RE: [fw-wiz] insecurity in internet connection thro cable modems

From: Bruce Platt (Bruce@ei3.com)
Date: 02/17/03

    From: Bruce Platt <Bruce@ei3.com>
    To: Bruce Platt <Bruce@ei3.com>, "'Noonan, Wesley'" <Wesley_Noonan@bmc.com>, 'Dave Mitchell' <dmitchell@viawest.net>
    Date: Mon, 17 Feb 2003 09:06:53 -0500
    

    A list member pointed out that I made an error in my original post.

    When removing the private key, the following is what should be used:

    # openssl rsa -in key.pem -out ca-private.key

    Regards

    > -----Original Message-----
    > From: Bruce Platt [mailto:Bruce@ei3.com]
    > Sent: Sunday, February 16, 2003 8:39 PM
    > To: 'Noonan, Wesley'; 'Dave Mitchell'
    > Cc: 'Brian Ford'; firewall-wizards@honor.icsalabs.com
    > Subject: RE: [fw-wiz] insecurity in internet connection thro cable
    > modems
    >
    >
    > It's not hard to generate a free SSL cert for a Netscreen if you have
    > access to OPENSSL on a nice unix box.
    >
    > Here's a quick step by step for use in securing a management interface:
    >
    > - Create a self-signed root certificate using openssl as follows:
    >
    > #openssl req -x509 -newkey rsa:1024 -keyout key.pem -out ca-public.pem
    >
    > remove the private key from it as follows:
    >
    > #openssl req -x509 -newkey rsa:1024 -keyout key.pem -out ca-public.pem
    >
    > - Create a local certificate request on the netscreen you want to
    > manage. Fill in the ip address field with the internet ip of the
    > device. This sets one of the CN fields in the cert to the IP of the
    > interface.
    >
    > - Save it somewhere with an appropriate name like
    > untrust-interface-ip.pem.
    >
    > - Sign the certificate with the local root CA created there with a
    > command like:
    >
    > #openssl x509 -req -in untrust-interface-ip.pem -CA ca-public.pem \
    > -CAkey ca-private.key -CAcreateserial -out untrust-interface-ip.crt \
    > -days 730
    >
    > - This is now a valid certificate for the netscreen which can be loaded
    > from the certificates tab.
    >
    > - The next step is to load the self-signed root CA into the netscreen by
    > using the load button on the CA tab. Do this by copying the ca-public.pem
    > to a place where your browser can open it as a file and renaming the
    > file ca-public.cer. Then load it into the netscreen from the
    > Certificates, CA tab.
    >
    > Once you have loaded it you should reboot your netscreen. Then go to the
    > Administration tab and enable the certificate for web management, and
    > enable SSL for the interface you want to manage, by choosing the local
    > certificate you loaded earlier. Also choose the cipher method you want
    > to use.
    >
    > Then go to the interfaces tab and enable SSL on that interface.
    >
    > At this point you can log into the netscreen via https, however, your
    > browser is likely to "barf" due to the certificate coming from an
    > untrusted root certifying authority. You can fix this in the next step.
    >
    > - Finally, open the ca-public.cer file in your browser. For Internet
    > Explorer, the certificate import wizard starts on your PC and you should
    > import this certificate into the "Trusted Root Certification
    > Authorities" store. From now on, your browser will accept the
    > certificate created above and loaded as a valid certificate from a
    > trusted authority.
    >
    > - Go to the interfaces tab, and disable the Web UI. You can still manage
    > the NS from the web via SSL, but not via normal port 80 http.
    >
    > Similar sets of commands will give you certs to use to negotiate the
    > VPN.
    >
    > Just fine for use on a private network where no one needs to see the
    > validity of the CA.
    >
    > Regards,
    >
    > -----Original Message-----
    > From: Noonan, Wesley [mailto:Wesley_Noonan@bmc.com]
    > Sent: Sunday, February 16, 2003 6:44 PM
    > To: 'Dave Mitchell'
    > Cc: 'Brian Ford'; firewall-wizards@honor.icsalabs.com
    > Subject: RE: [fw-wiz] insecurity in internet connection thro cable
    > modems
    >
    >
    > Freely admitting that I am not a netscreen expert (and thus, I could
    > have missed something in the config or docs), I found that I was unable
    > to get it to function and create keys without needing a certificate,
    > which is a hassle for small shops that want a VPN and don't want to pay
    > for a certificate that only has local significance. I also found their
    > documentation to be lacking. This was true for setting up SSH
    > connections to manage the device as well.
    >
    > With the PIX I can generate my own keys in 10 seconds with a single
    > command and I am off and running. 10-11 commands later, the VPN is up.
    >
    > Like I said, I just kind of feel like netscreen is about where the PIX
    > was 2 years ago. I happen to like the CLI of the PIX as well, but that
    > probably has more to do with my router background than anything else.
    > Besides, CLI preference is such a highly subjective situation anyway.
    >
    > HTH
    >
    > Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
    > Senior QA Rep.
    > BMC Software, Inc.
    > (713) 918-2412
    > wnoonan@bmc.com
    > http://www.bmc.com
    >
    >
    > > -----Original Message-----
    > > From: Dave Mitchell [mailto:dmitchell@viawest.net]
    > > Sent: Sunday, February 16, 2003 11:39
    > > To: Noonan, Wesley
    > > Cc: 'Brian Ford'; firewall-wizards@honor.icsalabs.com
    > > Subject: Re: [fw-wiz] insecurity in internet connection thro cable
    > > modems
    > >
    > > Wes,
    > > GlobalPro makes it easier to maintain a fleet of Netscreens. I'm
    > > confused as to why you feel their VPN support is lacking? I've been
    > > able to interoperate Netscreen IPSec with Cisco PIX, Cisco IOS,
    > > Checkpoint, Cisco VPN3k, FreeSWAN; just to name some. Support for
    > > preshared keys, x509 certs, ldap auth, and securid auth make me feel
    > > that Netscreen's IPSec has quite a few features, not to mention higher
    > > throughput due to their ASICs.
    > >
    > > -dave
    > >
    > >
    > > On Sat, Feb 15, 2003 at 01:27:51PM -0600, Noonan, Wesley wrote:
    > > > Having used both, I strongly prefer a PIX. It is much easier to
    > > > maintain a bunch of PIXen than it is to maintain a bunch of
    > > > netscreens. It's not that the netscreens are bad, it is just that
    > > > the TCO is too high to try to maintain a "fleet" of them. In
    > > > addition, I find their (netscreen) VPN support to be... well...
    > > > lacking. It is a very convoluted process, much like the PIX was 2
    > > > years ago.
    > > >
    > > > HTH
    > > >
    > > > Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
    > > > Senior QA Rep.
    > > > BMC Software, Inc.
    > > > (713) 918-2412
    > > > wnoonan@bmc.com
    > > > http://www.bmc.com
    > > >
    > > >
    > > > > -----Original Message-----
    > > > > From: Brian Ford [mailto:brford@cisco.com]
    > > > > Sent: Saturday, February 15, 2003 12:56
    > > > > To: firewall-wizards@honor.icsalabs.com
    > > > > Cc: Dave Mitchell
    > > > > Subject: Re: [fw-wiz] insecurity in internet connection thro cable
    > > > > modems
    > > > >
    > > > > Dave,
    > > > >
    > > > > >More than likely, natting a home network behind a linksys soho
    > > > > >router would be sufficient.
    > > > >
    > > > > Yet another security policy that begins with "more than likely".
    > > > > What happens in the "likely" case when someone figures out where
    > > > > you are and wants to get at your stuff?
    > > > >
    > > > > >Putting in PIX 501's at someone's home would be insane. If you
    > > > > >have to administer it, a small Netscreen is much easier than
    > > > > >dealing with PIX.
    > > > >
    > > > > Gee Dave. Why would it be insane to use a PIX?
    > > > >
    > > > > To set up a PIX at home all you need is the PIX. You don't need a
    > > > > PC and the setup disk that NetScreen ships.
    > > > >
    > > > > The 501 ships with a default "plug and play" configuration that for
    > > > > many installs (including folks sitting behind a cable modem)
    > > > > requires no modification to get up and running.
    > > > >
    > > > > The PIX also supports Cisco AUS (Auto Update Server) so that
    > > > > security policy, operating system image, and configuration updates
    > > > > can be securely downloaded to the PIX from a central site without
    > > > > end user intervention.
    > > > >
    > > > > You said "a small Netscreen is much easier than dealing with PIX".
    > > > > Have you really tried both products? Could it be that you just
    > > > > don't like PIX? Or that you just don't know about the PIX?
    > > > >
    > > > > Liberty for All,
    > > > >
    > > > > Brian
    > > > >
    > > > > At 12:00 PM 2/15/2003 -0500, firewall-wizards-
    > > request@honor.icsalabs.com
    > > > > wrote:
    > > > > >Message: 5
    > > > > >Date: Fri, 14 Feb 2003 14:03:11 -0700
    > > > > >From: Dave Mitchell <dmitchell@viawest.net>
    > > > > >To: "Perrymon, Josh L." <PerrymonJ@bek.com>
    > > > > >Cc: "'Chapman, Justin T'" <JtChapma@bhi-erc.com>,
    > > > > > "'firewall-wizards@honor.icsalabs.com '"
    > > > > > <firewall-wizards@honor.icsalabs.com>
    > > > > >Subject: Re: [fw-wiz] insecurity in internet connection thro cable
    > > > > >modems
    > > > > >
    > > > > >For normal users I'd recommend some sort of appliance filter or
    > > > > >firewall. More than likely, natting a home network behind a linksys
    > > > > >soho router would be sufficient. If you want to do VPNing and what
    > > > > >not, I think a Netscreen 5 would be the best for the home firewall.
    > > > > >Putting in PIX 501's at someone's home would be insane. If you have
    > > > > >to administer it, a small Netscreen is much easier than dealing with
    > > > > >PIX.
    > > > > >
    > > > > >-dave
    > > > > >
    > > > > >On Fri, Feb 14, 2003 at 10:42:16AM -0600, Perrymon, Josh L. wrote:
    > > > > > > Yeah... I ( Security Professional ) would implement IPChains or
    > > > > > > a PIX @ home...
    > > > > > > But don't you think Linux is completely out of the question for
    > > > > > > a regular end user?????
    > > > > > >
    > > > > > > I'm looking for an application based firewall for my VPN users..
    > > > > > > So far ZONE ALARM is my choice.. I just wished I could integrate
    > > > > > > it with the PIX VPN client like the concentrator can.
    > > > > > >
    > > > > > >
    > > > > > >
    > > > > > > Any Ideas??
    > > > > > > -JP
    > > > > > >
    > > > > > > -----Original Message-----
    > > > > > > From: Chapman, Justin T [mailto:JtChapma@bhi-erc.com]
    > > > > > > Sent: Friday, February 07, 2003 11:29 AM
    > > > > > > To: 'firewall-wizards@honor.icsalabs.com '
    > > > > > > Subject: RE: [fw-wiz] insecurity in internet connection thro
    > > > > > > cable modems
    > > > > > >
    > > > > > >
    > > > > > > >ipchains is old ( for the previous Linux Kernel 2.2 ), iptables
    > > > > > > >http://www.iptables.org would be a better choice.
    > > > > > >
    > > > > > > Agreed. If it's an option at all, choose iptables over ipchains.
    > > > > > > It's more flexible and it's a stateful packet filter, which
    > > > > > > makes for a "smarter" firewall. IPtables (and ipchains for that
    > > > > > > matter) can be a bit intimidating to work with, especially if
    > > > > > > you're new to the syntax. If you're going to "roll your own"
    > > > > > > firewall, I would suggest searching Google/Freshmeat.net for
    > > > > > > "iptables generator". There are plenty of scripts/web
    > > > > > > frontends/guis that make creating simple "consumer-grade"
    > > > > > > firewalls a snap. One that I particularly like is a cgi-based
    > > > > > > one at:
    > > > > > >
    > > > > > > http://morizot.net/firewall/gen/
    > > > > > >
    > > > > > > Good luck!
    > > > > > >
    > > > > > > --justin
    > > > > > >
    > > > >
    > > > >
    > > > > Brian Ford
    > > > > Consulting Engineer
    > > > > Corporate Consulting Engineering, Office of the Chief Technology
    > > Officer
    > > > > Cisco Systems, Inc.
    > > > > http://www.cisco.com
    > > > > e-mail: brford@cisco.com
    > > > >
    > > > > _______________________________________________
    > > > > firewall-wizards mailing list
    > > > > firewall-wizards@honor.icsalabs.com
    > > > > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >
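The private-CA procedure from Bruce Platt's post, with the corrected key-extraction command from his follow-up, as an added runnable example that is not part of the original thread. It assumes the openssl CLI is installed, uses a placeholder interface IP (192.0.2.1), constructs the device request locally in place of the one a NetScreen generates on the box, and adds the check a practitioner would run before loading anything on the device: that the signed certificate verifies against the root the browser will be told to trust.

```shell
#!/bin/sh
# Added example (not from the thread): Bruce Platt's private-CA procedure run
# end to end with the corrected key-extraction step, then the check a
# practitioner wants before loading anything on the device: the signed cert
# must verify against the root that the browser will trust. Needs openssl.
set -eu
WORK="${WORK:-$(mktemp -d)}"
DEVICE_IP="${DEVICE_IP:-192.0.2.1}"   # placeholder; use the untrust interface IP
# Explicit CA extensions, so the root is a valid trust anchor regardless of
# what the system openssl.cnf happens to default to.
write_config() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}
# Step 1: self-signed root, key and cert; -nodes skips the passphrase prompt.
make_root_ca() {
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1825 \
    -subj "/CN=Private Management Root CA" \
    -keyout "$WORK/key.pem" -out "$WORK/ca-public.pem" 2>/dev/null
  # The corrected step from the follow-up post: write out the bare private key.
  openssl rsa -in "$WORK/key.pem" -out "$WORK/ca-private.key" 2>/dev/null
}
# Step 2: the device request with the interface IP as CN (a NetScreen makes
# this on the box; it is constructed locally here so the example runs alone).
make_device_csr() {
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$DEVICE_IP" -keyout "$WORK/untrust-interface-ip.key" \
    -out "$WORK/untrust-interface-ip.pem" 2>/dev/null
}
# Step 3: sign the request with the root, as in the post.
sign_device_cert() {
  openssl x509 -req -in "$WORK/untrust-interface-ip.pem" -days 730 \
    -CA "$WORK/ca-public.pem" -CAkey "$WORK/ca-private.key" -CAcreateserial \
    -out "$WORK/untrust-interface-ip.crt" 2>/dev/null
}
# The check: succeeds (exit 0) only if the device cert chains to the root.
verify_chain() {
  write_config; make_root_ca; make_device_csr; sign_device_cert
  openssl verify -CAfile "$WORK/ca-public.pem" "$WORK/untrust-interface-ip.crt" >/dev/null 2>&1
}
# Subject of the signed cert, to confirm the CN carries the interface IP.
device_cert_subject() { openssl x509 -in "$WORK/untrust-interface-ip.crt" -noout -subject; }
```

Current browsers additionally require a subjectAltName entry (here an IP entry matching the interface) on the device certificate, which the 2003-era `x509 -req` command above does not add.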