Category Archives: Memorandum

Posts in the “Memo” category contain nothing new for the Internet community, but they aggregate useful information on certain IT-related topics.

DHCP Sequences: Broadcast vs. Unicast

I was missing a sequence diagram for DHCP that shows not only the four basic messages (DISCOVER, OFFER, REQUEST, ACK), but also the source/destination addresses and ports that are used, the type of delivery (unicast/broadcast), the differences between the initial and the renewal messages, and the firewall rules needed to allow DHCP traffic to/from the firewall's own interface or to/from a DHCP relay agent.

Here it comes! :)
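To go with the diagram, here is an added example (my own code, not part of the original post) that decodes DHCP messages and derives, from the header fields alone, which source/destination addresses and ports each message travels with and whether it is broadcast or unicast, following RFC 2131 section 4.1. It covers a bit more than the diagram: the NAK case, the relay-agent legs (giaddr set), and the broadcast flag. The server address 192.0.2.1, the lease 192.0.2.50, the relay 192.0.2.254 and the client MAC are assumed values, and every message is constructed in-line rather than captured:

```python
"""Decode DHCP messages and derive the source/destination addresses and ports
each one travels with, following the rules of RFC 2131 section 4.1.  Added
example, not code from the original post; all messages are constructed."""
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
BROADCAST_FLAG = 0x8000
ANY, BCAST = "0.0.0.0", "255.255.255.255"
SERVER, CLIENT_MAC = "192.0.2.1", bytes.fromhex("0011223344aa")   # assumed values


def build_dhcp(op, xid, flags, ciaddr, yiaddr, giaddr, chaddr, msg_type, opts=b""):
    """Build a minimal DHCP payload; used only to construct the samples."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, flags,
                      IPv4Address(ciaddr).packed, IPv4Address(yiaddr).packed,
                      b"\0" * 4, IPv4Address(giaddr).packed,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, msg_type]) + opts + b"\xff"


def parse_dhcp(payload):
    """Return the fixed header fields and the TLV options of a DHCP payload."""
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    if payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:        # 255 = end option
        if payload[i] == 0:                               # 0 = pad
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "flags": flags,
            "ciaddr": str(IPv4Address(payload[12:16])),
            "yiaddr": str(IPv4Address(payload[16:20])),
            "giaddr": str(IPv4Address(payload[24:28])),
            "chaddr": payload[28:28 + hlen].hex(":"),
            "type": MSG_TYPES.get(opts.get(53, b"\0")[0], "UNKNOWN"),
            "options": opts}


def addressing(msg, server_ip):
    """Predict (src, sport, dst, dport, mode) for a message on the wire.

    server_ip is the server the client learned from its lease (option 54);
    a renewing client unicasts to it, so it is not part of every packet."""
    ciaddr, giaddr, flags, kind = msg["ciaddr"], msg["giaddr"], msg["flags"], msg["type"]
    if msg["op"] == 1:                                    # BOOTREQUEST, client -> server
        if giaddr != ANY:                                 # leg from relay agent to server
            return (giaddr, 67, server_ip, 67, "unicast")
        if ciaddr != ANY:                                 # RENEWING at T1 (REBINDING at
            return (ciaddr, 68, server_ip, 67, "unicast") # T2 would broadcast instead)
        return (ANY, 68, BCAST, 67, "broadcast")          # INIT: no address yet
    # BOOTREPLY, server -> client; the checks follow RFC 2131 4.1 in order
    if giaddr != ANY:
        return (server_ip, 67, giaddr, 67, "unicast")     # back to the relay agent
    if kind == "NAK":
        return (server_ip, 67, BCAST, 68, "broadcast")
    if ciaddr != ANY:
        return (server_ip, 67, ciaddr, 68, "unicast")     # reply to a renewal
    if flags & BROADCAST_FLAG:
        return (server_ip, 67, BCAST, 68, "broadcast")    # client asked for broadcast
    return (server_ip, 67, msg["yiaddr"], 68, "unicast")  # unicast to chaddr, no ARP


def firewall_rules(seq):
    """Distinct (src, sport, dst, dport) UDP flows a firewall has to permit."""
    return sorted({addr[:4] for _, addr in seq})


def sample_sequence(server=SERVER, relay=None):
    """DORA exchange (broadcast flag set) followed by a unicast renewal.
    With relay set, the first four legs are the ones between relay and server."""
    g, xid, lease = relay or ANY, 0x3903F326, "192.0.2.50"
    server_id = bytes([54, 4]) + IPv4Address(server).packed
    msgs = [build_dhcp(1, xid, BROADCAST_FLAG, ANY, ANY, g, CLIENT_MAC, 1),
            build_dhcp(2, xid, BROADCAST_FLAG, ANY, lease, g, CLIENT_MAC, 2, server_id),
            build_dhcp(1, xid, BROADCAST_FLAG, ANY, ANY, g, CLIENT_MAC, 3, server_id),
            build_dhcp(2, xid, BROADCAST_FLAG, ANY, lease, g, CLIENT_MAC, 5, server_id),
            build_dhcp(1, xid + 1, 0, lease, ANY, ANY, CLIENT_MAC, 3),
            build_dhcp(2, xid + 1, 0, lease, lease, ANY, CLIENT_MAC, 5, server_id)]
    return [(m["type"], addressing(m, server)) for m in map(parse_dhcp, msgs)]


if __name__ == "__main__":
    for kind, (src, sp, dst, dp, mode) in sample_sequence():
        print(f"{kind:8} {src}:{sp} -> {dst}:{dp} ({mode})")
    print(firewall_rules(sample_sequence(relay="192.0.2.254")))
```

Running it prints the initial exchange as 0.0.0.0:68 → 255.255.255.255:67 and back, the renewal as client:68 ↔ server:67 unicast, and with a relay only the relay:67 ↔ server:67 legs; `firewall_rules()` reduces a sequence to the UDP flows a firewall between the parties must allow.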

Continue reading DHCP Sequences: Broadcast vs. Unicast

Juniper ScreenOS NSRP: Configuration via GUI, NSM, and CLI

A short step-by-step screenshot guide for the initial configuration of NSRP on two Juniper ScreenOS firewalls, such as the SSG series: one set of screenshots for the HTTPS GUI and another for the Network and Security Manager (NSM), since I am always searching for where the options are located there. Finally, I list the appropriate CLI commands.

Continue reading Juniper ScreenOS NSRP: Configuration via GUI, NSM, and CLI

Palo Alto: Vsys & Shared Gateway – Zones, Policies, and Logs

It was not easy for me to understand the types of zones and the “from – to” policy definitions when working with a Palo Alto firewall that has multiple vsys and a shared gateway. I was missing an at-a-glance picture that shows which zones to use. (Though this document describes the whole process quite well.) So, here it comes…

Continue reading Palo Alto: Vsys & Shared Gateway – Zones, Policies, and Logs

Grep Commands for Cisco ASA Syslog Messages

In a basic environment with a Cisco ASA firewall I am logging everything to a syslog-ng server. As there aren’t any reporting tools installed, I am using grep to filter the huge amount of syslog messages in order to get the information I want to know. In this blog post I list a few greps for getting the interesting data.
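As an added example (not from the original post), the same kind of filtering done in Python instead of grep, so that the message IDs worth looking for are visible in one place: 106023 (packet denied by an ACL), 302013/302014 (TCP connection built/torn down) and 605005 (login to the firewall itself). The log lines are constructed to match the ASA message formats as syslog-ng writes them; they are not a real capture. Each function's docstring names the grep pipeline it corresponds to:

```python
"""Pick the interesting events out of Cisco ASA syslog messages with regular
expressions, the way the grep one-liners do.  Added example, not from the
original post; the log lines are constructed to match the ASA message
formats (not a real capture)."""
import re
from collections import Counter, defaultdict

# Constructed sample as syslog-ng writes it: timestamp, hostname, then the
# ASA message with its %ASA-<severity>-<message id> tag.
SAMPLE_LOG = """\
Jan 12 10:15:01 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/40001 dst inside:192.0.2.10/22 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 12 10:15:02 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/40002 dst inside:192.0.2.10/23 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 12 10:15:03 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/40003 dst inside:192.0.2.10/3389 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 12 10:15:04 fw1 %ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.9/443 (198.51.100.9/443) to inside:10.0.0.23/51234 (192.0.2.1/51234)
Jan 12 10:15:06 fw1 %ASA-6-302014: Teardown TCP connection 4711 for outside:198.51.100.9/443 to inside:10.0.0.23/51234 duration 0:00:02 bytes 5120 TCP FINs
Jan 12 10:15:07 fw1 %ASA-4-106023: Deny udp src outside:198.51.100.77/5353 dst inside:192.0.2.10/161 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 12 10:15:09 fw1 %ASA-6-605005: Login permitted from 10.0.0.10/51000 to inside:10.0.0.1/ssh for user "admin"
"""

ASA_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)")
DENY_RE = re.compile(r"Deny (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
                     r"dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)")


def parse_asa(line):
    """Split a syslog line into severity, message id and the message text."""
    m = ASA_RE.search(line)
    return {"sev": int(m["sev"]), "id": m["id"], "text": m["text"]} if m else None


def grep(lines, pattern):
    """grep -E equivalent: the lines matching the regular expression."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


def count_message_ids(lines):
    """grep -oE '%ASA-[0-9]-[0-9]{6}' | sort | uniq -c, as a Counter."""
    return Counter(p["id"] for p in map(parse_asa, lines) if p)


def denies_by_source(lines):
    """For every 106023 deny: source address -> set of destination ports it hit.
    Several ports from one source within seconds is the usual scan signature."""
    ports = defaultdict(set)
    for p in map(parse_asa, lines):
        if p and p["id"] == "106023":
            d = DENY_RE.search(p["text"])
            if d:
                ports[d["src"]].add(int(d["dport"]))
    return dict(ports)


def management_logins(lines):
    """605005: who logged in to the firewall itself, from where, over what."""
    rx = re.compile(r'Login permitted from (?P<src>[\d.]+)/\d+ to [\w-]+:[\d.]+/(?P<svc>\w+) '
                    r'for user "(?P<user>[^"]+)"')
    hits = (rx.search(p["text"]) for p in map(parse_asa, lines)
            if p and p["id"] == "605005")
    return [(m["user"], m["src"], m["svc"]) for m in hits if m]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(count_message_ids(lines))
    print(denies_by_source(lines))
    print(management_logins(lines))
    print(len(grep(lines, r"%ASA-6-3020(13|14)")), "connection build/teardown lines")
```

On the sample, `denies_by_source()` shows 203.0.113.7 probing ports 22, 23 and 3389 of the same host, which is the pattern a plain `grep 106023 | sort | uniq -c` only shows after some manual squinting.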

Continue reading Grep Commands for Cisco ASA Syslog Messages

Basic syslog-ng Installation

This post shows a guideline for a basic installation of the open source syslog-ng daemon in order to store syslog messages from various devices in a separate file for each device.

I am using such an installation for my firewalls, routers, etc., to have an archive with all of their messages. Later on, I can grep through these logfiles and search for specific events. Of course it does not provide any built-in filter or correlation features – it is obviously not a SIEM. However, as a first step it's better than nothing. ;)

Continue reading Basic syslog-ng Installation

Juniper NSM: Exclamation Mark due to Attack Database Version Mismatch

Short and very specific notice: How to remove the exclamation marks on the Juniper NSM device list for firewalls that have an outdated attack database version. This happens if the license for the deep inspection expires and the device still has an old sigpack version. Since the NSM later on has newer ones, it marks the firewall with a yellow symbol. To have a consistent “green” view of all firewalls, the following steps can be done to remove the exclamation mark.

Continue reading Juniper NSM: Exclamation Mark due to Attack Database Version Mismatch

IPsec Site-to-Site VPN Cisco Router <-> AVM FRITZ!Box

The title says it all: this is about setting up a site-to-site tunnel between a Cisco router (static IPv4 address) and a FRITZ!Box (dynamic IP). Below I list all commands for the IOS router as well as the configuration file for the FRITZ!Box. For a somewhat more detailed description of the VPN on the FRITZ!Box side I refer to this earlier article of mine, in which I set up a VPN to a different product but went into the configuration steps in more depth.

Continue reading IPsec Site-to-Site VPN Cisco Router <-> AVM FRITZ!Box

Cisco Router: Disable DNS Rewrite ALG for Static NATs

I am using a Cisco router for my basic ISP connection with a NAT/PAT configuration that translates all client connections to the IPv4 address of the outside interface of the router. Furthermore, I am translating all my static public IPv4 addresses to private ones through static NAT entries. I had assumed that only the IPv4 addresses in the IPv4 packet header itself would be translated. However, this was not the case: I quickly discovered that the public IPv4 addresses inside DNS replies were translated to my private IPv4 addresses, too. This was a bit confusing since I had not explicitly configured an application layer gateway (ALG) on that router.

“Google is my friend” and once more helped me find the appropriate solution: the “no ip nat service alg udp dns” command, which disables the DNS rewrite. (Cisco's term for this DNS rewrite is “DNS doctoring”.) Here comes a basic example:
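To make visible what the ALG actually changes, here is an added example (my own model, not code from the post or from Cisco) that parses a DNS reply and applies the doctoring rule for a reply flowing from outside to inside: every A record whose address has a static NAT entry is rewritten to the inside address. The NAT table (as “ip nat inside source static <inside> <outside>” entries would create it) and the reply are constructed; the router command above simply turns this rewriting off, which in the model corresponds to passing an empty table:

```python
"""Model of what the IOS NAT DNS ALG ("DNS doctoring") does to a DNS reply
that crosses the router from outside to inside: A records carrying a public
address for which a static NAT exists are rewritten to the inside address.
Added example, not from the original post; the NAT table and the DNS reply
are constructed."""
import struct
from ipaddress import IPv4Address

# Assumed static entries, keyed by the outside (public) address.
STATIC_NAT = {"203.0.113.10": "10.0.0.10", "203.0.113.25": "10.0.0.25"}


def encode_name(name):
    """Wire form of a domain name: length-prefixed labels, terminated by 0."""
    return b"".join(bytes([len(l)]) + l.encode()
                    for l in name.rstrip(".").split(".")) + b"\0"


def build_reply(txid, qname, addresses, ttl=300):
    """Constructed DNS reply with one A question and one A answer per address.
    Answers use the usual compression pointer 0xC00C back to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)        # type A, class IN
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                       + IPv4Address(a).packed for a in addresses)
    return header + question + answers


def skip_name(msg, i):
    """Offset just past the name starting at i (labels or a compression pointer)."""
    while True:
        length = msg[i]
        if length == 0:
            return i + 1
        if length & 0xC0 == 0xC0:       # a 2-byte pointer ends the name
            return i + 2
        i += 1 + length


def a_records(msg):
    """Yield (offset of RDATA, address) for every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    i = 12
    for _ in range(qdcount):
        i = skip_name(msg, i) + 4                            # QTYPE + QCLASS
    for _ in range(ancount):
        i = skip_name(msg, i)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[i:i + 10])
        i += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield i, str(IPv4Address(msg[i:i + 4]))
        i += rdlen


def answers(msg):
    """The A record addresses in a reply, in order."""
    return [ip for _, ip in a_records(msg)]


def doctor(msg, nat_table):
    """Apply the ALG to an outside->inside reply.  Returns the possibly modified
    message and the rewrites done.  A real router also recomputes the UDP
    checksum afterwards; that is left out here.  With an empty table (the ALG
    disabled) the reply passes through unchanged."""
    out, rewrites = bytearray(msg), []
    for offset, ip in a_records(msg):
        if ip in nat_table:
            out[offset:offset + 4] = IPv4Address(nat_table[ip]).packed
            rewrites.append((ip, nat_table[ip]))
    return bytes(out), rewrites


if __name__ == "__main__":
    reply = build_reply(0x1234, "www.example.com", ["203.0.113.10", "198.51.100.5"])
    print("as sent by the resolver:", answers(reply))
    doctored, changes = doctor(reply, STATIC_NAT)      # ALG on (the IOS default)
    print("after the DNS ALG:      ", answers(doctored), changes)
    print("ALG disabled:           ", answers(doctor(reply, {})[0]))
```

The point the model makes is that the rewrite happens purely on the address value inside the payload, regardless of which name was asked for; an inside client resolving a public name that happens to map to one of your own static NAT addresses therefore gets the private address, whether that was intended or not.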

Continue reading Cisco Router: Disable DNS Rewrite ALG for Static NATs

Palo Alto GlobalProtect for Linux with vpnc

This is a tutorial on how to configure the GlobalProtect Gateway on a Palo Alto firewall in order to connect to it from a Linux computer with vpnc.

Short version: Enable IPsec and X-Auth on the Gateway and define a Group Name and Group Password. With these two values (and the gateway address), add a new VPN profile within vpnc on the Linux machine. Log in with the already existing user credentials.

Long version with screenshots comes here:

Continue reading Palo Alto GlobalProtect for Linux with vpnc

MRTG/Routers2: Template MessPC Ethernetbox

A very practical way to poll as many sensors as possible over the network without much tinkering is the Ethernetbox from MessPC. It can, for example, be equipped with several combined temperature/humidity sensors. The readings are best evaluated by a central monitoring system.

The MessPC homepage does have a small piece of documentation on using MRTG, but it introduces an additional script that is not needed at all thanks to SNMP. So I am posting here my template for a MessPC with two combined temperature/humidity sensors, which is suited for use with MRTG and Routers2 as in my installation. Three search-and-replace passes are all that is needed to adapt the template.

Continue reading MRTG/Routers2: Template MessPC Ethernetbox

Monitoring MAC-IPv6 Address Bindings

In the legacy IPv4 world, the DHCP server allocates IPv4 addresses and thereby records the MAC addresses of the clients. In the IPv6 world, if SLAAC (stateless address autoconfiguration) is used, no network or security device stores the binding between the MAC (layer 2) and the IPv6 (layer 3) addresses of the clients per se. That is, a later analysis that ties the network behaviour of specific IPv6 addresses back to the client machines is no longer possible. The mapping of “identity to IP” is not done automatically anywhere.

A simple way to overcome this issue is to install a service that captures Duplicate Address Detection (DAD) messages from all clients on the subnet in order to store the bindings of MAC and IPv6 addresses. This can be done with a small Tcpdump script on a dedicated Ethernet interface of a Linux host.

In this blog post I will present a use case for storing these bindings, the concept of the DAD messages, a Tcpdump script for doing this job, and the disadvantages and alternatives of this method.
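As an added example (my own code, not the tcpdump script from the post), the same idea done on raw Ethernet frames: a DAD neighbor solicitation is sent from the unspecified source :: for each address a host is about to use, and since the source link-layer option is not allowed in that case, the Ethernet source MAC is the only identity in the frame (which is why the capture needs the link-layer header, tcpdump -e). The parser applies the same filter a capture would ('icmp6 and ip6[40] == 135 and src host ::', assuming no IPv6 extension headers), verifies the ICMPv6 checksum, and records the bindings, flagging the edge case where a second MAC claims an address already seen from another one. All frames are constructed in-line; the MACs and addresses are assumed values:

```python
"""Learn MAC <-> IPv6 bindings from Duplicate Address Detection probes.
Added example, not the tcpdump script from the original post; the frames are
constructed in-line rather than captured."""
import struct
from ipaddress import IPv6Address

ETH_IPV6, NEXT_ICMPV6, NS_TYPE = b"\x86\xdd", 58, 135
UNSPECIFIED = IPv6Address("::")


def icmp6_checksum(src, dst, payload):
    """RFC 8200 upper-layer checksum over the IPv6 pseudo-header and payload."""
    pseudo = src + dst + struct.pack("!IBBBB", len(payload), 0, 0, 0, NEXT_ICMPV6)
    data = pseudo + payload + (b"\0" if len(payload) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def dad_frame(mac, target, src="::"):
    """Constructed Ethernet/IPv6/ICMPv6 neighbor solicitation for `target`.
    A real DAD probe has src ::; pass another src to build an ordinary NS."""
    src_mac = bytes.fromhex(mac.replace(":", ""))
    tgt = IPv6Address(target).packed
    src_ip = IPv6Address(src).packed
    dst_ip = IPv6Address("ff02::1:ff00:0").packed[:13] + tgt[13:]  # solicited-node group
    dst_mac = b"\x33\x33" + dst_ip[12:]                          # its Ethernet mapping
    icmp = struct.pack("!BBHI", NS_TYPE, 0, 0, 0) + tgt
    csum = icmp6_checksum(src_ip, dst_ip, icmp)
    icmp = icmp[:2] + struct.pack("!H", csum) + icmp[4:]
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), NEXT_ICMPV6, 255) + src_ip + dst_ip
    return dst_mac + src_mac + ETH_IPV6 + ip6 + icmp


def extract_dad(frame):
    """Return (source MAC, target address) if the frame is a valid DAD probe, else None.
    Same selection as the capture filter 'icmp6 and ip6[40] == 135 and src host ::'
    (which, like this parser, assumes there are no IPv6 extension headers)."""
    if len(frame) < 14 + 40 + 24 or frame[12:14] != ETH_IPV6:
        return None
    ip6 = frame[14:54]
    plen, nxt, hlim = struct.unpack("!HBB", ip6[4:8])
    src, dst = ip6[8:24], ip6[24:40]
    icmp = frame[54:54 + plen]
    if nxt != NEXT_ICMPV6 or hlim != 255 or IPv6Address(src) != UNSPECIFIED:
        return None                                   # hop limit 255: not routed
    if len(icmp) != plen or icmp[0] != NS_TYPE or icmp6_checksum(src, dst, icmp) != 0:
        return None                                   # checksum over a valid packet is 0
    return frame[6:12].hex(":"), str(IPv6Address(icmp[8:24]))


def learn_bindings(frames):
    """Map each IPv6 address to the MACs that probed for it, in order of first
    appearance, plus the cases where a second MAC claimed an address already
    bound to another one (a DAD collision, or someone spoofing)."""
    bindings, conflicts = {}, []
    for frame in frames:
        hit = extract_dad(frame)
        if hit is None:
            continue
        mac, addr = hit
        macs = bindings.setdefault(addr, [])
        if mac not in macs:
            if macs:
                conflicts.append((addr, macs[0], mac))
            macs.append(mac)
    return bindings, conflicts


if __name__ == "__main__":
    sample = [dad_frame("00:11:22:33:44:55", "fe80::211:22ff:fe33:4455"),
              dad_frame("00:11:22:33:44:55", "2001:db8::211:22ff:fe33:4455"),
              dad_frame("66:77:88:99:aa:bb", "2001:db8::211:22ff:fe33:4455"),
              dad_frame("66:77:88:99:aa:bb", "2001:db8::1", src="fe80::6477:88ff:fe99:aabb")]
    print(learn_bindings(sample))
```

Note that the last sample frame, an ordinary neighbor solicitation with a real source address, is ignored: only DAD probes carry the "address about to be used" semantics, and a host that fails DAD never uses the address, so the second MAC seen for 2001:db8::211:22ff:fe33:4455 is worth a closer look rather than a silent overwrite of the first binding.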

Continue reading Monitoring MAC-IPv6 Address Bindings

Basic ISP Load Balancing with a Cisco Router

“We have two independent DSL connections to the Internet and want to share the bandwidth for our users.” This was the basic requirement for a load balancing solution at the customer’s site. After searching a while for dedicated load balancers and thinking about a Do-It-Yourself Linux router solution, I used an old Cisco router (type 2621, about 40,- € on eBay at the time of writing) with two default routes, each pointing to one of the ISP routers. That fits. ;)

Continue reading Basic ISP Load Balancing with a Cisco Router

Policy-Based Routing (PBR) on a Juniper ScreenOS Firewall

Here comes an example of how to configure policy-based routing (PBR) on a Juniper ScreenOS firewall. The requirement at the customer's site was to forward all HTTP and HTTPS connections through a cheap but fast DSL Internet connection, while the business-relevant applications (mail, VoIP, FTP, …) should rely on the reliable ISP connection with static IPv4 addresses. I am showing the five relevant menus to configure PBR on the ScreenOS GUI.

[UPDATE] I later on wrote an article with policy-based routing with two different virtual routers. See it here.[/UPDATE]

Continue reading Policy-Based Routing (PBR) on a Juniper ScreenOS Firewall

Policy Based Forwarding (PBF) on a Palo Alto Firewall

This is a small example of how to configure policy based forwarding (PBF) on a Palo Alto Networks firewall. The use case was to route all user-generated HTTP and HTTPS traffic through a cheap ADSL connection while all other business traffic is routed as usual through the better SDSL connection. Since I ran into two problems with this simple scenario, I am showing the solutions here.

[UPDATE] I also wrote an article about policy based forwarding with two different virtual routers on the Palo Alto firewall. See it here.[/UPDATE]

Continue reading Policy Based Forwarding (PBF) on a Palo Alto Firewall

At a Glance: Perfect Forward Secrecy (PFS)

During the last few months, the concept of Perfect Forward Secrecy (PFS) has been presented in many newspapers and guidelines. It concerns the generation of session keys for SSL/TLS as well as for IPsec tunnels. And even though many of these articles describe the benefit of PFS, I was still missing a picture that shows the main difference between the classical key exchange via RSA (key transport) and the exchange via ephemeral Diffie-Hellman, which provides PFS. So, here comes my poster. ;)
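The same difference in code, as an added example (my own, not part of the poster or post): both handshakes are simulated, a passive attacker records the transcript and the encrypted data, and the attack is attempted after the server's long-term private key has leaked. With RSA key transport the recording plus the leaked key yields the session key; with ephemeral Diffie-Hellman the recording holds only g^a and g^b, and the leaked key merely lets the attacker impersonate the server in future handshakes, which is the caveat PFS does not cover. All parameters are toys chosen for brevity (Mersenne primes, textbook RSA without padding, a DH modulus that is not a safe prime) and are not usable as real cryptography; the plaintext is invented:

```python
"""Why a key exchange with Perfect Forward Secrecy survives a later leak of the
server's long-term key and RSA key transport does not.  Added example, not from
the original post.  Toy parameters only: nothing here is real cryptography."""
import secrets
from hashlib import sha256

# Server's long-term RSA key: n = M89 * M107 (both Mersenne primes), e = 65537.
P_RSA, Q_RSA, E = 2**89 - 1, 2**107 - 1, 65537
N = P_RSA * Q_RSA
D = pow(E, -1, (P_RSA - 1) * (Q_RSA - 1))       # the secret that will leak later

# Diffie-Hellman group: p = M127, generator 3 (toy; use a 2048-bit MODP group
# or an elliptic curve in practice).
DH_P, DH_G = 2**127 - 1, 3


def kdf(secret):
    """Session key derived from the shared secret (premaster or g^ab)."""
    return sha256(secret.to_bytes(32, "big")).digest()


def keystream_xor(key, data):
    """Toy stream cipher so the recording has something to decrypt."""
    ks = b"".join(sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


def sign(value):
    """Server signs a 128-bit value with its long-term key (textbook RSA)."""
    h = int.from_bytes(sha256(value.to_bytes(16, "big")).digest()[:16], "big")
    return pow(h, D, N)


def verify(value, sig):
    h = int.from_bytes(sha256(value.to_bytes(16, "big")).digest()[:16], "big")
    return pow(sig, E, N) == h


def handshake_rsa():
    """RSA key transport (TLS_RSA_*): the client chooses the premaster secret and
    sends it encrypted to the server's public key, so the transcript itself
    contains everything needed to recover the session key once d is known."""
    premaster = secrets.randbits(128)
    return {"kind": "rsa", "enc_premaster": pow(premaster, E, N)}, kdf(premaster)


def handshake_dhe():
    """Ephemeral Diffie-Hellman (TLS_DHE_RSA_*): fresh exponents a and b, the
    server signs g^b so the client knows it talks to the real server, and both
    exponents are discarded once the session key has been derived."""
    a, b = secrets.randbits(126), secrets.randbits(126)
    ga, gb = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    key = kdf(pow(gb, a, DH_P))                      # == pow(ga, b, DH_P)
    return {"kind": "dhe", "ga": ga, "gb": gb, "sig": sign(gb)}, key


def record_session(handshake, plaintext):
    """What a passive attacker can store: the transcript and the ciphertext."""
    transcript, key = handshake
    return {**transcript, "ciphertext": keystream_xor(key, plaintext)}


def attacker_decrypt(record, leaked_d):
    """Later: the attacker holds the server's private exponent and the recording."""
    if record["kind"] == "rsa":
        premaster = pow(record["enc_premaster"], leaked_d, N)
        return keystream_xor(kdf(premaster), record["ciphertext"])
    # DHE: the recording holds g^a and g^b but neither a nor b, so the session
    # key is out of reach short of solving the discrete logarithm.
    return None


def attacker_forge(leaked_d):
    """What the leaked key still buys: a signature on the attacker's own g^b',
    which a client would accept in a *future* handshake.  PFS does not help here."""
    fake_gb = pow(DH_G, secrets.randbits(126), DH_P)
    h = int.from_bytes(sha256(fake_gb.to_bytes(16, "big")).digest()[:16], "big")
    return verify(fake_gb, pow(h, leaked_d, N))


if __name__ == "__main__":
    secret = b"GET /internal/report.pdf HTTP/1.1"          # invented plaintext
    rsa_rec = record_session(handshake_rsa(), secret)
    dhe_rec = record_session(handshake_dhe(), secret)
    print("RSA session after key leak:", attacker_decrypt(rsa_rec, D))
    print("DHE session after key leak:", attacker_decrypt(dhe_rec, D))
    print("leaked key still lets the attacker impersonate the server:", attacker_forge(D))
```

Run it and the RSA recording decrypts to the request while the DHE recording stays opaque; the last line is the reminder that a leaked long-term key still has to be replaced immediately, because forward secrecy only protects sessions that are already over.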

Continue reading At a Glance: Perfect Forward Secrecy (PFS)