Brocade Authorization against Cisco ACS 5.3

As I have continued my on-the-job training with Brocade, I came across the fact that we were just using a simple username/password for login.  I decided to integrate it into our production Cisco ACS environment.  Unfortunately there wasn't a document on doing this for version 5.3, so I had to amend the 4.x information from Brocade.  I figured I would document it here for anyone else who is interested.

I am making the assumption that you:

  1. are comfortable with the CLI on Brocade
  2. know how to add RADIUS VSA attributes to the ACS server

I used two documents from Brocade to set this up.  The first was Chapter 5 of the FOS admin guide.  This was useful in setting up the RADIUS server and the auth parameters, namely RADIUS first, with local as a backup only if the RADIUS server is not reachable.  Here are the important parts out of the FOS admin guide:

Adding a RADIUS or LDAP server to the switch configuration
1. Connect to the switch and log in using an account with admin permissions.

2. Enter the aaaConfig --add command.

Configuring local authentication as backup
It is useful to enable local authentication so that the switch can take over authentication locally if the RADIUS or LDAP servers fail to respond because of a power outage or network problems. For example, to enable local authentication as a backup for RADIUS, enter the following command:

switch:admin> aaaconfig --authspec "radius;local" --backup

The other document that I used was an ACS_FOS doc from Brocade.  The important part of that was the FOS attributes for RADIUS.  Starting from this:

[User Defined Vendor]
Name=Brocade
IETF Code=1588

VSA 1=Brocade-Auth-Role
VSA 2=Brocade-AVPairs1
VSA 3=Brocade-AVPairs2
VSA 4=Brocade-AVPairs3
VSA 5=Brocade-AVPairs4
VSA 6=Brocade-Passwd-ExpiryDate
VSA 7=Brocade-Passwd-WarnPeriod

[Brocade-Auth-Role]
Type=STRING
Profile=OUT
[Brocade-AVPairs1]
Type=STRING
Profile=OUT
[Brocade-AVPairs2]
Type=STRING
Profile=OUT
[Brocade-AVPairs3]
Type=STRING
Profile=OUT
[Brocade-AVPairs4]
Type=STRING
Profile=OUT
[Brocade-Passwd-ExpiryDate]
Type=STRING
Profile=OUT
[Brocade-Passwd-WarnPeriod]
Type=INTEGER
Profile=OUT

I set up this:

The other part that was useful was this section on what to enter for the admin role:

Under “Brocade-Auth-Role” enter “admin” for administrator

This value is one of the pre-defined user roles in FOS. Examples are:

admin
basicswitchadmin
user
switchadmin
zoneadmin
operator
fabricadmin
securityadmin
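As an added illustration (my code, not from the original post or from Brocade), here is what the Brocade-Auth-Role VSA from the dictionary above looks like on the wire in a RADIUS Access-Accept, encoded and decoded per the RFC 2865 Vendor-Specific attribute layout (type 26, length, 4-byte vendor id 1588, then vendor-type, vendor-length, value), with the returned role checked against the pre-defined FOS roles. The attribute bytes are constructed here; the role check treats any value outside the FOS list as no access, which is my assumption about sensible switch behaviour rather than something the post states.

```python
import struct

# Brocade's vendor (IETF) code and VSA ids, from the ACS_FOS dictionary above.
BROCADE_VENDOR_ID = 1588
BROCADE_VSA_NAMES = {
    1: "Brocade-Auth-Role",
    2: "Brocade-AVPairs1",
    3: "Brocade-AVPairs2",
    4: "Brocade-AVPairs3",
    5: "Brocade-AVPairs4",
    6: "Brocade-Passwd-ExpiryDate",
    7: "Brocade-Passwd-WarnPeriod",
}
BROCADE_VSA_IDS = {name: num for num, name in BROCADE_VSA_NAMES.items()}

# Pre-defined FOS roles listed above; anything else is treated as no access.
FOS_ROLES = {"admin", "basicswitchadmin", "user", "switchadmin", "zoneadmin",
             "operator", "fabricadmin", "securityadmin"}

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type for Vendor-Specific


def encode_brocade_vsa(name, value):
    """Encode one Brocade VSA as an RFC 2865 Vendor-Specific attribute:
    Type(26) Length Vendor-Id(4) Vendor-Type Vendor-Length Value."""
    vendor_type = BROCADE_VSA_IDS[name]
    if name == "Brocade-Passwd-WarnPeriod":          # Type=INTEGER in the dictionary
        payload = struct.pack("!I", int(value))
    else:                                            # Type=STRING
        payload = value.encode("ascii")
    inner = struct.pack("!BB", vendor_type, 2 + len(payload)) + payload
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(inner), BROCADE_VENDOR_ID) + inner


def decode_brocade_vsas(attributes):
    """Walk a RADIUS attribute list and return {vsa-name: value} for every
    Brocade VSA found; attributes from other vendors are skipped."""
    found = {}
    pos = 0
    while pos + 2 <= len(attributes):
        attr_type, attr_len = attributes[pos], attributes[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attributes):
            raise ValueError("malformed attribute at offset %d" % pos)
        body = attributes[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type != VENDOR_SPECIFIC or len(body) < 6:
            continue
        vendor_id = struct.unpack("!I", body[:4])[0]
        if vendor_id != BROCADE_VENDOR_ID:
            continue
        vendor_type, vendor_len = body[4], body[5]
        if vendor_len < 2 or 4 + vendor_len > len(body):
            raise ValueError("malformed VSA at offset %d" % pos)
        payload = body[6:4 + vendor_len]
        name = BROCADE_VSA_NAMES.get(vendor_type)
        if name is None:
            continue
        if name == "Brocade-Passwd-WarnPeriod":
            found[name] = struct.unpack("!I", payload)[0]
        else:
            found[name] = payload.decode("ascii")
    return found


def effective_role(attributes):
    """Role the switch should grant: the Brocade-Auth-Role value if it is one
    of the pre-defined FOS roles, otherwise 'denied' (assumed behaviour)."""
    role = decode_brocade_vsas(attributes).get("Brocade-Auth-Role")
    return role if role in FOS_ROLES else "denied"


if __name__ == "__main__":
    # Constructed Access-Accept attribute list: admin role plus a 7-day
    # password warning period.
    accept = (encode_brocade_vsa("Brocade-Auth-Role", "admin")
              + encode_brocade_vsa("Brocade-Passwd-WarnPeriod", 7))
    print(accept.hex())
    print(decode_brocade_vsas(accept))
    print(effective_role(accept))
```

The decoder is what you would use when checking a packet capture between ACS and the switch to confirm the role really is being returned; a missing or unknown role value is the usual reason a user authenticates but lands with no access.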

Which on ACS gave me this:

Now, based on the user that logs in, I can control what access they have into our Brocade environment. This also has the added benefit of allowing us to audit the users that are logging into Brocade, so that I don't have to worry about changes being made by unauthorized (or authorized) people. I hope this helps someone else and saves them from having to hunt around to find the information.

Cryptocard and AnyConnect are my bane at 2am

We use Cryptocard as our two-factor authentication mechanism at my company: something you have and something you know.  I recently ran into an issue with the hardware tokens that was quite perplexing and caused me some grief at 2am.  We require a VPN from the inside of our company to get to PCI systems; this ensures that no one is listening on the wire and trying to steal our credit card or other vital data.  So my night operators need to use the VPN along with Cryptocard to log in to just about everything they want to do.  So this morning at 2am I got a call from one of the night operators who was trying to log in to the VPN and getting a prompt to log in again.  When I looked at the Cryptocard status screen I saw this for his status:

Unfortunately it doesn't seem like the Cisco AnyConnect client is able to handle the next token code prompt appropriately, and the user was getting a login failed message.

Usually when we have this problem with the software tokens we just resync the user's token with the console.  No big deal, except that trying to get a user to enter an 8-digit challenge code that consists of upper/lower case and special characters can be tough.

However we are now switching to the hardware tokens, and they only have one button on them.  This makes it extremely tough to enter a challenge code into the hardware token.  In this case, since it was an internal user, I just gave them the lowest possible operator rights ("snapshot") in the console and allowed them to log in there.  Then when it asked for the next code they were able to put it in and get their token code + PIN, and it resynced correctly.  Not sure what I will do when a user is remote with a hardware token and can't log in.  Probably have to issue them a software token at that point and then work with them when they are back in the office.

Upgrade Cisco ACS from 5.2 to 5.3

I am in the process of upgrading my ACS deployment from 5.2 to 5.3.  When I first got to this company we had one 3.x ACS appliance that was woefully unsupported and out of date.  Since I started I have managed to purchase two VMware servers with the large deployment license.  So my configuration is this:

Primary Server + Log Collector at the main site

Secondary Server at our remote site

As I read through the documentation for the upgrade and tried to understand Cisco's convoluted process of actually upgrading stuff, I came to a stark realization: the DB from 5.2 can be directly imported into 5.3.

I quickly ditched all plans I had to follow Cisco's cruddy upgrade process and just made sure all of my equipment had both the primary and secondary ACS servers set up.  I then created a brand new 5.3 server and applied all of the necessary patches to get it to the latest and greatest.  After that I exported my 5.2 database and imported it into 5.3.  Once I had done some testing and was sure my new 5.3 was good, I shut down the 5.2 primary and swapped the IP to the new 5.3 primary.  I then did the same process for my secondary and then restarted the distributed database.

Much easier upgrade, and it didn't require more than 5 minutes of downtime; since I had two ACSs, nothing was missed during that time and no one was denied access to the network.

Thanks Cisco for making at least one thing in life easy and keeping the databases compatible.

REGEX – What a pain…

As I have embarked on my path towards the CCIE I have come across a lot that I am not familiar with.  One of those that has given me great pause has been regex.  On its surface it seems simple enough: text matching.  As I have gone through my studies it has been anything but.  I am still learning all of the nuances of this, and luckily I have had some projects at work that have helped strengthen that knowledge.  So here are some of the regexes that I have been working on for work and why I did them.

We are whitelisting allowed websites on our Websense appliance.  Initially I went with this regex:

(http://|https://) *.facebook.com

Yes we do allow Facebook from our registers, we are a hip social company and our stores need to be able to inform the kids as to what is going on.

However I ran into an issue when someone did something like this and was able to bypass the whitelist, or I guess I should say was able to use the whitelist to get out:

http://www.yahoo.com/?www.facebook.com

I then did some looking and realized what I needed to do was disallow special characters before the domain.  DNS doesn't allow certain special characters in a domain name, and they should never show up between http:// or https:// and the domain name, so I then came up with this:

(http://|https://)[^/?//()]*.facebook.com

That managed to fix everything; the pen testers weren't able to get past it and it saved us a fair bit of trouble.  However I ran into one additional problem: what happens if the website or the user didn't put a subdomain in front of facebook.com?  Well, then it would fail.  So I ended up going with this regex, which has solved all of my problems, and everything seems to be working fine now.

(http://|https://)[^/?//()]*facebook.com
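As an added check (my code, not from the original post), here are the second and final patterns above run under Python's re module against a few constructed URLs, including the query-string trick from the post. The first, wildcard-style pattern is left out because, read as a regex, its ` *` means zero or more spaces rather than the wildcard it was written as. The block also includes a tighter form of my own, not from the post, that escapes the literal dot, anchors at the start of the URL and requires the host to end right after facebook.com.

```python
import re

# Second and final whitelist patterns from the post, exactly as written there.
WITH_SUBDOMAIN = r"(http://|https://)[^/?//()]*.facebook.com"
FINAL = r"(http://|https://)[^/?//()]*facebook.com"

# Hardened form (my assumption, not from the post): anchored at the start,
# literal dot escaped, optional subdomain, and the host must end right after
# facebook.com (end of string, start of a path, or a port).
HARDENED = r"^https?://([^/?#]*\.)?facebook\.com([/:]|$)"

# Constructed test URLs and the verdict the whitelist should give for each.
EXPECTED = {
    "http://www.facebook.com": True,
    "https://m.facebook.com/": True,
    "http://facebook.com": True,                        # no subdomain in front
    "http://www.yahoo.com/?www.facebook.com": False,    # the bypass from the post
    "http://www.yahoo.com/www.facebook.com": False,
}


def allowed(pattern, url):
    """Search-style match anywhere in the URL, the way the ASA 'test regex'
    command evaluates a pattern."""
    return re.search(pattern, url) is not None


def misclassified(pattern):
    """URLs for which the pattern's verdict differs from EXPECTED."""
    return [url for url, ok in EXPECTED.items() if allowed(pattern, url) != ok]


if __name__ == "__main__":
    for name, pattern in (("with-subdomain", WITH_SUBDOMAIN),
                          ("final", FINAL),
                          ("hardened", HARDENED)):
        print(f"{name:15} wrongly classifies: {misclassified(pattern)}")
```

Running it shows the second pattern rejecting the bare facebook.com, exactly the failure the post describes, while the final pattern and the hardened one give the expected verdict on every URL in the list.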

Throughout all of this I was using the ASA as my primary vehicle for testing the regex expressions, with the command:

test regex (input text) (regex)

caasa1(config)# test regex http://www.facebook.com "(http://|https://)[^///()]*facebook.com"
INFO: Regular expression match succeeded.

caasa1(config)# test regex http://www.yahoo.com/?www.facebook.com "(http://|https://)[^///()?]*facebook.com"
INFO: Regular expression match failed.

The main gotcha with this is to remember to hit Ctrl+V before you type the ?, or the ASA will think you are asking for help and take you to the help menu.

IPsec Tunnels, ASA, and the pitfalls of the Wizard

I am working on a project right now to decommission an older VPN3k and install an ASA 5520 to act as a VPN concentrator.  While working on this project I figured it would be a good time to train some junior admins in the finer points of VPN tunnels.  So we started the project off by getting all of the users moved to the new device; luckily we were using hostnames for the destination, and the same IPsec client was going to work for everyone.  We aren't ready to upgrade to AnyConnect yet and probably won't do that until after the new year.  All of the remote access users have been moved and we cleaned up the stragglers who did have a hardcoded IP.

Now on to the fun part: moving over the site-to-site VPN tunnels.  We use VPN tunnels to allow our external vendors access into our systems to help us and support their software.  We have quite a few tunnels.  So this is where the fun comes in.  I am trying to teach the junior admins how to build a tunnel manually on the ASA in 8.4 code, and they come across the ASDM and the tunnel wizard.  They think this is the greatest thing and figure they can do all of their work with this and bypass that messy command line.

I say to them nay, nay: the command line is always important, and if you don't understand what commands are being put in by the wizard, how can you fix it if it breaks?  They look at me with the look of "whatever, it's here so it must work."

I decide that a test is in order, so I gave them a tunnel to move and someone to work with on the tunnel at the remote site.  I let them use the fancy wizard to do their work instead of the command line.  So as they are going through the point-and-click interface they mess up and flub the IP address for the local side.  I ignore the flub and allow them to continue going forward just to see what they do.  They start testing with the remote peer and don't understand why the tunnel won't come up.  They look at it, double check their work and realize they flubbed the IP range on the local side.  So they figure that if they just change it in the IPsec configuration then it will magically start working.  Well, 20 minutes later they are still questioning why it isn't working, and I ask the question: do you know what the wizard did?  Now they look at me blankly.

What ended up happening is that when the wizard is run it creates the NAT exemption entry on the firewall so that the interesting traffic bypasses NAT and is allowed to go through the tunnel.  Once the wizard is done, however, any change to the IPsec tunnel group requires manual NAT entry changes, because just changing the tunnel group doesn't update anything else.
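As an added illustration of the failure mode above (my code, not from the original post or from Cisco), here is a small consistency check over an ASA 8.4-style config: it reads the network objects, the crypto-map ACL and the identity (no-NAT) rules, and reports any crypto-ACL entry whose source/destination pair has no matching NAT exemption. The config fragment is constructed to reproduce the junior admins' situation: the wizard built everything for 10.1.1.0/24, and only the crypto ACL was later edited to 10.1.2.0/24. The object naming and the `no-proxy-arp route-lookup` keywords are what I assume the wizard generates; the checker only relies on the `object network`, `access-list ... extended permit ip`, `nat ... source static ... destination static` and `crypto map ... match address` lines.

```python
import ipaddress
import re

# Constructed ASA 8.4 config fragment (assumed wizard output, then edited).
SAMPLE_CONFIG = """\
object network NETWORK_OBJ_10.1.1.0_24
 subnet 10.1.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.50.0_24
 subnet 192.168.50.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.1.2.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_10.1.1.0_24 NETWORK_OBJ_10.1.1.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 203.0.113.10
"""

# The same config with the crypto ACL put back in step with the NAT rule.
FIXED_CONFIG = SAMPLE_CONFIG.replace("permit ip 10.1.2.0 255.255.255.0",
                                     "permit ip 10.1.1.0 255.255.255.0")

OBJ_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(r"^ subnet (\S+) (\S+)$")
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT_RE = re.compile(r"^nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")


def parse_config(text):
    """Return (objects, aces, identity_nat_pairs, crypto_acl_names)."""
    objects, aces, nat_pairs, crypto_acls = {}, {}, set(), set()
    current_obj = None
    for line in text.splitlines():
        if m := OBJ_RE.match(line):
            current_obj = m.group(1)
            continue
        if current_obj and (m := SUBNET_RE.match(line)):
            objects[current_obj] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            continue
        current_obj = None
        if m := ACE_RE.match(line):
            acl, src, smask, dst, dmask = m.groups()
            aces.setdefault(acl, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := NAT_RE.match(line):
            real_src, mapped_src, real_dst, mapped_dst = m.groups()
            # Identity rule (real == mapped on both sides) is the NAT exemption.
            if real_src == mapped_src and real_dst == mapped_dst:
                if real_src in objects and real_dst in objects:
                    nat_pairs.add((objects[real_src], objects[real_dst]))
        elif m := MATCH_RE.match(line):
            crypto_acls.add(m.group(1))
    return objects, aces, nat_pairs, crypto_acls


def missing_nat_exemptions(text):
    """(acl, src, dst) for every crypto-ACL entry with no identity NAT rule:
    that traffic would be translated instead of entering the tunnel."""
    _, aces, nat_pairs, crypto_acls = parse_config(text)
    problems = []
    for acl in sorted(crypto_acls):
        for src, dst in aces.get(acl, []):
            if (src, dst) not in nat_pairs:
                problems.append((acl, str(src), str(dst)))
    return problems


if __name__ == "__main__":
    print("edited config :", missing_nat_exemptions(SAMPLE_CONFIG))
    print("fixed config  :", missing_nat_exemptions(FIXED_CONFIG))
```

On the edited config the checker flags the 10.1.2.0/24 to 192.168.50.0/24 entry, which is exactly the silent mismatch the wizard leaves behind; on the corrected config it reports nothing.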

Key learning for the junior admins: wizards are nice and can make life easy.  However, know all of the steps involved and how to fix it on the command line in case something goes wrong.

Random Thoughts for the Week

This week we had an additional PCI audit; the new boss didn't trust what we had done, and the fact we had already passed for this year didn't seem to make him happy.  PCI 2.0 compliance isn't a small thing, but he didn't trust us.  So he brought out his own people, who decided they needed to go through our environment with a fine-tooth comb; whether that was actually looking for vulnerabilities or for how easy it would be to take over my job, I won't know for a little while.

I played the game and gave the person what they wanted, although they did make a couple of good recommendations, which is why I was reading the CIS server hardening guide over the weekend.  Why am I, a network engineer, reading this?  Because we fired the Windows server admins, someone has to do it, and since I seem to be one of the few left I guess it is up to me to get the Wintel environment into shape.  The routers, IPS, firewalls and overall network passed with flying colors.  The Windows/VMware environment, not so much; hence my reading, which is taking me away from my studying.

So while taking one of my breaks from working I decided to go through XKCD for the week and came across this gem of a cartoon.  It is really rather fitting and drives home a point: while the password may be difficult to remember, it isn't necessarily hard for a computer to guess.  Gotta love technology.

Studying for CCIE Security and using GNS3 for now

I am in the process of studying for my CCIE Security lab, and at this point I am still trying to collect hardware as cheaply as possible, since money is an object for me.  So in the meantime I am working with GNS3 and trying to use virtual equipment to help me along and get some of my studies accomplished.  So far I have run into a few issues that are killing me:

1. The issue with c3700 units.  No matter what I did I couldn't save the configurations out of the 3700s.  Turns out there is a bug in the code that doesn't allow you to save the configuration to the startup config for this model of router.  Solution: don't use them.

2. Transparent mode in the ASAs doesn't work at all.  You can create the configuration for the ASA and put it into transparent mode; good luck getting it to pass traffic.  Solution: buy 'em or rent 'em.

3. The setup for Micro Linux running in QEMU.  I got it loaded and hooked up to a router, but actually configuring the interface was a little more of a pain.  Logging in as root isn't the same thing as logging in as root on a normal Linux machine.  Here is a brief snippet for configuring a Micro Linux instance and giving it an IP address:

tc@box:~$ sudo su
root@box:~# ifconfig eth0 10.0.0.100 netmask 255.255.255.0 up
root@box:~# route add default gw 10.0.0.1

4. Multiple context mode is a no-go on the ASA as well.  Solution: buy 'em or rent 'em.  Looking for some cheap prices on them at this point.

Other than these issues, things are working out pretty well on my virtual lab.  I still have a long road ahead of me before I will be ready to take the test.  I am working on speed at this point and doing the workbooks from INE.  I hope to be ready by Jan or Feb of next year.

I mostly put this together so that anyone else trying to do what I am doing can find the information in one place.