Monday, May 23, 2016

Palo Alto interface types

PAN-OS supports several interface types. Just as on a Juniper SRX, each interface is assigned to a zone. An interface can be in only one zone, but a zone can hold multiple interfaces.

Here are the main ones:

  • Mgt = the dedicated management interface; it carries no user traffic
  • loopback = carries an address that is used, for example, as the router-id for dynamic routing
  • vlan = 802.1Q tagged (sub)interfaces
  • vwire = virtual wire; a pair of interfaces with an ingress and an egress side, no switching or routing in between, and it can be used with VLAN tags
  • layer2 = a switched interface that carries no Layer 3 address; it is assigned to a VLAN object
  • layer3 = has an IPv4 address, an IPv6 address or both; can be used with 802.1Q tags
  • PPPoE = used for DSL PPPoE services
  • tap = a passive monitor used for inspection; it does not route or switch traffic (a "one-arm" deployment)


Note: in a security policy for a tap interface, the source and destination zones are always the same (the tap zone).
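As an added example that is not from the original post, the PAN-OS set-format configuration below puts one interface of each main type into a zone; the interface names, zone names, addresses and the rule name are assumptions for illustration:

```text
# Layer 3 interface, bound to exactly one zone
set network interface ethernet ethernet1/1 layer3 ip 10.1.1.1/24
set zone trust network layer3 ethernet1/1

# Layer 3 subinterface carrying 802.1Q tag 100, in its own zone
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.100 tag 100
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.100 ip 10.100.0.1/24
set zone dmz network layer3 ethernet1/1.100

# Virtual wire: two interfaces, no switching or routing between them
set network interface ethernet ethernet1/3 virtual-wire
set network interface ethernet ethernet1/4 virtual-wire
set network virtual-wire vw1 interface1 ethernet1/3 interface2 ethernet1/4
set zone vw-untrust network virtual-wire ethernet1/3
set zone vw-trust network virtual-wire ethernet1/4

# Tap: passive, one-armed; the tap zone is both source and destination of the rule
set network interface ethernet ethernet1/5 tap
set zone tap network tap ethernet1/5
set rulebase security rules tap-inspect from tap to tap source any destination any application any service any action allow
```

Note that an allow rule on the tap zone only gives you visibility once security profiles are attached to it; the tap never forwards anything, so "allow" here means "inspect and log", not "pass".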


Ken
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 
        /  \



Sunday, May 22, 2016

Deleting SSH keys FortiOS

A FortiGate can hold either RSA or DSA host keys for its sshd server. How do you delete a key pair?

Well, it's simple: find the key storage directory (/etc/ssh) with the hidden fnsysctl CLI command, then delete the key pair with the same fnsysctl command. Keep in mind that any client holding the old host key in its known_hosts will warn of a changed host key on the next connection, so plan to re-verify and update those entries.


See the screenshots for the SSH key deletion.
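The two steps as an added CLI transcript (not from the original post): the prompt, the DSA key file names and the use of fnsysctl rm as the delete verb are assumptions, so take the real file names from what the listing shows on your unit.

```text
FGT # fnsysctl ls -l /etc/ssh
FGT # fnsysctl rm /etc/ssh/ssh_host_dsa_key
FGT # fnsysctl rm /etc/ssh/ssh_host_dsa_key.pub
FGT # fnsysctl ls -l /etc/ssh
```

Run the listing a second time to confirm both halves of the pair are gone before you disconnect.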






Wednesday, May 18, 2016

Unique NXOS roles

Various Nexus core switches have a few unique roles that can be overlooked. Nexus gear that supports storage will have a SAN admin role.

Here's a screenshot of the canned (predefined) roles on a Nexus, as listed by "show role".


Take notice of the san-admin and the dev-ops roles. You will not find a san-admin role on a non-storage-enabled Nexus, and not all Nexus switches have a dev-ops role.





Wednesday, May 11, 2016

cisco ACS database corruption CSCuo93378

We were hit very badly by the Cisco bug "CSCuo93378" on ACS 5.8.0.32. A primary/secondary cluster had all policies zapped.

What saved us was an ACS restore, and we ended up crafting an ACS support-bundle case.




Make sure you set up a remote repository and schedule daily backups.







Friday, May 6, 2016

my last bash access NXOS bcm-shell

The Cisco Nexus has a special shell that a Cisco TAC software engineer might have you access in limited scenarios. It's supported under the network-admin and dev-ops roles.


bcm-shell = Broadcom shell

Rarely, if ever, will you access it, but if you do it's simple to get into:





!!!!!!Take note of the warning !!!!!




I'm only aware of a few models within the Nexus lineup that support the bcm shell.



Thursday, May 5, 2016

HOWTO: The HP virtual connect role AAA cisco ACS 5.8

The HP VC chassis has 4 predefined roles:

DOMAIN
NETWORK
SERVER
STORAGE

By default the local admin has all 4 roles, which gives RW in all 4 areas. When crafting a local user, you have to define a role or multiple roles.

In Cisco ACS we do the same by setting "autocmd" as a custom attribute in the shell profile, one attribute per role. If you list all 4 of the above roles, you gain RW access for all 4 roles.

e.g.

autocmd=domain
autocmd=network
autocmd=server
autocmd=storage


If you don't define a role, you get RO access to that role's functions. You also don't need the mistaken hp-vc-mgmt attribute in Cisco ACS 5.X.



Here's a few snapshots and screen views of the landing page when you log in, and the permissions you have.


e.g. ( all 4 roles )

cisco ACS


HP-VC landing page ( see the roles defined on the left and the manage/view columns showing RW/RO )



( just 2: domain + network )

cisco ACS


HP-VC landing page


And finally, if we define no roles at all, we get RO.

HP-VC landing page when nothing is defined.



So that's how you do it. Keep in mind you control the roles via the autocmd custom attributes in the shell profile.

I haven't yet figured out a means of issuing a "show user *" command to see the current remote user and their role access in HP-VC version "v4.45".

Also, if you make any typo in the custom attribute, you can brick that access. So: 1> ensure the role name is correct, 2> use lower case, 3> don't string the roles together (one autocmd attribute per role).

If you have a typo, or mixed or upper case, this is what happens:

( Cisco ACS autocmd with an intentional typo in the form of upper case )




( And now HP Virtual Connect falls back to RO for the roles that were not defined correctly )

Wednesday, May 4, 2016

HOWTO: setup replication for cisco ACS servers 5.8

In this post I will show how simple the process of setting up ACS AAA servers for replication is.

This process requires you to have admin accounts available on the primary and secondary unit.

NOTE: If you do not have a valid CA certificate installed, you must disable trusted communication under the System Administration global settings.


Now, on the secondary you will need to set the name (DNS) or IP address of the primary under:

System Administration > Operations > Local Operations > Deployment Operations


This section is what enables the unit as a "secondary", deregisters it, or promotes it to primary.


 

 
When you first register, the secondary will restart the ACS process, and you will see a screen similar to this with login unavailable.





Stand by; this can take 5-10 minutes to complete.




You can monitor the status on the primary unit; once the pending status has completed, you will know whether the secondary is up.





Next, we will test replication by creating a user account on the primary and watching it replicate.


( here's the account creation on the primary )


( and now it's replicated on the secondary )



NOTE: The login page on the secondary, once it is available, carries the keyword "secondary".





Key notes:

1: once you are set up as primary --> secondary, all changes are made on the primary unit
2: if the primary is down, you can promote the secondary to primary from the secondary



3: if you make a mistake and are not running standalone, your mistake is transferred to the secondary
4: for #1, only a handful of items are configurable on the secondary; typically you can't configure the following:

    command sets, shell profiles, policies, devices, user accounts, system accounts, etc.


hint: For items that are not configurable on the secondary, the export/create/duplicate buttons are missing.






You can validate replication from the Distributed System Management page by reviewing the replication ID, the status and the last replication date/time.







System Administration > Operations > Distributed System Management












Tuesday, May 3, 2016

Voice phone calls: how secure are they?

I was doing my company's "advanced security awareness training" and had to laugh at this slide in the presentation.


The truth is, any communication that has no encryption between the parties is insecure, regardless of whether you are whispering into the phone or not.

Take a cell or landline call that is routed through a VoIP service over the internet or any private network. Anyone in the middle can easily decode the RTP stream and play back the voice from that transmission. Worse, you would have zero clue that this is happening!

So yes, calling your bank and providing personal information (account number, PIN, name, DOB, etc.) is all unsecured, and you have no idea where your call was routed or whether any part of it crossed an unsecured IP network.

Now, the truth of the matter is that anybody who is not in the military or intelligence community frankly doesn't know about the risks of using a phone line. The days of the wiretap, the spy hanging off the telephone pole, or the directional mic pointed at your window are just about gone.

We made it much easier: just tap into the audio stream on any VoIP network.

Why VoIP calls and encryption are overlooked comes down primarily to the following:

1: the voice subscriber just doesn't care, or doesn't even know
2: managing the key exchange between devices would be difficult
3: managing the key exchange for a multi-party call (conference) would be even more difficult
4: phone instruments have little or no encryption support for the voice bearer channels
5: calls that traverse multiple trunk types can be very hard to secure end to end
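To make the "anyone in the middle can decode the RTP stream" point concrete, here is an added example that is not part of the original post: a standard-library Python parser that takes RTP packets as an observer would see them on the wire, orders one stream by sequence number (wrap-aware, since the field is 16 bits) and expands the G.711 u-law (PCMU) payload back to PCM samples. The "capture" is constructed inline so the script runs offline; the SSRC values, sequence numbers and sample bytes are made up, and a real tool would read the packets from a pcap instead.

```python
"""Decode captured RTP (G.711 u-law / PCMU) audio with the standard library only.

Added example, not from the original post: the "capture" below is constructed
inline, so this runs offline; a real tool would read the packets from a pcap.
"""
import struct

RTP_HEADER = struct.Struct("!BBHII")  # V/P/X/CC, M/PT, sequence, timestamp, SSRC
PT_PCMU = 0                           # RFC 3551 static payload type for G.711 u-law


def build_rtp_packet(seq, timestamp, ssrc, payload, pt=PT_PCMU, marker=False):
    """Assemble a minimal RTP packet: version 2, no CSRC list, no extension."""
    first = 2 << 6                                   # V=2, P=0, X=0, CC=0
    second = (0x80 if marker else 0) | (pt & 0x7F)
    return RTP_HEADER.pack(first, second, seq & 0xFFFF,
                           timestamp & 0xFFFFFFFF, ssrc) + payload


def parse_rtp(packet):
    """Split one RTP packet into header fields and raw payload (RFC 3550 5.1).

    Handles CSRC lists, the optional header extension and trailing padding, so
    it parses more than the packets build_rtp_packet() produces.
    """
    if len(packet) < RTP_HEADER.size:
        raise ValueError("truncated RTP header")
    first, second, seq, ts, ssrc = RTP_HEADER.unpack_from(packet)
    if first >> 6 != 2:
        raise ValueError("not RTP version 2")
    padding, extension, cc = bool(first & 0x20), bool(first & 0x10), first & 0x0F
    offset = RTP_HEADER.size
    csrcs = list(struct.unpack_from("!%dI" % cc, packet, offset)) if cc else []
    offset += 4 * cc
    if extension:                    # 2-byte profile, 2-byte length in 32-bit words
        _profile, ext_words = struct.unpack_from("!HH", packet, offset)
        offset += 4 + 4 * ext_words
    end = len(packet) - (packet[-1] if padding else 0)  # last octet = padding count
    if offset > end:
        raise ValueError("malformed RTP packet")
    return {"marker": bool(second & 0x80), "payload_type": second & 0x7F,
            "seq": seq, "timestamp": ts, "ssrc": ssrc, "csrcs": csrcs,
            "payload": packet[offset:end]}


def ulaw_to_linear(byte):
    """Expand one G.711 u-law octet to a 16-bit signed PCM sample."""
    u = ~byte & 0xFF
    exponent = (u >> 4) & 0x07
    mantissa = u & 0x0F
    sample = (((mantissa << 3) + 0x84) << exponent) - 0x84
    return -sample if u & 0x80 else sample


def seq_distance(seq, base):
    """Signed distance between two 16-bit sequence numbers, wrap-aware."""
    return ((seq - base + 0x8000) & 0xFFFF) - 0x8000


def reassemble_stream(packets, ssrc):
    """Order one SSRC's packets by sequence number and return its PCM samples."""
    parsed = [p for p in map(parse_rtp, packets) if p["ssrc"] == ssrc]
    if not parsed:
        return []
    base = parsed[0]["seq"]
    parsed.sort(key=lambda p: seq_distance(p["seq"], base))
    samples = []
    for p in parsed:
        if p["payload_type"] == PT_PCMU:             # a real tool dispatches on payload type
            samples.extend(ulaw_to_linear(b) for b in p["payload"])
    return samples


# Constructed capture (not real traffic): four PCMU packets from one leg of a
# call, received out of order and straddling the 16-bit sequence wrap, plus one
# packet from the other leg that we leave alone. SSRC values are made up.
SSRC_A, SSRC_B = 0xDEADBEEF, 0x0BADF00D
CAPTURE = [
    build_rtp_packet(65535, 160 * 1, SSRC_A, bytes([0x00, 0x80])),
    build_rtp_packet(0,     160 * 2, SSRC_A, bytes([0x7F, 0xFF])),
    build_rtp_packet(65534, 160 * 0, SSRC_A, bytes([0xFF, 0xFF]), marker=True),
    build_rtp_packet(1,     160 * 3, SSRC_A, bytes([0x80, 0x00])),
    build_rtp_packet(7,     160 * 0, SSRC_B, bytes([0xFF] * 4), marker=True),
]


def captured_audio():
    """What a passive observer recovers from SSRC_A, in call order."""
    return reassemble_stream(CAPTURE, SSRC_A)


if __name__ == "__main__":
    hdr = parse_rtp(CAPTURE[2])
    print("first packet: pt=%d seq=%d ts=%d marker=%s"
          % (hdr["payload_type"], hdr["seq"], hdr["timestamp"], hdr["marker"]))
    print("recovered PCM samples:", captured_audio())
```

Nothing in the packet tells either endpoint that this was done: the header is clear text by design, and with a static payload type like PCMU there is not even a codec negotiation to sniff. Had the call used SRTP (RFC 3711), the same header fields would still be visible but the payload would be ciphertext, and the expansion step above would yield noise rather than speech.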


