Posts filed under Security

Rsync And Encrypted Containers

My 'little' off-site Raspberry Pi backup/remote storage project will probably use a combination of Bittorrent Sync and rsync. The latter will be used to backup personal information, but I want that data to be absolutely secure. So I want to use encryption. Preferably by using container that I can mount (e.g. Truecrypt or the Apple OSX encrypted disk images).

The problem with containers is that many backup solutions tend to backup / transfer the entire container when a change occurred. Thankfully, rsync only copies the changes.

Posted on June 20, 2015 and filed under Raspberry Pi, Security, Software, Tips'n Tricks.

Create An 802.1x Evil Access Point

The last couple of weeks, I've been playing with Kali Linux to explore exploits on networks (wireless and switched networks). One of the exploits I'd liked to explore was that of an 'Evil Access Point' which can be done with Kali Linux and a suitable wireless LAN adapter.

An Evil Access Point creates an wireless network SSID to lure unsuspecting users/computers in to connecting to it. This network is pretending to use 802.1x for security (which is mainly used in corporate network environments), and those networks require typically a username and password (or certificate) to connect.

When the user/computer tries to connect, it (the evil AP) collects the user-name and a hash of the password. The password can be recovered by using dictionary files, rainbow tables, or by using brute-force. After the password has been found it can be used with the captured user-name to connect to the corporate network.

Posted on April 12, 2015 and filed under Security, Tips'n Tricks.

Apple OSX Server Firewall

My Apple OSX server (Mountain Lion) at home is the centre of my network and entertainment system. It provides provides the following services:

Since several (soft-, and hardware) upgrades and redesigns of my internal network (from a single VLAN to a multi-VLAN with firewall services and traffic inspection) several services failed under certain circumstances. E.g. Air-Video would work internally where the client was in the same network as the OSX server network interface. But trying to connect through the SSL VPN stopped working for some reason. Also, the VNC Viewer did work in the old days, but stopped working over time. Same for several static NAT entries; worked before, and stopped working without 'no reason'. Other services like ssh did work in the old and new network design....

Posted on September 3, 2014 and filed under Annoying, Apple, Security.

Juniper Unified Access Control With Junos Pulse

This blog post hold the key ingredients for successfully authenticating on layer 2 (802.1x or dot1x) and layer 3 with:

General Information

The setup consists of four networks (VLAN's) and Internet access. Inter-VLAN communication is handled by a Juniper SRX210. The four VLAN's are:

  • Untrust (VLAN 20)
    The Internet
  • Trust (VLAN 10 - 192.168.1.0/24)
    This VLAN hosts the UAC, Active Directory, DNS and DHCP services
  • Production (VLAN 100 - 192.168.100.0/24)
    Network where the normal workstations are placed
  • Quarantine (VLAN 200 - 192.168.200.0/24)
    This is where the naughty people/PC's are dropped

When a PC is placed in Quarantine, it looses all access to the Internet, but can still resolve domain names, access minimal internal services like the DHCP server and the UAC.

The components on the network are:

  • Domain Controller + DNS Server - 192.168.1.10
  • DHCP Server - 192.168.1.1
  • UAC - 192.168.1.11
  • Gateway(s) - .254
Posted on August 5, 2014 and filed under Security, Tips'n Tricks.

Juniper SRX210 Sudden Back-To-Factory Defaults

Earlier this week I configured an Juniper SRX210 for testing. The configuration consisted of several security zones, IDP, UAC (layer3 enforcement) and Application Firewall and Identification. The Junos version I used was JUNOS 12.1X46-D15.3.

This setup worked until today. Today, the SRX was unresponsive. No ICMP reply, no SSH access, nothing. Accessing the SRX via the serial console showed me the Amnesiac login. This means that the configuration is gone. At least the configuration I created was reset to the factory defaults config. A typical WTF!!! moment.

