Tushar's Blog

Creating a DMZ using Cisco ASA

tusharsingh — Wed, 24 Aug 2011 12:48:52 +0000

Creating a DMZ using a Cisco ASA 5520

Manage your Public accessed resources and secure them using the Adaptive Security Appliance

A DMZ ensures that in case of an attack, only the public servers are affected and not the internal systems as the intrusions are blocked in the zone itself. A Cisco ASA can be used, like any other firewall to create such zones easily. With Cisco ASA, the added advantage is that you do not need multiple devices to accomplish your needs of security and connectivity for your remote or public users.

This article will help you configure a DMZ in which you can keep devices like your HTTP servers, SMTP servers etc.. to be accessed by the public over the internet.

This is my example target network design

So we have a Cisco ASA acting as a firewall only (otherwise, normally I would have the outside interface with a public IP to serve both VPN as well as my stateful + transparent firewall). However, this is just for the demonstration.

Steps

Before moving on to configurations and procedures, it is conceptually important to understand the implementation. A DMZ as I mentioned is a zone where we can restrict traffic arriving for accessing public resources. Therefore, we will create a ‘zone’, give it an IP range and then ensure that we have the right rules to allow business functions. Simple isn’t it? Ok, lets configure this and get it working!

Step 1 – Configure an Interface to act as DMZ “Zone”

Let us define an interface on the Cisco ASA and call it DMZ. You can name it anything you want depending on your company standard nomenclature.

Open the ASDM and connect to the ASA box.
Navigate to Device Setup and click on Interfaces.
Click on “Add” to add an interface.

You can see that you have defined an interface and named it as dmz. Be careful while defining the subnet that the IP range you specify should not clash with the IP range you may have defined for other interfaces.

Step 2 – Configure the Access Entries (ACL)

Now, since I have an SMTP server inside my network, I will ensure that I define rules to access this resource from internet and also from my LAN. I will now specify rules to permit protocol based, port bound traffic from the resource to the outside world, from the outside world to the resource and also, from lan devices to my resource kept inside the DMZ.

Configure rule for any device from interface outside to access 126.100.60.2 only on the smtp ports.

Click on Firewall.
Go to Advanced and open the ACL Manager.
Click on Add ACL and type the name of the ACL. I will use dmz_control
Now click on “Add ACE”
Click OK to save the configuration.

Configure the rule to allow SMTP server to interact with public

Create an ACE with the following configuration

Similarly, you can define the rules from inside interface as well.

Thats it!! Since this is a connected interface, you do not have to define any static routes. Now, you can see that traffic will start flowing from both inside and outside interfaces.

Write to me if you need more info

Tushar SINGH
matrixtushar@gmail.com

SMS Alerts of Outlook Mails – Configure your own Gateway

tusharsingh — Wed, 07 Apr 2010 21:35:47 +0000

Programming Outlook Client to Send SMSs to your Indian Mobile Phone

Raj has to miss out his normal exercise routine because he needs to wait for some emails that are required to be processed immediately as they are received. The moment Raj receives the mail, he needs to acknowledge the sender and then forward the mail to the next stakeholder for their action. He is left with nothing but to sit in front of his outlook client, and wait for the mail when its received from one stakeholder, passed on to the other and then again the same cycle.

Amit wants to go for a cup of coffee with his girlfriend, but since he is waiting for an important mail, his mind is always stuck at his inbox, even when he is on a date. Amit is anxious if the mail has arrived…

If you are Raj or Amit, then you can ease off your life by a little automation, without any extra cost. Imagine, when a mail arrives in your inbox, your phone beeps the SMS tone and you have the subject of the email in your message box; and for this, you dont need a blackberry, a smart phone, an iPhone, a HiPhone. Normal GSM phone that can receive messages will suffice.

What do you need in Place?

What you need to let this run is:

Running outlook client that is able to accept incoming mails.
Outlook 2003 and above.
Internet connection.
An account at 160by2.com or any other free web based SMS portal.
An active session to this website (after login etc) so that direct links to compose and send messages would work.

The principle

Since we are not dealing with mail gateways and the dispatch mechanism from mail to SMS will be initiated by the mail client, the working principle is somewhat disjoint.

