Category Archives: Uncategorized

Searching for a gig – Cloud Security

Yes I have been offline for a year. Got married, quit the job, went around the world on a rock climbing fantasy tour, wound up in Germany semi-permanently.

So looking for a position in Cloud Security somewhere in Europe. My resume is HERE.

Hope all is well with you!

The Dreez

 

Advertisements

Humor only IT people will get

Thought I’d add a little humor to the blog.

Someone read my posts and sent this to me.

 

itdecisionmatrix

HTTPS Inspection – The Dark Side

So been playing with HTTPS Inspection on Squid and CP for URL filtering lately and am starting to understand why people avoid it. This is not a CP problem, but an industry problem. Sort of like when IPSEC came out, your IPSEC never talked to my IPSEC. Only HTTPS Inspection has been around since I had hair and I’m not sure we are any closer to nirvana then we were before.

So basically – HTTPS Inspection is where the proxy is a Man-In-The-Middle between a client and a server.  The proxy can then decrypt and inspect all data in the tunnel. Google will give tons of details so I won’t bore you. The key here is the certificates. How does the client get WELLSFARGO.COM server certificate if the proxy is in the middle and acting as the client? Well, the proxy generates a fake WELLSFARGO.COM certificate and sends it to the client. Here is a good diagram and slide show of how the fake cert is created and sent to the client. You might also want to research HTTPS CONNECT where the client connects to the proxy server for the HTTPS tunnel.

All sounds easy-peasy huh??? Not so quick…Before embarking on this journey I tried to google what are all the problems of forcing clients to install a new cert and proxy through a HTTPS Inspecting gateway. Only got bits and pieces. So here is my list of the fun times I am having doing HTTPS Inspection:

 

  • How do you work with humans that don’t even know what a cert is? Much less a proxy? How many times do you get the same phone call “What is a cert? Proxy what?”. Yeah deployment was automated via AD and magic just happened….right. Problem is there are too many pieces and unique components..proxies, certs, AD, Linux, OpenSSL, JavaCertStores, pinned certs, that automation will only get 80% and the others are YOUR phone call.
  • Client desktops are locked down. Have fun installing those certs or fixing problems for the client in Zambia speaking Bemba on a locked down desktop.
  • Not all servers use Windows so installing certs via command line on TinyLinux version .00000003  will be a great time.
  • Some applications use Java cert store or OpenSSL cert store or Bob and Jimbo’s cert store version 0.45. So make sure you install the right cert into the right cert stores.
  • Some clients apps just will not use fake signed certs signed by the proxy server.  They are pinned  and will only use the original cert and not one generated by the proxy server. 
  • BS you say. My ORG has AD or other friggin magic and we already distributed an ORG public cert to all our clients. That’s all you have to do is setup the proxy to sign certs as the ORG CA and wham-bam thank you mam its done. OK, so that means giving the ORG private key to the proxy server. Let me say that again….the ORG PRIVATE key. How do you control use of that private key? How do you know the proxy admin is not deep into hookers and blow and accidentally sends the private key to all his Russian friends? And malware these days are looking for private keys like crazy…is the proxy server secured???
  • No problem you say, I’ll just buy some fancy FIPS 140-2 certified  $1billion Hardware Security Module HSM with 126 pretty blinking lights and hook it up and push the GAZUNGA easy button to store all the private keys. HAHAHAHAH. Oh you make me laugh geek boy. Yet more technology on technology on technology. Have fun with that when it breaks. Interoperability, supportability, debugging, etc.
  • Speed. Generating fake certs and decrypting SSL kills CPUs. No problem you say, my vendor has XL5Billion hardware accelerator developed by some Nigerian guy for the KGB. HAHAHAHAHAH. You so funny. See above.
  • After your vendor wines and dines you with hookers and blow and single malt, in your drunken stupor ask them to allow you to log into their support site and type in HTTPS inspection or SSL decryption.

 

So my cost/benefit analysis is pretty negative right now as I work through all these HTTPS issues. I’ll keep you updated.

 

 

 

How To Change CMA/Domain Name – Preserve SIC

Our local MDS god figured this out. Renaming CMA/Domains

Verified on R77.10.

