General

Next Generation Cisco ASA 55*5 Series

Today I caught word of a next generation of Cisco Adaptive Security Appliances (ASAs) that will be released in Q3 2010. Details are scarce, but it sounds like the focus of the next series will be performance and bundling the IDS functionality right on the box. So, to spare you the marketing crap, here are the actual figures that I have heard.

  • Cisco 5555, 5565, 5575 and 5585 appliances.
  • The 5555 firewall performance starts out at about 4 Gbit/s, with IDS functionality running at around 2 Gbit/s.
  • The 5585 performance tops out at around 15 Gbit/s, with IDS functionality into the 10 Gbit/s range.
  • These devices will support ASA software version 8.4, which is also coming out soon. The main feature there is direct Active Directory support: no more RADIUS/TACACS+ integration in between, but the ability to talk LDAP and Active Directory directly.
  • For the new appliances, the firewall service basically sits in its own unit with an IDS/IPS bolted onto the top, and the two systems can be logically configured independently of each other. Each of these systems also carries its own set of physical ports in case segregation beyond contexts is required.

To me this sounds like a response (or at least a much needed hardware revision) to Juniper’s SRX platform, which offers ASA-type functionality with better performance numbers than Cisco’s current ASAs at the same price point.

However, while my experience with Juniper is limited, I would be very interested to see their offerings, since beyond the security aspects such as firewall/IDS/IPS and VPN, the SRX platforms offer full router functionality, unlike the bizarrely crippled ASA software, which does not support things such as GRE tunnels or full routing protocol suites.

Fun times ahead.


Convert a PFX file to a PEM file

Bold indicates a button clicked or key pressed.
“quotes” indicates a value which has been entered.

Grey block quote is a command typed directly into the console.

Purpose

The following steps convert a PFX certificate file exported from Windows Server to a PEM file. This matters because most Linux/Unix systems, and in particular an Apache web server, expect certificates in PEM format.

  1. Download and install the Win32 OpenSSL (v0.9.8i) package from http://www.slproweb.com/products/Win32OpenSSL.html
  2. Create the folder C:\certs and copy your exported PFX certificate file into the C:\certs folder. The name yourcert.pfx is used in this example.
  3. Go to Start, click Run, type in “cmd” and press Enter. This should bring up a command prompt which you can use to change into the OpenSSL bin directory.
  4. cd %homedrive%\OpenSSL\bin
  5. openssl pkcs12 -in C:\certs\yourcert.pfx -out c:\certs\newcertname.pem -nodes
  6. This should convert the file from PFX format to PEM format; feel free to substitute your own name for “newcertname.pem”. Also be sure this command is entered as one line, regardless of how it appears on this site. When prompted, enter the password you used when exporting the PFX file from the Windows certificate store. You should then receive the message “MAC verified OK”.
  7. Open “newcertname.pem” in Notepad and cut the private key block out into C:\OpenSSL\bin\private\privatekey.pem (or another path and name as you see fit).
  8. Also cut the CA certificate block out into C:\OpenSSL\bin\cacert.pem
  9. Modify the c:\OpenSSL\bin\openssl.cfg configuration file and change the [alt_names] to whichever alternative names you wish.
  10. Create a new request and sign it by typing the following commands.
  11. openssl req -new -nodes -keyout privatekey.pem -out cert-request.pem
  12. openssl ca -out issued-cert -in cert-request.pem
  13. This should have created a new request and signed it with the CA’s private key. Keep in mind that the paths to these certificate files are not included here, so make sure you are in the proper directory (i.e. the same directory as those files).
  14. If you get errors during this procedure, clear the index.txt and serial files within the OpenSSL directory so it starts with a fresh batch. Below is the OpenSSL configuration file, for reference. Not all of the configuration will be the same as yours, so be sure to double check certificate names and paths.
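Steps 7 and 8 are done by hand in Notepad; as an added example that is not part of the original post, this Python splits the file openssl pkcs12 wrote into the private key, the server certificate and the CA certificate, using the subject= and issuer= lines openssl prints above each block. The sample PEM text is constructed, with fake base64 bodies.

```python
import re

# Constructed sample of what "openssl pkcs12 ... -nodes" writes to newcertname.pem:
# openssl prints "Bag Attributes", then subject=/issuer= lines, before each block.
# The base64 bodies below are fake placeholders, not real key or certificate data.
SAMPLE_PEM = """Bag Attributes
    localKeyID: 01 00 00 00
subject=/CN=www.example.com
issuer=/CN=Example Root CA
-----BEGIN CERTIFICATE-----
QUJDREVGRw==
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/CN=Example Root CA
issuer=/CN=Example Root CA
-----BEGIN CERTIFICATE-----
SEVMTE9XT1JMRA==
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 00 00 00
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
UFJJVkFURUtFWQ==
-----END RSA PRIVATE KEY-----
"""

# One PEM block, optionally preceded by the subject=/issuer= lines openssl emits.
BLOCK_RE = re.compile(
    r"(?:subject=(?P<subject>[^\n]*)\nissuer=(?P<issuer>[^\n]*)\s*)?"
    r"(?P<pem>-----BEGIN (?P<type>[A-Z ]+)-----\n.*?-----END (?P=type)-----\n)",
    re.S,
)

def split_pkcs12_pem(text):
    """Return (private_keys, server_certs, ca_certs) as lists of PEM strings.

    Because -nodes was used, the key comes out unencrypted: write privatekey.pem
    with owner-only permissions and keep it out of the web server's document root.
    """
    keys, servers, cas = [], [], []
    for m in BLOCK_RE.finditer(text):
        kind = m.group("type")
        if kind.endswith("PRIVATE KEY"):
            keys.append(m.group("pem"))
        elif kind == "CERTIFICATE":
            # A self-signed certificate (subject equals issuer) is the CA; anything
            # else is the server certificate that goes in Apache's SSLCertificateFile.
            if m.group("subject") is not None and m.group("subject") == m.group("issuer"):
                cas.append(m.group("pem"))
            else:
                servers.append(m.group("pem"))
    return keys, servers, cas
```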


Set up a PPTP VPN connection on Motorola Droid (Android 2.0 & 2.1)

This tutorial will show you how to manage your computers remotely with your Droid while on the go. You can monitor your active torrents, or grab an important file you forgot to sync, whether you are on the move or at the office. Speaking of monitoring torrents from your device, a new lightweight option is to use this guide to monitoring and downloading torrents directly on the go. If you need help setting up a VPN on your home network, stay tuned to this site, as a follow-up article will be written soon.

On your Motorola Droid (Android 2.0 and 2.1)
1. Navigate to the menu and click “Settings”
2. Click “Wireless and Networks”
3. Click “VPN Settings” and click “Add VPN”
4. For this example we will be using a PPTP VPN. If you have another type of VPN set up at school, work or home, the directions will differ slightly.
5. After clicking “PPTP VPN”, give the VPN a name; this can be anything
6. In the box that says “set VPN server”, insert a DNS name or an IP address. If you are unsure what the name is, contact your work or school to see if there is some kind of document. If this is a home VPN, you can get a DNS name through dynamic DNS.

http://www.dyndns.com/

7. For this example, I will use “MytestVPNname.selfip.com”
8. If encryption is enabled on the VPN, be sure to check the next box
9. Make sure you have cell service (3G not required but recommended) and click connect. The Droid should bring up a notification stating that you are successfully connected.

Now that you are connected to the VPN, you can remotely access any computer on that network for which you have credentials. The best way to do this is to head to the marketplace on your Droid and download the free version of Remote Desktop. This will allow you to RDC into any machine on the VPN network as stated before, letting you monitor your torrents, stream music, or grab an important file from work while on the go. The RDC program I have been using is “Remote RDP Demo”.


Set up SSL VPN for pfSense 1.2

Bold indicates a button clicked or key pressed.
“quotes” indicates a value which has been entered.

Grey block quote is a command typed directly into the console.

Purpose

An SSL VPN provides a tunneled connection that may be authenticated using PKI or shared-secret credentials. It is helpful in that all it needs to operate is TCP port 443 open for SSL traffic, which may fit better with existing firewall rules.

Procedures

First, a reference of IP addresses and interfaces is needed to make this go a bit smoother.

pfSense version 1.2.1
WAN Interface: 172.17.100.3/24
LAN Interface: 192.168.101.1/24

  1. Loaded the pfSense web interface by navigating to http://192.168.101.1/
  2. Navigated to the VPN tab, then OpenVPN underneath that.
  3. Clicked the + symbol on the right side of the blank table inside the Server tab.
  4. Set protocol to TCP.
  5. Placed a check in the box to assume dynamic IPs, so that DHCP clients can connect.
  6. Used the address pool “10.0.8.0/24” for VPN clients.
  7. Selected BF-CBC (128-bit) cryptography.
  8. Selected Shared Key as the Authentication Method.
  9. Inserted the shared key generated by the OpenVPN software on the client side.
  10. Checked the box to enable LZO compression.
  11. Entered “Client Access SSL” under Description.
  12. Clicked Save.

Client Configuration

  1. Downloaded and installed OpenVPN and the OpenVPN GUI on the client machine (Windows XP in this case).
  2. Navigated to Programs->OpenVPN->Generate a static OpenVPN key
  3. Pressed Enter to close the command prompt
  4. Navigated to “C:\Program Files\OpenVPN\config”
  5. Found “key.txt” and renamed it to “client-access-vpn.key”
  6. Navigated to “C:\Program Files\OpenVPN\sample-config”
  7. Copied the file “client.ovpn”
  8. Navigated back to the “config” folder and pasted the “client.ovpn” file
  9. Edited the file as seen below

remote 172.17.100.3
proto tcp-client
dev tun
tun-mtu 1500
ifconfig 10.0.8.2 10.0.8.1
secret client-access-vpn.key
ping 10
comp-lzo
verb 4
mute 1
route-delay 2
route-method exe
route 192.168.101.0 255.255.255.0 10.0.8.1
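As an added example that is not part of the original post, this Python checks that a static-key client.ovpn agrees with the pfSense server settings listed above (WAN address, TCP, the 10.0.8.0/24 pool, the LAN subnet and LZO). The server values and the client file are copied from the write-up and embedded as sample data; it assumes pfSense takes the first pool address for its own tunnel end, which is what the ifconfig and route lines above show.

```python
import ipaddress

# Server-side values taken from the pfSense steps above (sample data, not a live system).
SERVER = {"wan": "172.17.100.3", "proto": "tcp", "pool": "10.0.8.0/24",
          "lan": "192.168.101.0/24", "compression": True}

# The client.ovpn from the write-up, embedded here as the input to check.
CLIENT_OVPN = """remote 172.17.100.3
proto tcp-client
dev tun
tun-mtu 1500
ifconfig 10.0.8.2 10.0.8.1
secret client-access-vpn.key
ping 10
comp-lzo
verb 4
mute 1
route-delay 2
route-method exe
route 192.168.101.0 255.255.255.0 10.0.8.1
"""

def parse_ovpn(text):
    """Map each directive to its argument list (comments stripped, last one wins)."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            conf[parts[0]] = parts[1:]
    return conf

def check_client(text, server):
    """Return the mismatches between a static-key client.ovpn and the pfSense settings."""
    c, problems = parse_ovpn(text), []
    pool = ipaddress.ip_network(server["pool"])
    server_tun = pool.network_address + 1          # pfSense takes the first pool host
    if (c.get("remote") or [None])[0] != server["wan"]:
        problems.append("remote must be the pfSense WAN address")
    if c.get("proto") != [server["proto"] + "-client"]:
        problems.append("proto must be tcp-client when the server listens on TCP")
    ifc = c.get("ifconfig", [])
    if len(ifc) != 2 or any(ipaddress.ip_address(a) not in pool for a in ifc):
        problems.append("ifconfig needs two addresses from the server's pool")
    elif ipaddress.ip_address(ifc[1]) != server_tun:
        problems.append("ifconfig peer (second address) must be the server tunnel end")
    r = c.get("route", [])
    if (len(r) != 3 or ipaddress.ip_network(f"{r[0]}/{r[1]}", strict=False) != ipaddress.ip_network(server["lan"])
            or ipaddress.ip_address(r[2]) != server_tun):
        problems.append("route must cover the LAN subnet via the server tunnel end")
    if "secret" not in c:
        problems.append("shared-key mode needs a secret directive naming the key file")
    if ("comp-lzo" in c) != server["compression"]:
        problems.append("comp-lzo must match the LZO compression setting on the server")
    # Not checked: the cipher. The server was set to BF-CBC, a 64-bit block cipher
    # that current OpenVPN releases no longer recommend; prefer AES where possible.
    return problems
```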

Client Connection

  1. Navigated to Programs->OpenVPN->OpenVPN GUI
  2. Right-clicked OpenVPN GUI icon
  3. Clicked Connect
