more key tricks openssl

Have you ever want to  change a passphrase on a RSA private-key? With openssl the steps are easy

1: determine your encrypted key encryption by reading in  the existing  private-key and look at the top lines that shows the key type and encryption

2: Now re-read and apply encryption on the target key with the new name and passphrase

3: If you ever decide on removing the existing passphrase all together, just read in the existing  private-key and write a new output

 

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 
        /  \

whats my RSA keysize

If you have a RSA key generate, you can use openssl to  query the key-size. Great  tip if you have a few  key files sitting around and not sure which size the keys are.

e.g ( determining a RSA  private-key-size )

note: if you have a passphrase set, you will need to supply it in order to read the priv-key

e.g ( determining a RSA pub-keysize )

Since the public key is not a "private" key grep on the modulus field. You don't need the private-key file in order to read a public keyfile.

 note: use  the -pubin  for a public key



Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 
        /  \

Fortigate Securing for remote access ( untrust networks )

If you remember the use of  SSLVPN for remote management  in this blog;

http://socpuppet.blogspot.com/2015/03/sslvpn-sslroot-management-access.html

And running ssh management on a not-so-well known port;

http://socpuppet.blogspot.com/2014/12/hardening-your-unix-ssh-server-access.html

Will the final wrap, is for clients that need to allow pings access. Within fortiOS you allow ssh ping http https etc... via the set allowaccess command.

 Than allow the "admin" accounts access via the trusthost for ipv4 or ipv6

e.g  ( allow access)

So if you need to allow ping access, how do we do this securely. Simple, if you need to deploy the wildcards "any", you can define a user with  no access and then apply that user with a trusthost set for 0.0.0.0/0

e.g ( NOACCES user on my fgt & accprofile )

In the above we have an account profile named "NOACCESS"    for the users. A combination of two-factor authentication and with the token sent to a null email-account will ensure that NOBODY could brute-force the account via the admin account that has a trusthost of ANY for ipv4 or ipv6 networks.


And if he/she could access the unit ( the hacker ) , the account profile will ensure they have ZERO access.

e.g ( webgui and ssh.....both are blank with no permissions )

You still need to analyze any risk,  and if you need ssh/webgui open. And if yes to who, but restricting access via admin and accounts can easily be controlled and by deploying 2-factor authentication, you can almost with 120%  surety ensure that the account would not be hacked.

two-factor authentication should still deploy a strong based password, I like to use a 20+ character password and a not-common "administrator" name.



With the sslvpn management, you can stack various authentication requirements to ensure strong  security protocols for accessing the firewalls from remote networks that are deemed un-trusted.

Running https and ssh services on not-to-well-known ports, will eliminate like 99% of the script kiddies which is typically of obnoxious  & persistent group.

Ensuring stroing cipher support for ssh/https and eliminating "SSLv3" from WebGUI managements will ensure you can go to sleep without any worries.



Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
       o 
      /  \

ipv6 stratum clock servers ( options )

To build a ntp clocker server, you can use opensource linux and the ntpd pkg with a time-sync card like meinberg. Install the card and support drivers will give you a quick and simple to managed time-server.

https://www.meinbergglobal.com/

Alternative you can use a EndrunTechnologies & it's ipv6 server, these plug and play devices are simple and reliable. They are used in most major carriers. Unlike symmetricom they have been supporting ipv6 ntp-clients for some considerable time.

http://www.endruntechnologies.com

With either solution, your ipv6 clock needs will be reliable. The endruns are gret ipv6 servers that are affordable and has a simple management. They offer CDMA and/or  GPS and with external clock inputs.

Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
       o 
      /  \

The NTP server for ipv6 v5.2.3 FortiOS

In a pinch you can use a  fortigate as a local LAN ntp-server for ipv4 or ipv6 clients. It's not ideal imho due  that excess clients can create various issues. Also you have no  reliable means for filtering who can query your fortigate firewall as a ntp_client without deploying a local-in firewall policy.

Here in this blog, we've have a basic ntp-configuration  with the interface wifi set for answering ntp queries.

To debug ntp,  you can use fortinet wonderful diagnostic application function;

On my mac,  I'm  used the ntpq  or ntpdc query application for validate of sync.

ntptrace did not work btw





Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
       o 
      /  \

config session ( HOWTO uses )

In the cisco ASA, we have the means to config term but did you know you have a config session  option?

Almost every uses the config terminal in a day to day operations, but the  config session has it's own benefits.


1: Here's a few of the highlights;

> it allows you to deploy configuration at a later time
 ( e.g your working on a large ACL and need to take a cafe break or go out to lunch )

> it provides a delay time to review any configurations before committal
 ( great if you have OPS group that QA fwpolicies changes)

> configuration are manually commit by the user
 ( by the creator or another... great if you a administrator and senior lead you commits the changes after review and approval )

> you can abort or revert any change in the configuration process
  ( e.g your configuration a new ACL for  specific filtering event and later you need to abort  the configuration )

> !!!!!WARNING configuration sessions don't survive reboots/power lost  or synced to any slaves WARNING!!!!

With the config session is easy to deploy. Just craft a name for the session. The name can be any characters and with a limit in the length of the session_name to 32 characters;

in most  MSSP we have used case/tickets# or change_control_numbers# in our names and that seems to works out great


And you can only have a max of 3 config sessions active at any one time and the ASA will deliver a warning if you try to exceed that;

 The session name can also start with !#@  but can not contain any spaces




The uses of the config session is a must in a SOC/MSSP arena where you have numerous changes underway IMHO.

