IPSec Site-to-Site between a Palo Alto firewall and Cisco Router

2014.09.26

Palo Alto side:

1. create a tunnel interface:

Network Tab > Interfaces > Tunnels
new tunnel: name it, assign it to a Virtual Router(cisco parlance: VRF) and Security Zone

2. create IKE phase 1: (cisco calls it isakemp)

Network > Network Profiles > IKE Crypto
create a new profile, name it: assign a DH Group, authentication, encryption and lifetime (DH group 2, sha1, aes128, 1 day)

3. create IKE phase 2: (cisco: “transform set”)

Network > Network Profiles > IPSec Crypto
Create a new profile
DH group (pfs/no-pfs)
encryption
authentication

4. specify peer:

Network > Network Profiles > IKE Gateway
name it, interface, peer type, peer IP, pre-shared key, exchange mode, define which IKE Crypto profile (phase2)

5. Add an IPSec Tunnel:

Network > IPSec Tunnels

General Tab:
Add tunnel, name it, choose which tunnel interface to use
Autokey (since they’re defined in your gateway/phase1/phase2
Choose gateway
choose IPSec Crypto Profile (phase2)

Proxy ID tab:
add the IP address/network

Cisco router side:

1. Configure Phase-1 (“isakmp”)

# conf t
(config)# crypto isakmp policy 1
(config-isakmp)# authentication pre-share
(config-isakmp)# encrypt aes128
(config-isakmp)# hash sha1
(config-isakmp)# group 2
(config-isakmp)# lifetime 86400
(config-isakmp)# exit
(config)# crypto isamp key <<key>> address <<peer address>>

Change <<key>> to your preshared key and <<peer address>> to the other system’s IP address (e.g. the public address on the interface of the palo alto FW)

NB: note that ISAKMP Phase 1 policy is defined globally. So if you have five different remote sites and configured five different ISAKMP Phase 1 policies (one for each remote router), when our router tries to negotiate a VPN tunnel with each site it will send all five policies and use the first match that is accepted by both ends.

2. configure phase-2 (“transform-set”, ACLs, crypto map)

2a. set an ACL to match the traffic that will be encrypted in the tunnel:

The format is:
(access-list ### permit ip <<source-network>> <<source-netmask>> <<destination-network>> <<destination-netmask>>)
example:

(config)# access-list 100 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255

NB: If you’re NAT’ing outbound traffic, you need to disable NAT for the traffic that you want encrypted through the tunnel; deny via ACL, like so:

(config)# ip nat inside source list 100 interface fastethernet0/2 overload
(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
(config)# access-list 100 permit ip 10.0.0.0 0.255.255.255 any

The deny applies specifically to traffic from 10./8 to 192.168.1./24 and then permits 10./8 going anywhere else.

2b. set the transform set (aka phase 2)

(config)# crypto ipsec transform-set IPSECSET esp-sha-hmac esp-aes
(cfg-crypto-trans)# exit

2c. set the crypto map to tie the elements together:

(config)# crypto map IPSECMAP 1 ipsec-isakmp
(config-crypto-map)# set transform-set IPSECSET
(config-crypto-map)# set peer <<peer address>>
(config-crypto-map)# match address 100
(config-crypto-map)# exit

3. Apply the crypto map to your outbound interface:

(config)# interface FastEthernet0/2
(if-config)# crypto map IPSECMAP

And you’re done.

useful commands:

show crypto isakmp policy
show crypto isakmp
show crypto isakmp detail
show crypto ipsec transform-set — shows you phase 2
show crypto map — shows complete crypto map
show crypto ipsec sa — shows how many packets encrypted/decryted/going through the tunnel

Categories : HowTo

Cory Doctrow on the need for easy to use security mechanisms

2014.09.18

Cory Doctrow via The Guardian:

Technical people need our non-technical friends to adopt good privacy practices. Every communications session has at least two parties, the sender and the recipient(s), and your privacy can leak out of either end of the wire. It doesn’t matter if I keep all my email offline, encrypted on my laptop, if it all ends up in the inboxes of people who leave it sitting on Gmail’s servers.

So this is critical, and not just for “normal people”. Even technically sophisticated people often find it difficult to follow security protocol in their own communications and computing. Things that aren’t usable just don’t get used. Making crypto as easy as your favourite websites and apps is the only way to make privacy a reality for everyone.

via Privacy technology everyone can use would make us all more secure | Technology | theguardian.com.

