Archive for the ‘Networking’ Category

DNS Records Disappearing

Friday, February 26th, 2010

This post is a little confusing, but it may help someone out there.  In a recent security audit, we were told to disable several services on our servers, one of which was DHCP.  Before disabling it on each server, I verified they were manually configured.  We have some whose static address is handed out by DHCP.  I then proceeded to disable DHCP on all of the servers with manually configured NICs.

After a couple of hours, we had one server that could no longer be reached.  Of course, it was a fairly critical web server.  After investigating, we could reach it from our Indianapolis location, but not from Albuquerque.  The server was physically in ABQ.  I started thinking it was a network issue.  Also, the external users that access it from outside our firewall could still reach it.

After looking through the network and trying to see what had changed, we realized the server no longer had any records in DNS in ABQ.  How does a single record get removed from DNS like that, I wondered?  After getting DNS back to how it should be, we started investigating what caused the DNS change.

Finally, we realized the server was using a dynamically updated DNS record, instead of a manually entered static record…  Never did it cross any of our minds that DHCP was keeping the DNS record updated, but it was.  The DHCP Client service on Windows machines automatically re-registers the host with DNS regularly.  This I knew, but I didn’t know that the DHCP Client service will register with DNS even if none of the interfaces on the machine are obtaining an address from DHCP.  Interesting.

So, before you disable that service, make sure your DNS records are manual entries and didn’t just come from DHCP’s dynamic updates.
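The check above, as an added example that is not part of the original post: before stopping the DHCP Client service, list each interface's DHCP addressing and DNS-registration settings (two independent flags, which is the surprise the post describes), then ask the zone whether the host's A record is a dynamic registration or a manual entry. It assumes Windows 8/Server 2012 or later for Get-NetIPInterface and Get-DnsClient, the DnsServer RSAT module for Get-DnsServerResourceRecord, and the zone and server names are placeholders.

```powershell
# Added example (not from the original post). Before disabling the DHCP Client
# service, show (1) per interface whether it is on DHCP and whether it registers
# its address in DNS, and (2) whether the host's A record in the zone is a
# dynamic registration or a manual (static) entry.
# Assumes Windows 8/Server 2012+ (Get-NetIPInterface, Get-DnsClient) and the
# DnsServer RSAT module. Zone and server names are placeholders.
$zone      = 'corp.example'          # placeholder: the AD zone the host lives in
$dnsServer = 'dc1.corp.example'      # placeholder: a DNS server hosting that zone
$hostName  = $env:COMPUTERNAME

# (1) DHCP addressing and DNS registration are separate per-interface settings;
#     a manually addressed NIC still registers unless RegisterThisConnectionsAddress is off.
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.ConnectionState -eq 'Connected' } |
    ForEach-Object {
        $client = Get-DnsClient -InterfaceIndex $_.InterfaceIndex
        [pscustomobject]@{
            Interface      = $_.InterfaceAlias
            DhcpAddressing = $_.Dhcp
            RegistersInDns = $client.RegisterThisConnectionsAddress
        }
    } | Format-Table -AutoSize

# (2) Records written by dynamic update carry a Timestamp (used for scavenging);
#     records typed in by hand have none. Report which kind this host's A record is.
try {
    $records = Get-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName $zone `
        -Name $hostName -RRType A -ErrorAction Stop
    foreach ($r in $records) {
        $kind = if ($r.Timestamp) { 'DYNAMIC (registered by the host, not a manual entry)' } else { 'static' }
        "{0}.{1} -> {2}  [{3}]" -f $r.HostName, $zone, $r.RecordData.IPv4Address, $kind
    }
}
catch {
    "No A record for $hostName in zone $zone on $dnsServer -- it may already be gone."
}
```

Run it on each server before touching the service; any host whose only A record shows as DYNAMIC needs a manual record created first, or the registration flag left in place.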

Windows Updates and Proxy Servers

Thursday, September 3rd, 2009

So, in our environment, we have several segregated networks. Each has its own (squid) proxy server and none had previously had issues with automatic updates. All were supposedly set up the same way, with the proxy being pushed through Group Policy. The GPO was set to only push the proxy to normal users and not to members of the IT team, mainly because we just don’t like having it. Anyway, there was one network that could not get the Microsoft Update web page to load. When we looked at the proxy, it looked as though it was redirecting the page to a null site. The reason it was only affecting the one network was that the other networks have the ability to bypass the proxy if the page didn’t load and it wasn’t listed as blocked, whereas this particular network was forced to send all traffic through the proxy. The key to making it work was one simple command:

proxycfg -p <your proxy>:<proxyport>

That sets your proxy info; now you need to restart the Windows Update service for it to take effect:

net stop wuauserv

net start wuauserv

Anyway, I know this is a simple little post, but hope it helps someone.

UPDATE (9/17):

For Vista/Server 2008 use this command instead of proxycfg:

netsh winhttp set proxy [myproxy]:[myport]
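The two commands above, worked into one script as an added example (not from the original post): the point is that Windows Update runs as a service and reads the machine-wide WinHTTP proxy, which is separate from the per-user browser proxy a GPO pushes, so a user-only proxy policy leaves the update agent unproxied. The proxy host, port and bypass names are placeholders; the bypass-list argument is real netsh winhttp syntax.

```powershell
# Added example (not from the original post). Windows Update uses the machine-wide
# WinHTTP proxy, not the per-user browser proxy pushed by Group Policy, so set it
# in the service context and restart the agent. Host names and ports are placeholders.

# Show what the service context uses right now (often "Direct access (no proxy server)"
# even while users' browsers are proxied).
netsh winhttp show proxy

# Set the WinHTTP proxy. Names on the bypass list are reached directly, so internal
# servers are not forced through squid. --% passes the rest of the line to netsh verbatim.
# Vista/Server 2008 and later (the post's 9/17 update):
netsh --% winhttp set proxy proxy-server="proxy.corp.example:3128" bypass-list="<local>;*.corp.example"
# On XP/Server 2003 the equivalent is the post's proxycfg:
#   proxycfg -p proxy.corp.example:3128 "<local>;*.corp.example"

# The post notes the update service must be restarted to pick the change up; do that and confirm.
Restart-Service -Name wuauserv
Get-Service -Name wuauserv | Select-Object Name, Status
netsh winhttp show proxy

# To return the service context to direct access later:
#   netsh winhttp reset proxy
```

Run it from an elevated prompt; the WinHTTP setting is machine-wide, so it also affects any other service that uses WinHTTP, which is worth knowing before rolling it out through a startup script.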

Resetting Passwords – Cisco PIX 501 or Why are Some Consultants Pricks – Part 2

Wednesday, May 6th, 2009

So, forget the brute force idea I mentioned in my earlier post.  I knew brute forcing any security appliance would be harder than I wanted to mess with.  I also didn’t want to reset the PIX to factory defaults, since before this, I had never touched a Cisco device.  The users are using the VPN as well and I really just didn’t want to mess with this.  I just needed to open RDP to get to their server and the previous vendor magically forgot the password to the device when I took over their IT.  Anyway, this is what I used to reset their password.  As far as resolving some of their VPN issues… I’ll be consulting with some of my associates with more Cisco experience than myself.

To start, you need to download the np**.bin files from Cisco.com.  You will also need TFTP server software (I used TFTPD).

First, plug into the PIX with a console cable and verify your connection (when connected, I used HyperTerminal).

Power the PIX off, then back on.  Right after the power comes back on, send a “BREAK” character (honestly, not sure what that means) or hit the ESC key (this is what I did).

For a PIX without a floppy drive and only 2 interfaces (like the one I was on), it automatically defaults traffic to the internal interface.  This is what you want.  Just in case, use the “interface” command to pick the right one:
interface 1

Use the “address” command to specify the IP of the PIX internal interface:
address 192.168.11.1

Use the “server” command to specify the IP of the TFTP server containing the PIX password recovery file (the np**.bin):
server 192.168.11.49

Use the “file” command to specify which file on the TFTP server:
file np70.bin

Use the “tftp” command to start the download:
tftp

Then you get a question about wanting to erase the passwords.  Enter “y”.

The default password is “cisco”; there is no default enable password.  Use the passwd <new password> command to create an enable password.  You’re all done.  Let me know if I missed something.

Watchguard SSL VPN – updated 5/14(see bottom)

Wednesday, April 15th, 2009

So, we tend to use Firebox (http://www.watchguard.com) firewall appliances quite a bit at the company I work for.  When I first started this job, I was very skeptical of their abilities, but I focused more on the server side of things and not routing or advanced firewalling.  Lately, though, I have been forced to become more familiar with them and I must say, I like them more and more all the time.  One of the most used features of the Watchguards is their Mobile User VPN.  Well, I never before messed with AD authentication in the Firebox; I always just set up users in the Firebox DB.  I also found out that licensing for SSL VPN users is 20:1 to MUVPN users… way more bang for your buck.  SSL VPN only works (to my knowledge) with 750 or higher models, basically anything using WSM.  Here’s a quick little tutorial:

Once connected to your Firebox, open the Policy Manager.

First, we need to set up AD authentication.  Go to Setup > Authentication > Authentication Servers.  Go to the Active Directory tab and check Enable Active Directory server.  Put in the IP of a domain controller in your environment.  This DC MUST be a global catalog server.  Set the port to 3286 (GC port).  Search Base must be in the format dc=business,dc=local (for AD domain business.local).  You should be done here; there are other optional settings and you can configure a secondary DC to use, but this will work for now, just copy these settings over for the secondary.  Click OK and go back to the Policy Manager.


At the top, go to the VPN menu > Mobile > SSL

Select the box to Activate SSL VPN, then choose authentication type.  For this snippet, I am only doing Active Directory authentication because I find it the most useful for my clients.

Next, put in your public IP/domain name in the box that says “Please type or select IP or domain name for SSL VPN  users to connect to”.  If you have multiple external IPs assigned to this device, you can do a backup, but that’s personal preference and I don’t see too much of an advantage since they are most likely the same WAN block from the same ISP.

Then, just select the resources they will have access to and the IPs they will be using.  The VPN users’ IPs should not be on the same subnet as your internal networks (trusted, optional, or any others).


In the Advanced tab, choose your encryption (I use SHA1-3DES since it is the most secure, but a little lower speed).

Here is one thing to note.  I always change the Port to 444.  No matter where I go, port 443(default SSL) is already in use.  Changing this helps prevent conflicts.  I can’t think of anything that uses 444 by default off the top of my head and I haven’t seen any conflicts, yet.

For DNS and WINS servers, be sure you use your AD domain name (i.e. business.local) and at least one DC for the DNS (preferably the same as the one from authentication).


Click OK.  Go ahead and save the configuration changes to the Firebox and you’re done as far as configuration goes.  For users to connect, they will need to download a small client (don’t worry, it’s tiny and it’s easier for an idiot to get than Google Toolbar) from https://yourpublicipordomain.com:4100/sslvpn.html.  They will need to use their AD information to log into this site.  They will be prompted to download a Windows client or Mac client.  Yes, this works with Windows 2000, XP, Vista, 7 beta, OS X 10.x.  At least, it has for me; I’m not sure what Watchguard is claiming.  Anyway, once it’s downloaded, the client sits in the task bar and, when clicked, will pop up a username/password screen.  AD information will log them in and you don’t have to worry.  If it ever starts having issues, or Watchguard updates the firmware for your Firebox (which they’re always doing) and it causes an issue, the client is designed so you can simply go back and re-download/install.  No uninstalls or tweaks.

Hope this helps someone out there.

updated 4/16:  FYI, the SSL VPN client is not compatible with any 64-bit OSes.

updated 5/14 CRITICAL NOTE:

I forgot to put an absolutely critical key step into this and I apologize to all.  Watchguard, by default, looks for a security group in AD to approve users.  In AD, go to security groups and add a group “SSLVPN-Users”.  Then add whoever will be using the VPN to the group; if it is everyone, then just add Domain Users.

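The two AD pieces of this tutorial, the Search Base string from the authentication step and the SSLVPN-Users group from the 5/14 note, done from PowerShell as an added example (not from the original post or from Watchguard): it prints the domain DN in the dc=...,dc=... form the Firebox wants, creates the group if it is missing, adds the listed users without re-adding existing members, and lists members with their account status. It assumes the ActiveDirectory RSAT module and rights to create groups; the user names are placeholders.

```powershell
# Added example (not from the original post). Create the AD security group the
# Firebox looks for by default, add the VPN users, and print the Search Base in
# the dc=...,dc=... form the Active Directory authentication page expects.
# Assumes the ActiveDirectory RSAT module; user names are placeholders.
Import-Module ActiveDirectory

$groupName = 'SSLVPN-Users'           # the group name the post says Watchguard looks for
$vpnUsers  = @('jdoe', 'asmith')      # placeholders: sAMAccountNames of the VPN users
# If everyone should have VPN access, the post suggests adding 'Domain Users' instead.

$domain = Get-ADDomain
# DistinguishedName comes back as e.g. DC=business,DC=local, which is the Search
# Base format the Firebox wants (DN attribute names are case-insensitive).
"Search Base for the Firebox: {0}" -f $domain.DistinguishedName

# Create the group once, as a global security group in the default Users container.
$group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupCategory Security -GroupScope Global `
        -Description 'Users permitted to connect through the Firebox SSL VPN' -PassThru
}

# Filter out current members first so re-running the script does not try to re-add them.
$current = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName
$toAdd   = $vpnUsers | Where-Object { $_ -notin $current }
if ($toAdd) { Add-ADGroupMember -Identity $group -Members $toAdd }

# Verify: list user members with account status, since a disabled account in the
# group will still be refused at the VPN login.
Get-ADGroupMember -Identity $group |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties Enabled |
    Select-Object SamAccountName, Enabled |
    Format-Table -AutoSize
```

The membership listing is the useful part to keep around: it is a quick way to audit who can reach the VPN, which is exactly the list a security review will ask for.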