Infocom Security Conference 2017 – On the IT Roadmap EXPECT the UNEXPECTED


The curtain of the 7th Infocom Security Conference came down yesterday. The conference highlighted the need for network, system and information security in our lives, since they depend more and more on digital assets. The European General Data Protection Regulation (GDPR) defines the general framework for information security, and almost 90% of companies must comply with it within the following 12 months.

You may download the presentations at www.infocomsecurity.gr.

I have placed a few photos from the main conference room and some workshop sessions.

How to secure the internet side of your Citrix Netscaler

This is a two-minute guide to securing the internet side of your Netscaler. We will set up two parameters: “Deny SSL Renegotiation” and the acceptable ciphers.

A. Deny SSL Renegotiation

Go to the Traffic Management – SSL page on your Netscaler and press the “Change Advanced SSL Settings” link.

Change advanced SSL Settings


The advanced SSL settings will appear. Notice that the default value of “Deny SSL Renegotiation” property is “NO”. Change it to “FRONTEND_CLIENT”.

Deny SSL Renegotiation


You may want to change it to the stricter value “ALL”, depending on your web farm structure. Client-initiated renegotiation left enabled is usually reported as a finding after a penetration test, so set this parameter to avoid SSL Renegotiation Denial of Service attacks.

B. Configure the Cipher Group

Go to the SSL tab of your virtual server and select Ciphers. The configured Cipher Group is called “DEFAULT” and includes 128-bit strength ciphers. Remove this value and, in the available Cipher Groups pane, select “HIGH”. This group includes high-strength 168-bit encryption ciphers. The available ciphers pane lists the acceptable ciphers of the selected group.

All modern browsers are compatible with these ciphers, so go ahead and use them.

Cipher Groups


Do the same for all your virtual servers.
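To check that both settings above (the Deny SSL Renegotiation parameter and the cipher group bound to every SSL virtual server) are in place across a whole appliance, here is a small audit script added to this post; it is not Citrix code. It assumes a saved copy of the running configuration in the NetScaler CLI syntax (`set ssl parameter -denySSLReneg ...`, `bind ssl vserver <name> -cipherName <group>`) and uses a constructed sample instead of real device output.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of NetScaler running-config lines (not output from a real device).
SAMPLE_CONFIG = """\
set ssl parameter -defaultProfile DISABLED -denySSLReneg NO -quantumSize 8192
add lb vserver vs_web SSL 10.0.0.10 443
add lb vserver vs_api SSL 10.0.0.11 443
add lb vserver vs_intranet SSL 10.0.0.12 443
bind ssl vserver vs_web -cipherName DEFAULT
bind ssl vserver vs_api -cipherName HIGH
bind ssl vserver vs_intranet -cipherName DEFAULT
bind ssl vserver vs_intranet -cipherName HIGH
"""

ACCEPTABLE_RENEG = {"FRONTEND_CLIENT", "ALL"}   # the two values the post recommends
ACCEPTABLE_GROUPS = {"HIGH"}                     # cipher group the post recommends


def parse_config(text: str) -> Tuple[str, Dict[str, List[str]]]:
    """Return (denySSLReneg value, {ssl vserver: [bound cipher groups]})."""
    reneg = "NO"  # value the post reports as the appliance default
    bindings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = re.match(r"add lb vserver (\S+) SSL ", line)
        if m:
            bindings.setdefault(m.group(1), [])
        m = re.match(r"set ssl parameter\b.*-denySSLReneg (\S+)", line)
        if m:
            reneg = m.group(1)
        m = re.match(r"bind ssl vserver (\S+) -cipherName (\S+)", line)
        if m:
            bindings.setdefault(m.group(1), []).append(m.group(2))
    return reneg, bindings


def audit(text: str) -> List[str]:
    """List the findings a pentest report would raise against this config."""
    findings: List[str] = []
    reneg, bindings = parse_config(text)
    if reneg not in ACCEPTABLE_RENEG:
        findings.append(f"denySSLReneg is {reneg}; set it to FRONTEND_CLIENT or ALL")
    for vs, groups in sorted(bindings.items()):
        weak = [g for g in groups if g not in ACCEPTABLE_GROUPS]
        if weak:   # a weak group bound alongside HIGH is still a finding: remove it
            findings.append(f"{vs}: unbind cipher group(s) {', '.join(weak)} and bind HIGH")
        elif not groups:
            findings.append(f"{vs}: no cipher group binding found, verify it manually")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```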

Configuring SSL VPN in Palo Alto Networks Next-Generation Application Firewall

An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that can be used with a standard web browser. It is used to give remote users access to internal network services, client/server applications, intranet web services, etc. It provides a secure communications mechanism for data transmitted between two endpoints, since the traffic is encrypted by the SSL protocol. Palo Alto Networks' devices provide an integrated SSL VPN service. In this post we are going to configure such a service.

First, download and activate the SSL VPN client on the PAN device by selecting Device – SSL VPN Client.

Downloading and activating the SSLVPN Client


Next, go to Network settings – Interfaces and configure the external IP address that the SSL VPN portal will listen on by creating a new loopback interface (loopback.1 in this example).

Configuring the external ip address


Let’s select MTU=1500, Management profile=allow ping and IP address 195.35.125.220, and select the virtual router already configured on the PAN device, vr1 in this example. Next, go to Network – Zones and create a new SSL VPN Zone.

Creating the SSLVPN Zone


Give the zone a relevant name (e.g. SSL-VPN), select Type=Layer3 and check the interface created previously (loopback.1). In this screen you can also define any ACLs you may need. Next, go to Device – Authentication Profiles and create a new one.

Creating a new Authentication Profile


In this screen, give a relevant Profile Name (SSL-VPN Profile) and define the Lockout settings (e.g. after 5 unsuccessful attempts, lock the user out for 5 minutes). You should also define the users that can authenticate to the SSL VPN Portal by unchecking the All checkbox and editing the Allow List with the users imported from a local Active Directory. This assumes that you have already imported the user list using a PAN Agent running as a service on a local server. In this example we will configure users from the local DB, so at the bottom of the screen select Local DB and leave the Allow List at the All setting. Next, go to Network – SSLVPN Profiles and create a new one.

Creating a new SSLVPN Profile - General


Select a Server SSL Certificate (for testing purposes you can create a test certificate on the PAN device, but in production environments you must purchase an SSL certificate from a 3rd-party CA). Unfortunately, the PAN device cannot create a certificate signing request (CSR) file to submit to a Certification Authority, so you need to create the CSR on a server or another device. I prefer to create such a CSR file and the corresponding private key file from a Citrix Netscaler virtual appliance, but this is another story. Then select the Authentication Profile created previously. Set the max users and check the Enable IPsec and Redirect HTTP traffic to HTTPS login checkboxes. Select the loopback.1 interface; you can now choose the external IP address of the SSL Portal, i.e. 195.35.125.220 in this example. The final settings in this screen configure the login lifetime and inactivity logout parameters. Then select the Client Configuration tab.

Creating a new SSLVPN Profile - Client Configuration


In this page, type in the IPs of the internal DNS servers and the DNS suffix of your internal domain. The IP Pool is the address space from which each SSL VPN client PC is assigned an address (like a DHCP scope), and the Access Route is the address space of your internal domain that the VPN client will have access to. Since we use the Local DB authentication type, we must create a local user on the PAN device, so go to Device – Users and create one.

User creation at local DB


Finally, you must set up the static routes on your virtual router (from the Pool network to your internal one and vice versa)

Virtual Router Settings


and permit the connected SSL VPN clients to access the services of your internal network. At a minimum, you should open the DNS application from the IP Pool network (192.168.110.0/24) to your DNS servers, and then any other applications that you need to expose to the SSL VPN client PCs. In the next example the first rule permits only the ADSL IP to connect to the SSL VPN Portal (enabling IPsec as well), and the other two rules expose DNS and web services to the VPN clients.

Permissions Rules


The SSL VPN can be further secured with a two-factor authentication mechanism, using 3rd-party services such as Phonefactor or Duo Security. These services provide free trial solutions for 10 to 25 people, authenticating VPN access through a landline or mobile phone.