First, we create a macro, that responds to a “NEW MAIL” event in outlook. Under this event, we need to read the subject of this mail.
Once we are through with this, we open the internet explorer browser using the Internet Explorer Control reference API through VBA in outlook and navigate to the compose page for the SMS.
Typing numbers and mail subject will involve some crude sendkey operations, but in the end, the process works!!

Given below, is the source code of the macro I used to setup the automation.

Private Sub Application_NewMail()

Dim Inbox As Outlook.MAPIFolder
Dim InboxItems As Outlook.Items
Dim Mailobject As Object
Dim oMailItem As MailItem
Dim i As Integer

Dim str As String

Set Inbox = Application.GetNamespace(“Mapi”).GetDefaultFolder(olFolderInbox)

Set InboxItems = Inbox.Items
InboxItems.Sort “[Received]“, True
Set oMailItem = InboxItems.GetFirst

Set ie = CreateObject(“InternetExplorer.Application”)
ie.Visible = 1
ie.navigate “http://www.160by2.com/compose_sms.aspx“
Do While ie.busy
Loop
Do While ie.ReadyState <> READYSTATE_COMPLETE
Loop

DoEvents
Call SendKeys(“981234567″) ‘ your cellphone number

DoEvents
Call SendKeys(“{TAB}”)
Do While ie.ReadyState <> READYSTATE_COMPLETE
Loop

DoEvents
Call SendKeys(“{TAB}”)

DoEvents
Call SendKeys(“{TAB}”)

DoEvents
Call SendKeys(oMailItem.Subject)
DoEvents
Call SendKeys(“{TAB}”)

DoEvents
Call SendKeys(“{ENTER}”)

‘MsgBox oMailItem.Subject

End Sub

You can also filter on the subjects or senders or send to: in case you would like to receive such SMS alerts only for some selected mails and not every mail.

Other possible changes could be if you would like to explore the Internet Explorer objects, as I could also suspect some smarted ways of working with forms through document.elements object model of IE.

Probably the next version would be better, but for now, I can have my extended coffee discussions, without risking my critical mails that need attention!

Happy Implementation!!

Device Encryption Server Migration

tusharsingh — Sun, 22 Nov 2009 18:32:43 +0000

Safeboot Hard Disk Encryption 4.2.14 to McAfee End Point Encryption 5.1.9

(Server Components and New Client Sets)

MIGRATION DIARY

One of the most sensitive infrastructure of any organization, is clearly the IT security systems; and to make changes to this infrastructure can be an interesting affair till everything is working as expected. Many of my colleagues who have touched upon IT security systems would agree to me. Any infrasturcture change poses a challenge and the more you understand how much is at stake, the job becomes more enriching and full of challenges. Well, device encryption infrastructure would be another such example to the bundle of server and client suites.

Going from Safeboot to McAfee is only a natural choice for me, and I did not do any other evaluation for any other product. Therefore, you will notice the focus for me is always to ensure how I can fit my current operations into the new suite. Also, I did not play around too much with the ‘beautiful’ features like AutoDomain, Local Logon etc.. because they simply did not fit in my enterprize landscape.

PHASE 0 – Ground Work

Step 0.0 – PLAN

Step 0.1 – Migration Strategy

The following picture presents a typical architecture of hosting the infrastructure in a large enterprize. A primary server, supported by a backup server on another data center site and a console server to allow multiple connections to the database for operations by the on site technicians and service delivery persons.

Globally speaking, the strategy I took was to replace the existing hardware with the new one. So I planned for myself 2 rack servers that could be configured on RAID 5 for greater performance and a blade server for the console server.

The idea was to swap the servers where the blade would take over the old console server and the two servers for primary and backup would mirror with their corresponding rack mounted servers. A two day down time would allow me to switch off the service on day 1, take a full backup of the database and copy it on the safe network location so that I can swap the servers, install the suite, plug the DB, tune the object browser and change a few settings to migrate from blue to red.

PHASE I – Migration of Servers

The phase began once I had the servers planted in the data center; although it had its own challenges and procedural steps to be taken care of, but I would not prefer mentioning them in the current article scope. The only major thing that needs to be taken care of is that when doing a swap, get atleast one IP address in the same VLAN and have an agreement from the data center manager about the changes you are doing.

