Sunday, November 20, 2011

Using DDNS on ScreenOS Device

By default, DDNS (using DynDNS.org) does not work on a ScreenOS device.

With everything configured correctly, the system log still shows the update failing: PKI: Cannot build certificate chain for cert with subject name CN=members.dyndns.org,OU=Domain Control Validated - QuickSSL Premium(R),OU=See www.geotrust.com/resources/cps (c)10,OU=80401367,O.

The root certificate of members.dyndns.org (Equifax Secure Certificate Authority) is not installed on the ScreenOS device, so the device cannot validate the chain presented by the DDNS server. It must be installed manually: download the Equifax Secure CA root certificate to your local computer, then import it into the ScreenOS device.


After importing the CA certificate, DDNS works and the log confirms it: Success response received for DDNS entry update for id 1 user "someuser" domain "someuser.homeip.net" server type "DYN" name "members.dyndns.org".
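To see the failure mode the first log line reports without a device, here is an added example (not from the original post) that builds a throwaway root and server certificate with openssl and checks the chain against a trust store that lacks the root and one that has it; all names are constructed and openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce "cannot build certificate
# chain" offline and show that importing the issuing root resolves it.
# Assumes openssl is on PATH; every name below is constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed root standing in for the DDNS server's issuer (Equifax in the post).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=Demo/CN=Demo Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
# A second, unrelated root: a trust store that has roots, just not the right one,
# which is the stock ScreenOS situation.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=Demo/CN=Other Root CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null

# Constructed server certificate standing in for members.dyndns.org, signed by Demo Root CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=ddns.example.test" \
  -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/srv.pem" 2>/dev/null

# Try to build a chain for the server cert using only the roots in file $1.
# Prints "ok" or "fail", mirroring what the device's PKI log reports.
verify_chain() {
  if openssl verify -CAfile "$1" "$WORK/srv.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Show the issuer the chain stops at: that is the root you need to import.
issuer_of() {
  openssl x509 -in "$WORK/srv.pem" -noout -issuer
}

echo "store without the root: $(verify_chain "$WORK/other.pem")"   # fail
echo "store with the root:    $(verify_chain "$WORK/ca.pem")"      # ok
echo "root to import: $(issuer_of)"
```

On a real device the same check is done by the DDNS client: until the issuer printed by issuer_of is in the trust store, the update never leaves the PKI stage.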

Monday, September 26, 2011

Experience with Hongkong Post e-Cert

In short, frustrated.

(1) I waited 45 minutes at the designated post office. The staff members there were not very familiar with the system. Moreover, the system hung and needed a reboot. The reboot took 20 minutes. One of the staff members told me that the e-Cert system had not been updated for 10 years.

(2) They mailed the smartcard to me, but to the wrong postal address. This is not the first time I have applied for a Hongkong Post e-Cert. I had put my office address as the postal address this time. However, they actually mailed it to my home address.

(3) The smartcard I received is not Windows CSP compatible. When I put it into a PC/SC compatible reader, Windows 7 prompted to install drivers. However, the card resulted in "driver not found". The software that comes with Hongkong Post (downloadable online) actually extracts the p12 (PKCS#12) file from the card and saves it onto the file system, without the need for a password/passphrase. This means the card is a memory card. If this is the case, there is no need to use a smartcard as the delivery medium. The principle of using a smartcard is to make sure the private key cannot be duplicated.

(4) The current CPS states that for a person's e-Cert (personal/organizational/encipherment) the user cannot generate their own key pair. The key pair is generated by Hongkong Post on behalf of the user. This poses a risk of key leakage: as mentioned in (3), anyone with the p12 file can brute-force the password/passphrase. And Hongkong Post uses a 16-digit numeric-only passphrase. This makes obtaining the private key much easier.

After all, the risks and concerns in the overall e-Cert provisioning process are quite high. I think this should be reported to OGCIO and to the audit body of the Hongkong Post e-Cert CA.

Saturday, June 18, 2011

ArcSight Logger L750MB

Recently, I found a free promotion code for ArcSight Logger L750MB (claimed to be worth USD 49). So I used the code and obtained a licensed copy of the software.

The software is supported only on Linux platforms. The officially supported Linux platforms are CentOS, RedHat and Oracle. I also tried to install it on Ubuntu, but the installer said it is not supported. In order to test it out, I selected CentOS.

The installation of CentOS is not difficult. As I installed it on a VMware Workstation 7 platform, I installed the base CentOS system using Easy Install. After that, installing the Logger software is as easy as point and click. Finally, I adjusted the iptables settings to allow incoming log connections (default 514/TCP and 515/UDP) and administration (chosen at installation time; I used 443/TCP).

After all this, I pointed my demo firewall's syslog at the newly installed Logger. It works!

Sunday, May 29, 2011

apache2 + mod_proxy as reverse proxy on Ubuntu 10.04 LTS (server)

I did this on VMware Workstation. Install Ubuntu as usual, selecting the minimal virtual machine install. Afterwards, I used the following command to install apache2 and mod_proxy.

$ sudo apt-get install libapache2-mod-proxy-html

Installation should not be difficult. The command installs all dependencies (apache2, the other modules, etc.). At this point the installation is complete. Next comes setting up the reverse proxy.

$ sudo a2enmod proxy proxy_html

This enables the proxy module and the HTML proxy module. Next is to configure the reverse proxy. You need to edit /etc/apache2/mods-available/proxy.conf, adding the following line before .

ProxyPass /webgoat http://192.168.222.131/webgoat

At this point, you need to restart the apache2 service using sudo /etc/init.d/apache2 restart.

I use this as an example to reverse proxy an application called WebGoat running on 192.168.222.131. My apache2 and mod_proxy are on 192.168.222.130. So, when I point a browser to http://192.168.222.130/webgoat/attack, the request goes through the reverse proxy (on 192.168.222.130) and reaches the WebGoat application (on 192.168.222.131).
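A fuller proxy.conf for the same setup, as an added example rather than the post's own file; it assumes the same two addresses as above and the Apache 2.2 access-control syntax shipped with Ubuntu 10.04, and it adds the two directives a reverse proxy should not be deployed without: ProxyRequests Off and ProxyPassReverse.

```apache
# Added example (not the post's own config): /etc/apache2/mods-available/proxy.conf
# Assumes proxy host 192.168.222.130 and WebGoat backend 192.168.222.131, as in the post.
<IfModule mod_proxy.c>
    # Keep this Off for a reverse proxy: ProxyRequests On turns the host into an
    # open forward proxy that relays arbitrary client requests to any destination.
    ProxyRequests Off
    # Pass the client's Host header through so WebGoat builds links for the proxy's name.
    ProxyPreserveHost On

    # In Apache 2.2 <Proxy> sections also govern reverse-proxied requests, so the
    # stock "Deny from all" must be opened for exactly the backend URLs you publish.
    <Proxy http://192.168.222.131/webgoat*>
        Order deny,allow
        Allow from all
    </Proxy>

    # Publish the backend under /webgoat on this host.
    ProxyPass        /webgoat http://192.168.222.131/webgoat
    # Rewrite Location and similar headers in backend responses (e.g. a redirect to
    # /webgoat/attack) so browsers keep using the proxy, not the internal address.
    ProxyPassReverse /webgoat http://192.168.222.131/webgoat
</IfModule>
```

After editing, sudo apache2ctl configtest catches syntax mistakes before the restart.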

The next assignment is to install and configure mod_security. This will be my WAF, running in reverse-proxy mode to block layer-7 attacks.

Wednesday, March 2, 2011

3G/3.5G/3.75G enabled UTM

Components:
  • A UTM device (FortiGate 50B with FortiOS 4.0 MR2 Patch 3 in this example)
  • A HSPA USB stick (Huawei 176G in this example)
  • A SIM with data plan enabled (Smartone-Vodafone in this example)

Steps:

  • Insert the SIM into the HSPA USB stick
  • Plug in the HSPA USB stick to the UTM device
  • Plug in the console cable to the UTM device
  • Connect the power of the UTM device
  • Log on the UTM device
  • Execute the following commands
config system modem
set status enable
set auto-dial enable
set wireless-custom-vendor-id 0x12d1
set wireless-custom-product-id 0x1003
set phone1 "*99#"
set extra-init1 "at+cgdcont=1,\"ip\",\"internet\""
set altmode disable
end