Category: Security


This article is part of a series containing some of the notes I took during several sessions at the Palo Alto Networks Ignite conference in Las Vegas.

IPv6 Security Notes

- Ensure that the IPv6 Firewalling option is enabled under Device > Settings; otherwise the Palo Alto will simply route IPv6 traffic without applying any security policy to it. From PAN-OS 5 onwards this option is enabled by default.

- When writing IPv6 security policies for ICMP traffic, use the ipv6-icmp application object. Contrast this with IPv4 traffic, which uses the icmp and ping application objects; an IPv4 icmp rule does not match ICMPv6, which is a different protocol (IPv6 next header 58, not IP protocol 1).

- ICMP plays a much more important role in IPv6 than it did in IPv4, so do not block ICMPv6 wholesale. Doing so will definitely break Path MTU Discovery (which relies on Packet Too Big messages) and may break Neighbor Discovery and other features too. Allow the error and echo types and restrict the rest selectively.

Checklist when buying or migrating to IPv6 capable equipment

- Ensure routers and switches are IPv6 capable. Unless they are very old, they tend to be feature rich and generally only a software upgrade is needed to obtain IPv6 support.

- IPv6 management capability

- IPv6 High Availability features

- IPv6 application and user based policies

- Reporting and visibility into IPv6 traffic

- IPv6 SSL decryption

- Holistic IPv6 threat prevention

- Check for IPv6 Ready (Logo) certification:

This certification tests conformance for several IPv6 features, such as:

  • Correct header processing
  • Extension header processing
  • Fragmentation behavior
  • Neighbor discovery and auto configuration
  • Router redirects
  • ICMPv6 behavior

- Note, however, that these are conformance tests only and do not cover any security considerations.

Illustration of IPv6 security issues

- Tunneling and other transitional mechanisms can circumvent IPv4 based security policies

- Example: SLAAC (stateless address autoconfiguration) attack, in which an attacker on the local segment sends rogue Router Advertisements so that hosts autoconfigure an IPv6 address from the attacker's prefix and send their traffic via the attacker's machine.

The attack described above is easy to carry out and usually succeeds because:

- IPv6 is now enabled and preferred by default on modern operating systems, so no host configuration is needed for the rogue advertisement to take effect.

- IPv6-in-IPv4 tunneling (6to4, Teredo and similar transition mechanisms) can give an attacker an easy path out to the internet that bypasses IPv4-only security policy.

- Since World IPv6 Day, more and more sites are switching on IPv6, meaning most PCs prefer IPv6 when reaching dual-stacked sites such as Facebook and Google.
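The two points above (that ICMPv6 is a separate protocol which must not be blocked wholesale, and that a SLAAC attack works by rogue Router Advertisements on the local segment) can be made concrete. The following is an added example written for this page, not code from the original notes or from Palo Alto Networks. It parses constructed IPv6 packets, applies a transit allow-list for ICMPv6 in the spirit of RFC 4890 (error messages and echo pass, Neighbor Discovery is dropped because it is link-local only), and performs an RA-guard style check that flags an RA from an untrusted router, with a non-255 hop limit, or announcing a prefix the segment should not use. Addresses, prefixes, packet bytes and helper names are all constructed for illustration.

```python
"""ICMPv6 transit policy and rogue Router Advertisement (SLAAC attack) check.

Added example for this page; not code from the original notes or any vendor.
All packets below are constructed by hand for illustration, not captured.
"""
import ipaddress
import struct

NH_ICMPV6 = 58   # IPv6 next header for ICMPv6 (IPv4 'icmp' is protocol 1, so IPv4 rules never match)
RA_TYPE = 134    # ICMPv6 Router Advertisement
PIO_OPT = 3      # Prefix Information option carried inside an RA

# ICMPv6 types a transit firewall must pass (RFC 4890, section 4.3.1): the error
# messages Path MTU Discovery and diagnostics depend on, plus echo request/reply.
TRANSIT_ALLOW = {1, 2, 3, 4, 128, 129}
# Neighbor Discovery (RS/RA/NS/NA/Redirect) is link-local only and never routed,
# so a transit policy drops it; it is policed on the segment (e.g. by RA guard).
ND_TYPES = {133, 134, 135, 136, 137}


def parse_ipv6(pkt):
    """Parse the fixed 40-byte IPv6 header; add ICMPv6 type/code when present."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    hdr = {
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
    }
    # Assumption for brevity: no extension headers sit between the IPv6 header and ICMPv6.
    if next_hdr == NH_ICMPV6 and len(pkt) >= 44:
        hdr["icmp_type"], hdr["icmp_code"] = pkt[40], pkt[41]
    return hdr


def transit_verdict(pkt):
    """Decide whether a transit firewall should pass an ICMPv6 packet. Returns (verdict, reason)."""
    h = parse_ipv6(pkt)
    if h["next_header"] != NH_ICMPV6:
        return "drop", "not ICMPv6 (outside this policy)"
    t = h["icmp_type"]
    if t in ND_TYPES:
        return "drop", "ICMPv6 type %d is Neighbor Discovery, link-local only" % t
    if t in TRANSIT_ALLOW:
        return "allow", "ICMPv6 type %d is needed for PMTUD/diagnostics" % t
    return "drop", "ICMPv6 type %d not on the transit allow-list" % t


def ra_prefixes(pkt):
    """Return (header, [IPv6Network, ...]) for the prefixes announced in an RA."""
    h = parse_ipv6(pkt)
    if h.get("icmp_type") != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    prefixes = []
    off = 40 + 16                                   # ICMPv6 header (4) + RA fixed fields (12)
    while off + 2 <= len(pkt):
        opt_type, opt_len = pkt[off], pkt[off + 1]  # option length is in units of 8 bytes
        if opt_len == 0:
            raise ValueError("malformed RA option (zero length)")
        if opt_type == PIO_OPT and opt_len == 4:
            plen = pkt[off + 2]
            prefix = ipaddress.IPv6Address(pkt[off + 16:off + 32])
            prefixes.append(ipaddress.IPv6Network((prefix, plen)))
        off += opt_len * 8
    return h, prefixes


def rogue_ra(pkt, trusted_routers, expected_prefixes):
    """RA-guard style check: list the reasons an RA looks rogue (empty list = legitimate).
    trusted_routers: link-local addresses (strings); expected_prefixes: 'prefix/len' strings."""
    trusted = {ipaddress.IPv6Address(a) for a in trusted_routers}
    expected = {ipaddress.IPv6Network(p) for p in expected_prefixes}
    h, prefixes = ra_prefixes(pkt)
    reasons = []
    if h["hop_limit"] != 255:
        reasons.append("hop limit is not 255, so the RA did not originate on this link")
    if h["src"] not in trusted:
        reasons.append("RA sent by untrusted router %s" % h["src"])
    for p in prefixes:
        if p not in expected:
            reasons.append("RA announces unexpected prefix %s" % p)
    return reasons


def build_icmpv6(src, dst, icmp_type, body=b"", hop_limit=255):
    """Constructed test packet; the ICMPv6 checksum is left zero because only headers are parsed."""
    icmp = bytes([icmp_type, 0, 0, 0]) + body
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), NH_ICMPV6, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + icmp


def build_ra(router_lladdr, prefix, plen=64, hop_limit=255):
    """Constructed RA: fixed fields then one Prefix Information option (L and A flags set)."""
    fixed = struct.pack("!BBHII", 64, 0, 1800, 0, 0)   # cur hop limit, flags, router lifetime, reachable, retrans
    pio = struct.pack("!BBBBIII", PIO_OPT, 4, plen, 0xC0, 2592000, 604800, 0)
    pio += ipaddress.IPv6Address(prefix).packed
    return build_icmpv6(router_lladdr, "ff02::1", RA_TYPE, fixed + pio, hop_limit)


if __name__ == "__main__":
    print(transit_verdict(build_icmpv6("2001:db8::1", "2001:db8:1::1", 2)))    # Packet Too Big: allow
    print(transit_verdict(build_icmpv6("2001:db8::1", "2001:db8:1::1", 135)))  # Neighbor Solicitation: drop
    print(rogue_ra(build_ra("fe80::1", "2001:db8:10::"), {"fe80::1"}, {"2001:db8:10::/64"}))      # []
    print(rogue_ra(build_ra("fe80::bad", "2001:db8:666::"), {"fe80::1"}, {"2001:db8:10::/64"}))   # 2 reasons
```

The transit function is the policy a firewall in the path should enforce; the RA check is what a switch with RA guard (or a host-based monitor on the segment) does, since a transit firewall never sees link-local Router Advertisements at all.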

 

Mitigation of IPv6 attacks

- Use a static IPv6 host configuration

- Disable IPv6

- Positive enforcement: use policy to shut down tunneling and other known mechanisms that are unneeded and can be used for nefarious purposes

IPv6 PAN-OS notes

Updated support for:

- USER ID

- SLAAC

- NAT64 (transition mechanism: translates between IPv6 clients and IPv4 servers)

Caveats:

- OSPFv3 support still lacking

- MP-BGP support still lacking


Scenario: We needed an in-line, transparent traffic shaping solution. The solution we chose was pfSense due to its easy-to-use UI and effective QoS. The pfSense had to be placed in bridge mode, on a link carrying 802.1Q tagged traffic. It was important that the pfSense did not touch the VLAN tagging; it was only to rate-limit the traffic.

The first step was to bridge the two interfaces. Since filtering was not needed, we first created firewall rules allowing all traffic to pass through the pfSense. We then bridged the interfaces via Interfaces > (assign) > Bridges, creating a bridge interface containing the two interfaces in question. No further configuration was needed: pfSense passed the frames through untouched, so the L2 802.1Q VLAN tags were preserved across the bridge.

An IP address was configured on one of the interfaces for management. Two points about configuring an IP address on the pfSense:

  • It doesn't matter which interface you configure the IP on, since the interfaces are bridged
  • If you configure it on a physical pfSense interface (rather than a VLAN sub-interface), the IP must be in the native (untagged) VLAN

We next went on to define queues for the various traffic classes we needed. We decided not to use the wizard since that would introduce several features we didn't need. The below is done via Firewall > Traffic Shaper.

  • Enable QoS on each interface by clicking on the interface on the left hand side and ticking "Enable/disable discipline and its children"
  • Decide which scheduler type to use. We chose HFSC; this is the scheduler used by several industry firewalls such as Palo Alto.
  • Define the bandwidth available to the interface. In this case, since the firewall was placed internally on a gigabit network, we set the bandwidth to 2Gb/s
  • Proceed to define child queues using the "Add new queue" button. How you arrange the queues (i.e. parent-child relationships) is highly dependent on what you want to achieve. In our case a single "layer" of queues was sufficient. We needed a queue for each customer and an "internal" queue which takes care of internal traffic, i.e. traffic not flowing out to the internet, which should not be rate limited. A couple of points about these queues:
      • You need at least one default queue per interface. This will act as a catchall. A default queue is defined as any other queue, with the difference of selecting the “default queue” option in “scheduler options”

      • It’s always a good idea to enable random early detection in your queues in case they get over-subscribed
      • When dealing with high-bandwidth environments such as the one presented here (internal traffic on a gigabit network) you need to increase the queue limit (this option can be changed per queue). We found a value of 2000 to be sufficient. If left as per default, your queues will not provide the maximum bandwidth you configure for them

      • The most effective QoS is applied to egress traffic. To visualise this, imagine you are the firewall: egress traffic on your WAN interface is what we generally call "uploading" to the internet, while egress traffic on the LAN interface is generally called "downloading" from the internet. Keep this in mind when defining queues. If you need the same queue on two interfaces (symmetric traffic shaping), simply add a new queue to the second interface and name it exactly as you did on the first; a packet classified into a queue on the way in is then shaped by the queue of the same name on whichever interface it leaves.

  • Last, apply the queues you just defined. In our case, since we had symmetric traffic shaping, we wanted the queues to apply in all directions, whether egressing from one interface or the other, so we defined floating rules via Firewall > Rules > Floating tab.

The rules let you classify traffic just as any other firewall rule does, so you can match by subnet, IP, service, protocol, etc. Simply define the rule and, under the Advanced section, make sure to select the correct queue in the second field (the first field is used for ingress QoS, which we didn't use).
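The same shaper expressed as pf rules, as an added example written for this page rather than the configuration from the original post (the interface names em0/em1, the customer subnet 192.0.2.0/24, the internal range 10.0.0.0/8 and the caps are assumptions). It collects the points above in one place: a default queue per interface, RED and a raised queue limit on every queue, identical queue names on both bridge members, and floating-style rules that classify by subnet.

```conf
# Added example: pf.conf form of the pfSense shaper described above. Interface names,
# subnets and caps are assumptions, not the original post's configuration.
# One HFSC discipline per bridge member, with the same queue set on both for symmetric shaping.
altq on em0 hfsc bandwidth 2Gb queue { qDefault, qCustomerA, qInternal }
altq on em1 hfsc bandwidth 2Gb queue { qDefault, qCustomerA, qInternal }

# qlimit raised from the pf default of 50 packets so the queues can reach their configured
# rate on a gigabit link; 'red' drops early instead of tail-dropping when oversubscribed.
queue qDefault   on em0 bandwidth 5%   qlimit 2000 hfsc(default red)          # catch-all, one per interface
queue qCustomerA on em0 bandwidth 50Mb qlimit 2000 hfsc(upperlimit 50Mb red)  # hard cap for this customer
queue qInternal  on em0 bandwidth 50%  qlimit 2000 hfsc(red)                  # internal traffic, no cap
queue qDefault   on em1 bandwidth 5%   qlimit 2000 hfsc(default red)
queue qCustomerA on em1 bandwidth 50Mb qlimit 2000 hfsc(upperlimit 50Mb red)
queue qInternal  on em1 bandwidth 50%  qlimit 2000 hfsc(red)

# Floating-style rules (no interface, no direction): the queue is chosen when the rule
# matches and applied on the egress interface, which is why the names must match on both sides.
pass quick from 10.0.0.0/8 to 10.0.0.0/8 queue qInternal
pass quick from 192.0.2.0/24 to any queue qCustomerA
pass quick from any to 192.0.2.0/24 queue qCustomerA
pass quick all queue qDefault
```

The child bandwidths must add up to no more than the parent's 2Gb/s, and HFSC only enforces a hard ceiling where upperlimit is given; a queue with only a bandwidth (link-share) value can borrow idle capacity, which is exactly what the internal queue should do.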

The nice thing is that pfSense doesn't limit the maximum number of queues you can define; much better than some commercial solutions out there! ;)

This document provides a short description of the most widely used Clavister console commands, from experience. Note: for more information about any of the commands listed below, type help [command]. The commands below apply to Clavister CorePlus v8.9.x.

  1. pcapdump

This command starts the packet capture mechanism on the Clavister. It supports filtering using Wireshark-like expressions (e.g. source and destination IP) as well as filtering by interface and so on. It is especially useful when troubleshooting connectivity issues, such as suspected ACL or site-to-site VPN problems.

  2. ha

This command only applies in high-availability environments. Simply typing "ha" returns the HA status of the current unit (active/passive), whether the peer unit is reachable, and how long this unit has been active (if it is).

Another two forms of the command:

ha activate

ha deactivate

allow you to handover “master” (active) control to the peer, or vice versa.

  3. ipsectunnels and ipsecstats

These two commands allow you to check whether a particular vpn tunnel is up or not. The former command is a generic one, giving a quick overview of the current VPN tunnels. The latter command shows slightly more detail, and also allows filtering by remote peer IP.

  4. killsa

This command kills all IPsec security associations with a particular remote peer IP. It comes in handy when a tunnel desynchronisation occurs, that is, when the tunnel does not use keepalives (for example due to incompatibilities between vendors) and one side considers the tunnel up while the other side considers it down. To start the negotiation over, use "killsa".

  5. ikesnoop

This command is immensely useful when troubleshooting IPsec VPN negotiation issues. It is very similar to "debug ike" / "debug ipsec" on Cisco units, but presents the information in a more user-friendly format.

It helps highlight mistakes in the VPN configuration such as proposal mismatches, PSK problems, and so on.

To keep this blog post relevant: there have been some improvements since that post was written. Squid v3.2 was released earlier this year, making SSL interception more seamless and easier. The new HTTPS interception features can be found by reading the http_port documentation:


http://www.squid-cache.org/Versions/v3/3.2/cfgman/http_port.html

More specifically:

1. The “transparent” keyword has been changed to “intercept“:

           intercept    Rename of old 'transparent' option to indicate proper functionality.

INTERCEPT is now better described as:

intercept	Support for IP-Layer interception of
			outgoing requests without browser settings.
			NP: disables authentication and IPv6 on the port.

2. To avoid further certificate errors when intercepting HTTPS sites, Squid can now generate SSL certificates dynamically with generate-host-certificates. The CN of the generated certificate then matches that of the origin server, but the certificate is still signed with Squid's own CA key (the cert and key given on the port), so clients will only accept it without warnings if that CA is installed in their trust store:

SSL Bump Mode Options:
	    In addition to these options ssl-bump requires TLS/SSL options.

	   generate-host-certificates[=<on|off>]
			Dynamically create SSL server certificates for the
			destination hosts of bumped CONNECT requests.When 
			enabled, the cert and key options are used to sign
			generated certificates. Otherwise generated
			certificate will be selfsigned.
			If there is a CA certificate lifetime of the generated 
			certificate equals lifetime of the CA certificate. If
			generated certificate is selfsigned lifetime is three 
			years.
			This option is enabled by default when ssl-bump is used.
			See the ssl-bump option above for more information.

Looks like the above is an offshoot of the excellent work here: 
http://wiki.squid-cache.org/Features/DynamicSslCert

Make sure to use the above two features for smoother HTTPS interception – though remember, always warn users that SSL traffic is being decrypted, privacy is a highly-valued right…
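Putting the two options together, as an added example written for this page (not configuration from the original post; the port numbers, file paths and CA name are assumptions):

```conf
# Added example for Squid 3.2: the renamed 'intercept' mode combined with dynamic
# certificate generation. Ports, paths and the CA name are assumptions; the CA in
# cert=/key= must be imported into the clients' trust stores or every site will warn.

# Intercepted plain HTTP (port 80 redirected here). Per the http_port manual, intercept
# disables authentication and IPv6 on this port.
http_port 3128 intercept

# Intercepted HTTPS (port 443 redirected here). Squid terminates TLS with a certificate
# minted on the fly and signed by the CA below, cached in memory up to 4MB.
https_port 3129 intercept ssl-bump generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl_cert/myCA.pem key=/etc/squid/ssl_cert/myCA.key

# Which connections to bump. 'allow all' decrypts everything; narrow this with ACLs
# once the setup works, and tell users their traffic is being decrypted.
ssl_bump allow all

# Certificate generator helper shipped with 3.2 (ssl_crtd) and its on-disk cache,
# created beforehand with: ssl_crtd -c -s /var/lib/ssl_db
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5
```

Note the wording of the manual excerpt above: the generated certificates are for bumped CONNECT requests, which only exist when browsers are explicitly configured to use the proxy. An intercepting port never sees a CONNECT, which is why intercepted port-443 traffic needs its own https_port carrying both intercept and ssl-bump rather than the intercepting http_port.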

Finally finished the CCNP Security certification.

You can find my mind-map for CCNP Security 642-627 (Deploying Cisco IPS Solutions) here.

You may download the image (File > Download, or simply press “ctrl + s”). In case the image refuses to open or is marked as corrupted, change the extension from .jpg to .png

Enjoy! :)
