Technical

CCSE

On July 16, 2008, In Technical, Weblog, by Remko

Today I did the CCSE exam in Zoetermeer, this is the second exam you can do for checkpoint. After preparing it for around two months (in which time I went on holiday to Tunesia, been on business trip to Canada, had a weekend-holiday with Snow in Texel, searching for and arranging side-paths for a house which we are looking for, so basically study time was ~2 weeks) and spending a weekend and yesterday mainly to learn for the exam, it was time to do it.

I passed with a score of 85% (70% was required); so I didn’t do that bad. I got all kind of enthoustic responses from Snow, and I got a lot of text messages from my current assignment. Thanks folks! It’s appreciated!

Onward to CISSP (the materials seem boring so far) and Juniper (Which I am preparing already as next candidate) (also a dual track, the initial one, and the second level one), and then Cisco (if possible) and if then still possible, the BSDP (second level BSD certification) so that I have broad knowledge in multiple regions of the activities that Snow is offering .

The guide to a succesfull migration

On July 15, 2008, In Technical, Weblog, by Remko

Today at work I did a very succesfull migration from one machine to another pair of machines. I cannot say the details (ofcourse); but it went very well. All we had to do is pull out the old cables, unshut some network interfaces and plugin 2 detached cables (Additional security measure from us). So what lead to this succesfull migration?

Actually, it’s very simple. We planned the things properly. Ofcourse the company wanted to have it sooner, but hardware materials were not shipped on time, and we needed to do some additional testing before we could deploy this.

Because of that, I had more time then anticipated, so I did a “major” inventory, cleaned up old machines, network cables and stuff like that. That was the first big bullet that you should do. Before migrating anything, cleanup the old environment, so that it’s easier to get an overview.

Next thing I did was do an inventory on the switches that were used to connect the “old” facilities. After getting clear what all was running where and how, it was a simple step to reproduce a couple of networks on the new switches, connect up the old switches and the new ones, and have working switching connectivity. (First time I properly did a stack btw).

So, now we created space (overview by removing old unused stuff), and we did an inventory on the network to learn how that works and what was available and what not.

Next thing we did is bring in all the new goodies. While we put them in the racks, we made sure we had space left to glide cables were needed and things like that. So this is a next item, after cleaning up and knowing what lies in front of you, insert the machines, but keep cabling etc in mind, do not stick machines together, but leave a bit of space, it’s for cooling and cables!

So, after bringing in the goodies and powering them up, we had a couple of switches and some other material hanging around. OK next on this list, decide how we are going to cable the machines on the new switches and how we are going to cope with the cables. It’s important that you know upfront how you are going to do it. I had a basic idea in my head, and was very sure on how to approach the cabling thing (Robert from Snow learned me a couple of things on how cables should flow when binding them together). We placed the cables, and nicely made a couple of bundles (one going down, one returning back up, bundling the binding in the cables so that it had a nice half-round shape instead of being smashed together) and supported them on the side of the rack. Afterwards we put in some more cable gliders, now it’s really neath!

So the machines hang, ofcourse I configured them to be on the management network, and I cabled everything. Lets see whether we can reach them. Jip we could (ofcourse, we knew upfront what we were about to do!).

The next step I cheated myself and already did this with the machines in the test-lab, but in case you didn’t have that luxury, now is the time to easily configure the device and copy over the old settings from the old machine(s) where needed and improving them or doing them better (within the bounds of your project).

One or two days prior to the change, you should familiarize yourself with the goals, try to get someone else involved and look at the steps together. You have them in your head, but that’s not enough. Discuss the points with a collegue and write them down. Make sure you generate a worksheet from it. That way you know exactly what to do during migration and what is left and what not.

We did that today, (the final part) and we might have even broken a record with it. We were very quickly and had good grip on the cases. We didn’t see any problems afterwards so far, so I think the migration had succeeded very well.

One other thing I did throughout the migration is invite different people to help. The current team I am in, has 5 working people. I used them all to help me carry the machines, cables, attach them etc. Everyone now has feelings with the machines. They know which machines we are talking about, they all did something to help making this migration go smoothly. Ofcourse it could have been done without them, but it’s an team effort to make it happen, so use the people from the team to get a platform to build upon. (yes I realise that it’s not always possible to do it like this in the various environments).

Hopefully this helps you to do magic like we did today

Securing your DNS Server

On July 13, 2008, In FreeBSD, Technical, Weblog, by Remko

While most people think that Securing your DNS server is practically impossible, I want to give a few hints and tricks to make sure that it’s possible to mitigate problems from DNS to your local server.

This setup should actually be followed by everyone that cares about his DNS Server!

There are a few options to protect your DNS server as much as possible.

