Stuff I'm Up To

Technical Ramblings

Fail2ban – Quick Reference — July 20, 2017
Juniper HA Woes — July 6, 2017

Juniper HA Woes

I spent quite some time messing around with a pair of Juniper SRX320’s trying to get the HA clustering setup. The documentation seems pretty straight forward, but I kept tripping over one fatal flaw.

Initially I configured HA using the J-Web interface and it configured successfully. I made some changes, set things up to test and then decided I didn’t like the direction I was taking and wanted to factory reset the devices.

The reset seemed pretty straight forward but then everything went wrong when I tried to follow the Command Line instructions for setting up an Active/Passive configuration. Every time I put the two systems into cluster mode and set the cluster ID and node the secondary node (node 1) always showed as lost and disabled.

Continue reading

Broken ARP — April 26, 2017

Broken ARP

Not a fun morning. We spent an hour or two trying to figure out why our GUEST networks was unable to route any packets to the Internet.

For many a GUEST network may be a trivial network, but for us we also us GUEST for unauthenticated devices to access our Virtual Desktop System – primarily including devices that are re-purposed laptops/desktops that no longer require a full Windows PC for domain access and just provide a VMware Horizon Client. So we had a large number of users unable to connect to the back office systems.

The strange thing here was that all other network traffic from the trusted networks worked as expected.

Continue reading

Sophos UTM HA —

Sophos UTM HA

We encountered a few problems with licensing when we looked at moving from the UTM525’s to UTM430’s so we had to delay the project until yesterday. On the one hand it gave us plenty of time to plan for the eventualities like Martians and be confident that the configuration restore testing worked whilst testing.

The one thing we didn’t expect was problem getting the two UTM430’s to configure themselves using High Availability (HA).

Continue reading

Preventing Martians — April 4, 2017

Preventing Martians

In the process of changing firewalls and routers around we encountered the Juniper detecting what it suspected were malicious MAC address changes that no longer match the IP address it last used. Which is understandable as we’re giving the same IP address to new hardware.

This MAC mismatch error triggers some Martian alerts, which results in the IP addresses for the new devices becoming unroutable. To try and prevent this we should try clearing down the IP ARP cache tables for various devices.

Juniper (ScreenOS)

-> clear arp [192.168.0.254]

or

-> clear arp all

Extreme Switches (XOS)

# clear iparp [192.168.0.254]

or

# clear iparp vlan [TRUST]

Martian addresses are host or network addresses about which all routing information is ignored. When received by the routing device, these routes are ignored. They commonly are sent by improperly configured systems on the network and have destination addresses that are obviously invalid.

CVE – Security Vunerability Datasource — March 18, 2017
STIG — March 17, 2017
Oracle Database Patches —
Setting the Killbit for an ActiveX Control — March 7, 2017

Setting the Killbit for an ActiveX Control

Adding a killbit for a control that Nessus says requires one.

https://support.microsoft.com/en-gb/help/240797/how-to-stop-an-activex-control-from-running-in-internet-explorer

In brief you need to find or create the classid in:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility

However, on one I found I first had to hunt the name in HKEY_CLASSES_ROOT\CLSID

eg. Nessus reported

  Class Identifier  : {D63891F1-E026-11D3-A6C3-005004055C6C}
  Filename          : C:\Program Files (x86)\xxxx\Runtime\NCSECW.DLL
  Installed version : 1.6.6.32

But when I search for NCSECW.DLL I got a different Class ID and that was what I needed to use to add a killbit for.

Kali and OpenVAS — March 4, 2017
Diving Deeper into Windows SSL — March 2, 2017

Diving Deeper into Windows SSL

This response to a question raised some interest and I found it very interesting. I then went to investigate the keys and values on my own machine. This can also be controlled using gpedit.msc, but found it interesting to see the current entries for myself.

HKLM\System\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002 Functions

While not “incorrect” Steven’s answer is incomplete.

The linked article is a very good description for how to enable and disable cipher suites like SSL 2.0 etc, but SH’s pen test comments posted are also concerned about the mode of operation of the ciphers used – specifically about removing the use of CBC (Cipher Block Chaining) and using Counter (CTR) or Galois Counter (GCM). This is not fully covered in that answer.

In order to direct how the transport security is negotiated in this more granular level, they will also need to look at the content and ordering of the Functions list. This controls the preferred order and what is acceptable when the transport security is negotiated between server/webserver and client/browser.

HKLM\System\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002  Functions

Removal of CBC modes of operation from the list would prevent their sucesful negociation, but removal of all CBC is likely to have negative impact. Adjusting this list must be done with great care as misconfiguration will prevent sucesful connections. Support for modern modes of block cipher operation such as e.g. AES-GCM are still not completely widespread (March 2016) in all clients/browsers and OS versions.

As with much of crypto, what might be appropriate for state top-secrets and what might be appropriate for information of very low confidentiality won’t always be the same. A balanced approach for information assurance is needed depending on the categorization of the specific information and not an approach like CBC is “bad” GCM is “good”.

S.H. should probably return to his/her pen testers to discuss whether their specific use of CBC modes may be acceptable for a while longer until GCM is better adopted, before testing any adjustements to the Functions list.

Tuesday, March 08, 2016 9:46 AM, Tom Hollinghurst

 

References: https://social.technet.microsoft.com/Forums/windowsserver/en-US/a51f9574-73b0-4808-ad5f-4db081d80e6f/disable-cbc-mode-cipher-encryption-and-enable-ctr-or-gcm-cipher-mode-encryption-disable-md5-and?forum=winserversecurity

OpenSSL Ciphers — March 1, 2017

OpenSSL Ciphers

OpenSSL is a very handy tool. Both on Linux and Windows. On both you can do all kinds of conversions and creations,  but equally of use you can view cipher details that are supported.

On Linux systems OpenSSL will look for /usr/local/ssl/openssl.cnf, or on some flavours /etc/ssl/openssl.cnf or even /usr/lib/ssl/openssl.cnf and on windows it will show a warning.

WARNING: can't open config file: /usr/local/ssl/openssl.cnf

Continue reading