Note this procedure preserves SIC.

Check Point says this procedure is OK as long as the global policy doesn’t change under you.

 

  1. Remove CLM from FW cluster object logging.
  2. Old logs:
    1. User Tracker on CLM to issue log switch.
    2. Back up CLM logs (optional).
    3. Make sure to use “p” option to preserve log file timestamps:

“cp –p 2016* /var/temp-logs/”

  1. Delete CLM via MDG.
  2. Take CMA backup:
    1. mdsenv cma-xyz
    2. cd $FWDIR/bin/upgrade_tools
    3. ./migrate export /var/export_cma-xyz.tgz
  3. Delete entire old domain containing CMA.
  4. Create new domain & CMA with new names.
    1. Make sure GUI-clients is “any”.
    2. Use same IP address as old CMA so FW still talks to same CMA IP.
    3. Don’t start the CMA till after the import below.
  5. Import CMA objects using file /var/export_cma-xyz.tgz.
    1. Click “continue” to the global policy warning.
  6. Assign new CMA to appropriate global policy.
  7. Create CLM with new names.  Copy logs back in.
  8. Tell cluster to send logs to new CLM.
    1. Push policy
    2. Install database.

The World is Changing and so am I

The Cloud. Its Coming. Torpedo is in the tube and you are a WWII lumbering oil tanker. You will be automated like a $15 minimum wage McDonalds burger flipper.

I switched gigs and and am now working a cloud security gig. My Check Point role is diminished 50%…but worse I no longer have access to my #1 diamond support guy Taylor who fed me all the good juicy techie fixes that I shared with you all.

SOOOOO, not sure what the future blog will look like at this point, but the CP focused techie posts will be reduced and you’ll see more Cloud security chatter. Worst case you still have the archives.

Administrator Audit Made Easy – Create CSV of MDS user permissions

Darn auditors want to know who has what permissions in MDS……but want it in a spreadsheet! What’s up with that old technology?

Here it is, a matrix of users and their permissions.

adminperms

Python Program #2: Adminparser

NOTE: Goes hand in hand with my Cparser module.

Hopefully this will be easier with the R80 REST interface.

Audit OUT!

dreez

Zero Downtime Upgrade between major versions WITH/OUT dynamic routing

Good news:Can be done possible
Bad news: This is work in progress, hope to update with pictures. If you call CP support, they might be able to fish up the document.

Overview:

  1. Go through CP steps for zero time upgrades. But don’t take them toooooo seriously or you will have surprises. Make sure you do these steps.
  2. Run the upgrade on the standby – DO NOT REBOOT
  3. If you have to copy fwkern.conf from the ACTIVE member ..do it now
  4. control_bootsec – install initial policy and makes sure that the default filter (bricks the firewall) is not loaded. Run from UPGRADE file system, not old file system.

