Friday, February 26, 2016

F5 tacacs accounting

To enable TACACS+ accounting on an LTM you need to make the changes from tmsh. This was configured on 11.6.x.


ken.felix@(BIGGIESMALLS)(cfg-sync Standalone)(Active)(/Common)(tmos)# list auth tacacs
auth tacacs system-auth {
    debug enabled
    protocol ip
    secret  T3jd83k3l31GE00f
    servers { 172.16.18.11  172.16.19.11}
    service ppp
}



and the following settings for accounting logging were set via modify:

ken.felix@(BIGGIESMALLS)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db config.audit*
sys db config.auditing {
    value "enable"
}
sys db config.auditing.forward.destination {
    value "10.52.1.10"
}
sys db config.auditing.forward.sharedsecret {
    value " T3jd83k3l31GE00f*"
}
sys db config.auditing.forward.type {
    value "tacacs+"
}
sys db config.auditing.truncate {
    value "disable"
}


e.g.

modify sys db config.auditing.forward.sharedsecret value T3jd83k3l31GE00f




For TACACS+ roles:


auth remote-role {
    role-info {
        F5operator {
            attribute F5-LTM-User-Info-1=operator
            console tmsh
            line-order 4
            role operator
            user-partition All
        }
        ResourceAdministrator {
            attribute F5-LTM-User-Info-1=resource
            console tmsh
            line-order 3
            role resourceadmin
            user-partition All
        }
        auditor {
            attribute F5-LTM-User-Info-1=auditor
            console tmsh
            line-order 1
            role auditor
            user-partition All
        }
        guest {
            attribute F5-LTM-User-Info-1=guest
            line-order 2
            role guest
            user-partition All
        }
    }
}


And the matching group definitions for the tac_plus daemon:


group = F5admin {
    default service = permit
    pap = PAM
    service = ppp protocol = ip {
        F5-LTM-User-Console = 0
    }
}

group = F5resource {
    pap = PAM
    service = ppp protocol = ip {
        F5-LTM-User-Info-1 = resource
        F5-LTM-User-Console = 1
        F5-LTM-User-Role = 20
    }
}

group = F5operator {
    pap = PAM
    service = ppp protocol = ip {
        F5-LTM-User-Info-1 = operator
        F5-LTM-User-Console = 1
        F5-LTM-User-Role = 400
    }
}

group = F5manager {
    pap = PAM
    service = ppp protocol = ip {
        F5-LTM-User-Info-1 = manager
        F5-LTM-User-Console = 1
        F5-LTM-User-Role = 100
    }
}

group = F5guest {
    pap = PAM
    service = ppp protocol = ip {
        F5-LTM-User-Info-1 = guest
        F5-LTM-User-Console = 1
        F5-LTM-User-Role = 700
        F5-LTM-User-Partition = all
    }
}
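To see how the two halves fit together (the tac_plus group attributes and the BIG-IP remote-role table), here is an added example that is not part of the original post and not F5 or tac_plus code: it parses the attribute lines a tac_plus service block returns and resolves them against the remote-role table above. It assumes (the post does not say so) that role-info entries are evaluated in ascending line-order with the first matching attribute winning, and that a user matching nothing falls back to a hypothetical default of "no-access".

```python
"""Added example (not from the original post): resolve the BIG-IP role a TACACS+
user gets from the attributes a tac_plus group returns, using the remote-role
table from the post.

Assumptions (not stated on the page): role-info entries are evaluated in
ascending line-order and the first matching attribute wins; a user whose
attributes match no entry falls back to an assumed default of "no-access".
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleInfo:
    name: str          # role-info entry name, e.g. "auditor"
    attribute: str     # attribute=value that must appear in the TACACS+ reply
    line_order: int
    role: str
    user_partition: str


# The remote-role table from the post, transcribed
REMOTE_ROLES = [
    RoleInfo("F5operator", "F5-LTM-User-Info-1=operator", 4, "operator", "All"),
    RoleInfo("ResourceAdministrator", "F5-LTM-User-Info-1=resource", 3, "resourceadmin", "All"),
    RoleInfo("auditor", "F5-LTM-User-Info-1=auditor", 1, "auditor", "All"),
    RoleInfo("guest", "F5-LTM-User-Info-1=guest", 2, "guest", "All"),
]

DEFAULT_ROLE = "no-access"  # assumed fallback when nothing matches


def parse_tacacs_reply(reply: str) -> dict:
    """Turn the 'attr = value' lines of a tac_plus service block into a dict.

    Only the mandatory 'name=value' form is handled here; tac_plus can also
    send optional 'name*value' pairs, which this toy parser ignores.
    """
    attrs = {}
    for line in reply.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        attrs[key.strip()] = value.strip()
    return attrs


def resolve_role(attrs: dict) -> tuple:
    """Return (role, partition) of the first role-info entry, in line-order, whose attribute matches."""
    for entry in sorted(REMOTE_ROLES, key=lambda r: r.line_order):
        key, _, value = entry.attribute.partition("=")
        if attrs.get(key) == value:
            return entry.role, entry.user_partition
    return DEFAULT_ROLE, None


# Constructed replies, mirroring the F5resource and F5manager groups above
RESOURCE_REPLY = "F5-LTM-User-Info-1 = resource\nF5-LTM-User-Console = 1\nF5-LTM-User-Role = 20\n"
MANAGER_REPLY = "F5-LTM-User-Info-1 = manager\nF5-LTM-User-Console = 1\nF5-LTM-User-Role = 100\n"

if __name__ == "__main__":
    for name, reply in (("resource", RESOURCE_REPLY), ("manager", MANAGER_REPLY)):
        print(name, "->", resolve_role(parse_tacacs_reply(reply)))
```

Running it shows the gap worth checking in your own setup: the F5manager group sends F5-LTM-User-Info-1 = manager, but the remote-role table above has no entry for "manager", so with this table alone that user lands on the default role. On the real box the F5-LTM-User-Role value (100) can carry the role instead, which is why the tac_plus groups send both attributes.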




Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 
        /  \

Thursday, February 25, 2016

Hotfix PaloAlto

Palo Alto sent me an email a few days ago about an alert, and I saw that they have a new name, "h2", which I guess means hotfix.



I thought that was very interesting. The advisory was pretty good at giving a quick update.






Friday, February 19, 2016

howto enable fips mode NX-OS

Enabling FIPS mode is quite simple under NX-OS. Here's a screenshot.


The show fips status command can be used for validation.


Thursday, February 11, 2016

blackhole problems within fortiOS

I ran into something interesting with blackhole routes in the past for IPv4 and IPv6 that I would like to share.

The native behavior in FortiOS has limitations with blackholing routes for networks that we deem BOGONs/martians.

Even with IPv6, we have no ability to set a "blackhole" interface like we can within IPv4, which plain out sucks. Even if you tried to stick it on a loopback interface, the IPv6 bogon sources can't be applied as IPv6 extra addresses since FortiOS doesn't see them as valid networks to begin with.

Here's a typical standard blackhole route listing for IPv4, using the keyword "blackhole" under "config router static":




ipv4




These are source networks that should never enter a public network interface. Ideally you will enable this on a router, or as remotely triggered blackhole route injection, aka RTBH (Remotely Triggered Black Hole).

Or, even better yet, have your upstream ISP(s) blackhole these networks for your business.

https://en.wikipedia.org/wiki/Martian_packet
https://en.wikipedia.org/wiki/Bogon_filtering


But let's look at what's wrong with the FortiGate and blackholes.

1st: various IPv4 sources cannot be added with the true standard blackhole methods.


e.g. a packet with a source of 0.0.0.0/8 cannot have a blackhole route installed in the typical fashion, and the same holds true for the multicast networks or the reserved class E network.




IPv6 static routes also have no means of enabling blackhole per source network.

That option just doesn't exist in FortiOS, which is just shocking.


So what's a security engineer to do?

1st: You should never use the old method of a firewall policy at the top of the sequence with the action set to "deny".

The above still requires action by the firewall and generates excess noise and logging. It also requires the packet to traverse your local interfaces just to be dumped and dropped.

2nd: You should review your ISP's blackholing capabilities, and if you're receiving a full BGP table, always use unicast RPF checks, aka unicast source verify.

3rd: blackhole bogons and martians at the edge via static routes, with the distance (admin value) set to the highest.

The goal is for the unicast RPF checks to fail traffic that could be spoofed with a martian as a source. This is a simple means of eliminating bad sources entering from untrusted networks, and it also ensures that you don't leak bad-source packets to the public internet, which is common with Windows/Mac hosts that use APIPA (Automatic Private IP Addressing).

Blackhole routes are a good way to mitigate not only BOGONs but just about any other bad source. In the DDoS communities we use RTBH routes on a /32 to drop bad or known bot hosts or malicious sources.
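As an added example (not part of the original post, and not FortiOS code), here is the check that a bogon blackhole plus uRPF is meant to perform, done offline in Python: classify source addresses against the well-known IPv4 and IPv6 special-use prefixes and report which ones would have no valid reverse path. The prefix lists are the registered special-use ranges; the sample source addresses are constructed for the example and include the cases the post calls out (0.0.0.0/8, APIPA, multicast, class E).

```python
"""Added example (not part of the original post): classify source addresses
against the well-known IPv4/IPv6 bogon and martian prefixes, the check a
uRPF-with-blackhole setup is meant to fail. Sample sources are constructed."""
import ipaddress

# IPv4 special-use / bogon prefixes (RFC 1918, 3927, 5737, 6598, 1112 multicast, class E, ...)
IPV4_BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",        # "this" network (the post's first example)
    "10.0.0.0/8",       # RFC 1918
    "100.64.0.0/10",    # CGNAT shared address space
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local, i.e. APIPA hosts
    "172.16.0.0/12",    # RFC 1918
    "192.0.0.0/24",     # IETF protocol assignments
    "192.0.2.0/24",     # TEST-NET-1
    "192.168.0.0/16",   # RFC 1918
    "198.18.0.0/15",    # benchmarking
    "198.51.100.0/24",  # TEST-NET-2
    "203.0.113.0/24",   # TEST-NET-3
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved class E (includes 255.255.255.255)
)]

# IPv6 equivalents: unspecified, loopback, IPv4-mapped, documentation, ULA, link-local, multicast
IPV6_BOGONS = [ipaddress.ip_network(p) for p in (
    "::/128", "::1/128", "::ffff:0:0/96", "2001:db8::/32", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def matching_bogon(src: str):
    """Return the bogon prefix (as a string) that contains src, or None if src is routable."""
    addr = ipaddress.ip_address(src)
    table = IPV4_BOGONS if addr.version == 4 else IPV6_BOGONS
    for net in table:
        if addr in net:
            return str(net)
    return None


def filter_sources(sources):
    """Split sources into (dropped, accepted) the way a bogon blackhole + uRPF
    check would: a source inside a bogon prefix has no valid reverse path, so
    it is dropped before any firewall policy has to look at it."""
    dropped, accepted = {}, []
    for src in sources:
        net = matching_bogon(src)
        if net:
            dropped[src] = net
        else:
            accepted.append(src)
    return dropped, accepted


# Constructed samples: "this" network, an APIPA host, mDNS multicast, class E,
# a public IPv4, IPv6 link-local, IPv6 documentation space, a public IPv6
SAMPLE_SOURCES = [
    "0.0.0.0", "169.254.10.5", "224.0.0.251", "250.1.2.3", "1.1.1.1",
    "fe80::1", "2001:db8::5", "2001:4860:4860::8888",
]

if __name__ == "__main__":
    dropped, accepted = filter_sources(SAMPLE_SOURCES)
    for src, net in dropped.items():
        print(f"DROP  {src:22} (bogon {net})")
    for src in accepted:
        print(f"PASS  {src}")
```

The point of keeping the list in one place is that it is the same list you feed to the edge static blackhole routes (for the prefixes FortiOS will take) and to the ISP, so the two stay consistent.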



Monday, February 8, 2016

How to configure SSH for maximum security within IOS. Cisco has started to include not only the ability to select the SSH version (version 2 is the default, btw, for most items) but also the ability to set the RSA key size and the DH group.


Here's the bare minimum that you should do when securing SSH on a Cisco router, and for an interface that must face the untrusted internet:

1: Set the version to SSHv2

ip ssh version 2

2: Specify the DH group minimum size of 2K or 4K bits

ip ssh dh min size 2048


3: Define an RSA key size of at least 2K bits

router#crypto key generate  rsa
% You already have RSA keys defined named  router.mydomain.com
% Do you really want to replace them? [yes/no]: yes
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)


Once you have this all done, you should set a trusted-host ACL for inbound SSH access, permitting only the networks you deem trustworthy.

config t

access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 permit host 1.1.1.1
access-list 10 permit host 1.1.1.2
!
!
!
line vty 0 15
 access-class 10 in
 transport input ssh
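To turn the checklist above into something you can run against a saved config, here is an added example (not from the original post, not Cisco tooling) that audits an IOS running-config snippet for each item: SSH version 2 forced, DH minimum size, RSA modulus size, and an inbound access-class plus ssh-only transport on every vty block. The config text is constructed; since the RSA modulus is not visible in a running-config, it is passed in separately (in practice you would read it from the show crypto key mypubkey rsa output).

```python
"""Added example (not from the original post): audit an IOS running-config
snippet for the SSH hardening items in the post. The snippets are constructed;
the RSA modulus size is supplied separately because it is not in the config."""
import re

MIN_DH_BITS = 2048
MIN_RSA_BITS = 2048


def parse_vty_lines(config: str) -> dict:
    """Collect the indented commands under each 'line vty ...' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None      # any non-indented line ends the block
    return blocks


def audit_ssh(config: str, rsa_bits: int) -> list:
    """Return findings; an empty list means the snippet meets the post's bare minimum."""
    findings = []
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("SSH version 2 not forced (ip ssh version 2)")
    m = re.search(r"^ip ssh dh min size (\d+)$", config, re.M)
    if not m or int(m.group(1)) < MIN_DH_BITS:
        findings.append(f"DH minimum size below {MIN_DH_BITS} (ip ssh dh min size)")
    if rsa_bits < MIN_RSA_BITS:
        findings.append(f"RSA key modulus {rsa_bits} < {MIN_RSA_BITS}")
    for name, cmds in parse_vty_lines(config).items():
        if not any(re.match(r"access-class \S+ in", c) for c in cmds):
            findings.append(f"{name}: no inbound access-class (trusted-host ACL)")
        if "transport input ssh" not in cmds:
            findings.append(f"{name}: transport input not restricted to ssh")
    return findings


# Constructed snippets: HARDENED mirrors the post, WEAK is a typical untouched box
HARDENED = """\
ip ssh version 2
ip ssh dh min size 2048
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 15
 access-class 10 in
 transport input ssh
"""

WEAK = """\
ip ssh dh min size 1024
line vty 0 4
 transport input telnet ssh
"""

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_ssh(cfg, rsa_bits=2048) or ["OK"])
```

Note that "transport input telnet ssh" is reported as a finding on purpose: leaving telnet enabled next to SSH defeats the point of the exercise on an internet-facing interface.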







Saturday, February 6, 2016

FIPS known answer test stops fortimail

I'm posting this info for anybody that runs FIPS execute commands on a FortiMail appliance. The appliance will stop processing mail upon execution of the ALL FIPS KAT.

Take a look at these screenshots for a FEC100 appliance:





and after the all-KAT run the unit stops accepting access on ports 25 and 443 (the FortiMail web UI).


***** The only way to recover from this state is an execute reboot from the console or the remote CLI. *****





Wednesday, February 3, 2016

HOWTO install a certificate for fortimail

In this post I will show you how to install a Comodo DV (domain validation) certificate on the FortiMail appliance. I'm using a free 90-day certificate in this example and crafting a CSR from within the appliance.

The CSR is the first starting point.

From my past experience you want to use non-abbreviated state names.


System > certificate


Next you will submit the CSR to the CA; in this case we are using Comodo for the signing. They will sign the CSR and issue the certificate. Your private key at this point stays private and is not submitted with the CSR.





They will issue the certificate and the intermediate certificate back to you in a zip file.







The CA will need to validate you during the process for a DV certificate, so the domain will require an email, and it's best to use the email address attached as the admin/technical contact in the whois.




Finally we can upload the certificate once it's been signed.





Make sure you install any CA intermediate in the appliance also.







Having the certificate installed is only part A of the step; you also need to make the appliance aware of it and use the certificate. The easiest way is to use the CLI command

"set default-certificate < the named certificate>"







IMHO it's best to restart the https daemon or reboot the appliance afterwards.






Finally, running a CA chain check will show a valid certificate that's trusted, and it won't hurt to complete a free SSL score check as well.








Tuesday, February 2, 2016

displaying logs in a FGT via the cli

The FortiOS FortiGate has a cool feature that's available from the CLI. If you do a lot of SSH remote access and need to review logs, you can use execute log display and set filters.

e.g. let's say you want to monitor just firewall policy traffic.

You will need to set the category to "0" and then execute the log display for that category.



List of categories:







Defining a filter based on traffic:






Defining a filter based on policyid:




Here are a few other filter types:

execute  log filter  field   dstcountry
execute  log filter  field   policyid

Run "execute log filter field ?" to get a list of the available fields.


And one last tip: if you ever need a count of how many logs there are per category, the following command will display the counts: execute log list <category number>

e.g.





Using this method will allow you to confirm that log messages are being generated without looking in FortiAnalyzer, syslog, or the web GUI.
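The same filter-and-count workflow can be reproduced offline when you have log lines exported from the box. Here is an added example (not from the original post, not Fortinet code) with a small parser for the FortiOS key=value log format, a filter that mimics execute log filter field <field> <value>, and a per-type count that mimics execute log list. The log lines are constructed for the example; only the mapping of category 0 to traffic logs comes from the post.

```python
"""Added example (not from the original post): parse FortiOS key=value log lines
and reproduce the filter / count steps of the post offline. Sample lines are
constructed; category 0 = traffic is the only mapping the post states."""
import re
from collections import Counter

# key=value pairs; values may be quoted and contain spaces, e.g. dstcountry="United States"
_PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')

CATEGORY_NAMES = {0: "traffic"}   # from the post; other category numbers not assumed

# Constructed sample of what 'execute log display' prints
SAMPLE_LOGS = """\
date=2016-02-02 time=09:01:10 logid=0000000013 type=traffic subtype=forward srcip=203.0.113.7 dstip=192.0.2.10 policyid=22 dstcountry="United States" action=accept
date=2016-02-02 time=09:01:12 logid=0000000013 type=traffic subtype=forward srcip=198.51.100.9 dstip=192.0.2.10 policyid=10 dstcountry="Reserved" action=deny
date=2016-02-02 time=09:01:15 logid=0000000013 type=traffic subtype=forward srcip=203.0.113.8 dstip=192.0.2.10 policyid=22 dstcountry="Germany" action=accept
date=2016-02-02 time=09:02:00 logid=0100032001 type=event subtype=system logdesc="Admin login successful" user=admin
"""


def parse_log_line(line: str) -> dict:
    """Split one FortiOS log line into a dict, stripping the quotes from quoted values."""
    return {k: (inner if v.startswith('"') else v) for k, v, inner in _PAIR.findall(line)}


def parse_logs(text: str) -> list:
    """Parse a block of log lines, skipping blank ones."""
    return [parse_log_line(l) for l in text.splitlines() if l.strip()]


def filter_field(entries, field: str, value: str) -> list:
    """Offline equivalent of 'execute log filter field <field> <value>' followed by display."""
    return [e for e in entries if e.get(field) == value]


def count_by_type(entries) -> Counter:
    """Offline equivalent of 'execute log list': how many lines each log type produced."""
    return Counter(e.get("type", "unknown") for e in entries)


def count_category(entries, category: int) -> int:
    """Count lines for a numeric category using the post's category-to-type mapping."""
    return count_by_type(entries)[CATEGORY_NAMES[category]]


if __name__ == "__main__":
    entries = parse_logs(SAMPLE_LOGS)
    print("policyid=22:", len(filter_field(entries, "policyid", "22")))
    print("dstcountry=Germany:", [e["srcip"] for e in filter_field(entries, "dstcountry", "Germany")])
    print("category 0 (traffic):", count_category(entries, 0))
```

A zero count for a category you expect to be busy is the same signal the post describes: the box is not generating those logs, so there is nothing for FortiAnalyzer or syslog to receive.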



Monday, February 1, 2016

This is a reminder about set match-vip enable. If you ever decide to build blacklist (BL) entries and have a VIP, this feature is easily missed, and unexpected traffic will hit the VIP if you don't have set match-vip enable on the regular policy(s).

Take the following policy-ids #10 and #22, with #22 having a VIP:

 config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "inside"
        set srcaddr "MYBLACKLIST_GROUPl"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set comment " BL bad known bots"
    next
    edit 22  
        set srcintf "wan1"
        set dstintf "inside"
        set srcaddr "all"
        set dstaddr "MYVIPWEB01"
        set action accept
        set schedule "always"
        set service "HTTP"
    next


Policy #10 will NOT block traffic to the VIP without set match-vip enable. The correct method to ensure the VIP is protected would be to change the policy:


 config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "inside"
        set srcaddr "MYBLACKLIST_GROUPl"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"

        set match-vip enable     <------HERE!
        set comment " BL bad known bots"
    next
    edit 22  
        set srcintf "wan1"
        set dstintf "inside"
        set srcaddr "all"
        set dstaddr "MYVIPWEB01"
        set action accept
        set schedule "always"
        set service "HTTP"
    next



This is a command that's only available from the CLI and not from the web GUI.
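Because the setting is CLI-only and easy to miss, it is worth checking for in a config backup. Here is an added example (not from the original post, not Fortinet code) that parses a config firewall policy block and flags every deny policy with dstaddr "all" that sits ahead of an accept policy to a VIP on the same interface pair without match-vip enable. The VIP object names are assumed to come from config firewall vip and are supplied as a constructed set; the before/after policies are the ones from the post.

```python
"""Added example (not from the original post): find deny policies that will
silently miss VIP traffic because 'set match-vip enable' is absent. VIP names
are a constructed input here (on a real box: 'config firewall vip')."""
import re

_EDIT = re.compile(r"^edit (\d+)$")


def parse_policies(config: str) -> list:
    """Return policies as dicts ({'id': 10, 'srcintf': 'wan1', ...}) in sequence order."""
    policies, cur = [], None
    for line in config.splitlines():
        s = line.strip()
        m = _EDIT.match(s)
        if m:
            cur = {"id": int(m.group(1))}
            policies.append(cur)
        elif s.startswith("set ") and cur is not None:
            key, _, rest = s[4:].partition(" ")
            # tolerate a trailing "<------HERE!" style annotation and strip quotes
            cur[key] = rest.split("<")[0].strip().strip('"')
        elif s == "next":
            cur = None
    return policies


def unprotected_vips(policies, vip_names) -> list:
    """For each accept policy whose dstaddr is a VIP, report earlier deny policies
    on the same interface pair that use dstaddr 'all' without match-vip enable:
    those denies look like they cover the VIP but will not match its traffic.
    Returns (deny_id, vip_policy_id, vip_name) tuples."""
    findings = []
    for i, vip_pol in enumerate(policies):
        if vip_pol.get("dstaddr") not in vip_names or vip_pol.get("action") != "accept":
            continue
        for deny in policies[:i]:
            if (deny.get("action") == "deny"
                    and deny.get("srcintf") == vip_pol.get("srcintf")
                    and deny.get("dstintf") == vip_pol.get("dstintf")
                    and deny.get("dstaddr") == "all"
                    and deny.get("match-vip") != "enable"):
                findings.append((deny["id"], vip_pol["id"], vip_pol["dstaddr"]))
    return findings


# The post's "before" policy set
BEFORE = """\
config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "inside"
        set srcaddr "MYBLACKLIST_GROUPl"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set comment " BL bad known bots"
    next
    edit 22
        set srcintf "wan1"
        set dstintf "inside"
        set srcaddr "all"
        set dstaddr "MYVIPWEB01"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
end
"""
# The post's fix: match-vip enable added to policy 10
AFTER = BEFORE.replace('set service "ALL"\n', 'set service "ALL"\n        set match-vip enable\n', 1)
VIPS = {"MYVIPWEB01"}   # constructed: object names from 'config firewall vip'

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, unprotected_vips(parse_policies(cfg), VIPS) or "OK")
```

Run over a full backup, the findings list is exactly the set of blacklist policies that would let a listed source reach a VIP.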