 

That’s all well and good, but how do you do it? If you’re reading this, it’s a safe bet you’re at least interested in the idea of data security. But how do you implement this among the nontechnical? It’s easy enough to tell a group of technical people “install PGP, encrypt and sign everything, don’t use weak keys” etc. But how do you get your mom to use it? Or the 62-year-old accountant that prefers to not have to deal with computers except to buy things online and email old friends or distant relatives?

Categories : News  Security

Port forwarding in Junos

2014.09.17

First, define your objects:

set security zones security-zone Internal address-book address TSserver1 192.168.1.151/32

and whatever service you need to:

set applications application MS-RDP protocol tcp destination-port 3389

and your destination nat pool:

set security nat destination pool dnat-192_168_1_151 address 192.168.1.151/32

set security nat destination pool dnat-192_168_1_151 address port 3389

and your NAT policy:

Define the NAT policy is configured which specifies the NAT pool that the traffic should be translated to.

set security nat destination rule-set dst-nat from zone Internet

set security nat destination rule-set dst-nat rule rule1 match destination-address 256.1.1.1/32

set security nat destination rule-set dst-nat rule rule1 match destination-port 63389

set security nat destination rule-set dst-nat rule rule1 then destination-nat pool dnat-192_168_1_151

and lastly, your security policy to allow the traffic through:

Use the internal (real) IP address and port of the server — the security/firewall aspect happens after the “networking” aspect of the connection:

set security policies from-zone untrust to-zone trust policy Internet_to_Internal_RDP match source-address any destination-address TSserver1 application MS-RDP
set security policies from-zone untrust to-zone trust policy Internet_to_Internal_RDP then permit

Once you’ve commited the change, an RDP connection to 256.1.1.1:63389 will get translated to 192.168.1.151:3389.

Categories : HowTo

A Few Thoughts on Cryptographic Engineering: What’s the matter with PGP?

2014.09.05

A Few Thoughts on Cryptographic Engineering: What’s the matter with PGP?.

TL;DR: keys suck, key management sucks, no perfect foward secrecy really sucks, implementation sucks, software sucks and we should rethink how to do this stuff slightly better.

If you’ve used PGP (or GPG), it’s hard to find fault with his arguments, though.

Categories : Security

ProtonMail Blog – News and Updates

2014.09.04

ProtonMail Blog – News and Updates.

Just got access to the public beta of this; here’s to hoping others follow suit.

Categories : Security

Out in the Open: Hackers Build a Skype That’s Not Controlled by Microsoft | Enterprise | WIRED

2014.09.03

The web forum 4chan is known mostly as a place to share juvenile and, to put it mildly, politically incorrect images. But it’s also the birthplace of one of the latest attempts to subvert the NSA’s mass surveillance program.

When whistleblower Edward Snowden revealed that full extent of the NSA’s activities last year, members of the site’s tech forum started talking about the need for a more secure alternative to Skype. Soon, they’d opened a chat room to discuss the project and created an account on the code hosting and collaboration site GitHub and began uploading code.

Eventually, they settled on the name Tox, and you can already download prototypes of the surprisingly easy-to-use tool. The tool is part of a widespread effort to create secure online communication tools that are controlled not only by any one company, but by the world at large—a continued reaction to the Snowden revelations. This includes everything from instant messaging tools to email services.

via Out in the Open: Hackers Build a Skype That’s Not Controlled by Microsoft | Enterprise | WIRED.

 

It’s a shame that w.a.s.t.e. died such an ignoble death — mostly because it was hard to set up, I think. Even so, IM was just a side-feature, not it’s raison d’etre, so you can still make an argument for Tox and against w.a.s.t.e., despite the very nice Pynchon reference.

A Google Site Meant to Protect You Is Helping Hackers Attack You | Threat Level | WIRED

2014.09.02
Categories : News

Mysterious Phony Cell Towers Could Be Intercepting Your Calls | Popular Science

2014.09.02

To show what the CryptoPhone can do that less expensive competitors cannot, he points me to a map that he and his customers have created, indicating 17 different phony cell towers known as “interceptors,” detected by the CryptoPhone 500 around the United States during the month of July alone.  Interceptors look to a typical phone like an ordinary tower.  Once the phone connects with the interceptor, a variety of “over-the-air” attacks become possible, from eavesdropping on calls and texts to pushing spyware to the device.

“Interceptor use in the U.S. is much higher than people had anticipated,” Goldsmith says.  “One of our customers took a road trip from Florida to North Carolina and he found 8 different interceptors on that trip.  We even found one at South Point Casino in Las Vegas.”

via Mysterious Phony Cell Towers Could Be Intercepting Your Calls | Popular Science.

BYOD is a huge security problem in organizations, but this is just a friendly reminder: if you’re out in the world, you have to expect attacks.

 

Categories : Security