Transparent Firewalling using Palo Alto Virtual Wire

Posted on by jimmy 8 Comments ↓

We all know the story. You deploy a network to extremely tight specifications, and when you ask – just to make sure you understand the requirements, of course – if it’s absolutely certain that the client IP ranges will never change, that this system will never need to be accessible from the Internet and that there is no way they will need more than eight host addresses; people just laugh at you and say things like “a fully built-out system can’t physically handle more than five servers, so yeah – we’re never even going to need the eight you’ve given us!”.  Of course you know better than to trust project design engineers, so you make sure the system runs on public IP addresses, accessible from anywhere in your network and you set aside 27 (or better make it 59) IPs for host addresses just to be sure; so when they sheepishly come back after three months and say “Umm, we need some help…” you can do the whole Told-You-So-routine and then magically appear to fix the issue within a few minutes.  (It’s okay to keep complaining for a couple of hours first.)  Again, you’re the hero!

After a couple of years in the industry, you’re bound to run into situations that, while you may have predicted them, you can’t engineer around them easily. I ran into one of those a few years back.  We deployed a platform that includes components that were accessible to our end-customer CPEs; and when our customers access certain services, a connection from CPE to server is automatically initiated.  The IP address of this system is provided to the CPE from a catalogue server, and due to the architecture of the platform (as given to us by the integrator), there is no way to change this IP once it’s been set – it is hardcoded in too many places.  What really tripped me up here was that specific issue, in combination with the two first statements above – from initially being accessible from three private IP ranges, strictly controlled by us, we needed to make sure that this server was suddenly accessible to the Internet.  Yay.  (Good thing I was clever enough to use a public IP address for the server, huh?)

The system, let’s call it DAVE, is connected in a VLAN with a number of other devices that do not need to (in fact, should not) be accessible from the outside world.  Before, we knew that all clients allowed through the Cisco ACL was an authorized CPE (there was no way to get an IP address in that range and get so far as to be able to make a request to this server otherwise) but with a wide open ACL, the attack vector is so much bigger, and I want to make sure that DAVE is as secure as possible – there are some strange people on the Internet.  After a few false starts with a half-hearted NAT attempt and an attempt at placing DAVE behind a load-balancer and do some clever stuff with layer-7 filters there I gave up (apparently, that version of AlteonOS would only load balance that particular protocol on its IANA assigned port number, not the non-standard port we used) and contacted a consultancy company we work with for assistance, and they came up with a pretty neat solution – using a “Virtual Wire” on a Palo Alto Networks firewall.  A true square plug in a square hole solution.

This works exactly like you envision a firewall to work – you have your interfaces, your trust zones, your policies and enough host and group objects to force you to come up with a naming convention for them… There’s only one thing missing that you’d normally expect to find – you don’t actually have any IP addresses on the firewall itself.  The firewall acts like a transparent bridge between the two ports – it’s essentially a layer-7 aware patch cable* that you insert between the 6500 and DAVE.  (* = Patch cable not included.)  DAVE keeps his old IP configuration and the 6500 – and the rest of the VLAN – is none the wiser.  In fact, the PA will even bridge DAVE’s MAC address to appear directly on the 6500 access port.  (I understand that the Cisco ASA can do something similar – Jimmy will cover this in a later post.)

Configuration is simple – you need to configure the participating interfaces as Virtual Wire interfaces, then create the Virtual Wire itself, and finally configure the zone mappings for the interfaces before you proceed to configure the actual policies as usual.  These steps can be performed through the web GUI or via the CLI, and I’ll show you the CLI style here.  Policies are better configured through the web GUI, though; but we’ll leave that to a future post if there is interest.

set network interface ethernet 1/1 virtual-wire
set network interface ethernet 1/2 virtual-wire

set network virtual-wire DAVE interface1 ethernet 1/1
set network virtual-wire DAVE interface2 ethernet 1/2
set network virtual-wire tag-allowed 123,456**
set network virtual-wire link-state-pass-through enable yes***

set zone DAVE network virtual-wire 1/1
set zone UNTRUST network virtual-wire 1/2

(**= Allow tagged VLAN’s 123 and 456 through.  If you’re on an untagged port, just skip this line.
***= This means that if the link between DAVE and the PA goes down, the PA will bring down the link between PA and 6500; effectively telling the Cisco “DAVE’s not here, man.”.)

That’s the Virtual Wire configured (remember to commit your changes).  Now you can have the Palo Alto policies delve into the actual packets and verify the layer-7 contents: Is it properly formed?  Does it go to a valid URI?  Has it got the correct User-Agent?  Does it have a valid session-token?  Et cetera.  This is another layer of protection the evil-doers will need to get through in order to access DAVE; and it makes me as an admin sleep better at night.

Tagged with: , , , , , , , ,
Posted in Palo Alto Security

Do not force Period Password Changes

Posted on by jimmy No Comments ↓

Every 90 day my employer forces me to change my password to our systems. And I hate it!

