Archive for the Security Category

Implementing Wireless Intrusion Detection System

Posted in Networking, Security with tags , on September 28, 2014 by muhrizky
Advertisements

NTP on Linux

Posted in Networking, Security with tags , on September 28, 2014 by muhrizky

A couple of months ago I have some task to create an environment of all network devices in order to be synchronize with differentiation of maximum 2 seconds. Which is impossible to set manually beside of using a Network Time Protocol (NTP) synchronization. This protocol works on Stratum number hierarchy where the lowest number should be the most reliable. NTP need TCP port 123 in order to communicate, do a further check on an exclusion inside the iptables script.

For those who wants a straight-forward setup, NTP can also run on Windows environment which is out-of-scope discussion within this blog. It was easy task anyway by using a left click of a mouse within a Windows interface.

Packages that we need to get from the repository are ntp and ntpdate.
Within Debian derivative run the command #apt-get install ntp ntpdatentp_install

In Slackware there is no automation for each installation, so that we exactly need to know those packages dependencies.

Next step is the most interesting computing experience for anyone who loves Linux environment, which is script editing in order to configure the synchronizing server. The script was located on /etc/ntp.conf then find a line that starts with:

# pool.ntp.org maps to about 1000 low-stratum NTP servers.
# Your server will pick a different set every time
# it starts up.  Please consider joining the
# pool http://www.pool.ntp.org/join.html
server 0.id.pool.ntp.org iburst
server 1.id.pool.ntp.org iburst
server 2.id.pool.ntp.org iburst
server 3.id.pool.ntp.org iburst

The security part was to restrict synchronization locally for a loopback adapter and for the primary host do a broadcasting.

# Local users may interrogate the ntp
# server more closely.
restrict 127.0.0.1
restrict ::1

# If you want to provide time to your
# local subnet, change the next line.
# (Again, the address is an example only.)
broadcast 172.16.7.3

Restart the service where currently this is pre-configured as an Init script, including for the setup of IP config (static IP, gateway, DNS) by run command #service ntp restartntp_services

The last one is to monitor the synchronization between the public Stratum which is only possible to be done after all the configuration script and command was good. Run the command #ntpq -pntp_query

The local Clients synchronization can be determine by run command #ntpdc -c monlist
ntp_client

Update!!! This command was vulnerable of DoS attack as it was mention by this CVE-2013-5211

Below is the propose script modification to be applied and very recommended to create the egress filtering on each data packet flow on your firewall in order to prevent any further DoS attack inside of the network.

# By default, exchange time with everybody, but don't allow configuration.
restrict default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
restrict 172.16.7.0 mask 255.255.255.224 notrust

Cisco NAT Overload with CBAC

Posted in Operating System, Security with tags , , on June 4, 2012 by muhrizky

The reason behind this note that there is not many resource someone’s able to find by navigating Google, on how-to configure Network Address Translation (NAT) using Cisco routers. I do reread Todd Lammle book that i used to get my CCNA certification a couple of years ago, digging through Google tying to find a simple NAT configuration with dynamic IP address allocation from the ISP, and found several site (including which was wrote in the CCNA book) have configured it on the Cisco PIX firewall. I have that firewall in my personal lab so maybe i will write on that later.

Topology shown above is a simple diagram i draw it on Gliffy since they have sleek cloud-based drawing tools. The cable modem is getting a digital signal from the ISP, carried by a single coaxial cable which also have configured to be the DHCP relay in order to push IP address to consumer premises device. Cisco 2621XM modular access router came with 2 FastEthernet interface, 2 WIC, and 1 NM supporting up to 256 MB of RAM, mine is upgraded from 64 MB to 128 MB for CCNA Security certification requirements (Cisco SDM). I installed IOS version 12.2 with Advanced Security into this router so that it can be deploy as a router-based firewall supporting AAA, Radius, TACACS, SSH, Audit, CBAC, ZBF, IPS, IDS, and so on. Finally for daily internet usage, i used Linksys WAP610N dual-band access point. Actually we can expand this topology to create VLAN, Voice over IP (VoIP), secure them with PIX/ASA firewall for greater security for instance.