The follwoing now discusses the steps that were taken during the migration:

Switch off the service running on the primary server so that no new clients can communicate and the database console is un-available for public access.
Start the full backup of the data base with the ‘retry if object is locked’ option clicked. Take a local backup copy of the entire database.
Compress the backup copy of the database in a ZIP file so that it is easy to navigate. Also, note the amount of files and folders with size details of the folder. This will be necessary to compare once the DB is copied over the network.
Copy the database on the new server that is eligible to be the primary server.
Copy the McAfee EPE 5.1.9 sources on this server so that it can be used during the installation.
Copy the SDMCFG.INI, SERVERS.INI, cmsettings.ini, license (.SLC) file on to the temporary location on the new server.
Change the name of the server to oldPRIMARY and let the change reflect in the Active Directory and let this propagate to all the domain controllers.
Ensure that the changes have been reflected by checking to the root domain controller and the one nearest to the physical locations of the servers.
Change the IP Address of the server to the temporary IP that was given by the data center manager. Ensure that the IP is pingable. Now the server is de-comissioned and there is accomodation for the new server to be setup as primary.
Change the IP Address of the new server to the one just released by the old primary server.
Change the hostname of the server to PRIMARY and reboot.
Ping and connect this server now with the registered DNS alias for the primary server. This will ensure that the server’s network components have been correctly configured.
Unzip the database on a location on this server. Take note of this location.
Install EEPC 5.1.9 with the required features / components.
Place the SDMCFG.ini and Server.ini file on the installation directory of the server components. This will ensure that the database that is taken into account is the existing one. Make appropriate path changes to the ini file entries to point to the data base location on the current server.
Start the Object Browser.
This will first prompt for the services to be started. Ensure that the names of the services are the same as on the old server.
The application will go in a hang state. The DB is now being enumerated and this usually takes 7-10 minutes to show up the initial screen.
Login to the database using the same credentials as the original ones.
Browse through the contents of the database to ensure that all the entries are consistent* (I noticed some garbage values in some rows of machine group entries. Do not panic. They are entries that have been deleted, but due to inconsistent DB operations, were not physically reflected. Maybe marked for deletion when the service was switched off and the DB was taken for backup.)
Create a file group to have the new file sets. Name this EPE519 Client Files.
Add the client file set (clientfileset.ini) file to this file group. Ensure that the file entries have been populated.
Change the properties of this file group to “Client Files.”
Go to the Machine Groups tab and mark this file set as the default file set for this group. This will ensure that all new clients will now have 5.1.9 client file sets.
Create a script / make a manual change to all administrative user accounts created on this server to enable the Admin Rights as “Allow Administration.” This feature is new to the implementation of McAfee 5.1.9 End Point Encryption Suite.
Open the LDAP / AD connector console and ensure that the cmsettings.ini has been properly applied. All the entries should be correctly reflected.
The server is now up and running. Perform similar steps for the backup server as well.

PHASE II – New Client Readiness

Once the servers have been migrated, test the implementation by doing a simple telnet to the DNS alias of the server on port 5555. This will ensure that the services are running and responding well.

For the new clients, right click on the default machine group and create the install set. However, before doing that, ensure that all the settings are properly selected. I personally was annoyed when I left the “Do not lock computer after removal of $autoboot$ user” as unckecked. I had to make the change. Also, for managebility, make the installation directory of the new clients as the same as the old ones (I chose this option because I depend upon a lot of support automation for the installation of the clients).

Once the install set is created, publish the package to a location where the technicians / users can install it. This could either be a common resource of a resource utilized by the deployment tool like SMS.

The new clients are now installable and the implementation is now ready to be tested.

Testing

Syncronize the existing clients with the new server implementation.
Add new users / Remove some users from the existing clients and synchronize to check whether the configuration changes come into effect. Be Careful that the “Force Synch” feature to synchronize from the server to the old 4.2.14 clients will now be unavailable and this action has to be done by the clients only. However, this is only the case with old clients. This feature will work with the new ones. If you try to force synch to old clients, you will get an error message on the console that “Failed to convert IP to hostname.”
Install the new client package and test if encryption is working fine.
Execute recovery procedure of old as well as new clients.

A possitive test result to the above will ensure that the implementation is working fine and the service can be announced to the users. Servers MIGRATED!