Wednesday, April 27, 2016

infoblox and cisco ACS 5.x

Here's a short HOWTO for enabling AAA TACACS+ between Infoblox and Cisco ACS with authorization for roles. You will first need to define the AAA client (Infoblox) and the shared key within Cisco ACS.

Once you have your device type and TACACS+ key created, you can start the rest of the configuration tasks.

1: Within ACS we will craft a shell profile for authorization with a custom attribute; its value is the group name that we will use in the Infoblox AAA settings.





Next, we jump to the Infoblox server and, under the general settings for authentication servers, define the following:

  • The AAA profile name
  • The AAA servers
  • A role map to system ROLEs







Take note that the first figure above has "disable authorization" unchecked. This allows the Cisco ACS shell-profile custom attribute to be applied for authorization.


So at this point we have a group mapping to our roles, AAA servers defined with the right IPv4 address, key and port, and an AAA definition named "ACSaun".

The only piece left is an access policy for this AAA client that applies the shell profile built earlier. For the roles, we can map multiple defined roles to our role group and/or craft multiple role mappings.


e.g.


(a new role map named REPRT)



When you have the correct groups and access policy in Cisco ACS, you can execute a system test before setting remote authentication as the priority for user authentication via TACACS+.







And finally you can log in if the above test from Infoblox was a success.








Don't forget to sequence the order of the authentication profiles from local to TACACS+.



For role access, one of the following pages will be displayed if your role doesn't allow that task.

Here my REPRT (reports and event role) does NOT allow configuration changes. So if I try to execute any configuration change, the following will be displayed.




Ken
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 
        /  \

Saturday, April 23, 2016

Tacacs ACS 5 authentication and cmd-set reports

One of the coolest features in the Cisco ACS reports is that you can determine which command set allowed or denied a certain command.

By running the report AAA Protocol > Authorization, you can use the output to see which command set(s) allowed the command.

Take me activating the FEX locator LED:


Now if I deny that command in my command set "DCENGLVL3_cmd", watch the new output:


And the authorization report:



Keep in mind that with policies that allow multiple command sets, you need to be aware of what is being allowed and denied in each command set. In rule id #3 we have allowed three command sets, with "DCENGLVL3" being an "ANY-ALL commands" set. So the deny of the command locator-led fex was only in effect in the DCENGLVL3 command set, since it trumped all of the lower-numbered command sets.
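To make the command-set interplay concrete, here is a small model (added here; not ACS code and not the post's own) of how a rule with several command sets resolves one command. The precedence it encodes, Deny Always over Permit over plain Deny, is my reading of the ACS 5 command-set documentation and is an assumption; the set names and rules are constructed to mirror the rule above.

```python
import re

# Model of how Cisco ACS 5.x combines several command sets assigned by one
# authorization rule. The precedence below is an assumption taken from the ACS 5
# command-set documentation, not code from ACS or from this post:
# a "Deny Always" match in any set wins, then any "Permit" match, then a plain
# "Deny" match; a command that no set matches is denied.
PRECEDENCE = {"deny_always": 0, "permit": 1, "deny": 2}

class CommandSet:
    def __init__(self, name, rules, permit_unmatched=False):
        self.name = name
        self.rules = rules                        # (grant, command, argument regex); first match wins
        self.permit_unmatched = permit_unmatched  # ACS "Permit any command that is not in the table"

    def evaluate(self, command, args):
        for grant, cmd, arg_re in self.rules:
            if cmd == command and re.fullmatch(arg_re, args):
                return grant
        return "permit" if self.permit_unmatched else None

def authorize(command_sets, command_line):
    """Return (decision, name of the command set whose grant decided it)."""
    command, _, args = command_line.strip().partition(" ")
    verdicts = [(cs.evaluate(command, args), cs.name) for cs in command_sets]
    verdicts = [(PRECEDENCE[g], g, name) for g, name in verdicts if g is not None]
    if not verdicts:
        return ("deny", None)
    _, grant, name = min(verdicts, key=lambda v: v[0])   # first set at the winning precedence
    return ("permit" if grant == "permit" else "deny", name)

# Constructed sets mirroring the post's rule: two narrow sets plus DCENGLVL3_cmd,
# which is the "ANY-ALL commands" set except for an explicit deny of locator-led fex.
COMMAND_SETS = [
    CommandSet("SHOW_ONLY", [("deny_always", "show", "running-config.*"), ("permit", "show", ".*")]),
    CommandSet("INTF_ADMIN", [("permit", "interface", ".*"), ("permit", "shutdown", "")]),
    CommandSet("DCENGLVL3_cmd", [("deny", "locator-led", "fex .*")], permit_unmatched=True),
]

if __name__ == "__main__":
    for line in ("show version", "locator-led fex 101", "reload", "show running-config"):
        print(f"{line!r:28} -> {authorize(COMMAND_SETS, line)}")
```

Note how "reload" is permitted only because DCENGLVL3_cmd permits anything not listed, which is exactly the kind of side effect the report helps you spot.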


Wednesday, April 20, 2016

fortiOS behavior for tacacs authen-type

TACACS+ or RADIUS can use PAP, MSCHAP or CHAP for authentication to an AAA server. We found out that the above sequence was not being honored under FortiOS 5.2.1 with our newly installed ACS 5.8.

So if you see CHAP-related authentication failures with AAA servers similar to these:

Hardcode the authen-type to PAP, since PAP is pretty much playing it safe.




config user tacacs+
    edit "tac+"
        set server "10.10.10.10"
        set secondary-server "10.10.10.11"
        set key mysecretsecretdonttellnoone
        set authen-type pap
        set authorization enable
        set source-ip 192.0.2.2
    next
end
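If you want to confirm from a packet capture what authen-type the FortiGate actually sends, the TACACS+ authentication START packet carries it as a one-byte field. The decoder below is an added example written for this post (not Fortinet or Cisco code): it un-obfuscates the body with the shared key as RFC 8907 describes, and the builder exists only to construct a sample packet to decode.

```python
import hashlib
import struct

# TACACS+ (RFC 8907) constants. authen_type is the field that the FortiGate
# "set authen-type" setting selects, so it is what to look for in a capture.
AUTHEN_TYPES = {1: "ascii", 2: "pap", 3: "chap", 5: "mschap", 6: "mschapv2"}
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, body length
TAC_PLUS_AUTHEN, TAC_PLUS_UNENCRYPTED_FLAG = 0x01, 0x01

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream that obfuscates the TACACS+ body (RFC 8907 section 4.5)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(seed + last).digest()
        pad += last
    return pad[:length]

def decode_authen_start(packet, key):
    """Return the fields of an authentication START packet, or None for any other packet."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        pad = pseudo_pad(session_id, key, version, seq_no, length)
        body = bytes(a ^ b for a, b in zip(body, pad))
    if ptype != TAC_PLUS_AUTHEN or seq_no != 1:   # START is always sequence number 1
        return None
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack_from("!8B", body)
    fields, pos = [], 8
    for n in (ulen, plen, rlen, dlen):
        fields.append(body[pos:pos + n])
        pos += n
    user, port, rem_addr, data = fields
    return {"authen_type": AUTHEN_TYPES.get(authen_type, authen_type), "priv_lvl": priv_lvl,
            "user": user.decode(), "port": port.decode(), "rem_addr": rem_addr.decode(),
            "data_len": len(data)}   # PAP: data is the password; CHAP: id + challenge + response

def build_authen_start(key, session_id, authen_type, user, data):
    """Constructed client START packet (only for testing the decoder), obfuscated with the same key."""
    port, rem_addr = b"fortigate", b"192.0.2.2"
    body = struct.pack("!8B", 1, 1, authen_type, 1, len(user), len(port), len(rem_addr), len(data))
    body += user + port + rem_addr + data
    version, seq_no = 0xC1, 1       # minor version 1 is used with PAP/CHAP/MS-CHAP logins
    body = bytes(a ^ b for a, b in zip(body, pseudo_pad(session_id, key, version, seq_no, len(body))))
    return HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body)) + body

if __name__ == "__main__":
    pkt = build_authen_start(b"mysecretsecretdonttellnoone", 0x12345678, 2, b"admin", b"Secr3t!")
    print(decode_authen_start(pkt, b"mysecretsecretdonttellnoone"))
```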



Thursday, April 14, 2016

GoGonet is going byebye

Gogonet was one of the few who had a strong IPv6 membership and has finally shut its doors. I opened my email this AM and found this in my inbox:


http://www.gogo6.com/main

Maybe Google will pick up the pieces and start offering something for end users and promoting IPv6.


https://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers



Wednesday, April 13, 2016

gpg ciphers and data size

With symmetric encryption and GnuPG we can get a baseline of the size impact based on the data and the ciphers that are used.

I was bored and decided to just see what my GnuPG version could do:

Example: a text file containing the date



Example: an MP3 music file



In all cases, I used the same simple passphrase "testtest" for every cipher.



You can validate your cipher preference in your gpg.conf file.








Enjoy.




Tuesday, April 12, 2016

DNS CAA records for certifications

SSL/TLS certificates can be crafted for any site using any of the 400+ public Certificate Authorities and the thousands upon thousands of private CAs.

Not all CAs are trusted by a browser, by the way; that is another topic in a centralized-authority scheme, which is both a good and a bad thing and needs a separate post to understand the "truststore".

Since a domain and site could be deployed anywhere, any time, and by anyone, a successful hijack could take place if one could steer or hijack a DNS server, or redirect a client by modifying the DNS response payload.

Take this approach,

1> A blackhat hijacker crafts a site named "www.ebay.com" and installs front-end server(s) for collecting accounts and logins, or just to distribute malware.

2> He uses a valid CA and has a valid certificate signed.

3> He injects a response to a client browser for a DNS query that says "go to my fake www.ebay.com address".

Now at this point the browser sees the certificate as valid, and the user is at the mercy of the fake www.ebay.com and whatever the hijackers are trying to do (delivery of malware/trojans, account/password spear phishing, or other targeted theft of information, etc.).

I call this the same thing as bait and switch with a decoy while hunting doves or turkey. If it looks real, it will draw in the prey with no scrutiny ;)



So what keeps someone from registering an SSL certificate against your domain names? This type of hijack has been feasible and cannot be 100% controlled, but we can do some things, along with DNSSEC, to reduce this risk.

Read one of my previous posts about DNSSEC: http://socpuppet.blogspot.com/2013/12/dnssec-godaddy-style.html


The DNS RR type CAA (type 257) does mitigate some of this threat, but it's not 100% guaranteed.

How this resource record works is that you craft a DNS CAA record listing the preferred CA(s) that your domain trusts and uses for issuance of certificates. This record is checked by some CAs to pre-validate that they are an authorized CA for the domain name before creating a certificate for that domain.

e.g.

Let's Encrypt does this for any certificate that it creates:
https://letsencrypt.org/



Tip: To query for a type 257 record (the CAA DNS record type) you can use dig or host.

e.g.




So Google has set specific instructions for other CAs for the domain google.com.


How much protection you gain from CAA is hit or miss, since it is enforced only on the CA side. Very few organizations (CAs) use or check CAA record types. If more domains deployed CAA RRs and more CAs conducted the lookups, it would help ensure a rogue or hijacked site is not being deployed.
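Here is what a CA's CAA check looks like, as an added example written for this post and not code from Let's Encrypt or any other CA: a parser for the CAA wire format, the climb from the host name up to the closest name that has a CAA set, and the issue/issuewild decision. The zone data is constructed for the example.

```python
import struct

# Minimal CAA (RFC 6844/8659) wire-format parser and issuance check written for this
# post; it is not code from any CA. RDATA layout: flags (1 byte), tag length (1 byte),
# tag, value. The zone below is constructed sample data, not real records.
def build_caa(flags, tag, value):
    tag_b = tag.encode("ascii")
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("utf-8")

def parse_caa(rdata):
    flags, tag_len = struct.unpack_from("!BB", rdata)
    tag = rdata[2:2 + tag_len].decode("ascii").lower()
    return {"critical": bool(flags & 0x80), "tag": tag, "value": rdata[2 + tag_len:].decode("utf-8")}

def relevant_caa_set(zone, name):
    """Climb from name toward the root and return the first (closest) CAA RRset found."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if owner in zone:
            return owner, [parse_caa(r) for r in zone[owner]]
    return None, []

def ca_may_issue(zone, name, ca_domain, wildcard=False):
    """Apply the issue/issuewild rules of the relevant RRset for ca_domain (e.g. letsencrypt.org)."""
    _, records = relevant_caa_set(zone, name)
    if any(r["critical"] and r["tag"] not in ("issue", "issuewild", "iodef") for r in records):
        return False                      # critical property the CA does not understand
    tag = "issue"
    if wildcard and any(r["tag"] == "issuewild" for r in records):
        tag = "issuewild"                 # issuewild overrides issue for wildcard names only
    rules = [r["value"].split(";")[0].strip().lower() for r in records if r["tag"] == tag]
    if not rules:
        return True                       # no CAA at all, or none restricting this kind of issuance
    return ca_domain.lower() in rules     # a bare ";" value leaves an empty issuer: nobody may issue

# Constructed zone: the apex allows only letsencrypt.org (with a parameter, as a CA
# might see it), shop.* forbids wildcard certs, and www.* inherits the apex set.
ZONE = {
    "example.com": [build_caa(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
                    build_caa(0, "iodef", "mailto:security@example.com")],
    "shop.example.com": [build_caa(0, "issuewild", ";")],
}

if __name__ == "__main__":
    print(ca_may_issue(ZONE, "www.example.com", "letsencrypt.org"),        # True
          ca_may_issue(ZONE, "shop.example.com", "letsencrypt.org", True))  # False
```

Note that the relevant set is the closest one: shop.example.com publishes only issuewild, so a non-wildcard certificate for it is not restricted by the apex issue record, which is easy to get wrong when designing a CAA deployment.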

Each CA has its own strategy on CAA validation. You can see Google's stance by reading their PKI policy page:

https://static.googleusercontent.com/media/pki.google.com/en//GIAG2-CPS-1.2.pdf





Monday, April 11, 2016

TIP: IKEv2 MACOSX

The latest offering of Mac OS X, 10.11.x, supports IKEv2 for IPsec VPNs. It is very easy to overlook this when using the native VPN client.

When selecting an IPsec VPN you have the choice of Cisco Client (aka IKEv1), L2TP over IPsec, or IKEv2.




HOWTO: determine which unit in an Active-Active FortiGate HA cluster is handling traffic

Here are a few tips/tricks on locating the active FortiGate in an HA active-active vcluster1 & 2 setup where you have VDOMs spread over the clustered units.



First you have to use the HA management command (similar to switching context in a Cisco ASA):

e.g.

execute ha manage <id#>

1: You can use the CLI diag debug flow command.

2: Or the CLI command diag system session list (which you can filter if you have a lot of traffic) will reflect whether that unit is active.

3: And lastly, with any remote logging, the devname=YYYYYYY and devid=XXXXXXX fields will be populated with the FortiGate unit that handled that particular session.



Sunday, April 10, 2016

locking down SSL/TLS version fortimail

Here's a quick tip on restricting the TLS versions that are used on the FortiMail appliance. The setting is done from the CLI in the global configuration.



To test, you can  use  openssl  or curl.




Saturday, April 9, 2016

cisco NX-OS logging woes

Within NX-OS version "system:    version 7.0(5)N1(1)" we found a strange issue: the log entries shown by "show logging last 30" or "show logging" were out of order. The year and month, whether read top to bottom or bottom to top, did not follow any normal sequence.

This made it hard to track the most current events. The only way we got around this was to clear the logging buffer. During the course of this investigation I found that under this same code version you could add duplicate server entries:

e.g.

   logging server 10.10.10.10  4 use-vrf default
   logging server 10.10.10.10  4 use-vrf default

With previous and other IOS or NX-OS versions the above would never happen.

The next issue that was found: when clearing the logs, our Nexus switch would not display the actual user who cleared the logs.




Friday, April 8, 2016

NX-OS bash access again

If you recall the recent earlier post { http://socpuppet.blogspot.com/2016/04/howto-enable-linux-bash-nx-os.html },
we have one more means of executing a bash shell: the guestshell service in NX-OS.

You only need to enable the guestshell service to use it and run Linux commands.

Example

(from the CLI)

   guestshell enable
   show guestshell detail

Now you can run Unix-like commands from the NX-OS CLI:

Examples







Be aware that you should enclose commands in " " quotes, though it is not always required, and if you use any " characters within the command itself, escape them:

Example






Within the NX-OS guestshell you can start a full shell via the following:


Example





To disable the guestshell feature:




SOCNX01SW# guestshell disable
You will not be able to access your guest shell if it is disabled. Are you sure you want to disable the guest shell? (y/n) [n] y




Thursday, April 7, 2016

turning off the pager display on F5 LTM OS

On various network devices the pager display can become problematic. On the F5 LTMs we can disable the pager display pause with the classic "Y/N" prompt.

Review this screenshot of the before and after to see the differences.