But I don´t hate it that much anymore since I found out that they only keep track of my 10 latest passwords. And that the password lenght is just 10 characters. So I have invented a password short enough to remember and just changes the last digit from 0 to 1, to 2, to 3 and so on. And after 10 times 90 days it is time for me to change my password back to the originally Beefb4b3!0 again.

 

So, what good does it do to enforce me to circulate between Beefb4b3!0, Beefb4b3!1, Beefb4b3!2 and so on every 90 days?

 

“Oh, the hacker that gets your password will lose access within 90 days when you change your password”

Yeah. So if someone gets my password without my knowledge, do you really think that I will never notice that? Will the haxxer not destroy anything that makes me aware that I have been hacked? And most important: will the haxxer not first of all install some kind of backdoor to get access to my system/computer even without future access to my current password?

 

If the reason to change password periodically is to make sure that noone can reuse my current password, then we should have ONE TIME passwords. Those are safe! If someone peeks over my shoulder to see my OTP they are welcome. .-)

 

If I will ever be a sysadmin or in a position where I set the rules for password I would do like this in my organisation:

  1. Educate the users to NEVER share password with anyone and NEVER write them down. And IF they suspect that someone knows their password, they should treat it like a lost credit-card: report it immediately!
  2. Stimulate the users to be creative with their passwords in order to make passwords that they never forget.
  3. Set the minimum password lenght to at least 15 characters. Not require caps/numbers or special characters.
  4. Most important: NOT force users to change password periodically.

 

That´s my dream! 😉

 

Do you agree? Disagree? There are many strong opinions in this subject. Please comment and give feedback on this post, I appretiate it!

Tagged with: , ,
Posted in General Networking

Allow me to introduce myself…

Posted on by jimmy No Comments ↓

Hello, world!   I’m the first contributor that Jimmy has brought on to help flesh out nat0.net a bit.  I’m Henrik, a thirty-something (I’m milking the term now, as my 40th birthday is 29 days from now…) married man in a medium-sized Swedish town. I’ve been working with computer networks full time since 1997, and since 2007 I hold the title of Senior Network Architect IP/MPLS for an ISP, or rather Multi-Service Operator,  in another European country – I work from home full-time, but occasionally honour my colleagues with visits in person.

For reasons of confidentiality I won’t disclose the company I work for, but I can tell you this much background:  We started out as a cable-TV company and later branched out into the usual triple-play offering (TV, Internet, telephony); and through partnerships, expansions and aquisitions, we now deliver our services across a multitude of access platforms (ranging from DSL via PON and active ethernet deployments, and of course the ubiquitous HFC networks, as well as wholesale capacity) to both residential and small-and-medium business customers.  We are also the country’s largest IPv6 provider, except for the university network; a deployment project I’m in charge of.

From a skill-set standpoint, I got into networks by the way of Novell Netware server administration, and later moved on to Cisco networking equipment, interspersed with various other vendors, such as Extreme Networks, Foundry (now Brocade) and Alteon (now part of the Radware family).  Some ten years ago, I started working with Juniper Networks products, and that’s become more and more of my focus in the last few years; we run pretty much all of our critical infrastructure (be it routers, switches or firewalls) across Juniper equipment – peering edge, core or data centre networks makes no difference.  Naturally we also still have quite a bit of Cisco equipment in our network, as well as some other vendors – RadwareAlteon and Palo Alto Networks spring to mind.  I don’t exclusively work with security – my core skills are really IP routing and MPLS as well as firewalls – however as an architect, security is always part of my job description…

And that’s what I hope to bring to this blog from a purely product standpoint.  Juniper and it’s JunOS contains a lot of security features, and a big bonus is that configuration is identical between platforms (except of course very platform-specific features – a layer 2 switch doesn’t know about trust zones, and a core router doesn’t know VLANs (although they do know bridge-domains!)) – something us network admins really appreciate.  Also, both Palo Alto’s PanOS and Alteon’s AlteonOS (seriously, who comes up with these clever and unique names?) are somewhat strange beasts that might need some explanation.  I’ll try to do my best here.

On a more philosophical note, network security can sometimes feel like a lost cause – I mean, the whole purpose of interconnecting devices is to allow them to communicate, right?  The whole concept of network security, on a very high level, might seem to be to PREVENT devices to communicate – but it’s so much more than that.  In an era where we trust more and more of our personal business and information to the Internet – be it banking, shopping, dating, gaming, chat, emails, photo sharing or whatever – we need to know that the data we transmit can’t be intercepted, and that the fluffy little cloud that stores it can’t be accessed by unauthorized and evil people.  Of course, you should strive to always build network security into everything you build from scratch, but you must also constantly evaluate the platforms you have and critically assess where what you have is Secure Enough, or if you need to make changes to improve it.

Anyway – that’s a little bit about me.  I’ll be posting my first proper article in a few days, and I think it’ll be a Palo Alto-related post…  Look forward to hearing from all the readers once we get going!

(Now if I can only get Jimmy to add some new, non Cisco-related categories to the list…)

Tagged with:
Posted in Meta

New authors will join this site.