    cd /opt/CPsuite-R77/fw1/bin

    bash

    control_bootsec

  5. Reboot standby
  6. Standby comes back up “Active Attention” – no problem has no cluster policy
  7. In dynamic routing, if you have “Wait for Clustering” enabled. Disable it. Let the routed startup without a cluster
  8. Start/Stop routed:
    tellpm process:routed
    tellpm process:routed t
  9. On mgt server change policy to latest version  R77.10/20/30 and push to upgraded member (uncheck mark in policy install for cluster push). Upgraded member now knows it has to be part of a cluster. It will go to READY state, waiting for the failover
  10. Use this script to export the routes off the ACTIVE firewall onto the Standby firewall. It will turn them into STATIC routes. NOTE: There is no ‘save config’ at the end. This are only temporary until the system reboots and get real OSPF routes. Make sure you differentiate between dynamic routes that will go away on reboot and real static routes that will be kept on reboot.
  11. Reboot the READY firewall just to clear out the cobwebs.
  12. Run the ospf script on the READY firewall. This will load all the OSPF and STATIC routes onto the firewall. NOTE: YOu will have to decide if you want to keep/delete the STATIC routes. You might have to SAVE CONFIG on the static routes if you want to keep them.
  13. Do a netstat -an | wc -l and fw tab -t connections -s to metric the routes and states
  14. Do a ‘cphaprob stat’ to get the IP and ‘number ID’ of the ACTIVE member.
  15. Now on the READY member PULL the state table from the ACTIVE member.cphaprob stat   –
    Retrieve the cluster NUMBER and sync IP of the ACTIVE membercphacu start <Active Member IP> <Cluster member Number>  –
    So if active was 1.1.1.1 and number 2 in cluster:
    cphacu start 1.1.1.1 2
    Will pull the state table from the ACTIVE onto the READY member. This is like the OLD fcu command…but snazzier somehow.
  16. Do a netstat and fw tab -t connections and make sure the numbers are about the same on both members
  17. On the ACTIVE member – drum roll.
    cphaprob stop
  18. On the DOWN member STOP the routing daemon because you don’t want it to fight with the new ACTIVE member. This is where the checkpoint cluster and routing teams never broke bread and coordinated cluster & routing activity and you have to do it manually.tellpm process:routed
  19. The READY member will now go to ACTIVE
  20. On ACTIVE member check out the state tables and network tables again. OSPF should be populating. Check the neighbor status to see if OSPF neighbors are negotiating. If not, they are stuck, then stop and restart. No worries you have static entries until you reboot.clish> show ospf neighbors
    clish> show route ospftellpm process:routed         ##### stop
    tellpm process:routed t        #### start
  21. You are over the hump, congrats
  22. Upgrade the OLD system
  23. Copy fwkern from the standby if required
  24. Reboot
  25. Push policy to both members
  26. Reboot both (to clear out static network entries and cobwebs)
  27. Done

Modify firewall config without authentication – Recover admin password and much more

Yes I’m back from bumming around this summer and yes I had a great time knowing all you were working and paying taxes while I was playing on a beach and climbing in Finale Ligure Italy. Who’s the smart one now????

Meanwhile I spent the summer and lately studying for my Amazon Web Services cert. The Cloud and SDN is changing the world as we know it so you better get on the train….or apply at Walmart. $15/hour isn’t so bad.

So once upon a time Joe Bob decided to retire and forgot to give us all the passwords for our gateways. Fun time. Wish I would of known this little trick. How to recover a gateway admin and expert password without having to log in! Or DVD boot the machine on recovery disk.

WARNING: This could be really dangerous. You can execute almost ANY command on ALL your gateways raining death and destruction. Logging is minimal and tying it back to a human user to blame could be very tricky. I would only use this for emergencies.

  1. Switch to the context of the involved Domain that manages your Security Gateway:

[Expert@HostName]# mdsenv <Domain_Name>

  1. Generate hash for new password – run the following command and save the generated hash string. This will prompt you for password and give you back a hash.

[Expert@HostName]# /sbin/grub-md5-crypt

  1. Ensure that the Clish database is unlocked on the remote Security Gateway:

[Expert@HostName]# $CPDIR/bin/cprid_util -server <IP_of_Gateway> -verbose rexec -rcmd /bin/clish -s -c ‘set config-lock on override’

  1. Change the admin user password:

[Expert@HostName]# $CPDIR/bin/cprid_util -server <IP_of_Gateway> -verbose rexec -rcmd /bin/clish -s -c ‘set user admin password-hash <Password_Hash_from_Step_2>’ 

  1. You can also change the Expert password:

[Expert@HostName]# $CPDIR/bin/cprid_util -server <IP_of_Gateway> -verbose rexec -rcmd /bin/clish -s -c ‘set expert-password-hash <Password_Hash_from_Step_2>’

Be careful out there!

dreez

SDN – Part Vier

So I have hinted how firewalls integrate into this new world. Up to now, firewalls were just virtual guests and you have to use network routing to direct traffic to them…just you like you do in the real world. So you can take a stock off the shelf ISO image of a firewall and load it into VMware and have it monitor traffic with no modifications. I actually do it all the time with my labs. So what has changed???