Fortunately, I had configured logging to an external source (Splunk). So I went to investigate. Turned out that the SRX stopped sending syslog messages around 01:30PM. Further investigation showed that the config was actually reset (UI_FACTORY_OPERATION event), and checking the event-codes, it was (probably) done by pressing the reset button on the device.

(the following logging should be read bottom-top)

May 28 13:28:30 10.0.0.1 1 2014-05-28T13:28:30.808+02:00 srx210 mgd 6211 UI_COMMIT_PROGRESS [junos@2636.1.1.1.2.36 message="finished copying juniper.db to juniper.data+"]
May 28 13:28:30 10.0.0.1 1 2014-05-28T13:28:30.369+02:00 srx210 mgd 6211 UI_COMMIT_PROGRESS [junos@2636.1.1.1.2.36 message="copying juniper.db to juniper.data+"]
May 28 13:28:30 10.0.0.1 1 2014-05-28T13:28:30.369+02:00 srx210 mgd 6211 UI_COMMIT_PROGRESS [junos@2636.1.1.1.2.36 message="finished loading commit script changes"]
May 28 13:28:30 10.0.0.1 1 2014-05-28T13:28:30.368+02:00 srx210 mgd 6211 UI_COMMIT_PROGRESS [junos@2636.1.1.1.2.36 message="no transient commit script changes"]
May 28 13:28:30 10.0.0.1 1 2014-05-28T13:28:30.368+02:00 srx210 mgd 6211 UI_COMMIT_PROGRESS [junos@2636.1.1.1.2.36 message="no commit script changes"]
May 28 13:28:30 10.0.0.1 1 2014-05-28T13:28:30.367+02:00 srx210 mgd 6211 UI_COMMIT_PROGRESS [junos@2636.1.1.1.2.36 message="start loading commit script changes"]
May 28 13:28:30 10.0.0.1 1 2014-05-28T13:28:30.133+02:00 srx210 rmopd 1350 PING_TEST_COMPLETED [junos@2636.1.1.1.2.36 test-owner="XS4ALL" test-name="testsvr"]
May 28 13:28:30 10.0.0.1 1 2014-05-28T13:28:30.355+02:00 srx210 mgd 6211 - - auto-snapshot is not configured
May 28 13:28:28 10.0.0.1 1 2014-05-28T13:28:28.814+02:00 srx210 mgd 6211 UI_LOAD_JUNOS_DEFAULT_FILE_EVENT [junos@2636.1.1.1.2.36 pathname="/etc/config//srx210h-defaults.conf"]
May 28 13:28:27 10.0.0.1 1 2014-05-28T13:28:27.823+02:00 srx210 mgd 6211 UI_LOAD_JUNOS_DEFAULT_FILE_EVENT [junos@2636.1.1.1.2.36 pathname="/etc/config//jsrxsme-series-defaults.conf"]  
May 28 13:28:27 10.0.0.1 1 2014-05-28T13:28:27.217+02:00 srx210 mgd 6211 UI_LOAD_JUNOS_DEFAULT_FILE_EVENT [junos@2636.1.1.1.2.36 pathname="/etc/config//junos-defaults.conf"]   
May 28 13:28:26 10.0.0.1 1 2014-05-28T13:28:26.808+02:00 srx210 mgd 6211 - - WARNING: activating factory configuration
May 28 13:28:25 10.0.0.1 1 2014-05-28T13:28:25.378+02:00 srx210 mgd 6211 - - WARNING: removing all configurations
May 28 13:28:25 10.0.0.1 1 2014-05-28T13:28:25.232+02:00 srx210 mgd 6211 UI_FACTORY_OPERATION -
May 28 13:28:25 10.0.0.1 1 2014-05-28T13:27:35.000+02:00 srx210 rmopd 1350 PING_TEST_COMPLETED [junos@2636.1.1.1.2.36 test-owner="XS4ALL" test-name="testsvr"]
May 28 13:27:19 10.0.0.1 1 2014-05-28T13:26:39.941+02:00 srx210 - - - - last message repeated 11 times
May 28 13:17:19 10.0.0.1 1 2014-05-28T13:16:34.309+02:00 srx210 - - - - last message repeated 11 times
May 28 13:07:19 10.0.0.1 1 2014-05-28T13:06:28.346+02:00 srx210 rmopd 1350 PING_TEST_COMPLETED [junos@2636.1.1.1.2.36 test-owner="XS4ALL" test-name="testsvr"]
May 28 13:05:33 10.0.0.1 1 2014-05-28T13:05:33.297+02:00 srx210 rmopd 1350 PING_TEST_COMPLETED [junos@2636.1.1.1.2.36 test-owner="XS4ALL" test-name="testsvr"]
May 28 13:04:38 10.0.0.1 1 2014-05-28T13:04:38.248+02:00 srx210 rmopd 1350 PING_TEST_COMPLETED [junos@2636.1.1.1.2.36 test-owner="XS4ALL" test-name="testsvr"]
May 28 13:04:19 10.0.0.1 1 2014-05-28T13:04:19.548+02:00 srx210 utmd 1380 AV_PATTERN_UPDATED [junos@2636.1.1.1.2.36 version="05/28/2014 12:36 GMT, virus records: 522178" file-size="18635751"]
May 28 13:03:42 10.0.0.1 1 2014-05-28T13:03:42.934+02:00 srx210 rmopd 1350 PING_TEST_COMPLETED [junos@2636.1.1.1.2.36 test-owner="XS4ALL" test-name="testsvr"]