I mention a lot of terms above that i cannot explain this time, so everyone needs to find by ownself about what exactly is NAT and how it works, what is triple A, IPS, IDS, ZBF, and so on. So i assume that you are already know the basic if you want to continue reading. But here i will explain a brief on what is Cisco CBAC. Context-Based Access Control (CBAC) is Cisco stateful inspection firewall technology based on its Access List (ACL) configuration which will inspect TCP, UDP, and ICMP protocol up to OSI layer 7 and can prevent DDoS attacks. But since CBAC rely on the ACL, it can creates human error if we do not planning it well. Currently CBAC is been improved by Cisco Zone Based Firewall (ZBF).

Now for the configuration, first we need to configure the basic of Cisco router, i assume you are configuring from the scratch. We can start it by doing cables, set the router hostname, and IP addressing for each interfaces. For security, apply the console password, do password encryption, set username and privilege level for SSH or AAA or Radius, turn off HTTP/HTTPS service if you don’t do SDM or Cisco Network Assistant (CNA), and so forth. My suggestion: do this config accordingly to avoid your headache in further steps!

This following section is the main purpose for this article; to configure NAT and CBAC. Below is the NAT configuration, untrusted interface as the DHCP client and trusted interface resides as the DHCP server:

R18(config)#ip dhcp pool dhcp18
R18(dhcp-config)#default router 172.16.1.1
R18(dhcp-config)#network 172.16.1.0 255.255.255.224
R18(dhcp-config)#dns-servers 8.8.8.8 8.8.4.4
R18(dhcp-config)#exit
!---
set this to exclude router and wireless AP address.
R18(config)#ip dhcp excluded-address 172.16.1.1
R18(config)#ip dhcp excluded-address 172.16.1.7
!---
must be match on IP we get from the ISP
R18(config)#ip nat pool nat18 118.137.37.7 118.137.37.7 netmask 255.255.255.0
!---
ACL for NAT
R18(config)#ip access-list extended nat18-ol
R18(config)#permit ip 172.16.1.0 0.0.0.31 any
R18(config)#ip nat inside source list nat18-ol pool nat18 overload
R18(config)#interface fastethernet0/0
R18(config-if)#ip nat outside
R18(config-if)#interface fastethernet0/1
R18(config-if)#ip nat inside
R18(config-if)#do write memory

For CBAC auto secure firewall:

R18#auto secure firewall
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of the router but it will not make router absolutely secure from all security attacks ***
All the configuration done as part of AutoSecure will be shown here. For more details of why and how this configuration is useful, and any possible side effects, please refer to Cisco documentation of AutoSecure.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]:yes
Enter the number of interfaces facing internet [1]:1
Interface IP-Address OK? Method Status
Protocol
FastEthernet0/0 118.137.37.7 YES DHCP up down
FastEthernet0/1 172.16.1.1 YES NVRAM up down
Enter the interface name that is facing internet:FastEthernet0/0
Configure CBAC Firewall feature? [yes/no]:yes
This is configuration generated:
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny ip any any
interface FastEthernet0/0
ip inspect autosec_inspect out
ip access-group autosec_firewall_acl in
!
end
Apply this configuration to running-config? [yes]:<strong>yes</strong>
Applying the config generated to running-config

I will not guarantee that the auto secure firewall will be running smoothly and trouble free since it depends on Cisco IOS and our exact configuration, this is why i mentioned before that you must configure it appropriately. AutoSecure can be a doom by locking all of your access to the router, including console access. Then of course we can configure CBAC manually but hence i do not want to explain it here, at least not for this part of note.

