Installing a threat profile cisco ASA IPS

In this post we will look at attaching a predefined threat profile for the cisco IPS. 1st let's look a sensor with the default "none" threat profile.

Next here's the list of  threat-profile that are shown via the list threat-profile cmd

The defaults of Data_Center , Edge,  SCADA & Web_Applications exists.

So we will apply the  Edge to our sensor and recheck that the configuration was applied.

NOTE: as you can see, the  virtual sensor vs0 has the defined threat profile  "Edge" attached to the signature definition "sig0"


And lastly, if you have a standby ASA, don't forget to make the same changes  on this unit.


Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
   ^      ^
=(  +  - )=
       o 
      /  \

My SixXS ipv6 tunnel setup attempts

SixXS  has been a major player within the  IPv6 tunneling creation, with over 40+ pops worldwide accept africa, they have one the biggest tunnel-broker service outside of  Hurricane Electric.  You can find more here;   https://www.sixxs.net/


When you 1st go to the account creation page you have to fill out a  multi-line  account request to include  your ful-name EUI format phone #, address etc... Most of this is populated in their WHOIS server that they manage.

Once you get your account acceptance email, than you will have to wait approx 1 -2 days for approval.

and;

note: The one negative about  SixXS, if you loose your "usernanme" you can not conduct a simple  password recovery. You need to supply the  username and  email-address for recovery. HE does not have the  limitation btw.


After approval, you can select a tunnel and pop for servicing the tunnel.  The tunnel pop selection should be based on distance to the PoP from your service router or firewall. But you should click on the pop to see and get details of the pop. Look at the establishment date, number or prefix and type of prefixes served from that pop.

( example chi equinix location )

note: I circled key items to review above


After, you have selected the pop and have  supplied your tunnel information, than you can proceed with  configuration of your end device.

As of today's date, I still have not been successful in obtaining a Ipv6 tunnel via SixXS. And y 1st attempt was done like 2 months ago.

Stay tune.


Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
   ^      ^
=(  +  - )=
       o 
      /  \

A look at the Fortinet beta program

Fortinet has been offering  a beta program for development of their FortiOS software. This beta program is suppose to help identify bugs and features improvements prior to introduction of new features and functions in a major code release.

To Participate you must have a fortinet firewall that's under contract as listed by their agreement cause;

Anybody can  submit  a request  and entrance into the beta program or forward arequest to another user. The beta team will review to see if they meet the criteria under their acceptance cause.

Once you have been accepted, you can now download code for  your registered devices.

It's advise able not to install beta-code on production critical devices.


Beta code is just that Beta. So expect mis-behavior and performance impacts. So YMMV and use at your risk surely applies here. If your network become unstable or breaks, don't blame fortinet.


Once you have download the code and upgraded a unit, your system will state the build as being beta.

NOTE: The code will not expire nor have any limitations

To be a good beta tester , you should develop a plan to record events and create  a diary  of events and issues that you find. By doing so and contacting the beta admins and forums, you can now gain information and provide your findings to the team & beta community.

It's crucial to complain to the team on both  positive or negative findings so they can be made aware of issues that you find.

http://support.fortinet.com/forum/

Without the feedback, they will not know of any issues that you may have found. I don't know of any other  security provider that offers a beta release and welcomes a selected group of testers invited to the general public.


Ken Felix
Freelance Network/Security Engineer
kfelix -<a-t>  socpuppets-<d-o-t>- com

Google Nexus Android 5.0 lollipop

I was surprised to see that the 5.0 andorid OS was  recently released. So I've start my 5.0 upgrade.  A associate has upgrade his Nexus5 phone with 5.0.

http://www.android.com/versions/lollipop-5-0/

Outside the new interface  & desktop icons, the screen interface looks much better.


Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

Hush now ( alternative email security in a pinch )

If you ever needs to send something via email and have no security enabled mail client, than hush mail might be beneficial for you.  https://www.hushmail.com/

After building an account, you can craft  a email and set the passphrase  that you will share with the recipient via an out-of-band ( OOB ) channel like SMS, voice call, etc...

note: please don't use test1234567890 as a pass-phrase ;)

The email receiver will get an email message with a direct link to the encrypted email message in his inbox. This provide 100% security to the content since you download the  message over  a HTTPs session.

