Monday, October 30, 2017

Juniper SRX zonetoglobal address tool

Within  Junos & the SRX, you can defined firewall.adr,objects aka addressbook zone or globally. Previous OS version usedd the zone concept but the default now is the global method.

advantages with global method;

  •  you can reduce any  duplicates
  •  use address in ANY zone
  •  and in  any direction
  •  less maintenance when you need to change or update a address

The following link  has a tool for conversion of  address to global

https://github.com/scottdware/zone2global/blob/master/zone2global.go

YMMV

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 


        /  \

HOWTO do passwordless login juniperSRX

In this blog I will show you how the JuniperSRX  admin can enabled  ssh login with no passwords.

1:  First require the admin users to  send you a copy of the  rsa_pub.id key ( public ssh key )

2:  from within  the   Junos cli and the shell,  vi a new filename and paste the  ssh key in that file.








3: paste in the key and save the file so you can use it later in the cli configuration.


4: Now set the user login authentication to be  authentication load-key and specify the previous saved file.









5: The full configuration would look similar  to the following;

  
 The beauty of this approach, you can use  enc-password or  ssh-key. So if your user  keys are lost or changed,  you can  still login , but with a password.


Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 


        /  \




Tuesday, October 24, 2017

building HTTP PKP header for insert thru a f5 LTM_POLICY

Here's a quick means for inserting HTTP PubkeyPining  via a F5 LTM POLICY. This process is very simple and if you have experience with f5 and PKP it quite trivial to setup.



Public-Key-Pins is a header response that's sent to the http-client that list the  pubkey hash(es) in the certificate-chain . It suppose to provide protection if a rogue  certificate is used  or changed on web-server.
 https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning

The headers looks similar to  the following;




How much of a benefit this header provides is limited and subjective to one's opinion. It can boost the  website security rating if one is present.

!!!!!!!!!!!!!!It can also break you if you deploy it wrong or poorly!!!!!!!!!!


1st steps

 You need to define sha256  public-key hash. Ideally you will  hash the current  server-certificate public-key plus one  backup-key.


or


Hash the  current server-certificate pubkey and one of the intermediate plus  one backup



The ideal behind the backup key can  follow this simple logic

If the current-certificate  is  compromise, you  use the  new private-key to  generate a  new CSR,
since the  new CSR will have the  twin of the public-key that's already added to your HTTP PKP header, you can transparently  switch out certificates and not impact a end-user that has hash the  sha256 PKP



!!!!!  protect the backup key  it's just as critical as the primary active key !!!!!




 To hash an existing certificate you can use any of the  following;

Ken recommends SSLLAB

The ssllab "the server check  shows the  expect hash" in the CA-chain









 All certificate chain will have the hash computed , ssllab make it's so easy and requires very little work to hash the current  chain




If you want an alternative use the HTTP PKP hash generator located at https://report-uri.io/home/pkp_hash



 
It will output all  hash for all certificate in the current chain to a output similar to below;





again  all parts of the chain certificate at that time,  will have the correct sha256 hashes generated !



Okay up to  this point your almost done. Now to properly run HTTP PKP , you will need a backup pubkey.  So you have to be creative.


 You could do any of the following;


1: craft a RSA key { keysize 2048 }  and extract the pubkey



2:  Generate a new rsa key along with a csr and just hold on to the CSR. Extract the  pubkey from the new yet signed CSR 


After you have the pubkey for the backup key you will need to convert it to a sha256 hash using openssl, again  openssl is  good tool for SSL.


And  then you can format the header in a format similar to the following;







Now on the F5-LTM it's really easy to apply the HTTP PKP  header by using a  F5 LTM_POLICY


STEPS:

1: build a named policy
2: match on the expected  "Host_Header" for the site  to ensure that the  PKP header is appended for just that  WEBSITE
3: apply the Public-Key-Pin header and ENSURE you set it as a HTTP RESPONSE 


responses goes back to  the webclient and requests  goes to the web-server




when building the header in LTM_POLICY for the pin-sha256 you need to pre-pend    "/" before the " marks, the resulting Public-Key-Pins header does not have the "" around the  hash it will not pass the checks.
 

Ensure you apply the new LTM_POLICY after publishing it under the  Virtual-Server that supports that website.

 


Use ssllab or report-uri-io to review headers and read the funny blog on the numerous wrong  formats  or incorrectly deployed PKP  headers,  for a laugh ;)








HEADER analyzer



Here's a few errors,  if you should get it all wrong;






Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \

Tuesday, October 17, 2017

HOWTO find certificates issued against your domain

CT certificate transparency is a means for the CA issued certificate to be logged  indirectly for transparency. This can be used to alert for  certificate issued against your domain without knowledge.

e.g

A rogue site installed  masking as yourdomain.com



A cool means for finding any certificates issue against your domain is to use crt.sh  site.

