that matches none of the profiles, is handed that one.


Take a look at these client-side profiles:

Local Traffic > Profiles > SSL > Client: www1.example.com

Local Traffic > Profiles > SSL > Client: www2.example.com and www3.example.com


Then just test using curl and select the TLS version. On curl 7.54 and later the --tlsv1.0 and --tlsv1.1 switches set a minimum version rather than pinning one, so add --tls-max 1.0 (or 1.1) to force a single version; without it every test below quietly succeeds at TLS 1.2 and proves nothing.

e.g


curl --tlsv1.0 https://www1.example.com
curl --tlsv1.1 https://www1.example.com
curl --tlsv1.2 https://www1.example.com


and



curl --tlsv1.0 https://www2.example.com
curl --tlsv1.1 https://www2.example.com
curl --tlsv1.2 https://www2.example.com

and

curl --tlsv1.0 https://www3.example.com
curl --tlsv1.1 https://www3.example.com
curl --tlsv1.2 https://www3.example.com


Only the allowed and enabled TLS versions should be negotiated, based on the client-side SSL profile settings and the server_name entry. Remember that a client sending no SNI gets the default SNI profile's settings, so keep that profile at least as strict as the strictest site if the wildcard certificate must never be served over an old TLS version.
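An added example (not from the original posts) that serves both the TLS 1.3 post above and this SNI post. Everything the F5 decides here, which client-ssl profile applies and which protocol version gets negotiated, comes from two extensions in the ClientHello: server_name (0x0000) and, for TLS 1.3-capable clients, supported_versions (0x002b). The Python below builds a ClientHello from scratch, parses those fields back out, and emulates version selection against a per-SNI policy that mirrors the three profiles. The policy mapping, cipher suites and fixed random are constructed for the example. It also shows the thing that trips up inspection devices: a TLS 1.3 client still puts 0x0303 (TLS 1.2) in the legacy version fields and announces 1.3 only inside the extension.

```python
import struct

VERSION_NAMES = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(hostname, versions, legacy_version=0x0303, suites=(0x1301, 0xC02F)):
    """Constructed ClientHello: SNI always; supported_versions (0x002b) only when
    `versions` is non-empty, i.e. only for a TLS 1.3-capable client.
    legacy_version is what the record and handshake headers carry on the wire."""
    name = hostname.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
    exts = _ext(0x0000, struct.pack("!H", len(sni_entry)) + sni_entry)
    if versions:
        vlist = b"".join(struct.pack("!H", v) for v in versions)
        exts += _ext(0x002B, struct.pack("!B", len(vlist)) + vlist)
    cs = b"".join(struct.pack("!H", c) for c in suites)
    body = (struct.pack("!H", legacy_version) + b"\x11" * 32     # fixed 'random' for the example
            + b"\x00"                                             # session_id: empty
            + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00"                                         # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Pull record/legacy versions, SNI and supported_versions out of a ClientHello."""
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a ClientHello record")
    body = data[9:9 + int.from_bytes(data[6:9], "big")]
    info = {"record_version": struct.unpack("!H", data[1:3])[0],
            "legacy_version": struct.unpack("!H", body[0:2])[0],
            "sni": None, "supported_versions": None}
    pos = 2 + 32                                   # skip random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos >= len(body):
        return info                                # no extensions at all (very old client)
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos < end:
        et, el = struct.unpack("!HH", body[pos:pos + 4])
        eb = body[pos + 4:pos + 4 + el]
        pos += 4 + el
        if et == 0x0000:                           # server_name: skip list length, walk entries
            q = 2
            while q < len(eb):
                nt, nl = eb[q], struct.unpack("!H", eb[q + 1:q + 3])[0]
                if nt == 0:
                    info["sni"] = eb[q + 3:q + 3 + nl].decode()
                q += 3 + nl
        elif et == 0x002B:                         # supported_versions: 1-byte length, 2-byte codes
            info["supported_versions"] = [struct.unpack("!H", eb[i:i + 2])[0]
                                          for i in range(1, 1 + eb[0], 2)]
    return info


def highest_offered(info):
    """What the client really offers: supported_versions wins, legacy_version is the fallback."""
    known = [v for v in (info["supported_versions"] or []) if v in VERSION_NAMES]  # drops GREASE
    return VERSION_NAMES.get(max(known) if known else info["legacy_version"], "unknown")


def select_version(info, server_allowed):
    """Emulate negotiation for one SNI profile (server_allowed is a set of version codes).
    A TLS 1.3 client's list is matched exactly; a pre-1.3 client accepts any version
    <= legacy_version. None means handshake failure, which is what curl reports as a TLS error."""
    sv = info["supported_versions"]
    if sv:
        candidates = set(sv) & set(server_allowed)
    else:
        candidates = {v for v in server_allowed if v <= info["legacy_version"]}
    return max(candidates) if candidates else None


# Per-SNI policy mirroring the client-ssl profiles above (hypothetical mapping).
SNI_POLICY = {"www1.example.com": {0x0303},
              "www2.example.com": {0x0301, 0x0302, 0x0303},
              "www3.example.com": {0x0301, 0x0302, 0x0303}}

if __name__ == "__main__":
    for host, versions, legacy in [("www1.example.com", [0x0304, 0x0303], 0x0303),
                                   ("www1.example.com", [], 0x0301),
                                   ("www2.example.com", [], 0x0301)]:
        info = parse_client_hello(build_client_hello(host, versions, legacy))
        chosen = select_version(info, SNI_POLICY[info["sni"]])
        print(info["sni"], "offers", highest_offered(info), "->",
              VERSION_NAMES.get(chosen, "handshake failure"))
```

The second case is the `curl --tlsv1.0 --tls-max 1.0 https://www1.example.com` test from above ending in a handshake failure, which is the result you want; point parse_client_hello at the first record of a capture and you can see in one glance which profile a real client will land on and whether it is even attempting TLS 1.3.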


Ken Felix


Tuesday, June 20, 2017

Finding Windows XP/2003 hosts using FortiGate device identification

FortiGate has a simple OS device-identification function. You can easily enable it on any interface except:

  • ssl 
  • vpn
  • vdom-link
  • loopbacks
  • etc....

To enable device identification you only need to set the following on each interface you want to identify devices on:



config system interface
    edit lan
        set device-identification enable
    next
end

Then wait a few minutes before reviewing the output of the detected devices.


FGT100D (root) # diag user device os-summary
host operating systems discovered
  OS                     count
  unknown                    8
  Linux                     13
  NX-OS                      9
  Cisco Catalyst L3 S        1
  Windows                   88


The device-id output is simple to understand and follow.

e.g

( Nexus switch learned via LLDP )

   type 16 'Router/NAT Device'  src lldp  c 1  gen 4
    os 'NX-OS'  version ''  src lldp  id  36  c 1

( a Linux host learned via TCP fingerprint )

   vd root/0  00:00:ca:00:00:03  gen 13859  req 38  redir 0  last 0s  wan1
    ip 185.165.29.97
    type 6 'Linux PC'  src tcp  c 0  gen 6
    os 'Linux'  version '3.11'  src tcp  id  364  c 1

( a Windows host learned via HTTP, here an IIS web service )

   type 8 'Windows PC'  src http  c 1  gen 14
    os 'Windows'  version 'NT 10.0'  src http  id  1850  c 1

( here's a user on Mindspring using unencrypted POP3; the username was learned from the cleartext POP3 login )
 c0:8c:60:b0:e7:00  gen 120009  req 0  redir 0  last 0s  Inside
    ip 10.5.5.55
    type 8 'Windows PC'  src http  c 1  gen 35
    os 'Windows'  version '7 (x64)'  src http  id  2168  c 1
    host 'CHO-0000002'  src mwbs
    user 'useronpop@mindspring.com'  src pop3

( unknown )

   00:01:d1:2d:12:43  gen 1501701  req 3c  redir 0  last 0s  DMZ
    ip 1.1.1.1
    os unknown  sig 'W mss 4;T 255;D 1;S 60;O m1440 s t n w7;'  src tcp


Now that you understand what device-id does, you can grep for the Windows OS string or any other string of interest.

e.g.

 diag user device list | grep -i "Windows"


Here are a few Windows XP hosts that were located:



And here's an XP string:





Now your security analysts and IT team members can target and eliminate the non-compliant hosts.
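As an added example (not from the original post), the grep above finds the lines but leaves you to eyeball which host each one belongs to. The Python below parses the full "diag user device list" output, in the format shown in the snippets above, into one record per device (MAC, interface, IP, OS, version, hostname, user) and then pulls out the Windows entries whose version string marks an end-of-life release. The sample output is constructed with made-up MACs, hosts and documentation-range addresses; the exact version strings FortiOS emits for XP are not shown on this page, so both the human label ("XP", "2003") and the kernel version ("NT 5.1", "NT 5.2") are matched, which is an assumption.

```python
import re

# Constructed sample of `diag user device list` output in the format shown above.
SAMPLE_DEVICE_LIST = """\
vd root/0  c0:8c:60:b0:e7:00  gen 120009  req 0  redir 0  last 0s  Inside
    ip 10.5.5.55
    type 8 'Windows PC'  src http  c 1  gen 35
    os 'Windows'  version '7 (x64)'  src http  id  2168  c 1
    host 'CHO-0000002'  src mwbs
    user 'useronpop@mindspring.com'  src pop3

vd root/0  00:1c:42:aa:bb:01  gen 120010  req 0  redir 0  last 2s  Inside
    ip 10.5.5.61
    type 8 'Windows PC'  src tcp  c 1  gen 36
    os 'Windows'  version 'XP'  src http  id  2170  c 1
    host 'LAB-XP-01'  src mwbs

vd root/0  00:00:ca:00:00:03  gen 13859  req 38  redir 0  last 0s  wan1
    ip 198.51.100.77
    type 6 'Linux PC'  src tcp  c 0  gen 6
    os 'Linux'  version '3.11'  src tcp  id  364  c 1

vd root/0  00:1c:42:aa:bb:02  gen 120011  req 0  redir 0  last 0s  DMZ
    ip 10.9.9.20
    type 8 'Windows PC'  src http  c 1  gen 37
    os 'Windows'  version 'NT 5.2'  src http  id  2171  c 1
    host 'OLDFILESRV'  src mwbs

vd root/0  00:01:d1:2d:12:43  gen 1501701  req 3c  redir 0  last 0s  DMZ
    ip 192.0.2.10
    os unknown  sig 'W mss 4;T 255;D 1;S 60;O m1440 s t n w7;'  src tcp
"""

# A device record starts on an unindented line carrying the MAC; the last token is the interface.
HEADER_RE = re.compile(
    r"^(?:vd\s+(?P<vd>\S+)\s+)?(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+gen\s+\d+.*\s(?P<intf>\S+)\s*$",
    re.I)
FIELD_RES = {
    "ip":      re.compile(r"^\s+ip\s+(\S+)"),
    "type":    re.compile(r"^\s+type\s+\d+\s+'([^']*)'"),
    "os":      re.compile(r"^\s+os\s+(?:'([^']*)'|(\S+))"),          # quoted name, or bare 'unknown'
    "version": re.compile(r"^\s+os\s+'[^']*'\s+version\s+'([^']*)'"),
    "host":    re.compile(r"^\s+host\s+'([^']*)'"),
    "user":    re.compile(r"^\s+user\s+'([^']*)'"),
}

# 'NT 5.1' is the kernel version of XP, 'NT 5.2' of XP x64 and Server 2003 (assumed strings).
EOL_WINDOWS = {"XP": "Windows XP", "NT 5.1": "Windows XP",
               "NT 5.2": "Windows XP x64 / Server 2003", "2003": "Windows Server 2003"}


def parse_device_list(text):
    """One dict per device block; indented field lines are folded into the current device."""
    devices, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"mac": m["mac"].lower(), "intf": m["intf"], "vd": m["vd"]}
            devices.append(cur)
            continue
        if cur is None or not line.strip():
            continue
        for key, rx in FIELD_RES.items():
            fm = rx.match(line)
            if fm:
                cur[key] = next(g for g in fm.groups() if g is not None)
    return devices


def find_eol_windows(devices):
    """Windows devices whose version string marks an end-of-life release, labelled for the report."""
    found = []
    for d in devices:
        if d.get("os", "").lower() != "windows":
            continue
        for marker, label in EOL_WINDOWS.items():
            if marker.lower() in d.get("version", "").lower():
                found.append({**d, "eol": label})
                break
    return found


if __name__ == "__main__":
    for d in find_eol_windows(parse_device_list(SAMPLE_DEVICE_LIST)):
        print(f"{d['intf']:8s} {d['ip']:15s} {d.get('host', '-'):14s} {d['mac']}  {d['eol']}")
```

Run it over the captured output of "diag user device list" (the unfiltered one, not the grep) and hand the result to the team that owns those hosts; the interface column tells you which segment to look in first.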

Ken Felix




Monday, June 19, 2017

FortiClient 5.6 macOS initial review

Fortinet has released FortiClient 5.6, and the macOS install and launch has been flawless for me. Here are some screenshots of FortiClient and the new scanning display:








FortiClient lists the vulnerabilities by severity and can help with correcting the issues.


By opening a vulnerability you can review the CVE details and summary.




Ken   Felix




Friday, June 16, 2017

MFA using certificates for FortiOS system admins

You can deploy certificate (PKI) authentication for the users who administer a FortiGate. The advantages of this approach:

1: it supplies an alternative approach to MFA (username, user certificate and optionally a password)
2: no need to roll out a big MFA token solution
3: it lets you tie a user certificate to an admin profile for system admin logins
4: it provides an option to lock PKI admins down to HTTPS only while still allowing SSH for other admins (a PKI user cannot access a FortiGate via SSH)
5: it works great if you already have a PKI and no restrictions on signing user certificates
6: you can pre-sign user certificates for a future date and duration, and revoke a user's access



Here are the summary steps for deploying PKI users on FortiGates.

1: upload the CA root certificate for the user certificates that will be signed (very important: the CA root certificate(s) must be installed on every FortiGate they will access)

note: you can have multiple CA root certificates installed, but each root certificate needs to be uploaded into the local FortiGate CA store. You might have multiple CAs that sign various user certificates, or foreign CAs that you must import as required.

See this diagram of an approach for Enterprise and Contractor or Vendor, where multiple CAs issue user certificates for various roles; each user can have a unique role (access profile for that user).







2: sign the user certificates against the CA root key, or have the user obtain a signed certificate.


3: issue certificates to the system admin users and grant them access profiles.

4: the user needs to import the cert+key into the OS user certificate store, typically as a PKCS#12 file (macOS, Windows, most browsers, etc.).

5: the FortiGate needs a user peer defined with, at minimum, the CA certificate selected; optionally add the CN and subject fields to that PKI peer to scrutinize the user certificate further. With only the CA set, any certificate that CA ever issued satisfies the peer, so pin at least the CN for admin accounts.

6: next you need a user group of type "firewall" with the PKI peers added.

7: finally, set the system admin user names on the FortiGate, enable peer-auth on them and reference the peer group.




Here's a few snapshots of the above actions;



{ defining my PKI details:
  CN plus a second-factor password required (optional but advised) }




You can also define the subject details from the certificate more granularly:



 TIP: use openssl x509 -in user.crt -noout -subject to find the subject details





{ peer-group }







{  cli cfg details for my user }













or


with IE select the correct certificate to present;



Now log in via the HTTPS web GUI, present the certificate and the second-factor password if applied; if you did everything correctly you should be logged in.





Using this approach, you could give your remote contractors a user certificate, or have them supply their own certificate and upload the CA root of its issuer.

If you control the user certificate from your own CA signing structure, you can sign a user certificate for duration XYZ and never have to worry about restricting access at a future date.

You could even sign a certificate for a future date and duration, pre-issue access for a set of users, and know that they can't access the systems until the date is valid. This is great when working with outside consultants or technology partners that need access for projects.

If a certificate is compromised you can pre-empt the access and revoke the certificate, remove the PKI user, or remove the CA root certificate, as options. Keep in mind that revoking at the CA only takes effect if the FortiGate checks a CRL or OCSP responder for that CA; otherwise removing the PKI user or the CA certificate from the FortiGate is what actually stops the login.

 Try to keep your own certificates simple. The subject field can contain just a CN.

e.g







Use the CLI command diagnose debug application httpsd -1 (together with diagnose debug enable) to troubleshoot the login process via the web GUI.

 If the status response is "1" then you have successfully logged in with two factors, the certificate and the password.





Ken Felix