If the email was intercepted and  if the  a login/brute force attack was taken, the mail will be automatically delete after 5 failures.


e.g

and then the mail is deleted;

This service is great for those that don't know how to implement  PGP and keys management. I still will suggest that you use local encryption if you need 100% secure email communications.

You can read about the legal issues with hushmail  at the below link.

http://en.wikipedia.org/wiki/Hushmail

example of a simple composing

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
   ^      ^
=(  $  $ )=
       o 
      /  \

NXOS md5 file verification nx3500 switch

In this short post, I will show the internal  file verification command usage. The command

show version  image <storage_device:image_name>

You can execute this on any image listed on the device. The result is either a pass or fail.

E.g

Ken Felix
Freelance Network/Security Engineer
kfelix -a-t  socpuppets-d-o-t- com

     ^      ^

=(   ^   ^  )=

          o

       /     \

A HOWTO: Fortigate ipv6 snmp configurations

In this post,  we will look at the basic ipv6  snmp communities settings that's required.

1st my big warning, you need to configure the communities hosts6 via the cli. The address input via the WebGUI as of 5.2.2 is only for a ipv4 address. There's no provisions for doing this under the WebGUI. You typically will list the SNMP management hosts(s) in this section.


The basic snmp configuration would look similar to  the following screen

Config > snmp 

Now let's looking at my final ipv6 cfg for snmp queries. ( CLI )
 

NOTE: remember to enable snmp under the allowaccess for both ipv6 config.
e.g   set ip6-allowaccess ping https ssh


Now to query a ipv6  snmp  enabled fortigate, you need to include single quotation for the ipv6 address & within your snmpwalk/set/get.


e.g1  

e.g2

If you run into problems a combination of diag sniffer packet, diag debug app snmpd -1  or diag debug flow filter6 161 could shed some light into the issues.

Here's a snapshot on what happens if you don't allowaccess the snmp services;

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
   ^      ^
=(  $  $ )=
       o 
      /  \

5.2.2 fortios ugrades b642

5.2.2 was release in the last 24hrs  { 11-18-2014 } .

So we are evaluating this newly release version. The release notes indicated a few minor fixes and nothing  really big on a the "what's new " front. One thing that caught my eye. 

Which was funny since I'm doing some testing with that particular modem. So it good to see it's included in 5.2.2.

As with any upgrade, do a system backup before any upgrades. It's also a good ideal to have  a fall back image handy if things goes sour.


Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
   ^      ^
=(  $  $ )=
       o 
      /  \

How to craft a signatures with GNU gpg by socpuppets

With GNU gpg, you can craft an embedded signature within the data or "de-attach" signature. I will demonstrate the  two methods. Where and how you would use the two is up to you.

1st the de-attached signature which probably the one I use the most. Your data can be compressed after signature  creation, if so desired and to save space. The signature  is publicly available  for any persons that wish to verify the file integrity.

cli gpg -b <file.name>

This does 2 things;

            1: it make a digital signature based off you private-key
            2: it does NOT make any modifications to the original  data

NOTE: the signature is always  created from the original filename and the added suffix "sig" to the newly created signature file.

Next we will make a embedded  signature. This requires the "-s" switch option.  So we will take the same file  & create our sign+encryption.

cli gpg -s  <filename>

Now we should notice a few things,

       1: we have a new file name  file.txt.gpg ( data that's encrypted )
       2: original data is still present
       3: original datafile has not been modififed  ( even the  earlier sig file is still present )

So now we will delete the original data "file.txt" and then decrypt our  file.txt.gpg and then compare the md5-hash and you will find we have the original file again.

Notice that our data md5 hash matches, after the decryption?
( message digest  96c23e49e65c7fd37d612b369d6a1657 )

A few things to take away here;
   
                    1: the m5 128bit hash still matches after the decryption
                    2: the original data was decrypted
                    3: the file was compared against the embedded signature to our key

NOTE: If we would have used the  "-v" we would have gotten more verbose information & output

So easy, that a monkey or caveman can do it!