This is strange, since there was no one around at the time. So it must have been some sort of bug that caused this.

Thankfully I had a backup of the config, so the device was up and running again within 10 minutes. So now I have to keep an out out for this. Especially the next couple of days.

UPDATE: There's is definitely something wrong with the hardware. I tried different Junos versions (also stable recommended versions), and different configs, but for some reason the device detect a 'Config button pressed' event and goes back to the default factory config. This happens within 12 hours.

The device keeps going back to the factory default config. Today I changed the behavior of the reset button. The reset button doesn't react to physical interactions when adding the following line to the config:

root@srx210# set chassis config-button no-clear no-rescue

Let's see if that helps. If it does, it means that the hardware reset button (mechanism) is malfunctioning.

UPDATE 2: looks like the config button config did the trick (so far). The device is still up-and-running for nearly 24 hours. -keepingfingerscrossed-

UPDATE 3: and we have a winner. The SRX210 is still operational. Just need to remember to add the command when I reconfigure it. Perhaps a sticker on top as a visual reminder :-)

Posted on May 28, 2014 and filed under Annoying, Junos, Security.

Domain User Membership check via LDAP

When you are using LDAP to determine Windows Active Directory group membership, and the group you are aiming for is the Domain Users group, than you're in for a surprise. It turns out that the LDAP interface doesn't have the Domain Users group listed for a user. It's missing the memberOf attribute for Domain Users. Just compare the following screenshots. The first screenshot shows the Active Directory user interface for the user Administrator, and the second shows the LDAP equivalent of that same user.

Active Directory group memberships

LDAP group memberships

The LDAP output doesn't show a 'memberOf: CN=Domain Users, CN=Users, DC=testdomain, DC=local' attribute.

The reason is that Active Directory has a so-called Primary Group attribute, and this is by default the Domain Users group. With that piece of information you might see a LDAP attribute called 'primaryGroupID' with a number. That number represents the Domain Users group.

So if you need to check for Domain User membership with LDAP, you should check the value of the primaryGroupID attribute. This value is (for as far as I know) always the same (513).

So if you're using Certificate based authentication on a Juniper Pulse Access Gateway or Pulse Access Control Service, and you need to check Windows Domain User group membership the primaryGroupID is the way to go.

B.t.w., if you're looking for a good cross-platform LDAP browser, I can recommend the Apache Directory Studio. It's intuitive, has a good interface and just works (oh... and it's free).