Split your DNS servers. The internal networks is most likely to do remote queries, the external network probably only serves your internet zone’s. Why have them in one instance? Split the machines where possible, or create different views, so that the internal people can only recurse and the external people can only lookup the domains you host. (SPLIT-DNS)
Add ACL’s and limit recursion; if you cannot do the above, you should try the best as possible to limit the amount of people that can use your DNS server to do remote lookups. Is it really necessary that joe-next-door uses your dns server to visit www.triplexdomain.com ? ISP’s are here to service these DNS queries for him
an Example of an ACL in named:

acl your-acl-name { 10.0.0.0/8; };

This matches any host in the 10/8 network.

Limiting recursion through the ACL

Add the following to the options {}; statement in named.conf:

recursion yes;
allow-recursion { your-acl-name; };

Do note the semicolons and the brackets!
Use random query ports. Whilst in the past people had been using static ports for doing remote DNS queries, to make it easily go through firewalls, that’s no longer an option. Recently ISC and CERT announced advisory’s to address static-query-ports. It makes you very vulnerable to be spoofed, and could mean that secure.yourimportantbusiness.com suddenly points to my evil.notsoimportanthost.com so that I can trick your users into submitting their data on my machine, which I can then use to do very nasty things (like having a free holiday to the bahama’s, I like it already!).
In this case one should point out a DNS server, and tell that it can do queries from port 53 and >1024, I have been using this setup for ages, and I do know that a lot of larger companies also have similiar rules in their external firewalls. This allows the DNS server to pick a lot of random ports to do queries from.

If you use a recursive DNS (because you are an ISP); then consider using only SSH and BIND on the machine (or whatever product you use). The machine does not need to be firewalled at all then , as long as you disable any unused applications. One could ofcourse filter away the SSH login, but having a stateful filter before a large DNS is just asking for problems (thanks Bjoern and Doug for this information!).
Use DNS-SEC where possible. Currently not many TLD’s support this, but if there is the possibility, you can add a security layer by using it. Ofcourse this does not prevent it forever, but it makes it again harder to do. And security is all about making the barrier too high to try (if the barrier is low, one will try, if it requires too much time or money, people will not do it that easily, though there is always someone that is willing to put in the required resources, keep that in mind).
Always use the latest available version from your vendor where possible. It’s sometimes a pain in your royal behind’s to update the services you host. But do realise that mostly by running the latest (stable) release from your vendor, you can close many known holes. Yet it leaves you open for things not yet found ofcourse (but isn’t that always the case): do plan these kind of actions and make sure you test such a setup first, or keeping the “old” machine alive till you are confident that everything works. You do not want to explain to some high-ranking boss that you didn’t test, or that you cannot return to the old situation. (Something I learned to do is; install a new machine, and it’s applications. Test whether the basic things that you expect it to do; still work. Unplug (yes do not power off!) the old machine and plugin the new one. If you worked through it for XX days, then you can backup the old machine (make sure you test the backup before really turning off the machine!) and turn it off.
Ofcourse managers and people around you will complain that it will require a lot of resources; properly planning things will demand tme and money etc. But you can easily counter that by telling your boss or manager that in case something does go wrong, the damage is most likely higher. Point at your risk-index numbers that you periodically create (right!?) to show what kind of risk is involved.

The above are ofcourse a couple of open-doors, though we (Security People) see enough in the real world to know that the above isn’t followed most of the time. Most bigger companies have the resources etc to properly do this, and some indeed use this to do the new setup, but many many many smaller companies are not using these kind of things at all, because it costs too much money. Please try to openly discuss these things with your company if you hit this. You are better off in the end if you properly discussed this, got a “no” anyway, and then things go wrong.

Hopefully the above helps a bit. I wrote this information stream based upon the latest CERT advisory for BIND, and having a few discussions here and there on the FreeBSD-Security Lists. Thanks Doug Barton, Bjoern A Zeeb to give me some thoughts about this (they might not be aware of this yet).

nginx logformat (awstats readable)

On July 6, 2008, In Technical, by Remko

I converted my nginx logformat to make sure I could keep using awstats to record my datatraffic etc. Since I needed to parse half a day of logging through Apache and then later through nginx, I needed to make sure the same formats where used. In Apache I configured the common logformat; which results in the following for nginx:

log_format main ‘$remote_addr – $remote_user [$time_local] “$request” ‘
‘$status $body_bytes_sent “$http_referer” ‘
‘”$http_user_agent” “$http_x_forwarded_for”‘;

I also created a couple of include files so that standard stuff is included for every vhost, without it requiring me to denote everything (which is quite a lot if you do it properly).

