yurisk.info

Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise

Page 11 of 24

How come assigning a VPN user to a specific group takes just one command but no one does it?

Group locking, as Cisco calls it, has been available since the ancient IOS 12.2(13)T (circa 2003), and still most of the client VPN server setups I see at most use different VPN groups for different privilege levels and blissfully ignore the fact that all it takes to get more privileged access is to know the pre-shared key of the other VPN group. And believe me, that is not hard when the group pre-shared key (PSK) is known to half of the company. So if you happen to stumble on this post, bear with me and let’s fast forward from the accepted practices of the 90’s to 2010.
Below are the possible ways to lock users connecting to a Cisco device (IOS router and ASA, to be precise) to predefined VPN groups, and to do it forcefully, so that even if the end user knows the PSK of another VPN group she won’t be able to connect with it.

Case 1. Cisco IOS router acting as Ezvpn server, users are authenticated locally by the router. Let’s name them: the group is JUNIPER, the local user is John.Chambers, and we want to confine this user to this group forever.
Enable group locking for the specific group (don’t forget to do the same for all VPN groups):

R1(config)#crypto isakmp client configuration group JUNIPER
R1(config-isakmp-group)#group-lock

Now restrict the user so that it can use this group only. For that you have to reconfigure the user to look like the username followed by a delimiter (which can be any of @, %, /, \) and then the group name; to be concrete:

R1(config)#username John.Chambers@JUNIPER secret Idontworkforsalaryanymore

From now on user John.Chambers will be able to authenticate with the Cisco only as John.Chambers@JUNIPER. It overrides any already existing user for VPN connections, that is, if there is already a user John.Chambers, it will not be able to connect with the group JUNIPER. On the other hand, anyone getting hold of the PSK of the VPN group JUNIPER will fail authentication if the user is not explicitly reconfigured in the new format.
Case 2. Cisco IOS router, users are authenticated using an external Radius server. Unlike local authentication, with Radius you create the user as usual, John.Chambers, but then assign it in the settings a cisco-av-pair attribute called user-vpn-group, like this:
ipsec:user-vpn-group=JUNIPER
Case 3. ASA, local username authentication.
No fancy username/group configuration here, you just lock the username to a group under the general attributes of the user.

ASA1(config)# username John.Chambers password Idontworkforsalaryanymore
ASA1(config)# username John.Chambers attributes
ASA1(config-username)# group-lock value JUNIPER

Case 4. ASA Radius authentication.
Here also the VPN group is forced in the user settings using the following attribute:
[3076\085] Tunnel-Group-Lock JUNIPER

Turn the Checkpoint firewall into network-neutral router and do it in 2 minutes. Time starts now !!

It was a rather unusual request from a client who, for whatever reasons, asked me to “shut down the Checkpoint firewall”. What? “Shut down, you know, so that it just passes the traffic from interface to interface by its routing table, no checking; also I need to add a few routes on the way, okay?” The allocated downtime was up to a few minutes, so I understood that no testing/rollback/etc. could be done beforehand, but I did what I knew and it actually worked. Here are the things I changed.
Shut down Checkpoint with #cpstop. I looked for ways to shut down the firewall kernel module completely but didn’t find one, so I warned the client that if someone restarts the machine all is screwed.
The following settings I set in the file /etc/sysctl.conf and after saving the changes activated them with #sysctl -p:
net.ipv4.conf.default.rp_filter = 0 // Disable RPF checks; for some reason it blocked routed networks and the time limit of 2 minutes didn’t allow debugging.
net.ipv4.ip_forward = 1 // Enable routing
net.ipv4.conf.default.arp_filter = 0 // Disable ARP filtering, meaningful with networks that are reachable through multiple interfaces; that wasn’t the case here, it is just to make sure.
net.ipv4.conf.all.arp_filter = 0

Few questions you will most probably hear on your next job interview.

Lately, for whatever reason it may be, many of my friends/colleagues/acquaintances switched jobs, and mostly because they wanted to. Hearing their accounts of the job search, I catch myself noticing that while the offered positions and employers differ, there are ever-returning themes/questions that arise in job interviews pretty much universally.
So here I bring a compendium of these questions, planning to update it as I hear new stories.

Tell us about something at your current job that you did and it made you proud of yourself …
Bring us an example or few of initiatives you took at the current/previous job …

This probably tests that you actually have had some initiatives worth mentioning, or in other words: did you do something productive that didn’t come directly from your manager’s request?

What was the highest sign of appreciation you earned at the current/previous job and what was the cause? …

They mean beyond the paycheck you got every month, or in other words: did someone notice that you actually quit the job?

Usage/Case studies .

This is rather a metacategory and will include slightly different subjects depending on the sought title. I will bring united cases for the 2 titles, in enterprise networking and security.
Networking.

We are an Internet-enabled and reliant company. What are the key factors in designing network topology and connectivity and how do you suggest implementing them?

Key words here: redundancy, reliability of connection, cost saving in managing the lines’ utilization.
How do you implement this:
Redundancy in Internet connectivity (different ISPs and infrastructure types with possible hot failover, routing advertisements of your IPs if you have them [BGP]).
Redundancy in network equipment (HSRP and VRRP for standby routers, Etherchannel for Cisco switches). Proprietary clustering implementations by some vendors (3COM, HP, Checkpoint firewalls – you think you can escape it?).
Line utilization management – maximize the bits-for-bucks ratio using traffic management or load balancing solutions like F5 Big-IP with the Link Controller module for accessing the Internet, or, if some web servers are hosted on the company premises, then also using the Local/Global Traffic Manager modules. On the cheaper side, Radware load balancers like Linkproof for Internet access and Appdirector for web servers will do the job.
Implementing a DRP procedure – remote hosting of database backups.
Security.

We are an Internet-connected and publicly traded company that should safeguard against external and internal threats; what key factors in fulfilling this requirement would you list? What would the actual implementation be?

Key factors:

  • Security in depth.
  • Accountability for security-related events in the company.
  • Ability to comply with external audit/standards requirements.
  • Data Leak/Lost Protection/Prevention (everyone says it differently anyway).
  • Ability to sustain determined and targeted external attacks.

How would you implement this?
Perimeter security with Checkpoint firewall(s), possibly with clustering for reliability.
Central log and event correlation and management system (ArcSight).
If there are web servers to be protected, then a Web Application Firewall – say Imperva.
For DLP – Websense/Symantec, or maybe EMC Documentum as part of a more comprehensive task. Also endpoint data encryption – Symantec.
Antivirus of course by default – Symantec or McAfee.
To thwart and detect dedicated and highly skilled attacks an IPS will be appropriate. Say McAfee or Tipping Point.
Regarding compliance, usually people don’t mean to examine you on every point of the PCI requirements, but at least awareness of such standards is expected.
That is all I could remember from the stories told so far. As I hear new ones I will update this post.
Cheers.

Number of connected SecureClient or Secureremote users

Here is how to see the number of users connected to the gateway. Nothing special/interesting, and I am sure it is to be found somewhere in the SecureKnowledgeBase, but with the recent licensing improvements people ask a lot about that.

# fw tab -t userc_users -s
HOST NAME ID #VALS #PEAK #SLINKS
localhost userc_users 73 1 3 0

Turn netconf.C routes into linux route command

I must confess that I prefer good solutions today over perfect solutions tomorrow.
So when the need arose to do a script that takes netconf.C and transforms all the
route statements in it to the general Linux form of “route add xxx”, I did the one-liner you can see below. The script looks ugly and sketchy but it works. For those preferring perfect solutions, check the website Monkey with a gun that has a script to manage many networking settings of SPLAT. I haven’t tried it myself though, but it looks like a serious investment of time and effort.

awk ' (/dest/ || /via/) && ! /127.0.0.0/ ' /etc/sysconfig/netconf.C | sed 's/[():]/ /g' | sed ' s/^.* via/ gw/' | sed ' s/^.*dest / route add -net /' | awk ' {if($0~/\/32/) { gsub(/-net/,"-host "); print} else print} '| awk ' {if(NR % 2 == 1) {gsub(/$/," "); printf($0)} else print} '

After you run it you will get something like this on stdout:

route add -net "192.168.9.0/22" gw 10.20.20.6
route add -net "172.16.11.0/24" gw 10.20.20.6
route add -net "172.16.12.0/24" gw 10.20.20.6
route add -net "172.16.13.0/24" gw 10.20.20.6
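The same conversion as the one-liner above, written out as an added example (mine, not the post’s script) so the edge cases are explicit: dest/via pairs are matched per block in either order, the quotes around the destination are stripped, a /32 becomes a -host route without the prefix, and the loopback entry is skipped. The netconf.C snippet is constructed and its format (":dest (...)" and ":via (...)" inside ": ( ... )" blocks) is an assumption.

```python
import re

# Constructed sample in the shape of SPLAT's netconf.C route section
# (assumed format: ":dest (...)" and ":via (...)" pairs inside ": ( ... )" blocks).
SAMPLE_NETCONF = """\
:routes (
    : (
        :dest ("127.0.0.0/8")
        :via (127.0.0.1)
    )
    : (
        :dest ("192.168.9.0/22")
        :via (10.20.20.6)
    )
    : (
        :via (10.20.20.6)
        :dest ("10.9.9.9/32")
    )
)
"""

# Matches ':dest ("x")', ':dest (x)' and ':via (x)'; group 2 is the value without quotes.
ENTRY_RE = re.compile(r':(dest|via)\s*\(\s*"?([^")\s]+)"?\s*\)')

def netconf_routes(text):
    """Return one 'route add ...' command per dest/via block, skipping loopback."""
    commands = []
    dest = via = None
    for line in text.splitlines():
        if line.strip() == ": (":          # new block: forget any half-read pair
            dest = via = None
            continue
        m = ENTRY_RE.search(line)
        if not m:
            continue
        if m.group(1) == "dest":
            dest = m.group(2)
        else:
            via = m.group(2)
        if dest and via:                   # complete pair, in either order
            if not dest.startswith("127."):
                net, _, plen = dest.partition("/")
                if plen == "32":           # single address: -host, no prefix
                    commands.append(f"route add -host {net} gw {via}")
                else:
                    commands.append(f"route add -net {dest} gw {via}")
            dest = via = None
    return commands
```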

snmp-map in ASA is for passing through traffic only

I don’t know who to blame, me for not being attentive or the Cisco documentation for being vague, but when I read about the snmp-map inspection that allows you to block selectively by SNMP version, I decided it was the way to protect the ASA itself from such queries. And only with the help of the Netpro forum at Cisco.com did I learn that this feature is designed to inspect the SNMP traffic that passes THROUGH the ASA, not traffic destined to the ASA itself.
So if you want to limit which version of SNMP the ASA will use to answer queries, use the usual snmp-server host …
For those who do want to block SNMP of, say, versions 1 and 2c passing through the ASA, here is how:

Louvre(config)#   snmp-map no-v1or2-here
deny version 1
deny version 2c

Now define with an access-list what traffic to inspect; you may use specific IPs or just the general SNMP ports, udp 161 and 162:

Louvre#  sh run access-list no-v1or2-here
access-list no-v1or2-here extended permit udp any any eq snmptrap
access-list no-v1or2-here extended permit udp any any eq snmp

Bind ACL to class-map:

Louvre(config)#  class-map snmp-block-v2or1
match access-list no-v1or2-here

Use the class-map in a policy map, enabling the snmp-map inspection:

Louvre(config)#  policy-map no-snmp-v2or1
class snmp-block-v2or1
inspect snmp no-v1or2-here

And finally apply the policy map on some interface:

Louvre(config)#  service-policy no-snmp-v2or1 interface outside

ASA 8.2 now speaks SNMP v3 decently

This article is all about SNMP in the ASA. The ASA has far fewer configuration options than IOS does, and this is good. Starting with version 8.2 the ASA supports version 3 of the SNMP protocol, which adds a new security model to the whole SNMP stack. But first we will start with the old-fashioned SNMP v2c (c is for ‘community’). It takes about 15 secs to do it:

snmp-server location “935 Pennsylvania Avenue, NW”
snmp-server contact “Don’t call us we’ll call you”
snmp-server community *****    // Note this community will be used if more specific one isn’t given per host
snmp-server enable traps snmp authentication linkup linkdown coldstart   //specific traps
snmp-server enable    // you enable server
snmp-server listen-port 161   // in case you want to change, who knows …
snmp-server host outside 195.95.193.8 community ****** version 1 udp-port 162     // only now is SNMP polling enabled, and only from the given host; traps are sent to the SNMP management station (195.95.193.8) with version 1 on port 162
no snmp-server enable traps ipsec start stop    // To disable specific traps

As you already know, this setup exchanges community strings in clear text and no packet is cryptographically authenticated/verified. What a shame for an “Adaptive Security Appliance”. The fix is on the way. It is called SNMP v3 and has 3 security levels to choose from:
noAuthNoPriv – packets are neither authenticated nor encrypted. Basically the model used so far by SNMP v1 and v2c – everything in clear text.
authNoPriv – packets are authenticated, that is, the user is sent in clear text but its password is not, using a (configurable) MD5 or SHA algorithm.
authPriv – the highest level, all SNMP packets are both authenticated using MD5 or SHA and their content is encrypted with the DES/3DES/AES (128, 192, 256) algorithm.
Using the list above let’s configure our ASA for each level.
General steps:

  • Configure an snmp-server group for every security level you want to use;
  • Create a user for each security level you want to use and assign it to the snmp-server group of your choice;
  • Create the usual snmp-server host entry, but adding version 3 and the username to be used by this host. NOTE: you can have only one such command per host, but no matter which of the 3 security levels you specify in this command, it will allow the other 2 to be used in querying as well.

noAuthNoPriv.

snmp-server group v3-noauth v3 noauth
snmp-server user Jambo v3-noauth v3
snmp-server host outside 199.252.47.11 version 3 Jambo

Querying the ASA:

snmpwalk -v 3 -u Jambo -l noauthnopriv 155.7.145.89

authNoPriv.

snmp-server group V3-auth v3 auth
snmp-server user AUTH V3-auth v3 auth md5 12345678

The minimum password length is 8, and while the ASA seems not to care, it is a violation and snmpwalk will complain about a password shorter than 8 and bail out.
snmp-server host outside 199.252.47.11 version 3 AUTH

Querying the ASA:

snmpwalk -v 3 -u AUTH -a md5 -A 12345678 -l authnopriv 155.7.145.89

authPriv.
Here everything will be encrypted.

snmp-server group v3-priv v3 priv
snmp-server user very_secure v3-priv v3 auth md5 12345678 priv aes 128 12345678
snmp-server host outside 199.252.47.11 version 3 very_secure

N.B. To my surprise there is no such thing as debug snmp. Actually it does exist, but entering this command gives no error and produces no debug either.
Noticed by the way: in the logs you can see all the passwords you entered while configuring SNMP, not very secure I would rather say.

(config)# sh log | grep snmp
%ASA-5-111008: User ‘enable_15’ executed the ‘snmp-server user AUTH V3-auth v3 auth md5 12345678’ command.
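An added example (mine, not from the posts) that audits a saved config for the two weaknesses described in Case 1 of the group-locking post and in the SNMP v3 post above: Ezvpn groups without group-lock, users without the user@GROUP form, snmp-server host lines still polled with a community, and v3 users whose group is below priv (which, as noted, the host line does not prevent). The config text is constructed from the command syntax shown on this page; the PSK and community values are placeholders.

```python
import re
# Constructed config mixing the IOS Ezvpn group from Case 1 with the ASA SNMP
# lines from the SNMP v3 post (sample only, not a real device's config).
SAMPLE_CONFIG = """\
crypto isakmp client configuration group JUNIPER
 key PLACEHOLDER_PSK
 group-lock
crypto isakmp client configuration group CISCO
 key PLACEHOLDER_PSK
username John.Chambers@JUNIPER secret Idontworkforsalaryanymore
username Jane.Doe secret PLACEHOLDER
snmp-server group v3-noauth v3 noauth
snmp-server group v3-priv v3 priv
snmp-server user Jambo v3-noauth v3
snmp-server user very_secure v3-priv v3 auth md5 12345678 priv aes 128 12345678
snmp-server host outside 195.95.193.8 community PLACEHOLDER version 1 udp-port 162
snmp-server host outside 199.252.47.11 version 3 very_secure
"""

def audit(config):
    """Return human-readable findings for the weaknesses the two posts describe."""
    findings = []
    # 1. Every Ezvpn group needs group-lock, and every VPN user must carry the
    #    user@GROUP form, otherwise knowing another group's PSK is enough.
    group, locked = None, {}
    for line in config.splitlines():
        m = re.match(r"crypto isakmp client configuration group (\S+)", line)
        if m:
            group = m.group(1)
            locked[group] = False
        elif group and line.startswith(" "):
            locked[group] |= line.strip() == "group-lock"
        else:
            group = None                      # left the group block
    findings += [f"VPN group {g} has no group-lock" for g, ok in locked.items() if not ok]
    for user in re.findall(r"^username (\S+) ", config, re.M):
        if not re.search(r"[@%/\\]", user):  # no delimiter: not bound to a group
            findings.append(f"user {user} is not locked to a VPN group")
    # 2. SNMP: community-based hosts are clear text, and any v3 user in a
    #    noauth/auth group is usable no matter which level the host line names.
    level = dict(re.findall(r"^snmp-server group (\S+) v3 (\S+)", config, re.M))
    for user, grp in re.findall(r"^snmp-server user (\S+) (\S+) v3", config, re.M):
        if level.get(grp) != "priv":
            findings.append(f"SNMP v3 user {user} allows level {level.get(grp)}")
    for host, rest in re.findall(r"^snmp-server host \S+ (\S+) (.*)$", config, re.M):
        if "community" in rest:
            findings.append(f"SNMP host {host} is polled with a v1/v2c community")
    return findings
```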

© 2016 yurisk.info
