RE: [fw-wiz] insecurity in internet connection thro cable modems
From: Bruce Platt (Bruce@ei3.com)
Date: 02/17/03
From: Bruce Platt <Bruce@ei3.com> To: Bruce Platt <Bruce@ei3.com>, "'Noonan, Wesley'" <Wesley_Noonan@bmc.com>, 'Dave Mitchell' <dmitchell@viawest.net> Date: Mon, 17 Feb 2003 09:06:53 -0500
A list member pointed out that I made an error in my original post.
When removing the private key, the following is what should be used:
# openssl rsa -in key.pem -out ca-private.key
Regards
> -----Original Message-----
> From: Bruce Platt [mailto:Bruce@ei3.com]
> Sent: Sunday, February 16, 2003 8:39 PM
> To: 'Noonan, Wesley'; 'Dave Mitchell'
> Cc: 'Brian Ford'; firewall-wizards@honor.icsalabs.com
> Subject: RE: [fw-wiz] insecurity in internet connection thro cable
> modems
>
>
> It's not hard to generate a free SSL cert for a Netscreen if you have access
> to OPENSSL on a nice unix box.
>
> Here's a quick step by step for use in securing a management interface:
>
> - Create a self-signed root certificate using openssl as follows:
>
> #openssl req -x509 -newkey rsa:1024 -keyout key.pem -out ca-public.pem
>
> remove the private key from it as follows:
>
> #openssl req -x509 -newkey rsa:1024 -keyout key.pem -out ca-public.pem
>
> - Create a local certificate request on the netscreen you want to manage.
> Fill in the ip address field with the internet ip of the device. This sets
> one of the Cn fields in the cert to the IP of the interface.
>
> - Save it somewhere with an appropriate name like untrust-interface-ip.pem.
>
> - Sign the certificate with the local root CA created there with a command
> like:
>
> #openssl x509 -req -in untrust-interface-ip.pem -CA ca-public.pem -CAkey ca-private.key \
> -CAcreateserial -out untrust-interface-ip.crt -days 730
>
> - This is now a valid certificate for the netscreen which can be loaded from
> the certificates tab.
>
> - The next step is to load the self-signed root CA into the netscreen by
> using the load button on the CA tab. Do this by renaming the ca-public.pem
> to a place where your browser can open it as a file and rename the file
> ca-public.cer. Then load it into the netscreen from the Certificates, CA tab.
>
> Once you have loaded it you should reboot your netscreen. Then go to the
> Administration tab and enable the certificate for web management, and enable
> SSL for the interface you want to manage, by choosing the local certificate
> you loaded earlier. Also choose the cipher method you want to use.
>
> Then go to the interfaces tab and enable SSL on that interface.
>
> At this point you can log into the netscreen via https, however, your
> browser is likely to "barf" due to the certificate coming from an untrusted
> root certifying authority. You can fix this in the next step.
>
> - Finally, open the ca-public.cer file in your browser and open it. For
> Internet Explorer, the certificate import wizard starts on your PC and you
> should import this certificate into the "Trusted Root Certification
> Authorities" store. From now on, your browser will accept the certificate
> created above and loaded as a valid certificate from a trusted authority.
>
> - Go to the interfaces tab, and disable the Web UI. You can still manage
> the NS from the web via SSL, but not via normal port 80 http.
>
> Similar sets of commands will give you certs to use to negotiate the VPN.
>
> Just fine for use on a private network where no one needs to see the
> validity of the CA.
>
> Regards,
>
> -----Original Message-----
> From: Noonan, Wesley [mailto:Wesley_Noonan@bmc.com]
> Sent: Sunday, February 16, 2003 6:44 PM
> To: 'Dave Mitchell'
> Cc: 'Brian Ford'; firewall-wizards@honor.icsalabs.com
> Subject: RE: [fw-wiz] insecurity in internet connection thro cable
> modems
>
>
> Freely admitting that I am not a netscreen expert (and thus, I could have
> missed something in the config or docs), I found that I was unable to get it
> to function and create keys without needing a certificate, which is a hassle
> for small shops that want a VPN and don't want to pay for a certificate that
> only has local significance. I also found their documentation to be lacking.
> This was true for setting up SSH connections to manage the device as well.
>
> With the PIX I can generate my own keys in 10 seconds with a single command
> and I am off and running. 10-11 commands later, the VPN is up.
>
> Like I said, I just kind of feel like netscreen is about where the PIX was 2
> years ago. I happen to like the CLI of the PIX as well, but that probably
> has more to do with my router background than anything else. Besides, CLI
> preference is such a highly subjective situation anyway.
>
> HTH
>
> Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
> Senior QA Rep.
> BMC Software, Inc.
> (713) 918-2412
> wnoonan@bmc.com
> http://www.bmc.com
>
>
> > -----Original Message-----
> > From: Dave Mitchell [mailto:dmitchell@viawest.net]
> > Sent: Sunday, February 16, 2003 11:39
> > To: Noonan, Wesley
> > Cc: 'Brian Ford'; firewall-wizards@honor.icsalabs.com
> > Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems
> >
> > Wes,
> > GlobalPro makes it easier to maintain a fleet of Netscreens. I'm confused
> > as to why you feel their VPN support is lacking? I've been able to
> > interoperate Netscreen IPSec with Cisco PIX, Cisco IOS, Checkpoint, Cisco
> > VPN3k, FreeSWAN; just to name some. Support for preshared keys, x509 certs,
> > ldap auth, and securid auth make me feel that Netscreen's IPSec has quite a
> > few features, not to mention higher throughput due to their ASIC's.
> >
> > -dave
> >
> >
> > On Sat, Feb 15, 2003 at 01:27:51PM -0600, Noonan, Wesley wrote:
> > > Having used both, I strongly prefer a PIX. It is much easier to maintain a
> > > bunch of PIXen than it is to maintain a bunch of netscreens. It's not that
> > > the netscreens are bad, it is just that the TCO is too high to try to
> > > maintain a "fleet" of them. In addition, I find their (netscreen) VPN
> > > support to be... well... lacking. It is a very convoluted process, much like
> > > the PIX was 2 years ago.
> > >
> > > HTH
> > >
> > > Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
> > > Senior QA Rep.
> > > BMC Software, Inc.
> > > (713) 918-2412
> > > wnoonan@bmc.com
> > > http://www.bmc.com
> > >
> > >
> > > > -----Original Message-----
> > > > From: Brian Ford [mailto:brford@cisco.com]
> > > > Sent: Saturday, February 15, 2003 12:56
> > > > To: firewall-wizards@honor.icsalabs.com
> > > > Cc: Dave Mitchell
> > > > Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems
> > > >
> > > > Dave,
> > > >
> > > > >More than
> > > > >likely, natting a home network behind a linksys soho router would be
> > > > >sufficient.
> > > >
> > > > Yet another security policy that begins with "more than likely". What
> > > > happens in the "likely" case when someone figures out where you are and
> > > > wants to get at your stuff?
> > > >
> > > > >Putting in PIX 501's at someone's home would be insane. If you have to
> > > > >administer it, a small Netscreen is much easier than dealing with PIX.
> > > >
> > > > Gee Dave. Why would it be insane to use a PIX?
> > > >
> > > > To set up a PIX at home all you need is the PIX. You don't need a PC and
> > > > the setup disk that NetScreen ships.
> > > >
> > > > The 501 ships with a default "plug and play" configuration that for many
> > > > installs (including folks sitting behind a cable modem) requires no
> > > > modification to get up and running.
> > > >
> > > > The PIX also supports Cisco AUS (Auto Update Server) so that security
> > > > policy, operating system image, and configuration updates can be securely
> > > > downloaded to the PIX from a central site without end user intervention.
> > > >
> > > > You said "a small Netscreen is much easier than dealing with PIX". Have
> > > > you really tried both products? Could it be that you just don't like
> > > > PIX? Or that you just don't know about the PIX?
> > > >
> > > > Liberty for All,
> > > >
> > > > Brian
> > > >
> > > > At 12:00 PM 2/15/2003 -0500, firewall-wizards-request@honor.icsalabs.com
> > > > wrote:
> > > > >Message: 5
> > > > >Date: Fri, 14 Feb 2003 14:03:11 -0700
> > > > >From: Dave Mitchell <dmitchell@viawest.net>
> > > > >To: "Perrymon, Josh L." <PerrymonJ@bek.com>
> > > > >Cc: "'Chapman, Justin T'" <JtChapma@bhi-erc.com>,
> > > > > "'firewall-wizards@honor.icsalabs.com '"
> > > > > <firewall-wizards@honor.icsalabs.com>
> > > > >Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems
> > > > >
> > > > >For normal users I'd recommend some sort of appliance filter or firewall.
> > > > >More than likely, natting a home network behind a linksys soho router
> > > > >would be sufficient. If you want to do VPNing and what not, I think a
> > > > >Netscreen 5 would be the best for the home firewall. Putting in PIX 501's
> > > > >at someone's home would be insane. If you have to administer it, a small
> > > > >Netscreen is much easier than dealing with PIX.
> > > > >
> > > > >-dave
> > > > >
> > > > >On Fri, Feb 14, 2003 at 10:42:16AM -0600, Perrymon, Josh L. wrote:
> > > > > > Yeah... I ( Security Professional ) would implement IPChains or a PIX @
> > > > > > home...
> > > > > > But don't you think Linux is completely out of the question for a
> > > > > > regular end user?????
> > > > > >
> > > > > > I'm looking for an application based firewall for my VPN users..
> > > > > > So far ZONE ALARM is my choice.. I just wished I could integrate it with
> > > > > > the PIX VPN client like the concentrator can.
> > > > > >
> > > > > > Any Ideas??
> > > > > > -JP
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Chapman, Justin T [mailto:JtChapma@bhi-erc.com]
> > > > > > Sent: Friday, February 07, 2003 11:29 AM
> > > > > > To: 'firewall-wizards@honor.icsalabs.com '
> > > > > > Subject: RE: [fw-wiz] insecurity in internet connection thro cable modems
> > > > > >
> > > > > > >
> > > > > > >ipchains is old ( for the previous Linux Kernel 2.2 ), iptables
> > > > > > >http://www.iptables.org would be a better choice.
> > > > > >
> > > > > > Agreed. If it's an option at all, choose iptables over ipchains. It's
> > > > > > more flexible and it's a stateful packet filter, which makes for a
> > > > > > "smarter" firewall. IPtables (and ipchains for that matter) can be a bit
> > > > > > intimidating to work with, especially if you're new to the syntax. If
> > > > > > you're going to "roll your own" firewall, I would suggest searching
> > > > > > Google/Freshmeat.net for "iptables generator". There are plenty of
> > > > > > scripts/web frontends/guis that make creating simple "consumer-grade"
> > > > > > firewalls a snap. One that I particularly like is a cgi-based one at:
> > > > > >
> > > > > > http://morizot.net/firewall/gen/
> > > > > >
> > > > > > Good luck!
> > > > > >
> > > > > > --justin
> > > > > >
> > > >
> > > > Brian Ford
> > > > Consulting Engineer
> > > > Corporate Consulting Engineering, Office of the Chief Technology
> > Officer
> > > > Cisco Systems, Inc.
> > > > http://www.cisco.com
> > > > e-mail: brford@cisco.com
> > > >
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
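The CA and signing steps from Bruce's post, as an added example that is not part of the thread: a POSIX shell script that builds the self-signed root, exports the unencrypted CA key the way the correction at the top of the message specifies, signs a stand-in for the NetScreen's certificate request, and then verifies the result the way a browser will once the root is in its trusted store. File names follow the post; the device IP, CA subject and passphrase are made-up demo values, and the key size is raised from the post's rsa:1024 to 2048 because 1024-bit RSA is no longer acceptable.

```shell
#!/bin/sh
# Added example (not from the thread): the private-CA steps Bruce describes,
# scripted end to end with the corrected key-export step and a verify check.
# Names, IPs and the passphrase are made up for the demo; nothing is installed.
set -e

WORK="${WORK:-$(mktemp -d)}"           # scratch directory for all files
DEVICE_IP="${DEVICE_IP:-192.0.2.10}"   # stand-in for the untrust interface IP
CA_PASS="${CA_PASS:-demo-passphrase}"  # protects key.pem at rest

build_ca_and_device_cert() {
    cd "$WORK"
    # 1. Self-signed root CA. The post used rsa:1024; 2048 is the minimum now.
    #    key.pem is written passphrase-encrypted, as the interactive prompt would.
    openssl req -x509 -newkey rsa:2048 -days 730 -keyout key.pem -out ca-public.pem \
        -subj "/CN=Home Firewall Root CA" -passout "pass:$CA_PASS" 2>/dev/null
    # 2. The step the follow-up corrects: export an unencrypted copy of the CA key.
    openssl rsa -in key.pem -passin "pass:$CA_PASS" -out ca-private.key 2>/dev/null
    chmod 600 key.pem ca-private.key
    # 3. Stand-in for the request the NetScreen generates, CN = interface IP.
    openssl req -new -newkey rsa:2048 -nodes -keyout device.key \
        -out untrust-interface-ip.pem -subj "/CN=$DEVICE_IP" 2>/dev/null
    # 4. Sign it with the local root, the same command as in the post.
    openssl x509 -req -in untrust-interface-ip.pem -CA ca-public.pem \
        -CAkey ca-private.key -CAcreateserial -out untrust-interface-ip.crt \
        -days 730 2>/dev/null
    # 5. Copy the root under the .cer name the browser import wizard expects.
    cp ca-public.pem ca-public.cer
}

# 0 only if the device cert chains to our root and its CN is the device IP,
# i.e. what the browser will check once ca-public.cer is in its root store.
verify_device_cert() {
    cd "$WORK"
    openssl verify -CAfile ca-public.pem untrust-interface-ip.crt >/dev/null 2>&1 || return 1
    openssl x509 -in untrust-interface-ip.crt -noout -subject | grep -q "CN *= *$DEVICE_IP"
}

# 0 if the exported CA key really is unencrypted (no ENCRYPTED PEM header).
ca_key_is_plain() {
    ! grep -q ENCRYPTED "$WORK/ca-private.key"
}

if [ "${1:-}" = "run" ]; then
    build_ca_and_device_cert
    verify_device_cert && ca_key_is_plain && echo "CA and device cert ready in $WORK"
fi
```

Run it as `sh make-ca.sh run` with openssl on the PATH; since ca-private.key is unencrypted, it belongs on the box that signs requests, not on the firewall or in the browser-importable bundle.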