Migrated towards nginx

On July 1, 2008, In News, Technical, by Remko

Today I made the step to move from Apache to nginx. While Apache had been serving me for ages, I think it’s time for something different. nginx does precisely what I need at this point, without dreaded much overweight that Apache has. All but two vhosts had been moved over to the nginx installation at this moment. One of them will be converted today or tommorrow, the other one might not be done at all, but proxied through nginx. The problem with that host is that it’s doing Subversion hosting, and I have yet to find a proper http(s) version that supports nginx

That said; I will ofcourse keep running Apache in various places and keep track of things, but my own masterpiece is now nginx.

Recent experiences

On June 15, 2008, In Technical, by Remko

So, recently I obtained several new experiences .

I am working with Fortigate machines (AFA1000’s) and Juniper Netscreen SSG550’s, which are both great machines to work with. I touched a couple of netscreens just a week before I started my new assignment, and now I work full time with them. Beyond that I also try to support the team I am in now with cisco/networking knowledge so that the team can keep on rolling (even if the grand-master will be on holiday within 2 months from now).

Apart from the work experience I also did some work in perl again and finished up check_honeynet.pl v2.0.3b (Which will eventually become v2.0) and I am playing around with svn and mirroring subversion stuff (For FreeBSD and my own projects).

Seeing my upcoming agenda makes it a bit challenging to properly give all my activities enough time, but I am sure I Can manage that just fine.

Services moved over

On April 19, 2008, In News, Technical, by Remko

Well well, All my services are migrated from the We-Dare colocated facilities to Germany, where I obtained a couple of accounts through hetzner.de, delivering me faster machines, more bandwidth, better agreements etc, for more or less the same price. I found myself a fool if I wasn’t going to persue this. So my personal colocated services and JR-Hosting colocated services moved over to Germany now, residing on dual core machines with a bit more ram then before, a lot more diskspace, and better bandwidth agreements.

Everything had been moved over now; so if you spot something interesting, please let me know so that I can fix it.

Sadly this will also call the end of the days for a couple of websites run by friends of mine, whom didn’t want to move over to Germany, so they will be resting in peace soon (since the contracts will be terminated at We-Dare), they are www.grunn.org, and www.elarial.com , with all attached subdomains with them. I think the three of us learned a lot with those mentioned websites, and I would like to thank HuMPie and Kees (Elarial founder) for their continues support and trust in me maintaining our shared colocated machine. I’ll post updates about the new machines soon (in the my machines list) and mark the soon to be dismantled onces as *A(rchived).

Checkpoint certified;

On April 11, 2008, In News, Technical, by Remko

On a work related note: I obtained my CCSA exam today. I passed with 81% out of the required 70%, so this is a nice start of the weekend!

Honeynet Mirror check tool 1.7 released

On March 24, 2008, In News, Technical, by Remko

So, Saturday and today I spend a bit of time updating my honeynet check mirror application, which retrieves information from various mirrors to do an educated guess on when the mirrors did a last sync (all in perspective ofcourse because it doesn’t tell the actual status, but at least it’s a guide, and if properly done, we can see what happends).

That ofcourse doesn’t mean the tool is honeynet only, you can easily change it for your own needs to enlist several own mirrors etc. It’s just that I named it for the honeynet project: check_honeynet, one could argue to name it “evil-mirror-validator” or something (evil- are prefixes of most of my projects).

Anyway: back to the discussion: v1.7 has a new way of parsing configuration records which is rather straight forward. I will be implementing the same for 2.0 (which is actually just a continued development on top of 1.7). This makes use of the Config::Simple module, which enables me to write it all ini-style based (it was already like that, but then resolved more ugly then it is now).

If you browse to the downloads section, you will find it there, with a published web-frontend and so on. If you have any comments please let me know. From what I saw from my local tests this just works fine.

For 2.0 I will be issueing a seperated statistics file, which I will write ini based (from the application) to gather statistics about [ok] [bad] [banned] hosts. This way we can more selectively send messages to the bogus mirror, and even ban them (which could result in an automated removal from the main site for example) if they trigger the (adjustable) thresholds.

Back from gone (technically)

On March 20, 2008, In News, Technical, by Remko

Hello,

It was a time ago already that I posted some updates to the site, I had been very busy with work and things around that, so E_NOTIME to bring in updates. Because I dont see that change anytime soon, I’ll stick with some Technical Contributions to the internet. I am playing a lot with Checkpoint at the moment, and I would like to document some trivial things, as well as some other things that are not as trivial as they seem. I know that others can use the information (hence even Elsevier contacted me recently to help write a book about Checkpoint NGX) so lets try to share and document it properly.

In the menubar you can see that I moved a lot of technical items to the “Technical” menu, I’ll place nice information there. I will probably bring in a seperated category for Checkpoint under the FAQ as well so that it’s even easier to spot.

I am also writing up more for FreeBSD in the near future (if time permits) and I am pondering in documenting a few PoC’s that I did recently.

So expect information back on the board soon, but not regarding my private life anymore, I just dont have enough time to do so.

Evilcoder.org