Here's a dialog of a session name TEXT using the session command for a access-list creation



config session test 
     access-list KENFELIX remark BLOG
     access-list KENFELIX  line 10 permit tcp host 1.1.1.1 host 1.1.1.2 eq 22 

notice how the  changes are shown as un-committed, when executing the show configure session command ?




Now we can, at this point either commit or abort the changes after re-execution of our  config session <session name >. If we decide on starting a new session we will be warn of the pending session.

Also the ACL list is not part of the running or saved startup configuration  since it was never committed.

If we so happen to abort the session, all changes would be eliminated.

up to this point nothing has been changed





If we should issue a commit noconform the changes would be pushed into the running-config & the session will be completed and terminated.

It you find any sessions  that needs to be eliminate, please use the clear configuration session command


e.g

show configure session

configure session !123456789012345688901234567890 (un-committed)

clear configuration session  !12345678901234568890123456$

It's advisable to review all pending config sessions  before starting a new sessions



I've worked with a few  SOC groups that fought over configurations and you will find that 2 operators configuring the same item & causing confusion can be avoid.

Good luck

Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
       o 
      /  \

play around with ipv6 NTP services

We have a symmetricon  TP5500 on our network. This GPS clock receiver is used for ipv4 clocking. Surprise that we have no ipv6 clock support.

So a ASR9K was used to sync to our ipv4 clock source,  and I configured a interface with a ipv6 address for testing.


Tue Sep 15 7:10:06.499 CST
interface GigabitEthernet0/0/0/1
 description SOCPUPS_ASR9K_TEST_LAB-ipv6
 bandwidth 1500
 mtu 1514
 ipv6 address 2001:db8:199::1/64
 ipv6 enable
 speed 1000
 shutdown
 load-interval 30
 transceiver permit pid all
!

To control the interface and ipv6 ntp-services you can use the  following commands.

ntp
  interface <interFaceName>
     disable


Better yet, a simple clock access-group for the peers that you want and applied for both ipv4 & ipv6 would work also.

e.g

ntp
 max-associations 100
 server 191.21.3.6 source Loopback0
 access-group ipv4 query-only NTP_CLIENT_ACL
 access-group ipv6 query-only  DENY_ACL
 update-calendar
 log-internal-sync
!


Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
       o 
      /  \

Forticlient Woes MACOSX

I ran into a annoying problem on my mac airbook & with the Forticlient. The client will not delete ipsec-vpn entries. This was done using both the lock icon unlock or locked and the entries will flat out not delete.

Now the next problem, the backup fails. It shows it has completed, but we have no backup file found.

Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
       o 
      /  \

ASA 9.5.1 ASA5558-X

Will I couldn't wait, we finally pushed  the ASA new software  9.5.1 to one member of a cluster in multi-context mode. The upgrade went smooth.

And now we have one 5558-X on 9.5.1.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/release/notes/asarn95.html

Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
       o 
      /  \

Various FortiOS interfaces you should know of

Here's a few virtual interface that you will find in the fortigate series of firewall. They have various purposes but outside of the  ssl.root, they are not really used for user traffic and nor can you define these in any static routes or firewall-policies


( interfaces virtual )

   port_ha  =  "used primarily for ha sync messages "
 
   havdlink0  =  " I have no clue ;) "

   eth0    =  used for IPS related activities ( I believe it routes interfaces to the ips engine )

   root  = "interface loopback similar to  lo in unix"

    ssl.root = "used for sslvpn access"

carries sslvpn traffic from sslvpn end users , you can define this in fw-polciies,static routes, and even use it in management applications uses ssh , https, pings, etc......


Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
       o 
      /  \

vdom limits and why?

With the fortigates, you have the means for deploying vdom resources limits. This is a must in a multi-tenant and where you have concerns for  resources exhaustion.

If you have concern over one tenant abusing the resources and within that vdom, you can set limits for the resource available such as

• firewall address
• firewall policies
• local users
• vpn-tunnels
• etc...

When a firewall admin tries to add a item that exceeds the set limits, they will have awarning display the request action denied

examples

It best to learn the max values for your model and the installed fortiOS. The following link shows various max values for FortiOS.

http://docs.fortinet.com/d/fortigate-maximum-values

Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
       o 
      /  \

GRE tunnels fortigate

In this example, I will show you just how simple it is for building a GRE tunnel. In this case, I have 2 vdoms ( root and custA ). We will source the  GRE tunnels using the vdom-interlinks between the 2.

With  Fortinet method, you define the GRE tunnel under config system gre-tunnel  and  then you can modify the  parameters of this interface under the
config system interface.






   

Now here's the cfgs.

And a simple ping across the  output interface and capture.

 I've toggle the data pattern with 0101 using the execute ping-options


Take away points;

1: GRE has overhead so the 1500bytes mtu will not fit over this link
2: treat the actual GRE interface like a point 2 point link ( no arp )
3: ensure that the GRE end-points are  reachable
4: you can enable any allowaccess methods such as ping ssh https http
5: be aware of any trusthosts settings
6: no firewall-policy is needed for packets source from  the firewall for GRE


Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
       o 
      /  \