Here's a quick snippet of certificates issued against fortinet.com

NOTE: use the % sign before the domainname for a any search






You can even used this when doing PKI audit and forensic. Here's a site that had a certificate revoke




If you drill-in on id 165913200 you can get the revocation date  & when it was logged


crt.sh is very simple to use,  and can help provide  information for tracking , incident investigate and plain auditing for your domain(s) and x509 certificates.

You can find out details that  include

  •  previous/current certificates
  • the CAissuer that was used
  • lifetime-expiration details
  • revocation details and type
  • cert details ( sha fingerprint, pubkey,key size,etc......)


It's very hard to hide anything from certification-transparency


Ken

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \

Friday, October 13, 2017

F5 DTLS edgeclient sslvpn

In this blog we will look at  DTLS setup for a F5 APM access-policy &  for remote-sslvpn clients.

To enable DTLS, you need to craft virtual-server and enabled  the  protocol UDP. Also within the Access Policy you have to enable the DTLS option.  The port you enable in the access-policy network-access  settings,  must match the virtual-server configuration for the destination-address.


Here's a simple Virtual-Server for support DTLS using the  connection profile

Notice: protocol UDP  and port 4433











The apm policy network resource needs the DTLS check box enabled and the defined service port which should match the ltm virtual server  service-port.  { access-policy > network-access > setting  }




If you monitor the  client access details from  the tmsh,  you will see no reference to  DTLS v1.0 being used directly.

e.g










But  to validate DTLS usage ,    monitor  the  statistics for the  ltm  profile  client-ssl profile, use the  grep to-match on DTLS.


or;



When the edeg-client connect you will see the   edge-client statistics listing the connect as DTLS and the  cipher that's  in use for the session.




And the apm log message will display a output that's similar  when a client negotiates  a DTLS v1.0 connection.






  • if the client can't negotiate DTLS the  client will falback to  TLS.
  • beware of any forward proxies preventing   DTLS negotiation for port  4433 and udp
  • any local and remote firewall could prevent access to port udp.port == 4433
  •  initial contact is via  TLS but if the APM and client negotiate  DTLS the  data path will be switched to DTLS.





Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 


        /  \




Monday, October 2, 2017

HOWTO disable CBC ciphers in JunosSRX for SSH

JunOS
Version 15.1X49-D50.3

Here's how to disable chain-block mode ciphers for SSHv2 in JunOS. This quick howto will show you how to disable  sshv2 cipher  in JunOS SRX


You can disable these in  the cli using the following commands.

 



And then test  for allowance of CBC after re-configuring.







That's all that's required to locked down the JunosSRX firewall  from weaker SSH ciphers. You would think by now the security vendors would set the default to be CTR based ciphers and require you to actually enable CBC mode if so desired.

read more here in one of my previous blog;

http://socpuppet.blogspot.com/2013/04/ssh-and-ciphers-tipstricks.html



Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 


        /  \

how to use unix sleep in IOS-XE

In order to pause { sleep } you have to enable the term shell option in the IOS-XE terminal


e.g

term shell
sleep 30 ; show clock ; dir bootflash:

The above would wait 30sec  before execution of  the show clock  and dir bootflash cmds

You can use these command to execute certain function at a set time or with a delay.




Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 


        /  \

FortiOS FQDN address objects blues

Playing around with long DNS name and  FQDN objects I found  a issue.

1> when trying to delete a FQDN object under 5.2.11, the appliance would NOT allow me to delete it


2>  the cache-tty value in the address book was set to a low number;


3> The NS hosting this   FQDN was change and the update was pushed but the fortigate cache-ttl did not refresh immediately.



So the  address.object should have picked up the 1.1.1.12 address.



Ken



 
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 


        /  \




HOWTO eliminate CBC ssh ciphers cisco IOS-XE

In order to locked down SSH accesss here's a few tips for execution. CBC ciphers should be eliminate and replaced with  CTR ciphers.

In various  cisco IOS devices this is quite easy todo;

( sample   cfg )


config term
ip ssh logging events
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
!
ip access-list standard SSHACCESS
 permit 10.13.1.0 0.0.0.255
 permit 10.12.22.0  0.0.0.255
 remark " PLACE MANAGEMENT NETWORKS HERE"
!



line vty 0 97
 session-timeout 10
 access-class SSHACCESS in vrf-also
 exec-timeout 30 0
 logging synchronous
 length 0
 transport input ssh
 transport output none

~                    


     Use the  vrf-also if you are running  VRFs.


Run  a open ssh client with the verbose  -v  switch and supply inferiors CBC ciphers and ensure they are not allowed.


e.g  testing a ASR  for  support of a CBC cipher








 
 
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 


        /  \