New Standards – HTTP2

A great article I came accross explaining how HTTP2 works is availible at http://daniel.haxx.se/http2/http2-v1.6.pdf

It has some intresting challenges for adoption and implications for Network Security and vendors of the associated devices used to secure them.  One of the main challenges being that the format moves from an easy to read text form, to a binary blob.  This means Deep Packet Inspection (DPI) of these frames becomes a lot more intensive.

It will also be interesting how this gets adopted for the ‘average’ site.   I can see the Goog, Facebook and Microsoft adopting it but how long did it take for HTTP 1.1 to become adopted ?

One to monitor……

 

So that went well…… The pains of multi factor Authentication

First day in my ‘post a day’ challenge for November went well with me missing a post…so I shall indevor to catch back up 🙂  ..

There is a few reasons for this but one of the reasons is that I can’t just post from any device.  I took the plunge a good while back and protect the site using the fantasic Duo Security two factor authentication system which means I have to have my phone to hand when logging into my Blog.

Yes, multi factor authentication is a  pain in the ass but thats security.  Its about balancing security with usability.  I’d rather have the pain than allowing someone else to blog as me.

I also recomend using two factor authentication for all of your ‘primary’ accounts such as Microsoft (Technet, Outlook, Office 365), Google (+, gMail, Webmaster Tools), Apple  (iTunes, iCloud), Twitter and Facebook.   Using Windows Phone, I use the Microsoft Authenticator app which can be used for all of the sites listed here.

Logging on can be a pain, but I’d rather have the extra security.

Is there such thing as a ‘crap’ PC anymore ?

Like most folks who work in the tech/IT field, people are always asking for my opinion about kit, especailly PC’s.

My reply was usually ‘how much do you want to spend ?’     Today, this got me thinking……. is there any such thing as a ‘crap’ PC any longer ?

With the advent of cheap tablets  (some are just piles of shite that will end up in landfill) the PC makers seem to be giving PC’s away that have better, and better spec.    For instance i3, 4GB RAM, 1TB hard disks on budget £350 laptops.

Whist the screen will be a crap 1366 x 768 resolution screen and the battery will probably last 3 hours (mainly due to all of the OEM junkware thats installed) you can still do far more than you ever will on a tablet computer device.  Perhaps peoples habbits are changing and if all they do is use email and FaceTwatterBook then good riddance, It means I dont have to fix the bloody thing.

However people who actually need a PC for Media, iTunes, Photo/Video editing then its still the best for the job.   They are eminantly flexible and can still be customised to do what you like.   Depite what the press may say, Windows 8.1 (with the new Update 1) makes switching between the Metro/Modern Start Screen apps and traditional desktop a breeze.  If you are still suffering the $5 spent on Start8 will soon sort you out.

Remove all of the cack the thing comes with.  Whatever you do dont buy or run McAfee or Norton AV.  Remove it and Microsoft Defender will be activated which is fine for most users.  Dont waste your cash….. seriously…

They arent the same as the crap that was pushed when the whole Netbook craze came around.  Bit like 3D TV’s really, it was just a fad.  Luckilly the Atom seems to be have relegated to small headless kit, tablets and even phones.  Its even now pretty good 🙂

So thats my opinion as of today, even thought I have just dropped the best part of £1800 on an awsome Lenovo T440S fully loaded !

Native Apple iOS Client and Android Client to Cisco ASA VPN using Certificate Authentication Part 4 – More ASA Side

Some parts I forgot from the last few posts.

The ASA also uses Group Policy (not AD group policy!) configuration.  In here you set useful things such as DNS, domain and other properties.  Its also the area to configure specifics for the IPSEC Phase 2 connection.   I normally use a GP per connection as its allows some flexibility when making changes later on.  You can also set some values within the default group policy that will be standard over the whole of your ASA, which depending on if inherit is turned on or not get set.

For Apple iOS devices IP Compression and PFS have to be turned on.  On Android, these are not.  You get a strange symptom (if set) where the Android handset claims its connected (and the ASA even issues an IP address) but the device never shows connected in ASDM.  It was only with use of various debugs that I managed to find this out.

Group policies therefore are:

!Apple iOS
group-policy GP_iOS internal
group-policy GP_iOS attributes
 dns-server value 10.100.200.10 10.100.202.10
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1 
 ip-comp enable
 pfs enable
 default-domain value mydomain.local

!Android
 group-policy GP_ANDR internal
 group-policy GP_ANDR attributes
  dns-server value 10.100.202.10 10.100.200.10
  vpn-session-timeout none
  vpn-tunnel-protocol ikev1 
  default-domain value mydomain.local

That should complete all of the configuration requried to allow iOS and Android devices to connect to a Cisco ASA using the inbuilt native IPSEC client using x509 certificates.   You really arn’t using Pre Shared Keys in this day and age are you ?

Putty – Session Logs

A useful feature when you are working on multiple devices is to keep as session log for every session.  You can then easilly see what you have typed or provide evidence.

To configure this for every session:

1) Open Putty

2) Select the Default Settings and press Load

3) Navigate to Session > Logging

4) Set the Log file name in a format that makes sence to you.  You can see mine

5) Navigate back to the sessions, making sure Default Settings is still highlighted and then press Save

Test !

Native Apple iOS Client and Android Client to Cisco ASA VPN using Certificate Authentication Part 3 – ASA Side

So based on the last post, you can now start to configure the ASA to support Apple IOS and Andoid devices.

