Security
iRules, the reason to always have an LTM up your sleeve...
I was working on a great problem this week where a somewhat old application was performing HTTP 0.9 compliant GET requests that were simply being ignored by the Apache server we were serving files from (an odd thing to be sure, and I am not convinced that the issue didn't have more to it than just the client / server aspects of the equation...), but anyway, just as I was scratching my head at what to do to try to shoehorn this system in, it dawned on me... We had some of the world's most flexible web server munging devices on the planet in our hands... F5 LTMs and ASMs... I had been looking for a reason to get my hands dirty on some iRules (after having heard so many iRule fan-boys prattling on...), so I signed up and logged into the DevCentral site and took a look...

The first thing that struck me straight away was the community spirit in this place... People sharing solutions and ideas left right and centre.. The second, just about every problem that I have had with windows (and other) web servers / web apps over the last 3 years, someone has fixed with an iRule somewhere... And the solutions are there, ready to be pasted and customised...

I am starting to form a new philosophy... and that is this: "Every system design should have an F5 LTM somewhere... you will NEVER know when it might save your a**!!!"

Anyway, now that I have looked into it more closely, I might even be able to get rid of a web server altogether and several reasonably annoying cron jobs if I manage to get the ASM doing what I need it to in an iRule...
Checkpoint VPN - Creation made easy...

For anyone looking to set up a Secure Client VPN for the first time, there is a good SecureKnowledge article (registration and maybe even a valid support contract required) available (SK#20876) that is not particularly easy to find... I think one of the strangest things for me to get my head around was an area that is QUITE different to setting this sort of thing up on a Cisco ASA or VPN 3000: if you use X-Auth (pre-shared group passwords) there IS no group password. I can only assume that Checkpoint is using the user's password as its pre-shared key...

Anyway, I ran through this article step by step and had VPN up and running in 30 minutes.
Checkpoint dbedit import file generator

A quick and dirty shell script to help generate dbedit import files for use with Checkpoint Firewall1. I had to create a few hundred items today, and there was *NO* way I was doing it manually. The shell script is available here...
Random Password Generator
Random password generator written in Perl that also outputs the relevant phonetic alphabet entry for each character of the password. Useful for strong emergency backdoor passwords, so that when you do need one you are not left unable to tell the difference between a 1 and an l character, or a zero and an O. Arguments are passed to the script specifying the password length and the number of passwords to generate.

Changes in 2.0:
User can now select a password scheme, i.e. the user can specify whether they want lower case chars, upper case chars, numbers, symbols or extended symbols (or a combination of each). It means that all passwords generated will meet the specified complexity.

Note: Run with no arguments for usage.

Examples:

Numbers + lowercase letters

./pw_gen.pl 3 10 na

Generating 3 password(s) of 10 character(s) length with complexity scheme 'na':

3005629kw2 (three - zero - zero - five - six - two - nine - kilo - whiskey - two)

9f9ef3e684 (nine - foxtrot - nine - echo - foxtrot - three - echo - six - eight - four)

xj1312f4gi (xray - juliet - one - three - one - two - foxtrot - four - golf - india)


Numbers + lowercase letters + regular symbols

./pw_gen.pl 3 10 nas

Generating 3 password(s) of 10 character(s) length with complexity scheme 'nas':

=o9!dskbk6 (equals - oscar - nine - exclamation - delta - sierra - kilo - bravo - kilo - six)

=.#ck8u%9g (equals - period - hash - charlie - kilo - eight - uniform - percent - nine - golf)

1m+.+a23c9 (one - mike - plus - period - plus - alpha - two - three - charlie - nine)


Uppercase letters

./pw_gen.pl 3 10 A

Generating 3 password(s) of 10 character(s) length with complexity scheme 'nas':

XYPNHCFMAJ (XRAY - YANKEE - PAPA - NOVEMBER - HOTEL - CHARLIE - FOXTROT - MIKE - ALPHA - JULIET)

QRZQORVIOY (QUEBEC - ROMEO - ZULU - QUEBEC - OSCAR - ROMEO - VICTOR - INDIA - OSCAR - YANKEE)

NFFBKGRURB (NOVEMBER - FOXTROT - FOXTROT - BRAVO - KILO - GOLF - ROMEO - UNIFORM - ROMEO - BRAVO)

Download it here
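As an added example (this is not the author's Perl script, which is only described above), here is a Python version of the same idea: a scheme string selects the character classes, every generated password is guaranteed to contain at least one character from each selected class, and each character is spelled out with its phonetic name. The exact symbol sets for the 's' and 'S' schemes and the output wording are assumptions; the original script's sets are not shown on the page.

```python
import secrets
import string
import sys

# Scheme letters as used on the page: n = numbers, a = lowercase, A = uppercase,
# s = regular symbols, S = extended symbols. The two symbol sets are assumed;
# the original script's exact sets are not shown on the page.
CLASSES = {
    "n": string.digits,
    "a": string.ascii_lowercase,
    "A": string.ascii_uppercase,
    "s": "!#%+.=",
    "S": "$&*-/:;?@_|~",
}

# Spoken names for every character the generator can emit.
NATO_WORDS = ("alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima "
              "mike november oscar papa quebec romeo sierra tango uniform victor whiskey "
              "xray yankee zulu").split()
NAMES = {letter: word for letter, word in zip(string.ascii_lowercase, NATO_WORDS)}
NAMES.update(zip(string.digits, "zero one two three four five six seven eight nine".split()))
NAMES.update({"!": "exclamation", "#": "hash", "%": "percent", "+": "plus",
              ".": "period", "=": "equals", "$": "dollar", "&": "ampersand",
              "*": "asterisk", "-": "hyphen", "/": "slash", ":": "colon",
              ";": "semicolon", "?": "question", "@": "at", "_": "underscore",
              "|": "pipe", "~": "tilde"})


def phonetic(ch: str) -> str:
    """Spoken name of one character; uppercase letters are spelled in uppercase."""
    name = NAMES[ch.lower()]
    return name.upper() if ch.isupper() else name


def spell(password: str) -> str:
    """Render a password the way the page's output does: 'pw (word - word - ...)'."""
    return f"{password} ({' - '.join(phonetic(c) for c in password)})"


def generate(length: int, scheme: str) -> str:
    """Build one password that is guaranteed to contain at least one character
    from every class named in `scheme`, drawing only from the OS CSPRNG."""
    try:
        classes = [CLASSES[k] for k in scheme]
    except KeyError as exc:
        raise ValueError(f"unknown scheme letter {exc.args[0]!r}") from None
    if not classes or length < len(classes):
        raise ValueError("length must be at least the number of scheme letters")
    # One character from each required class first, so the complexity rule always holds...
    chars = [secrets.choice(cls) for cls in classes]
    # ...then fill the remainder from the union of the selected classes...
    pool = "".join(classes)
    chars.extend(secrets.choice(pool) for _ in range(length - len(chars)))
    # ...and shuffle with a CSPRNG-driven Fisher-Yates so the guaranteed
    # characters do not always sit at the front in scheme order.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_scheme(password: str, scheme: str) -> bool:
    """Check that every class in the scheme is present and no other class is."""
    pool = "".join(CLASSES[k] for k in scheme)
    return (all(any(c in CLASSES[k] for c in password) for k in scheme)
            and all(c in pool for c in password))


def main(argv: list) -> int:
    if len(argv) != 4:
        print(f"usage: {argv[0]} <count> <length> <scheme letters from '{''.join(CLASSES)}'>")
        return 2
    count, length, scheme = int(argv[1]), int(argv[2]), argv[3]
    print(f"Generating {count} password(s) of {length} character(s) length "
          f"with complexity scheme '{scheme}':")
    for _ in range(count):
        print(spell(generate(length, scheme)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 pw_gen.py 3 10 nas` to mirror the page's usage. The design point worth copying from the original is the guarantee step: picking one character per required class before filling the rest means a request for 'nas' can never produce a password that happens to contain no symbol, which a plain random draw over the union of classes can do.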
Checkpoint Secure Platform (SPLAT) Smartcentre
Rebuilding our Checkpoint Secondary management Server this week after a hardware failure gave us an interesting surprise: The Checkpoint Secure Platform installation process kept making the dedicated secondary management server also be a firewall policy enforcement point.

Found this page that described the same problem, and a likely solution:

cpprod_util FwIsFireWallModule

The management station returned a 1, indicating that it was indeed a firewall so we unloaded the firewall policy:

fw unloadlocal


got rid of the installed policy temporarily and we then changed the setting:

cpprod_util FwSetFireWallModule 0

Restarting the firewall services saw everything working fine:

cprestart

but a reboot left us in the exact same position, with the node loading the "initial" firewall policy on boot, even though it was now reporting itself not to be a firewall enforcement node (now, trying to perform an "fw unloadlocal" resulted in the SPLAT box telling us that it could not, because it was not a firewall).

Now there are ways to prevent the initial policy from loading at bootup, but I am always after a cleaner install, and less hacking of a nice fresh clean system, so we gave Checkpoint a call. The Checkpoint guy promptly advised us that the use of SmartView Monitor was not supported, and was not even supposed to work unless the node was also a firewall. Now this was news to us, as we had been running SmartView Monitor for the last 2 years on this system without skipping a beat.

It did however lead us in the right direction: We reinstalled the SPLAT server, only selected Smartcentre, configured it as a secondary management server, got the whole thing working, THEN installed SmartView Monitor after the fact (just like I now remember we did when it was built the first time!!)

Problem solved. It would appear that if you install SmartView Monitor at the initial run of cpconfig, it assumes that you want to make the node an enforcement point, but if you install it as a dedicated Smartcentre first, then install SmartView Monitor, it works.