Thursday, September 29, 2016

Website headers report cards

If you deal with the web day to day you have almost certainly heard of SSL Labs. SSL Labs is great for SSL/TLS reporting, but what about HTTP?

The folks at https://securityheaders.io have a tool that analyzes HTTP server response headers.

Paste the URL into the input box and you get an idea of how your site looks, plus a grade.

Take Facebook:



An A grade, but let's look at the raw headers and the summarized findings:








The report-card grade is not final and should not be read as your site failing, but as a suggestion for improvements. Keep in mind that the grade reflects only what the scanner can see in the response headers of the one URL you gave it; it says nothing about the application behind them. The site owner's own site https://securityheaders.io reports an A+ grade ;)
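The same check, done locally before you paste a URL into the site. This is an added example (my shell script, not code from securityheaders.io): it reads a raw response-header block, reports which of the commonly graded security headers are missing, and flags banner headers that leak version information. The header list and the two sample responses are constructed for the demo, not captured from any real site; X-XSS-Protection is kept in the list because 2016-era scanners still looked for it, though current browsers ignore it.

```sh
#!/bin/sh
# Added example (not securityheaders.io code): grade a raw HTTP response
# header block the way the report card does, offline.  The header list and
# the sample responses below are constructed for the demo.

# Response headers a hardened HTTPS site is expected to send (one per line).
WANTED_HEADERS="Strict-Transport-Security
Content-Security-Policy
X-Frame-Options
X-Content-Type-Options
X-XSS-Protection
Referrer-Policy"

# check_headers: read raw response headers on stdin; print one line per
# missing header and per leaky banner; return the number of problems found.
check_headers() {
    hdrs=$(cat)
    problems=0
    for h in $WANTED_HEADERS; do
        # header names are case-insensitive, hence grep -i
        if ! printf '%s\n' "$hdrs" | grep -iq "^$h:"; then
            echo "MISSING $h"
            problems=$((problems + 1))
        fi
    done
    # Server and X-Powered-By only help an attacker fingerprint the stack.
    for leak in Server X-Powered-By; do
        if printf '%s\n' "$hdrs" | grep -iq "^$leak:"; then
            echo "LEAK    $(printf '%s\n' "$hdrs" | grep -i "^$leak:" | tr -d '\r')"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# check_url URL: the same check against a live site (needs network).  A GET
# with the body discarded is used rather than -I, because some servers answer
# a HEAD with fewer headers; give it the final URL, not one that redirects.
check_url() {
    curl -sS -o /dev/null -D - "$1" | check_headers
}

# Constructed sample: a default Apache site with partial hardening.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff'

# Constructed sample: what an A+ style response looks like.
GOOD_RESPONSE='HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src https:
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade'

printf '%s\n' "$SAMPLE_RESPONSE" | check_headers || echo "problems: $?"
printf '%s\n' "$GOOD_RESPONSE" | check_headers && echo "no problems"
```

The return value is the problem count, so the function drops straight into a CI step (`check_url https://www.example.com || exit 1`) once you are happy with the list of headers you require.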




Ken Felix

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 

        /  \

Adding a CA to curl

The Unix SSL/TLS tool curl uses a defined list of CAs. If you have your own private CA and want to add it to the list, or want to remove a CA, first find where curl reads the list from (the CAfile or CApath). The list can be the system trusted-CA store that comes pre-packaged with the OS, a static bundle file, or a directory of certificates.


You have a few ways to identify where curl is pulling its CA list from:


1: Run curl in verbose mode (-v) and look for the CAfile/CApath lines, if present.

e.g

2: Run curl with a bad --cacert file and look for the CApath reported in the error.

e.g


This shows the compiled-in CApath that curl checks for CAs.





macOS builds of curl use the system keychain certificates. You can override this behavior by specifying a CA cert file (--cacert) or directory (--capath) on the command line.




So if you want to add a CA certificate, place the file, in PEM format, where curl looks (/etc/ssl/certs in the example above). Most Unix and Linux deployments fill that directory with hash-named symbolic links pointing at certificates stored elsewhere, and a CApath lookup only finds a certificate through such a link, so a file dropped in by hand also needs its hash link (c_rehash or openssl rehash create them). Distributions also have a supported way in: on Debian and Ubuntu copy the PEM (with a .crt extension) into /usr/local/share/ca-certificates/ and run update-ca-certificates; on RHEL and CentOS copy it into /etc/pki/ca-trust/source/anchors/ and run update-ca-trust. For a one-off, curl --cacert or --capath, or the CURL_CA_BUNDLE environment variable, avoids touching the system store at all.

Remember that not all curl versions (and TLS backends) support the same features; curl -V shows the version and backend you have.
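The three things above, done without editing /etc/ssl/certs by hand, as an added example (my script, not from the original post or from the curl project): find the CA bundle curl will read, build a private bundle of the system CAs plus your own CA for --cacert, and build a hashed CApath directory for --capath. The private CA is generated on the fly with a minimal req config; the file names and the bundle search order are assumptions (the order follows what a curl built on OpenSSL honours, but check `curl -v` on your own build).

```sh
#!/bin/sh
# Added example, not from the original post.  Three things the post talks
# about, done without editing /etc/ssl/certs by hand: find the CA bundle
# curl will read, build a private bundle (system CAs plus your own CA) for
# --cacert, and build a hashed CApath directory for --capath.  The private
# CA is generated on the fly; file names and the search order are assumptions.

# find_ca_bundle: print the first readable bundle from the places a curl
# built on OpenSSL takes one: the CURL_CA_BUNDLE and SSL_CERT_FILE
# environment overrides, the compiled-in path from curl-config, then the
# common distro paths.  Returns 1 if none is found.
find_ca_bundle() {
    builtin_ca=""
    if command -v curl-config >/dev/null 2>&1; then
        builtin_ca=$(curl-config --ca 2>/dev/null || true)
    fi
    for f in "${CURL_CA_BUNDLE:-}" "${SSL_CERT_FILE:-}" "$builtin_ca" \
             /etc/ssl/certs/ca-certificates.crt \
             /etc/pki/tls/certs/ca-bundle.crt \
             /etc/ssl/cert.pem; do
        if [ -n "$f" ] && [ -r "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    echo "no CA bundle found; run 'curl -v https://...' and look for the CAfile/CApath lines" >&2
    return 1
}

# make_private_bundle CA_PEM OUT: system bundle (if one was found) followed
# by the private CA; prints how many CA certs OUT now holds.
#   curl --cacert OUT https://internal.example/
make_private_bundle() {
    sys=$(find_ca_bundle 2>/dev/null) || sys=""
    { [ -n "$sys" ] && cat "$sys"; echo; cat "$1"; } > "$2"
    grep -c 'BEGIN CERTIFICATE' "$2"
}

# make_capath DIR CA_PEM: a CApath is searched by a hash of the subject
# name, so a copied file alone is never found; create the <hash>.0 link that
# c_rehash / 'openssl rehash' would.  Prints the link path.
#   curl --capath DIR https://internal.example/
make_capath() {
    mkdir -p "$1"
    cp "$2" "$1/"
    h=$(openssl x509 -in "$2" -noout -subject_hash)
    ln -sf "$(basename "$2")" "$1/$h.0"
    printf '%s\n' "$1/$h.0"
}

WORK=$(mktemp -d)
# Minimal req config so this runs without a distro openssl.cnf; CA:TRUE and
# keyCertSign are what let openssl (and so curl) accept the cert as a trust anchor.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name   = dn
x509_extensions      = ca_ext
[dn]
[ca_ext]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -config "$WORK/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=Example Private CA' -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

echo "system bundle: $(find_ca_bundle 2>/dev/null || echo none)"
echo "private bundle holds $(make_private_bundle "$WORK/ca.crt" "$WORK/bundle.pem") CA certs"
echo "capath link: $(make_capath "$WORK/capath" "$WORK/ca.crt")"
# Both lookups must find the CA; a curl built on OpenSSL does exactly these.
openssl verify -CAfile "$WORK/bundle.pem" "$WORK/ca.crt"
openssl verify -CApath "$WORK/capath" "$WORK/ca.crt"
```

Handing curl a private bundle or CApath per job, rather than appending to the system store, keeps the private CA's trust scoped to the commands that need it and survives OS package updates that rewrite the system bundle.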




Ken Felix

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 

        /  \



F5 APM policy ClientSideChecks looping

We ran into an issue a while back with VPN users and an F5 APM policy ClientSideCheck looping. Within the CSC, each check has a "continuous" enable|disable option.




By disabling "continuous", the check runs once; after the first success it will no longer re-check.



Ken Felix

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 

        /  \

Tuesday, September 27, 2016

Cisco ACS 5.x and BIG-IQ 5.0 RADIUS Attributes

In this post I will show the relevant RADIUS configuration for the attributes on the Cisco ACS and on the F5 BIG-IQ.


1st, I downloaded the VSA template that we will use for inserting the F5 vendor-specific attributes.








I found it much easier to export the Cisco ACS template, modify it, and re-import it. Trying to download the F5-supplied template and get a flawless import is very time consuming.





2nd, after a successful import it is wise to click "show vendor attributes" and check things over.







I kept my RADIUS attribute list small, with only the attributes I required, so the full VSA dictionary was not included.






Now we can define the attributes in our network authorization profiles, mapping the attributes required for a specific role.


Here's a sample of my F5 authorization profiles. They were defined generically to match an F5 "role". Notice the attributes are defined along with a generic Reply-Message, which will help in further diagnostics and analysis.



by applingy a unique reply message per ACS  authorization_profile and then using just that profile in a policy,  can help you  narrow down what policy and  authorization_profile that's being used & matched


So here's the final  policies


On the BIG-IQ you will need to define the radius settings and remote-role. It's a good ideal to define a default  role of guest . If no role is found, the "no-access" becomes your default role btw.

( cli  cfg   BIG-IQ 5.0 )

Sys::Version
Main Package
  Product     BIG-IQ
  Version     5.0.0
  Build       0.0.3026
  Edition     Final

  Date        Tue Jun  7 00:17:51 PDT 2016



admin@(BIGIQCALITECH01)(Active)(/Common)(tmos)# list auth 
auth password-policy { }
auth radius system-auth {
    debug enabled
    servers {
        RAD01
        RAD02
        RAD03
    }
    service-type default
}
auth radius-server RAD01  {
    secret test1234567890
    server 10.3.1.11
    timeout 30
}
auth radius-server RAD02 {
    secret test1234567890
    server 10.4.1.11
    timeout 30
}
auth radius-server RAD03 {
    secret test1234567890 
    server 10.5.1.11
    timeout 30
}
auth remote-role {
    role-info {
        operator {
            attribute F5-LTM-User-Info-1=operator
            console tmsh
            line-order 2
            role 400
            user-partition All
        }
        resource-admin {
            attribute F5-LTM-User-Info-1=resource
            console tmsh
            line-order 3
            role 20
            user-partition All
        }
    }
}
auth remote-user {
    default-role guest
    remote-console-access tmsh
}
auth source {
    type radius
}
auth user admin {
    description "Predefined Admin User"
    encrypted-password  myencpsssword_admin_user
    partition Common
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell tmsh
}



While debugging my lack of attributes being sent from the Cisco ACS, I found that the RADIUS request differs quite a bit depending on how you access the BIG-IQ.

Check out this WebGUI access and then SSHd access, and notice the attributes sent by the RADIUS client (the BIG-IQ):




Also, another finding: the security and audit logs via the CLI never show WebGUI access successes or failures, nor do we get audit logging of command executions done via the WebGUI.

(audit logging via cli)


( security logging via cli )



TIP: The F5 security logs typically display either RAW: sshd(pam_audit): for SSH access or RAW: httpd(mod_auth_pam): for WebGUI access.


BTW: 

In the WebGUI, it was unclear to me whether you need to define user groups, but if you do, the group name needs to match the value of the F5 attribute being sent by the Cisco ACS (see the above Vendor-3375-Attr-12, aka F5-LTM-User-Info-1, attribute #12 of the F5 VSA).
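What that attribute looks like on the wire, as an added example (my script, not from the original post, F5 or Cisco): it encodes and decodes the RADIUS Vendor-Specific attribute (type 26, RFC 2865) that carries the BIG-IQ role, vendor id 3375 with vendor type 12 = F5-LTM-User-Info-1 as named above. Encode gives you the bytes the ACS should be putting in the Access-Accept, so you can compare against a capture; decode turns captured bytes back into the `F5-LTM-User-Info-1=operator` form that the BIG-IQ remote-role `attribute` line uses. Values are assumed to be ASCII; "operator" and "guest" are sample values, and the generic `Vendor-3375-Attr-N` name for other vendor types follows the naming the ACS showed above.

```sh
#!/bin/sh
# Added example, not from the original post or from F5/Cisco: encode and
# decode the RADIUS Vendor-Specific attribute (type 26, RFC 2865) that
# carries the BIG-IQ role, vendor id 3375 with vendor type 12 =
# F5-LTM-User-Info-1 as named on the page.  Values are ASCII; "operator"
# and "guest" below are sample values.

F5_VENDOR_ID=3375   # F5 Networks private enterprise number

# hex_of STRING: ASCII string as lowercase hex with no separators.
hex_of() {
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
}

# hex_byte HEX N: byte N (0-based) of a hex string, as decimal.
hex_byte() {
    echo $((0x$(printf '%s' "$1" | cut -c$((2 * $2 + 1))-$((2 * $2 + 2)))))
}

# encode_f5_vsa VENDOR_TYPE VALUE: the attribute as hex,
#   26 | length | vendor-id (4 bytes) | vendor-type | vendor-length | value
encode_f5_vsa() {
    vlen=$((2 + ${#2}))      # vendor-type + vendor-length + value bytes
    len=$((6 + vlen))        # type + length + vendor-id + the sub-attribute
    printf '%02x%02x%08x%02x%02x%s' 26 "$len" "$F5_VENDOR_ID" "$1" "$vlen" "$(hex_of "$2")"
}

# decode_f5_vsa HEX: print NAME=value for a vendor-3375 VSA (the same form
# the BIG-IQ remote-role 'attribute' line uses); return 1 if it is not one.
decode_f5_vsa() {
    [ "$(hex_byte "$1" 0)" -eq 26 ] || return 1
    [ $((0x$(printf '%s' "$1" | cut -c5-12))) -eq "$F5_VENDOR_ID" ] || return 1
    vtype=$(hex_byte "$1" 6)
    vlen=$(hex_byte "$1" 7)
    valhex=$(printf '%s' "$1" | cut -c17-$((16 + 2 * (vlen - 2))))
    value=""
    for pair in $(printf '%s' "$valhex" | sed 's/../& /g'); do
        value="$value$(printf "\\$(printf '%03o' $((0x$pair)))")"
    done
    case $vtype in
        12) name=F5-LTM-User-Info-1 ;;
        *)  name="Vendor-$F5_VENDOR_ID-Attr-$vtype" ;;   # generic naming, as the ACS shows it
    esac
    printf '%s=%s\n' "$name" "$value"
}

vsa=$(encode_f5_vsa 12 operator)
echo "on the wire: $vsa"      # 1a 10 00000d2f 0c 0a 6f70657261746f72
decode_f5_vsa "$vsa"          # F5-LTM-User-Info-1=operator
```

When the BIG-IQ drops a user to the default role even though the ACS policy looks right, decoding the attribute bytes from a capture of the Access-Accept tells you immediately whether the server sent nothing, sent the wrong vendor id, or sent a value that does not match any remote-role `attribute` line.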


( example radius servers configuration and user-group via the webgui  )



(user-group  and specific RAdius-VSA attribute that's  expected for this role )



(  BIG-IQ roles  numbers-2-names  )







And lastly, I used the wrong browser initially (Safari) and later Firefox release 48, and the same bug corrupted our ACS policy database. So even though the WebGUI of the Cisco ACS showed the authorization profile and policy correctly configured, the Cisco ACS instance did not send the RADIUS attribute.


So we will look at the next patch (#5) and see what the release notes show.


Tip: if you are trying SSH access and cannot get a shell, the log will show the following:



Tip: use the ACS reporting if you're experiencing authentication issues.





Ken Felix

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 

        /  \

Monday, September 26, 2016

WildFire EU

I happened to log in to my Palo Alto account and found that they have an EU portal.

WildFire can be accessed via the following URLs:


https://wildfire.paloaltonetworks.com 
https://wildfire.paloaltonetworks.jp
https://eu.wildfire.paloaltonetworks.com

reference:

https://www.paloaltonetworks.com/company/press/2016/palo-alto-networks-unveils-new-wildfire-european-cloud-hosted-in-the-netherlands






It looks like Palo Alto also redirects ARIN address space to the general WF instance, RIPE to the EU instance, and Pacific-based users to Japan.












Ken
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 

        /  \

OPNsense configuration backups

In this post I will demonstrate one of the best new features in the OPNsense firewall. In fact I'm surprised it took this long, and that no commercial firewall vendor has a means for "selective" configuration backup.

In OPNsense, you can now do full backups or back up selected areas only.



Okay, so what this allows:

  •  you can back up specific parts, or all, of the firewall configuration
  •  you can restore all of it or a specific part
  •  you still have the option to encrypt the backup
  •  you can make changes and, if you have a backup, restore only the area the change was in
  •  it is great for handing XML configurations to an outside 3rd party for auditing purposes

Here's an interface configuration backup in XML format:





Here's the same configuration, but encrypted:







You have to love  open source networking and firewalls.






It would be nice if the open source dev team would allow:

1: selectable encryption methods
2: "diffs" of configuration files before restore operations
3: automated configuration backups on a schedule for a particular area

Open source firewalls and managers are a real alternative. A few great solutions exist: iptables and firewalld (an iptables manager), m0n0wall, pfSense, OPNsense, OpenBSD's Packet Filter (pf), Untangle, etc.
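Wishlist item 2 does not need to wait for the dev team: since a backup is config.xml, or one section of it, the diff can be done outside the firewall with standard tools. The following is an added example (my script, not OPNsense code and not from the original post): it pulls one section out of a config and diffs it against a backup's copy of that section before a restore, so the '+' lines show exactly what the restore would bring in. The two XML documents are constructed toy samples, not real OPNsense configs, and the script assumes section tags sit on their own lines as OPNsense writes them.

```sh
#!/bin/sh
# Added example, not from the original post and not OPNsense code.  An
# OPNsense backup is config.xml, or one <section> of it.  This pulls a
# section out of a config and diffs it against a backup before you
# restore, the "diffs before restore" asked for in the wishlist.  The two
# XML documents are constructed toy samples, not real OPNsense configs.

# extract_section FILE NAME: print <NAME> ... </NAME> from a config.xml.
# Assumes the section tags sit on their own lines, as OPNsense writes them.
extract_section() {
    sed -n "/^[[:space:]]*<$2>/,/^[[:space:]]*<\/$2>/p" "$1"
}

# diff_section RUNNING BACKUP NAME: unified diff of one section, running
# config first, so '+' lines are what a restore of BACKUP would bring in.
# Returns 0 if identical, 1 if they differ (diff's own exit codes).
diff_section() {
    cur=$(mktemp); bak=$(mktemp)
    extract_section "$1" "$3" > "$cur"
    extract_section "$2" "$3" > "$bak"
    diff -u "$cur" "$bak" && rc=0 || rc=$?
    rm -f "$cur" "$bak"
    return $rc
}

RUNNING=$(mktemp); BACKUP=$(mktemp)
# Constructed running config.
cat > "$RUNNING" <<'EOF'
<?xml version="1.0"?>
<opnsense>
  <system>
    <hostname>fw01</hostname>
  </system>
  <interfaces>
    <wan>
      <if>em0</if>
      <ipaddr>dhcp</ipaddr>
    </wan>
    <lan>
      <if>em1</if>
      <ipaddr>192.168.1.1</ipaddr>
      <subnet>24</subnet>
    </lan>
  </interfaces>
</opnsense>
EOF
# Constructed earlier backup, taken before the LAN was re-addressed.
cat > "$BACKUP" <<'EOF'
<?xml version="1.0"?>
<opnsense>
  <system>
    <hostname>fw01</hostname>
  </system>
  <interfaces>
    <wan>
      <if>em0</if>
      <ipaddr>dhcp</ipaddr>
    </wan>
    <lan>
      <if>em1</if>
      <ipaddr>10.0.0.1</ipaddr>
      <subnet>24</subnet>
    </lan>
  </interfaces>
</opnsense>
EOF

echo "== interfaces section of the running config =="
extract_section "$RUNNING" interfaces
echo "== what restoring the interfaces backup would change =="
diff_section "$RUNNING" "$BACKUP" interfaces || echo "(restore would change the section above)"
```

Run the diff against the section you are about to restore and keep the output with the change ticket; a restore that "only touches interfaces" but shows unexpected '+' lines in the diff is exactly the case the selective backup feature was meant to prevent.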

Ken

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 
        /  \

Wednesday, September 14, 2016

My PCNSE7 exam review

I finally took and passed the Palo Alto PCNSE7 exam this AM. Like the PCNSE6, it has straightforward questions.




Since I couldn't find any Palo Alto PCNSE7 study materials, I used the following:



  • re-study PAN-OS 6 and 7 CLI commands
  • review the PCNSE7 blueprint material from Palo Alto
  • look at the various ACC tabs
  • remember the hard-to-forget test commands
  • re-read a lot of Palo Alto Live notes on Panorama


The combination of those, plus experience with PAN-OS 6, was what let me get a passing score on the PCNSE7. It's a challenging exam but not very hard if you have experience and put a few hours aside to read and study up on PAN-OS.



I used the Pearson VUE test center in NE Austin off Dessau Ridge Road and Howard Lane.


The challenging issues with Palo Alto are:


  •  no Press-style books
  •  very limited study-forum or community-forum information available (I'll start posting PAN-OS blog information here in the next few months)
  •  very little collaboration amongst security engineers


The positives:


  •    a next-gen firewall with cool application decoders
  •    great videos



 



PANW
https://www.paloaltonetworks.com/services/live-community





Ken

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 
        /  \

Friday, September 9, 2016

CRL certificate revocation checks

Here's a quick tutorial on how to manually look up a certificate's revocation status in a CA's CRL.

http://www.entrust.net/customer/crl_form.cfm

If you used Entrust to sign a certificate and you need to confirm that it has been revoked, retrieve the certificate serial number and the CA (issuer) details from the certificate and use the above link to query its status. Both matter: a serial number is only unique within one issuing CA, so the form has to be told which Entrust CA signed the certificate.

Here's a certificate installed on an F5 LTM (take note of the hex serial number and the CA issuer):



Next, pop the serial number into the query input (after selecting the L1K issuing CA) and, if it's revoked, you will get the status, which includes the date/time of revocation.







The openssl utility is also a good way to gather the certificate serial number; note that it prints the serial in hex, which is the form the query form expects.






e.g.

openssl x509 -in <certificatename.crt> -noout -serial
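The lookup the Entrust form performs, reproduced locally as an added example (my script, not from the original post and not Entrust's): a throw-away CA issues two certificates, revokes one and publishes a CRL; the script then pulls the serial from each certificate, looks it up in the CRL, and runs openssl's own -crl_check, which is the same test automated. The CA name, file names, serial numbers and the `openssl ca` config are all invented for the demo; a comment at the end shows how to pull the serial and issuer straight off a live server with s_client instead of from a file.

```sh
#!/bin/sh
# Added example, not from the original post.  The Entrust form above looks a
# serial number up in the CA's CRL; this does the same thing locally against
# a throw-away CA so the moving parts are visible: the serial out of the
# cert, the serial in the CRL, and openssl's own -crl_check.  The CA name,
# file names and the 'openssl ca' config are all made up for the demo.

WORK=$(mktemp -d)
cd "$WORK" || exit 1
mkdir -p ca/newcerts
: > ca/index.txt
echo 1000 > ca/serial         # next serial to issue (hex)
echo 01   > ca/crlnumber      # next CRL number

# 'openssl ca' will not issue or revoke without a config; this is the minimum.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = local_ca
[ local_ca ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = ./ca.crt
private_key      = ./ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = policy_any
[ policy_any ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Throw-away root CA and two leaf certs; one of them gets revoked.
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj '/CN=Example Root CA' -keyout ca.key -out ca.crt 2>/dev/null
for n in good bad; do
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=vip-$n.example.test" -keyout "leaf-$n.key" -out "leaf-$n.csr" 2>/dev/null
    openssl ca -config ca.cnf -batch -in "leaf-$n.csr" -out "leaf-$n.crt" 2>/dev/null
done
openssl ca -config ca.cnf -revoke leaf-bad.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null

# cert_serial CERT: the hex serial, i.e. the value you paste into a CRL form.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# crl_has_serial CRL SERIAL: 0 if SERIAL appears in the CRL's revoked list.
crl_has_serial() {
    openssl crl -in "$1" -noout -text | grep -iq "Serial Number: $2"'$'
}

# cert_status CERT: good / revoked / invalid, from openssl's own CRL check.
cert_status() {
    out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1" 2>&1) && { echo good; return 0; }
    case $out in
        *"certificate revoked"*) echo revoked ;;
        *) echo "invalid: $out" ;;
    esac
}

for n in good bad; do
    s=$(cert_serial "leaf-$n.crt")
    if crl_has_serial ca.crl "$s"; then listed=yes; else listed=no; fi
    echo "leaf-$n.crt serial=$s in-CRL=$listed status=$(cert_status "leaf-$n.crt")"
done
# For a live server the serial and issuer come straight off the wire:
#   openssl s_client -connect host:443 </dev/null 2>/dev/null | openssl x509 -noout -serial -issuer
```

The manual form lookup and `openssl verify -crl_check` answer the same question, but the latter also verifies the CRL's signature and its nextUpdate date, which is what you want in a scheduled check of the certificates installed on your load balancers.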




Ken

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 
        /  \

Thursday, September 1, 2016

gnutls-serv for testing certificates and keys

openssl has s_client and s_server for testing certificates. GnuTLS has the equivalent in gnutls-serv, which mimics the s_server function in openssl.

Here's an example of loading a server certificate and key:


You will need sudo if you want to bind to a port below 1024.





If we have a bad key, or a mismatch between key and certificate, gnutls-serv will complain about the certificate and will not launch.




The GnuTLS server is great for pre-launch SSL/TLS checks and gives good diagnostics. With the -d option and an integer debug level you get verbose output.
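The key/certificate mismatch that gnutls-serv refuses to start on can be caught before launch, as an added example (my script, not from the original post or from the GnuTLS project): the public key extracted from the private key is compared with the public key inside the certificate, and the gnutls-serv command line the post describes is wrapped in that check. The port, the file names and the throw-away key/cert pairs are assumptions; the comparison works for RSA and EC keys in PKCS#1 or PKCS#8 form because both openssl commands emit the same SubjectPublicKeyInfo PEM.

```sh
#!/bin/sh
# Added example, not from the original post: the key/certificate mismatch
# that gnutls-serv refuses to start on, caught before launch with openssl,
# then the gnutls-serv command line the post describes, wrapped in that
# check.  The port, file names and throw-away key/cert pairs are assumptions.

# key_matches_cert KEY CERT: 0 if the public key inside CERT is the public
# half of KEY, 1 if not (or if either file is unreadable or corrupt).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# start_test_server KEY CERT PORT: pre-flight the pair, then run gnutls-serv
# in the foreground with debug level 3 for handshake diagnostics.
# Returns 1 on mismatch, 2 if gnutls-serv is not installed.
start_test_server() {
    if ! key_matches_cert "$1" "$2"; then
        echo "refusing to start: $1 is not the private key for $2" >&2
        return 1
    fi
    if ! command -v gnutls-serv >/dev/null 2>&1; then
        echo "gnutls-serv is not installed (package gnutls-bin on Debian/Ubuntu)" >&2
        return 2
    fi
    gnutls-serv --x509keyfile "$1" --x509certfile "$2" --port "$3" -d 3
}

WORK=$(mktemp -d)
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/req.cnf"   # minimal config so req runs anywhere
openssl req -config "$WORK/req.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=test.example' -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null      # unrelated key: the mismatch case
printf 'not a key at all\n' > "$WORK/bad.key"                # corrupt file: the "bad key" case

for key in server.key other.key bad.key; do
    if key_matches_cert "$WORK/$key" "$WORK/server.crt"; then
        echo "$key: matches server.crt"
    else
        echo "$key: does NOT match server.crt"
    fi
done
# Real run (needs GnuTLS; port 5556 is above 1024 so no sudo is needed):
#   start_test_server "$WORK/server.key" "$WORK/server.crt" 5556
```

Once the server is up, `gnutls-cli -p 5556 --x509cafile ca.crt localhost` from another terminal (or `openssl s_client -connect localhost:5556`) exercises the full handshake, and the -d 3 output on the server side shows which certificate and key were actually loaded.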







Ken

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 
        /  \