I hope this  demonstration has been helpful. You can learn more about GNU PGP implementation at the following link;

http://en.wikipedia.org/wiki/GNU_Privacy_Guard

and about PGP in general here;

http://en.wikipedia.org/wiki/Pretty_Good_Privacy


Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

   ^      ^
=(  $  $ )=
       o 
      /  \

Verifying file signature using GNUgpg

In this post, you will see just how easy it is for file & signature verifications using GNU gpg. A little background;

• The  GNU PGP implementation has been around for a  decade +
•  it uses PKI 
•  keys are retrieved via public key-servers
• A file signed via a key, can be Digitally verified  for tampering or corruption
•  it also validates the author is actually the author

This is a how a typical PGP signature file looks;

Typically the  author of the  file, will make the signature publicly available. So by downloading the signature, we can validate the actual datafile that was signed.

When using gpg, and when the key is not on your key-ring, then gpg is smart enough to retrieve the key that's listed in  the  signature file. You can display this action if you use the "-v" verbose switch.

note: if you are on a restricted network or behind a firewall  the port could be blocked for the key-server.

To verify a pgp signature you need the following;

      1: the data to be verified
      2: the signature file
      3: the public-key of the author for the datafile

If any of the three are missing, you can't continue. If one of the three was tampered with, you verification would fail!

Here's an example of a verification process against a linux kernel filename = linux-2.2.0.tar

note: if the file is compressed and ends  with either a gz or bz2 extension, you need to un-compress the data before the verification. Linux Kernel sources are always signed b4 compression btw and I don't think that will ever change.

note: Once the key has been imported, any  other following  verifications would  use the local cached key. If you want to delete the key , use the cli  cmd  gpg --delete-keys  <key id>

So now you see just how easy it is to  verify a signature using gpg. It's so simple, that even a caveman  or monkey can do it.

Now, I will modify the signature to show you how  any corruption or tampering will invalidation the verification. I used  the unix vi cmd to change one character with in the pgp signature file, and now will attempt a new verification.

So with PKI, we have failsafes that if either ;  1> the datafile or 2> signature been tampered with, the verification process would fail. Even if we re-imported the key, and start fresh from the top, the  verification will still fail.

( the modified  PGP signature used for this last sample &  with the "I" on the 1st line change to uppercase )

I hope this  demonstration has been helpful. You can learn more about GNU PGP implementation at the following link;

http://en.wikipedia.org/wiki/GNU_Privacy_Guard

and about PGP in general here;

http://en.wikipedia.org/wiki/Pretty_Good_Privacy


Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

How to digitally sign and verify with ecdsa keypairs

In this post we will take a ecdsa  key-pair  and create a ecdsa signature and verify our data. I will also demonstrate what happen if the date is compromised.

1st here's the ecdsa  key-pairs that I created earlier.

NOTE: So the file name myfileforblog.txt will be the file we sign and will validate.

Here's the files types in my  directory

Next, we will do a signature creation and then verification.

And finally, let's make a modification to the "data file named myfileforblog.txt"  and re-verify.

NOTE: It will now fail due to the whitespace added to the bottom of the file

So basically we can easily craft ecdsa signatures and with providing the  pubic-key and the data.signature, any person can validate the signature of the datafile for integrity or corruption.

Here's a sample we re-direct the output  of unix ls into openssl from the /usr/bin directory

If the validation fails we can assume;

   1: the wrong signature was provided
   2: data was corrupt
   3: signature was tampered with
   4: the hash was not match or correct

NOTE: if the verification passes, than we know the file and signature are correct and matches the owner public-key.

 
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
   ^      ^
=(  +  - )=
       o 
      /  \

Fortigate identity policies trouble-shooting

With fwpolicies that uses identity-based , you have a few means for diagnostics.

The 1st thing you need to do is to ensure that the expected-traffic is matching the policy that a user is having problems authenticating with. And ensure that traffic is arriving to the fortigate firewall. The easiest way for determining  this;

diag debug flow

or

diag sniffer packet 

The former is more acceptable.

If traffic is NOT hitting your policy,  than "Stop" and don't proceed until you ensure that any other network routing or filtering problems has been fixed.

I 've seen now on 1-to-2 dozen occasions or more, that a firewall engineer stumbles around just to find out a inside  interior  firewall or router ACL was preventing the traffic destine to the  identity-based firewall policies.

NOTE: With the diag debug flow, if you see "Denied by forward policy check",  than that  means you hit a policy with the action either set to  disable or  you have no policy to begin with.