Firstly we need to add an IKEv1 policy to allow the IKE Phase 1 to establish:

!Andoid
crypro ikev1 policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

!IOS
crypro ikev1 policy 12
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 5
 lifetime 3600

This allow the device to at least connect to the ASA to authenticate.

There is an assumption that your ASA already has installed and trust’s the CA’s that the client device certificates are issued by.  This is out of scope for here however its imperative that this is in place.  Its also crazy if you havent got CRL processing in place but you should know that as well.

From a ASA profile perspective its simple.  As stated before both Andoid and IOS only support IKE v1 so you have to create IKEv1 profiles for these connections.  The strange part of defining an IKEv1 profile is that is has to have a AAA entry set.   In my case I normally define a new AAA group that has no authentication.

aaa-server NO_USER_AUTH protocol http-form

This can then be applied to a new profile.  Its not used for authentication (remember – you are using Cerificates only) thus

tunnel-group IOSandAND type remote-access

tunnel-group IOSandAND general-attributes
 ! Clients will use addressing from the named pool shown
 address-pool IOSandAND-Pool
 ! Dont use any client authentication (other than Certificate)
 authentication-server-group NO_USER_AUTH
 ! Group policy applied for connection
 default-group-policy GP_IOSandAND

tunnel-group IOSandAND ipsec-attributes
 ! Define CA that client connections will be signed by
 ikev1 trust-point MyCA.key
 ! Define no user authentication
 ikev1 user-authentication none

Depending on if you use DAP etc (and you really should) you will have to add basic policy to allow Andoid and IOS devices to connect.  There are no posture checks availible for native clients due to what the clients expose.  If you want to do this then the client will need to use the AnyConnect client (free), will need a AnyConnect Mobility licence for the ASA (circa £500) and you can then use IKEv2 which negates a lot of this configuration.

Anyway hope it helps some of you

Native Apple iOS Client and Android Client to Cisco ASA VPN using Certificate Authentication – Part 2

So the previous thread we were discussing Apple iOS.  Now you may have had the same issues with Andoid with it becomming more popular.

First issue when configuring the ASA is the IKEv1 key exchange that goes on.  When a device attempts to connect, the client is asked to provide all of the key schemes that it supports.  Android 4.1+ and IOS 7 give out (in order)

Android

AES-CBC 256 Seconds 28800 SHA1 DH Gp 2
AES-CBC 256 Seconds 28800 MD5 DH Gp 2
AES-CBC 128 Seconds 28800 SHA1 DH Gp 2
AES-CBC 128 Seconds 28800 MD5 DH Gp 2
3DES-CBC Seconds 28800 SHA1 DH Gp 2
3DES-CBC Seconds 28800 MD5 DH Gp 2
DES-CBC Seconds 28800 SHA1 DH Gp 2
DES-CBC Seconds 28800 MD5 DH Gp 2

iOS 7

AES-CBC 256 Seconds 3600 SHA1 DH Gp 5
AES-CBC 256 Seconds 3600 SHA1 DH Gp 2
AES-CBC 128 Seconds 3600 SHA1 DH Gp 2
AES-CBC 256 Seconds 3600 MD5 DH Gp 5
AES-CBC 256 Seconds 3600 MD5 DH Gp 2
AES-CBC 128 Seconds 3600 MD5 DH Gp 2
3DES-CBC Seconds 3600 SHA1 DH Gp 2
3DES-CBC Seconds 3600 MD5 DH Gp 2
DES-CBC Seconds 3600 SHA1 DH Gp 2
DES-CBC Seconds 3600 MD5 DH Gp 2

Now we have these values we can look at configuring the ASA to support native IOS and Andoid clients using x509 Certificate authentication.   Its pretty obvious that the top one is the most secure, trailing off to blatantly insecure…….

Time for post 3……..

HMRC Basic PAYE Tools for RTI – Problems submitting RTI

Being part of a small business, we used to use the HMRC provided Basic PAYE Tools (BPT) for Payroll.  With the changes in this tax year a new version has been provided to support the RTI submissions.

The old software front end was built in Flash with a Python/MySQL backend.  Whether or not that was a good idea is debateable but at least it was clear.  The new version appears to be Python with SQLlite utilising a small HTTP server running on the local machine.

The new version now looks more like the web site and (IMHO) is very poorly designed.  Its over complicated and gives very little feedback.

We had problems submitting any return.  A standard ‘page cannot be displayed’ was shown.  Very helpful.

The HMRC helpdesks we either engaged or no help so I did some digging……

I finally stumbled on the solution.  We had imported all of our data from the 2012-2013 BPT system, company details and all.  Looking at an employees records, all looked well.  However, after clicking ‘edit PAYE details’ some fields were shown to be mandatory.  Once these we filled in the preview and submit all worked !!!!

There does not seem to be any real way to submit any feedback to HMRC but I may try an alternate method …… 🙂

VMware Workstation 8 – WAN simulation (Awesome feature alert)

Just found an awsome feature…… a bandwidth and interface error generator for each virtual NIC.  Great if you are doing Proof of Concept testing for high latency or even 3G simulated links.

To configure, locate the virtual NIC properties and press ‘Advanced’

VMw-Net1
Then you will be shown this screen.  You can select preset bandwidth in both directions and packet loss

VMw-Net2

Its truly an awsome product that amazes me each time I try to do somthing