yurisk.info

Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise


Difference between ebgp-multihop and ttl-security.

Once upon a time, reading some CCIE paper at work, I asked myself a question: "Why would someone bother to invent ttl-security and even write an RFC (http://tools.ietf.org/html/rfc5082) on it when the multi-hop EBGP feature provides the same end result?"
The results of my busy/doing-nothing activity I present here.
First some background. For some (unknown to me) reason BGP peering was envisioned as a TCP connection between directly connected routers, by default. To enforce this design (worth checking the BGP RFCs whether it was actually an obligation) vendors (Cisco, Juniper and even Fortinet) implemented all BGP protocol communication with TTL=1 in the exchanged TCP packets. The logical consequence is that if a router is placed more than 1 hop away from its peer, the BGP session cannot be established. To provide for setups where peers are many hops away the ebgp-multihop feature was introduced: on the configuration level you specify how many hops away the BGP peer is.
What happens in fact is that when you specify such a multi-hop BGP peer the router starts sending BGP packets with TTL equal to the number of hops you set. That means if I set the peer to be 3 hops away and some attacker tries to spoof the legitimate peer's IP but is 4 hops away, the attack won't succeed: my router will receive the spoofed BGP packets fine but will send replies with TTL 3, which expire just 1 hop short of the attacker.
Questionable, but security. So why ttl-security?
This feature indeed enforces that the BGP peer is no more than the given number of hops away. And here comes the difference: it enforces it inbound. It works this way: after you enable ttl-security on the BGP peer session and specify how many hops away this peer is allowed to be, your router
checks the incoming TCP packets from this peer with a simple calculation: the received TTL must be at least 255 minus the configured number of hops (so the peer cannot be farther away than configured). If this holds true your router goes on with establishing the BGP session; if not, the session is shut down. Regarding outgoing TTL values, maybe it is a Cisco-only thing, maybe not, but the moment you enable ttl-security for some BGP peer on Cisco the router itself starts sending BGP-related packets to this peer with an initial TTL of 255. I guess it is logical that if you enforce ttl-security on your side the peering side will want to do the same.

When the TTL rule is broken we see in the debug session:
Dec 27 19:08:04.103: %BGP-4-INCORRECT_TTL: Discarded message with TTL 1 from 124.2.11.15
And the neighbor status is:
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
124.2.11.15 4 13462 33 63 0 0 0 00:04:31 Idle

#sh ip bgp neighbors 124.2.11.15
BGP neighbor is 124.2.11.15, remote AS 13462, external link
BGP version 4, remote router ID 0.0.0.0
BGP state = Closing
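An added model of the two checks in Python, not from the post. Hop counts follow the ebgp-multihop convention (a directly connected peer is 1 hop away, each router in between decrements the TTL once) and the ttl-security check is the RFC 5082 style "received TTL must be at least 255 minus (configured hops minus 1)" rule; the exact vendor arithmetic is an assumption and may differ by one.

```python
# Added model of the two checks, not from the post. Hop counts follow the
# ebgp-multihop convention: a directly connected peer is 1 hop away and each
# router in between decrements the TTL once.
MAX_TTL = 255

def ttl_on_arrival(initial_ttl, hops):
    """TTL the receiver sees after the packet crossed (hops - 1) routers, or None if it expired."""
    ttl = initial_ttl - (hops - 1)
    return ttl if ttl > 0 else None

def multihop_reply_delivered(configured_hops, real_hops):
    """ebgp-multihop N: our replies leave with TTL=N; nothing is checked on inbound packets."""
    return ttl_on_arrival(configured_hops, real_hops) is not None

def ttl_security_accepts(configured_hops, arrived_ttl):
    """ttl-security hops N (RFC 5082 style, assumed): accept only if the packet can have
    crossed at most N hops. A sender cannot start above 255, so it cannot look closer."""
    if arrived_ttl is None:
        return False
    distance = MAX_TTL - arrived_ttl + 1
    return distance <= configured_hops

def scenario(configured_hops, peer_hops, peer_initial_ttl=MAX_TTL):
    """Outcome of both features for a peer (or a spoofer) sitting peer_hops away."""
    arrived = ttl_on_arrival(peer_initial_ttl, peer_hops)
    return {
        "inbound_reaches_us": arrived is not None,
        "multihop_reply_reaches_peer": multihop_reply_delivered(configured_hops, peer_hops),
        "ttl_security_accepts": ttl_security_accepts(configured_hops, arrived),
    }

if __name__ == "__main__":
    print("legit peer 3 hops away:   ", scenario(3, 3))
    print("spoofer 4 hops away:      ", scenario(3, 4))
    # the %BGP-4-INCORRECT_TTL line above: a peer still sending the default TTL 1
    print("peer without ttl-security:", scenario(3, 1, peer_initial_ttl=1))
```

The third case reproduces the "Discarded message with TTL 1" debug line: a peer that has not enabled ttl-security itself is rejected, which is why both sides must enable it.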

VPN client stops working in visitor mode after major update

Yesterday I got asked to check a Checkpoint VPN SecureClient issue. After an upgrade from NGX R65 to R70 the VPN client doesn't connect when Visitor Mode is enabled. The moment you disable Visitor Mode the same client to the same firewall works just fine. This happens
often, so I bring it here. Actually I see it as an "it is a feature, not a bug" case:
after a major upgrade of the firewall, the Management WebGUI (the one you use after a fresh install to run the wizard) listening port is reset to its default value of 443. This in turn prevents any other daemon/service from listening on this port, so Visitor Mode (I guess also SSL Network Extender) will not work.
To fix it you just change the listening port of the WebGUI. Now let's get to the SSH session:
To see the problem:

#lsof -i -n | grep https

cp_http_s 1864 nobody 11u IPv4 14977 TCP *:https (LISTEN)

To fix the problem:

[Expert@fw]# webui disable

Shutting down cp_http_server_wd: [ OK ]

[Expert@fw]# webui enable 4445

Running cp_http_server_wd: [ OK ]

Now the WebGUI will be listening on port 4445, and vpnd, as it should, will be listening on 443:

[Expert@fw]# lsof -i -n | awk '/https/ || /4445/'

vpnd 3564 root 26u IPv4 29060053 TCP *:https (LISTEN)
cp_http_s 10300 nobody 5u IPv4 29100889 TCP *:4445 (LISTEN)

fw monitor add-on

There is something I didn't include in the previous post, the fw monitor command reference, as I think it is rather optional and you can do well without it: tables in filter expressions. INSPECT, the proprietary Checkpoint scripting language on which filter expressions are based, allows creating tables.
I won't delve into INSPECT syntax (for today) but will list the following examples, which you can easily modify to suit your needs.

Legend:
{} – delimit the table
<,> – specify a range of values inside (e.g. <22,25> means from 22 up to 25 inclusive)
ifid – interface identifier

#fw monitor -e "bad_ports = static {22,25,443}; accept dport in bad_ports;"   packets with destination port equal to 22, 25 or 443
#fw monitor -e "bad_ports = static {<22,25>} ; accept dport in bad_ports;"   packets with destination port equal to 22, 23, 24 or 25
#fw monitor -e "bad_ports = static {<22,25>,<80,443>} ; accept dport in bad_ports;"   packets with destination port in the ranges 22-25 or 80-443
#fw monitor -e "bad_nets = static {<194.1.0.0,194.1.255.255>} ;accept src in bad_nets;"   packets originating from the address range 194.1.0.0 – 194.1.255.255
#fw ctl iflist   Here I see the index value of each interface card
0 : Internal
1 : External
#fw monitor -e "bad_nets = static {<194.1.0.0,194.1.255.255>} ;accept src in bad_nets and ifid=0;"   packets originating from the address range 194.1.0.0 – 194.1.255.255 and captured on the interface with index 0 (eth3 here) only
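An added Python example, not from the post and not Checkpoint code: a toy evaluator for exactly the filters listed above. It parses a static table of single values and inclusive <lo,hi> ranges (ports or IPv4 addresses) and evaluates the accept clause, with the optional "and ifid=N", against a packet; it supports nothing else of INSPECT.

```python
# Added example, not Checkpoint code: a toy evaluator for the filters above.
# Supported: 'name = static {v, <lo,hi>, ...}' with ports or IPv4 addresses,
# then 'accept <field> in name' with an optional 'and ifid=N'. Nothing else.
import ipaddress
import re

def _atom(text):
    """Port number or dotted IPv4 address -> int (assumption: only these two forms occur)."""
    text = text.strip()
    return int(text) if text.isdigit() else int(ipaddress.IPv4Address(text))

def parse_static(stmt):
    """'bad_ports = static {22,<80,443>}' -> ('bad_ports', [(22, 22), (80, 443)]); ranges inclusive."""
    m = re.fullmatch(r"\s*(\w+)\s*=\s*static\s*\{(.*)\}\s*", stmt)
    if not m:
        raise ValueError("not a static table: " + stmt)
    ranges = []
    for lo, hi, single in re.findall(r"<([^,<>]+),([^,<>]+)>|([^,<>\s]+)", m.group(2)):
        if single:
            v = _atom(single)
            ranges.append((v, v))
        else:
            ranges.append((_atom(lo), _atom(hi)))
    return m.group(1), ranges

def member(value, ranges):
    """True if a port (int) or IPv4 address (str) falls in any of the table's ranges."""
    v = _atom(value) if isinstance(value, str) else value
    return any(lo <= v <= hi for lo, hi in ranges)

def matches(filter_expr, packet):
    """Evaluate a 'table; accept ...;' filter against a packet dict (keys dport, src, ifid)."""
    table_stmt, accept_stmt = [s.strip() for s in filter_expr.split(";") if s.strip()]
    name, ranges = parse_static(table_stmt)
    m = re.fullmatch(r"accept\s+(\w+)\s+in\s+(\w+)(?:\s+and\s+ifid\s*=\s*(\d+))?", accept_stmt)
    if not m or m.group(2) != name:
        raise ValueError("unsupported accept clause: " + accept_stmt)
    field, ifid = m.group(1), m.group(3)
    if ifid is not None and packet.get("ifid") != int(ifid):
        return False            # wrong interface index: the filter does not match
    return member(packet[field], ranges)

if __name__ == "__main__":
    f = "bad_nets = static {<194.1.0.0,194.1.255.255>} ;accept src in bad_nets and ifid=0;"
    print(matches(f, {"src": "194.1.7.9", "ifid": 0}), matches(f, {"src": "194.1.7.9", "ifid": 1}))
```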

Fortigate firewall demo free access. Also FortiManager and FortiAnalyzer

As someone said, the best things in life are free.
Here are links to the demo Fortigate firewall, FortiAnalyzer and FortiManager, open to access from anywhere, so that you can
familiarize yourself with the management GUI look and feel.
NOTE: Access is read-only.
NOTE 2: No, it is not me being so generous, it's Fortinet caring for us.
Fortigate 300:
user:demo
password: fortigate
fortigate.com
FortiAnalyzer 800:
user:demo
password: fortianalyzer
fortianalyzer.com
FortiManager 400:
user:demo
password: fortimanager
fortimanager.com

Mail alert on ssh login or any other rule hit in Checkpoint

I once, in the SSH login alert post, presented the way to send a mail alert after a successful SSH login to any Linux-based machine, including Checkpoint firewalls. Now, thanks to folks at cpug.org who drew my attention to it, I will show how to get a mail alert on ANY rule in the security rulebase of the firewall, and also a simplified script using Checkpoint's version of sendmail.
First, rule alerts: on any rule in the Security Rulebase you can set its Track column to Mail. Now all hits
on such a rule will send mail alerts to the specified recipient(s) through the specified mail server (Checkpoint doesn't have a mail server of its own). So, if you create a rule that allows access by SSH and set its Track to Mail, each time this rule is used to access the firewall a mail will be sent. The mail server settings are configured in
Policy -> Global Properties -> Log and Alert -> Alert Commands: check "Send mail alert to SmartView Monitor" and "Run mail alert script". In the "Run mail alert script" field set a string of the form:

internal_sendmail -s [subject of the mail] -t [ip of mail server to receive mail goes here] -f [from_who_field_in_mail] [to_whom_send_this_mail]

e.g. internal_sendmail -s SSH_login_alert -t 63.161.169.140 -f yurisk@yurisk.info president@whitehouse.gov

The mail you get on such alert looks like:

6Jan2010  7:29:55 accept fw-tokyo  >External mail rule: 2; rule_uid: {85A905A7-951E-4100-A23A-E280FAAA1D29}; SmartDefense profile: Default_Protection; service_id: ssh; src: my-management-host; dst: fw-tokyo  ; proto: tcp; product: VPN-1 & FireWall-1; service: ssh; s_port: 47145;

NOTE. Some don'ts:
– You can't send to multiple recipients;
– You can't use the IP of the firewall itself as the mail server;
– The mail server you specify should be the one accepting mail for the recipient's address, or be doing
mail relay without authentication. And no, Checkpoint sendmail doesn't support authentication.

Capture packets at IOS Cisco router or finally we have a sniffer

Finally it is here: a built-in sniffer on the Cisco IOS platform! Starting with the IOS 12.4(20) release Cisco introduces a brand new feature
called Embedded Packet Capture (EPC) that allows us to capture raw packets on the Cisco router and then analyze them offline.
It can capture any traffic passing through the router, destined to it, or originated from it. The captured packets are stored in the DRAM
of the router, from where you can upload the capture file via HTTP/SCP/HTTPS/TFTP/FTP anywhere and then dissect it. The capture
is stored in PCAP format, so any protocol dissector will understand this file, including the favorite one, Wireshark/Ethereal.
Now some limitations:
– CEF has to be enabled on the router;
– The capture is stored in DRAM, so you'd better have enough of it;
– While no maximum capture buffer or packet size is stated, I guess it depends on the platform (see tests below);
– IOS has to be 12.4(20) or higher.
Let's now look at the steps to configure the capture on the router and then look at the results.
Configuration involves 5 steps:

  1. Create a named capture buffer in router memory (including filters for what to capture and what not to). Multiple buffers simultaneously are supported;
  2. Create a named capture point; again, multiple capture points active at the same time are possible. Using multiple capture buffers and capture points gives us full flexibility in the process: I can capture packets inbound on the incoming interface into memory buffer A while capturing the same traffic going outbound on the outgoing interface into another buffer B, and this way have a capture of the same traffic at 2 distinct points on the router. Your imagination is the limit here;
  3. Associate capture buffers with capture points;
  4. Start/stop the capture;
  5. Export the captured packets as a PCAP file elsewhere or view them in raw format on the router itself (in case binary is your first language).

Now I will walk through the configuration; all this is done on a Cisco 2821 (250 Mb of DRAM). The IOS is Cisco IOS Software, 2800 Software (C2800NM-IPBASEK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3).
1) Create a named capture buffer in memory. Packets are stored there; as this is DRAM storage, if the router restarts all capture data will be lost. You also specify a filter for which packets are to be captured; if none is given it will capture ALL packets at the
capture point. Not surprisingly, for filtering you use access-lists, standard or extended, named or numbered.

In my testing I am trying to capture all SMTP traffic passing through the interface Giga0/1. Accordingly the ACL for it is:

Eldorado(config)#ip access-list extended MAIL_TEST
Eldorado(config-ext-nacl)#permit tcp any any eq smtp

Now I create the capture buffer in memory:

Eldorado#monitor capture buffer MAIL filter access-list MAIL_TEST

NOTE: For this particular platform (Cisco 2821) the limits and defaults for the buffer are:

Eldorado#monitor capture buffer MAIL size ?
<1-512>  Buffer size in Kbytes : 512K or less (default is 256K)

NOTE 2: The Cisco.com documentation lists options for this and other capture-related commands that give an error when you try to use them.
For example the Command Reference offers an option to configure the length of the packet to be captured (instead of the default 68 bytes):

Eldorado#monitor capture buffer MAIL length
                                          ^
% Invalid input detected at '^' marker.

2) Create the capture point (i.e. where on the router to capture packets):

Eldorado# monitor capture point ip cef GIGA GigabitEthernet0/1 both

Here I specify interface GigabitEthernet0/1 as the point of capture and also set that traffic is to be captured in both directions (or you can use in/out instead).

3) Associate the capture buffer with the capture point (this does not start the capture yet):

Eldorado#monitor capture point associate GIGA MAIL

4) Start capturing packets:

Eldorado#monitor capture point start GIGA

4.1) Stop the capture (optional); you can export the capture in the next step without stopping it:

Eldorado# monitor capture point stop GIGA

5) Export the captured packets as a file to an external server; here I use SCP as the protocol:

Eldorado#monitor capture buffer MAIL export scp://rumba@216.163.142.1:/capture.cap
Writing capture.cap
Password:
Sink: C0644 309346 capture.cap
!!
Eldorado#

– Now you can open the capture file with Wireshark.
That is all there is to it.

Verifying.
– To see the parameters of the capture:

Eldorado#show monitor capture buffer all parameters
 Capture buffer size (linear buffer)
Buffer Size : 262144 bytes, Max Element Size : 68 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Configuration:
monitor capture buffer siz
Capture buffer MAIL (circular buffer)
Buffer Size : 512000 bytes, Max Element Size : 1024 bytes, Packets : 363
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : GIGA, Status : Inactive
Configuration:
monitor capture buffer MAIL size 500 max-size 1024 circular
monitor capture point associate GIGA MAIL
monitor capture buffer MAIL filter access-list MAIL_TEST
Eldorado#  

– Seeing the contents of the captured packets on the router:

# show monitor capture buffer MAIL dump
08:18:59.995 UTC Jan 25 2010 : IPv4 LES CEF    : Gi0/1 None

45514C50:                            002414F7              .$.w
[hex dump of the rest of the packet, garbled in this copy of the page]


08:19:00.699 UTC Jan 25 2010 : IPv4 LES CEF    : Gi0/1 None

45514C50:                            002414F7              .$.w
[hex dump garbled in this copy of the page; its ASCII column ends with the SMTP greeting "EHLO smtp02.bis.eu.blackberry.com"]
45514CB0: 636F6D0D 0A00                        com...

Enabling antispam or antivirus on the Checkpoint gateway blocks smtp or http traffic

Recently I was unpleasantly presented with an "it is not a bug, it is a feature" case with Checkpoint.
There was a UTM with a valid TS (Total Security) license that includes the antivirus and antispam services the client paid for and even asked to enable. So far so good. As part of the routine I checked the Antivirus and Antispam features in the Gateway properties, in Content Inspection picked this UTM as enforcing the Antispam/Antivirus policy, installed the policy and... got a call from the client that they can't send/receive mail. In SmartView Tracker I saw an invalid license error (the cleverest disguise Checkpoint could come up with); on the command line fw monitor proved that connections to port 25 arrive perfectly and pass the pre/post inbound inspection points, but then nothing happens. Trying to telnet to port 25 on the external IP of the mail server got me an open session, then the connection was reset.
Only with the help of Checkpoint support (who were actually surprised that after all these years with their
product I hadn't seen this "feature" yet) did I find that the issue is a known one, caused by the MANUAL NAT rule I had created to represent the mail server in the LAN. ANY security server inside Checkpoint has to
know, from the security rules or from the object properties, the server's IP before and after NAT. Of course this info is
not to be found in any guide.
So to fix the situation you have to either:

  • replace the manual NAT rules with automatic ones;
  • in the security rules relevant to the server in question use BOTH the internal and the external IP (that is
    what I did and it has worked ever since; see the screenshot below).

I made the rules similar to this:
(screenshot: rulebase for the SMTP server inside)

NB: there are SecureKnowledge articles on it:
sk34862
sk32198

PS: I talk here about SMTP, but enabling Antivirus for a web server in the LAN with static NAT will have the same
devastating result.


© 2016 yurisk.info