Posted on by jimmy No Comments ↓

There are upcoming changes to this site. So far I (Jimmy) have been the only author here and the focus has primarily been on security-issues I stumble upon.

I have invited a few friends of mine to be co-authors on nat0.net. These people have different backgrounds and different skills. The one thing common to all are that they are in the networking security business and that they are highly talented. So stay tuned…

 

/Jimmy

Posted in Meta

Make drawings to understand the topology of firewall implementations

Posted on by jimmy 1 Comment ↓

Every time I see a new implementation of a Cisco ASA firewall I need to know how it is connected. Before doing any changes in the configuration and before answering any answers regarding the functionality of the FW i first need to have the full picture of the topology.

 

Often the only source of information about a firewall that I have is a configuration file. If I don´t even have that I need to see it. Trust no humans! 🙂

 

When processing FW configurations I always go thru the same steps:

 

1. Topology

What interfaces does the firewall have? Draw a circle in the center of an empty paper and make as many lines out of that circle as there are interfaces in the firewall. And when I say interfaces, I mean firewall zones, not physical interfaces. I don´t care very much about Ethernet0/1.123, I am more interrested in “inside”, “outside” and “dmz12”.

Which IP subnets are directly connected? Add the subnets with its mask to each line.

2. Routing

What routes are defined in the firewall? Add an arrow for each static route in the configuration, pointing towards next-hop direction. I don´t bother adding the ip of the next-hop, it´s already in the config. I just need to know which subnets are where in the world in the eyes of the firewall. I usually mark the default route with “def”.

Also add vpn-pools and remote networks beyond vpn tunnels to the drawings. In my example drawings I have no vpn-tunnels configured but if I had a vpn-pool of 192.168.111.0/24 I would really need to know that that address range was beyond the outside interface, not beyond inside and its 192.168/16-route. (of course my example wouldn´t work with a outside vpn-pool without also a static route of that pool pointing outwards overriding the /16-route).

If the firewall is running a routing protocol (search for “router” in the config”), of course it gets more complicated. Then you NEED to have access to the live firewall to see the output of “sh route”.

 

 

3. Access-lists

As you might know, acl:s an be applied both inbound and outbound relative to a specific interface. Also, an acl can be applied globally. To know which acl:s that affects a specific traffic flow it is really needed to have a full view of all applied access-list. I usually draw a line across the junction between an interface line and the firewall for each acl and add an arrow in the direction of the applied acl. Then I add the name of the acl next to it. See my picture below as an example of 2 cal:s applied IN-bound on each interface. If they were applied OUT-bound (please don´t do this!) the arrow would be in the other direction, from the center of the firewall circle towards towards the “blocking line”.

 

But what if there is no acl applied? That´s when the security-level comes in! In my example below there is no acl for the DMZ-interface. That means that the security-level-rules applies, you know lower-to-higher is blocked while higher-to-lower is allowed.

 

So, if there is not an acl applied to ALL interfaces, add the security-levels to the drawing as well.

4. NAT

Next step is to understand where and how the firewall does address translations. In small configurations I try to add this to the same drawings but NAT tends to be messy and complicated so  most often I make my own NAT table on a separate piece of paper. This can be tricky because depending on which version you run there are different syntaxes for NAT configuration. This is a completely separate topic to big to cover in this blog post.

As a minimum I do this when I map the NAT-configurations:

  1. Find the overload-NAT that makes inside hosts share a common public IP to reach internet. It´s a nat/global-combination in older syntaxes and probably a dynamic object-nat statement in newer versions. Add to the paper which 2 interfaces this applies to and an arrow defining the direction. Then add which source ip:s this applies to above the source interface and the public ip (or “interface”) above the destination (outside) interface.
  2. Add all static NAT:s one by one with a dual-direction arrow between the interfaces and add each static´s real and natted ip above the interface names.

 

5. Services

If the configurations not too complicated I tend to also add allowed inbound port for public server into the nat-table. For example, mark that for the first static NAT 10.0.0.100 – 1.2.3.100 ANY is allowed for inbound http and https, and for the second NAT ANY is allowed for inbound SMTP. By doing that I know about the (probably) most important services going thru the firewall.

 

I don´t write this down every single time. However when upgrading from 8.2 to 8.3+ this is a very important step since the real-ip migration messes with the acl:s and after the migration you need to make sure that the services are available.

 Conclusion

If you don´t know the big picture of a firewall when you start modifying its configuration, the risk is huge that you will do more damage than good then configuring it. So don´t touch anything until you have a general view of how the firewall works!

The two pieces of paper that outcomes this process will never be a complete documentation. But for me the process of making the drawings will make me “learn” the topology and understand the directions of traffic flow. So far I haven´t touched a firewall without making a topology drawing. The NAT-table is optional but for me the topology-draft is mandatory!

Tagged with: , ,
Posted in Cisco Security

Signuppp

[mc4wp_form id="2457"]
Website Security Test