Tag: Firewall

Authenticating SSL VPN users using LDAP

This example illustrates how to configure a FortiGate to use LDAP authentication to authenticate remote SSL VPN users. With a properly configured LDAP server, user and authentication data can be maintained independently of the FortiGate, accessed only when a remote user attempts to connect through the SSL VPN tunnel.

  1. Downloading and installing FSSO agent in the LDAP server
  2. Registering the LDAP server on the FortiGate
  3. Configuring Single Sign-On on the FortiGate
  4. Importing LDAP users
  5. Creating the SSL VPN user group
  6. Creating the SSL address range
  7. Configuring the SSL VPN tunnel
  8. Creating security policies
  9. Results


  1. Downloading and installing FSSO agent in the LDAP server

The FortiOS version we are using on our firewall is 5.2.5 build 701.

Download and install the FSSO agent on your Domain Controller; the download link is here:

https://support.fortinet.com/Download/FirmwareImages.aspx

Accept the license and follow the wizard. Enter the Windows AD administrator password.

Click Next and select the Advanced Access method.

In the Collector Agent IP address field, enter the IP address of the Windows AD server.

Select the domain you wish to monitor.

Next, select the users you do not wish to monitor.

Under Working Mode, select DC Agent mode.

Reboot the Domain Controller.

Upon reboot, the collector agent will start up.

You can choose to Require authenticated connection from FortiGate and set a Password.

  2. Registering the LDAP server on the FortiGate

Go to User & Device > Authentication > LDAP Servers to configure the LDAP server.

  3. Configuring Single Sign-On on the FortiGate

Go to User & Device > Authentication > Single Sign-On and create a new SSO server.

Under the Groups tab, select the user groups to be monitored. In this example, the "FortiOS Writers" group is used.

  4. Importing LDAP users

Go to User & Device > User > User Definition and create a new user, selecting Remote LDAP User.

Choose your LDAP Server from the dropdown list.

You will be presented with a list of user accounts, filtered by the LDAP Filter to include only common user classes.

  5. Creating the SSL VPN user group

Go to User & Device > User > User Groups to create a new FSSO user group.

  6. Creating the SSL address range

Go to Policy & Objects > Objects > Addresses and create a new address.

Set the Type to IP Range, and in the Subnet/IP Range field enter the range of addresses you want to assign to SSL VPN clients. Select Any as the Interface.

Then create another Address for each Subnet or IP Range within your internal network to which remote users will connect.

  7. Configuring the SSL VPN tunnel

Go to VPN > SSL > Portals and create the full-access portal, or edit the existing full-access portal.

Under Source IP Pools, select from the drop-down menu the SSL address range created above (step 6).

Go to VPN > SSL > Settings.

Under Connection Settings, set Listen on Port to 443.

Under Authentication/Portal Mapping, select Create New.

Assign the LDAP user group to the full-access portal.

  8. Creating security policies

Go to Policy & Objects > Policy > IPv4 and create an ssl.root – wan1 policy.

  9. Results

In FortiClient, click VPN client, select SSL-VPN, click New VPN and give the connection a name.

Type the IP address of the Remote Gateway (the WAN IP address).

Click Customize port (the default port is 443).

Select Do not Warn Invalid Server Certificate. This option suppresses the warning FortiClient would otherwise show when the gateway presents a certificate the client cannot validate, such as a self-signed one.

Click Apply and close.

Open FortiClient.

Type your LDAP credentials and click on Connect.

That's it.

Happy Browsing!!


Source: FortiGate

AIR-GAPPED Computers


How do you remotely hack a computer that is not connected to the internet? Most of the time you can't, which is why so-called air-gapped computers are considered more secure than others.

Air-gap refers to computers or networks that are not connected directly to the internet or to any other computers that are connected to the internet.

The name arises from the technique of creating a network that is physically separated (with a conceptual air gap) from all other networks.

Air gaps generally are implemented where the system or network requires extra security, such as classified military networks, the payment networks that process credit and debit card transactions for retailers, or industrial control systems that operate critical infrastructure. To maintain security, payment and industrial control systems should only be on internal networks that are not connected to the company’s business network, thus preventing intruders from entering the corporate network through the internet and working their way to sensitive systems.

A true air gap means the machine or network is physically isolated from the internet, and data can only pass to it via a USB flash drive, other removable media, or a firewire connecting two computers directly. But many companies insist that a network or system is sufficiently air-gapped even if it is only separated from other computers or networks by a software firewall. Such firewalls, however, can be breached if the code has security holes or if the firewalls are configured insecurely.

Although air-gapped systems were believed to be more secure in the past, since they required an attacker to have physical access to breach them, recent attacks involving malware that spread via infected USB flash drives have shown the lie to this belief. One of the most famous cases involving the infection of an air-gapped system is Stuxnet, the virus/worm designed to sabotage centrifuges used at a uranium enrichment plant in Iran. Computer systems controlling the centrifuges were air-gapped, so the attackers designed Stuxnet to spread surreptitiously via USB flash drives. Outside contractors responsible for programming the systems in Iran were infected first and then became unwitting carriers for the malware when they brought their laptops into the plant and transferred data to the air-gapped systems with a flash drive.


The techniques of hacking air-gapped computers include:

  • AirHopper, which turns a computer's video card into an FM transmitter to capture keystrokes;
  • BitWhisper, which relies on heat exchange between two computer systems to stealthily siphon passwords or security keys;
  • Stealing the secret cryptographic key from an air-gapped computer placed in another room using a side-channel attack. This is the first time such an attack has successfully targeted a computer running Elliptic Curve Cryptography (ECC).

Researchers in Israel showed how they could siphon data from an air-gapped machine using radio frequency signals and a nearby mobile phone. The proof-of-concept hack involves radio signals generated and transmitted by an infected machine's video card, which are used to send passwords and other data over the air to the FM radio receiver in a mobile phone.

The method is more than just a concept, however, to the NSA. The spy agency has reportedly been using a more sophisticated version of this technique for years to siphon data from air-gapped machines in Iran and elsewhere. Using an NSA hardware implant called the Cottonmouth-I, which comes with a tiny embedded transceiver, the spy agency can extract data from targeted systems via RF signals and transmit it to a briefcase-sized NSA relay station up to eight miles away.

Elliptic Curve Cryptography is a robust key exchange algorithm that is widely used in everything from securing websites to messages with Transport Layer Security (TLS).

Source: thehackernews, spectrum.ieeewired.com

FortiGate Firewall Admin Credentials lost

Resetting a lost admin password:

Periodically a situation arises where the FortiGate needs to be accessed or the admin account's password needs to be changed, but no one with the existing password is available. If you have physical access to the device and a few other tools then the password can be reset.

Warning: This procedure will require a reboot of the FortiGate unit.

You need:

• Console cable

• Terminal software such as Putty.exe (Windows) or Terminal (Mac OS)

• Serial number of the FortiGate device

Step 1: Connect the computer to the firewall via the Console port on the back of the unit. In most units this is done either by a serial cable or an RJ-45 to serial cable. There are some units that use a USB cable and FortiExplorer to connect to the console port. Virtual instances will not have any physical port to connect to, so you will have to use the VM host's console connection utility.

Step 2: Start your terminal software.

Step 3: Connect to the firewall using the following:

Step 4: The firewall should then respond with its name or hostname. (If it doesn't, try pressing Enter.)

Step 5: Reboot the firewall. If there is no power button, disconnect the power adapter and reconnect it after 10 seconds. Plugging in the power too soon after unplugging it can cause corruption in the memory in some units.

Step 6: Wait for the firewall name and login prompt to appear. The terminal window should display something similar to the following:

FortiGate-60C (18:52-06.18.2010)
Ver:04000010
Serial number: FGT60C3G10016011
CPU(00): 525MHz
Total RAM: 512 MB
NAND init… 128 MB
MAC Init… nplite#0
Press any key to display configuration menu
……
reading boot image 1163092 bytes.
Initializing firewall…
System is started.
<name of Fortinet Device> login:

Step 7: Type in the username: maintainer

Step 8: The password is bcpb + the serial number of the firewall (the letters of the serial number are in UPPERCASE).

Example: bcpbFGT60C3G10016011

Note: On some devices, after the device boots, you have only 14 seconds or less to type in the username and password. It might, therefore, be necessary to have the credentials ready in a text editor, and then copy and paste them into the login screen. There is no indicator of when your time runs out, so it is possible that it might take more than one attempt to succeed.

Step 9: Now you should be connected to the firewall. To change the admin password, type the following.

In a unit where VDOMs are not enabled:

config system admin
    edit admin
        set password <psswrd>
end

In a unit where VDOMs are enabled (the extra end leaves the global scope again):

config global
    config system admin
        edit admin
            set password <psswrd>
    end
end

Warning: Good news and bad news. Some might be worried that there is a backdoor into the system. The maintainer feature/account is enabled by default, but the better news is that, if you wish, there is an option to disable this feature. The bad news is that if you disable the feature and lose the password without having someone else who can log in as a super_admin profile user, you will be out of options.

If you attempt to use the maintainer account and see the message "PASSWORD RECOVERY FUNCTIONALITY IS DISABLED" on the console, this means that the maintainer account has been disabled.

Disabling the maintainer feature/account

Use the following commands in the CLI to change the status of the maintainer account.

To disable:

config system global
    set admin-maintainer disable
end

To enable:

config system global
    set admin-maintainer enable
end
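As an added example (not Fortinet code), the script below parses a FortiOS configuration dump in the nested config / edit / set / next / end syntax used above and reports the admin-maintainer setting together with the accounts that hold the super_admin profile. That is the check worth running before you disable the maintainer account: it tells you whether someone else could still log in if the admin password were lost. The sample configuration text inside the script is constructed for this example, and the hostname and account names in it are invented; the lookup handles both a plain unit and a VDOM-enabled unit, where the settings sit inside a config global wrapper.

```python
"""Audit a FortiOS configuration dump for the maintainer-account setting.

Added example, not Fortinet code. Parses the config / edit / set / next / end
syntax of FortiOS configuration files and checks 'admin-maintainer' under
'config system global', with or without the 'config global' wrapper that a
VDOM-enabled unit adds. SAMPLE_CONFIG is constructed for this example.
"""
import shlex
from typing import Dict, List, Tuple

Settings = Dict[Tuple[str, ...], Dict[str, List[str]]]

# Constructed sample: maintainer account disabled, two super_admin accounts.
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
    set admin-maintainer disable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "backup-admin"
        set accprofile "super_admin"
    next
    edit "auditor"
        set accprofile "prof_admin"
    next
end
"""


def parse_fortios_config(text: str) -> Settings:
    """Map each open config/edit path, e.g. ('system admin', 'admin'), to its
    'set' values ('unset' stores an empty list)."""
    settings: Settings = {}
    stack: List[Tuple[str, str]] = []   # (kind, name) of blocks currently open
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        verb, args = tokens[0], tokens[1:]
        if verb in ("config", "edit"):
            stack.append((verb, " ".join(args)))
        elif verb == "next":                # 'next' closes only the current edit
            if stack and stack[-1][0] == "edit":
                stack.pop()
        elif verb == "end":                 # 'end' closes the innermost config,
            while stack:                    # including an edit still open in it
                kind, _ = stack.pop()
                if kind == "config":
                    break
        elif verb in ("set", "unset") and args:
            path = tuple(name for _, name in stack)
            settings.setdefault(path, {})[args[0]] = args[1:] if verb == "set" else []
    return settings


def maintainer_status(settings: Settings) -> str:
    """'enable' or 'disable'. The feature is enabled by default, so an absent
    setting is reported as 'enable'."""
    for path in (("system global",), ("global", "system global")):
        values = settings.get(path, {}).get("admin-maintainer")
        if values:
            return values[0]
    return "enable"


def super_admin_accounts(settings: Settings) -> List[str]:
    """Names of admin accounts whose access profile is super_admin."""
    names = []
    for path, values in settings.items():
        if len(path) >= 2 and path[-2] == "system admin":
            if values.get("accprofile", [""])[0] == "super_admin":
                names.append(path[-1])
    return sorted(names)


def lockout_risk(settings: Settings) -> bool:
    """True when the recovery account is disabled and only one super_admin
    account exists: losing that single password leaves no way back in."""
    return maintainer_status(settings) == "disable" and len(super_admin_accounts(settings)) < 2


if __name__ == "__main__":
    cfg = parse_fortios_config(SAMPLE_CONFIG)
    print("admin-maintainer:", maintainer_status(cfg))
    print("super_admin accounts:", super_admin_accounts(cfg))
    print("lockout risk:", lockout_risk(cfg))
```

Run it against a real backup after decrypting it; with the sample it reports the maintainer account disabled and no lockout risk, because backup-admin also holds super_admin.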

Source: Fortinet

FortiGate Firewall Configuration Backup and Restore procedure Firmware V4.0


Do the following tasks to take a FortiGate firewall backup.

Steps:

  1. Connect to the firewall through a browser.

  2. Log in to the firewall (enter user name and password) (see Figure-4).

Figure-4

  3. After logging in, click on System –> Dashboard –> Dashboard on the left hand side of the window (see Figure-5).

Figure-5

  4. In the right side pane of the window, under System Information –> System Configuration, click on Backup (see Figure-6).

Figure-6

  5. The Backup window will appear (see Figure-7). Enter a password to encrypt the configuration file; you will need this password when restoring the configuration file. Enter the password again in the Confirm field. Click on the Backup tab.

Figure-7

Restore

  6. After logging in, click on System –> Dashboard –> Dashboard on the left hand side of the window. In the right side pane of the window, under System Information –> System Configuration, click on Backup (see Figure-8).

Figure-8

  7. Use the "Choose file" button if you are restoring the configuration file from the management computer. Select the configuration file name from the browse list if you are restoring the configuration file from the USB disk.

  8. Enter the password you entered when backing up the configuration file.

Figure-9

NOTE: If the password is forgotten, there is no way to use the file.

Source: Fortinet

Firewall

A firewall is a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, in software, or in a combination of both, and are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets.

Types of firewall techniques:

  • Packet filter: Each packet entering or leaving the network is checked and, based on user-defined rules, either accepted or rejected. It is fairly effective and transparent to users, but is difficult to configure and is susceptible to IP spoofing.
  • Application gateway: Security mechanisms are applied to specific applications, such as FTP and Telnet servers. This is very effective, but it can impose performance degradation.
  • Circuit-level gateway: Security mechanisms are applied when a TCP or UDP connection is established. Once the connection is established, packets can flow between the hosts without further checking.
  • Proxy server: All messages entering and leaving the network are intercepted, and the true network addresses are effectively hidden by the proxy server.

Principle of a firewall:

A firewall system consists of a set of predefined rules, each of which lets the system:

  • Authorise the connection (allow)
  • Block the connection (deny)
  • Reject the connection request without informing the issuer (drop)

Firewall Management Best Practices:

  • Don't assume that the firewall is the answer to all your network security needs.
  • Deny all traffic and allow only what is needed, rather than the other way around (allowing everything and blocking only the known vulnerable ports).
  • Limit the number of applications running (antivirus, VPN, authentication software) on your host-based firewalls to maximize CPU cycles and network throughput.
  • Run the firewall services under a unique ID rather than the generic root/admin ID.
  • Follow good password practices:

                   – Change the default admin or root passwords before connecting the firewall to the internet

                   – Use a long and complex passphrase that is difficult to crack and easy to remember

                   – Change the passwords once every 6 months and whenever they are suspected to be compromised

  • Use features like stateful inspection, proxies and application-level inspection if available in the firewalls.
  • Physical access to the firewall should be controlled.
  • Keep the configurations simple; eliminate unneeded and redundant rules.
  • Audit the firewall rule base regularly.
  • Perform regular security tests on your firewalls: for new exploits, after changes in rules, and with the firewall disabled to determine how vulnerable you will be in case of firewall failure.
  • Enable firewall logging and alerting.
  • Use a secure remote syslog server that makes log modification and manipulation difficult for an attacker.
  • Consider outsourcing firewall management to a managed service provider to leverage their expertise, trend analysis and intelligence.
  • Have a strong change management process to control changes to firewalls.
  • Use personal firewalls/intrusion prevention software as well, since network firewalls can be easily circumvented when hosts connect through devices like USB modems, ADSL links etc.
  • Back up the firewall rule base regularly and keep the backups offsite.
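The allow/deny/drop principle above and the best-practice items on denying by default and auditing the rule base, as an added example written for this page (it is not from the page's source): a first-match rule evaluator in which anything unmatched is silently dropped, plus an audit that reports rules shadowed by an earlier rule, the kind of dead or redundant entry a rule-base review should remove. The rule names, addresses and ports are constructed.

```python
"""First-match firewall rule evaluation with default deny, plus a rule-base
audit that finds shadowed (never-matching) rules.

Added example, not from the page; rules and packets are constructed.
Actions follow the page's vocabulary: 'allow', 'deny' (block and tell the
sender) and 'drop' (discard silently). A packet matching no rule is dropped,
which is the 'deny all, allow what is needed' stance.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str               # "tcp", "udp" or "any"
    ports: Tuple[int, int]   # inclusive destination port range
    action: str              # "allow", "deny" or "drop"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def rule(name, src, dst, proto, ports, action) -> Rule:
    return Rule(name, ip_network(src), ip_network(dst), proto, ports, action)


def matches(r: Rule, p: Packet) -> bool:
    return (ip_address(p.src) in r.src
            and ip_address(p.dst) in r.dst
            and r.proto in ("any", p.proto)
            and r.ports[0] <= p.dport <= r.ports[1])


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, rule name). The first matching rule wins; anything
    unmatched is silently dropped (implicit deny)."""
    for r in rules:
        if matches(r, p):
            return r.action, r.name
    return "drop", None


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet 'later' could match is already matched by 'earlier'."""
    return (later.src.subnet_of(earlier.src)
            and later.dst.subnet_of(earlier.dst)
            and earlier.proto in ("any", later.proto)
            and earlier.ports[0] <= later.ports[0]
            and later.ports[1] <= earlier.ports[1])


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(shadowed, shadowing) pairs. A rule fully covered by an earlier one can
    never fire: with differing actions the ordering is probably a mistake,
    with equal actions the rule is redundant clutter."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed rule base, evaluated top to bottom.
RULES = [
    rule("allow-dns", "10.0.0.0/8", "10.1.1.53/32", "udp", (53, 53), "allow"),
    rule("allow-web", "10.0.0.0/8", "0.0.0.0/0", "tcp", (443, 443), "allow"),
    rule("deny-guest", "10.9.0.0/16", "0.0.0.0/0", "any", ANY_PORT, "deny"),
    # shadowed by deny-guest: guest HTTP is never allowed, whatever the author intended
    rule("allow-guest-http", "10.9.0.0/16", "0.0.0.0/0", "tcp", (80, 80), "allow"),
    # redundant: allow-web already permits exactly this traffic
    rule("allow-web-dup", "10.2.0.0/16", "0.0.0.0/0", "tcp", (443, 443), "allow"),
]

if __name__ == "__main__":
    for pkt in (Packet("10.5.1.10", "10.1.1.53", "udp", 53),
                Packet("10.9.3.4", "203.0.113.10", "tcp", 80),
                Packet("10.9.3.4", "203.0.113.10", "tcp", 443),
                Packet("192.168.1.5", "10.1.1.53", "udp", 53)):
        print(pkt, "->", evaluate(RULES, pkt))
    print("shadowed:", shadowed_rules(RULES))
```

The sample also shows why rule order is part of the audit: guest traffic to port 443 is allowed because allow-web sits above deny-guest, while allow-guest-http below it never fires, and allow-web-dup adds nothing that allow-web does not already permit.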