Wednesday, October 12, 2011

Solarwinds Orion Automatic Login

I use Solarwinds Orion on a daily basis. I have been trying to add LDAP or RADIUS authentication to as many management systems as possible. When I started looking at Orion and RADIUS authentication I found that Solarwinds has not included that yet. However, there is good news! You can get automatic login to happen using pass-through (Integrated Windows) authentication in IIS. Here's how:

1. Log on to your Orion webpage as usual.

2. Log on to the server Orion is hosted on.
2a. Go to Start->Run and type in compmgmt.msc. This will open up Computer Management.
2b. Expand "Services and Applications", then expand "Internet Information Services (IIS) Manager".
2c. Expand "Web Sites", right click on "SolarWinds NetPerfMon" and go to Properties.
2d. Click on the "Directory Security" tab and under "Authentication and access control" click on "Edit".
2e. Uncheck "Enable anonymous access" and check "Integrated Windows authentication".
2f. Now click "OK", "OK".

3. Go back to your Orion web page and click on the "Admin" tab
3a. Under the "Accounts" section click on the "Account Manager" link.
3b. Click on the "Add" button to create a new account.
3c. For the user name make sure you enter the domain account you will use for the integrated authentication. Make sure the user name follows the format "domain\username". You will also need to enter a dummy password. Don't worry, this password will not be required when you log in; IIS has already authenticated you against the domain by the time Orion sees the request.
3d. Click "Submit" to create the account.
3e. Set your view settings and appropriate access levels. Then click "Submit" again.

4. Test your work. Open your Orion web page in another browser and see if your current Windows login gets you to your designated Orion home page without entering a password.


Wednesday, July 20, 2011

How to Encrypt Your Cisco VPN Pre-Shared Keys

If you are like me and you take the time to harden your network gear, you have probably noticed that your VPN pre-shared keys stay in plain text even after applying password encryption. I never liked that. Why bother hardening your router when one of your most important credentials remains in clear text?

Here's what I mean:

VPN config before encryption:
******************************************************************

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key S3cr3tK3y! address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
******************************************************************

VPN config after encryption:
******************************************************************
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 6 V\OfYXeLVIdCaeS`HHQINQMBf\UDiG address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
******************************************************************

Now when you look at your config, you can't see the actual key. It is very simple to configure. Here's how:

Go into "configure terminal"

key config-key password-encryption [master key]
password encryption aes

The "master key" is what the router will use to encrypt your pre-shared keys. If you do not enter it when you submit the rest of the command, the router will prompt you for it.

The passwords are not actually encrypted until you enter the second command. After the passwords are encrypted they cannot be decrypted on the router. You can change the master key if you want to by re-issuing the first command; the router will require you to enter the original key first.

You can remove the master key by running:
no key config-key password-encryption

However, any currently encrypted passwords will be rendered useless: since the master key is no longer available, the router cannot decrypt them.

That's pretty much all there is to it. Now go out and harden your routers!

Here's a Cisco document on this procedure:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801f2336.shtml

Cisco Access List Using Established Parameter


The above diagram is a rough drawing of my situation. I have two Cisco routers at my headquarters. Each router is on a separate ISP. The store router will create a DMVPN tunnel to each router and use it for failover. That way if we have a problem with a provider at our headquarters the stores can keep doing business as usual.

The store only needs access to a few things at headquarters. I need to keep the traffic from the store network into my headquarters as limited as possible.

I could apply an access list to the store router, but if the store router's physical security is compromised an attacker could perform a password reset and remove my access list. That means I need to apply my access list to the routers at headquarters. I can control their physical security and they would be much more difficult to gain access to.

I asked myself, how can I keep my store access very limited, but still allow any traffic originating from headquarters to get to the stores?

That is when I found out about the "established" parameter for an access list. Here's how it works:

This access list is applied to the outbound direction of the inside interfaces on the headquarters routers.


access-list 110 remark APPLIED TO INSIDE INTERFACE OUTBOUND
access-list 110 permit ip 192.168.10.0 0.0.0.255 host 172.16.1.197
access-list 110 permit ip 192.168.10.0 0.0.0.255 host 172.16.1.161
access-list 110 permit icmp 192.168.10.0 0.0.0.255 host 172.16.1.183
access-list 110 permit udp 192.168.10.0 0.0.0.255 eq snmp host 172.16.1.183
access-list 110 permit udp 192.168.10.0 0.0.0.255 eq 1645 host 172.16.1.203
access-list 110 permit tcp any 172.16.1.0 0.0.0.255 established

Let's break it down:


****Use remarks so you can easily see the purpose of the ACL****
access-list 110 remark APPLIED TO INSIDE INTERFACE OUTBOUND

****Allow traffic from my store to get to the reporting servers****
access-list 110 permit ip 192.168.10.0 0.0.0.255 host 172.16.1.197
access-list 110 permit ip 192.168.10.0 0.0.0.255 host 172.16.1.161

This is the most important to keep up. This section is what keeps my stores doing business.


****Allow SNMP traffic between my server and the store****
access-list 110 permit icmp 192.168.10.0 0.0.0.255 host 172.16.1.183
access-list 110 permit udp 192.168.10.0 0.0.0.255 eq snmp host 172.16.1.183

The SNMP server only needs ICMP traffic and SNMP traffic. This will allow me to know if the router goes down. Now you may say, why do you need these lines in the ACL if the SNMP server is polling the router and the ping is initiated from the server. I thought the same thing and I will explain it in just a minute.


****Allow RADIUS traffic from the store router to my server****
access-list 110 permit udp 192.168.10.0 0.0.0.255 eq 1645 host 172.16.1.203

This line allows my router to send authentication requests to my RADIUS server.


****Allow return traffic for any traffic sourced from headquarters****
access-list 110 permit tcp any 172.16.1.0 0.0.0.255 established

This line checks to see that the traffic headed to the headquarters was previously established from the headquarters.


Now that we have the ACL broken down let's look at the mechanics. Remember this ACL is applied on the OUTBOUND side of the headquarters inside interfaces. On the INBOUND side I am allowing any traffic from headquarters to go to the store. Since this is not a stateful firewall I must account for the return traffic myself.

The last line in the ACL uses the parameter "established". Basically, this will look at the TCP segment and check whether the ACK or RST bit is set. If incoming traffic is trying to create a new connection (a bare SYN) it will be denied, but if it is responding to a connection that was initiated from the headquarters network it will be allowed.

Now, back to the lines used for SNMP. While it is true that the SNMP connection originates on my headquarters network, this traffic will not be allowed back through without explicitly allowing it. This is because ICMP and UDP are connectionless (SNMP uses UDP ports). In other words, they do not use TCP and so have no ACK or RST bit to set.

This is sort of like a stateful firewall in that it allows traffic belonging to connections that have already been set up. The difference is we don't actually track the connection; we are assuming from the flag bits alone that the traffic is a legitimate response. This is not a replacement for a firewall by any means, but it is a nice enhancement for your access lists.

Friday, June 10, 2011

Cisco Access List Sequencing

How many times have you needed to add a line to an access list on a production device, but when you add the line it goes to the bottom and you need it higher in the access list sequence to work properly?

Access lists are processed from the top down. Let's say you are using access list 199 in the below example:

access-list 199 deny   ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 199 deny   ip 192.168.1.0 0.0.0.255 host 192.168.10.1
access-list 199 deny   ip 192.168.1.0 0.0.0.255 host 192.168.10.2
access-list 199 permit ip 192.168.1.0 0.0.0.255 any

You would like to add a line to the access list that will deny access to the 192.168.10.3 host. You enter this line in your config:

access-list 199 deny   ip 192.168.1.0 0.0.0.255 host 192.168.10.3

When you do a show run the access-list looks like this:

access-list 199 deny   ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 199 deny   ip 192.168.1.0 0.0.0.255 host 192.168.10.1
access-list 199 deny   ip 192.168.1.0 0.0.0.255 host 192.168.10.2
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
access-list 199 deny   ip 192.168.1.0 0.0.0.255 host 192.168.10.3

If the access list processes from the top down and stops on the first match you can see that your new entry will never apply because the traffic will match the permit line. Your new line will never be used.

This is a production device and, more specifically, this access list is used as part of your VPN configuration. That means creating a new access list such as access list 200 and switching it over will break your connection. So how do we re-order the access list so we can get a new rule in there without breaking our connection?

Here you go:

1. Type "show access-lists 199". You will get something like this:

Router1#show access-lists 199
Extended IP access list 199
    10 deny ip 192.168.1.0 0.0.0.255 10.16.0.0 0.0.255.255 (2510369 matches)
    20 deny ip 192.168.1.0 0.0.0.255 host 192.168.18.1
    30 deny ip 192.168.1.0 0.0.0.255 host 192.168.18.2 (53699 matches)
    40 permit ip 192.168.1.0 0.0.0.255 any (7340 matches)
    50 deny ip 192.168.1.0 0.0.0.255 host 192.168.18.3 (6 matches)

The first line of the output is what we are looking for. We can see this is an "extended" access list. You may also see "standard" here as well. This will matter when it comes to the syntax for typing our new rules in.

The numbers at the start of each line are sequence numbers. There are commands you can issue to change these numbers beginning in IOS 12.2(15)T and 12.3(2)T, but you can typically get the job done without re-sequencing.

*************NOTE*************
As a side note if your IOS is late enough you can re-sequence with this command "ip access-list resequence (access-list name) (starting number) (increment)" For example:
 "ip access-list resequence 199 10 2"

If I ran the resequence first you would see an output like this:

Router1#show access-lists 199
Extended IP access list 199
    10 deny ip 192.168.1.0 0.0.0.255 10.16.0.0 0.0.255.255 (2510369 matches)
    12 deny ip 192.168.1.0 0.0.0.255 host 192.168.18.1
    14 deny ip 192.168.1.0 0.0.0.255 host 192.168.18.2 (53699 matches)
    16 permit ip 192.168.1.0 0.0.0.255 any (7340 matches)
    18 deny ip 192.168.1.0 0.0.0.255 host 192.168.18.3 (6 matches)

Notice our sequence started with 10 and incremented by 2 just like our command said. In the real world I would leave more space. By default Cisco starts with 10 and increments by 10.
******************************

Now, back on track.

2. Go into "Configure Terminal" mode and type "ip access-list extended 199" 

*****NOTE*****
If you are using a "standard" access list from the previous show command you will need to substitute the word "extended" with the word "standard". The syntax in the next step will depend on which type you are using. Most of the time you see extended access-lists so that is the example I am going to walk you through. 
***************
If you did everything right you should have a prompt that looks something like this:

Router1(config-ext-nacl)#

3. Enter your new rule with a sequence number in front of it. For Example:

"35 deny ip 192.168.1.0 0.0.0.255 host 192.168.18.3"

Based on our original access-list (before the re-sequence example) when you enter "35" as the sequence number it will give you an access list that looks like this:

Router1#show access-lists 199
Extended IP access list 199
    10 deny ip 192.168.1.0 0.0.0.255 10.16.0.0 0.0.255.255 (2510369 matches)
    20 deny ip 192.168.1.0 0.0.0.255 host 192.168.18.1
    30 deny ip 192.168.1.0 0.0.0.255 host 192.168.18.2 (53699 matches)
    35 deny ip 192.168.1.0 0.0.0.255 host 192.168.18.3 (6 matches)
    40 permit ip 192.168.1.0 0.0.0.255 any (7340 matches)

Notice the new rule is now on sequence 35 and your rule will apply! If you do a "show run" it will look like this:

access-list 199 deny   ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 199 deny   ip 192.168.1.0 0.0.0.255 host 192.168.10.1
access-list 199 deny   ip 192.168.1.0 0.0.0.255 host 192.168.10.2
access-list 199 deny   ip 192.168.1.0 0.0.0.255 host 192.168.10.3
access-list 199 permit ip 192.168.1.0 0.0.0.255 any

*****NOTE*****
As long as you have a prompt like the one below you are editing the access list:
Router1(config-ext-nacl)#

You can use the "no" command to remove lines based on sequence number. For example:

"no 35 deny ip 192.168.1.0 0.0.0.255 host 192.168.18.3" would remove our new line. Please BE CAREFUL if you are not in the access list prompt and you type:

"no access-list 199 deny   ip 192.168.1.0 0.0.0.255 host 192.168.10.3" you will remove the entire access list 199!
**************

Now you know how to insert rules into your access lists, in the right position, without bringing anything down.
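To make both ACL behaviours concrete (the "established" keyword from the post above and the sequence-number insertion from this one), here is a small added model of IOS ACL evaluation written for this page; it is not Cisco code and not from the original posts. It parses ACEs in the page's own syntax, matches addresses with wildcard masks, honours "established" only for TCP segments with ACK or RST, and appends entries 10 past the last sequence number unless you give one. Ports ("eq snmp") are parsed but ignored, an assumption made to keep the model short.

```python
import ipaddress
from functools import reduce

def parse_ace(seq, line):
    # One ACE body such as 'permit tcp any 172.16.1.0 0.0.0.255 established'. Addresses are
    # 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard mask); 'eq <port>' is skipped.
    tok = line.split()
    action, proto, tok = tok[0], tok[1], tok[2:]
    def take():
        nonlocal tok
        if tok[0] == "any":    spec, tok = ("any",), tok[1:]
        elif tok[0] == "host": spec, tok = ("host", tok[1]), tok[2:]
        else:                  spec, tok = ("wild", tok[0], tok[1]), tok[2:]
        if tok[:1] == ["eq"]: tok = tok[2:]      # ports are not modelled in this toy
        return spec
    src, dst = take(), take()
    return {"seq": seq, "action": action, "proto": proto, "src": src, "dst": dst,
            "established": "established" in tok}

def addr_match(spec, addr):
    # Wildcard-mask compare: a mask bit set to 1 means "don't care".
    a = int(ipaddress.IPv4Address(addr))
    if spec[0] == "any":  return True
    if spec[0] == "host": return a == int(ipaddress.IPv4Address(spec[1]))
    net, wild = (int(ipaddress.IPv4Address(x)) for x in spec[1:])
    return (a & ~wild) == (net & ~wild)

def evaluate(acl, proto, src, dst, flags=()):
    # Top down, first match wins, implicit deny at the end; returns (action, seq). An
    # 'established' ACE matches only TCP with ACK or RST set, never a SYN, UDP or ICMP.
    for ace in sorted(acl, key=lambda e: e["seq"]):
        if ace["proto"] not in ("ip", proto): continue
        if not (addr_match(ace["src"], src) and addr_match(ace["dst"], dst)): continue
        if ace["established"] and not (proto == "tcp" and {"ACK", "RST"} & set(flags)): continue
        return ace["action"], ace["seq"]
    return "deny", None

def add_ace(acl, line, seq=None):
    # As under 'ip access-list extended N': no sequence number means 10 past the last entry.
    if seq is None: seq = max((e["seq"] for e in acl), default=0) + 10
    acl.append(parse_ace(seq, line))
    return acl

# Constructed from the two posts above (the reporting-server lines are left out).
HQ_OUTBOUND = reduce(add_ace, ["permit udp 192.168.10.0 0.0.0.255 eq snmp host 172.16.1.183",
                               "permit tcp any 172.16.1.0 0.0.0.255 established"], [])
ACL_199 = reduce(add_ace, ["deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255",
                           "deny ip 192.168.1.0 0.0.0.255 host 192.168.10.1",
                           "deny ip 192.168.1.0 0.0.0.255 host 192.168.10.2",
                           "permit ip 192.168.1.0 0.0.0.255 any"], [])
```

Run evaluate() against HQ_OUTBOUND with a SYN versus an ACK from the store network to see the "established" line fire only for the reply, and add the host 192.168.10.3 deny to a copy of ACL_199 with and without seq=35 to see why the appended entry never matches.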

Wednesday, June 8, 2011

Windows 7 Network Connections Shortcut

If you are like me you are tired of all the clicking to get to your network card settings. I figured out how to make a shortcut to it today!


1. Right click in blank space on your desktop.
2. Go to "New" and then "Shortcut"
3. When the create shortcut wizard opens paste the below text in the "Type the location of the item" field.


rundll32.exe shell32.dll,Control_RunDLL ncpa.cpl


4. Type "Network Connections" for the name, or whatever you would like.
5. Click Finish
6. Right click your new shortcut and go to "properties"
7. Click "Change Icon"
8. You can either copy and paste the below path or browse there and select this dll file.


C:\Windows\System32\netshell.dll


9. The default icon will be the first one that displays. Select your desired icon and then click OK.
10. Click OK one more time and you are done.

It's that simple. I personally pinned mine to my start menu, but you can treat it like any other shortcut now. The only question left is what to do with all the clicks you saved!