Wednesday, September 25, 2019

Fortigate IPSEC site2site with RSA signatures

In this post I will demonstrate how to build site-to-site VPNs using X.509 certificates. To make the environment easy to demo, I did the following.

I set up a vdom-link between two VDOMs (custA and root).

We get a CA certificate for our signing at Getacert. The root CA was also installed into the firewall.

100k foot view




Okay, so the first thing that typically happens is generating the CSR on the FortiGate and having it signed. In real life, your CA would be a public or private PKI.

https://www.getacert.com


On each FGT you craft a CSR. I like to keep the subject line small, with only a CN value.


This makes the solution very easy to diagnose. In this example we are using CN=root and CN=custA.

e.g. (a very basic CSR)



Now, when you have the CSR signed, you can import it back into the FGT and verify the subject line.

e.g.


openssl x509 -in fgt-2019-09-23-031604.cer -noout -subject 




Okay, brilliant, a simple subject line. Now we define the peer match statements that check the root CA and the CN string.


#vdom=custA

config user peer
    edit "root"
        set ca "CA_Cert_2"
        set cn "root"
    next
end

#vdom=root
# named "custA" so the root VDOM's phase1 (set peer "custA") can reference it

config user peer
    edit "custA"
        set ca "CA_Cert_2"
        set cn "custA"
    next
end


Okay, let's apply the configurations for phase1 and phase2.


( 1st fw )

 (root) # show vpn ipsec phase1-interface vpn1
config vpn ipsec phase1-interface
    edit "vpn1"
        set interface "vlink10"
        set authmethod signature
        set mode aggressive
        set proposal aes128-sha256
        set dhgrp 5
        set remote-gw 10.19.199.2
        set certificate "root"
        set peer "custA"
    next
end

 (root) # show vpn ipsec phase2-interface vpn1-2
config vpn ipsec phase2-interface
    edit "vpn1-2"
        set phase1name "vpn1"
        set auto-negotiate enable
    next
end




(The 2nd firewall is the reverse of the 1st.) The other firewall has the following details:


config vpn ipsec phase1-interface
    edit "vpn2"
        set interface "vlink11"
        set authmethod signature
        set mode aggressive
        set proposal aes128-sha256
        set dhgrp 5
        set remote-gw 10.19.199.1
        set certificate "custA"
        set peer "root"
    next
end

 (custA) # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
    edit "vpn2-2"
        set phase1name "vpn2"
        set auto-negotiate enable
    next
end
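The two sides above have to agree on more than the proposal: the `set peer` name must exist as a user peer object, that object's `cn` must equal the CN of the certificate the other side presents, and both sides must trust the same CA. The following checker is an added example, not code from the post or from Fortinet; it parses the `config user peer` and `config vpn ipsec phase1-interface` blocks of each VDOM (constructed here from the configs above) and assumes, as the post does, that each local certificate object is named after its subject CN, so the peer's `set cn` is compared against the other side's `set certificate`.

```python
"""Cross-check the two FortiOS sides of an RSA-signature IPsec tunnel.

Added example, not from the post or from Fortinet. Assumption: a local
certificate object is named after its subject CN (CN=root, CN=custA), so
the peer object's `set cn` must equal the other side's `set certificate`.
"""

PHASE1 = "vpn ipsec phase1-interface"
PEER = "user peer"

# Constructed from the configs in the post (root VDOM and custA VDOM).
ROOT_VDOM = """\
config user peer
    edit "custA"
        set ca "CA_Cert_2"
        set cn "custA"
    next
end
config vpn ipsec phase1-interface
    edit "vpn1"
        set interface "vlink10"
        set authmethod signature
        set mode aggressive
        set proposal aes128-sha256
        set dhgrp 5
        set remote-gw 10.19.199.2
        set certificate "root"
        set peer "custA"
    next
end
"""

CUSTA_VDOM = """\
config user peer
    edit "root"
        set ca "CA_Cert_2"
        set cn "root"
    next
end
config vpn ipsec phase1-interface
    edit "vpn2"
        set interface "vlink11"
        set authmethod signature
        set mode aggressive
        set proposal aes128-sha256
        set dhgrp 5
        set remote-gw 10.19.199.1
        set certificate "custA"
        set peer "root"
    next
end
"""


def parse_fortios(text):
    """Return {(table, entry_name): {key: value}} for every config/edit block."""
    entries, table, name = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = line[len("config "):]
        elif line.startswith("edit ") and table:
            name = line[len("edit "):].strip('"')
            entries[(table, name)] = {}
        elif line.startswith("set ") and table and name is not None:
            key, _, value = line[len("set "):].partition(" ")
            entries[(table, name)][key] = value.strip('"')
        elif line == "next":
            name = None
        elif line == "end":
            table = None
    return entries


def check_direction(local_text, remote_text):
    """Problems that stop `local` from authenticating `remote`'s certificate."""
    local, remote = parse_fortios(local_text), parse_fortios(remote_text)
    lname, lp1 = next((n, v) for (t, n), v in local.items() if t == PHASE1)
    rname, rp1 = next((n, v) for (t, n), v in remote.items() if t == PHASE1)
    problems = []
    if lp1.get("authmethod") != "signature":
        problems.append(f"{lname}: authmethod is not 'signature'")
    peer = local.get((PEER, lp1.get("peer")))
    if peer is None:
        problems.append(f"{lname}: 'set peer {lp1.get('peer')}' names no user peer object")
    else:
        if peer.get("cn") != rp1.get("certificate"):
            problems.append(f"{lname}: peer cn {peer.get('cn')!r} != remote certificate "
                            f"{rp1.get('certificate')!r}")
        remote_peer = remote.get((PEER, rp1.get("peer")))
        if remote_peer is not None and peer.get("ca") != remote_peer.get("ca"):
            problems.append(f"{lname}/{rname}: different CA objects "
                            f"({peer.get('ca')} vs {remote_peer.get('ca')})")
    for key in ("mode", "proposal", "dhgrp"):       # must match on both sides
        if lp1.get(key) != rp1.get(key):
            problems.append(f"{lname}/{rname}: {key} mismatch ({lp1.get(key)} vs {rp1.get(key)})")
    return problems


def check_tunnel(side_a, side_b):
    """Both directions; an empty list means the two sides agree."""
    return check_direction(side_a, side_b) + check_direction(side_b, side_a)
```

Run `check_tunnel(ROOT_VDOM, CUSTA_VDOM)` on the pasted configs; a peer object whose name does not match `set peer`, a CN typo, or a proposal edited on only one side each come back as one line naming the phase1 entry, which is exactly the set of things the post tells you to double-check.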


In the FortiOS config you reference the local certificate and the peer object that validates the remote peer. Both the root CA and the end-point certificate need to be imported into the FortiGate.

Diagnostic commands: "diag vpn ike gateway" and "diag vpn tunnel list"




Notice that the peer-id is the certificate's CN.




So always double-check the proposal and CN values in your config if you have issues setting up an IPsec site-to-site VPN with RSA signatures.










NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \



Wednesday, September 18, 2019

IPSEC route-based vpn Fortigate and TNSR

In this blog we will look at an IPsec VPN tunnel from a FortiGate to a TNSR appliance in the AWS cloud.

I just recently obtained a TNSR update cert and upgraded my virtual appliance to 19.08. The upgrade went fine, but I had numerous issues afterwards with the config daemon, which need further investigation.



The IPsec VPN configuration is very simple, but you need to check every item in the configuration at the TNSR CLI to ensure completeness.

First the FortiOS side (a plain-jane route-based configuration; nothing is complex here).







A few items to point out.

  •   This is a route-based VPN, and a route was used for the TNSRnew interface
  •   I defined phase1-idtype as fqdn with a simple value of "fgt.socpuppets.com"
  •   I used the onboard wizard (Cisco option) to build a basic configuration and later changed the proposals

The TNSR side has a lot more work, but the configuration is straightforward. Here's the snippet of the XML dump of the configuration.




The configuration can be dumped with "show configuration running" from the CLI.




But to get to that config you have to do a few things. You can follow the IPsec example at the support site to get an idea of the items that need configuring for IPsec.


Ensure you set the IKE version (1 or 2) to match the FortiOS value you defined in the FGT.

https://docs.netgate.com/tnsr/en/latest/ipsec/example.html



Now for diagnostics, should the need for troubleshooting come up:

FortiOS

   diag sniffer packet <interface name> "udp 500 or 4500"
   diag debug enable
   diag debug application ike 10
   diag vpn tunnel list
   diag vpn ike gateway

 TNSR

Here we use the "show ipsec tunnel verbose" command, and the logs at /var/log/messages show the IPsec log details (strongSwan is the IPsec engine for TNSR, btw).

https://en.wikipedia.org/wiki/StrongSwan

To get to the logs, open a shell from the TNSR CLI and run the following:

    shell
    sudo tail -n 40 /var/log/messages
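Reading those strongSwan lines by eye gets old quickly, so here is an added example (not TNSR's, Netgate's, strongSwan's or the post's code) that pulls the useful facts out of the charon entries in /var/log/messages: the local and remote IKE identities, the CHILD_SA SPIs, and the notices that usually mean a proposal or identity mismatch. The log lines are constructed in charon's syslog style; only fgt.socpuppets.com comes from the post, and the TNSR-side identity is a placeholder.

```python
"""Summarise strongSwan (charon) lines from /var/log/messages on a TNSR box.

Added example, not TNSR's, Netgate's, strongSwan's or the post's code.
SAMPLE_LOG is constructed; fgt.socpuppets.com is the FQDN from the post,
tnsr.placeholder.example stands in for the TNSR-side identity.
"""
import re

SAMPLE_LOG = """\
Sep 18 10:01:01 tnsr charon[1234]: 06[IKE] looking for peer configs matching 10.0.1.5[%any]...203.0.113.7[fgt.socpuppets.com]
Sep 18 10:01:02 tnsr charon[1234]: 06[IKE] IKE_SA con1[3] established between 10.0.1.5[tnsr.placeholder.example]...203.0.113.7[fgt.socpuppets.com]
Sep 18 10:01:02 tnsr charon[1234]: 06[IKE] CHILD_SA con1{5} established with SPIs c1a2b3c4_i d5e6f7a8_o and TS 10.0.1.0/24 === 192.168.1.0/24
Sep 18 10:05:30 tnsr charon[1234]: 08[IKE] received NO_PROPOSAL_CHOSEN notify error
Sep 18 10:06:00 tnsr charon[1234]: 09[IKE] no peer config found
"""

IKE_SA_RE = re.compile(
    r"IKE_SA (?P<conn>[^\s\[]+)\[\d+\] established between "
    r"(?P<laddr>[^\s\[]+)\[(?P<lid>[^\]]+)\]\.\.\.(?P<raddr>[^\s\[]+)\[(?P<rid>[^\]]+)\]")
CHILD_SA_RE = re.compile(
    r"CHILD_SA (?P<conn>[^\s{]+)\{\d+\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o")
# Notices that usually mean the proposals or the identities do not match the peer.
FAILURE_MARKERS = ("NO_PROPOSAL_CHOSEN", "AUTHENTICATION_FAILED",
                   "no peer config found", "no IKE config found")


def parse_charon_log(text):
    """Return {'ike': [...], 'child': [...], 'failures': [...]} from raw log text."""
    summary = {"ike": [], "child": [], "failures": []}
    for line in text.splitlines():
        if "charon" not in line:
            continue                     # other daemons log to /var/log/messages too
        m = IKE_SA_RE.search(line)
        if m:
            summary["ike"].append(m.groupdict())
            continue
        m = CHILD_SA_RE.search(line)
        if m:
            summary["child"].append(m.groupdict())
            continue
        if any(marker in line for marker in FAILURE_MARKERS):
            summary["failures"].append(line.split("] ", 1)[-1])   # drop syslog prefix
    return summary


def check_identities(summary, expected_local, expected_remote):
    """Established IKE_SAs whose identities differ from the configured FQDNs."""
    bad = []
    for sa in summary["ike"]:
        if sa["lid"] != expected_local or sa["rid"] != expected_remote:
            bad.append(f"{sa['conn']}: got {sa['lid']!r}...{sa['rid']!r}, "
                       f"expected {expected_local!r}...{expected_remote!r}")
    return bad


def spis_mirror_peer(child, peer_spi_in, peer_spi_out):
    """The post's note: our inbound SPI is the FortiGate's outbound one and vice versa."""
    return child["spi_in"] == peer_spi_out and child["spi_out"] == peer_spi_in
```

Feed it the output of `sudo tail -n 40 /var/log/messages` and compare the extracted SPIs with the FortiGate's "diag vpn tunnel list" output; the identities check is the quick way to confirm the fqdn values on both ends really are what the responder saw.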


Here are some screenshots from the FortiGate on a FGT-to-TNSR setup.


phase1 details



phase2 details



 NOTE: The SPI values for in/out on the FortiGate match the TNSR out/in.

TNSR IKE and child Security Association details:


Take note of the local and remote identities for the two end-points. These are mandatory for AWS, since the Elastic IP and the interface IP are not the same. I used an "fqdn" type with a simple entry. The FQDN does NOT need to exist in DNS, btw.

e.g



Here is our TNSR "show ipsec tunnel verbose" output executed from the CLI:




and a TNSR log file looks like the following:



TNSR interfaces from the CentOS bash shell for this demo AWS instance:





You can learn more about TNSR at the following link, Netgate's TNSR:
  https://www.tnsr.com



They have software and appliances that can drive 100 Gbps or more, with hardware CPUs that can push 14 Mpps per core. The folks at Netgate have built this system mainly for CLI or API usage. I will post more about the API usage later, along with examples.


Enjoy











More on JumpCloud and with API examples

Integration into a cloud IAM-as-a-service from OneLogin and JumpCloud is easy and fun. Here are some more working examples for JumpCloud.

In JumpCloud we need to create an API key; this API key will be used to call the correct API version.

An API key looks similar to the following: 2a8a2f959020db33d068b79d78b05463b0ddb755

You can create one for each administrator by clicking his name and generating a key:



We can pass JSON-formatted data to the JumpCloud API:



{
    "username": "jdoe",
    "email": "jdoe@example.com",
    "firstname": "juan",
    "lastname": "doe",
    "password": "text1234"
}






A system-user entry for creating a user is structured like the following:


curl -H "x-api-key: c3f8dd2695e3eecb5c486d438b5113c721683c3c"  --data-binary  "@/JumpcloudCreate" -H "Content-Type: application/json" -H "Accept: application/json"  "https://console.jumpcloud.com/api/systemusers"


or



 curl -X POST -H "x-api-key: c3f8dd2695e3eecb5c486d438b5113c721683c3c" -d '{ "email":"jode@null.com","firstname":"jode","lastname":"last","username":"user1" }' \
   -H "Content-Type: application/json" "https://console.jumpcloud.com/api/systemusers"





If you try to recreate the same user you will get a friendly error:




curl -X POST -H "x-api-key: c3f8dd2695e3eecb5c486d438b5113c721683c3c" -d '{ "email":"jode@null.com","firstname":"jode","lastname":"last","username":"user1" }' \
  -H "Content-Type: application/json" "https://console.jumpcloud.com/api/systemusers"

user1 has already been registered


You can retrieve user details and pass query string values:


ken$ curl -H "Accept: application/xml"  -H "x-api-key: c3f8dd2695e3eecb5c486d438b5113c721683c3c" "https://console.jumpcloud.com/api/systemusers?fields=username&fields=email"
{"totalCount":5,"results":[{"username":"ldap","email":"ldap@socpuppets.com","_id":"5af0e038bf0eb553c7fb03fa"},{"username":"NGFW","email":"ngfw@null.com","_id":"5b7c56122b08836127e3a492"},{"username":"user11","email":"user11@null.com","_id":"5b7c56599e583e1899296370"},{"username":"ssn","email":"ssn@null.com","_id":"5bbe8313457a9c62030e16cd"},{"username":"smcldap","email":"kfelix@socpuppets.com","_id":"5d67537a65a85751406a8698"}]}

You can lock a user account by passing a boolean value of 1 and calling up that user by its id:

curl -X PUT -d '{ "account_locked":"1" }' -H "Content-Type: application/json"  -H "Accept: application/json"   -H "x-api-key: c3f8dd2695e3eecb5c486d438b5113c721683c3c" "https://console.jumpcloud.com/api/systemusers/5b7c56122b08836127e3a492"








 You can get creative and set a random password at account-creation time using Perl or Python.

ken$ cat pass.py

import string
from secrets import choice, randbelow   # secrets is a CSPRNG; the random module is not

chars = string.ascii_letters + string.punctuation + string.digits

# 10 to 14 characters, inclusive
passwd = "".join(choice(chars) for _ in range(10 + randbelow(5)))

print(passwd)


Example of the password structure the above script produces:


sh-3.2$ python pypass
oQL?HXq4.$


In order to delete a user (again a very similar operation to OneLogin), use the HTTP request method DELETE and the id:

 curl -X DELETE -H "Content-Type: application/json"  -H "x-api-key: c3f8dd2695e3eecb5c486d438b5113c721683c3c"   -H "Accept: application/json"  "https://console.jumpcloud.com/api/systemusers/5d815b250bc54b194afeb1e0"




Notice that the custom header x-api-key carries the API key in all the above examples.
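Pasting the key on the command line, as the curl examples do, leaves it in shell history. As an added example (not JumpCloud's or the post's code), here is a small Python client that wraps the same four calls (create, list, lock, delete) with the key read from a JUMPCLOUD_API_KEY environment variable. It assumes the endpoints, the x-api-key header and the "already been registered" error text exactly as they appear above, and takes an injectable `transport` so the request building can be checked without network access.

```python
"""Minimal JumpCloud systemusers client around the calls shown in the post.

Added example, not JumpCloud's or the post's code. Assumes the endpoints,
the x-api-key header and the duplicate-user error text shown in the post.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

API_BASE = "https://console.jumpcloud.com/api"


class UserAlreadyExists(Exception):
    """JumpCloud answered '<user> has already been registered'."""


class JumpCloudClient:
    def __init__(self, api_key=None, transport=None):
        # Take the key from the environment so it never lands in shell history.
        self.api_key = api_key or os.environ.get("JUMPCLOUD_API_KEY")
        if not self.api_key:
            raise ValueError("set JUMPCLOUD_API_KEY or pass api_key")
        self.transport = transport or self._send_with_urllib

    @staticmethod
    def _send_with_urllib(req):
        """Send the request; return (status, body) and treat HTTP errors as answers."""
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode("utf-8", "replace")

    def _call(self, method, path, body=None, query=None):
        url = API_BASE + path
        if query:
            url += "?" + urllib.parse.urlencode(query, doseq=True)   # fields=a&fields=b
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "x-api-key": self.api_key,           # the custom header on every call
            "Content-Type": "application/json",
            "Accept": "application/json",
        })
        status, text = self.transport(req)
        try:
            payload = json.loads(text) if text else None
        except ValueError:
            payload = text                        # error bodies come back as plain text
        return status, payload

    def create_user(self, username, email, firstname, lastname, password):
        body = {"username": username, "email": email, "firstname": firstname,
                "lastname": lastname, "password": password}
        status, payload = self._call("POST", "/systemusers", body)
        if isinstance(payload, str) and "already been registered" in payload:
            raise UserAlreadyExists(payload)
        if status not in (200, 201):
            raise RuntimeError(f"create failed: HTTP {status}: {payload}")
        return payload

    def list_users(self, fields=("username", "email")):
        status, payload = self._call("GET", "/systemusers", query={"fields": list(fields)})
        if status != 200:
            raise RuntimeError(f"list failed: HTTP {status}: {payload}")
        return payload["results"]

    def lock_user(self, user_id):
        # The post passes account_locked as the value "1"; kept as-is here.
        return self._call("PUT", f"/systemusers/{user_id}", {"account_locked": "1"})

    def delete_user(self, user_id):
        return self._call("DELETE", f"/systemusers/{user_id}")
```

With the variable exported, `JumpCloudClient().create_user(...)` performs the same POST as the curl line, and a second call for the same username raises `UserAlreadyExists` instead of burying the "has already been registered" text in a generic failure.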













Saturday, September 14, 2019

HOWTO use MFA with Fortigate and OneLogin

In this blog post I will demo a simple but effective OneLogin RADIUS-aaS with MFA and a FortiGate firewall, and give you a few free API tips.

A few items;
  1. username "demosocpuppets"
  2. a policy was created in OneLogin with MFA set for the authentication policy and for the user
  3. the RADIUS server was configured in the FGT as a plain-jane RADIUS client
  4. the user's username was set in OneLogin with password+otp as the password format

Let's first peek at the OneLogin configuration items, since most of the work is done there.

First you need a RADIUS client defined. This is the FGT that sends the RADIUS request.




and set the username and password fields; by default username==email and password=password.





That concludes the RADIUS client configuration. Now it's best to build the Authenticator and MFA policy, since you will use them for the RADIUS client and the users. Do it in that order, too!

First we define our Authenticators; we want to use Google Authenticator. So I built mine and selected google-authenticator. Google Authenticator is widely accepted and it plain works, and works great. The time-based 6-digit OTP is pretty much hack proof.





The policy enables MFA and uses google-authenticator for this demo and user.







Okay, we are almost done. You only need to apply a user, with instructions in that user's settings, to use the MFA policy.




Make sure to set the user's "username" field; by default it is not required, but our RADIUS config and attributes use it as the username to authenticate, not the email address.




After the above has been done and the user has registered, we need to set his MFA profile in the user portal.

I'm using Authy for my token generator: https://authy.com/









The authentication would be similar to the following:

   Username="username in onelogin ......the user name field"
   Password="password<otp>"


Examples

 demosocpuppets 
 !test1234!435789 

Breaks down to;

   password = !test1234!
   otp= 435789
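To show what the RADIUS side does with a Password attribute in that shape, here is an added example (not OneLogin's, Fortinet's or the post's code): it splits the trailing six digits off as the OTP, compares the password part in constant time, and verifies the OTP as RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits), which is the scheme Google Authenticator and Authy generate. The shared secret and timestamps in the test are the RFC 6238 reference vectors; the stored password stands in for a real password-hash check.

```python
"""Split <password><otp> as sent to the RADIUS server and verify both factors.

Added example, not OneLogin's, Fortinet's or the post's code. TOTP per RFC 6238
(HMAC-SHA1, 30-second step, 6 digits); the stored password stands in for a
proper password-hash verification.
"""
import hashlib
import hmac
import struct
import time

OTP_DIGITS = 6
STEP_SECONDS = 30


def split_password_otp(attr, digits=OTP_DIGITS):
    """'!test1234!435789' -> ('!test1234!', '435789'); the OTP is the trailing digits."""
    if len(attr) <= digits or not attr[-digits:].isdigit():
        raise ValueError(f"password attribute does not end in a {digits}-digit OTP")
    return attr[:-digits], attr[-digits:]


def hotp(secret, counter, digits=OTP_DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=STEP_SECONDS):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def verify_totp(secret, otp, at, window=1):
    """Accept the current step plus `window` steps either side (clock skew);
    every candidate is compared in constant time."""
    counter = at // STEP_SECONDS
    ok = False
    for delta in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(secret, counter + delta).encode(), otp.encode())
    return ok


def verify_password_otp(attr, stored_password, secret, at=None):
    """Both factors must pass; the caller only gets one boolean, which is all a
    RADIUS Access-Accept / Access-Reject can express anyway."""
    at = int(time.time()) if at is None else at
    try:
        password, otp = split_password_otp(attr)
    except ValueError:
        return False
    password_ok = hmac.compare_digest(password.encode(), stored_password.encode())
    otp_ok = verify_totp(secret, otp, at)      # evaluate both, don't short-circuit
    return password_ok and otp_ok
```

The one-step window is the usual compromise between phone clock drift and replay exposure; a real server would additionally refuse to accept the same OTP value twice within its validity window.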

Here's a diag test from the FortiGate appliance that shows a PAP RADIUS request and the values sent to our OneLogin RADIUS server.


Here's SSH access being tested for the user demosocpuppets.



And finally the boring RADIUS configuration in FortiOS:

{ radius server }

{ group defined }

{ user account set for external authentication }



OneLogin has a few advantages over JumpCloud, but both are equally great platforms.

First off, the logs are great and the format is very simple to read.





And second, you can set login failure limits and a hold-out period in the OneLogin policy.




This, along with the on-appliance lock-on-failure settings, really secures the appliance and its users.







OneLogin also has some pre-defined reports and makes it easier to assume a user. The layout in the WebUI is just basically better.

The API interface is pretty awesome and uses a token granted based off your client id and secret. The life of the token is 1 hour.











Sample API calls using cURL

    { request a new token  }

 curl  -H "Authorization: client_id:<fromportal>, client_secret:<fromportal>" -k -H "Content-Type: application/json" -d '{ "grant_type":"client_credentials" }' https://api.us.onelogin.com/auth/oauth2/token



    { check rate limits  }

curl  -k -H "Authorization: bearer:bacf325e9fc62bd8314bb3293f714e8a9a27ebfabffc10b2f492131101e055e2" https://api.us.onelogin.com/auth/rate_limit

    { get a list of users }

 curl  -k -H "Authorization:bearer:bacf325e9fc62bd8314bb3293f714e8a9a27ebfabffc10b2f492131101e055e2" https://api.us.onelogin.com/api/1/users

   { get events }

curl  -k -H "Accept: application/xml"  -H "Authorization: bearer:bacf325e9fc62bd8314bb3293f714e8a9a27ebfabffc10b2f492131101e055e2" https://api.us.onelogin.com/api/1/events/

   { lock a user }

curl -X PUT   -k -d '{ "locked_until":"10" }'  -H "Accept: application/xml"  -H "Authorization: bearer:bacf325e9fc62bd8314bb3293f714e8a9a27ebfabffc10b2f492131101e055e2" https://api.us.onelogin.com/api/1/users/58498736/lock_user

   { change a user password }

curl -X PUT -H "Content-Type: application/json"   -k -d '{ "password":"socpuppets12345678", "password_confirmation":"socpuppets12345678" }'  -H "Accept: application/xml"  -H "Authorization: bearer:da242c58d2c76ef16b6652b163c5c25936f4b0a3a4e9dc841d69e68132c799da" https://api.us.onelogin.com/api/1/users/set_password_clear_text/58498736

    
 If you try something outside of your permissions you will get a response similar to the top photo vs. the bottom:



And on password changes, the confirmation will quickly tell you whether you succeeded or not:




All API admin activities are logged in the event audit traces.




In closing, MFA is the method we all should be using to secure access via SSH, web GUI, IPsec dial-up and SSL VPN. OneLogin can secure all aspects of firewall access. You can read more in one of my earlier posts:


I've been securing FortiGates and FortiMail with MFA authentication for over 6 years now. These same configurations apply to other vendor products (JNPR, PANW etc...).





