Tuesday, July 25, 2017

FTNT CSB-170616-1 bye bye bye

If you missed this, the standalone vpn_client days are finished.


FTNT CSB-170616-1

This customer service bulletin is, very simply put, "use FortiClient and its VPN components".



KenFelix



NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \
 

Sunday, July 23, 2017

AWS subnet concerns

When laying out an AWS VPC you will need to select a CIDR block for that VPC.

It is critical that you ensure your VPC's subnets will not collide or overlap with any other VPC or with your local on-prem corporate networks.

Take this simple multi-region layout, with VPCs carved out on /20 boundaries.



These 3 containers (VPCs) are reachable back to Corp via Direct Connect links. Alternatively they could be IPsec VPN tunnels. Direct Connect would eliminate any IPsec configuration, MTU issues, and complexity.

At HQ these links could easily terminate at a security edge device or a gatekeeper that controls entry into AWS and the respective VPC.

Traffic between regions could be carried via the AWS backbone or an internet IPsec connection. Traffic could also travel to customer VPCs held in another AWS account.




Network layout and subnet allocations need to be carefully crafted and thought out. Bad design up front can lead to duplicated networks, complexity and/or poor network routing into or out of the AWS instances.

Key checkpoints:

  1. have a plan
  2. have an IP management solution like ipplan http://iptrack.sourceforge.net/ or similar
  3. try to ensure room for growth, both now and in the future
  4. maintain IPv4 address boundaries and contiguous networks from a routing standpoint
  5. be aware of the maximum number and sizes of CIDRs
  6. don't overlook any local on-prem networks and what might need access, locally or remotely
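An added example (not from the original post) of checkpoints 4 and 5 applied to a plan like the one above: it parses a constructed multi-region allocation, reports VPCs and on-prem ranges that overlap, rejects CIDRs not on their boundary, and flags VPC sizes outside AWS's /16 to /28 limit. Region names, account names and addresses are all made up for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan: one /20 VPC per region plus corporate on-prem space.
# Two entries are deliberately wrong so the audit has something to report.
PLAN = {
    "us-east-1/vpc-prod": "10.16.0.0/20",
    "us-west-2/vpc-prod": "10.16.16.0/20",
    "eu-west-1/vpc-prod": "10.16.32.0/20",
    "ap-south-1/vpc-lab": "10.32.0.0/15",           # larger than AWS allows
    "partner-account/vpc-shared": "10.16.40.0/21",  # overlaps eu-west-1
    "corp/hq-lan": "10.0.0.0/16",
    "corp/dc-lan": "10.16.16.0/22",                 # overlaps us-west-2
}

# AWS accepts an IPv4 VPC CIDR between /16 and /28.
VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28

def parse_plan(plan):
    """Strict parse: a CIDR with host bits set (e.g. 10.16.1.0/20) is an error."""
    nets, errors = {}, []
    for name, cidr in plan.items():
        try:
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            errors.append((name, str(exc)))
    return nets, errors

def find_overlaps(nets):
    """Every pair of allocations whose address space intersects."""
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))

def vpc_size_violations(nets):
    """VPC entries outside the /16../28 range (on-prem entries are exempt)."""
    return sorted(name for name, net in nets.items()
                  if "/vpc" in name and not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX)

def audit(plan):
    """Overlaps, size violations and parse errors for a planned layout."""
    nets, errors = parse_plan(plan)
    return {"parse_errors": errors,
            "overlaps": find_overlaps(nets),
            "size_violations": vpc_size_violations(nets)}

if __name__ == "__main__":
    for key, value in audit(PLAN).items():
        print(key, value)
```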


KenFelix




Saturday, July 22, 2017

CONTROL EXTERNAL ACCESS to an F5 VS with a data-group

HOWTO

Restrict access to a website by external source address, using an ltm data-group.



1st, craft a data-group and specify the network CIDR blocks. Each record must be a network address on its prefix boundary (6.1.0.0/17, not 6.1.9.0/17):

ltm data-group internal MYAPPROVEDNETS {
    records {
        6.1.0.0/17 { }
        195.3.0.0/20 { }
        1.1.1.1/32 { }
        10.17.1.0/24 { }
    }
    type ip
}


2nd, build a simple iRule that references the data-group for the client address.



ltm rule MYACCESSRULE {
    when CLIENT_ACCEPTED {
        # Drop the TCP connection unless the client address falls inside
        # one of the MYAPPROVEDNETS records.
        if { not ( [class match [IP::client_addr] equals MYAPPROVEDNETS] ) } {
            reject
        }
    }

    when HTTP_REQUEST {
        switch [HTTP::host] {
            "GHjdev.examples.com" {
                persist cookie insert "HjDEVWEBS01" "1d 00:00:00"
                pool pool.GHjdev.examples.com
            }
            "GHjdev-admin.examples.com" {
                persist cookie insert "HjDEVWEBS03" "1d 00:00:00"
                pool pool.GHjdev-admin.examples.com
            }
            "GHjtest-admin.examples.com" {
                persist cookie insert "HjDEVWEBS02" "1d 00:00:00"
                # Send this host straight to a single node (address and port).
                node 10.1.1.13 80
            }
            "dfdev.examples.com" {
                persist cookie insert "HjDEVWEBSx2" "1d 00:00:00"
                snatpool POOLSNAT01
                pool pool.dfdev.examples.com
            }
        }
    }
}


NOTE: with the above, the examples.com websites will only accept connections from the sources defined by the data-group.
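An added example (not from the original post) for checking a data-group before it goes live: it parses a tmsh "type ip" data-group block, reports records that are not on their CIDR boundary, and answers the same question the CLIENT_ACCEPTED branch asks, whether a given client address would be allowed or rejected. The data-group text and client addresses are constructed; one record is deliberately off its boundary.

```python
import ipaddress
import re

# Constructed copy of the post's data-group, with one record deliberately left
# off its /17 boundary so the boundary check has something to report.
DATA_GROUP_TEXT = """
ltm data-group internal MYAPPROVEDNETS {
    records {
        6.1.9.0/17 { }
        195.3.0.0/20 { }
        1.1.1.1/32 { }
        10.17.1.0/24 { }
    }
    type ip
}
"""

# A record line: dotted-quad with optional prefix length, followed by "{".
RECORD_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+(?:/\d+)?)\s*\{")

def parse_ip_records(text):
    """Return (networks, misaligned): every record as an ip_network normalised
    to its boundary, plus the raw text of records that had host bits set."""
    networks, misaligned = [], []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        raw = m.group(1)
        try:
            networks.append(ipaddress.ip_network(raw, strict=True))
        except ValueError:
            misaligned.append(raw)
            networks.append(ipaddress.ip_network(raw, strict=False))
    return networks, misaligned

def client_allowed(networks, client_addr):
    """Same question as [class match $addr equals DG] for a type-ip data-group:
    does any record's subnet contain the client address?"""
    addr = ipaddress.ip_address(client_addr)
    return any(addr in net for net in networks)

def audit_clients(text, clients):
    """Decision the CLIENT_ACCEPTED branch would take for each client address."""
    nets, misaligned = parse_ip_records(text)
    return {"misaligned": misaligned,
            "decisions": {c: ("allow" if client_allowed(nets, c) else "reject")
                          for c in clients}}
```

Records listed under "misaligned" should be corrected in the data-group itself rather than relied on being normalised by the device.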



ALTERNATIVELY

You could use mutual SSL authentication so that only web users with a valid certificate can access the website. This is smarter in the long run, since you don't have to worry about web clients whose addresses change on a regular basis.


Using this approach you could stand up DEV or UAT environments and allow only trusted networks access to those DEV/UAT environments.


For reference, a typical design has multiple pools that make up the various sites and a dev team in two network spaces.



Ken Felix





Friday, July 21, 2017

Finding traffic that's hitting an F5 VIP via iRule

So let's say you have traffic hitting an F5 virtual server, but you want to find out what/who is hitting it and what URI they are asking for. You can put a log statement inside an iRule that records what you want to log (source address, Host header, URI).


e.g

ltm rule HOSTSWITCHER {
    when HTTP_REQUEST {
        switch [HTTP::host] {
            "mysite.mydomain.com" {
                persist cookie insert "c00k3yM0nst3r" "7d 00:00:00"
                log local0. " The site name  [HTTP::host] and uri  [HTTP::uri]  is hitting  the mysite.mydomain.com"
                pool mysite.mydomain.com_pool
            }
            default {
                log local0. " The site name  [HTTP::host] and uri  [HTTP::uri] and client's address  [IP::client_addr]   is hitting  the default"
                persist cookie insert "de3fAUlt" "1d 00:00:00"
                pool default_pool
            }
        }
    }
}


This helps to find DNS entries that could be left over and still pointing at your public address. By generating a log message for the host and/or URI you can easily debug left-over or bad configurations.

The F5 LTM logs will show something similar;
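An added example (not from the original post) that summarises the lines the HOSTSWITCHER iRule writes to the LTM log: every Host header that fell into the default branch is listed with its hit count and the distinct client addresses, which is exactly where left-over DNS names show up. The log lines are constructed to match the iRule's format strings; the "Rule /Common/HOSTSWITCHER <HTTP_REQUEST>:" prefix is the usual BIG-IP rendering and is assumed here.

```python
import re
from collections import Counter

# Constructed sample of /var/log/ltm output from the HOSTSWITCHER iRule above.
SAMPLE_LOG = """\
Jul 21 09:12:01 bigip1 info tmm[1234]: Rule /Common/HOSTSWITCHER <HTTP_REQUEST>:  The site name  mysite.mydomain.com and uri  /login  is hitting  the mysite.mydomain.com
Jul 21 09:12:05 bigip1 info tmm1[1235]: Rule /Common/HOSTSWITCHER <HTTP_REQUEST>:  The site name  old-portal.mydomain.com and uri  / and client's address  203.0.113.7   is hitting  the default
Jul 21 09:12:09 bigip1 info tmm[1234]: Rule /Common/HOSTSWITCHER <HTTP_REQUEST>:  The site name  old-portal.mydomain.com and uri  /robots.txt and client's address  198.51.100.20   is hitting  the default
Jul 21 09:13:44 bigip1 info tmm[1234]: Rule /Common/HOSTSWITCHER <HTTP_REQUEST>:  The site name  198.51.100.9 and uri  /wp-login.php and client's address  203.0.113.7   is hitting  the default
"""

# The two log formats the iRule emits: a matched host, and the default branch.
MATCHED_RE = re.compile(r"site name\s+(\S+) and uri\s+(\S+)\s+is hitting\s+the (\S+)$")
DEFAULT_RE = re.compile(r"site name\s+(\S+) and uri\s+(\S+) and client's address\s+(\S+)\s+is hitting\s+the default$")

def parse_ltm_line(line):
    """Return a dict for one HOSTSWITCHER log line, or None for unrelated lines."""
    if "Rule /Common/HOSTSWITCHER" not in line:
        return None
    m = DEFAULT_RE.search(line)
    if m:
        return {"host": m.group(1), "uri": m.group(2), "client": m.group(3), "branch": "default"}
    m = MATCHED_RE.search(line)
    if m:
        return {"host": m.group(1), "uri": m.group(2), "client": None, "branch": m.group(3)}
    return None

def default_branch_report(log_text):
    """Hosts that fell through to default_pool, with hit counts and distinct clients,
    most frequent first. Bare IP addresses in the Host header are a common sign
    of scanners rather than a stale DNS name."""
    hits, clients = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_ltm_line(line)
        if rec and rec["branch"] == "default":
            hits[rec["host"]] += 1
            clients.setdefault(rec["host"], set()).add(rec["client"])
    return {host: {"hits": n, "clients": sorted(clients[host])} for host, n in hits.most_common()}

if __name__ == "__main__":
    for host, info in default_branch_report(SAMPLE_LOG).items():
        print(host, info)
```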



KenFelix




Wednesday, July 19, 2017

TLS1.3 support

So TLS v1.3 has been out for some time. You can navigate to various sites that support TLS v1.3 and check the connection status, but typically your browser needs to be enabled for this new TLS version.


Common browsers like Firefox require you to navigate to about:config, search for the TLS security settings and set the max version to "4". Other browsers are similar to some degree.



example:



Now validate using mail.google.com (yes, Google supports TLS v1.3)



versus 1.2




If you mistakenly set TLS v1.3 support with no fallback, you will start seeing the following connection errors for known working websites.



So what's all the talk about TLS v1.3?

A simplified handshake that speeds up delivery of the first byte sent for a website. So speed is one major change.


1: example of the TLS handshake improvement


2: improvement overall, and in the ciphers carried over from TLS v1.2

 https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3_.28draft.29


So what are the major issues that can come up?

  1. it is very new and needs experimentation and trials by the internet community before people become comfortable with it
  2. most existing systems don't have support for it
  3. most management interfaces on IT gear have no awareness of TLS v1.3
  4. most IT support staff, from network to security engineers, have no working knowledge of TLS, much less of the latest version
  5. various SSL deep-inspection appliances can break
  6. some forward proxies, if not updated, will break


Ken Felix








Sunday, July 16, 2017

Understanding the BIG-IQ restore process

Here are some tips on BIG-IQ restore.

1st, it works great, but you need to know a few items


A: if you restore the active F5 it will swap roles to "standby". This is a standard function.







B: The unit will go offline and disconnect while the restore takes place






C: than a oneline disconnect



D: you will probably need to do a cfg-sync


During the restore the bigstart processes will restart, but the system will not reboot.

E: if you try to restore the same "file" twice you will see the following error








Ken Felix




Thursday, July 6, 2017

Cisco ACS 5.8 patch

Well, our report monitoring tool hasn't been working with various browsers.

Well, our Cisco ACS needed to be patched in order to get our monitoring tool up and running.

1st step was to execute a backup on the primary ACS

My repository was named TAC

acs backup  TEXT01 repository  TAC JUN062017BACKUP

2nd, we copy the gpg patch ball to the host that holds the repository TAC

scp ./5-8-0-32-7.tar.gpg  ken.felix@1.1.1.1:

3rd, from within the Cisco ACS CLI we only need to execute the acs patch install command against the repository and the name of the patch ball

CISCOACSSERVER01/adminacsuser# acs patch  install  5-8-0-32-7.tar.gpg repository  TAC
 md5: ae3c92ed519471319132dfdbe9982d1a
 sha256: 62bd5e42f22c9f7e4c65480ffef8b8b46ac073e50ce6e92ae6940665c8080174
% Please confirm above crypto hash matches what is posted on Cisco download site.
% Continue? Y/N [Y] ? Y
Installing ACS patch requires a restart of ACS services. Continue?  (yes/no) yes
Calculating disk size for /opt/CSCOacs/patches
Total size of patch files are 1763 M.
Max Size defined for patch files are 2000 M.
Stopping ACS.
Stopping Management and View............................................................./opt/CSCOacs/bin/acs-for-cars-cli: line 58: kill: (7633) - No such process
..
Stopping Runtime........
Stopping Database.......
Stopping Ntpd...
Cleanup...
Stopping log forwarding .....
Installing patch version '5.8.0.32.7'
Installing ADE-OS 2.0 patch.  Please wait...
About to install files
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
Installing PBIS patch.  Please wait...
Installing TCP kernel patch.  Please wait...
nstalling new NSS.  Please wait...
This patch includes security fixes which requires ACS server reboot. It is highly recommended to proceed with reboot
Do you want to reboot the server ? Y/N : y
You have choosen to reboot the server, Rebooting ...


The system is going down for reboot NOW!
/opt/CSCOacs/patches/5-8-0-32-7
Patch '5-8-0-32-7' version '5.8.0.32.7' successfully installed
Starting ACS ....

To verify that ACS processes are running, use the
'show application status acs' command.



4th

Now sit back and wait for it to come back up ;)


5th

Log into the Cisco ACS GUI, go to About and validate that the patch level is correct






Finally,




run through the logs and accounting records and ensure AAA clients are authenticating.

Remember to repeat the above on the secondary if you have dual Cisco ACS servers.
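The installer above prints an md5 and a sha256 and asks you to confirm they match the Cisco download site. As an added example (not from the original post), the following checks the patch ball locally before it is copied to the repository host, so a corrupted or tampered download is caught before step 2. The file name and expected digests in the main block are placeholders.

```python
import hashlib

def digests_from_bytes(data):
    """md5 and sha256 of an in-memory blob, as lowercase hex."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def file_digests(path, chunk_size=1 << 20):
    """Stream a large patch ball once and return its md5 and sha256."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def compare_digests(actual, expected):
    """Return (ok, mismatches). A missing or blank expected value counts as a
    mismatch so an empty entry cannot silently pass; letter case is ignored."""
    mismatches = [algo for algo in ("md5", "sha256")
                  if (expected.get(algo) or "").strip().lower() != actual[algo]]
    return (not mismatches), mismatches

def verify_patch(path, expected):
    """Check a local patch file against the published digests before upload.
    The sha256 is the value to trust; md5 is only checked because the
    installer prints it as well."""
    return compare_digests(file_digests(path), expected)

if __name__ == "__main__":
    # Placeholders: substitute the values shown on the Cisco download page.
    try:
        ok, bad = verify_patch("5-8-0-32-7.tar.gpg",
                               {"md5": "<md5 from download site>",
                                "sha256": "<sha256 from download site>"})
        print("OK" if ok else "MISMATCH: " + ", ".join(bad))
    except FileNotFoundError as exc:
        print("patch file not found:", exc.filename)
```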


;)