[QUALIFICATION: I have little experience in R80 or how PA or others operate in a VMware environment. This is just my gather of thoughts from speaking with others, CPX, and reading documentation. So put a grain of salt on this discussion. As I gain experience I’ll update the blog]

So what is about to change is the integration between VMware and the SmartCenter database. Currently a firewall only knows other about other VM guests if a user creates an object and types in the IP address of that VMguest. So if I create 1000000000 VMguests I have to type them in by hand.

Well, in the new world SmartCenter will automatically keep track of the VMware objects through the REST interface. SmartCenter will poll vCenter (see, they even named them similarly) to keep track of what VMware objects exist. SmartCenter will put all the VMware objects into the DataCenter bin in SmartCenter. From the DataCenter bin, you can use them in rules and push the rules to the firewalls in Vmware.

(Question: If a VMware object is deleted, and you are using the object in a rulebase, does that mean the rulebase gets updated automatically???. Not sure.That would be bad.)

So we have this Borg Cube with 30,000 processors on it and tens of thousands of VMobjects. Let’s say we get R80 going and it just sucks in all 30,000++++ objects and puts them into the DataCenter bin. Wouldn’t that be a mess? And its only going to get worst as the virtual world grows. Imagine what the naming scheme looks like, it will be all over the map.

mgt-implementation

But I diverge…So let’s talk about why CheckPoint might have the edge in the virtual market.

[This is all by word of mouth, so make sure you ask your vendors. Email me if I’m right/wrong]

There is a Facade that the firewall vendors want you to see, and its based on a VMware restriction and not a vendor restriction. Once a firewall is integrated into the hypervisor, (currently it is CheckPoint, PA, Fortinet) it is like having a host based firewall in each virtual guest. Well The Reality is that you will have to run a (many??) separate firewalls as ‘special’ virtual guests and the hypervisor will direct traffic to that ‘special’ firewall and it will emulate being embedded into the individual virtual guest.

As I said, I have been told that this is a VMware restriction and not a firewall vendor restriction. I am not sure if this applies to the native VMware firewalls (basicallly IPchains, pretty primitive). But MAYBE, IF Vmware is actually embedded within each virtual guest, that is all you really need and not all the wizbang that commercial firewall vendors offer. Ask your vendor.

firewallimplementation

So what does this architecture mean:?

  1. Hopefully the ‘special’ firewall(s) will be tuned to utilize CPUs for performance because they will need it if it is suppose to support a whole Borg Cube (CheckPoint SecureXL, CoreXL)
  2. Unfortunately there will be a performance hit as traffic has to be shuttled to a separate ‘special’ virtual guest to be filtered. Perhaps in the short term it makes sense to virtualize environments that do not have a performance requirement.
  3. Hopefully the management environment will be able to scale as Vmware environment scales (CheckPoint MDS – NOTE: R80 MDS details have not been released. Only SmartCenter. So not sure how VMware will integrate into R80 MDS.)
  4. I am not sure how service chaining will work. Recall that in VMware you can create a rule that says ” HTTP traffic from vmguest A to vmguest B go through firewall C”
    traffic steering
    in addition, I guess in R80 this can be dynamic so admins can isolate vmguest A as a ‘bad guest’, change it security tag, and require that its traffic be ‘filtered’ by a firewall. So I am not sure how service chaining will integrate into this architecture.

……

So I am here in Germany drinking a really nice  Weisbier, sunny, 6pm, my woman is cooking for me,  and I’m running out of things to rant on about. Maybe tommorrow, SDN can wait.

Play Time

Well, its that time of year again for my Hot German Babe – Gaby and myself to hit the road. 3 months of rock climbing NE USA and Europe while all the little people work and pay SSN taxes.

Little bummed because my SDN series is not finished and I feel its going to be a winner. BUT…I’m sure it will be there when I get back.

I’m sure the CP world will somehow continue without me…..

Dreez OUT!

summer 2014 101

Helen's Loom

"Peculiar travel suggestions are dancing lessons from God." - Kurt Vonnegut

Life Stories from Dreez

These are stories from my travels. Generally I like to write stories about local people that I meet and also brag about living the retirement dream with my #1 wife Gaby. She is also my only wife.