Tag Archives: security

Secure your Azure deployment with Palo Alto VM-Series for Azure

This posting is ~6 years old. You should keep this in mind. IT is a short-lived business. This information might be outdated.

When I talk to customers and colleagues about cloud offerings, most of them are still concerned about the cloud, and especially about the security of public cloud offerings. One of the most frequently mentioned concerns is based on the belief that each and every cloud-based VM is publicly reachable over the internet. This can be the case, but it does not have to be. It depends on your design. Maybe that is only a problem in Germany. German privacy policies are the reason for the two German Azure datacenters. They are run by Deutsche Telekom, not by Microsoft.

Azure Virtual Networks

An Azure Virtual Network (VNet) is a network inside the public Azure cloud. It is isolated from the underlying infrastructure and from other tenants, and it is dedicated to you. This allows you to fully control IP addressing, DNS, security policies and routing between subnets. Virtual Networks can include multiple subnets to reflect different security zones and/ or multi-tier designs. If you want to connect two or more VNets in the same region, you have to use VNet peering. Microsoft offers excellent documentation about Virtual Networks. Because routing is managed by the Azure infrastructure, you need user-defined routes (UDR) to push traffic through a firewall or load-balancing appliance; without them, the system routes let subnets in a VNet reach each other directly and the appliance is simply bypassed.

Who is Palo Alto Networks?

Palo Alto Networks was founded by Nir Zuk in 2005. Nir Zuk is the founder and CTO of Palo Alto Networks, and he is still leading the development. He is a former employee of Check Point and NetScreen (which was acquired by Juniper Networks). His motivation to develop his vision of a Next Generation Firewall (NGF) was the fact that firewalls were unable to look into traffic streams. We all know this: you want your employees to be able to use Google, but you don't want them to access Facebook. Designing policies for this on a port-based firewall can be a real PITA. You can solve this with a proxy server, but a proxy has other disadvantages.

Gartner has identified Palo Alto Networks as a leader in the enterprise firewall market since 2011.

I was able to get my hands on some Palo Alto firewalls, and I think I understand why Palo Alto Networks is regarded as a leader.

VM-Series for Microsoft Azure

Sometimes you have to separate networks. That is no big deal when your servers are located in your datacenter, even if they are virtualized. But what if the servers are located in a VNet on Azure? As already mentioned, you can create different subnets in an Azure VNet to build a multi-tier or multi-subnet environment. Because routing is managed by the underlying Azure infrastructure, you have to use Network Security Groups (NSG) to manage traffic. An NSG contains rules to allow or deny network traffic to VMs in a VNet. Unfortunately, an NSG can only act on layers 3 and 4: source and destination address, protocol and port. If you need something that can act on layer 7, i.e. on the application and the user behind the traffic, you need something different. This is where the Palo Alto Networks VM-Series for Microsoft Azure comes into play.
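An added example of the user-defined route that makes the VM-Series the next hop; this is not code from the post or from Palo Alto Networks' templates. Assumptions: the firewall's trusted-side NIC has the static private address 10.0.1.4, the web subnet is 10.0.2.0/24 in a VNet called vnet-prod, the database subnet is 10.0.3.0/24, and all resource names are made up. The route table sends both the default route and the database prefix from the web subnet to the firewall, and the second resource attaches the table to the web subnet.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Network/routeTables",
      "apiVersion": "2017-10-01",
      "name": "rt-snet-web",
      "location": "[resourceGroup().location]",
      "properties": {
        "routes": [
          {
            "name": "default-via-vmseries",
            "properties": {
              "addressPrefix": "0.0.0.0/0",
              "nextHopType": "VirtualAppliance",
              "nextHopIpAddress": "10.0.1.4"
            }
          },
          {
            "name": "db-subnet-via-vmseries",
            "properties": {
              "addressPrefix": "10.0.3.0/24",
              "nextHopType": "VirtualAppliance",
              "nextHopIpAddress": "10.0.1.4"
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "apiVersion": "2017-10-01",
      "name": "vnet-prod/snet-web",
      "dependsOn": [
        "[resourceId('Microsoft.Network/routeTables', 'rt-snet-web')]"
      ],
      "properties": {
        "addressPrefix": "10.0.2.0/24",
        "routeTable": {
          "id": "[resourceId('Microsoft.Network/routeTables', 'rt-snet-web')]"
        }
      }
    }
  ]
}
```

Two checks before you rely on this: the firewall's NIC must have IP forwarding enabled (enableIPForwarding on the network interface), otherwise Azure drops packets whose destination is not the NIC's own address, and the firewall's own subnet must not get this route table, or its outbound traffic would be routed back to itself.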

The VM-Series for Microsoft Azure can be deployed directly from the Azure Marketplace. Palo Alto Networks also offers ARM templates on GitHub.

Palo Alto Networks targets three main use cases:

  • Hybrid Cloud
  • Segmentation Gateway/ Compliance
  • Internet Gateway

The hybrid cloud use case is interesting if you want to extend your datacenter to Azure, for example if you move development workloads to Azure. Instead of using Azure's native VPN gateway, you can use the VM-Series NGF as the IPsec gateway.

If you are running different workloads on Azure and you need inter-subnet communication between them, you can use the VM-Series as a firewall between the subnets. This allows you to manage traffic more granularly (by application and user instead of only by address and port), and it provides more security than the Azure NSGs alone.

If you are running production workloads on Azure, e.g. an RDS farm, you can use the VM-Series to secure the internet access from that RDS farm. Due to the integration with directory services like Microsoft Active Directory or plain LDAP, user-based policies allow traffic to be managed based on user identity.

There is a fourth use case: Palo Alto Networks GlobalProtect. With GlobalProtect, the capabilities of the NGF are extended to remote users and devices. Traffic is tunneled to the NGF, and users and devices are protected from threats. User- and application-based policies can be enforced regardless of where the user and the device are located: on-premises, in a remote location or in the cloud.

Palo Alto Networks offers two ways to purchase the VM-Series for Microsoft Azure:

  • Consumption-based licensing
  • Bring your own license (BYOL)

Consumption-based licensing is only available for the VM-300. The smaller VM-100, as well as the bigger VM-500 and VM-700, are only available via BYOL. It is a good idea to offer a mid-sized model with a consumption-based license. If the VM-300 is too big (with consumption-based licensing), you can purchase a permanent license for a VM-100. If you need more performance, purchasing your own license might be the better way. You can start with a VM-300 and then rightsize the model and license.

All models can handle a throughput of 1 Gb/s, but they differ in the number of sessions. The VM-100 and VM-300, as well as the VM-500 and VM-700, run on D3_v2 instances. Check the current Palo Alto Networks documentation for the supported instance sizes, as they have changed since.

Just play with it

Just create some Azure VM instances and deploy a VM-300 from the marketplace. Play with it. It's awesome!

Using WP fail2ban with the CloudFlare API to protect your website

This posting is ~6 years old. You should keep this in mind. IT is a short-lived business. This information might be outdated.

The downside of using WordPress is that many people use it. That makes WordPress a perfect target for attacks. I have some trouble with attacks, and one of the consequences is that my web server crashes under load. The easiest way to solve this issue would be to ban the attacking IP addresses. I already use Fail2ban to protect some other services, so the idea of using Fail2ban to ban IP addresses that are used for attacks was obvious.

From the Fail2ban wiki:

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs — too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

That works very well for services like IMAP. Unfortunately, it does not work out of the box for WordPress, but adding the WordPress plugin WP fail2ban brings us closer to the solution. For performance and security reasons, vcloudnine.de can only be accessed through a content delivery network (CDN), in this case CloudFlare. Because CloudFlare acts as a reverse proxy, I cannot see "the real" IP address at the TCP level, only the address of the CloudFlare edge node. Furthermore, I cannot log the IP addresses because of the German data protection law. This makes Fail2ban and the WP fail2ban plugin nearly useless, because all I would ban with iptables would be the CloudFlare CDN IP ranges, and with them every legitimate visitor arriving through the same edge node. But CloudFlare offers a firewall service, and CloudFlare is the right place to block IP addresses.

So, how can I glue Fail2ban, the WP fail2ban plugin and CloudFlare's firewall service together?

APIs FTW!

APIs are the solution for nearly every problem. Like others, CloudFlare offers an API that can be used to automate tasks. In this case, I use the API to add entries to the CloudFlare firewall. Or, honestly: someone wrote a Fail2ban action that does this for me.

First of all, you have to install the WP fail2ban plugin. That is easy: simply install the plugin. Then copy the wordpress-hard.conf from the plugin directory to the filter.d directory of Fail2ban.

[[email protected] filters.d]# cp wordpress-hard.conf /etc/fail2ban/filter.d/

Then edit /etc/fail2ban/jail.conf and add the necessary entries for WordPress. Better: put them into /etc/fail2ban/jail.local, which Fail2ban reads after jail.conf and which is not overwritten by package updates.

[wordpress-hard]

enabled  = true
filter   = wordpress-hard
logpath  = /var/log/messages
action   = cloudflare
maxretry = 3
bantime  = 604800

Please note that in my case the plugin logs to /var/log/messages. The action is "cloudflare". To allow Fail2ban to work with the CloudFlare API, you need the CloudFlare API key. This key is unique for every CloudFlare account, and it grants full access to everything in that account, not only to the firewall, so treat it like a password: restrict read access to the action file and rotate the key if it ever ends up in a log or a backup. You can get this key from your CloudFlare user profile. Go to the user settings and scroll down.

Cloudflare Global API Key

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

Open /etc/fail2ban/action.d/cloudflare.conf and scroll to the end of the file. Add the key and your CloudFlare login name (e-mail address) to the file. Note that the action shipped with this Fail2ban version still talks to the legacy api_json.html endpoint (visible in the curl commands of the error messages further down); newer Fail2ban releases ship an action for the current v4 API, so check which one your version uses.

# Default Cloudflare API token
cftoken = 1234567890abcdefghijklmopqrstuvwxyz99

cfuser = user@domain.tld

The last step is to tell the WP fail2ban plugin which IPs should be trusted as proxies. The plugin only believes the forwarded client address in the request headers if the request itself arrives from one of these addresses; otherwise anyone could forge the header and have arbitrary addresses banned. We have to add the subnets of the CloudFlare CDN. Edit your wp-config.php and add this line at the end:

/** CloudFlare IP Ranges */
define('WP_FAIL2BAN_PROXIES','103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/12,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,199.27.128.0/21,2400:cb00::/32,2405:8100::/32,2405:b500::/32,2606:4700::/32,2803:f800::/32,2c0f:f248::/32,2a06:98c0::/29');

The reason for this can be found in the FAQ of the WP fail2ban plugin. The IP ranges used by CloudFlare can be found at CloudFlare; they change over time, so the list above needs to be kept in sync.
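An added example, not code from the plugin, from Fail2ban or from the post, that shows the two decisions this setup relies on: which address to attribute a request to when a trusted proxy is in front of the web server, and when the jail settings (maxretry, findtime) turn failed logins into a ban. It uses only the Python 3 standard library. The proxy list is a shortened copy of the CloudFlare ranges from the wp-config.php line above, the log lines are constructed in the format the plugin writes to syslog, and the addresses are documentation ranges; the year for the syslog timestamps is an assumption, because syslog does not record one.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A few of the CloudFlare prefixes from the wp-config.php line above (assumption:
# shortened for the example). In production use the full, current list from CloudFlare.
TRUSTED_PROXIES = [ipaddress.ip_network(p) for p in (
    "103.21.244.0/22", "104.16.0.0/12", "162.158.0.0/15", "172.64.0.0/13",
    "2400:cb00::/32", "2606:4700::/32",
)]


def client_ip(remote_addr, forwarded_for=None):
    """Return the address to log (and ban) for one request.

    The forwarded address (X-Forwarded-For / CF-Connecting-IP) is believed only
    when the TCP peer is a trusted proxy. Any other peer could set the header to
    an arbitrary value and get that value banned instead of itself.
    """
    peer = ipaddress.ip_address(remote_addr)
    if forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        # The left-most entry is the original client; later entries are proxies.
        first = forwarded_for.split(",")[0].strip()
        return str(ipaddress.ip_address(first))
    return str(peer)


# Constructed syslog lines in the format WP fail2ban writes (not the blog's real log).
SAMPLE_LOG = """\
Jan 15 20:01:46 webserver wordpress(www.vcloudnine.de)[4312]: Authentication attempt for unknown user vcloudnine from 198.51.100.23
Jan 15 20:01:47 webserver wordpress(www.vcloudnine.de)[4312]: Authentication attempt for unknown user admin from 198.51.100.23
Jan 15 20:01:49 webserver wordpress(www.vcloudnine.de)[4312]: Authentication failure for patrick from 198.51.100.23
Jan 15 20:30:00 webserver wordpress(www.vcloudnine.de)[4312]: Authentication failure for patrick from 203.0.113.9
Jan 15 20:45:00 webserver wordpress(www.vcloudnine.de)[4312]: Authentication failure for patrick from 203.0.113.9
Jan 15 20:50:00 webserver wordpress(www.vcloudnine.de)[4312]: Authentication failure for patrick from 203.0.113.9
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ wordpress\([^)]*\)\[\d+\]: "
    r"Authentication (?:attempt for unknown user \S+|failure for \S+) from (?P<ip>\S+)$"
)


def bans(lines, maxretry=3, findtime=600, year=2017):
    """Re-implementation of the jail logic: an address is banned the moment it
    reaches maxretry matches within the last findtime seconds (Fail2ban's
    default findtime is 600 s). Returns {ip: datetime of the ban}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)   # ip -> timestamps of matches still inside the window
    banned = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        ip = m.group("ip")
        if ip in banned:
            continue
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    print(client_ip("104.16.1.1", "198.51.100.23"))   # via CloudFlare: real client
    print(client_ip("192.0.2.5", "198.51.100.23"))    # direct: header ignored
    for ip, when in bans(SAMPLE_LOG.splitlines()).items():
        print("ban", ip, "at", when)
```

With the default findtime of 600 seconds, 198.51.100.23 is banned at its third failure, while 203.0.113.9 is not, because its three failures are spread over twenty minutes; with findtime=3600 both are banned. That is the knob to turn when a slow brute force stays under the radar.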

Does it work?

It seems so... This is an example from /var/log/messages.

Jan 15 20:01:46 webserver wordpress(www.vcloudnine.de)[4312]: Authentication attempt for unknown user vcloudnine from 195.154.183.xxx
Jan 15 20:01:46 webserver fail2ban.filter[4393]: INFO [wordpress-hard] Found 195.154.183.xxx

And this is a screenshot from the CloudFlare firewall section.

Cloudflare Firewall Blocked Websites

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

Another short test with curl has also worked. I will monitor the firewall section of CloudFlare. Let's see who is added next...

Important note for those who use SELinux: make sure that you install the policycoreutils-python package and create a custom policy for Fail2ban! Review the generated .te file before loading it: it should only grant fail2ban_t the name_connect permission on http_port_t shown in the audit message below, not every denial that happens to be in the audit log at that time.

[[email protected] ~]# grep fail2ban /var/log/audit/audit.log | audit2allow -M myfail2banpolicy
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i myfail2banpolicy.pp

A strong indicator are errors like this in /var/log/messages (note that Fail2ban logs the complete curl command line, including the API key, when the action fails, so these log files need to be protected accordingly):

Jan 22 12:06:03 webserver fail2ban.actions[16399]: NOTICE [wordpress-hard] Ban xx.xx.xx.xx
Jan 22 12:06:03 webserver fail2ban.action[16399]: ERROR curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=ban' -d 'tkn=7c8e62809d4183931347772b366e621003c63' -d 'email=patrick@blazilla.de' -d 'key=xx.xx.xx.xx' -- stdout: ''
Jan 22 12:06:03 webserver fail2ban.action[16399]: ERROR curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=ban' -d 'tkn=7c8e62809d4183931347772b366e621003c63' -d 'email=patrick@blazilla.de' -d 'key=xx.xx.xx.xx' -- stderr: ''
Jan 22 12:06:03 webserver fail2ban.action[16399]: ERROR curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=ban' -d 'tkn=7c8e62809d4183931347772b366e621003c63' -d 'email=patrick@blazilla.de' -d 'key=xx.xx.xx.xx' -- returned 7
Jan 22 12:06:03 webserver fail2ban.actions[16399]: ERROR Failed to execute ban jail 'wordpress-hard' action 'cloudflare' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f49967edc80>, 'matches': '', 'ip': 'xx.xx.xx.xx', 'ipmatches': <function <lambda> at 0x7f49967edde8>, 'ipfailures': <function <lambda> at 0x7f49967edc08>, 'time': 1485083163.0328701, 'failures': 2, 'ipjailfailures': <function <lambda> at 0x7f49967eded8>})': Error banning xx.xx.xx.xx

You will find corresponding audit messages in /var/log/audit/audit.log:

type=AVC msg=audit(1485083254.298:17688): avc:  denied  { name_connect } for  pid=16575 comm="curl" dest=443 scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket

Make sure that you create a custom policy for Fail2ban, and that you load the policy.

The Linux OOM killer strikes again

This posting is ~6 years old. You should keep this in mind. IT is a short-lived business. This information might be outdated.

As a frequent reader of my blog, you might have noticed that vcloudnine.de was unavailable from time to time. The reason for this was that my server was running out of memory at night.

Jan  1 05:22:16 webserver kernel: : httpd invoked oom-killer: gfp_mask=0x200da, order=0, oom_adj=0, oom_score_adj=0

Running out of memory is bad for system uptime. Sometimes you have to sacrifice someone to help the others.

It is the job of the linux ‘oom killer’ to sacrifice one or more processes in order to free up memory for the system when all else fails.

Source: OOM Killer – linux-mm.org

The OOM killer selects the process that frees up the most memory and that is the least important to the system. Unfortunately, in my case it is Apache or MySQL. On the other hand: killing these processes has never brought the system back to life. But that is another story. Something has consumed so much memory at night that the OOM killer had to start its deadly work.

Checking the logs

The OOM killer started its work at about 5 am, and it killed httpd (Apache).

Jan  1 05:22:16 webserver kernel: : httpd invoked oom-killer: gfp_mask=0x200da, order=0, oom_adj=0, oom_score_adj=0

While checking the Apache error_log, this log entry caught my attention.

[Sun Jan 01 03:51:04 2017] [notice] SIGHUP received.  Attempting to restart

The next stop was the Apache access_log. At the same time as the entry in the error_log, Apache logged a POST request to wp-login.php in the access_log.

[01/Jan/2017:03:51:03 +0100] "POST /wp-login.php HTTP/1.1" 200 4168

And there were a lot more attempts... I did a short check of older log files. It was not the first OOM killer event, and the log entries were a smoking gun, especially the POSTs to wp-login.php.

[[email protected] httpd]# zgrep 'POST /wp-login.php HTTP/1.1' access_log | wc -l
876
[[email protected] httpd]# zgrep 'POST /wp-login.php HTTP/1.1' access_log-20161218.gz | wc -l
14577
[[email protected] httpd]# zgrep 'POST /wp-login.php HTTP/1.1' access_log-20161225.gz | wc -l
12368
[[email protected] httpd]# zgrep 'POST /wp-login.php HTTP/1.1' access_log-20170101.gz | wc -l
12054
[[email protected] httpd]# zgrep 'POST /wp-login.php HTTP/1.1' access_log-20170108.gz | wc -l
6814

The number below each command is the number of POST requests logged in the respective access_log. The current access_log starts on Jan 08 2017, and since then there are already 876 POST requests to wp-login.php. Looks like a brute force attack: every POST to wp-login.php runs the whole WordPress PHP stack, and enough of them in parallel exhaust the memory of a small server.

So there is nothing wrong with the server setup; it simply breaks down under a brute force attack.
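Counting the POSTs per log file, as above, shows that there is an attack; what it does not show is whether the requests are bunched up around the time of the OOM event, and from how many sources they come. An added example (not part of the post, Python 3 standard library only) that reads Apache access_log lines and answers those questions: requests to wp-login.php per minute, the peak minute, the top source addresses, and the response status breakdown. The log lines are constructed in common log format with documentation addresses, not the blog's real log.

```python
import re
from collections import Counter

# Constructed sample in Apache common log format (not the real access_log).
SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [01/Jan/2017:03:50:58 +0100] "POST /wp-login.php HTTP/1.1" 200 4168
203.0.113.9 - - [01/Jan/2017:03:51:01 +0100] "POST /wp-login.php HTTP/1.1" 200 4168
203.0.113.9 - - [01/Jan/2017:03:51:03 +0100] "POST /wp-login.php HTTP/1.1" 200 4168
198.51.100.23 - - [01/Jan/2017:03:51:04 +0100] "POST /wp-login.php HTTP/1.1" 200 4168
192.0.2.77 - - [01/Jan/2017:03:51:20 +0100] "GET /index.php HTTP/1.1" 200 12345
203.0.113.9 - - [01/Jan/2017:03:52:10 +0100] "POST /wp-login.php HTTP/1.1" 200 4168
198.51.100.23 - - [01/Jan/2017:03:53:00 +0100] "POST /wp-login.php HTTP/1.1" 302 0
"""

# host ident user [timestamp] "METHOD path protocol" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def login_posts(lines):
    """Yield (ip, minute, status) for every POST to wp-login.php.
    The minute key is the first 17 characters of the timestamp, e.g. 01/Jan/2017:03:51."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if m.group("path").split("?")[0] != "/wp-login.php":
            continue
        yield m.group("ip"), m.group("ts")[:17], m.group("status")


def login_posts_per_minute(lines):
    """Login POSTs bucketed per minute; compare the peak with the OOM/SIGHUP timestamps."""
    return Counter(minute for _, minute, _ in login_posts(lines))


def peak_minute(lines):
    """(minute, count) with the most login POSTs, or None if there are none."""
    per_minute = login_posts_per_minute(lines)
    if not per_minute:
        return None
    return max(per_minute.items(), key=lambda kv: (kv[1], kv[0]))


def top_sources(lines, n=5):
    """Addresses with the most login POSTs; one dominant address is a single
    bot, many addresses with few requests each is a distributed attack."""
    return Counter(ip for ip, _, _ in login_posts(lines)).most_common(n)


def status_breakdown(lines):
    """WordPress answers a failed login with 200 (the form is rendered again)
    and a successful one with a 302 redirect, so 302s deserve a closer look."""
    return dict(Counter(status for _, _, status in login_posts(lines)))


if __name__ == "__main__":
    lines = SAMPLE_ACCESS_LOG.splitlines()
    print("peak:", peak_minute(lines))
    print("sources:", top_sources(lines))
    print("status:", status_breakdown(lines))
```

Run it against a real log with open("access_log") as the line source (zcat the rotated ones first). A 302 on wp-login.php from an address that also produced hundreds of 200s is the line to investigate, because that is what a successful guess looks like in the access_log.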

Using Microsoft certreq.exe to generate a certificate signing request (CSR)

This posting is ~7 years old. You should keep this in mind. IT is a short-lived business. This information might be outdated.

Generating a certificate signing request (CSR) is the first step towards a signed certificate. The request is signed with the applicant's private key and consists of the public key, a name and optional attributes.

To generate a CSR, you can use tools like OpenSSL on a Linux box, or sometimes the application itself can generate a CSR. But if you have a Windows box, you don't have OpenSSL by default, and it is inconvenient to install something just for a single CSR. You can use certreq.exe to create a CSR. This tool is mostly unknown, but it has been included since Windows 2000. The syntax differs slightly between the versions, so I focus on the version that is shipped with Server 2008/ Windows Vista and newer.

To generate a CSR, you have to create a configuration file. This file specifies the key length, the common name, whether the private key is exportable, etc. This is a configuration file which includes additional names (subject alternative names, SAN).

[Version]

Signature="$Windows NT$"

[NewRequest]

Subject = "CN=server1.lab.local, OU=Lab, O=vcloudnine.de, L=Cologne, S=NRW, C=DE"
KeySpec = 1                     ; AT_KEYEXCHANGE, needed for TLS key exchange
KeyLength = 4096
Hashalgorithm = sha256
Exportable = TRUE               ; set to FALSE if the private key must never leave this machine
FriendlyName = server1
MachineKeySet = TRUE            ; key goes into the computer store (services), not the user store
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = Microsoft RSA SChannel Cryptographic Provider
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0                 ; digitalSignature + keyEncipherment

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1           ; serverAuth

[Extensions]

2.5.29.17 = "{text}"            ; subjectAltName
_continue_ = "dns=server1.vcloudnine.de&"
_continue_ = "dns=app.terlisten-consulting.de&"
_continue_ = "dns=app.blazilla.de&"

This CSR includes three subject alternative names, which are listed below the [Extensions] section. The syntax of this file is very important! Two settings deserve a conscious decision: Exportable = TRUE allows the private key to be exported later (e.g. to copy the certificate to a load balancer); leave it at FALSE if the key should never leave the machine. MachineKeySet = TRUE stores the key in the computer's key store, which is what a service like a web server needs, so the command below has to run in an elevated prompt.

To create the CSR, open a CMD and change to the directory where the configuration file is stored:

C:\Users\Patrick\Downloads>certreq -new request.inf csr-server1.req

CertReq: Anforderung erstellt

(The output is from a German locale; the English message is "CertReq: Request Created".) The csr-server1.req file can be submitted to a CA to create a signed certificate. When the certificate comes back, import it with certreq -accept on the same machine, so that it is joined with the private key that was generated in the machine key store. Very handy, especially in VMware Horizon View deployments in which you do not have access to a Windows-based Enterprise CA.

Stunnel refuses to work after update

This posting is ~8 years old. You should keep this in mind. IT is a short-lived business. This information might be outdated.

Yesterday I updated a CentOS 6.6 VM with a simple yum update. A couple of packages were updated and, to be honest, I haven't checked which packages were updated. Today I noticed that an application that uses a secure tunnel to connect to another application doesn't work anymore. While browsing through the log files, I found this message from Stunnel.

LOG3[1145:140388919940864]: SSL_accept: 14076129: error:14076129:SSL routines:SSL23_GET_CLIENT_HELLO:only tls allowed in fips mode

I raised the debug level and restarted Stunnel. Right after the restart, I found this in the logs.

LOG5[1385:140679985747904]: stunnel is in FIPS mode
LOG5[1385:140679985747904]: stunnel 4.29 on x86_64-redhat-linux-gnu with OpenSSL 1.0.1e-fips 11 Feb 2013

So Stunnel was working in FIPS mode. But what is FIPS and why is Stunnel using it? I recommend reading the Wikipedia article about the Federal Information Processing Standards (FIPS). To be precise, Stunnel follows FIPS 140-2. OpenSSL in FIPS mode only allows TLS, so a client that still starts its handshake with SSLv2/ SSLv3 is rejected with the message above. My stunnel.conf is really simple and there is nothing configured that is or might be related to FIPS. A short search with man -K fips led me to the stunnel man page.

 fips = yes | no
           Enable or disable FIPS 140-2 mode.

           This option allows to disable entering FIPS mode if stunnel was compiled with FIPS 140-2 support.

           default: yes

This explains a lot. FIPS is enabled by default in this version, so it was switched on with the updated Stunnel package. With FIPS enabled, only TLS can be used. More interesting: FIPS is disabled by default beginning with version 5.00, but I'm running version 4.29. So I had two options to get rid of this error:

  • Disable FIPS
  • Enforce TLS

To disable FIPS, you have to add the following line to the stunnel.conf on the server side (the man page spells the values yes | no):

fips = no

You can keep FIPS enabled when you enforce the use of TLS. This is the better option: disabling FIPS only to keep SSLv3 alive re-enables a protocol with known weaknesses, while enforcing TLS on both ends fixes the actual mismatch. In my case, I added the following line on the server and client side:

sslVersion = TLSv1

After a restart of Stunnel on the server side (and on the client side, because its configuration changed as well), the connection began to work again.
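An added example of how the two options look in context; this is not the configuration from the post. It shows a minimal stunnel 4.x server and client pair that keeps FIPS mode and pins both ends to TLSv1, with the "just disable FIPS" alternative left in as a commented-out line for comparison. Ports, paths, the service name and the server name are assumptions, and the two parts belong in separate files on the two hosts.

```ini
; --- server side: /etc/stunnel/stunnel.conf ---
; Keep FIPS mode and accept TLS only. "fips = no" (the other option above)
; would let SSLv3 clients back in, which is the wrong fix.
fips = yes
; fips = no
sslVersion = TLSv1
cert = /etc/stunnel/server.pem
key  = /etc/stunnel/server.key

[app]
accept  = 0.0.0.0:8443
connect = 127.0.0.1:8080

; --- client side: /etc/stunnel/stunnel.conf ---
; The client must also speak TLS, otherwise the FIPS server rejects its hello.
; verify = 2 makes the client check the server certificate against CAfile,
; which the original setup did not do.
fips = yes
sslVersion = TLSv1
verify = 2
CAfile = /etc/stunnel/ca.pem

[app]
client  = yes
accept  = 127.0.0.1:8080
connect = server.example.com:8443
```

On stunnel 5.x the defaults differ (FIPS off, all TLS versions allowed), so the same mismatch does not occur, but pinning a single protocol version is still how you keep an old client from negotiating something weaker than you expect.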

Replace HP iLO security certificates

This posting is ~8 years old. You should keep this in mind. IT is a short-lived business. This information might be outdated.

When you access the HP iLO web interface, you will be redirected to an HTTPS website. This connection is usually secured by a self-signed SSL certificate. To replace this certificate with a certificate issued by your own CA, you have to complete several steps. I will guide you through these steps. I focused on HP iLO 2, but the steps are similar for iLO 3 or iLO 4.

The requirements

We need:

  • an iLO interface that is connected to the network and that has an IP address assigned
  • access to this iLO interface
  • a CA and access to it
  • a web browser

Create the Certificate Signing Request (CSR)

Before we can issue the certificate, we need to create a certificate signing request. This request is used by the CA to create the digital certificate. The CSR contains information identifying the applicant, e.g. the distinguished name (DN), whose common name for a web server is the FQDN. To create a CSR, we have to log in to the iLO web interface.

Create the CSR, issue and install the certificate

I use a Microsoft Windows Server 2012 R2 CA in my lab. This CA is integrated into my Active Directory and I use it to issue certificates for my lab infrastructure. Because it's my lab, I don't use a two-tier CA with an offline root CA. ;) But if you are interested in how to set this up, I recommend these two excellent articles written by Derek Seaman and posted on his blog: Windows Server 2012 R2 Two-Tier PKI CA Pt. 1 & Windows Server 2012 R2 Two-Tier PKI CA Pt. 2.

To create a CSR we have to log in to iLO and access the "Administration" tab. Then select "Security" from the left menu.

ilo2_ssl_cert_1

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

Usually the lower fields are greyed out, so you have to enable "Customized CSR". Then you can fill the lower, now enabled, fields with values. Use the FQDN under which you will access the iLO as the common name; a name that does not match the URL in the browser produces a certificate error later. Don't forget to hit apply.

A little further down the page, you can create a certificate request.

ilo2_ssl_cert_2

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

Click the "Create Certificate Request" button. The certificate request will be generated and you will be forwarded to the next page. Now you have to copy the request into a text file, or you can paste it directly into your CA. I use a W2K12 R2 CA which is running on another host, so I copied the text into a file and saved the file as ilo-esx1.csr.

ilo2_ssl_cert_3

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

Now it's time to issue the certificate. I copied the CSR to my CA into a temp directory. Open an elevated CMD, switch to the directory with the CSR and run the following command (the third argument is the file the issued certificate is written to):

certreq.exe -submit -attrib "CertificateTemplate:WebServer" ilo-esx1.csr ilo-esx1.pem

A window will pop up where you have to choose the CA. Because I only have one CA, there is not much to choose... Select your CA and click "OK". Copy the pem file to your client (or wherever you have the browser with the iLO open), click "Next Step" and then paste the content of the pem file into the text field.

ilo2_ssl_cert_4

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

Click “Install Certificate”.

ilo2_ssl_cert_5

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

If you click "Restart", a counter will appear. After 60 seconds you will be redirected to the login page. Please note that you have to access the login page via the FQDN. Otherwise you will get a certificate error.

Summary

Essentially there is nothing special about it. It is much easier than doing this for a VMware environment... It is a simple three-step plan: 1. create the CSR, 2. issue a certificate using the CSR and 3. install the certificate. Don't forget to import the CA certificate into your browser or operating system trust store (domain-joined Windows clients already trust an AD-integrated CA through Group Policy). Otherwise you will still get this nasty security warning...

HP Data Protector: Backup of DMZ servers

This posting is ~9 years old. You should keep this in mind. IT is a short-lived business. This information might be outdated.

Sometimes it is necessary to back up systems that are behind a firewall. A good example are servers in a DMZ. When using HP Data Protector, there are some things to know and consider before you can back up systems behind a firewall. Let's start with some basics.

The components

Cell Manager: The Cell Manager (CM) is the backup server itself. It controls the whole environment and stores the licenses, clients, media, devices, backup specifications etc.

Backup specification: A backup specification describes WHAT has to be backed up and WHERE it should be written.

Backup Session Manager: The Backup Session Manager (BSM) starts the MA and DA, controls the session and stores metadata in the database.

Disk Agent: The Disk Agent (DA) is the backup client itself. It is used to read or write data from or to the server and sends the data to the Media Agent (MA).

Media Agent: The Media Agent (MA) reads or writes data from or to a backup device. The data is sent by or received from a DA. The MA can be installed on every server that has a backup device (tape or disk) attached.

HP Data Protector Session Flow

The different components of HP Data Protector interact with each other. The BSM is started on the HP Data Protector Cell Manager and reads the backup specification. Then the BSM starts the DA and MA. Control data is exchanged between DA, MA and BSM. The actual backup data travels from the DA to the MA and, in case of a restore, from the MA to the DA.

dp_session_flow

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

Typically the MA runs on the same host as the BSM (which is started on the Cell Manager). But you can also use different servers for the CM/ BSM and the MA. Think about a virtualized HP Data Protector Cell Manager and a physical host that has a tape library connected. If your BSM and MA are behind a firewall (from the DA perspective), you have to get the control data and the data flow through the firewall. For this, ports must be opened on the firewall, and because the connections are initiated from both sides (the Cell Manager towards the DA, the DA towards the session manager and the MA), it is not enough to open a single port in one direction.

dp_session_flow_with_fw

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

The requirements

One of the most important things in an HP Data Protector environment is DNS! Most errors I see are DNS related. This leads to the requirement that there has to be working name resolution between Cell Manager, MA and DA, forward and reverse. Before you proceed further, please check the name resolution. Please note that ping isn't a qualified tool to test name resolution! You should use nslookup or dig for this. The next step is to define the port ranges that are used for the communication between BSM, MA and DA. Because HP Data Protector is a top notch backup product, you have to change the omnirc file with your favorite editor. Yes, even if you have a Windows-based Cell Manager. The omnirc file is located in:

Operating System       | Path
Windows before 2008    | C:\Program Files\Omniback\omnirc
Windows 2008 and newer | C:\ProgramData\Omniback\omnirc
Linux/ UNIX            | /opt/omni/.omnirc

You have to add the OB2PORTRANGESPEC parameter, which limits the number of ports that are used for communication between the different components. Then you have to open these port ranges in your firewall. The ports are picked randomly from the range. The complete parameter looks like this:

OB2PORTRANGESPEC=xSM:20000-20250;CRS:18000-18005;xMA-NET:19000-19010

xSM is used to define the ports that are used by the Backup Session Manager (BSM), Restore Session Manager (RSM) and Database Session Manager (DBSM). Each session manager uses one port. You can define specific ranges for each session manager by replacing the x with B, R or DB. For example:

OB2PORTRANGESPEC=BSM:20000-20005;RSM:20006-20010;DBSM:20011-20020;CRS:18000-18050;xMA-NET:19000-19010

If the option "Reconnect broken connections" is enabled, each DA needs a connection to an xSM: DA to BSM when taking a backup, DA to RSM when doing a restore and DA to DBSM for the IDB backup. So the xSM parameter limits the number of concurrent sessions of your Cell Manager. Choose it wisely... Because the data flows directly from the DA to the MA, each DA needs a connection to an MA. With the port range specified above, you could have 11 concurrent connections from DAs to an MA.

If the server you want to back up runs an application like Oracle, Exchange or MS SQL, you need additional connections to the Cell Manager, to be precise to the Cell Request Server (CRS). The port range for these connections is defined with the CRS part of the OB2PORTRANGESPEC parameter. If the MA runs on a different host than the Cell Manager, you have to add the xMA part of OB2PORTRANGESPEC to the omnirc file on the server with the MA. After you have changed the omnirc file, you have to restart the HP Data Protector services.

The port ranges used, in a clear table (Location is where the target component sits; the source ports are the ephemeral ports of the initiating host, which go up to 65535):

Source       | Target | Location | TCP Source Port Range | TCP Destination Port Range
Cell Manager | DA     | DMZ      | 1024 - 65535          | 5555
DA           | MA     | LAN      | 1024 - 65535          | 19000-19010
DA           | xSM    | LAN      | 1024 - 65535          | 20000-20250
DA           | CRS    | LAN      | 1024 - 65535          | 18000-18005
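The table above is derived by hand from the OB2PORTRANGESPEC line. An added example (not part of the post and not an HP tool, Python 3 standard library only) that does the derivation mechanically: it parses the parameter, works out how many concurrent sessions and DA-to-MA connections each range allows, and produces the list of firewall rules to open, with the fixed inet port 5555 towards the DA added. It also rejects the "NAME=range" spelling instead of "NAME:range", which is the easiest typo to make in this parameter. The component-to-rule mapping follows the text above; the port 5555 constant is the one from the table.

```python
import re

# The parameter as shown in the post; the per-session-manager form parses the same way.
DEFAULT_SPEC = "OB2PORTRANGESPEC=xSM:20000-20250;CRS:18000-18005;xMA-NET:19000-19010"

# TCP port of the Data Protector inet service on every client (fixed, from the table above).
INET_PORT = 5555

_RANGE_RE = re.compile(r"^(?P<low>\d{1,5})-(?P<high>\d{1,5})$")


def parse_portrangespec(line):
    """Parse 'OB2PORTRANGESPEC=NAME:LOW-HIGH;NAME:LOW-HIGH;...' into {NAME: (LOW, HIGH)}.

    Raises ValueError for the 'NAME=LOW-HIGH' typo, for a missing range and for
    ports outside 1024-65535 (privileged ports are never picked by the agents).
    """
    key, sep, spec = line.strip().partition("=")
    if not sep or key != "OB2PORTRANGESPEC":
        raise ValueError("expected OB2PORTRANGESPEC=...")
    ranges = {}
    for item in filter(None, (s.strip() for s in spec.split(";"))):
        name, colon, rng = item.partition(":")
        m = _RANGE_RE.match(rng)
        if not colon or not m:
            raise ValueError("bad entry %r, expected NAME:LOW-HIGH" % item)
        low, high = int(m.group("low")), int(m.group("high"))
        if not 1024 <= low <= high <= 65535:
            raise ValueError("bad port range in %r" % item)
        ranges[name] = (low, high)
    return ranges


def capacity(ranges):
    """Ports per range: concurrent sessions for xSM/BSM/RSM/DBSM, DA->MA connections for xMA-NET."""
    return {name: high - low + 1 for name, (low, high) in ranges.items()}


def firewall_rules(ranges):
    """Rules the firewall between DMZ and LAN must allow, as (source, target, low, high).
    Source ports are ephemeral (1024-65535) and therefore not listed."""
    rules = [("Cell Manager", "DA", INET_PORT, INET_PORT)]   # CM reaches the DA's inet
    for name, (low, high) in ranges.items():
        if name.endswith("SM"):           # xSM, BSM, RSM, DBSM: control connection
            target = name
        elif name == "CRS":               # application integrations talk to the CRS
            target = "CRS"
        elif name.startswith("xMA"):      # xMA-NET: the data path to the Media Agent
            target = "MA"
        else:
            raise ValueError("unknown component %r" % name)
        rules.append(("DA", target, low, high))
    return rules


if __name__ == "__main__":
    ranges = parse_portrangespec(DEFAULT_SPEC)
    print("capacity:", capacity(ranges))
    for src, dst, low, high in firewall_rules(ranges):
        print("%-12s -> %-4s tcp %d-%d" % (src, dst, low, high))
```

With the spec from the post, capacity() reports 251 concurrent sessions for xSM and 11 DA-to-MA connections, which is exactly the number the text arrives at; feeding it the per-manager variant shows how much headroom each of BSM, RSM and DBSM gets individually.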

I hope this article has helped to understand how HP Data Protector works.

Juniper Firefly Perimeter

This posting is ~9 years old. You should keep this in mind. IT is a short-lived business. This information might be outdated.

I'm a big fan of Juniper Networks! I work mainly with the SSG (ScreenOS) and SRX (Junos) series. The Juniper SRX is a network security solution which can be positioned in the data center or at the branch. You will surely agree that virtualization and cloud computing have changed a lot from the network perspective. This demands security solutions that are not bound to hardware boundaries. Juniper Firefly Perimeter addresses these demands.

What is Juniper Firefly Perimeter?

Juniper Firefly Perimeter is an SRX Services Gateway delivered in the form of a virtual appliance. You can compare it with the HP VSR1000 Virtual Services Router or the Cisco Cloud Services Router 1000V. Firefly Perimeter is available for VMware vSphere 5.x and Linux KVM. Microsoft Hyper-V is currently not supported. When you take a look into the datasheet, you will notice that Firefly Perimeter can do all the cool things that you expect from this kind of virtual appliance: from simple routing, routing protocols (RIP, OSPF, BGP, IS-IS...), MPLS, VPN, stateful/ stateless firewall, network attack detection, a lot of management features and many more.

A really cool thing is the Juniper Software Advantage for Security. With this licensing you can choose from multiple options and deploy the software on any platform, regardless of whether it is hardware or a virtual appliance. The licensing is perpetual, so you buy once and use it indefinitely.

When using hardware-based appliances, it's easy to track them: go into the datacenter or the branch office and take a look into the rack. But a lesson I learned over the last years is: when you use virtualization, you need lifecycle management. Otherwise you will often hear the question "What does server XYZ do??". Junos Space Virtual Director addresses these demands. It is a management application for Juniper Firefly Perimeter that helps you to automate the deployment and management of Juniper Firefly Perimeter appliances. To do so, you can use the REST API and attach Junos Space Virtual Director to other platforms and tools (e.g. VMware Orchestrator).

Shut up and take my money!

If you want to test Juniper Firefly Perimeter in your lab, you can simply download it. Juniper provides a 60-day evaluation. All you need is a Juniper Networks account and this link: *click*

juniper_firefly_download

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

I assume that you use VMware vSphere. In this case you have to download the OVA file and deploy it with the vSphere C# or Web Client. The virtual appliance is configured with 2 vCPUs, 2 GB RAM and two E1000 vNICs. If you want to build complex setups, you can add additional vNICs (up to 10). Simply deploy the OVA file.

After powering on, the appliance will try to get an IP address on interface ge-0/0/0.0 via DHCP. Web management is also enabled on this interface. If the VM gets an IP address, you can open a browser and enter the IP address. If everything went right, the Setup Wizard appears.

juniper_firefly_setup_wizard

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

The wizard helps you with the initial configuration of the appliance. It’s very handy if you don’t have much experience with Junos. If you’re versed in Junos configuration, you can configure the appliance using the CLI. Just log in as root without a password. Juniper Networks has really good documentation, so take a look into the Junos 12.1 documentation.

HP VSR1000: How to configure a IPsec tunnel

This posting is ~9 years old. You should keep this in mind. IT is a short living business. This information might be outdated.

One possible use case for the HP VSR1000 is to build IPsec tunnels for secure data transfer. In this post I will show you how to configure an IPsec tunnel between two HP VSR1000 routers. If you need a short introduction, feel free to take a look at this article.

The experimental setup

We have two server VMs (in this case Windows Server 2008 R2 with SP1) and two HP VSR1000 Virtual Service Routers. To simplify things, I added a vSwitch without uplinks to my ESXi at home. This vSwitch has three port groups. Each VSR1000 is connected to one site port group and to the WAN port group, while the server VMs are connected to their site port group only. The WAN port group simulates the WAN link, but in reality the WAN can be anything. This is a screenshot of the ESXi vSwitch and port group configuration, as well as the logical setup.

vsr1000_ipsec_lab

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

vrs1000_ipsec_lab_logical

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

Site A uses the subnet 192.168.100.0/24. Site B uses the subnet 192.168.200.0/24. The subnet 10.0.0.0/30 is used on the WAN side. The IP addressing looks like this:

Site A
  VSR1  192.168.100.1/24
  SRV1  192.168.100.2/24
Site B
  VSR2  192.168.200.1/24
  SRV2  192.168.200.2/24
WAN
  VSR1  10.0.0.1/30
  VSR2  10.0.0.2/30

The VSR1000 uses HP Comware 7.1, so it’s possible that the IPsec configuration differs from Comware 5.

The configuration

I’ve described the initial configuration of a VSR in this article, so in this post I focus on the configuration of the IPsec tunnel itself. First of all we need to configure the interfaces. On VSR1 (the first router):

[VSR1]interface GigabitEthernet1/0
[VSR1-GigabitEthernet1/0]ip address 192.168.100.1 24
[VSR1-GigabitEthernet1/0]description LAN Site A
[VSR1-GigabitEthernet1/0]interface GigabitEthernet2/0
[VSR1-GigabitEthernet2/0]ip address 10.0.0.1 30
[VSR1-GigabitEthernet2/0]description WAN
[VSR1-GigabitEthernet2/0]quit

And on VSR2 (the second router):

[VSR2]interface GigabitEthernet1/0
[VSR2-GigabitEthernet1/0]ip address 192.168.200.1 24
[VSR2-GigabitEthernet1/0]description LAN Site B
[VSR2-GigabitEthernet1/0]interface GigabitEthernet2/0
[VSR2-GigabitEthernet2/0]ip address 10.0.0.2 30
[VSR2-GigabitEthernet2/0]description WAN
[VSR2-GigabitEthernet2/0]quit

Sure, we could set up a small single-area OSPF, but for now static routing is sufficient. These two routes allow us to reach the other side. There is currently no default route (gateway of last resort). On VSR1:

[VSR1]ip route 192.168.200.0 24 10.0.0.2

And on VSR2:

[VSR2]ip route 192.168.100.0 24 10.0.0.1

I will show you how to configure an ACL-based IPsec tunnel. This happens in three steps:

  • Create an ACL
  • Create an IPsec policy
  • Apply the policy to an interface

The first step is to configure the ACLs. These ACLs determine what kind of traffic should be protected. The ACL number 3000 indicates that this is an advanced ACL (advanced ACLs use the numbers 3000 – 3999). The ACL consists of two rules and a description. The rules define that all traffic from 192.168.100.0/24 to 192.168.200.0/24 (and vice versa on VSR2) is permitted. All other traffic is denied by the ACL, which for an IPsec ACL means it is not protected by the tunnel. On VSR1:

[VSR1]acl number 3000
[VSR1-acl-adv-3000]rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
[VSR1-acl-adv-3000]rule 1 deny ip
[VSR1-acl-adv-3000]description IPsec ACL
[VSR1-acl-adv-3000]quit

And on VSR2:

[VSR2]acl number 3000
[VSR2-acl-adv-3000]rule 0 permit ip source 192.168.200.0 0.0.0.255 destination 192.168.100.0 0.0.0.255
[VSR2-acl-adv-3000]rule 1 deny ip
[VSR2-acl-adv-3000]description IPsec ACL
[VSR2-acl-adv-3000]quit

The next steps are to configure the transform set, the keychain, an IKE profile and an IPsec policy. The transform set is part of the IPsec policy and defines the security parameters for the IPsec SA negotiation. This includes the security protocol (AH, ESP), the encapsulation mode and the encryption and authentication algorithms. Because this is a site-to-site VPN, the encapsulation mode “tunnel” is used. On VSR1:

[VSR1]ipsec transform-set ts1
[VSR1-ipsec-transform-set-ts1]encapsulation-mode tunnel
[VSR1-ipsec-transform-set-ts1]protocol esp
[VSR1-ipsec-transform-set-ts1]esp encryption-algorithm aes-cbc-256
[VSR1-ipsec-transform-set-ts1]esp authentication-algorithm sha1
[VSR1-ipsec-transform-set-ts1]quit

And on VSR2:

[VSR2]ipsec transform-set ts1
[VSR2-ipsec-transform-set-ts1]encapsulation-mode tunnel
[VSR2-ipsec-transform-set-ts1]protocol esp
[VSR2-ipsec-transform-set-ts1]esp encryption-algorithm aes-cbc-256
[VSR2-ipsec-transform-set-ts1]esp authentication-algorithm sha1
[VSR2-ipsec-transform-set-ts1]quit

Now the keychain is configured. The keychain includes the pre-shared key. On VSR1:

[VSR1]ike keychain keychain_vsr1
[VSR1-ike-keychain-keychain_vsr1]pre-shared-key address 10.0.0.2 30 key simple VPN-Passw0rd
[VSR1-ike-keychain-keychain_vsr1]quit

And on VSR2:

[VSR2]ike keychain keychain_vsr2
[VSR2-ike-keychain-keychain_vsr2]pre-shared-key address 10.0.0.1 30 key simple VPN-Passw0rd
[VSR2-ike-keychain-keychain_vsr2]quit

The pre-shared key is displayed encrypted in the configuration, even though it’s entered here in plain text. The next step is to configure the IKE profile. In this example it’s simply called “1”. You can give it another name if you like. The IKE profile links the identity of the remote VSR to the keychain. On VSR1:

[VSR1]ike profile 1
[VSR1-ike-profile-1]keychain keychain_vsr1
[VSR1-ike-profile-1]match remote identity address 10.0.0.2 30
[VSR1-ike-profile-1]quit

And on VSR2:

[VSR2]ike profile 1
[VSR2-ike-profile-1]keychain keychain_vsr2
[VSR2-ike-profile-1]match remote identity address 10.0.0.1 30
[VSR2-ike-profile-1]quit

Now the second step (creating an IPsec policy) comes to an end. The IPsec policy links the transform set, the IKE profile and the ACL together. The 10 is the sequence number. You can choose another sequence number if you like. You can also choose another name. I named my policy “policy1”. On VSR1:

[VSR1]ipsec policy policy1 10 isakmp
[VSR1-ipsec-policy-isakmp-policy1-10]security acl 3000
[VSR1-ipsec-policy-isakmp-policy1-10]transform-set ts1
[VSR1-ipsec-policy-isakmp-policy1-10]local-address 10.0.0.1
[VSR1-ipsec-policy-isakmp-policy1-10]remote-address 10.0.0.2
[VSR1-ipsec-policy-isakmp-policy1-10]ike-profile 1
[VSR1-ipsec-policy-isakmp-policy1-10]quit

And on VSR2:

[VSR2]ipsec policy policy1 10 isakmp
[VSR2-ipsec-policy-isakmp-policy1-10]security acl 3000
[VSR2-ipsec-policy-isakmp-policy1-10]transform-set ts1
[VSR2-ipsec-policy-isakmp-policy1-10]local-address 10.0.0.2
[VSR2-ipsec-policy-isakmp-policy1-10]remote-address 10.0.0.1
[VSR2-ipsec-policy-isakmp-policy1-10]ike-profile 1
[VSR2-ipsec-policy-isakmp-policy1-10]quit

The last step is to apply the IPsec policy to an interface. On VSR1:

[VSR1]interface GigabitEthernet2/0
[VSR1-GigabitEthernet2/0]ipsec apply policy policy1
[VSR1-GigabitEthernet2/0]quit

And on VSR2:

[VSR2]interface GigabitEthernet2/0
[VSR2-GigabitEthernet2/0]ipsec apply policy policy1
[VSR2-GigabitEthernet2/0]quit

The result

Once traffic matching the ACL arrives, the IPsec tunnel is established. You can verify this with the following command:

[VSR1]display ipsec sa
-------------------------------
Interface: GigabitEthernet2/0
-------------------------------

  -----------------------------
  IPsec policy: policy1
  Sequence number: 10
  Mode: isakmp
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect forward secrecy: 
    Path MTU: 1427
    Tunnel:
        local  address: 10.0.0.1
        remote address: 10.0.0.2
    Flow:
    sour addr: 192.168.100.0/255.255.255.0  port: 0  protocol: ip
    dest addr: 192.168.200.0/255.255.255.0  port: 0  protocol: ip

    [Inbound ESP SAs]
      SPI: 949311587 (0x38955863)
      Transform set: ESP-ENCRYPT-AES-CBC-256 ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/301
      Max received sequence-number: 16
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: N
      Status: active

      [Outbound ESP SAs]
      SPI: 3361053318 (0xc8559a86)
      Transform set: ESP-ENCRYPT-AES-CBC-256 ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/301
      Max sent sequence-number: 16
      UDP encapsulation used for NAT traversal: N
      Status: active
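When you have more than a handful of tunnels, reading this output by eye does not scale. The following script is an added example (not part of the original post or of HP’s tooling) that parses the “display ipsec sa” output shown above and checks what a practitioner cares about: both SAs active, the negotiated transform set matching what was configured, anti-replay enabled, and no SA about to expire. The sample input is a trimmed copy of the output above; the field names and the check thresholds are assumptions.

```python
import re

# Constructed sample input: the "display ipsec sa" output above, trimmed to the
# lines this check needs (SPI and lifetime values copied from that output).
SAMPLE_OUTPUT = """\
Interface: GigabitEthernet2/0
  IPsec policy: policy1
    Tunnel:
        local  address: 10.0.0.1
        remote address: 10.0.0.2
    [Inbound ESP SAs]
      SPI: 949311587 (0x38955863)
      Transform set: ESP-ENCRYPT-AES-CBC-256 ESP-AUTH-SHA1
      SA remaining duration (kilobytes/sec): 1843199/301
      Anti-replay check enable: Y
      Status: active
      [Outbound ESP SAs]
      SPI: 3361053318 (0xc8559a86)
      Transform set: ESP-ENCRYPT-AES-CBC-256 ESP-AUTH-SHA1
      SA remaining duration (kilobytes/sec): 1843199/301
      Status: active
"""

# One "Field name: value" line; field names may contain spaces and parentheses.
FIELD = re.compile(r"^\s*([A-Za-z][^:]*?):\s*(.*)$")

def parse_ipsec_sa(text):
    """Split the output into dicts for the tunnel header and each SA direction."""
    sections = {"tunnel": {}, "inbound": {}, "outbound": {}}
    current = "tunnel"
    for line in text.splitlines():
        if "[Inbound ESP SAs]" in line:
            current = "inbound"
        elif "[Outbound ESP SAs]" in line:
            current = "outbound"
        else:
            m = FIELD.match(line)
            if m:  # collapse doubled spaces ("local  address") in field names
                sections[current][re.sub(r"\s+", " ", m.group(1))] = m.group(2)
    return sections

def check_tunnel(sa, expected_transform, min_remaining_sec=120):
    """Return a list of problems; an empty list means the tunnel looks healthy."""
    problems = []
    for direction in ("inbound", "outbound"):
        d = sa[direction]
        if d.get("Status") != "active":
            problems.append(f"{direction} SA not active")
        if d.get("Transform set") != expected_transform:
            problems.append(f"{direction} transform set is {d.get('Transform set')!r}")
        remaining = d.get("SA remaining duration (kilobytes/sec)", "0/0").split("/")[1]
        if int(remaining) < min_remaining_sec:
            problems.append(f"{direction} SA rekeys in {remaining}s")
    if sa["inbound"].get("Anti-replay check enable") != "Y":
        problems.append("anti-replay check disabled on inbound SA")
    return problems
```

Feed it the real output (e.g. captured over SSH) and compare against the transform set you configured; a mismatch means the peer negotiated something other than what you intended.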

That’s it!  :) If you are looking for more, take a look into the HP VSR1000 configuration guides. This is an 18 MB (!) PDF which covers all aspects of the VSR1000 and includes a lot of configuration examples.

Regenerating expired vCenter SSL certificates

This posting is ~9 years old. You should keep this in mind. IT is a short living business. This information might be outdated.

During a vSphere 5.0 > 5.5 upgrade I got this message:

The SSL certificate for this product is expired. See Knowledge Base article kb.vmware.com/kb/1009092.

The customer hadn’t installed CA-signed certificates, so the expired certificates were the out-of-the-box self-signed certificates. Depending on the version, the certificates are valid for two years (VirtualCenter 2.5) or 10 years (since vCenter 4.x). The only way to continue the installation is to renew the certificates. After renewing the certificates, you can simply continue the setup, because the vCenter service is stopped at this point of the setup and loads the new certificates during startup. It’s the setup which checks the validity of the certificates. KB1009092 describes in great detail what to do, so I will not repeat what is already written there. You should note that you can’t use the ESXi busybox to renew the certificates; the necessary OpenSSL binary isn’t included. The KB article recommends OpenSSL for Windows. I simply used my Linux root server, but you can also use a small Linux VM. After renewing the certificates for vCenter, Inventory Server and Web Client I simply continued the setup and it ran through without problems. The deployment of CA-signed certificates is planned.

I recommend using CA-signed certificates. You need a CA (this can be your own CA) and the vCenter Certificate Automation Tool, which makes the deployment of your own certificates much easier! There are a couple of excellent posts on this topic. Derek Seaman wrote an awesome four-part series about the usage of the vCenter Certificate Automation Tool. This post by Craig Kilborn is also a good reference. Craig refers to other sources, like Michael Webster.

Dealing with certificates can be difficult for inexperienced administrators. They have to clearly understand how certificates work, what the job of a CA is and how it all works together. Don’t be a beginner and quickly deploy a CA just because you need CA-signed certificates NOW. Just use the self-signed certificates for a couple of weeks and work out a CA design that satisfies the customer’s requirements. Maybe the customer can use the CA for other purposes. Be a trusted advisor, not Mr. Quick ‘n Dirty. ;)