Friday, January 9, 2015

Aria and SEED as alternatives to AES

Two additional ciphers that are not as widely known, but are available for IPsec, were defined by a Korean group: ARIA and SEED, both of which are block ciphers. I believe these don't fall under the US munitions export restrictions nor have restrictions on export.

Like AES, they are built around a 128-bit block size, with key sizes of 128, 192 or 256 bits for ARIA and a 128-bit key for SEED. I only know of one commercial firewall vendor that supports these ciphers: Fortinet.

To determine if your firewall supports these ciphers, use the CLI command diag vpn ipsec status

( fortigate without-support )

( fortigate with support )




Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
        o 
       /  \

Thursday, January 8, 2015

DH-groups sizes and reccommendations for ipsec

The table below lists the DH group options from weakest to strongest. You should strive to avoid Diffie-Hellman group 1 or 2.

If you use PFS, remember to set the DH group options in your IPsec phase 2 proposals.

Keep in mind that the DH group proposal is used during the key exchange and determines the strength of the key agreed in the key exchange process. Higher DH group numbers are more secure, but require additional time to compute the key during the key exchange.

Which DH group you use will be determined by numerous factors such as:

  • the far-end device's compatibility
  • your company's defined security policy (various banks and government businesses like to set minimum support levels and have committees for when they need exemptions)
  • and how paranoid you are!




Elliptic curve Diffie-Hellman is always better, but it is not supported on a lot of devices.

During the IKE key exchange, Diffie-Hellman is used to agree on the key securely over an untrusted network such as the internet.
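As an added example (not from the original posts, and not Fortinet code), here is a small linter that reads a FortiOS-style phase1/phase2 config dump and flags the DH-group problems the DH post warns about: group 1, 2 or 5 offered in a phase 1 proposal, and PFS enabled in phase 2 without an explicit dhgrp. It also lists the cipher families named in the phase 1 proposals, which is where the ARIA/SEED ciphers from the post above would show up. The config text, the tunnel names, and the proposal strings such as aria256-sha256 are constructed and assumed to follow FortiOS naming; the group sizes come from RFC 2409, RFC 3526 and RFC 5903.

```python
"""Lint IKE/IPsec DH-group choices in a FortiOS-style config dump.

Added example for this blog, not FortiGate code. SAMPLE_CONFIG is constructed,
the tunnel names are made up, and the proposal strings (aes256-sha256,
aria256-sha256, ...) are assumed to follow FortiOS naming.
"""

# Modulus / curve size of the common IKE DH groups (RFC 2409, RFC 3526, RFC 5903).
DH_GROUPS = {
    1: ("MODP", 768),
    2: ("MODP", 1024),
    5: ("MODP", 1536),
    14: ("MODP", 2048),
    15: ("MODP", 3072),
    16: ("MODP", 4096),
    19: ("ECP", 256),
    20: ("ECP", 384),
    21: ("ECP", 521),
}
MIN_MODP_BITS = 2048   # anything smaller (groups 1, 2, 5) is flagged
MIN_ECP_BITS = 256

SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "branch-a"
        set proposal aes256-sha256 aria256-sha256
        set dhgrp 2 14
    next
    edit "branch-b"
        set proposal aes128-sha1
        set dhgrp 19 20
    next
end
config vpn ipsec phase2-interface
    edit "branch-a-p2"
        set phase1name "branch-a"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
    next
    edit "branch-b-p2"
        set phase1name "branch-b"
        set proposal aes128-sha1
        set pfs enable
    next
end
"""


def parse_fortios(text):
    """Return {section: {entry: {setting: [values]}}} from a config/edit/set dump."""
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
            sections[section] = {}
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            sections[section][entry] = {}
        elif line.startswith("set "):
            key, _, rest = line[len("set "):].partition(" ")
            sections[section][entry][key] = rest.replace('"', "").split()
        elif line == "next":
            entry = None
        elif line == "end":
            section = None
    return sections


def is_weak(group):
    """True below the 2048-bit MODP / 256-bit ECP floor, or for groups not in the table."""
    kind, bits = DH_GROUPS.get(group, ("unknown", 0))
    if kind == "MODP":
        return bits < MIN_MODP_BITS
    if kind == "ECP":
        return bits < MIN_ECP_BITS
    return True   # unknown to this table: needs a human look


def ciphers_offered(text):
    """Cipher families (aes256, aria256, seed, ...) named in any phase 1 proposal."""
    cfg = parse_fortios(text)
    names = set()
    for settings in cfg.get("vpn ipsec phase1-interface", {}).values():
        for prop in settings.get("proposal", []):
            names.add(prop.split("-")[0])
    return names


def check_tunnels(text):
    """Return (tunnel, message) findings for weak DH groups and PFS without dhgrp."""
    cfg = parse_fortios(text)
    findings = []
    for name, s in cfg.get("vpn ipsec phase1-interface", {}).items():
        for g in map(int, s.get("dhgrp", [])):
            if is_weak(g):
                kind, bits = DH_GROUPS.get(g, ("unknown", 0))
                findings.append((name, f"phase1 offers weak DH group {g} ({kind} {bits}-bit)"))
    for name, s in cfg.get("vpn ipsec phase2-interface", {}).items():
        if s.get("pfs", ["disable"])[0] != "enable":
            continue
        if "dhgrp" not in s:
            findings.append((name, "PFS enabled but no dhgrp set; set the group explicitly"))
            continue
        for g in map(int, s["dhgrp"]):
            if is_weak(g):
                findings.append((name, f"phase2 PFS uses weak DH group {g}"))
    return findings


if __name__ == "__main__":
    print("ciphers:", sorted(ciphers_offered(SAMPLE_CONFIG)))
    for tunnel, msg in check_tunnels(SAMPLE_CONFIG):
        print(f"{tunnel}: {msg}")
```

Run against the constructed config it reports branch-a for offering group 2 and branch-b-p2 for enabling PFS without naming a group; everything else passes. Feed it the output of "show vpn ipsec phase1-interface" and "show vpn ipsec phase2-interface" from your own box to get the same report.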



ZoneBasedFirewall Huawei Eudemon

The Huawei Eudemon firewall meets the true definition of a zone-based firewall.

It's similar to NetScreen/SRX/Palo Alto and uses a combination of ZBF features such as security zone concepts and ACLs.

In this example, we will build a basic classic three-zone security design (untrust/dmz/trust) and assign interfaces to the zones:

zone = untrust ( public internet )
zone = trust ( inside )
zone = dmz ( dmz services )

1st we build the interfaces:



interface GigabitEthernet0/0/0
 description UNTRUSTED
 ip address 192.0.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 description TRUST-zone
 ip address 192.168.100.1 255.255.255.0
 vrrp vrid 11 virtual-ip 192.168.100.254 master
#
interface GigabitEthernet0/0/2
 description DMZprimario
 ip address 192.168.101.1 255.255.255.0
 vrrp vrid 12 virtual-ip 192.168.101.254 master
#


Next we assign the interfaces to our zones (the lower the priority, the less trusted the zone):


firewall zone untrust
 add interface GigabitEthernet0/0/0
 set priority 5
#
firewall zone trust
 add interface GigabitEthernet0/0/1
 set priority 100
#
firewall zone dmz
 add interface GigabitEthernet0/0/2
 set priority 50
#


Finally we add the few misc items: the default route, address sets, interzone policies and the source NAT for the LAN:


ip route-static 0.0.0.0 0.0.0.0 192.0.2.254 description uplink_to_world
#
ip address-set LAN1 type group
 description LANnetwork
 address 0 192.168.100.0 mask 24
#
ip address-set DMZ1 type group
 description DMZnetwork
 address 0 192.168.101.0 mask 24
#
policy interzone trust untrust outbound
 policy 0
  action permit
  policy source address-set LAN1
#
policy interzone trust dmz outbound
 policy 0
  action permit
  policy source 192.168.101.0 0.0.0.255
#
# my SNAT pool
nat address-group 1 192.0.0.1 192.0.0.2
#
# SNAT for local LAN1 outbound
nat-policy interzone trust untrust outbound
 policy 0
  action source-nat
  policy source address-set LAN1
  address-group 1
#
                                
         

Heuristic Options Fortimail

When using heuristic filtering options within your AS (antispam) policies, keep in mind that the total score after computation determines whether the message is classified as spam.

When email messages are matched as spam, you will find messages similar to this in your logs:

"Message    Detected by Heuristic check. Score 3.934000"

The action taken, based on the AS profile, will be the default or the specified action.

When you have a match, your log will show something similar.

Monitor your email delivery and logs for possible false positives. Be cautious about how you use heuristic checks in your AS policies.

It is sometimes wise to use specific AS policies for specific user email addresses such as sales/info/support@yourdomain.com, and adjust the AS profile and heuristic thresholds as required.

Here are some more FortiMail tips from socpuppets: http://socpuppet.blogspot.com/2013/06/fortimail-tips-tricks.html
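As an added example (not from the original post, and not FortiMail code), the script below pulls the heuristic score out of log lines shaped like the one quoted above, applies a per-mailbox threshold so that generic inboxes such as sales/info/support can tolerate a higher score, and lists the hits that only just cleared their threshold, which is where false positives usually hide. The log lines are constructed to resemble the quoted message; the to= and action= fields around it and the threshold values are assumptions, not FortiMail's exact format or defaults.

```python
"""Pull heuristic spam scores out of FortiMail-style log lines and flag borderline
hits for false-positive review.

Added example for this post, not FortiMail code. SAMPLE_LOG is constructed to
resemble the "Detected by Heuristic check. Score N" message quoted in the post;
the surrounding fields (to=, msg=) and the threshold numbers are assumptions.
"""
import re

# Score at or above which a message counts as spam. Per-mailbox overrides let the
# generic inbound mailboxes (sales/info/support) tolerate a higher score, as the
# post suggests for dedicated AS policies. Values are illustrative.
DEFAULT_THRESHOLD = 3.0
MAILBOX_THRESHOLDS = {
    "sales@yourdomain.com": 5.0,
    "info@yourdomain.com": 5.0,
    "support@yourdomain.com": 5.0,
}
REVIEW_BAND = 1.0   # hits less than this far above the threshold get a human look

HEURISTIC_RE = re.compile(r"Detected by Heuristic check\. Score (?P<score>[0-9]+(?:\.[0-9]+)?)")
RCPT_RE = re.compile(r"\bto=(?P<rcpt>\S+)")

# Constructed sample log; only the quoted "Detected by Heuristic check" text is from the post.
SAMPLE_LOG = [
    '2015-01-08 10:01:02 to=sales@yourdomain.com msg="Message Detected by Heuristic check. Score 3.934000"',
    '2015-01-08 10:03:17 to=bob@yourdomain.com msg="Message Detected by Heuristic check. Score 3.934000"',
    '2015-01-08 10:04:40 to=bob@yourdomain.com msg="Message Detected by Heuristic check. Score 8.200000"',
    '2015-01-08 10:05:02 to=carol@yourdomain.com msg="Message accepted for delivery"',
    '2015-01-08 10:06:55 to=support@yourdomain.com msg="Message Detected by Heuristic check. Score 6.100000"',
]


def parse_heuristic(line):
    """Return (recipient, score) for a heuristic hit, or None for any other line."""
    m = HEURISTIC_RE.search(line)
    r = RCPT_RE.search(line)
    if not m or not r:
        return None
    return r.group("rcpt"), float(m.group("score"))


def threshold_for(recipient):
    """Mailbox-specific threshold, falling back to the global default."""
    return MAILBOX_THRESHOLDS.get(recipient.lower(), DEFAULT_THRESHOLD)


def classify(recipient, score):
    """'clean' below the mailbox threshold, 'borderline' within REVIEW_BAND above it, else 'spam'."""
    t = threshold_for(recipient)
    if score < t:
        return "clean"
    if score - t < REVIEW_BAND:
        return "borderline"
    return "spam"


def review_candidates(lines):
    """Hits that scored only just over their threshold: the first place to look for false positives."""
    out = []
    for line in lines:
        hit = parse_heuristic(line)
        if hit and classify(*hit) == "borderline":
            out.append(hit)
    return out


def summarize(lines):
    """Count lines per verdict; lines without a heuristic score are 'skipped'."""
    counts = {"clean": 0, "borderline": 0, "spam": 0, "skipped": 0}
    for line in lines:
        hit = parse_heuristic(line)
        counts[classify(*hit) if hit else "skipped"] += 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for rcpt, score in review_candidates(SAMPLE_LOG):
        print(f"review: {rcpt} scored {score} (threshold {threshold_for(rcpt)})")
```

On the constructed sample the same 3.934 score is clean for sales@ (its threshold is raised to 5.0) but borderline for bob@ under the 3.0 default, which is exactly the per-mailbox tuning the post recommends; the two clear hits (8.2 and 6.1) are left alone.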


More cisco 9.3.2 woes ( scp and ftp )

I ran into something strange while figuring out the best approach for finding the OSPF authentication key in a running config or a saved config file on a Cisco ASA running in multi-context mode.

1st, copying the running config via "scp" DOES NOT display the authentication key. In fact, copying the running config to scp shows as completed, but it fails to actually write the file to the target host. The same holds true for the saved context config.cfg file or a backup config file.

I also saw numerous "Resource temporarily unavailable" errors with ASA 9.3.2.

The above would indicate the copy was successful, but no file was found at the target when using the above copy and "scp". Now here's what was even stranger: when using "ftp" as the target, it also echoes the password to the screen.

So it seems like something is wrong with ssh/scp on the Cisco ASA, and the same with "ftp". I don't recall this behavior with any previous ASA release.

Copying the running config or the cfg file still doesn't show the "encrypted key". I also found out that with the backup command, the backup file also does not display the OSPF authentication key, as noted earlier.

We also tested the behavior on an ASA running 9.3.1 and got different results. It failed with permission denied for both "scp" and "ftp". For ssh it had to deal with the ssh key hash.

( behavior on 9.3.1 )




Probably time for a ticket with  cisco TAC.





Wednesday, January 7, 2015

The lack of security in the internet by security engineers

Here's a rant about the crap that makes the internet so bad and suspect. Here's an snmpget on an edge-facing firewall. The engineers and firewalls are from Huawei, btw.

The above is installed in a production cellular data provider network. Just $sad$ in so many ways.

Even the numerous Huawei security notices tell you to watch out and restrict SNMP access.

http://support.huawei.com/support/pages/news/NewsInfoAction.do?actionFlag=view&doc_id=IN0000054930&colID=ROOTENWEB|CO0000000170

Looking at the above security announcement, I can conclude that this firewall:

1: is probably at risk
2: is not running the latest code from Huawei
3: should never have read/write access via a community string of "private" (yes, RW was set to "private" and RO to "public", with no restrictions)
4: much less be open to the untrusted internet on a public interface
5: uses some very weak logins









So without trying, this is what I gathered from an snmpwalk using the RW community of "private".

Reference for the MIBs:

http://www.oidview.com/mibs/2011/HUAWEI-AAA-MIB.html




Backups for multicontext ASA

I opened a ticket with TAC on where to find the backup options within the ASDM and found out the backup option is not available within the ASDM for firewalls running in multi-context mode. So one prerequisite for using the ASDM backup is for the firewall to be in single-context operating mode.


http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/admin_swconfig.html#wp1380620



Also, one other thing I found interesting: there's no CLI command to back up a context while in the admin context or any other defined context. So if you had an admin defined for a context, he/she could not use the backup/restore commands unless he/she changed to the system context. This goes back to the "limited" to no access to the disk0: storage from within a non-"system" context.
