
NetworkJutsu

Networking & Security Services | San Francisco Bay Area


My Semi-Managed Switch – TL-SG2008

07/10/2016 By Andrew Roderos 2 Comments


I bought three of the TL-SG2008 the same day I bought my EdgeRouter Lite. I’ve always wanted some form of managed switch at home to satisfy my wants and to segregate my lab environment.


In my old setup I had three unmanaged switches and an all-in-one router (switch and access point built in). They worked fine, but I wanted some SMB features such as LACP and IEEE 802.1Q VLAN tagging, so I needed managed switches of some kind.

I checked used Cisco Catalyst 3560CG prices on eBay, but they are still expensive, and used Cisco SMB switches were also more than I wanted to pay for my needs. At that point I started looking at other vendors.

The search begins

I checked the Netgear and Linksys product pages because they are popular manufacturers in the SOHO and SMB space. I found candidates there but wanted more options, so I also looked at D-Link, ZyXEL, and TP-LINK. After a few days I had narrowed the list down to two: the TL-SG108E and the TL-SG2008.

I liked the TL-SG108E for its price, and it meets my requirements. What I did not like is that it can only be configured from a Windows machine, through the utility TP-LINK provides. CLI access, SNMP, and similar features are things I want to have, so I went with the TL-SG2008.

Amazon review

When I was looking at the TL-SG2008, a 1-star review on Amazon caught my eye. The reviewer, who goes by Mandrake, stated that the product has security vulnerabilities and claimed that the company would not issue firmware to address them. The company did, however, release a firmware whose release notes claim an improved security level. To me, this signals that the company patched the vulnerabilities found in that report, an assumption later confirmed by one of the commenters on Mandrake's review.

While the company seems to have addressed those vulnerabilities, reading the release notes further reveals that the firmware still relies on weak protocols. It addressed the vulnerabilities of SSLv2 by replacing it with SSLv3 and TLSv1. To a general user this reads like an improvement, and removing SSLv2 does raise the security level, but replacing it with a protocol that is itself deprecated does not bring the device to an acceptable state.

SSLv3 is not sufficiently secure according to RFC 7568, which deprecates it outright; the POODLE attack against its CBC padding is reason enough to disable it. Disabling SSLv3 on this switch, however, leaves only TLSv1.0, and PCI DSS v3.2 no longer accepts SSL or early TLS as a security control in new implementations and sets a deadline for existing ones to migrate to a current TLS version. Hopefully TP-LINK will release firmware that removes SSLv3 completely and adds TLSv1.2.

Vulnerability Reports

Knowing that the firmware uses outdated protocols, I decided to scan the switch from Kali Linux, which I had started using only the month before. Kali ships with a lot of security tools that I hope to play with in the future; for now, I installed and ran Nessus Home and OpenVAS on it to check for vulnerabilities.

I ran two scans with each scanner: one with the default HTTPS and SSH settings, and one after changing them. Note that the switch ships with HTTP and Telnet as the default management protocols; users have to configure it to use the secure ones. Defaulting to unencrypted management protocols is bad practice, so did they really improve the security level?

First vulnerability scan

The first scan is my baseline. For it I enabled HTTPS and SSH and disabled HTTP and Telnet for management, leaving every other setting in the HTTPS and SSH configuration sections alone.

HTTPS

The HTTPS configuration section has two settings to adjust: the protocol versions and the cipher suites. At least one protocol version must remain enabled.

TL-SG2008(config)#ip http secure-protocol
 ssl3                 - Protocol levels (versions): SSLv3
 tls1                 - Protocol levels (versions): TLS1.0

For the cipher suites, there are four to choose from, and at least one must remain enabled for HTTPS to work. I tried disabling all of them except 3DES-EDE-CBC-SHA but lost connectivity from Chrome.

TL-SG2008(config)#ip http secure-ciphersuite
 3des-ede-cbc-sha     - Encryption type ssl_rsa_with_3des_ede_cbc_sha
                         ciphersuite
 rc4-128-md5          - Encryption type ssl_rsa_with_rc4_128_md5
                         ciphersuite
 rc4-128-sha          - Encryption type ssl_rsa_with_rc4_128_sha
                         ciphersuite
 des-cbc-sha          - Encryption type ssl_rsa_with_des_cbc_sha
                         ciphersuite

SSH

The SSH configuration section has three settings to adjust: the protocol version, the encryption algorithms, and the data integrity (MAC) algorithms. The output below shows what is available.

At least one protocol version must remain enabled:

TL-SG2008(config)#ip ssh version
 v1                   - Protocol version v1
 v2                   - Protocol version v2

Six encryption algorithms and two data integrity algorithms (HMAC-SHA1 and HMAC-MD5) are available, all under one command, and at least one of each must remain enabled:

TL-SG2008(config)#ip ssh algorithm
 <algorithm>          - Enable SSH algorithm, AES128-CBC | AES192-CBC |
                         AES256-CBC | Blowfish-CBC | Cast128-CBC |
                         3DES-CBC | HMAC-SHA1 | HMAC-MD5

Results

Both the Nessus and OpenVAS summaries show seven medium-severity findings. Without reading the reports one might conclude that both scanners found the same things, but the details show both overlap and differences.

Nessus summary report (screenshot: Nessus summary, before changes)

OpenVAS summary report (screenshot: OpenVAS summary, before changes)

I have uploaded both reports (here for Nessus and here for OpenVAS) for anyone who wants to follow along.

In the Nessus report, two of the findings concern the self-signed certificate used for SSL/TLS. A self-signed certificate is a risk because the browser cannot verify who it is talking to, so an attacker on the path can present a certificate of their own and intercept the session with no sign beyond the warning the user already clicks through. I think this is acceptable in a home environment, so I do not consider it that bad, though security professionals may disagree.

As mentioned earlier, SSLv3 is vulnerable to POODLE, and both Nessus and OpenVAS report it. As a reminder, SSLv3 does not provide sufficient security in this day and age.

I do not want to enumerate everything in this post, but one more finding from the OpenVAS report deserves a mention because it affects multiple manufacturers, not just TP-LINK: "Known SSH Host Key". The check matches the switch's host key against a database of keys extracted from published firmware images. A match means the private half of the key pair ships inside the firmware and is shared by every unit, so anyone who extracts it can impersonate the switch and intercept SSH sessions. You can find more information here. Unfortunately, there is no way around this, because TP-LINK did not include a way to generate a new host key pair, which is standard on networking devices.

Last vulnerability scan

In this last scan I disabled settings to reduce the number of findings on my switches. With the current firmware there is no way to reach zero.

HTTPS

In the HTTPS configuration section, I disabled SSLv3 and the two RC4-based cipher suites. The two that remain are also weak by today's standards: DES-CBC-SHA uses a 56-bit key, and 3DES-EDE-CBC-SHA has a 64-bit block size that exposes long sessions to birthday attacks (Sweet32). Current TLS deployments use authenticated ciphers such as AES-GCM, AES-CCM, or ChaCha20-Poly1305 instead.

ip http secure-protocol tls1
ip http secure-ciphersuite des-cbc-sha 3des-ede-cbc-sha
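To check from the outside which of the protocol versions and cipher suites above the switch still negotiates, here is an added example (not from the post and not TP-LINK code). Python's ssl module no longer speaks SSLv3 or single-DES, so the probe hand-builds a minimal ClientHello (no extensions, so SSLv3-only servers accept it) and parses the ServerHello or alert that comes back; this is the same negotiation test a scanner's POODLE/SSLv3 check performs. The cipher suite numbers are the IANA-registered values for the four suites the CLI lists; the management address in the usage block is an assumption.

```python
"""Check which SSL/TLS versions and cipher suites an HTTPS endpoint will negotiate.

Added example: hand-built ClientHello plus a ServerHello/alert parser.
"""
import os
import socket
import struct

VERSIONS = {"SSLv3": 0x0300, "TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
# The four suites the TL-SG2008 CLI exposes, by their IANA-registered numbers.
SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
}
RT_HANDSHAKE, RT_ALERT = 0x16, 0x15
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02


def build_client_hello(version, suite_ids):
    """One TLS record carrying a ClientHello that offers exactly suite_ids."""
    suites = b"".join(struct.pack("!H", s) for s in suite_ids)
    body = (struct.pack("!H", version)          # client_version
            + os.urandom(32)                    # random
            + b"\x00"                           # session_id: empty
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                      # compression_methods: null only
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([RT_HANDSHAKE]) + struct.pack("!H", version)
            + struct.pack("!H", len(handshake)) + handshake)


def parse_server_response(data):
    """Classify the first record the server sent.

    Returns ("accepted", negotiated_version, suite_name) for a ServerHello, or
    ("rejected", alert_description) for an alert (40 = handshake_failure,
    70 = protocol_version). Anything else raises ValueError.
    """
    if len(data) < 5:
        raise ValueError("no TLS record (connection closed?)")
    ctype, rec_len = data[0], struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    if ctype == RT_ALERT and len(rec) >= 2:
        return ("rejected", rec[1])
    if ctype != RT_HANDSHAKE or not rec or rec[0] != HS_SERVER_HELLO:
        raise ValueError("unexpected record type %#x" % ctype)
    hello = rec[4:]                              # skip handshake type + 3-byte length
    version = struct.unpack("!H", hello[:2])[0]
    sid_len = hello[34]                          # after 2-byte version + 32-byte random
    suite = struct.unpack("!H", hello[35 + sid_len:37 + sid_len])[0]
    return ("accepted", version, SUITES.get(suite, "%#06x" % suite))


def probe(host, port=443, timeout=5.0):
    """Offer each (version, suite) pair on its own; returns {(vname, sname): result}."""
    results = {}
    for vname, ver in VERSIONS.items():
        for sid, sname in SUITES.items():
            try:
                with socket.create_connection((host, port), timeout=timeout) as s:
                    s.sendall(build_client_hello(ver, [sid]))
                    results[(vname, sname)] = parse_server_response(s.recv(4096))
            except (ValueError, OSError):
                results[(vname, sname)] = ("rejected", None)
    return results


if __name__ == "__main__":
    # Assumed address of the switch's management interface.
    for (vname, sname), result in sorted(probe("192.168.1.2").items()):
        print(vname, sname, result)
```

Offering one suite per connection is deliberate: a server that silently picks a different suite than the one offered would hide which suites it actually accepts. An "accepted" result with a negotiated version lower than the one offered (for example TLSv1.0 in reply to a TLSv1.2 hello) tells you the server's ceiling, which is exactly what the "ip http secure-protocol" setting controls.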

SSH

In the SSH configuration section, I removed SSH protocol version 1. No device should still offer SSHv1; the manufacturer should not have included it if it wanted to improve the security level.

no ip ssh version v1

For the encryption algorithms, I disabled three of the six. All six are CBC-mode ciphers, so this may not buy much: CBC mode in SSH is flagged because of the plaintext-recovery attack published against it in 2008 (CVE-2008-5161), and current implementations prefer CTR mode or AEAD ciphers such as AES-GCM and ChaCha20-Poly1305, none of which this firmware offers. As a result, OpenVAS and Nessus will still report weak SSH ciphers.

no ip ssh algorithm Blowfish-CBC
no ip ssh algorithm Cast128-CBC
no ip ssh algorithm 3DES-CBC

For the data integrity algorithm, I disabled HMAC-MD5 because MD5 is vulnerable to the collision attack described in the linked paper, and SHA-1 is also vulnerable to the attack described in the other linked paper. Strictly, a collision attack on the hash does not by itself break an HMAC built on it, but the firmware offers no SHA-2 MAC, so HMAC-SHA1 is the least bad option available.

no ip ssh algorithm HMAC-MD5
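The "weak SSH cipher/MAC" findings from both scanners come straight from the server's SSH_MSG_KEXINIT (RFC 4253, section 7.1), which the switch sends in the clear before any key exchange, so the check needs no credentials. The following is an added example (not from the post and not TP-LINK code) that reads that message and applies the same rules to the algorithm lists shown in the SSH configuration section above and to the hardened set left after the changes. The sample KEXINIT in the test is constructed to mirror the switch's CLI list, and the management address in the usage block is an assumption.

```python
"""Read an SSH server's KEXINIT and flag the algorithms a scanner flags.

Added example: KEXINIT serialiser/parser plus the weak-algorithm rules.
"""
import socket
import struct

SSH_MSG_KEXINIT = 20
NAME_LISTS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Serialise a KEXINIT payload from {list_name: [algorithm, ...]}."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for key in NAME_LISTS:                       # each name-list: uint32 length + csv
        names = ",".join(lists.get(key, [])).encode("ascii")
        out += struct.pack("!I", len(names)) + names
    return out + b"\x00" + b"\x00\x00\x00\x00"   # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Return the ten name-lists of a KEXINIT payload as {list_name: [algorithm, ...]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}                          # skip message id + 16-byte cookie
    for key in NAME_LISTS:
        (n,) = struct.unpack("!I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        lists[key] = raw.split(",") if raw else []
        pos += 4 + n
    return lists


def weak_algorithms(lists):
    """(kind, name, reason) for every offered algorithm a 2016-era scanner reports."""
    findings = []
    for name in set(lists["enc_c2s"] + lists["enc_s2c"]):
        if name.endswith("-cbc"):
            findings.append(("cipher", name, "CBC mode, plaintext recovery (CVE-2008-5161)"))
        elif name.startswith("arcfour"):
            findings.append(("cipher", name, "RC4"))
    for name in set(lists["mac_c2s"] + lists["mac_s2c"]):
        if "md5" in name:
            findings.append(("mac", name, "MD5-based MAC"))
        elif name.endswith("-96"):
            findings.append(("mac", name, "MAC truncated to 96 bits"))
        elif name in ("hmac-sha1", "hmac-sha1-etm@openssh.com"):
            findings.append(("mac", name, "SHA-1 based MAC, prefer hmac-sha2-*"))
    for name in lists["kex"]:
        if name in ("diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"):
            findings.append(("kex", name, "1024-bit group or SHA-1 key exchange"))
    return sorted(findings)


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Banner exchange, then return the raw KEXINIT payload the server sends."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):   # servers may send text before the banner
            line = f.readline()
        if not line:
            raise ConnectionError("no SSH banner received")
        s.sendall(b"SSH-2.0-kexinit_probe\r\n")
        (packet_len,) = struct.unpack("!I", f.read(4))  # unencrypted binary packet, RFC 4253 s.6
        padding_len = f.read(1)[0]
        payload = f.read(packet_len - padding_len - 1)
        f.read(padding_len)
    return payload


if __name__ == "__main__":
    # Assumed address of the switch's management interface.
    for finding in weak_algorithms(parse_kexinit(fetch_server_kexinit("192.168.1.2"))):
        print(*finding)
```

Run against the switch after the "no ip ssh algorithm" changes, the cipher findings shrink from six to three but do not disappear, which is the result the scanners report: every remaining cipher is still CBC. The rules are only as good as the list, so extend them as scanner policies tighten.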

Results

As you can see below, disabling those settings reduced the number of medium-severity findings. Interestingly, the OpenVAS low-severity count rose to three. Again, both reports are uploaded: here for Nessus and here for OpenVAS.

Nessus summary report (screenshot: Nessus summary, after changes)

OpenVAS summary report (screenshot: OpenVAS summary, after changes)

Things I like

There are a few things I like about this switch that other smart switches do not have:

  • CLI access is big for me
  • SNMP/RMON is pretty cool to have for monitoring purposes
  • LACP support
  • 802.1X support (though, quite limited)

Things I don’t like

Aside from the security vulnerabilities, there are a few things I do not like about this switch:

  • Lack of password complexity
  • No RADIUS support for device authentication
  • Lost configs after upgrading the firmware

Thoughts

I think it is unfair of the reviewer to rate it 1 star purely on the security vulnerabilities. Do not get me wrong: security is very important and would probably cost it one or two stars, but 1 out of 5 seems harsh. If the vulnerabilities cannot be eliminated, mitigation becomes important. In this case I reduced the number of findings by turning settings off, and I could reduce the medium-severity count further by disabling HTTPS management altogether and using only SSH. Speaking of management, the switch offers ACLs, so one can restrict which hosts are allowed to reach the management interface at all; the remaining weaknesses are then only exposed to whatever can already reach those hosts.

Is it better to buy another product that does not have these vulnerabilities? Sure. Will I return the product? I cannot, because I have had them for more than six months now. Would I if I could? I have to say no. I have not had any issues with the switch, and I really like having CLI access, which I have not seen in another switch in this price range (though I may not be looking hard enough). Will I recommend it? Sure, as long as the buyer is aware of and understands the vulnerabilities that come with it.

Disclosure

NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.

VMware ESXi Home Lab [2016]

03/19/2016 By Andrew Roderos Leave a Comment


I recently bought an Intel NUC 6th generation (Skylake-based Core i3) as a VMware ESXi host. It is an addition to my existing host, which I assembled back in 2012. That machine has served me well over the years, and I hope it will continue to do so for several more. Four years old is obsolete in the computing world, but I think it is still a very capable machine for what I use it for, so it will keep running as my other ESXi host.


You might be asking why in the world someone who is not even studying for VMware certifications would need two ESXi hosts at home. I do, however, want to point out that I wanted to take the VCP certification back then, which is why I attended the VMware vSphere Install, Configure, and Manage [V5] class at a community college in 2012 (check my tweet about it). Anyway, the primary reason is that the 32GB of RAM on my first ESXi host is beginning to be too limiting for my CCIE lab. I have to manage how many VMs are powered on or I end up overcommitting memory.

The secondary reason, related to the first, is that I really want to run vCenter Server so I can play with vSphere Flash Read Cache and other features. @matthaedo mentioned Flash Read Cache in his response to my tweet. I did a quick search, since I did not know what it was or how to set it up, and found that one of its requirements is vCenter Server, which I did not have. Yes, I could have installed the trial version of vCenter on my existing host and been done with it, but I really wanted another host anyway to take on my other VMs plus the vCenter Server Appliance. Fortunately, I found out that we have a VMAP (VMware Academic Program) campus subscription. Among other things, it allows any student, staff, or faculty member to use VMware infrastructure products for personal use to gain hands-on experience. The program is similar to VMUG Advantage but includes only a few products; for example, we do not have access to VMware Virtual SAN in the portal, while VMUG Advantage's EVALExperience does. So, if one is looking for relatively inexpensive ($200) VMware licenses, the VMUG Advantage subscription is the way to go. I just wish it included VMware NSX.

Let’s go shopping

Intel NUC

At the time of writing, four Intel NUC 6th generation models are shipping: two with the same Core i3 CPU and two with the same Core i5 CPU, namely the NUC6i3SYK, NUC6i3SYH, NUC6i5SYK, and NUC6i5SYH. Between the two models with the same CPU, the differences are the size of the enclosure and the SATA3 port: models ending in SYH have room for a 2.5″ HDD or SSD and the SATA3 connector for it. The NUC6i7KYK (Skull Canyon) is now available for purchase, and ESXi 6.0 U2 can be installed on it with BIOS changes.

Several virtualization folks have been running ESXi on Intel NUCs for years. The earlier NUCs are not compatible with the official ESXi ISO, so they require a customized ISO containing the proper drivers. With the 6th generation a custom ISO is no longer needed, which makes for a seamless install.

Without further delay, here are the parts of my ESXi host:

1 x Intel NUC6i3SYH
1 x G.SKILL 32GB (2 x 16GB) F4-2133C15D-32GRS
1 x Sandisk Cruzer Blade 8GB USB Flash Drive (not pictured)
1 x OCZ Deneva 2 C Series 240GB D2CSTK251A20-0240 (not pictured)

I just happened to have the USB flash drive and OCZ SSD drive so feel free to buy the alternative parts listed below:

1 x Crucial 32GB (2 x 16GB) CT2K16G4SFD8213
1 x Sandisk Cruzer Fit 8GB
1 x Samsung 850 EVO 250GB 2.5″ SSD and/or 1 x Samsung 850 250GB EVO M.2

If you decide that you want additional NIC, then you may want to purchase the StarTech USB 3.0 NIC. Right out of the box, it won’t work but with a little tweaking then you could definitely make it work.

At the time of writing, the Crucial ($165) is cheaper than the G.SKILL ($180), so buy the Crucial instead; I happened to get the G.SKILL a little cheaper than the Crucial when I bought my parts. If you do not need the SSD because you have a NAS (I have the Synology DS1812+), then ignore the links above. In fact, my other ESXi host has no HDD or SSD installed, though that may change in the future. I already have a Samsung 850 EVO 1TB SSD in my NAS to speed the VMs up, but I might still buy one for Flash Read Cache.

Installation

Before installing ESXi 6.0 Update 2 on the Intel NUC, I suggest checking the BIOS version first. Mine came with version 24, released in October 2015. The new version, 36, was released last month and can be downloaded directly from Intel's download page. The same BIOS file works on all four models, so be sure to download and apply it before doing anything else. Upgrading was very easy: I downloaded the SY0036.BIO file, copied it to a USB flash drive, powered on the NUC with the drive inserted, and hit F7. The NUC recognized the BIO file, and I followed the on-screen prompts to install the new BIOS.

After the BIOS update completed, I went back to my other computer and tried to write the ESXi 6.0U2 ISO to a USB flash drive with UNetbootin. I have used it in the past to create bootable USB drives for various operating systems, but this time it did not recognize my USB flash drive for some reason, even though Windows did. I then used Rufus to create the ESXi bootable USB drive, and it recognized the flash drive just fine.

Next, I booted the NUC with the USB flash drive and entered BIOS settings to make sure that the boot order was correct so that every time that the NUC reboots, it always tries to boot from the USB. Once ESXi installer files were loaded to the RAM, I followed the screen prompts and picked the same USB flash drive I used to boot it from as the destination drive for the ESXi files.

(screenshot: ESXi running on the Intel NUC)

Thoughts

As you can tell from my tweet, I have only had the Intel NUC for two days, but I am quite pleased with it. I will not lie, I wish my NUC had more oomph. I could have gotten the Core i5 or waited for the Core i7, which in theory should provide more, but staying under $500 was important. The $90 difference for the Core i5 is probably not much, but I have spent quite a bit on tech over the past few months: my router, managed switches, and the 1TB SSD. If I ever need more compute power for a VM, I can use vMotion to move it to my Xeon-based ESXi host and run it there.

I also noticed that the NIC does not seem to work correctly when I set it to a 9K MTU. I kept getting an error message, and a quick search turned up one person saying that the NIC does not support jumbo frames, while a reader said the NIC itself does and the driver might be the culprit. It is not a big deal, but it would have been nice to use a 9K MTU without tweaking. The majority of my wired devices are already set to 9K, so this is another odd one out.



How to configure sFlow on Nexus 3000

08/04/2015 By Andrew Roderos Leave a Comment


I mentioned sFlow in this blog post. Today I want to show how to configure it on the Nexus 3000 series. The configuration covered here was tested on both the Nexus 3172 and the Nexus 3048. The Nexus 3524/3548 is not sFlow capable, so check Cisco's documentation to see whether your switch supports it.

What is sFlow?

sFlow, short for sampled flow, is an industry-standard sampling technology for monitoring traffic in data networks. It was originally developed by InMon Corporation, maker of the Traffic Sentinel flow collector. Version 4 is documented in RFC 3176 (an Informational RFC); the current version 5 is specified by sFlow.org.

Configuration

If you are familiar with NX-OS, you know that the feature command is needed to enable the features you want on Nexus switches, and sFlow is no different from BGP, OSPF, and the rest.

feature sflow

The command above enables the sFlow feature.

The next two settings are important, and one needs to consider how they should be set for one's own network: the sampling rate and the counter polling interval. They control two independent things. The sampling rate is a 1-in-N packet sampling ratio: on average, one of every N packets crossing a data-source interface has its header copied and exported. The counter polling interval is how often the interface counters (octets, packets, errors) are exported, regardless of packet sampling.

Let's take a scenario where the sampling rate is 1 in 5,000 and we look at a 60-second window in which 50,000 packets traversed the interface. On average sFlow sampled 10 of those 50K packets. That is a very small number and does not reveal much about the overall traffic. Say sFlow sampled five HTTPS packets, one NFS, one SSH, one FTP, and one ARP. One could speculate that HTTPS dominated, but one could never be sure, because 10 is a very small number.

Make sure to adjust the sampling rate and polling interval for your needs. The configuration below is just a sample based on the scenario above. Switches that support sFlow do the sampling in the forwarding ASIC, so sampling more aggressively costs the switch far less than NetFlow does; the limits to watch are the export bandwidth and the collector's capacity. Newer Cisco switches might, however, have ASICs that handle NetFlow as well as they handle sFlow.

sflow sampling-rate 5000
! Sampling rate is configurable from 4096 to 1000000000. 0 disables the sampling. 4096 is the default value.
!
sflow counter-poll-interval 60
! Polling interval is configurable from 0 to 2147483647. 20 seconds is the default.
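The scenario above can be put into numbers. The following is an added example, not from the post: with 1-in-N sampling each sample stands for about N packets, and a count built from c samples is, at 95% confidence, within roughly 196 * sqrt(1/c) percent of the true value, the bound sFlow.org gives in "Packet Sampling Basics". The sample counts in the usage block are the post's scenario; the packet rates are assumed.

```python
"""Turn sFlow sample counts into traffic estimates with their error bounds.

Added example: estimator, sample budget, and a sampling-rate sizing helper.
"""
import math


def estimate(samples_by_proto, sampling_rate):
    """{proto: (estimated_packets, error_pct_95)} from per-protocol sample counts."""
    out = {}
    for proto, c in samples_by_proto.items():
        err = 196.0 * math.sqrt(1.0 / c) if c else float("inf")
        out[proto] = (c * sampling_rate, err)
    return out


def samples_needed(error_pct):
    """Samples a count needs to be within error_pct at 95% confidence."""
    return math.ceil((196.0 / error_pct) ** 2)


def sampling_rate_for(pps, interval_s, error_pct, minimum=4096):
    """Largest 1-in-N that still collects samples_needed(error_pct) samples of a
    flow running at pps packets/s within interval_s seconds, floored at the
    platform minimum (4096 on the Nexus 3000). Getting the floor back means the
    target error is not reachable in that window; widen the window instead."""
    n = (pps * interval_s) // samples_needed(error_pct)
    return max(minimum, int(n))


if __name__ == "__main__":
    scenario = {"https": 5, "nfs": 1, "ssh": 1, "ftp": 1, "arp": 1}   # the post's 10 samples
    for proto, (pkts, err) in estimate(scenario, 5000).items():
        print("%-5s ~%6d packets, +/-%.0f%%" % (proto, pkts, err))
    print("samples for 10%% error: %d" % samples_needed(10))
    # Assumed rates: the post's ~833 pps interface, and a busy 1 Mpps link.
    print("1-in-N for 833 pps, 60 s, 10%%: %d" % sampling_rate_for(833, 60, 10))
    print("1-in-N for 1 Mpps, 60 s, 10%%: %d" % sampling_rate_for(1_000_000, 60, 10))
```

For the post's scenario the HTTPS estimate is about 25,000 packets give or take 88%, and each single-sample protocol is 5,000 give or take 196%, which is the precise form of "one could never be sure". To pin a count within 10% you need 385 samples; at the Nexus 3000 floor of 1-in-4096 that takes about 1.6 million packets, so sFlow answers "who are the top talkers" over minutes or on busy links, not from a one-minute window on a quiet one.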

The next important command is the data source. With no data source, there is nothing to report to the collector.

sflow data-source interface e1/1 - 50
sflow data-source interface port-channel 1

If all the interfaces on the switch are defined as data sources, there will be an error if one later wants to add an interface to an EtherChannel. That interface must be removed from the data sources first and, if sFlow data is still wanted, the port-channel added instead: for a member of an EtherChannel, the logical interface is the data source, not the physical one.

Now we need to point the switch to the flow collector. Check with your flow collector vendor that it supports sFlow. InMon's Traffic Sentinel supports multiple flow formats: sFlow (obviously, since they originally developed it), NetFlow/NetFlow-Lite/Flexible NetFlow, IPFIX, etc.

sflow collector-port 6343
! 6343 is the default and the official sFlow port.
!
sflow collector-ip 192.168.100.100 vrf default
! Use "vrf management" instead if the collector is reached through the mgmt0 interface.
sflow agent-ip 192.168.1.10

The collector-ip is the address of the flow collector. The vrf option depends on how the collector is reached: use management if the collector is reachable through the management port, otherwise default. The agent-ip is the source address the switch uses for the exported datagrams; it must be an address in the chosen VRF, so use the management interface's address if vrf management was chosen.

The last two settings are optional. They have default values but may need adjusting depending on one's environment.

sflow max-sampled-size 128
! Maximum number of bytes copied from the start of each sampled packet (enough for the L2/L3/L4 headers).
!
sflow max-datagram-size 1400
! Maximum number of data bytes sent in a single sFlow datagram; keep it under the path MTU to the collector.

Thoughts

If you have a flow collector and Nexus switches that support sFlow, consider enabling it. It gives you network visibility that may help later, for example with the cases I mentioned here: finding the target of a DoS/DDoS attack, identifying the network's top talkers, and so on.

Reference

Configuring sFlow

Want to learn more about NX-OS?

NX-OS and Cisco Nexus Switching: Next-Generation Data Center Architectures


Building Your Own Proxy Server

02/18/2013 By Andrew Roderos Leave a Comment


What is a proxy server? According to Wikipedia, it is a server that acts as an intermediary for requests from clients seeking resources from other servers. There are many types of proxy server; this tutorial shows only one, which lets someone bypass most, if not all, poorly designed or poorly implemented web content filtering.

There are many ways to filter websites to stop employees from visiting adult, gambling, social networking sites, etc. The ones I know of are OpenDNS, Blue Coat, and Websense. While I have not been on a network where OpenDNS was deployed, I have been on networks with Blue Coat and Websense appliances. With this tutorial, someone will most likely succeed in bypassing these web content filtering appliances if they are not properly configured or if the firewall allows outbound SSH traffic. In organizations that allow access to any website, this setup can also hide HTTP/HTTPS traffic by encapsulating all of the user's traffic inside SSH, which is encrypted.

What you need

  • Extra computer or a new Virtual Machine (VM)
  • Know how to install and update Linux with OpenSSH installed. This tutorial will use Ubuntu Server edition.
  • Know how to use text editor on Linux. This tutorial will use VI editor.
  • Know how to configure port forwarding on your router
  • Account from DynDNS or other free Dynamic DNS
  • PuTTY (Windows) or Terminal
  • Firefox installed

Steps

Step one is to download, install and update Ubuntu Linux Server. In this tutorial, I used Ubuntu Server 12.04 LTS. My original installation still works with 16.04.

Step two is to install the Squid package with the command below. If you want to learn more about Squid, you might want to check out this book; I have no experience with it, so please read through the reviews.

networkjutsu@ubuntu:~$ sudo apt-get install squid
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-headers-3.2.0-23-generic linux-headers-3.2.0-23 linux-headers-3.2.0-34
  linux-headers-3.2.0-36 linux-headers-3.2.0-34-generic
  linux-headers-3.2.0-36-generic
Use 'apt-get autoremove' to remove them.
The following extra packages will be installed:
  libltdl7 squid-langpack squid3 squid3-common
Suggested packages:
  squidclient squid-cgi smbclient
The following NEW packages will be installed:
  libltdl7 squid squid-langpack squid3 squid3-common
0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,012 kB of archives.
After this operation, 7,122 kB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://us.archive.ubuntu.com/ubuntu/ precise/main libltdl7 amd64 2.4.2-1ubuntu1 [37.6 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu/ precise/main squid-langpack all 20111114-1 [307 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main squid3-common all 3.1.19-1ubuntu3.12.04.2 [123 kB]
Get:4 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main squid3 amd64 3.1.19-1ubuntu3.12.04.2 [1,539 kB]
Get:5 http://us.archive.ubuntu.com/ubuntu/ precise-updates/universe squid amd64 3.1.19-1ubuntu3.12.04.2 [6,254 B]
Fetched 2,012 kB in 2s (753 kB/s)
Selecting previously unselected package libltdl7.
(Reading database ... 128431 files and directories currently installed.)
Unpacking libltdl7 (from .../libltdl7_2.4.2-1ubuntu1_amd64.deb) ...
Selecting previously unselected package squid-langpack.
Unpacking squid-langpack (from .../squid-langpack_20111114-1_all.deb) ...
Selecting previously unselected package squid3-common.
Unpacking squid3-common (from .../squid3-common_3.1.19-1ubuntu3.12.04.2_all.deb) ...
Selecting previously unselected package squid3.
Unpacking squid3 (from .../squid3_3.1.19-1ubuntu3.12.04.2_amd64.deb) ...
Selecting previously unselected package squid.
Unpacking squid (from .../squid_3.1.19-1ubuntu3.12.04.2_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
ureadahead will be reprofiled on next reboot
Processing triggers for ufw ...
Setting up libltdl7 (2.4.2-1ubuntu1) ...
Setting up squid-langpack (20111114-1) ...
Setting up squid3-common (3.1.19-1ubuntu3.12.04.2) ...
Setting up squid3 (3.1.19-1ubuntu3.12.04.2) ...
Creating Squid HTTP proxy 3.x spool directory structure
2013/02/18 11:32:01| Creating Swap Directories
squid3 start/running, process 1894
Setting up squid (3.1.19-1ubuntu3.12.04.2) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place

Step three is to give the Ubuntu box a static IP address, or to reserve one for it on the home router. Since there are many home routers on the market, this tutorial only covers assigning a static IP on the Ubuntu box, as shown below.

networkjutsu@ubuntu:~$ sudo vi /etc/network/interfaces

The file will look like the one shown below.

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet dhcp

Change the configuration to something like this:

# The primary network interface
auto eth0
iface eth0 inet static
        address 192.168.1.10
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        gateway 192.168.1.1
        dns-nameservers 192.168.1.1

Save and exit the text editor. Back at the Linux prompt, restart the networking service so the new IP settings take effect.

networkjutsu@ubuntu:~$ sudo /etc/init.d/networking restart
 * Running /etc/init.d/networking restart is deprecated because it may not enable again some interfaces
 * Reconfiguring network interfaces...

Since this was done remotely, the SSH session was terminated once the changes took effect.

Step four is to configure port forwarding on the home router. Again, with so many home routers on the market, it is not practical to cover each model in this tutorial.

Step five is to sign up for a Dynamic DNS service such as DynDNS. This is useful for folks whose home Internet connection has a dynamic IP address. Configuring the router for the DynDNS service is out of the scope of this tutorial.

Step six is to verify that the Ubuntu box is reachable from a computer on a different ISP. This is the perfect time to use the office network to connect to the Ubuntu box. If the SSH session succeeds, the office firewall is not blocking outbound TCP port 22 (SSH). If it fails, one of two things is wrong: the port forwarding was not configured correctly, or the firewall is blocking SSH. To tell the two apart, try from another computer on a different ISP that has no firewall blocking SSH.

Step seven is to change the SSH port, or add a second one, to port 80 (HTTP) or 443 (HTTPS), the ports an office firewall almost always allows outbound. This step can be skipped if step six was successful on the default SSH port. To change or add the port that the SSH service listens on, follow the commands below.

networkjutsu@ubuntu:~$ sudo vi /etc/ssh/sshd_config

A new screen will show up and will look like this:

# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22

Change the configuration to the one shown below. Delete the Port 22 line if desired. I've added ports 80 and 443 in this configuration, but either one is fine. Save and exit the text editor and reboot the server. I tried sudo service ssh restart and sudo /etc/init.d/ssh restart, but they didn't work. Please feel free to let me know another way to do this other than rebooting the server.

# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
Port 80
Port 443

Step eight is to reconfigure the port forwarding reflecting the new port that was configured earlier.

Step nine is to try connecting to the Ubuntu box from the office network using port 80 or 443, depending on how the Ubuntu box was configured. This should succeed unless deep packet inspection has been turned on on the Blue Coat or Websense appliance. The other thing that will stop this connection is a Palo Alto Networks firewall, or any appliance capable of application-layer filtering: those identify the SSH handshake itself, no matter which port it runs on. For that type of network this tutorial is useless.
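Steps seven and eight, as an added example that is not part of the original post: a small POSIX shell helper that adds the second port to a working copy of sshd_config, keeps the new line out of any Match block, keeps Port 22 when no Port line existed, and sanity-checks the result before anything is restarted. The sample configuration inside it is constructed for the demo; the path /etc/ssh/sshd_config is the Ubuntu default from the post, and port 443 is our choice.

```shell
#!/bin/sh
# Added example, not from the original post. Adds a second sshd listening
# port on a working copy of sshd_config and sanity-checks the result, so the
# edit can be reviewed (diff) before it is installed and sshd is restarted.
# Assumptions (ours): the extra port is 443; SSHD_CONFIG, if set, points at
# the real file (/etc/ssh/sshd_config on Ubuntu), otherwise a constructed
# sample is used.

# add_sshd_port FILE PORT
# Inserts "Port PORT" right after the last existing Port line so that it
# stays in the global section: sshd does not accept Port inside a Match
# block, which is exactly where a blind "echo Port 443 >> sshd_config"
# lands if the file ends with one. If no Port line exists, "Port 22" is
# written first, because once any Port line is present the implicit
# default of 22 is gone and the port the router already forwards would
# silently stop listening. Re-running with the same port changes nothing.
add_sshd_port() {
    file=$1; port=$2
    if grep -Eq "^[[:space:]]*Port[[:space:]]+${port}([[:space:]]|$)" "$file"; then
        return 0
    fi
    if grep -Eq '^[[:space:]]*Port[[:space:]]+[0-9]+' "$file"; then
        awk -v p="$port" '
            { line[NR] = $0 }
            /^[[:space:]]*Port[[:space:]]+[0-9]+/ { last = NR }
            END {
                for (i = 1; i <= NR; i++) {
                    print line[i]
                    if (i == last) print "Port " p
                }
            }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        { printf 'Port 22\nPort %s\n' "$port"; cat "$file"; } > "$file.tmp" \
            && mv "$file.tmp" "$file"
    fi
}

# list_sshd_ports FILE -> configured ports, space separated, in file order
list_sshd_ports() {
    awk '/^[[:space:]]*Port[[:space:]]+[0-9]+/ { printf "%s%s", (n++ ? " " : ""), $2 }
         END { print "" }' "$1"
}

# check_sshd_ports FILE -> 0 if every Port line carries a number in 1..65535.
# A cheap syntax check only; on the real box also run "sshd -t" as root
# before restarting, because a restart with an unparseable file leaves you
# with no sshd at all.
check_sshd_ports() {
    awk '/^[[:space:]]*Port[[:space:]]+/ {
             if ($2 !~ /^[0-9]+$/ || $2 + 0 < 1 || $2 + 0 > 65535) bad = 1
         }
         END { exit bad ? 1 : 0 }' "$1"
}

# Stand-alone run: work on a copy, never on the live file.
work=$(mktemp)
if [ -n "$SSHD_CONFIG" ]; then
    cp "$SSHD_CONFIG" "$work"
else
    cat > "$work" <<'EOF'
# constructed sample, modelled on the Ubuntu default layout
Port 22
Protocol 2
PermitRootLogin no
Match User backup
    PasswordAuthentication no
EOF
fi
add_sshd_port "$work" 443
if check_sshd_ports "$work"; then
    echo "edited copy: $work  ports: $(list_sshd_ports "$work")"
fi
```

On the real box, run it with SSHD_CONFIG=/etc/ssh/sshd_config, diff the printed copy against the original, copy it into place, and validate with sshd -t as root before restarting the service or rebooting as the post does. sshd runs as root, so binding 80 or 443 needs no extra privilege.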

Assuming step nine is successful, step ten is to create a new SSH session, this time with different parameters. If Windows and PuTTY are being used, follow the guide below. Go to page four if Apple OS X is being used.

Windows and PuTTY

Enter the host name or IP address of the Ubuntu box and the port number as normal.

On the left side of PuTTY (the Category section), expand the SSH menu under Connection and click Tunnels. A screenshot is included below for reference.

Tunnels

Once there, add the forwarded ports, both local and remote. The local forward is source port 3128 to destination localhost:3128, the same mapping the OS X command in the next section uses. Screenshots are included below for reference.

Local ports

Local

Remote ports

Remote

Since this SSH session will be used a lot, it is a good idea to save it so all the parameters are populated the next time we use it. See the screenshot below.

Saved Session

Apple OS X and Terminal

With Apple OS X and Terminal, it is really simple compared to the Windows and PuTTY combination. See below for how to connect using Terminal on OS X.

ssh networkjutsu@networkjutsu.com -L 3128:localhost:3128

Since this is a long command, we should create an alias to shorten what we need to type when connecting to the Ubuntu box. To create an alias, edit the .bash_profile in our home directory. The file belongs to our own user, so sudo is not needed; using it can leave a root-owned .bash_profile behind if the file has to be created.

NetworkJutsu-MacBook-Pro:~ NetworkJutsu$ ls -ah
.                       .bash_profile           Documents
..                      .cups                   Downloads
.CFUserTextEncoding     .filezilla              Library
.DS_Store               .putty                  Movies
.Trash                  .ssh                    Music
.anyconnect             .viminfo                Pictures
.bash_history           Desktop                 Public
NetworkJutsu-MacBook-Pro:~ NetworkJutsu$ vi .bash_profile

A new window will show up that looks like the one below (an empty vi screen; the tildes mark rows past the end of the file).

~
~
~
".bash_profile" 2L, 120C

Enter the line shown below then save and exit out of the editor.

alias networkjutsu='ssh networkjutsu@networkjutsu.com -L 3128:localhost:3128'

By creating an alias, we save keystrokes every time we connect to our Ubuntu box, as shown below. The alias above assumes the standard SSH port, 22. If sshd was moved to port 80 or 443, add -p 80 (or -p 443) to the command. By default ssh -L binds the local end of the tunnel to the loopback address only, so other machines on the office LAN cannot browse through our proxy via the laptop.

NetworkJutsu-MacBook-Pro:~ NetworkJutsu$ networkjutsu
networkjutsu@networkjutsu.com's password:
Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.2.0-37-generic x86_64)
 * Documentation:  https://help.ubuntu.com/
  System information as of Mon Feb 18 13:44:53 PST 2013
  System load:  0.0               Processes:           74
  Usage of /:   47.1% of 6.62GB   Users logged in:     0
  Memory usage: 25%               IP address for eth0: 192.168.1.10
  Swap usage:   32%
  => /boot is using 91.2% of 227MB
  Graph this data and manage this system at https://landscape.canonical.com/
0 packages can be updated.
0 updates are security updates.
Last login: Mon Feb 18 11:58:59 2013 from networkjutsu.com
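The tunnel from step ten and the alias above, as an added example that is not part of the original post: a POSIX shell wrapper that builds the ssh command, refuses a forward whose client side is not bound to loopback, makes ssh exit if the forward cannot be set up, and waits until the local proxy port answers before reporting success. User networkjutsu, host networkjutsu.com and port 3128 are the post's; the sshd port argument, the ServerAliveInterval value and the nc-based check are our choices.

```shell
#!/bin/sh
# Added example, not from the original post: a wrapper for the tunnel
# command. It (1) refuses a -L spec whose client side binds anything but
# loopback, since "0.0.0.0:3128:localhost:3128" would let every host on the
# office LAN browse through your squid via your laptop, (2) sets
# ExitOnForwardFailure so ssh exits instead of logging you in with a tunnel
# that never bound (for example because a stale ssh still owns port 3128),
# and (3) waits until the local proxy port actually answers.
# User, host and port 3128 come from the post; the port sshd listens on
# (22, 80 or 443) is passed as the first argument.

SSH_USER=${SSH_USER:-networkjutsu}
SSH_HOST=${SSH_HOST:-networkjutsu.com}

# local_bind_ok SPEC -> 0 when the client side of "[bind:]port:host:hostport"
# is empty (ssh then binds loopback), localhost, 127.0.0.1 or [::1]
local_bind_ok() {
    left=$1
    left=${left%:*}; left=${left%:*}      # drop host:hostport, keep [bind:]port
    case $left in
        *:*) bind=${left%:*} ;;
        *)   bind= ;;
    esac
    bind=${bind#\[}; bind=${bind%\]}      # accept the [::1] bracket form
    case $bind in
        ""|localhost|127.0.0.1|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# tunnel_cmd SSHPORT [SPEC] -> prints the ssh command line, or fails loudly
tunnel_cmd() {
    sshport=${1:-22}; spec=${2:-3128:localhost:3128}
    if ! local_bind_ok "$spec"; then
        echo "refusing to expose the proxy: $spec binds a non-loopback address" >&2
        return 1
    fi
    printf 'ssh -p %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L %s %s@%s\n' \
        "$sshport" "$spec" "$SSH_USER" "$SSH_HOST"
}

# wait_for_proxy [SECONDS] -> 0 once 127.0.0.1:3128 accepts a TCP connection
wait_for_proxy() {
    n=${1:-10}
    while [ "$n" -gt 0 ]; do
        nc -z 127.0.0.1 3128 2>/dev/null && return 0
        n=$((n - 1)); sleep 1
    done
    return 1
}

# start_tunnel SSHPORT -> background the tunnel (-N: no shell, -f: fork)
# and only report success once Firefox would actually be able to use it
start_tunnel() {
    cmd=$(tunnel_cmd "$1") || return 1
    $cmd -N -f && wait_for_proxy 10
}

# Stand-alone run: show what would be executed for sshd on port 443.
tunnel_cmd 443
```

When connecting on the new port for the first time, ssh records the host key under [networkjutsu.com]:443 in known_hosts; it should be the same key that was accepted on port 22 in step six. If it is not, stop: the whole point of the tunnel is that the far end is our own box.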

Browser settings

Most organizations lock down their Windows machines, so Internet Explorer's Internet Options will most likely be grayed out, at least in part. We therefore need another browser whose proxy settings are not tied to Windows GPO. Google Chrome does not do the job because on Windows it uses the system proxy settings, the same ones Internet Explorer exposes. Another popular browser is Firefox, which does what we need: its proxy settings are its own. While there are other browsers out there, this tutorial was only done on Firefox; feel free to test the browser of your choice. See the picture below for the configuration details to use our Ubuntu proxy server: a manual HTTP proxy of 127.0.0.1 on port 3128, applied to all protocols so that HTTPS goes through the tunnel as well. With an HTTP proxy configured, Firefox hands the hostname to the proxy instead of resolving it itself, so name lookups happen on the Ubuntu box rather than through the office resolver.

Firefox

With all the steps performed, we can now browse virtually any website we want from anywhere. While the tutorial only mentioned bypassing web content filtering appliances, the same setup also protects us on open-authentication wireless networks like the ones at the local coffee shop or restaurant. On an open network the wireless traffic is not encrypted, so anyone nearby can read plain HTTP traffic, see which sites we visit, and attempt man-in-the-middle tricks against our sessions to the bank or email, such as a rogue access point or stripping the redirect to HTTPS. Tunneling all of our HTTP and HTTPS traffic to the Ubuntu box means the only thing on the air is an SSH session to a host whose key we already know. Plain HTTP still leaves the Ubuntu box unencrypted, but from our home connection rather than from the coffee shop. It won't be as fast, but the hop we cannot trust is covered.

Thoughts

Tutorials such as this one are easy to find on the web, so I encourage network engineers who are also responsible for network security, and network security engineers, to really look for ways to mitigate bypasses of the security in place. As more and more savvy users enter the workforce, it is becoming harder to prevent users from accessing what they shouldn't while on the organization's network. As newer products or technologies are introduced, stay open minded about what they can do for the organization. Fortinet, Check Point, Palo Alto Networks, Cisco (with the ASA-CX), etc. can definitely help with this type of situation. Yes, I understand that money can be tight since the economy hasn't fully recovered yet, but there are other ways to at least mitigate this type of bypass, as briefly mentioned in the tutorial: deep packet inspection of HTTP/HTTPS traffic on the Blue Coat or Websense appliance, and outbound firewall rules.

Disclosure

NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.

IP Netmask Format

02/13/2013 By Andrew Roderos 2 Comments

If you're following me on Twitter, you might have seen my tweet last week about rebooting my CCIE studies. While I am moving really slowly in my reading, as usual, I am also taking notes as I go along. I am changing my strategy this time since I don't retain information like I used to: the joys of getting older.

Chapter 1 of Routing TCP/IP Vol. 1 is really meant to be just a review. If you're studying for the CCIE, then you're at a level where you can skip this chapter. However, I decided not to skip it even though I've read this book already. I'm kind of glad I didn't, because I seem to have forgotten about the ability of Cisco IOS to change how the subnet mask is displayed. While not really important for CCIE studies, I thought it was cool enough to share with you guys and girls.

Default Format

By default, the netmask is shown in bit-count format, meaning a slash followed by the number of significant bits. An example is shown below; look at the Internet address line in the show interface output and at the connected route in the show ip route output.

R1#sh int s0/0
Serial0/0 is up, line protocol is up
  Hardware is GT96K Serial
  Internet address is 192.168.1.1/24
  MTU 1500 bytes, BW 1544 Kbit/sec, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:01, output 00:00:07, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/1/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1158 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     368 packets input, 24236 bytes, 0 no buffer
     Received 185 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     415 packets output, 23696 bytes, 0 underruns
     0 output errors, 0 collisions, 8 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up
R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C    192.168.1.0/24 is directly connected, Serial0/0

Configuration

Configuring it is really easy. There are two more formats to choose from, as shown below. Note that ip netmask-format is a line configuration command: set on the console line as here, it only changes what the console shows, so it has to be applied to the vty lines as well if you want the same display in Telnet or SSH sessions.

R2(config)#line con 0
R2(config-line)#ip netmask-format ?
  bit-count    Display netmask as number of significant bits
  decimal      Display netmask in dotted decimal
  hexadecimal  Display netmask in hexadecimal

Verification

As the command names imply, the mask can be displayed in bit-count (slash), decimal (dotted), or hexadecimal format. I am sure you already know what they will look like, but for completeness' sake I am including the show ip route output in both the decimal and the hexadecimal format.

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C    192.168.1.0 255.255.255.0 is directly connected, Serial0/0
R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C    192.168.1.0 0xFFFFFF00 is directly connected, Serial0/0
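The three notations in the outputs above, as an added example that is not part of the original post: POSIX shell functions that convert any of the three spellings of a mask to a prefix length and back, and reject a mask whose one-bits are not contiguous, which is the mistake the dotted and hexadecimal forms make easy to miss. The masks it runs on are the ones from the post's outputs; the invalid inputs in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: convert between the three
# netmask notations IOS can display (bit count /24, dotted decimal
# 255.255.255.0, hexadecimal 0xFFFFFF00) and reject masks whose one-bits are
# not contiguous (255.255.0.255 and 0xFFFF00FF look plausible but are not
# netmasks). Pure POSIX sh arithmetic, so it runs on whatever jump host you
# are typing into.

# mask_to_bits MASK -> prefix length; MASK may be 24, /24, 255.255.255.0
# or 0xFFFFFF00. Returns 1 for anything that is not a contiguous mask.
mask_to_bits() {
    m=${1#/}
    case $m in
        0[xX]*)
            h=${m#0?}
            case $h in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
            [ ${#h} -le 8 ] || return 1
            v=$(( $m )) ;;
        *.*.*.*)
            oldifs=$IFS; IFS=.; set -- $m; IFS=$oldifs
            [ $# -eq 4 ] || return 1
            v=0
            for o in "$@"; do
                case $o in ''|*[!0-9]*) return 1 ;; esac
                [ "$o" -le 255 ] || return 1
                v=$(( (v << 8) | o ))
            done ;;
        ''|*[!0-9]*) return 1 ;;
        *)
            [ "$m" -le 32 ] || return 1
            echo "$m"; return 0 ;;
    esac
    # count the leading one-bits, then require every remaining bit to be zero
    bits=0
    while [ "$bits" -lt 32 ] && [ $(( (v >> (31 - bits)) & 1 )) -eq 1 ]; do
        bits=$(( bits + 1 ))
    done
    [ $(( v & (0xFFFFFFFF >> bits) )) -eq 0 ] || return 1
    echo "$bits"
}

# bits_to_mask BITS -> "dotted hex", e.g. "255.255.255.0 0xFFFFFF00"
bits_to_mask() {
    b=$1
    case $b in ''|*[!0-9]*) return 1 ;; esac
    [ "$b" -le 32 ] || return 1
    v=$(( (0xFFFFFFFF << (32 - b)) & 0xFFFFFFFF ))
    printf '%d.%d.%d.%d 0x%08X\n' \
        $(( v >> 24 )) $(( (v >> 16) & 255 )) $(( (v >> 8) & 255 )) $(( v & 255 )) "$v"
}

# Stand-alone run: the three spellings of the mask from the post's outputs.
for mask in /24 255.255.255.0 0xFFFFFF00; do
    echo "$mask -> /$(mask_to_bits "$mask") = $(bits_to_mask "$(mask_to_bits "$mask")")"
done
```

The contiguity check is the part worth keeping: a router will happily accept a non-contiguous mask in some places (access lists use wildcard masks that may legitimately be non-contiguous), so a tool that converts blindly between the formats hides exactly the typo the hexadecimal display makes hardest to spot.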

Thoughts

This is not CCIE content in my opinion, but it may be good for someone who is struggling with the bit-count format. Another use I can think of is having fun with your colleague(s): change the format to hexadecimal to throw them off. Though I suggest you only do this in a lab environment. Changing it to hexadecimal in a production environment while someone is troubleshooting a routing problem may upset your colleague! Worst case, you may get fired for pulling a stunt like this.

Copyright © 2011–2023 · NetworkJutsu · All Rights Reserved · Privacy Policy · Terms of Use