If you are seeing a policy-id match that matches your traffic,  the following will be logged via the diag debug flow. This will show the policy-id  that's being matched, now you can dive in and find the problem.

e.g

msg="Allowed by Policy-124:"


Next, is this the policy-id that you have identity-based authentication set for? And does the group have the proper user defined ?

config firewall policy
    edit 124
        set srcintf "wan1"
        set dstintf "port1"
            set srcaddr "all"            
            set dstaddr "XXX_XXX_XXX_XXX"            
        set action accept
        set identity-based enable
            config identity-based-policy
                edit 1
                    set schedule "always"
                        set groups "consultant"                        
                        set service "TELNET"                        
                next
            end
    next
end


Next, you will need to inspect the user  and the  user-group that's defined  for the above firewall-policy-id. Here it would be my group named "consultant" and it has one member  "kfelixsslvpn"

config user group
    edit "consultant"
        set sslvpn-portal "full-access"
            set member "kfelixsslvpn"            
    next
end

and

config user local
    edit "kfelixsslvpn"
        set type password
        set passwd ENC VLrvImdmeB0GbZs5ZG+D5Wzhyhy0xNHyfo0lnX0YmATrFc2pAiZ7T8dcAbOfbi+k2WA1i3ydO2m4jyHLusuWU0kVJot8e518qzyIqzi1IvewXug1
    next
end

In my case we are using local authentication So this user is authenticated locally against the user database. If the user doesn't exist or does not exist for the group, you will fail authentication. Also if the password is incorrect, you will fail authentication.

So if you suspect problems with the end-user,  have her/him double check the login/password or create a new password for the login.

If the user is  authenticated off-appliance, you need to  diagnostic  the  remote authentication services.
 (   radius, ldap, etc... ). Most AAA authentication platforms have local tools for testing  user validation or credentials. Research your platform for any local tools or diagnostics.

NOTE: If you see a group with multiple users & only ONE user is having problems that you can narrow down your diagnostics with just that "user".

Lastly, you can use the displayed output when your intercepted for authentication. If your getting that the authentication block that you know the identity policy is being matched.


You can also use the diag debug app authd -1 to report the status also.


( telnet  )

( http )

So based on the policy and identity the  fortigate will challenge the user with a login.

 

config firewall policy
    edit 124
        set srcintf "wan1"
        set dstintf "port1"
            set srcaddr "all"            
            set dstaddr "XXX_XXX_XXX_XXX"            
        set action accept
        set identity-based enable
            config identity-based-policy
                edit 1
                    set schedule "always"
                        set groups "consultant"                        
                        set service "HTTP"                        
                next
            end
    next
end

With authentication  & identity-based policies, if the original session was via an un-encrypted services , than the authentication would also be un-encrypted. 

 What this means,  my above HTTP identity-based policy would authenticated me via "HTTP" and not "HTTPs".  The fortigate is actually intercepting the traffic src/dst and spoof'ing the  challenge on behalf of the destination.  Your NOT authenticating via the target but via the firewall and the packet spoof'ing.



Here's a tshark decode

No pun intended , but the user credentials clearly are in the clear ( username = sssss password = ssssssss )

This is bad thing ( lack of security ) but for diagnostics, you can packet capture the traffic and inspect the user credentials that's being presented.

A few useful authentication commands;

Diagnostic

 diag debug reset 
 dag debug en
 diag debug application authd -1

Operations & monitoring

 diag firewall iprope authuser
 diag firewall iprope resetauth

The former shows who authentication & from where. It will now show what policy-id trigger the authentication. The latter clears all authentications. Use with caution.

  diag firewall auth list

This will show you details about the user, timeout and policy-id that was triggered.


For my  very last item, you can adjust the authentication timeout. This can be done  from the webGu.

 user > device > authentication> setting 

or via the CLI;

config user setting
    set auth-cert "self-sign"
    set auth-timeout 436
end


NOTE: default timeout == 300secs


And for stricter and harsher controls, you can set the  authenticating parameters for blackout and the max failed-attempts. This is great protection for any  brute-force login attacks.

config user setting
    set auth-blackout-time 5
    set auth-invalid-max 3          < after 3  failures blacklist at above value 5mins.
end

NOTE: various  fortiOS exhibits failures on the blackout time value and it's ignored YMMV


I hope this gives you some ideals on identity-based authentications. IMHO  security methods exist such as 802.1x, FSSO , Radius SSO, Proxies or a combination with identity-based.

Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^    ^
 =( #  # )=
      @
      /   \