How 802.1x Authentication Works

Posted in Security with tags , on May 8, 2009 by muhrizky

If anyone ever visit HowStuffWorks there we can find a lot of information about how objects work. Furthermore, in relation to understanding, the site gave me a good example to inform or explain something technical. In this massive information era, definition of terms is often too simple. But in my view, a simple explanation is not enough to make someone understood. In my opinion, human can be truely understand about technical terms and not to be abandon the words from brain memory, can be happen only if we are not just know what is this or what is that but we also need to know how this or that works accordingly.

802.1x in term of computer technique is a method for authenticate client, whether the network transmission come from a valid sender. 802.1x authentication can be implement to secure wireless networking. Derived from several resources, sometimes this method is also known as RADIUS authentication. But actually RADIUS is a server that provide the authentication services. 802.1x is also can be merge with Active Directory or Lightweight Directory Access Protocol (LDAP) to increase the security. Explanation below will describes how 802.1x authentication works in procedural process:

  1. Wireless client sends a request to wireless access point,
  2. Access point requests wireless client for its identity information,
  3. Wireless client sends the identity information to wireless access point,
  4. Wireless access point sends wireless client identity information to the RADIUS server,
  5. The RADIUS server verifies its connection request policies to check whether the wireless access point is valid,
  6. If the access point is valid, the RADIUS server checks its remote access policies to verify whether the wireless client is authorized,
  7. The client identity forward to the domain controller for authentication,
  8. The domain controller returns the result to the RADIUS server,
  9. RADIUS server analyzes its policies to specify constraint in case the wireless client is authenticated by the domain controller,
  10. If the client still valid, then the RADIUS server sends an acknowledgement message to access point, indicating the acceptance of the request,
  11. Once the access point receives the message, it generates WEP keys and forward the keys to the wireless client,
  12. Client uses the WEP keys to access the network.

Types of authentication method for the RADIUS itself can be:

  • Protected Extensible Authentication Protocol (PEAP-EAP): Client authenticate by validating certificate supplied from the server and acquire the master key.
  • PEAP-EAP-Microsoft Challenge Handshake Authentication Protocol (MSCHAPv2): Same as PEAP-EAP but the authentication process must also passed the Active Directory validation from domain controller.
  • Secure Socket Layer/Secure Shell (SSL/SSH): Creates a tunnel in a separate network layer for authentication.

ARP Poisoning

Posted in Security with tags , on December 15, 2008 by muhrizky

ARP (Address Resolution Protocol) is a method to generates an IP (Internet Protocol) address from one or multiple hosts. TCP/IP (Transmission Control Protocol/Internet Protocol) shows that every single packet in this type of communication protocol must contains MAC (Media Access Control) address from sender and also receiver. This kind of information is stored in the header. It means that packets, e-mail for example, cannot be send or we will get a transmission errors if it doesn’t contains a MAC address in their header. Well of course you cannot send package without the recipient address right?

ARP works by broadcasting inside particular network and after it gets the information, ARP stores it inside a cache. This term cache means volatile. One day, there is a confidential e-mail that you only want someone can read it. This packet also include with a single unique IP and MAC address which are 63.8.8.64 for the IP and AE:19:D2:33:4B:FC for MAC. Now, what will happen if your ARP cache has been poisoned before it? The actual recipient that you want to be able to read is only a person who got an IP 65.8.8.66 Not 63.8.8.64!! Sorry to say that your e-mail is not confidential anymore.

How can it be?? It is positively confidential e-mail!! Simple. This is because your ARP cache is being poisoned and someone clone their MAC address (yes, it is possible) into AE:19:D2:33:4B:FC and so be recognized as a true recipient of your e-mail.

Cross Site Scripting (XSS)

Posted in Security with tags , on October 24, 2008 by muhrizky

XSS happens when a malicious website could load another false website into another frame or window, then use Javascript to read/write data on it. The data could be your authentication, like username and password, or any other private information. XSS attacker could convince a user to follow a malicious URL which injects code that will giving him a full access to the page content.