No EAP Protocol Was Agreed On

Having the opportunity to experiment with some Juniper security products at home has its (dis)advantages. Juniper offers a (limited) virtual appliance version for both the Unified Access Control appliance (aka the Infranet Controller or Pulse Access Control Gateway), and the SSL VPN solution (aka Secure Access or Pulse Secure Access Gateway).

The limited parts are:

  • SSL is limited to 3 concurrent users
  • UAC is limited to 5 concurrent users
  • You cannot add additional licenses
  • The UAC has no IF-MAP server capabilities, since that requires at least a 50 user license (and you cannot add additionel licenses).
Max. 3 concurrent SSL VPN users

Max. 3 concurrent SSL VPN users

Max. 5 concurrent UAC users

Max. 5 concurrent UAC users

So yes, it's crippled, but still very nice to play with in a lab or home/study environment.

Anyway, I have both the UAC and the SSL VPN running at home. Both running in  VMWare Fusion on a MAC OSX server (Mac Mini).

A couple of months ago, Juniper released a new major version for the software (v5 for the UAC, and v8 for the SSL VPN), so I wanted to upgrade the VM's to the latstes software (also because of the Heartbleed bug in OpenSSL). This was no problem for the SSL VPN. The upgrade went smooth. However, the UAC was a different story. For some reason, the upgrade package was corrupt or invalid (even though it could be used to do a clean install), so upgrading was out of the question.

So I tried to do a clean install and see if I could import the old config of the existing UAC (v4.4) in the new version 5. Something that didn't work in the older versions of both the SSL VPN and UAC. Importing a software version meant that you needed the correct software version on the device first.

Anyway, importing the system config seemed to work, because all visible settings were correct. The XML import (other configuration settings regarding authentication servers, realms, user roles, etc.) also imported correctly (or so it seemed).
I compared the two configs side by side, and everything checked out. That was until I tried to authenticate on a switch with 802.1x. That didn't work as it should.

The logging of the UAC showed numerous 'No EAP Protocol Was Agreed On' errors. This was weird, because everything worked correctly on the older version.
Since the EAP protocol relies (for a part) on the SSL certificate on the device, I swapped that one for a new certificate from my personal PKI service.

After having checked, and double checked everything (I even tried authenticating against the older UAC version... which still worked), I decided to do a clean install (back to factory settings), and reconfigure the entire UAC by hand instead of the import.

Guess what, everything worked great after I had copied everything by hand.

So I guess that the import of a XML file belonging to a earlier software version still doesn't work. Only difference is that in the old days I got a warning/error.

So if you're getting the 'No EAP Protocol Was Agreed On' error in your events logging, and you did a recent upgrade, you might want to try a fresh install and configure things by hand.

I have no idea if this is applicable to the 'normal' hardware appliances with the software.

Posted on April 13, 2014 and filed under Security, Software, Tips'n Tricks.

Use Cisco ISE for RADIUS Authentication with Juniper Junos Devices

While preparing for some Juniper exams, I wanted to test RADIUS authentication for Junos device access. This way of authenticating is helpful in larger networks. Instead of providing all the devices with several usernames and passwords you can use a centralized RADIUS server for authenticating on all those devices. If that RADIUS server uses the Active Directory as a user database you can login on your network devices using your regular username and password.

The RADIUS server of choice (at the moment of writing this) is Cisco Identity Service Engine (ISE). Overkill for this specific blog post, but fun to do.

Posted on January 22, 2014 and filed under Junos, Security, Tips'n Tricks.

Expired SSL Certificates

When I'm doing my thing on customer projects, and there's some SSL stuff involved, I always keep reminding them to make sure that they renew their certificates in time. Why, because they almost always forget it the renew them in time, and after the expire stuff stops working, and they call us.

Guess what? My certificates expired this evening, so I got numerous warnings and errors in several applications that use those SSL certificates. Thankfully I run my own CA (XCA), and I documented where I use them, and how to replace them, so I was back in business in 10 minutes.

Lesson(s) learned: make a notification in my calendar to replace them ahead of time.

Posted on January 5, 2014 and filed under Security, Tips'n Tricks.