RE: [fw-wiz] insecurity in internet connection thro cable modems

From: Noonan, Wesley (Wesley_Noonan@bmc.com)
Date: 02/17/03

    From: "Noonan, Wesley" <Wesley_Noonan@bmc.com>
    To: "'Bruce Platt'" <Bruce@ei3.com>, "'Dave Mitchell'" <dmitchell@viawest.net>
    Date: Sun, 16 Feb 2003 19:46:47 -0600
    

    This is good information (and has been saved by me in my archive folder
    <g>), but it kind of underscores my point. On the PIX it is a single command
    (OK, two, you need to save it):

    ca generate rsa key 1024
    ca save all

    BTW, you can also get it to work with MS Certificate Server, but the process
    isn't much better (and is probably worse actually) than having openssl.

    Thanks.

    Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
    Senior QA Rep.
    BMC Software, Inc.
    (713) 918-2412
    wnoonan@bmc.com
    http://www.bmc.com

    > -----Original Message-----
    > From: Bruce Platt [mailto:Bruce@ei3.com]
    > Sent: Sunday, February 16, 2003 19:39
    > To: 'Noonan, Wesley'; 'Dave Mitchell'
    > Cc: 'Brian Ford'; firewall-wizards@honor.icsalabs.com
    > Subject: RE: [fw-wiz] insecurity in internet connection thro cable modems
    >
    > It's not hard to generate a free SSL cert for a Netscreen if you have
    > access to OPENSSL on a nice unix box.
    >
    > Here's quick step by step for use in securing a management interface:
    >
    > - Create a self-signed root certificate using openssl as follows:
    >
    > #openssl req -x509 -newkey rsa:1024 -keyout key.pem -out ca-public.pem
    >
    > remove the private key from it as follows:
    >
    > #openssl req -x509 -newkey rsa:1024 -keyout key.pem -out ca-public.pem
    >
    > - Create a local certificate request on the netscreen you want to manage.
    > Fill in the ip address field with the internet ip of the device. This
    > sets one of the Cn fields in the cert to the IP of the interface.
    >
    > - Save it somewhere with an appropriate name like untrust-interface-ip.pem.
    >
    > - Sign the certificate with the local root CA created there with a command
    > like:
    >
    > #openssl x509 -req -in untrust-interface-ip.pem -CA ca-public.pem -CAkey
    > ca-private.key \
    > -CAcreateserial -out untrust-interface-ip.crt -days 730
    >
    > - This is now a valid certificate for the netscreen which can be loaded
    > from the certificates tab.
    >
    > - The next step is to load the self-signed root CA into the netscreen
    > by using the load button on the CA tab. Do this by renaming the
    > ca-public.pem to a place where your browser can open as a file and rename
    > the file ca-public.cer. Then load it into the netscreen from the
    > Certificates, CA tab.
    >
    > Once you have loaded it you should reboot your netscreen. Then go to the
    > Administration tab and enable the certificate for web management, and
    > enable SSL for the interface you want to manage, by choosing the local
    > certificate you loaded earlier. Also choose the cipher method you want to use.
    >
    > Then go to the interfaces tab and enable SSL on that interface.
    >
    > At this point you can log into the netscreen via https, however, your
    > browser is likely to "barf" due to the certificate coming from an
    > untrusted root certifying authority. You can fix this in the next step.
    >
    > - Finally, open the ca-public.cer file in your browser. For
    > Internet Explorer, the certificate import wizard starts on your PC and you
    > should import this certificate into the "Trusted Root Certification
    > Authorities" store. From now on, your browser will accept the certificate
    > created above and loaded as a valid certificate from a trusted
    > authority.
    >
    > - Go to the interfaces tab, and disable the Web UI. You can still manage
    > the NS from the web via SSL, but not via normal port 80 http.
    >
    > Similar sets of commands will give you certs to use to negotiate the VPN.
    >
    > Just fine for use on a private network where no one needs to see the
    > validity of the CA.
    >
    > Regards,
    >
    > -----Original Message-----
    > From: Noonan, Wesley [mailto:Wesley_Noonan@bmc.com]
    > Sent: Sunday, February 16, 2003 6:44 PM
    > To: 'Dave Mitchell'
    > Cc: 'Brian Ford'; firewall-wizards@honor.icsalabs.com
    > Subject: RE: [fw-wiz] insecurity in internet connection thro cable
    > modems
    >
    >
    > Freely admitting that I am not a netscreen expert (and thus, I could have
    > missed something in the config or docs), I found that I was unable to get
    > it to function and create keys without needing a certificate, which is a
    > hassle for small shops that want a VPN and don't want to pay for a
    > certificate that only has local significance. I also found their
    > documentation to be lacking. This was true for setting up SSH
    > connections to manage the device as well.
    >
    > With the PIX I can generate my own keys in 10 seconds with a single
    > command and I am off and running. 10-11 commands later, the VPN is up.
    >
    > Like I said, I just kind of feel like netscreen is about where the PIX was
    > 2 years ago. I happen to like the CLI of the PIX as well, but that probably
    > has more to do with my router background than anything else. Besides, CLI
    > preference is such a highly subjective situation anyway.
    >
    > HTH
    >
    > Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
    > Senior QA Rep.
    > BMC Software, Inc.
    > (713) 918-2412
    > wnoonan@bmc.com
    > http://www.bmc.com
    >
    >
    > > -----Original Message-----
    > > From: Dave Mitchell [mailto:dmitchell@viawest.net]
    > > Sent: Sunday, February 16, 2003 11:39
    > > To: Noonan, Wesley
    > > Cc: 'Brian Ford'; firewall-wizards@honor.icsalabs.com
    > > Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems
    > >
    > > Wes,
    > > GlobalPro makes it easier to maintain a fleet of Netscreens. I'm
    > > confused as to why you feel their VPN support is lacking? I've been able
    > > to interoperate Netscreen IPSec with Cisco PIX, Cisco IOS, Checkpoint,
    > > Cisco VPN3k, FreeSWAN; just to name some. Support for preshared keys,
    > > x509 certs, ldap auth, and securid auth make me feel that Netscreen's
    > > IPSec has quite a few features, not to mention higher throughput due to
    > > their ASICs.
    > >
    > > -dave
    > >
    > >
    > > On Sat, Feb 15, 2003 at 01:27:51PM -0600, Noonan, Wesley wrote:
    > > > Having used both, I strongly prefer a PIX. It is much easier to
    > > > maintain a bunch of PIXen than it is to maintain a bunch of netscreens.
    > > > It's not that the netscreens are bad, it is just that the TCO is too
    > > > high to try to maintain a "fleet" of them. In addition, I find their
    > > > (netscreen) VPN support to be... well... lacking. It is a very
    > > > convoluted process, much like the PIX was 2 years ago.
    > > >
    > > > HTH
    > > >
    > > > Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
    > > > Senior QA Rep.
    > > > BMC Software, Inc.
    > > > (713) 918-2412
    > > > wnoonan@bmc.com
    > > > http://www.bmc.com
    > > >
    > > >
    > > > > -----Original Message-----
    > > > > From: Brian Ford [mailto:brford@cisco.com]
    > > > > Sent: Saturday, February 15, 2003 12:56
    > > > > To: firewall-wizards@honor.icsalabs.com
    > > > > Cc: Dave Mitchell
    > > > > Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems
    > > > >
    > > > > Dave,
    > > > >
    > > > > >More than likely, natting a home network behind a linksys soho
    > > > > >router would be sufficient.
    > > > >
    > > > > Yet another security policy that begins with "more than likely".
    > > > > What happens in the "likely" case when someone figures out where you
    > > > > are and wants to get at your stuff?
    > > > >
    > > > > >Putting in PIX 501's at someone's home would be insane. If you have
    > > > > >to administer it, a small Netscreen is much easier than dealing
    > > > > >with PIX.
    > > > >
    > > > > Gee Dave. Why would it be insane to use a PIX?
    > > > >
    > > > > To set up a PIX at home all you need is the PIX. You don't need a
    > > > > PC and the setup disk that NetScreen ships.
    > > > >
    > > > > The 501 ships with a default "plug and play" configuration that for
    > > > > many installs (including folks sitting behind a cable modem) requires
    > > > > no modification to get up and running.
    > > > >
    > > > > The PIX also supports Cisco AUS (Auto Update Server) so that
    > > > > security policy, operating system image, and configuration updates
    > > > > can be securely downloaded to the PIX from a central site without
    > > > > end user intervention.
    > > > >
    > > > > You said "a small Netscreen is much easier than dealing with PIX".
    > > > > Have you really tried both products? Could it be that you just don't
    > > > > like PIX? Or that you just don't know about the PIX?
    > > > >
    > > > > Liberty for All,
    > > > >
    > > > > Brian
    > > > >
    > > > > At 12:00 PM 2/15/2003 -0500, firewall-wizards-request@honor.icsalabs.com
    > > > > wrote:
    > > > > >Message: 5
    > > > > >Date: Fri, 14 Feb 2003 14:03:11 -0700
    > > > > >From: Dave Mitchell <dmitchell@viawest.net>
    > > > > >To: "Perrymon, Josh L." <PerrymonJ@bek.com>
    > > > > >Cc: "'Chapman, Justin T'" <JtChapma@bhi-erc.com>,
    > > > > > "'firewall-wizards@honor.icsalabs.com '"
    > > > > > <firewall-wizards@honor.icsalabs.com>
    > > > > >Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems
    > > > > >
    > > > > >For normal users I'd recommend some sort of appliance filter or
    > > > > >firewall. More than likely, natting a home network behind a linksys
    > > > > >soho router would be sufficient. If you want to do VPNing and what
    > > > > >not, I think a Netscreen 5 would be the best for the home firewall.
    > > > > >Putting in PIX 501's at someone's home would be insane. If you have
    > > > > >to administer it, a small Netscreen is much easier than dealing
    > > > > >with PIX.
    > > > > >
    > > > > >-dave
    > > > > >
    > > > > >On Fri, Feb 14, 2003 at 10:42:16AM -0600, Perrymon, Josh L. wrote:
    > > > > > > Yeah... I ( Security Professional ) would implement IPChains or
    > > > > > > a PIX @ home...
    > > > > > > But don't you think Linux is completely out of the question for
    > > > > > > a regular end user?????
    > > > > > >
    > > > > > > I'm looking for an application based firewall for my VPN users..
    > > > > > > So far ZONE ALARM is my choice.. I just wished I could integrate
    > > > > > > it with the PIX VPN client like the concentrator can.
    > > > > > >
    > > > > > >
    > > > > > >
    > > > > > > Any Ideas??
    > > > > > > -JP
    > > > > > >
    > > > > > > -----Original Message-----
    > > > > > > From: Chapman, Justin T [mailto:JtChapma@bhi-erc.com]
    > > > > > > Sent: Friday, February 07, 2003 11:29 AM
    > > > > > > To: 'firewall-wizards@honor.icsalabs.com '
    > > > > > > Subject: RE: [fw-wiz] insecurity in internet connection thro cable modems
    > > > > > >
    > > > > > >
    > > > > > > >
    > > > > > > >ipchains is old ( for the previous Linux Kernel 2.2 ), iptables
    > > > > > > >http://www.iptables.org would be a better choice.
    > > > > > >
    > > > > > > Agreed. If it's an option at all, choose iptables over ipchains.
    > > > > > > It's more flexible and it's a stateful packet filter, which makes
    > > > > > > for a "smarter" firewall. IPtables (and ipchains for that matter)
    > > > > > > can be a bit intimidating to work with, especially if you're new
    > > > > > > to the syntax. If you're going to "roll your own" firewall, I
    > > > > > > would suggest searching Google/Freshmeat.net for "iptables
    > > > > > > generator". There are plenty of scripts/web frontends/guis that
    > > > > > > make creating simple "consumer-grade" firewalls a snap. One that
    > > > > > > I particularly like is a cgi-based one at:
    > > > > > >
    > > > > > > http://morizot.net/firewall/gen/
    > > > > > >
    > > > > > > Good luck!
    > > > > > >
    > > > > > > --justin
    > > > > > >
    > > > >
    > > > >
    > > > > Brian Ford
    > > > > Consulting Engineer
    > > > > Corporate Consulting Engineering, Office of the Chief Technology
    > > Officer
    > > > > Cisco Systems, Inc.
    > > > > http://www.cisco.com
    > > > > e-mail: brford@cisco.com
    > > > >
    > > > > _______________________________________________
    > > > > firewall-wizards mailing list
    > > > > firewall-wizards@honor.icsalabs.com
    > > > > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
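The step-by-step Bruce quotes above, as an added shell example that is not part of the thread: it builds the self-signed root CA, a stand-in for the certificate request the NetScreen would generate, and the CA-signed device certificate, then checks the chain the way a browser with the root imported would. Assumptions not in the thread: OpenSSL 1.1.1 or later, 2048-bit keys instead of 1024, a throwaway work directory, and 192.0.2.1 as a placeholder management IP; it also adds a subjectAltName entry, since current browsers match an IP there rather than in the CN.

```shell
#!/bin/sh
# Added example, not from the thread: Bruce's openssl steps scripted so each
# can be checked. Assumptions: OpenSSL 1.1.1+, rsa:2048 instead of 1024,
# a throwaway work dir, 192.0.2.1 (TEST-NET-1) as placeholder management IP.
set -eu
WORK="${WORK:-$(mktemp -d)}"
MGMT_IP="${MGMT_IP:-192.0.2.1}"

# Step 1: self-signed root CA. ca-private.key stays on the admin box; only
# ca-public.pem goes onto the NetScreen and into browser trust stores.
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = Lab Management Root CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1825 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca-private.key" -out "$WORK/ca-public.pem" 2>/dev/null
}

# Step 2: stand-in for the request the NetScreen generates on the device
# (there the private key never leaves the firewall; here it is device.key).
make_device_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=$MGMT_IP" -keyout "$WORK/device.key" \
    -out "$WORK/untrust-interface-ip.pem" 2>/dev/null
}

# Step 3: sign with the local CA. The thread puts the IP in the CN only;
# current browsers match it against subjectAltName, so add that too.
sign_device_cert() {
  printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' "$MGMT_IP" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/untrust-interface-ip.pem" -days 730 \
    -CA "$WORK/ca-public.pem" -CAkey "$WORK/ca-private.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -out "$WORK/untrust-interface-ip.crt" 2>/dev/null
}

# Checks: chain validates against the root alone (what a browser with the
# root imported does), and the SAN really carries the management IP.
verify_chain() { openssl verify -CAfile "$WORK/ca-public.pem" "$WORK/untrust-interface-ip.crt" >/dev/null; }
cert_has_ip_san() { openssl x509 -in "$WORK/untrust-interface-ip.crt" -noout -text | grep -q "IP Address:$MGMT_IP"; }
run_all() { make_ca && make_device_csr && sign_device_cert && verify_chain && cert_has_ip_san; }
```

Bruce's second `openssl req` line repeats the first; the `ca-private.key` his signing step references is simply the `-keyout` file of that first command, which is how it is produced here.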
